3Com 3C17300-US - SuperStack 3 Switch 4226T Скачать руководство пользователя страница 85 | Manualshive

Страница: 85 / 122

background image

What is Disconnect Unauthorized Device (DUD)?

85

What is Disconnect
Unauthorized
Device (DUD)?

The port security feature Disconnect Unauthorized Device (DUD), disables
a port if an unauthorized client device transmits data on it.

DUD may be automatically enabled when a port is set to one of the
following port security modes:

■

Automatic Learning

■

Network Login (Secure)

■

Learning off

How DUD Works

Disconnect Unauthorized Device (DUD) protects the network by checking
the source MAC address of each packet received on a port against the
authorized addresses for that port.

You can configure DUD to perform one of the following actions if an
unauthorized client device transmits data on the port:

■

Permanently disable the port

— The port is disabled and data from the

unauthorized client device is not transmitted.

■

Temporarily disable the port — The port is disabled for 20 seconds.
When the time period has expired the port is re-enabled; if the port is
set to one of the Network Login security modes, the client device is
authenticated again.

■

Do not disable the port

— The port is not disabled and data from

authorized client devices will continue to be transmitted, whilst data
from unauthorized client devices will be filtered.

What is RADIUS?

Remote Authentication Dial-In User Service (RADIUS) is an industry
standard protocol for carrying authentication, authorization and
configuration information between a network device and a shared
authentication server. Transactions between each network device and the
server are authenticated by the use of a shared secret. Additional security
is provided by encryption of passwords to prevent interception by a
network snooper.

RADIUS is defined in the RFCs 2865 and 2866, “Remote Authentication
Dial-in User Service (RADIUS)” and “RADIUS Accounting”.

Network Login and Rada both utilize the RADIUS protocol.

dua1730-0bAA03.book Page 85 Monday, July 11, 2005 11:14 AM

«
...
83
84
85
86
87
...
»

Содержание 3C17300-US - SuperStack 3 Switch 4226T

Страница 1: ...Published June 2005 SuperStack 3 Switch 4200 Family Implementation Guide Generic guide for units in the SuperStack 3 Switch 4200 Family 3C17300 3C17302 3C17304 3C17300A 3C17302A 3C17304A dua1730 0bAA03 book Page 1 Monday July 11 2005 11 14 AM ...

Страница 2: ...on any licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered trademarks are registered in the United States and may or may not be registered in other countries 3Com the 3Com logo and SuperStack are all registered trademarks of 3Com Corporation Intel and Pentium are registered trademarks of Intel Corporation...

Страница 3: ...icast Filtering 18 Spanning Tree Protocol and Rapid Spanning Tree Protocol 18 Switch Database 19 Traffic Prioritization 19 RMON 20 Broadcast Storm Control 20 VLANs 20 Configuration Save and Restore 20 2 OPTIMIZING BANDWIDTH Port Features 23 Duplex 23 Flow Control 24 Auto negotiation 24 Smart Auto sensing 25 Aggregated Links 26 How 802 3ad Link Aggregation Operates 26 Implementing 802 3ad Aggregate...

Страница 4: ...s 43 STP Calculation 43 STP Configuration 44 STP Reconfiguration 44 How RSTP Differs to STP 45 STP Example 45 STP Configurations 46 Using STP on a Network with Multiple VLANs 48 5 USING THE SWITCH DATABASE What is the Switch Database 49 How Switch Database Entries Get Added 49 Switch Database Entry States 50 6 USING TRAFFIC PRIORITIZATION What is Traffic Prioritization 51 How Traffic Prioritizatio...

Страница 5: ...reating New VLANs 68 VLANs Tagged and Untagged Membership 68 Placing a Port in a Single VLAN 69 VLAN Configuration Examples 70 Using Untagged Connections 70 Using 802 1Q Tagged Connections 71 9 USING AUTOMATIC IP CONFIGURATION How Your Switch Obtains IP Information 74 How Automatic IP Configuration Works 74 Automatic Process 75 Important Considerations 76 Event Log Entries and Traps 76 10 MAKING Y...

Страница 6: ...Rules for Gigabit Ethernet 93 Configuration Rules for Fast Ethernet 94 Configuration Rules with Full Duplex 95 B NETWORK CONFIGURATION EXAMPLES Simple Network Configuration Examples 98 Desktop Switch Example 98 Advanced Network Configuration Examples 99 Improving the Performance and Resilience of Your Network 99 C IP ADDRESSING IP Addresses 101 Simple Overview 101 Advanced Overview 102 Subnets and...

Страница 7: ...D STANDARDS SUPPORTED GLOSSARY INDEX dua1730 0bAA03 book Page 7 Monday July 11 2005 11 14 AM ...

Страница 8: ...dua1730 0bAA03 book Page 8 Monday July 11 2005 11 14 AM ...

Страница 9: ...rations and the command line interface CLI commands that you require to manage the Switch please refer to the Management Interface Reference Guide supplied in HTML format on the CD ROM that accompanies your Switch If release notes are shipped with your product and the information there differs from the information in this guide follow the instructions in the release notes Most user guides and rele...

Страница 10: ... use the following syntax system password password In this example you must supply a password for password Commands The word command means that you must enter the command exactly as shown and then press Return or Enter Commands appear in bold Example To display port information enter the following command bridge port detail The words enter and type When you see the word enter in this guide you mus...

