manualshive.com logo in svg

3Com 4210 PWR, Руководство по настройке

Поделиться
Скачать
3Com 4210 PWR Скачать руководство пользователя страница 130

128

C

HAPTER

 12: P

ORT

 S

ECURITY

 C

ONFIGURATION

Configuring the Trap feature

Ignoring the 

Authorization 

Information from the 

RADIUS Server

After an 802.1x user or MAC-authenticated user passes Remote Authentication 
Dial-In User Service (RADIUS) authentication, the RADIUS server delivers the 
authorization information to the device. You can configure a port to ignore the 
authorization information from the RADIUS server.

Configuring Security 

MAC Addresses

Security MAC addresses are special MAC addresses that never age out. One 
security MAC address can be added to only one port in the same VLAN so that you 
can bind a MAC address to one port in the same VLAN.

Security MAC addresses can be learned by the auto-learn function of port security 
or manually configured.

Before adding security MAC addresses to a port, you must configure the port 
security mode to 

autolearn

. After this configuration, the port changes its way of 

learning MAC addresses as follows.

The port deletes original dynamic MAC addresses;

If the amount of security MAC addresses has not yet reach the maximum 
number, the port will learn new MAC addresses and turn them to security 
MAC addresses;

If the amount of security MAC addresses reaches the maximum number, the 
port will not be able to learn new MAC addresses and the port mode will be 
changed from 

autolearn

 to 

secure

.

The security MAC addresses manually configured are written to the configuration 
file; they will not get lost when the port is up or down. As long as the 
configuration file is saved, the security MAC addresses can be restored after the 
switch reboots.

Table 84   

Configure port security trapping

Operation 

Command 

Remarks 

Enter system view 

system-view

 

Enable sending traps for the 
specified type of event 

port-security trap { 
addresslearned | 
dot1xlogfailure | 
dot1xlogoff | dot1xlogon | 
intrusion | ralmlogfailure | 
ralmlogoff | ralmlogon }

Required

By default, no trap is sent.

Table 85   

Configure a port to ignore the authorization information from the RADIUS 

server

Operation 

Command 

Remarks 

Enter system view 

system-view

 

Enter Ethernet port view 

interface

 

interface-type 

interface-number

 

Ignore the authorization 
information from the RADIUS 
server 

port-security authorization 
ignore

 

Required

By default, a port uses the 
authorization information 
from the RADIUS server.

Содержание 4210 PWR

Страница 1: ...amily Configuration Guide Switch 4210 PWR 9 port Switch 4210 PWR 18 port Switch 4210 PWR 26 port Switch 4210 9 port Switch 4210 18 port Switch 4210 26 port www 3Com com Part Number 10016117 Rev AA Pub...

Страница 2: ...252 227 7015 Nov 1995 or FAR 52 227 14 June 1987 whichever is applicable You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in or d...

Страница 3: ...entication Mode Being Scheme 44 Logging in Using a Modem 52 Logging in through the Web based Network Management System 56 Managing from an NMS 59 User Control 60 3 CONFIGURATION FILE MANAGEMENT Introd...

Страница 4: ...10 LINK AGGREGATION CONFIGURATION Overview 107 Link Aggregation Classification 108 Aggregation Group Categories 110 Link Aggregation Configuration 111 Displaying and Maintaining Link Aggregation Confi...

Страница 5: ...cast Models 189 Multicast Architecture 189 Multicast Packet Forwarding Mechanism 195 16 IGMP SNOOPING CONFIGURATION IGMP Snooping Overview 197 IGMP Snooping Configuration 200 Displaying and Maintainin...

Страница 6: ...AC Authentication Functions 270 MAC Address Authentication Enhanced Function Configuration 271 Displaying and Debugging MAC Authentication 274 MAC Authentication Configuration Example 275 23 ARP CONFI...

Страница 7: ...30 CLUSTER Cluster Overview 317 Cluster Configuration Tasks 325 Displaying and Maintaining Cluster Configuration 333 Cluster Configuration Example 333 31 POE CONFIGURATION PoE Overview 339 PoE Config...

Страница 8: ...GURATION SSH Overview 387 Configuring the SSH Server 390 Configuring the SSH Client 396 Displaying SSH Configuration 406 SSH Configuration Examples 406 37 FILE SYSTEM MANAGEMENT CONFIGURATION File Sys...

Страница 9: ...Example 491 45 REMOTE PING CONFIGURATION Remote Ping Overview 495 Remote Ping Configuration 498 Remote Ping Configuration Example 511 46 IPV6 MANGEMENT CONFIGURATION IPv6 Overview 525 IPv6 Configurat...

Страница 10: ...Password Control Configuration 556 Displaying Password Control 563 Password Control Configuration Example 564...

Страница 11: ...sts icon conventions that are used throughout this guide Table 2 lists text conventions that are used throughout this guide Table 1 Notice Icons Icon Notice Type Description n Information note Informa...

Страница 12: ...nformation in this guide differs from information in the release notes use the information in the Release Notes These documents are available in Adobe Acrobat Reader Portable Document Format PDF on th...

Страница 13: ...to enter partially matching text to search for commands This allows you to execute a command by entering partially spelled command keywords as long as the system can uniquely identify the keywords ent...

Страница 14: ...ation for user level switching Switching to a specific user level n If no user level is specified in the super password command or the super command level 3 is used by default For security purposes th...

Страница 15: ...perating and maintaining the switch When you change the level of a command with multiple keywords you should input the keywords one by one in the order they appear in the command syntax Otherwise your...

Страница 16: ...switch To enter the system view execute the system view command Table 4 lists the CLI views provided by the Switch 4210 Family operations that can be performed in each view and the commands used to e...

Страница 17: ...Configure user interface parameters 4210 ui aux0 Execute the user interface command in system view FTP client view Configure FTP client parameters ftp Execute the ftp command in user view SFTP client...

Страница 18: ...ll available keywords at the position and their descriptions will be displayed on your terminal Basic ACL view Define rules for a basic ACL with ID ranging from 2000 to 2999 4210 acl basic 2000 Execut...

Страница 19: ...u udp unit user interface users 3 Enter the first several characters of a command s keyword and then press Tab If there is a unique keyword beginning with the characters just typed the unique keyword...

Страница 20: ...t executed history commands Execute the display history command command This command displays the command history Recall the previous history command Press the up arrow key or Ctrl P This operation re...

Страница 21: ...keyword and press Tab if the input parameter uniquely identifies a complete keyword the system substitutes the complete keyword for the input parameter if more than one keywords match the input parame...

Страница 22: ...20 CHAPTER 1 CLI CONFIGURATION...

Страница 23: ...Ethernet port or remotely over the network using Telnet or SSH The VTY port is the logical port associated with your management session User Interface Index Index numbers are used to distinguish betwe...

Страница 24: ...e user interface type number Optional Execute this command in user view Enter system view system view Set the banner header incoming legal login shell text Optional By default no banner is configured...

Страница 25: ...ng into a switch you can perform configuration for AUX users Refer to Common Configurations on page 26 Following are the procedures to connect to a switch through the Console port 1 Connect the serial...

Страница 26: ...24 CHAPTER 2 LOGGING INTO AN ETHERNET SWITCH Figure 2 Create a connection Figure 3 Specify the port used to establish the connection...

Страница 27: ...key if the switch successfully completes POST power on self test The prompt such as 4210 appears after you press the Enter key as shown in Figure 5 Figure 5 HyperTerminal CLI 4 You can then configure...

Страница 28: ...Check mode Optional By default the check mode of the Console port is set to none which means no check bit Stop bits Optional The default stop bits of a Console port is 1 Data bits Optional The default...

Страница 29: ...ure user names and passwords for local RADIUS users Required The user name and password of a local user are configured on the switch The user name and password of a RADIUS user are configured on the R...

Страница 30: ...of level 3 are available to users logging into the AUX user interface and commands of level 0 are available to users logging into the VTY user interface Enable terminal services shell Optional By def...

Страница 31: ...onsole port is 19 200 bps The screen can contain up to 30 lines The history command buffer can contain up to 20 commands The timeout time of the AUX user interface is 6 minutes Set the timeout time fo...

Страница 32: ...gh the Console port 4210 ui aux0 authentication mode none Specify commands of level 2 are available to users logging into the AUX user interface 4210 ui aux0 user privilege level 2 Set the baud rate o...

Страница 33: ...simple password Required Configure the Console port Set the baud rate speed speed value Optional The default baud rate of an AUX port also the Console port is 9 600 bps Set the check mode parity even...