Страница 11: ...arameters available It is supplied in HTML format on the CD ROM that accompanies your Switch Management Quick Reference Guide You can find this guide on the CD ROM that accompanies your Switch Supplied in PDF format this guide contains A list of the features supported by the Switch A summary of the web interface operations and CLI commands that enable you to manage the Switch Release Notes These n...

Страница 12: ...le SuperStack 3 Switch Implementation Guide Part number DUA1730 0BAA0x Page 25 Please note that we can only respond to comments and questions about 3Com product documentation at this e mail address Questions related to technical support or sales should be directed in the first instance to your network supplier dua1730 0bAA03 book Page 12 Monday July 11 2005 11 14 AM ...

Страница 13: ...g Resilience Features Chapter 5 Using the Switch Database Chapter 6 Using Traffic Prioritization Chapter 7 Status Monitoring and Statistics Chapter 8 Setting Up Virtual LANs Chapter 9 Using Automatic IP Configuration Chapter 10 Making Your Network Secure Chapter 11 IP Addressing dua1730 0bAA03 book Page 13 Monday July 11 2005 11 14 AM ...

Страница 14: ...14 dua1730 0bAA03 book Page 14 Monday July 11 2005 11 14 AM ...

Страница 15: ... features offered by the Switch and to change and monitor the way it works you have to access the management software that resides on the Switch This is known as managing the Switch Managing the Switch can help you to improve its efficiency and therefore the overall performance of your network There are several different methods of accessing the management software to manage the Switch These metho...

Страница 16: ...een these three automatic configuration methods The Switch tries each method in a specified order For more information about how the automatic IP configuration feature works see Chapter 9 Using Automatic IP Configuration Security Your Switch has the following security features which guard against unauthorized users connecting devices to your network Network Login controls user access at the networ...

Страница 17: ...ovide the highest performance supported by the port For details of the auto negotiation features supported by your Switch please refer to the Management Quick Reference Guide supplied in PDF format on the CD ROM that accompanies your Switch Ports operating at 1000 Mbps only support full duplex mode Duplex Full duplex mode allows packets to be transmitted and received simultaneously and in effect d...

Страница 18: ... and Rapid Spanning Tree Protocol Spanning Tree Protocol STP and Rapid Spanning Tree Protocol RSTP are bridge based systems that makes your network more resilient to link failure and also provides protection from network loops one of the major causes of broadcast storms STP allows you to implement alternative paths for network traffic in the event of path failure and uses a loop detection process ...

Страница 19: ...lower priority traffic High priority traffic is given preference over low priority traffic to ensure that the most critical traffic gets the highest level of service The traffic prioritization feature supported by your Switch using layer 2 information is compatible with the relevant sections of the IEEE 802 1D D17 standard incorporating IEEE 802 1p For more information about 802 1D and traffic pri...

Страница 20: ...raffic level rises to a pre defined number of frames per second threshold the broadcast traffic on the port is blocked until the broadcast traffic level drops below the threshold This system prevents the overwhelming broadcast traffic that can result from network equipment which is faulty or configured incorrectly VLANs A Virtual LAN VLAN is a flexible group of devices that can be located anywhere...

Страница 21: ...Switch Features Explained 21 For further information about Configuration Save and Restore see Chapter 11 Using Switch Configuration Features dua1730 0bAA03 book Page 21 Monday July 11 2005 11 14 AM ...

Страница 22: ...22 CHAPTER 1 SWITCH FEATURES OVERVIEW dua1730 0bAA03 book Page 22 Monday July 11 2005 11 14 AM ...

Страница 23: ...tch Port Features The default state for all the features detailed below provides the best configuration for most users In normal operation you do not need to alter the Switch from its default state However under certain conditions you may wish to alter the default state of these ports for example if you want to force a port to operate at 10 Mbps Duplex Full duplex allows packets to be transmitted ...

Страница 24: ...egotiation is enabled default a port advertises its maximum capabilities these capabilities are by default the parameters that provide the highest performance supported by the port You can modify the capabilities that a port advertises on a per port basis dependent on the type of port You can disable auto negotiation on all fixed ports on the Switch or on a per port basis You can also modify the c...

Страница 25: ... a poor quality cable If both ends of the link support 100 1000 Mbps auto negotiation then auto sensing tunes the link to 100 Mbps to provide an error free 100 Mbps connection to the network An SNMP Trap is sent every time a port is down rated to a lower speed Conditions that affect smart auto sensing Smart auto sensing will not operate on links that do not support auto negotiation or on links whe...

Страница 26: ...d Link Aggregation Operates Your Switch supports IEEE 802 3ad standard aggregated links which uses the Link Aggregation Control Protocol LACP LACP provides automatic point to point redundancy between two devices switch to switch or switch to server that have full duplex connections operating at the same speed By default LACP is disabled on the 10 100 1000BASE T and GBIC or SFP ports If you enable ...

Страница 27: ... and managed via network management Implementing 802 3ad Aggregated Links LACP can be enabled or disabled on a per port basis You can implement 802 3ad aggregated links in three ways Manual Aggregations You can manually add and remove ports to and from an aggregated link via Web or CLI commands However if a port has LACP enabled if a more appropriate or correct automatic membership is detected by ...

Страница 28: ...ing pre configured aggregated links exist LACP will automatically assign a free un configured aggregated link to form an aggregated link with the partner device The aggregated link will inherit its configuration from the first port originally detected against the partner device If you have an existing single port connection between two devices this automatic behavior allows quick and easy addition...