Страница 34: ...buffer can store up to 20 commands The timeout time of the AUX user interface is 6 minutes Set history command buffer size history command max size value Optional The default history command buffer si...

Страница 35: ...ssword 4210 ui aux0 authentication mode password Set the local password to 123456 in plain text 4210 ui aux0 set authentication password simple 123456 Specify commands of level 2 are available to user...

Страница 36: ...name argument you need to perform the following configuration as well Perform AAA RADIUS configuration on the switch Refer to AAA Configuration on page 245 for more information Configure the user name...

Страница 37: ...ging into the AUX user interface Make terminal services available to the user interface shell Optional By default terminal services are available in all user interfaces Set the maximum number of lines...

Страница 38: ...ure to authenticate the users in the scheme mode The baud rate of the Console port is 19 200 bps The screen can contain up to 30 lines The history command buffer can store up to 20 commands The timeou...

Страница 39: ...C accordingly in the dialog box shown in Figure 4 to log into the switch successfully Logging in through Telnet The Switch 4210 Family supports Telnet You can manage and maintain a switch remotely by...

Страница 40: ...be executed automatically after a user log into the user interface successfully Optional By default no command is executed automatically after a user logs into the VTY user interface VTY terminal conf...

Страница 41: ...on specifies whether to perform local authentication or RADIUS authentication Optional Local authentication is performed by default Refer to AAA Configuration on page 245 Configure user name and passw...

Страница 42: ...user interface successfully auto execute command text Optional By default no command is executed automatically after a user logs into the VTY user interface Make terminal services available shell Opti...

Страница 43: ...e vty 0 Configure not to authenticate Telnet users logging into VTY 0 4210 ui vty0 authentication mode none Specify commands of level 2 are available to users logging into VTY 0 4210 ui vty0 user priv...

Страница 44: ...er interface Configure the protocol to be supported by the user interface protocol inbound all ssh telnet Optional By default both Telnet protocol and SSH protocol are supported Set the commands to be...

Страница 45: ...contain up to 30 lines The history command buffer can contain up to 20 commands The timeout time of VTY 0 is 6 minutes Network diagram Figure 10 Network diagram for Telnet configuration with the auth...

Страница 46: ...i vty0 user privilege level 2 Configure Telnet protocol is supported 4210 ui vty0 protocol inbound telnet Set the maximum number of lines the screen can contain to 30 4210 ui vty0 screen length 30 Set...

Страница 47: ...d Specify the service type for VTY users service type telnet level level Required Quit to system view quit Enter one or more VTY user interface views user interface vty first number last number Config...

Страница 48: ...disable the function to display information in pages Set history command buffer size history command max size value Optional The default history command buffer size is 10 That is a history command buf...

Страница 49: ...users that are authenticatedin the RSA mode of SSH The user privilege level level command is not executed and the service type command does not specify the available command level Level 0 The user pr...

Страница 50: ...ommand buffer can store up to 20 commands The timeout time of VTY 0 is 6 minutes Network diagram Figure 11 Network diagram for Telnet configuration with the authentication mode being scheme Configurat...

Страница 51: ...n IP address to VLAN interface 1 of the switch VLAN 1 is the default VLAN of the switch Connect the serial port of your PC terminal to the Console port of the switch as shown in Figure 12 Figure 12 Di...

Страница 52: ...ing to instructions earlier in this chapter 3 Connect your PC terminal and the switch to an Ethernet as shown in Figure 14 Make sure the port through which the switch is connected to the Ethernet belo...

Страница 53: ...Refer to Command Hierarchy on page 11 and CLI Views on page 14 for information about command hierarchy Telnetting to another Switch from the Current Switch You can Telnet to another switch from the cu...

Страница 54: ...to configure the administrator side and the switch properly as listed in the following table Configuring the Switch Modem Configuration Perform the following configuration on the modem directly conne...

Страница 55: ...on mode is none Refer to Configuring Console Port Login with no Authentication on page 27 Configuration on switch when the authentication mode is password Refer to Configuring Console Port Login to Re...

Страница 56: ...Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch as shown in Figure 18 through Figure 20 Note that you need to set the tel...

Страница 57: ...mpted If the password is correct the prompt such as 4210 appears You can then configure or manage the switch You can also enter the character at anytime for help n If you perform no AUX user related c...

Страница 58: ...or telnet This is an example of creating a Web user account with the user name and password set to admin with level 3 priviledges 4210 system view 4210 local user admin 4210 luser admin service type...

Страница 59: ...onfigured with the header command when a user logs in through Web the banner page is displayed before the user login authentication page The contents of the banner page are the login banner informatio...

Страница 60: ...ss of the switch in the address bar of the browser running on the user terminal and press Enter the browser will display the banner page as shown in Figure 24 Figure 24 Banner page displayed when a us...

Страница 61: ...RMON Configuration on page 361 for related information To manage your switch from an NMS you need to perform related configuration on both the NMS and the switch Figure 25 Network diagram for logging...

Страница 62: ...h basic ACL Controlling Telnet Users by Source IP Addresses By source and destination IP address Through advanced ACL Controlling Telnet Users by Source and Destination IP Addresses By source MAC addr...

Страница 63: ...er config auto As for the acl number command the config keyword is specified by default Define rules for the ACL rule rule id deny permit protocol rule string Required You can define rules as needed t...

Страница 64: ...ntrolling Network Management Users by Source IP Addresses You can manage a Switch 4210 through network management software Network management users can access switches through SNMP You need to perform...

Страница 65: ...ntrol network management users by source IP addresses Operation Command Description Enter system view system view Create a basic ACL or enter basic ACL view acl number acl number match order config au...

Страница 66: ...52 to access the switch 4210 snmp agent community read aaa acl 2000 4210 snmp agent group v2c groupa acl 2000 4210 snmp agent usm user v2c usera groupa acl 2000 Controlling Web Users by Source IP Addr...

Страница 67: ...t Table 34 Control Web users by source IP addresses Operation Command Description Enter system view system view Create a basic ACL or enter basic ACL view acl number acl number match order config auto...

Страница 68: ...66 CHAPTER 2 LOGGING INTO AN ETHERNET SWITCH Apply ACL 2030 to only permit the Web users sourced from the IP address of 10 110 100 52 to access the switch 4210 ip http acl 2030...

Страница 69: ...onfiguration settings commands are grouped into sections by command view The commands that are of the same command view are grouped into one section Sections are separated by comment lines A line is a...

Страница 70: ...ort def This has factory loaded default settings recommended by 3Com There is a specific def file for each switch type Management of Configuration File If the default def configuration file does not e...

Страница 71: ...attribute the file will have both main and backup attributes after execution of this command If the filename you entered is different from that existing in the system this command will erase its back...

Страница 72: ...file as the main startup configuration file You can also use the startup saved configuration cfgfile main command to set the file as main startup configuration file Assign backup attribute to the sta...

Страница 73: ...view Display the configuration file used for this and next startup display startup unit unit id Display the current VLAN configuration of the device display current configuration vlan vlan id by linen...

Страница 74: ...72 CHAPTER 3 CONFIGURATION FILE MANAGEMENT...

Страница 75: ...resources A host in the network receives a lot of packets whose destination is not the host itself causing potential serious security problems Isolating broadcast domains is the solution for the abov...

Страница 76: ...ss the network without changing its network configuration VLAN Principles VLAN tag VLAN tags in the packets are necessary for a switch to identify packets of different VLANs A switch works at the data...

Страница 77: ...e of 1 to 4 094 VLAN ID identifies the VLAN to which a packet belongs When a switch receives a packet carrying no VLAN tag the switch encapsulates a VLAN tag with the default VLAN ID of the inbound po...

Страница 78: ...LAN Port based VLAN technology introduces the simplest way to classify VLANs You can assign the ports on the device to different VLANs Thus packets received on a port will be transmitted through the c...

Страница 79: ...VLAN configuration Optional Displaying VLAN Configuration Table 42 Basic VLAN configuration Operation Command Description Enter system view system view Create multiple VLANs in batch vlan vlan id1 to...

Страница 80: ...erface Vlan interface vlan id Required By default there is no VLAN interface on a switch Specify the description string for the current VLAN interface description text Optional By default the descript...

Страница 81: ...e 32 Switch A and Switch B each connect to a server and a workstation PC For data security concerns the two servers are assigned to VLAN 101 with the descriptive string being DMZ and the PCs are assig...

Страница 82: ...hB vlan101 quit Create VLAN 201 and add Ethernet1 0 12 to VLAN 201 SwitchB vlan 201 SwitchB vlan201 port Ethernet 1 0 12 SwitchB vlan201 quit Configure the link between Switch A and Switch B Because t...

Страница 83: ...ased VLAN 81 n For the command of configuring a port link type port link type and the command of allowing packets of certain VLANs to pass through a port port trunk permit refer to Ethernet Port Confi...

Страница 84: ...82 CHAPTER 5 VLAN CONFIGURATION...

Страница 85: ...of the VLAN interface is the one obtained through BOOTP n For details of DHCP refer to the DHCP module Static Route A static route is configured manually by an administrator You can make a network wit...

Страница 86: ...through Telnet these requirements are to be met Switch A has an IP address and the remote Telnet user is reachable You need to configure the switch as follows Assigning an IP address to the management...

Страница 87: ...anagement VLAN 4210 vlan 10 4210 vlan10 quit 4210 management vlan 10 Create the VLAN 10 interface and enter VLAN interface view 4210 interface vlan interface 10 Configure the IP address of VLAN 10 int...

Страница 88: ...t the routing table display ip routing table verbose Display the routes leading to a specified IP address display ip routing table ip address mask longer match verbose Display the routes leading to a...

Страница 89: ...nto two parts Net ID The first several bits of the IP address defining a network also known as class bits Host ID Identifies a host on a network For administration sake IP addresses are divided into f...

Страница 90: ...s related to the corresponding bits in an IP address In a subnet mask the section containing consecutive ones identifies the combination of net ID and subnet ID whereas the section containing consecut...

Страница 91: ...bnet The maximum number of hosts is thus 64 512 512 126 1022 less after the network is subnetted Class A B and C networks before being subnetted use these default masks also called natural masks 255 0...

Страница 92: ...tch Network diagram Figure 36 Network diagram for IP address configuration Configuration procedure Configure an IP address for VLAN interface 1 4210 system view 4210 interface Vlan interface 1 4210 Vl...

Страница 93: ...rmally the contents of the FIB and the routing table are the same Configuring IP Performance Introduction to IP Performance Configuration Tasks Configuring TCP Attributes TCP optional parameters that...

Страница 94: ...n increases the routing table size of a host the host s performance will be reduced if its routing table becomes very large If a host sends malicious ICMP destination unreachable packets end users may...

Страница 95: ...cs Display ICMP traffic statistics display icmp statistics Display the current socket information of the system display ip socket socktype sock type task id socket id Display the forwarding informatio...

Страница 96: ...94 CHAPTER 8 IP PERFORMANCE CONFIGURATION...

Страница 97: ...s but a trunk port only allows the packets of the default VLAN to be sent without tags You can configure all the three types of ports on the same device However note that you cannot directly switch a...

Страница 98: ...the packet carries a VLAN tag Access Receive the packet and add the default tag to the packet If the VLAN ID is just the default VLAN ID receive the packet If the VLAN ID is not the default VLAN ID di...

Страница 99: ...and to disable the port Set the description string for the Ethernet port description text Optional By default the description string of an Ethernet port is null Set the duplex mode of the Ethernet por...

Страница 100: ...ling Flow Control on a Port Flow control is enabled on both the local and peer switches If congestion occurs on the local switch Configure the available auto negotiation speed s for the port speed aut...

Страница 101: ...Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Set the link type of the port to access port link type access Optional By default the link type...

Страница 102: ...back Detection for an Ethernet Port Loopback detection is used to monitor if loopback occurs on a switch port After you enable loopback detection on Ethernet ports the switch can monitor if external l...

Страница 103: ...ic period Table 64 Configure loopback detection for an Ethernet port Operation Command Remarks Enter system view system view Enable loopback detection globally loopback detection enable Required By de...

Страница 104: ...st these attributes of the cable Receive and transmit directions RX and TX short circuit open circuit or not the length of the faulty cable n Currently the device is only capable of testing the cable...

Страница 105: ...By default a port is allowed to output the Up Down log information Execute the shutdown command or the undo shutdown command on Ethernet 1 0 1 and the system outputs Up Down log information of Etherne...

Страница 106: ...configuration Operation Command Remarks Display port configuration information display interface interface type interface type interface number You can execute the display commands in any view Displa...

Страница 107: ...pe trunk Allow packets of VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 to pass Ethernet1 0 1 4210 Ethernet1 0 1 port trunk permit vlan 2 6 to 50 100 Configure the default VLAN ID of Ethernet1 0 1 to 100...

Страница 108: ...106 CHAPTER 9 PORT BASIC CONFIGURATION...

Страница 109: ...compares the information with the information of other ports on the peer device to determine the ports that can be aggregated In this way the two parties can reach an agreement in adding removing the...

Страница 110: ...e the system determines the mater port with one of the following settings being the highest in descending order as the master port full duplex high speed full duplex low speed half duplex high speed h...

Страница 111: ...rest are unselected ports The ports connected to a peer device different from the one the master port is connected to or those connected to the same peer device as the master port but to a peer port t...

Страница 112: ...as the preferred one 2 Compare port IDs port priority port number on the preferred device The comparison between two port IDs is as follows First compare the two port priorities then the two port numb...

Страница 113: ...ng aggregation resources c CAUTION A load sharing aggregation group contains at least two selected ports but a non load sharing aggregation group can only have one selected port at most while others a...

Страница 114: ...cannot remove the port unless you remove the whole aggregation group Configuring a Static LACP Aggregation Group You can create a static LACP aggregation group or remove an existing static LACP aggreg...

Страница 115: ...s already in a manual aggregation group n Changing the system priority may affect the priority relationship between the aggregation peers and thus affect the selected unselected status of member ports...

Страница 116: ...three ports Adopt three different aggregation modes to implement link aggregation on the three ports between switch A and B Configure a description for an aggregation group link aggregation group agg...

Страница 117: ...net1 0 1 port link aggregation group 1 4210 Ethernet1 0 1 quit 4210 interface Ethernet1 0 2 4210 Ethernet1 0 2 port link aggregation group 1 4210 Ethernet1 0 2 quit 4210 interface Ethernet1 0 3 4210 E...

Страница 118: ...e Ethernet1 0 1 4210 Ethernet1 0 1 lacp enable 4210 Ethernet1 0 1 quit 4210 interface Ethernet1 0 2 4210 Ethernet1 0 2 lacp enable 4210 Ethernet1 0 2 quit 4210 interface Ethernet1 0 3 4210 Ethernet1 0...

Страница 119: ...olation group n When a member port of an aggregation group joins leaves an isolation group the other ports in the same aggregation group on the local device will join leave the isolation group at the...

Страница 120: ...so that they cannot communicate with each other Network diagram Figure 39 Network diagram for port isolation configuration Configuration procedure Add Ethernet1 0 2 Ethernet1 0 3 and Ethernet1 0 4 to...

Страница 121: ...0 interface ethernet1 0 4 4210 Ethernet1 0 4 port isolate 4210 Ethernet1 0 4 quit 4210 quit Display information about the ports in the isolation group 4210 display isolate port Isolated port s on UNIT...

Страница 122: ...120 CHAPTER 11 PORT ISOLATION CONFIGURATION...

Страница 123: ...system security and manageability Port Security Features The following port security features are provided NTK need to know feature By checking the destination MAC addresses in outbound data frames on...

Страница 124: ...s the maximum number configured with the port security max mac count command After the port security mode is changed to the secure mode only those packets whose source MAC addresses are security MAC a...

Страница 125: ...user on the port userLoginWithOUI This mode is similar to the userLoginSecure mode except that besides the packets of the single 802 1x authenticated user the packets whose source MAC addresses have a...

Страница 126: ...oginSecu re mode except that there can be more than one authenticated user on the port macAddressAndUserLo ginSecure To perform 802 1x authentication on the access user MAC authentication must be perf...

Страница 127: ...s Allowed on a Port Port security allows more than one user to be authenticated on a port The number of authenticated users allowed however cannot exceed the configured upper limit By setting the maxi...

Страница 128: ...d to set the maximum number of MAC addresses allowed on the port with the port security max mac count command When the port operates in the autoLearn mode you cannot change the maximum number of MAC a...

Страница 129: ...ty intrusion mode blockmac command on the same port the switch will be unable to disable the packets whose destination MAC address is illegal from being sent out that port that is the NTK feature conf...

Страница 130: ...not yet reach the maximum number the port will learn new MAC addresses and turn them to security MAC addresses If the amount of security MAC addresses reaches the maximum number the port will not be a...