Страница 29: ...ated links The remaining devices will each only have one link made active that is passing data All other links will be made inactive to prevent loops occurring LACP detects if one of the existing four aggregated links is removed and will then automatically assign one of the remaining devices to the aggregated link that has become free When multiple links of different speed connect two devices only...

Страница 30: ...ation in Figure 4 will not work as Switch A has one aggregated link defined whose member links are then split between two aggregated links defined on Switches B and C Note that this illegal configuration could not occur if LACP is enabled Figure 4 An illegal aggregated link configuration To make this configuration work you need to have two aggregated links defined on Switch A one containing the me...

Страница 31: ...hen a packet is made available for transmission down an aggregated link a hardware based traffic distribution mechanism determines which particular port in the link should be used this mechanism uses the MAC address The traffic is distributed among the member links as efficiently as possible To avoid the potential problem of out of sequence packets or packet re ordering the Switch ensures that all...

Страница 32: ...ggregated link 4 Add the SFP ports on the lower unit to the aggregated link 5 Connect the 1000BASE T port marked Up on the upper Switch to the 1000BASE T port marked Up on the lower Switch 6 Connect the 1000BASE T port marked Down on the upper Switch to the 1000BASE T port marked Down on the lower Switch 7 Connect the SFP port marked 27 on the upper Switch to the SFP port marked 27 on the lower Sw...

Страница 33: ...at is intended for one to many and many to many communication Users explicitly request to participate in the communication by joining an endstation to a specific multicast group If the network is set up correctly a multicast can only be sent to an endstation or a subset of endstations in a LAN or VLAN that belong to the relevant multicast group Multicast group members can be distributed across mul...

Страница 34: ...where a multicast approach is more logical and efficient than a unicast approach Application examples include distance learning transmitting stock quotes to brokers and collaborative computing A typical use of multicasts is in video conferencing where high volumes of traffic need to be sent to several endstations simultaneously but where broadcasting that traffic to all endstations would seriously...

Страница 35: ...roup and then sets its filters accordingly Query Mode Query mode allows the Switch to function as the Querier if it has the lowest IP address in the subnetwork to which it belongs IGMP querying is disabled by default on the Switch 4200 Family This helps prevent interoperability issues with core products that may not follow the lowest IP address election method You can enable or disable IGMP query ...

Страница 36: ... Switch only has an IP address on its default VLAN the Switch will only ever query on the default VLAN VLAN1 Therefore if there are no other queriers on other VLANs the IP multicast traffic will not be forwarded on them 2 When an IP endstation receives a query packet it sends a report packet back that identifies the multicast group that the endstation would like to join 3 When the report packet ar...

Страница 37: ...s not enabled then IP multicast traffic is always forwarded that is it floods the network For information about configuring IGMP functionality on an endstation refer to the user documentation supplied with your endstation or the endstation s Network Interface Card NIC dua1730 0bAA03 book Page 37 Monday July 11 2005 11 14 AM ...

Страница 38: ...38 CHAPTER 3 USING MULTICAST FILTERING dua1730 0bAA03 book Page 38 Monday July 11 2005 11 14 AM ...

Страница 39: ...nt Interface Reference Guide supplied in HTML format on the CD ROM that accompanies your Switch Spanning Tree Protocol STP The Spanning Tree Protocol STP makes your network more resilient to link failure and also provides a protection from loops one of the major causes of broadcast storms STP is enabled by default on your Switch To be fully effective STP must be enabled on all Switches in your net...

Страница 40: ...to an endstation to begin forwarding traffic after only four seconds this Auto setting is default for front panel ports During these four seconds RSTP or STP will detect any misconfiguration that may cause a temporary loop and react accordingly If you have Fast Start disabled on a port the Switch will wait for 30 seconds before RSTP or STP lets the port forward traffic If you set Fast Start to Ena...

Страница 41: ...parated by three bridges With this configuration each segment can communicate with the others using two paths Without STP enabled this configuration creates loops that cause the network to overload Figure 7 A network configuration that creates loops Figure 8 shows the result of enabling STP on the bridges in the configuration STP detects the duplicate paths and prevents or blocks one of them from ...

Страница 42: ...he most efficient path between each bridged segment and a specifically assigned reference point on the network Once the most efficient path has been determined all other paths are blocked Therefore in Figure 7 Figure 8 and Figure 9 STP initially determined that the path through Bridge C was the most efficient and so blocked the path through Bridge B After the failure of Bridge C STP re evaluated t...

Страница 43: ... the bandwidth of the link the higher the cost the less efficient the link Table 3 shows the default port costs for a Switch Table 3 Default port costs STP Calculation The first stage in the STP process is the calculation stage During this stage each bridge on the network transmits BPDUs that allow the system to work out Port Speed Link Type Path Cost 802 1D 1998 Path Cost 802 1w 10 Mbps Half Dupl...

Страница 44: ...twork have agreed on the identity of the Root Bridge and have established the other relevant parameters each bridge is configured to forward traffic only between its Root Port and the Designated Bridge Ports for the respective network segments All other ports are blocked which means that they are prevented from receiving or forwarding traffic STP Reconfiguration Once the network topology is stable...

Страница 45: ... all other bridges in the network have had time to react to the change So the main benefit of RSTP is that the configuration decision is made locally rather than network wide which is why RSTP can carry out automatic configuration and restore a link faster than STP STP Example Figure 10 shows a LAN that has STP enabled The LAN has three segments and each segment is connected using two possible lin...

Страница 46: ...100 Port 2 on Bridge C is therefore selected as the Designated Bridge Port for LAN Segment 3 STP Configurations Figure 11 shows three possible STP configurations using SuperStack 3 Switch units Configuration 1 Redundancy for Backbone Link In this configuration the Switches both have STP enabled and are connected by two links STP discovers a duplicate path and blocks one of the links If the enabled...

Страница 47: ...How STP Works 47 Figure 11 STP configurations dua1730 0bAA03 book Page 47 Monday July 11 2005 11 14 AM ...

Страница 48: ...ween Switch B and Switch C By default this link has a path cost of 100 and is automatically blocked because the other Switch to Switch connections have a path cost of 36 18 18 This means that both VLANs are now subdivided VLAN 1 on Switch units A and B cannot communicate with VLAN 1 on Switch C and VLAN 2 on Switch units A and C cannot communicate with VLAN 2 on Switch B Figure 12 Configuration th...

Страница 49: ...e that accompanies your Switch For detailed descriptions of the web interface operations and the command line interface CLI commands that you require to manage the Switch please refer to the Management Interface Reference Guide supplied in HTML format on the CD ROM that accompanies your Switch How Switch Database Entries Get Added Entries are added to the Switch Database in one of two ways The Swi...

Страница 50: ...oved from the network its entry is also removed from the database Learned entries are removed from the Switch Database if the Switch is reset or powered down Non aging learned If the aging time is set to 0 seconds all learned entries in the Switch Database become non aging learned entries This means that they are not aged out but they are still removed from the database if the Switch is reset or p...

Страница 51: ...iving it a basic capability to prioritize traffic For more granular prioritization and an enhanced Quality of Service support other products are available in the 3Com range of stackable Switches What is Traffic Prioritization Traffic prioritization allows high priority data such as time sensitive and system critical data to be transferred smoothly and with minimal delay over a network Traffic prio...

Страница 52: ...g traffic for prioritization Traffic classification is the means of identifying which application generated the traffic so that a service level can be applied to it The two supported methods for classifying traffic are 802 1D classification is done at layer 2 of the OSI model DiffServ code point classification is done at layer 3 of the OSI model 802 1D traffic classification At layer 2 a traffic s...

Страница 53: ...ed by the Switch 4200 Series DiffServ traffic classification DiffServ is an alternative method of classifying traffic so that different levels of service can be applied to it on a network DiffServ is a layer 3 function and the service to be applied is contained within the DSCP field which is in the IP header of a packet 802 1p Service levels Classification 802 1D Low Priority Queue Egress Port Bes...

Страница 54: ...witch 4200 Family are checked for DSCP classification and IEEE 802 1D priority The Switch 4200 Family does not set or modify priority levels within the packet The transmitting endstation sets the priority of each packet When the packet is received the Switch places the packet into the appropriate queue depending on its priority level for onward transmission across the network The Switch determines...

Страница 55: ... traffic prioritization for QoS on a 4200 Family QoS can be configured on your Switch using the 3Com Network Supervisor or via the Command Line Interface CLI You can also configure QoS via the command line interface CLI For a detailed description of the commands that you require refer to the Management Interface Reference Guide supplied in HTML format on the CD ROM that accompanies your Switch Con...

Страница 56: ...this setting Data protocols operating window sizes greater that 18 kilobytes will not work efficiently with this setting Data This setting increases the maximum egress buffer per port to 32 kilobytes or 27 packets This setting is suitable if data applications require a window size of up to 32 kilobytes Under these circumstances high priority traffic may not always be able to access sufficient Swit...

Страница 57: ...opics What is RMON Benefits of RMON RMON and the Switch What is RMON RMON is a system defined by the IETF Internet Engineering Task Force that allows you to monitor the traffic of LANs or VLANs RMON is an integrated part of the Switch software agent and continually collects statistics about a LAN segment or VLAN and transfers the information to a management workstation on request or when a pre def...

Страница 58: ...arms are used to inform you of network performance problems and they can trigger automated responses through the Events group Events The Events group provides you with the ability to create entries in an event log and send SNMP traps to the management workstation Events are the action that can result from an RMON alarm In addition to the standard five traps required by SNMP link up link down warm ...

Страница 59: ...ou can analyze the causes of problems It reduces the load on the network and the management workstation Traditional network management involves a management workstation polling network devices at regular intervals to gather statistics and identify problems or trends As network sizes and traffic levels grow this approach places a strain on the management workstation and also generates large amounts...

Страница 60: ... Statistics session per port History A new or initialized Switch has two History sessions per port These sessions provide the data for the Web interface history displays 30 second intervals 120 historical samples stored 2 hour intervals 96 historical samples stored Alarms A new or initialized Switch has the following alarm s defined for each port Broadcast bandwidth used Percentage of errors over ...

Страница 61: ...and unfilter port Send Trap Stop blocking broadcast and multicast traffic on the port System started Software Upgrade report Table 5 Alarm Events Event Action Table 6 Values for the default alarm s Statistic High Threshold Low Threshold Recovery Period Broadcast bandwidth used Value 20 Action Notify and filter Value 10 Action Notify and unfilter 30 secs Number of errors over 10 seconds Value 8 err...