Страница 131: ...ecurity MAC address to the port in VLAN 1 After the number of security MAC addresses reaches 80 the port stops learning MAC addresses If any frame with an unknown MAC address arrives intrusion protect...

Страница 132: ...net1 0 1 port security max mac count 80 Set the port security mode to autolearn 4210 Ethernet1 0 1 port security port mode autolearn Add the MAC address 0001 0002 0003 of Host as a security MAC addres...

Страница 133: ...ch adopts one of the two forwarding methods based upon the MAC address table entries Unicast forwarding If the destination MAC address carried in the packet is included in a MAC address table entry th...

Страница 134: ...ess table the switch forwards the packet to all ports except Ethernet 1 0 1 to ensure that User B can receive the packet Figure 43 MAC address learning diagram 2 3 Because the switch broadcasts the pa...

Страница 135: ...e special circumstances for example User B is unreachable or User B receives the packet but does not respond to it the switch cannot learn the MAC address of User B Hence the switch still broadcasts t...

Страница 136: ...ets destined for or originated from the MAC addresses contained in blackhole MAC address entries Table 88 lists the different types of MAC address entries and their characteristics Configuring MAC Add...

Страница 137: ...ument is a dynamic VLAN after a static MAC address is added it will become a static VLAN Setting the Aging Time of MAC Address Entries Setting aging time properly helps effective utilization of MAC ad...

Страница 138: ...able can dynamically maintain When the number of the MAC address entries learnt from a port reaches the set value the port stops learning MAC addresses Displaying MAC Address Table Information To veri...

Страница 139: ...ver is 000f e20f dc71 Port Ethernet 1 0 2 belongs to VLAN 1 Configuration procedure Enter system view 4210 system view 4210 Add a MAC address with the VLAN ports and states specified 4210 mac address...

Страница 140: ...138 CHAPTER 13 MAC ADDRESS TABLE MANAGEMENT...

Страница 141: ...transmitting BPDUs between STP compliant network devices BPDUs contain sufficient information for the network devices to complete the spanning tree calculation In STP BPDUs come in two types Configura...

Страница 142: ...ated port is the port BP2 on Device B Figure 46 A schematic diagram of designated bridges and designated ports n All the ports on the root bridge are designated ports 4 Path cost Path cost is a value...

Страница 143: ...name 1 Detailed calculation process of the STP algorithm Initial state Upon initialization of a device each device generates a BPDU with itself as the root bridge in which the root path cost is 0 des...

Страница 144: ...they only receive STP packets but do not forward user traffic Once the root bridge the root port on each non root bridge and designated ports have been successfully elected the entire tree shaped topo...

Страница 145: ...TP algorithm Initial state of each device The following table shows the initial state of each device Comparison process and result on each device The following table shows the comparison process and r...

Страница 146: ...PDU of Device A 0 0 0 AP1 Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port 1 0 1 BP1 and updates the configuration BPDU of BP1 Port BP2 recei...

Страница 147: ...iguration BPDU Root port CP1 0 0 0 AP2 Designated port CP2 0 10 2 CP2 Next port CP2 receives the updated configuration BPDU of Device B 0 5 1 BP2 Because the received configuration BPDU is superior to...

Страница 148: ...mes faulty the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout In this case the device generates configuration BP...

Страница 149: ...imized version of STP RSTP allows a newly elected root port or designated port to enter the forwarding state much quicker under certain conditions than in STP As a result it takes a shorter time for t...

Страница 150: ...ing packets from being duplicated and forwarded in a network endlessly Furthermore it offers multiple redundant paths for forwarding data and thus achieves load balancing for forwarding VLAN data MSTP...

Страница 151: ...information about how VLANs are mapped to MSTIs For example in Figure 49 the VLAN mapping table of region A0 is VLAN 1 is mapped to MSTI 1 VLAN 2 is mapped to MSTI 2 and other VLANs are mapped to CIS...

Страница 152: ...er MST region an STP enabled region or an RSTP enabled region An alternate port is a secondary port of a root port or master port and is used for rapid transition With the root port or master port bei...

Страница 153: ...of the highest priority in the network is selected as the root of the CIST In each MST region an IST is calculated by MSTP At the same time MSTP regards each MST region as a switch to calculate the C...

Страница 154: ...as follows For MSTP CIST configuration information is generally expressed as follows Root bridge ID External path cost Master bridge ID Internal path cost Designated bridge ID ID of sending port ID o...

Страница 155: ...witch If the latter takes precedence over the former the switch blocks the local port and keeps the port s configuration BPDU unchanged so that the port can only receive configuration messages and can...

Страница 156: ...nged after the switch is specified as the root bridge or a secondary root bridge Configuring the Bridge Priority of the Current Switch Configure the mode a port recognizes and sends MSTP packets Optio...

Страница 157: ...h VLAN 10 being mapped to spanning tree instance 1 and VLAN 20 through VLAN 30 being mapped to spanning tree 2 4210 system view 4210 stp region configuration 4210 mst region region name info 4210 mst...

Страница 158: ...If the value of the instance id argument is set to 0 the stp root primary stp root secondary command specify the current switch as the root bridge or the secondary root bridge of the CIST A switch can...

Страница 159: ...hes using the stp root secondary command You can also configure the current switch as the root bridge by setting the priority of the switch to 0 Note that once a switch is configured as the root bridg...

Страница 160: ...rmines the format legacy or dot1s of received MSTP packets and then determines the format of the packets to be sent accordingly thus communicating with the peer devices If the format of the received p...

Страница 161: ...RSTP compatible mode MSTP mode where the ports of a switch send MSTP BPDUs or STP BPDUs if the switch is connected to STP enabled switches to neighboring devices In this case the switch is MSTP capabl...

Страница 162: ...ism the maximum hop count configured on the switch operating as the root bridge of the CIST or an MSTI in an MST region becomes the network diameter of the spanning tree which limits the size of the s...

Страница 163: ...ew 4210 stp bridge diameter 6 Configuring the MSTP Time related Parameters Three MSTP time related parameters exist forward delay hello time and max age You can configure the three parameters to contr...

Страница 164: ...guration of the three time related parameters that is the hello time forward delay and max age parameters the following formulas must be met to prevent frequent network jitter 2 x forward delay 1 seco...

Страница 165: ...et port view As the maximum transmitting speed parameter determines the number of the configuration BPDUs transmitted in each hello time set it to a proper value to Table 112 Configure the timeout tim...

Страница 166: ...in one of the following two ways Configure a port as an edge port in system view Configure a port as an edge port in Ethernet port view On a switch with BPDU guard disabled an edge port becomes a non...

Страница 167: ...onfigure the link connected to a port in an aggregation group as a point to point link the configuration will be synchronized to the rest ports in the same aggregation group If an auto negotiating por...

Страница 168: ...procedure Table 119 Enable MSTP in system view Operation Command Description Enter system view system view Enable MSTP stp enable Required MSTP is disabled by default Disable MSTP on specified ports s...

Страница 169: ...able MSTP on specific ports As MSTP disabled ports do not participate in spanning tree calculation this operation saves CPU resources of the switch Table 120 Enable MSTP in Ethernet port view Operatio...

Страница 170: ...ting Speed on the Current Port on page 163 Configuring a Port as an Edge Port Refer to Configuring the Current Port as an Edge Port on page 164 Configuring the Path Cost for a Port The path cost param...

Страница 171: ...the standard for calculating the default path costs of the links connected to the ports of the switch stp pathcost standard dot1d 1998 dot1t legacy Optional By default the legace standard is used to...

Страница 172: ...0000000 With the proprietary standard adopted the path cost ranges from 1 to 200000 Configuration example A Configure the path cost of Ethernet 1 0 1 in spanning tree instance 1 to be 2 000 1 Perform...

Страница 173: ...h can have different port priorities and play different roles in different spanning tree instances This enables packets of different VLANs to be forwarded along different physical paths so that VLAN b...

Страница 174: ...166 Performing mCheck Operation Ports on an MSTP enabled switch can operate in three modes STP compatible RSTP compatible and MSTP A port on an MSTP enabled switch operating as an upstream switch tra...

Страница 175: ...me non edge ports automatically upon receiving configuration BPDUs which causes spanning tree recalculation and network topology jitter Normally no configuration BPDU will reach edge ports But malicio...

Страница 176: ...ops in the network The loop guard function suppresses loops With this function enabled if link congestions or unidirectional link failures occur both the root port and the blocked ports become designa...