Страница 62: ...ur You can receive notification via email SMS Short Message Service or pager of the event that has occurred This feature uses an SMTP Simple Mail Transfer Protocol email client to send the notification email The Short Message Service SMS and pager messages are constrained on message size so they are sent to a different email address which creates the message to be displayed and then forwards it on...

Страница 63: ...link to a server A security violation occurs A resilient link activates System Started Smart Autosensing Activated Temperature Critical Secure address learned Execution of intrusion action Authentication failure POST Failed ports Port access authentication failure Port access logon Port access logoff dua1730 0bAA03 book Page 63 Monday July 11 2005 11 14 AM ...

Страница 64: ...64 CHAPTER 7 STATUS MONITORING AND STATISTICS dua1730 0bAA03 book Page 64 Monday July 11 2005 11 14 AM ...

Страница 65: ...the CD ROM that accompanies your Switch What are VLANs A VLAN is a flexible group of devices that can be located anywhere in a network but which communicate as if they are on the same physical segment With VLANs you can segment your network without being restricted by physical connections a limitation of traditional network design As an example with VLANs you can segment your network according to ...

Страница 66: ...a different subnetwork the addresses of each endstation must be updated manually With a VLAN setup if an endstation in VLAN Marketing for example is moved to a port in another part of the network and retains its original subnet membership you only need to specify that the new port is in VLAN Marketing You do not need to carry out any re cabling VLANs provide extra security Devices within each VLAN...

Страница 67: ...about each VLAN on your Switch before the Switch can use it to forward traffic VLAN Name This is a descriptive name for the VLAN for example Marketing or Management 802 1Q VLAN ID This is used to identify the VLAN if you use 802 1Q tagging across your network The Default VLAN A new or initialized Switch contains a single VLAN the Default VLAN This VLAN has the following definition VLAN Name Defaul...

Страница 68: ...can be an untagged member but if the port needs to be a member of multiple VLANs tagged membership must be defined Typically endstations for example clients or servers will be untagged members of one VLAN while inter Switch connections will be tagged members of all VLANs The IEEE 802 1Q standard defines how VLANs operate within an open packet switched network An 802 1Q compliant packet carries add...

Страница 69: ...any of the VLANs defined on your Switch 802 1Q tagging can only be used if the devices at both ends of a link support IEEE 802 1Q To create an 802 1Q tagged link 1 Ensure that the device at the other end of the link uses the same 802 1Q tags as your Switch that is the same VLAN IDs are configured note that VLAN IDs are global across the network 2 Place the Switch ports in the required VLANs as tag...

Страница 70: ...and therefore untagged connections can be used The example shown in Figure 17 illustrates a single Switch connected to endstations and servers using untagged connections Ports 1 2 and 3 of the Switch belong to VLAN 1 ports 10 11 and 12 belong to VLAN 2 VLANs 1 and 2 are completely separate and cannot communicate with each other This provides additional security for your network Figure 17 VLAN conf...

Страница 71: ...trates two Switch units Each switch has endstations and a server in VLAN 1 and VLAN 2 All endstations in VLAN 1 need to be able to connect to the server in VLAN1 which is attached to Switch 1 and all endstations in VLAN 2 need to connect to the server in VLAN2 which is attached to Switch 2 Figure 18 VLAN configuration example 802 1Q tagged connections To set up the configuration shown in Figure 18...

Страница 72: ...in the appropriate VLANs as untagged members 6 Add port 11 on Switch 2 to the VLANs Add port 11 on Switch 2 as a tagged member of both VLANs 1 and 2 so that all VLAN traffic is passed over the link to Switch 1 7 Check the VLAN membership for both switches The relevant ports should be listed in the VLAN members summary 8 Connect the switches Connect port 12 on Switch 1 to port 11 on Switch 2 The VL...

Страница 73: ... setting up your Switch for management see the Getting Started Guide that accompanies your Switch For detailed descriptions of the web interface operations and the command line interface CLI commands that you require to manage the Switch please refer to the Management Interface Reference Guide supplied in HTML format on the CD ROM that accompanies your Switch For background information on IP addre...

Страница 74: ...do not have to choose between these three automatic configuration methods The Switch tries each method in a specified order as described in Automatic Process on page 75 Manual IP Configuration you can manually input the IP information IP address subnet mask and default gateway If you select an option for no IP configuration the Switch will not be accessible from a remote management workstation on ...

Страница 75: ...e this address is not already in use on the network If not it will allocate this default address to the Switch If this IP address is already in use Auto IP will check once every second for three seconds for an IP address on the 169 254 x y subnet where x 1 254 and y 0 255 Auto IP only uses addresses in the range 169 254 1 0 through to 169 254 254 255 as valid addresses Once Auto IP has ensured tha...

Страница 76: ...y change its IP address whilst in use Event Log Entries and Traps An event log will be generated and an SNMP trap will be sent if any of the following changes occur in the IP configuration IP address configuration is changed manually IP address changes from Auto IP to DHCP IP configuration DHCP negotiates a change in the IP configuration from Auto IP BOOTP negotiates a change in the IP configurati...

Страница 77: ... Login What is Rada Auto VLAN Assignment What is Disconnect Unauthorized Device DUD What is RADIUS For detailed descriptions of the Web interface operations and the Command Line Interface CLI commands that you require to manage the Switch please refer to the Management Interface Reference Guide supplied in HTML format on the CD ROM that accompanies your Switch dua1730 0bAA03 book Page 77 Monday Ju...

Страница 78: ... Disconnect Unauthorized Device DUD on page 85 Learning Off Only traffic received from an authorized address either configured by management or learned while the port was prevously operating in the Automatic Learning mode is forwarded While in this mode the DUD operation is enabled When a port in this mode has learned the maximum number of authorized addresses configured for the port then it will ...

Страница 79: ...ting hosts is still required for example client virus isolation This mode is intended to complement 802 1X network login and can be used to authorise host access to any network resource It can only be considered secure if the MAC based authentication is configured to deny access to all secure network resources It is intended to prevent access to secure network resources if a particular edge device...

Страница 80: ...witch port no intervening switch or hub as the Switch uses the link status to determine if an authorized client device is connected Network Login will not operate correctly if there is a bridge device between the client device and the Switch port or if there are multiple client devices attached via a hub to the Switch port In addition to providing protection against unauthorized network access Net...

Страница 81: ...rity settings Figure 19 Network Login Operation When the client device and RADIUS server have exchanged authentication information the Switch receives either an authentication succeeded or failed message from the server and then configures the port to forward or filter traffic as appropriate If access is granted the Spanning Tree Protocol places the port into the forwarding state and the client de...

Страница 82: ...thenticating its MAC address A host is allowed access to the entire network to a restricted network or no access at all The switch obtains the network access authorisation from a centrally located RADIUS server by supplying the MAC address of the host as shown in Figure 20 Figure 20 Network Login Operation via MAC Address For Rada the Switch uses PAP Password Authentication Protocol Rada has an Un...

Страница 83: ...assword The username should be set as the MAC address of the device This must be of the form of Hex digits separated by hyphens for example 08 05 54 AB CD EF Table 7 Setting Rada attributes Auto VLAN Assignment Auto VLAN assignment complements the basic Network Login and Rada features It allows an appropriate VLAN configuration to be obtained from a RADIUS server when a user or device authenticate...

Страница 84: ...tication on a single port could compromise the security of the entire network RADIUS Server settings for Auto VLAN When setting up Auto VLAN on a RADIUS server the following attributes must be set to supply VLAN data to the Switch Table 8 Setting Auto VLAN attributes The Tunnel Private Group ID attribute specifies the VLAN to be assigned This can take various forms to indicate if the port is untag...

Страница 85: ... disabled for 20 seconds When the time period has expired the port is re enabled if the port is set to one of the Network Login security modes the client device is authenticated again Do not disable the port The port is not disabled and data from authorized client devices will continue to be transmitted whilst data from unauthorized client devices will be filtered What is RADIUS Remote Authenticat...

Страница 86: ...86 CHAPTER 10 MAKING YOUR NETWORK SECURE dua1730 0bAA03 book Page 86 Monday July 11 2005 11 14 AM ...

Страница 87: ... be restored onto the Switch from a remote file The configuration information is stored in an editable ASCII text file as a set of Command Line Interface CLI commands All configuration information that can be set using the Switch s Command Line Interface is saved and restored Sensitive information such as user passwords and the IP address configuration is not saved You can edit the text file and a...

Страница 88: ...saved by a single user at a time The system summary CLI command displays the progress of restore and save operations to all other users When using the Configuration Save and Restore feature 3Com recommends that aggregated links are configured as either Manual aggregations with Link Aggregation Configuration Protocol LACP disabled on the ports that are to be manually placed in the aggregated link o...

Страница 89: ...re Your Switch has an image of the Switching software residing in Flash memory During the software upgrade process the loading software image will always over write the existing software image In the event of a software upgrade failing you must completely reinstall the image to avoid potential complications You will not be able to run a corrupted or missing software image The CD ROM supplied with ...

Страница 90: ...o power up correctly The symptoms of a failed TFTP software upgrade are the PowerOn Self Test POST has failed the Power Self Test LED is yellow all of the Port Status LEDs are Off you cannot access the Switch via Telnet dua1730 0bAA03 book Page 90 Monday July 11 2005 11 14 AM ...

Страница 91: ...ES AND INDEX Appendix A Configuration Rules Appendix B Network Configuration Examples Appendix C IP Addressing Appendix D Standards Supported Glossary Index dua1730 0bAA03 book Page 91 Monday July 11 2005 11 14 AM ...

Страница 92: ...92 dua1730 0bAA03 book Page 92 Monday July 11 2005 11 14 AM ...

Страница 93: ...h connections up to 100 m 328 ft The different types of Gigabit Ethernet media and their specifications are detailed in Table 9 Table 9 Gigabit Ethernet cabling Gigabit Ethernet Transceivers Fiber Type Modal Bandwidth MHz km Lengths Supported Specified by IEEE meters 1000BASE LX 1000BASE SX 1000BASE T MM Multimode 62 5 µm MM 50 µm MM 50 µm MM 10 µm SM 62 5 µm MM 62 5 µm MM 50 µm MM 50 µm MM N A SM...

Страница 94: ... Fast Ethernet networks Figure 21 Fast Ethernet configuration rules The key topology rules are Maximum UTP cable length is 100 m 328 ft over Category 5 cable A 412 m 1352 ft fiber link is allowed for connecting switch to switch or endstation to switch using half duplex 100BASE FX A total network span of 325 m 1066 ft is allowed in single repeater topologies one hub stack per wiring closet with a f...