Страница 177: ...thernet1 0 1 root protection 2 Perform this configuration in Ethernet port view Table 130 Configure BPDU guard Operation Command Description Enter system view system view Enable the BPDU guard functio...

Страница 178: ...switch to remove the MAC address table within 10 seconds to 5 4210 system view 4210 stp tc protection threshold 5 Table 133 Configure loop guard Operation Command Description Enter system view system...

Страница 179: ...nufacturer s switch as in the same region it records the configuration digests carried in the BPDUs received from another manufacturer s switch and put them in the BPDUs to be sent to the other manufa...

Страница 180: ...in the same MST region When the digest snooping feature is enabled globally the VLAN to MSTI mapping table cannot be modified The digest snooping feature is not applicable to boundary ports in an MST...

Страница 181: ...om the upstream switch and thus sends no agreement packets to the upstream switch As a result the designated port of the upstream switch fails to transit rapidly and can only turn to the forwarding st...

Страница 182: ...latter operates as the upstream switch The network operates normally The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the way to implement rapid transiti...

Страница 183: ...f all instances 4210 system view 4210 stp portlog all Enabling Trap Messages Conforming to 802 1d Standard A switch sends trap messages conforming to 802 1d standard to the network management device i...

Страница 184: ...respectively In this network Switch A and Switch B operate on the convergence layer Switch C and Switch D operate on the access layer VLAN 10 and VLAN 30 are limited in the convergence layer and VLAN...

Страница 185: ...T region 4210 mst region region name example 4210 mst region instance 1 vlan 10 4210 mst region instance 3 vlan 30 4210 mst region instance 4 vlan 40 4210 mst region revision level 0 Activate the sett...

Страница 186: ...ce 4 vlan 40 4210 mst region revision level 0 Activate the settings of the MST region manually 4210 mst region active region configuration Specify Switch C as the root bridge of spanning tree instance...

Страница 187: ...teraction processes in unicast broadcast and multicast Information Transmission in the Unicast Mode In unicast the system establishes a separate data transmission channel for each user requiring this...

Страница 188: ...e from the information transmission process the security and legal use of paid service cannot be guaranteed In addition when only a small number of users on the same network need the information the u...

Страница 189: ...d E The advantages of multicast over unicast are as follows No matter how many receivers exist there is only one copy of the same multicast data flow on each link With the multicast mode used to trans...

Страница 190: ...raffic Distributive application Multicast makes multiple point application possible Application of multicast The multicast technology effectively addresses the issue of point to multipoint data transm...

Страница 191: ...t data from only certain multicast sources The SSM model provides a transmission service that allows users to specify the multicast sources they are interested in at the client side The radical differ...

Страница 192: ...hority IANA categorizes IP addresses into five classes A B C D and E Unicast packets use IP addresses of Class A B and C based on network scales Class D IP addresses are used as destination addresses...

Страница 193: ...otocols 224 0 1 0 to 231 255 255 255 233 0 0 0 to 238 255 255 255 Available any source multicast ASM multicast addresses IP addresses for temporary groups They are valid for the entire network 232 0 0...

Страница 194: ...bits are mapped to a MAC address Thus five bits of the multicast IP address are lost As a result 32 IP multicast addresses are mapped to the same MAC address Multicast Protocols This section provides...

Страница 195: ...e flooding of multicast data in a Layer 2 network Layer 3 multicast protocols n We refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as...

Страница 196: ...es and inter domain routes An intra domain multicast routing protocol is used to discover multicast sources and build multicast distribution trees within an autonomous system AS so as to deliver multi...

Страница 197: ...cast source S sends to a multicast group G the multicast device first searches its multicast forwarding table If the corresponding S G entry exists and the interface on which the packet actually arriv...

Страница 198: ...gure 59 Multicast packets travel along the SPT from the multicast source to the receivers Figure 61 RPF check process A multicast packet from Source arrives to VLAN interface 1 of Switch C and the cor...

Страница 199: ...n IGMP Snooping is not running on the switch multicast packets are broadcast to all devices at Layer 2 When IGMP Snooping is running on the switch multicast packets for known multicast groups are mult...

Страница 200: ...and related messages and actions Work Mechanism of IGMP Snooping A switch running IGMP Snooping performs different actions when it receives different IGMP messages as follows When receiving a general...

Страница 201: ...g table the switch installs an entry for this port in the forwarding table and starts the member port aging timer of this port n A switch will not forward an IGMP report through a non router port for...

Страница 202: ...f that multicast group still exist under the port the switch deletes the forwarding entry corresponding to the port from the forwarding table when the aging timer expires c Caution After an Ethernet s...

Страница 203: ...ing version is version 2 c Caution Before configuring related IGMP Snooping functions you must enable IGMP Snooping in the specified VLAN Different multicast group addresses should be configured for d...

Страница 204: ...f one or more VLANs are specified the configuration takes effect on the port only if the port belongs to the specified VLAN s If fast leave processing and unknown multicast packet dropping are enabled...

Страница 205: ...cast unknown multicast packets by default this function is often used together with the function of dropping unknown multicast packets to prevent multicast streams from being broadcast as unknown mult...

Страница 206: ...case the multicast packets for the removed multicast group s will be flooded in the VLAN as unknown multicast packets As a result non member ports can receive multicast packets within a period of time...

Страница 207: ...iew interface interface type interface number Configure the current port as a static member port for a multicast group in a VLAN multicast static group group address vlan vlan id Required By default n...

Страница 208: ...simulated host responds with an IGMP report Meanwhile the switch sends the same IGMP report to itself to ensure that the IGMP entry does not age out When the simulated joining function is disabled on...

Страница 209: ...uration above you can execute the following display commands in any view to verify the configuration by checking the displayed information You can execute the reset command in user view to clear the s...

Страница 210: ...1 Host A and Host B are receivers of the multicast group 224 1 1 1 Network diagram Figure 64 Network diagram for IGMP Snooping configuration Configuration procedure 1 Configure the IP address of each...

Страница 211: ...chA vlan100 port Ethernet 1 0 1 to Ethernet 1 0 4 SwitchA vlan100 igmp snooping enable SwitchA vlan100 quit 4 Verify the configuration View the detailed information of the multicast group in VLAN 100...

Страница 212: ...ping is wrong Use the display igmp snooping group command to check if the multicast groups are expected ones If the multicast group set up by IGMP Snooping is not correct contact your technical suppor...

Страница 213: ...ontrol protocol It authenticates and controls devices requesting for access in terms of the ports of LAN access devices With the 802 1x protocol employed a user side device can access the LAN only whe...

Страница 214: ...PAE authenticates the supplicant systems when they log into the LAN and controls the status authorized unauthorized of the controlled ports according to the authentication result The supplicant system...

Страница 215: ...s EAPoL packets EAP protocol packets transmitted between the authenticator system PAE and the RADIUS server can either be encapsulated as EAP over RADIUS EAPoR packets or be terminated at system PAEs...

Страница 216: ...size of the Packet body field A value of 0 indicates that the Packet Body field does not exist The Packet body field differs with the Type field Note that EAPoL Start EAPoL Logoff and EAPoL Key packe...

Страница 217: ...t and Response packets Newly added fields for EAP authentication Two fields EAP message and Message authenticator are added to a RADIUS protocol packet for EAP authentication The EAP message field who...

Страница 218: ...ation protocol are available in the EAP relay mode EAP MD5 authenticates the supplicant system The RADIUS server sends MD5 keys contained in EAP request MD5 challenge packets to the supplicant system...

Страница 219: ...st packet and forwards it to the RADIUS server Upon receiving the packet from the switch the RADIUS server retrieves the user name from the packet finds the corresponding password by matching the user...

Страница 220: ...cess the network The supplicant system can also terminate the authenticated state by sending EAPoL Logoff packets to the switch The switch then changes the port state from accepted to rejected n In EA...

Страница 221: ...You can set the number of retries by using the dot1x retry command An online user will be considered offline when the switch has not received any response packets after a certain number of handshake...

Страница 222: ...for authentication actively The switch sends multicast request identity packets periodically through the port enabled with 802 1x function In this case this timer sets the interval to send the multica...

Страница 223: ...g function on the switch by using the dot1x version check command Checking the client version With the 802 1x client version checking function enabled a switch checks the version and validity of an 80...

Страница 224: ...ect to the switch again the user needs to initiate 802 1x authentication with the client software again Figure 74 802 1x re authentication 802 1x re authentication can be enabled in one of the followi...

Страница 225: ...configure the user names and passwords on the RADIUS server and perform RADIUS client related configuration on the switch You can also specify to adopt the RADIUS authentication scheme with a local au...

Страница 226: ...andshaking function switches cannot receive handshaking acknowledgement packets Enable 802 1x for specified ports In system view dot1x interface interface list Required By default 802 1x is disabled o...

Страница 227: ...iew Set the maximum number of concurren t on line users for specified ports In system view dot1x max user user number interface interface list Optional By default a port can accommodate up to 256 user...

Страница 228: ...detecting function you need to enable the online user handshaking function first The configuration listed in Table 164 takes effect only when it is performed on CAMS as well as on the switch In addit...

Страница 229: ...ng request packets dot1x retry version max max retry version value Optional By default the maximum number of retires to send version checking request packets is 3 Set the client version checking perio...

Страница 230: ...e re authentication interval for access users Note the following During re authentication the switch always uses the latest re authentication interval configured no matter which of the above mentioned...

Страница 231: ...hose IP addresses are 10 11 1 1 and 10 11 1 2 The RADIUS server with an IP address of 10 11 1 1 operates as the primary authentication server and the secondary accounting server The other operates as...

Страница 232: ...sed This operation can be omitted as MAC address based is the default 4210 dot1x port method macbased interface Ethernet 1 0 1 Create a RADIUS scheme named radius1 and enter RADIUS scheme view 4210 ra...

Страница 233: ...without domain 4210 radius radius1 quit Create the domain named aabbcc net and enter its view 4210 domain enable aabbcc net Specify to adopt radius1 as the RADIUS scheme of the user domain If RADIUS s...

Страница 234: ...232 CHAPTER 17 802 1X CONFIGURATION...

Страница 235: ...ts to collect the MAC addresses of the attached switches HABP clients respond to the HABP request packets and forward the HABP request packets to lower level switches HABP servers usually reside on ma...

Страница 236: ...st packets habp timer interval Optional The default interval for an HABP server to send HABP request packets is 20 seconds Table 171 Configure an HABP server Operation Command Remarks Table 172 Config...

Страница 237: ...unction Configuring System Guard Related Parameters Table 175 lists the operations to configure system guard related parameters including system guard mode checking interval threshold in terms of the...

Страница 238: ...the threshold of inbound rate limit any service packets including BPDU packets are possible to be dropped at random which may result in state transition of STP Displaying and Maintaining the System Gu...

Страница 239: ...on this device and users are authenticated on this device instead of on a remote device Local authentication is fast and requires lower operational cost but has the deficiency that information storag...

Страница 240: ...nly one protocol But in practice the most commonly used service for AAA is RADIUS What is RADIUS RADIUS remote authentication dial in user service is a distributed service based on client server struc...

Страница 241: ...ages exchanged between a RADIUS client a switch for example and a RADIUS server are verified through a shared key This enhances the security The RADIUS protocol combines the authentication and authori...

Страница 242: ...epending on the received authentication result If it accepts the user the RADIUS client sends a start accounting request Accounting Request with the Status Type attribute value start to the RADIUS ser...

Страница 243: ...P Address User Password and NAS Port 2 Access Accept Direction server client The server transmits this message to the client if all the attribute values carried in the Access Request message are accep...

Страница 244: ...bytes including the Type Length and Value fields The Value field up to 253 bytes contains the information of the attribute Its format is determined by the Type and Length fields The RADIUS protocol h...

Страница 245: ...rst byte is 0 and the other three bytes are defined in RFC 1700 Here the vendor can encapsulate multiple customized sub attributes containing vendor specific Type Length and Value to implement a RADIU...

Страница 246: ...244 CHAPTER 20 AAA OVERVIEW...

Страница 247: ...authentication Local authentication RADIUS authentication Configuring Dynamic VLAN Assignment Optional Configuring the Attributes of a Local User Optional Cutting Down User Connections Forcibly Option...

Страница 248: ...By default the delimiter between the user name and the ISP domain name is Create an ISP domain or set an ISP domain as the default ISP domain domain isp name default disable enable isp name Required I...

Страница 249: ...CAUTION You can execute the scheme radius scheme radius scheme name command to adopt an already configured RADIUS scheme to implement all the three AAA functions If you adopt the local scheme only th...

Страница 250: ...e scheme radius scheme or scheme local command is executed and the authentication command is not executed the authorization information returned from the RADIUS or local scheme still takes effect even...

Страница 251: ...ned by the RADIUS server is a character string containing only digits for example 1024 the switch first regards it as an integer VLAN ID the switch transforms the string to an integer value and judges...

Страница 252: ...ocal user in the system Set a password for the local user password simple cipher password Required Set the status of the local user state active block Optional By default the user is in active state t...

Страница 253: ...ress authentication user or multiple users with the same authorization VLAN to a port For local RADIUS authentication or local authentication to take effect the VLAN assignment mode must be set to str...

Страница 254: ...onfiguring the Maximum Number of RADIUS Request Transmission Attempts Optional Configuring the Type of RADIUS Servers to be Supported Optional Configuring the Status of RADIUS Servers Optional Configu...

Страница 255: ...t one authentication authorization server and one accounting server and you should keep the RADIUS server port settings on the switch consistent with those on the RADIUS servers Table 189 RADIUS confi...

Страница 256: ...view system view Enable RADIUS authentication port radius client enable Optional By default RADIUS authentication port is enabled Create a RADIUS scheme and enter its view radius scheme radius scheme...

Страница 257: ...eme name Required By default a RADIUS scheme named system has already been created in the system Set the IP address and port number of the primary RADIUS accounting server primary accounting ip addres...

Страница 258: ...the same shared key c CAUTION The authentication authorization shared key and the accounting shared key you set on the switch must be respectively consistent with the shared key on the authentication...

Страница 259: ...g with the secondary server and at the same time restores the status of the primary server to active while keeping the status of the secondary server unchanged When both the primary and secondary serv...

Страница 260: ...ive Table 196 Set the status of RADIUS servers Operation Command Remarks Table 197 Configure the attributes of data to be sent to RADIUS servers Operation Command Remarks Enter system view system view...

Страница 261: ...witch provides the local RADIUS server function including authentication and authorization also known as the local RADIUS authentication server function in addition to RADIUS client service where sepa...

Страница 262: ...o communicate with the primary server again when it has a RADIUS request If it finds that the primary server has recovered the switch immediately restores the communication with the primary server ins...

Страница 263: ...ounting On message which mainly contains the following information NAS ID NAS IP address source IP address and session ID 2 The switch sends the Accounting On message to the CAMS at regular intervals...

Страница 264: ...user re authentication at restart function accounting on enable send times interval interval By default this function is disabled If you use this command without any parameter the system will try at...

Страница 265: ...IUS server You can select extended as the server type in a RADIUS scheme Table 203 Display and maintain RADIUS protocol information Operation Command Remarks Display RADIUS message statistics about lo...

Страница 266: ...Enter system view 4210 system view Adopt AAA authentication for Telnet users 4210 user interface vty 0 4 4210 ui vty0 4 authentication mode scheme 4210 ui vty0 4 quit Configure an ISP domain 4210 dom...

Страница 267: ...thenticated locally Network diagram Figure 82 Local authentication of Telnet users Configuration procedure Method 1 Using local authentication scheme Enter system view 4210 system view Adopt AAA authe...

Страница 268: ...in the database of the RADIUS server Check the database of the RADIUS server make sure that the configuration information about the user exists The user input an incorrect password Be sure to input t...

Страница 269: ...the authentication authorization server and the accounting server use the same device with the same IP address but in fact they are not resident on the same device Be sure to configure the RADIUS ser...

Страница 270: ...268 CHAPTER 21 AAA CONFIGURATION...

Страница 271: ...ntication For details refer to AAA Configuration on page 245 for information about local user attributes Performing MAC Authentication on a RADIUS Server When authentications are performed on a RADIUS...

Страница 272: ...et MAC address which means that any packets from the MAC address will be discarded simply by the switch until the quiet timer expires This prevents an invalid user from being authenticated repeatedly...

Страница 273: ...user name is mac and no password is configured Configure the user name mac authentica tion authusername username Configure the password mac authentica tion authpassword password Specify an ISP domain...

Страница 274: ...re authenticate the first access user of this port namely the first user whose unicast MAC address is learned by the switch periodically If this user passes the re authentication this port will exit...

Страница 275: ...on for MAC authentication does not take effect when port security is enabled Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port You can configure the maximum n...

Страница 276: ...the display command in any view to display system running of MAC Authentication configuration and to verify the effect of the configuration You can execute the reset command in user view to clear the...

Страница 277: ...n interface Ethernet 1 0 2 Set the user name in MAC address mode for MAC authentication requiring hyphened lowercase MAC addresses as the usernames and passwords 4210 mac authentication authmode usern...

Страница 278: ...trol related features Otherwise a user may be denied of access to the networks because of incomplete configuaration 4210 mac authentication After doing so your MAC authentication configuration will ta...

Страница 279: ...P reply messages Figure 84 illustrates the format of these two types of ARP messages As for an ARP request all the fields except the hardware address of the receiver field are set The hardware address...

Страница 280: ...ss length in bytes Length of protocol address Protocol address length in bytes Operator Indicates the type of a data packets which can be 1 ARP request packets 2 ARP reply packets 3 RARP request packe...

Страница 281: ...dress into its ARP mapping table encapsulates its MAC address into an ARP reply and unicasts the reply to Host A 4 After receiving the ARP reply Host A adds the MAC address of Host B into its ARP mapp...

Страница 282: ...1 00e0 fc01 0000 1 Ethernet1 0 10 Table 213 Display and debug ARP Operation Command Remarks Display specific ARP mapping table entries display arp static dynamic ip address Available in any view Displ...

Страница 283: ...ervers return the corresponding configuration information such as IP addresses to implement dynamic allocation of network resources A typical DHCP application includes one DHCP server and multiple cli...

Страница 284: ...a DHCP ACK packet to the DHCP client to confirm the assignment of the IP address to the client or returns a DHCP NAK packet to refuse the assignment of the IP address to the client When the client rec...

Страница 285: ...n Hardware address type and length of the DHCP client hops Number of DHCP relay agents which a DHCP packet passes For each DHCP relay agent that the DHCP request packet passes the field value increase...

Страница 286: ...ength fields including packet type valid lease time IP address of a DNS server and IP address of the WINS server Protocol Specification Protocol specifications related to DHCP include RFC2131 Dynamic...

Страница 287: ...relay agent operating at the network layer Switches can track DHCP clients IP addresses through the DHCP snooping function at the data link layer Figure 87 illustrates a typical network diagram for D...

Страница 288: ...C Enable DHCP snooping on the switch Network diagram Figure 88 Network diagram for DHCP snooping configuration Configuration procedure Enable DHCP snooping on the switch 4210 system view 4210 dhcp sn...

Страница 289: ...ddress and IP address of a BOOTP client When a BOOTP client sends a request to the BOOTP server the BOOTP server will search for the BOOTP parameter file and return it to the client A BOOTP client dyn...

Страница 290: ...bles the DHCP client and UDP port 68 Using the undo ip address dhcp alloc command disables the DHCP client and UDP port 68 Displaying DHCP BOOTP Client Configuration DHCP Client Configuration Example...

Страница 291: ...cribes only the configuration on Switch A serving as a DHCP client Configure VLAN interface 1 to dynamically obtain an IP address by using DHCP 4210 system view 4210 interface Vlan interface 1 4210 Vl...

Страница 292: ...290 CHAPTER 26 DHCP BOOTP CLIENT CONFIGURATION...

Страница 293: ...d port numbers carried in the packets According to their application purposes ACLs fall into the following four types Basic ACL Rules are created based on source IP addresses only Advanced ACL Rules a...

Страница 294: ...rinciples will be used in deciding their priority order Each parameter is given a fixed weighting value This weighting value and the value of the parameter itself will jointly decide the final matchin...

Страница 295: ...pper layer software for packet filtering They cannot be applied to hardware ACL Configuration Configuring a Time Range Time ranges can be used to filter packets You can specify a time range for each r...

Страница 296: ...s within the range from 12 00 to 14 00 on every Wednesday in 2004 If the start time is not specified the time section starts from 1970 1 1 00 00 and ends on the specified end date If the end date is n...

Страница 297: ...stent rules are unaltered Configuration Example Configure ACL 2000 to deny packets whose source IP addresses are 192 168 0 1 4210 system view 4210 acl number 2000 4210 acl basic 2000 rule deny source...

Страница 298: ...the ACL you cannot modify any existent rule otherwise the system prompts error information If you do not specify the rule id argument when creating an ACL rule the rule will be numbered automatically...

Страница 299: ...160 0 0 0 0 255 destination port eq www 0 times matched Displaying ACL Configuration After the above configuration you can execute the display commands in any view to view the ACL running information...

Страница 300: ...trolling Web Login Users by Source IP Network requirements Apply an ACL to permit Web users with the source IP address of 10 110 100 46 to log in to the switch through HTTP Network diagram Figure 91 N...

Страница 301: ...ey arrive This service policy is known as Best effort which delivers the packets to their destination with the best effort with no assurance and guarantee for delivery delay jitter packet loss ratio r...

Страница 302: ...nagement handles resource competition during network congestion Generally it adds packets to queues first and then forwards the packets by using a scheduling algorithm Congestion avoidance monitors th...

Страница 303: ...ccording to their DSCP values Expedited Forwarding EF class In this class packets can be forwarded regardless of link share of other traffic The class is suitable for preferential services with low de...

Страница 304: ...e with an 802 1Q tag header As shown in the figure above each host supporting 802 1Q protocol adds a 4 byte 802 1Q tag header after the source address of the former Ethernet frame header when sending...

Страница 305: ...s and will be processed preferentially By default a Switch 4210 processes a received packet as follows For a packet without an 802 1q tag header the switch uses the priority of the receiving port as t...

Страница 306: ...precedence to the packet With the IP precedence trusted the switch obtains the corresponding local precedence by looking up the IP precedence of the packet in the IP precedence to local precedence map...

Страница 307: ...gram for LR If you perform port rate limiting configuration for a port the token bucket determines the way to process the packets to be sent by this port or packets reaching the port Packets can be se...

Страница 308: ...t fixed that is to say if a queue is empty the next queue will be scheduled In this way the bandwidth resources are made full use HQ WRR queuing HQ WRR is an improvement over WRR With queue 3 allocate...

Страница 309: ...is to be configured is determined The target priority value is determined Configuration procedure Configuration example Configure port priority on Ethernet 1 0 1 and set the priority of Ethernet 1 0 1...

Страница 310: ...e Configuration example Configure the switch to trust the DSCP precedence of the received packets 4210 system view 4210 priority trust dscp Table 228 Configure to trust the 802 1p precedence of the re...

Страница 311: ...edence to local precedence mapping table Operation Command Description Enter system view system view Configure COS precedence to local pre cedence mapping table qos cos local precedence map cos0 map l...

Страница 312: ...or inbound packets on Ethernet 1 0 1 The rate limit is 1 024 Kbps Configuration procedure 4210 system view 4210 interface Ethernet1 0 1 4210 Ethernet1 0 1 line rate inbound 1024 Configuring Queue Sche...

Страница 313: ...on Configuration prerequisites The burst function is required Configuration procedure Configuration example Enable the burst function 4210 system view 4210 burst mode enable Table 234 Configure queue...

Страница 314: ...relationship display qos dscp local precedence map Available in any view Display the IP precedence to local preceden ce mapping relationship display qos ip precedence local precedenc e map Available...

Страница 315: ...re source ports of a device are copied to the destination port on the same device for packet analysis and monitoring In this case the source ports and the destination port must be located on the same...

Страница 316: ...rom the R D department and the marketing department through the data detection device Configure the source port for the port mirroring group In system view mirroring group group id mirroring port mirr...

Страница 317: ...e source ports and destination port for the local mirroring group 4210 mirroring group 1 mirroring port Ethernet 1 0 1 Ethernet 1 0 2 both 4210 mirroring group 1 monitor port Ethernet 1 0 3 Display co...

Страница 318: ...316 CHAPTER 29 MIRRORING CONFIGURATION...

Страница 319: ...nt A switch in a cluster plays one of the following three roles Management device Member device Candidate device A cluster comprises of a management device and multiple member devices To manage the de...

Страница 320: ...toring and maintaining the network It allows you to configure and upgrade multiple switches at the same time It enables you to manage your remotely devices conveniently regardless of network topology...

Страница 321: ...logy manages and maintains the cluster Management device also supports FTP server and SNMP host proxy Processes the commands issued by users through the public network Member device Normally a member...

Страница 322: ...ollect network topology information is determined by the NTDP timer If you do not want the candidate switches to be added to a cluster automatically you can set the topology collection interval to 0 b...