Страница 95: ...for all its ports including Expansion Module ports Full duplex allows packets to be transmitted and received simultaneously and in effect doubles the potential throughput of a link With full duplex the Ethernet topology rules are the same but the Fast Ethernet rules are Maximum UTP cable length is 100 m 328 ft over Category 5 cable A 2 km 6562 ft fiber link is allowed for connecting switch to swit...

Страница 96: ...96 APPENDIX A CONFIGURATION RULES dua1730 0bAA03 book Page 96 Monday July 11 2005 11 14 AM ...

Страница 97: ... contains the following sections Simple Network Configuration Examples Desktop Switch Example Advanced Network Configuration Examples Improving the Performance and Resilience of Your Network dua1730 0bAA03 book Page 97 Monday July 11 2005 11 14 AM ...

Страница 98: ...ted 10 Mbps or 100 Mbps connections to the desktop The Switch 4200 Family stack uses one of its built in 1000BASE T ports to provide a Gigabit Ethernet link to a Switch 3870 in the basement Figure 22 Using the Switch 4200 Family in a desktop environment Switch 4200 Family stack Endstations on 10 Mbps 100 Mbps connections Local server on a switched 100 Mbps connection Local server on a switched 100...

Страница 99: ...bandwidth available for the backbone connection and also provides extra resilience Figure 23 Network set up to provide resilience Endstations on 10 100 Mbps connections 100 Mbps Servers on 1000 Mbps connections with resilient links set up 1000 Mbps with aggregated links set up Server on 1000 Mbps connection with aggregated links Server on 1000 Mbps connection with aggregated links Core Switch Stac...

Страница 100: ...100 APPENDIX B NETWORK CONFIGURATION EXAMPLES dua1730 0bAA03 book Page 100 Monday July 11 2005 11 14 AM ...

Страница 101: ...ves a more in depth explanation of IP addresses and the way they are structured Simple Overview To operate correctly each device on your network must have a unique IP address IP addresses have the format n n n n where n is a decimal number between 0 and 255 An example IP address is 192 168 100 8 The IP address can be split into two parts The first part called the network part 192 168 in the exampl...

Страница 102: ... organization responsible for supplying registered IP addresses The following contact information is correct at time of publication World Wide Web site http www internic net Advanced Overview IP addresses are 32 bit addresses that consist of a network part the address of the network where the host is located and a host part the address of the host on that network Figure 24 IP Address Network Part ...

Страница 103: ...s follows Class A address Uses 8 bits for the network part and 24 bits for the host part Although only a few Class A networks can be created each can contain a very large number of hosts Class B address Uses 16 bits for the network part and 16 bits for the host part Class C address Uses 24 bits for the network part and 8 bits for the host part Each Class C network can contain only 254 hosts but ma...

Страница 104: ... mask identifies the bits that constitute the subnetwork address and the bits that constitute the host address A subnet mask is a 32 bit number in the IP address format The 1 bits in the subnet mask indicate the network and subnetwork part of the address The 0 bits in the subnet mask indicate the host part of the IP address as shown in Figure 26 Figure 26 Subnet Masking Figure 27 shows an example ...

Страница 105: ...th the Class B natural network mask 255 255 and the subnet mask 255 240 is sometimes called the extended network prefix Continuing with the previous example the subnetwork part of the mask uses 12 bits and the host part uses the remaining 4 bits Because the octets are actually binary numbers the number of subnetworks that are possible with this mask is 4 096 212 and the number of hosts that are po...

Страница 106: ...P packets the gateway determines the next network hop on the path to the remote destination and sends the packets to that hop This could either be the remote destination or another gateway closer towards the destination This hop by hop process continues until the IP packets reach the remote destination If manually configuring IP information for the Switch enter the IP address of the default gatewa...

Страница 107: ...II RFC 1213 Bridge MIB RFC 1493 RMON MIB II RFC2021 Remote Monitoring MIB RFC 1757 MAU MIB RFC 2239 Administration UDP RFC 768 IP RFC 791 ICMP RFC 792 TCP RFC 793 ARP RFC 826 TFTP RFC 783 DHCP RFC 2131 RFC 2132 RFC 1534 BOOTP RFC 951 RFC 1497 Terminal Emulation TELNET RFC 854 Network Login Network Login IEEE 802 1X RADIUS RFC 2618 2620 dua1730 0bAA03 book Page 107 Monday July 11 2005 11 14 AM ...

Страница 108: ...108 APPENDIX D STANDARDS SUPPORTED dua1730 0bAA03 book Page 108 Monday July 11 2005 11 14 AM ...

Страница 109: ...val of dynamic entries from the Switch Database which have timed out and are no longer valid Aggregated Links Aggregated links allow a user to increase the bandwidth and resilience between switches by using a group of ports to carry traffic between the switches auto negotiation A feature on twisted pair ports that allows them to advertise their capabilities for speed duplex and flow control When c...

Страница 110: ... a network to fail Broadcast storms can be due to faulty network devices cache Stores copies of frequently accessed objects locally to users and serves them to users when requested Classifier Classifies the traffic on the network Traffic classifications are determined by protocol application source destination and so on You can create and modify classifications The Switch then groups classified tr...