Страница 323: ...g the receiving devices will keep the NDP packet data The receiving devices store the information carried in the NDP packet into the NDP table but do not forward the NDP packet When they receive anoth...

Страница 324: ...enabled port on a device to forward an NTDP topology collection request after a specific period since the previous port on the device forwards the NTDP topology collection request n To implement NTDP...

Страница 325: ...ce is added to the cluster as a member device both the management device and the member device store the state information of the member device and mark the member device as Active The management devi...

Страница 326: ...unctions can be implemented Enabling the management packets including NDP packets NTDP packets and handshake packets to be transmitted in the management VLAN only through which the management packets...

Страница 327: ...When you remove a cluster by using the undo build or undo cluster enable command UDP port 40000 is closed at the same time Enabling NDP globally and on specific ports Table 240 Cluster configuration t...

Страница 328: ...al By default the holdtime of NDP information is 180 seconds Configure the interval to send NDP packets ndp timer hello seconds Optional By default the interval to send NDP packets is 60 seconds Table...

Страница 329: ...ptional Table 246 Enable the cluster function Operation Command Description Enter system view system view Enable the cluster function globally cluster enable Required By default the cluster function i...

Страница 330: ...60 seconds Set the interval to send handshake packets timer interval Optional By default the interval to send handshake packets is 10 seconds Table 247 Establish a cluster and configure cluster param...

Страница 331: ...the member devices in the cluster is closed at the same time When you execute the undo administrator address command on a member device UDP port 40000 of the member device is closed at the same time E...

Страница 332: ...tination file Optional Table 252 Enable the cluster function Operation Command Description Table 254 Manage a cluster through management devices Operation Command Description Enter system view system...

Страница 333: ...d restore the administrative device using the backup topology on the Flash memory so that the devices in the cluster can resume normal operation With the display cluster current topology command the s...

Страница 334: ...tive device topology save to local flash Required Restore the standard topology from the Flash memory of the administrative device topology restore from local flash Optional Display the detailed infor...

Страница 335: ...57 Configure the cluster device blacklist Operation Command Description Table 258 Display and maintain cluster configuration Operation Command Description Display all NDP configuration and running inf...

Страница 336: ...s 163 172 55 1 All the devices in the cluster share the same FTP server and TFTP server The FTP server and TFTP server use the same IP address 63 172 55 1 The NMS and logging host use the same IP addr...

Страница 337: ...and on Ethernet 1 0 2 and Ethernet 1 0 3 4210 ntdp enable 4210 interface Ethernet 1 0 2 4210 Ethernet1 0 2 ntdp enable 4210 Ethernet1 0 2 quit 4210 interface Ethernet 1 0 3 4210 Ethernet1 0 3 ntdp ena...

Страница 338: ...r device to the remote shared FTP server of the cluster aaa_1 3Com ftp cluster Download the file named aaa txt from the shared TFTP server of the cluster to the member device aaa_1 3Com tftp cluster g...

Страница 339: ...d save it in the flash of the local management device in the cluster Network diagram Figure 103 Network diagram for the enhanced cluster feature configuration Configuration procedure Enter cluster vie...

Страница 340: ...338 CHAPTER 30 CLUSTER...

Страница 341: ...applied to IP phones wireless access points APs chargers for portable devices card readers network cameras and data collection system PoE components PoE consists of three components power sourcing eq...

Страница 342: ...e that is different PoE policies can be set for different user groups These PoE policies are each saved in the corresponding PoE profile and applied to ports of the user groups n When you use the PoE...

Страница 343: ...default auto When the switch is close to its full load in supplying power it will first supply power to the PDs that are connected to the ports with critical priority and then supply power to the PDs...

Страница 344: ...two types signal mode and spare mode Signal mode DC power is carried over the data pairs 1 2 3 6 of category 3 5 twisted pairs Spare mode DC power is carried over the spare pairs 4 5 7 8 of category...

Страница 345: ...n disabled on all the ports When the internal temperature of the switch increases from X X 60 C or X 140 F to Y 60 C Y 65 C or 140 F Y 149 F the switch still keeps the PoE function enabled on all the...

Страница 346: ...y command in any view to see the operation of the PoE feature and verify the effect of the configuration PoE Configuration Example PoE Configuration Example Networking requirements Switch A is a Switc...

Страница 347: ...uration procedure Upgrade the PSE processing software online SwitchA system view SwitchA poe update refresh 0290_021 s19 Enable the PoE feature on Ethernet 1 0 1 and set the PoE maximum output power o...

Страница 348: ...t the PoE management mode on the switch to auto it is the default mode so this step can be omitted SwitchA poe power management auto Enable the PD compatibility detect of the switch to allow the switc...

Страница 349: ...the PoE configurations in the PoE profile will be enabled on the port PoE Profile Configuration Configuring PoE Profile Table 270 Configure PoE profile Operation Command Description Enter system view...

Страница 350: ...ent framework IRF system 3 Combination of Unit creates a new Fabric In the newly created Fabric the PoE profile configuration of the Unit with the smallest Unit ID number will become the PoE profile c...

Страница 351: ...0 5 is Critical whereas the PoE priority for Ethernet 1 0 6 through Ethernet 1 0 10 is High The maximum power for Ethernet 1 0 1 through Ethernet 1 0 5 ports is 3 000 mW whereas the maximum power for...

Страница 352: ...Create Profile2 and enter PoE profile view SwitchA poe profile Profile2 In Profile2 add the PoE policy configuration applicable to Ethernet 1 0 6 through Ethernet 1 0 10 ports for users of group A Sw...

Страница 353: ...Request GetNextRequest and SetRequest messages to the agents Upon receiving the requests from the NMS an agent performs Read or Write operation on the managed object MIB Management Information Base ac...

Страница 354: ...be uniquely identified by a path starting from the root Figure 106 Architecture of the MIB tree The management information base MIB describes the hierarchical architecture of the tree and it is the se...

Страница 355: ...B attribute MIB content Related RFC Table 273 Configure basic SNMP functions SNMPv1 and SNMPv2c Operation Command Description Enter system view system view Enable SNMP agent snmp agent Optional Disabl...

Страница 356: ...ricid Optional By default the device switch fabric ID is enterprise number device information Create Update the view information snmp agent mib view included excluded view name oid tree mask mask valu...

Страница 357: ...t calculate password plain password mode md5 sha local switch fabricid specified switch fabricid switch fabricid Optional This command is used if password in cipher text is needed for adding a new use...

Страница 358: ...view interface interface type interface number Enable the port or interface to send Trap messages enable snmp trap updown Quit to system view quit Set the destination for Trap messages snmp agent targ...

Страница 359: ...etwork management Operation Command Description Enter system view system view Enable logging for network management snmp agent log set operation get operation all Optional Disabled by default Table 27...

Страница 360: ...on protocol to HMAC MD5 authentication password to passmd5 encryption protocol to DES encryption password to cfb128cfb128 4210 snmp agent group v3 managev3group privacy write view internet 4210 snmp a...

Страница 361: ...ame and password authentication When you use 3Com s NMS you need to set user names and choose the security level in Authentication Parameter For each security level you need to set authorization mode...

Страница 362: ...360 CHAPTER 33 SNMP CONFIGURATION...

Страница 363: ...ts can be reduced thus facilitating the management of large scale internetworks Working Mechanism of RMON RMON allows multiple monitors It can collect data in the following two ways Using the dedicate...

Страница 364: ...e following operations accordingly Sampling the defined alarm variables periodically Comparing the samples with the threshold and triggering the corresponding events if the former exceed the latter Ex...

Страница 365: ...eration Command Description Enter system view system view Add an event entry rmon event event entry description string log trap trap community log trap log trapcommunity none owner text Optional Add a...

Страница 366: ...table to monitor the information of statistics on the Ethernet port if the change rate of which exceeds the set threshold the alarm events will be triggered Network diagram Figure 108 Network diagram...

Страница 367: ...very 10 seconds When the change ratio between samples reaches the rising threshold of 50 event 1 is triggered when the change ratio drops under the falling threshold event 2 is triggered 4210 rmon pri...

Страница 368: ...366 CHAPTER 34 RMON CONFIGURATION...

Страница 369: ...onfiguration NTP is mainly applied to synchronizing the clocks of all devices in a network For example In network management the analysis of the log information and debugging information collected fro...

Страница 370: ...ple we suppose that Before the system clocks of Device A and Device B are synchronized the clock of Device