Страница 111: ...rox Intel and Digital Equipment Corporation Ethernet networks use CSMA CD to transmit packets at a rate of 10 Mbps over a variety of cables Ethernet address See MAC address Fast Ethernet An Ethernet system that is designed to operate at 100Mbps forwarding The process of sending a packet toward its destination using a networking device Forwarding Database See Switch Database filtering The process o...

Страница 112: ...changing files text graphic images sound video and other multimedia files on the World Wide Web IEEE Institute of Electrical and Electronics Engineers This American organization was founded in 1963 and sets standards for computers and communications IEEE 802 1D A standard that defines the behavior of bridges in an Ethernet network IEEE 802 1p A standard that defines traffic prioritization 802 1p i...

Страница 113: ...r 3 network protocol that is the standard for sending data through a network IP is part of the TCP IP set of protocols that describe the routing of packets to addressed devices IPX Internetwork Packet Exchange IPX is a layer 3 and 4 network protocol designed for networks that use Novell Netware IP address Internet Protocol address A unique identifier for a device attached to a network using TCP IP...

Страница 114: ...nterface An Ethernet port connection where the transmitter of one device is connected to the receiver of another device MDI X Medium Dependent Interface Cross over An Ethernet port connection where the internal transmit and receive lines are crossed MIB Management Information Base A collection of information about the management characteristics and parameters of a networking device MIBs are used b...

Страница 115: ...ion between a network device and a shared authentication server Rapid Spanning Tree Protocol An enhanced version of the Spanning Tree Protocol that allows faster determination of Spanning Tree topology throughout the bridged network repeater A simple device that regenerates LAN traffic so that the transmission distance of that signal can be extended Repeaters are used to connect two LANs of the sa...

Страница 116: ...iably and efficiently as defined in RFC 821 SNMP Simple Network Management Protocol The current IETF standard protocol for managing devices on an TCP IP network Spanning Tree Protocol STP A bridge based system for providing fault tolerance on networks STP works by allowing you to implement parallel paths for network traffic and ensure that redundant paths are disabled when the main paths are opera...

Страница 117: ...a virtual terminal service letting a user log into another computer system and access a device as if the user were connected directly to the device TFTP Trivial File Transfer Protocol Allows you to transfer files such as software upgrades from a remote device using the local management capabilities of the Switch traffic classification Traffic can be classified using one or more of types of traffic...

Страница 118: ...ache A device that is installed on the network to cache frequently accessed Web pages from which they can be retrieved thus reducing network traffic over the WAN dua1730 0bAA03 book Page 118 Monday July 11 2005 11 14 AM ...

Страница 119: ...ON group 60 Configuration Restore 20 87 Save 20 87 conventions notice icons About This Guide 10 text About This Guide 10 D default gateway 106 Default VLAN 67 Designated Bridge 44 Designated Bridge Port 44 DHCP 16 74 Disconnect Unauthorized Device DUD 16 85 E event notification 20 62 Events RMON group 58 60 extended network prefix 105 F Fast Ethernet configuration rules 94 Filter RMON group 58 60 ...

Страница 120: ...ts permanent SDB entries 50 port costs default 43 port security 16 77 78 priority in STP 43 priority levels 802 1D 52 Q QoS apply QoS profile 56 configuring traffic on a Switch 4200 55 creating profiles 56 How traffic is processed to provide QoS 55 service levels 55 traffic classification 55 Quality of Service 19 R RADA 16 82 RADIUS 85 Rapid Spanning Tree Protocol RSTP 18 40 registered IP address ...

Страница 121: ...b networks See subnets Switch Database 49 switch management login 77 T topology rules for Fast Ethernet 94 topology rules with full duplex 95 traffic classification 802 1D 52 traffic prioritization 51 802 1D 52 Trusted IP 85 U upgrade software 89 Upgrading Flash Images 89 Upgrading Management Software 89 Upgrading the Switch 4400 SE 89 V VLANs 65 802 1Q tagging 69 benefits 66 communication between...

Страница 122: ...122 INDEX dua1730 0bAA03 book Page 122 Monday July 11 2005 11 14 AM ...

Отзывы:

Нет отзывов

Похожие инструкции для 3C17300-US - SuperStack 3 Switch 4226T

Бренд: Accedian Страницы: 2

Бренд: Black Box Страницы: 28

Бренд: N-Tron Страницы: 196

Бренд: Lindy Страницы: 7

Бренд: DELTA DORE Страницы: 3

Бренд: SMART-AVI Страницы: 2

TIMEGUARD IS3N-20

Бренд: Theben Страницы: 2

SilverStorm 9120

Бренд: Qlogic Страницы: 16

Бренд: J-Tech Digital Страницы: 8

Бренд: Eaton Страницы: 4

Бренд: H3C Страницы: 34

Бренд: Alcor Страницы: 24

ServeView Pro SEB-8UB

Бренд: Rose electronics Страницы: 36

SIMATIC NETRUGGEDCOM RS900W

Бренд: Siemens Страницы: 50

SIMATIC NET SCALANCE X-000 Series

Бренд: Siemens Страницы: 52

SIMATIC NET RUGGEDCOM RST916P

Бренд: Siemens Страницы: 50

SIMATIC NET RUGGEDCOM RST916C

Бренд: Siemens Страницы: 50

SIMATIC RUGGEDCOM RSG2100P

Бренд: Siemens Страницы: 58

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды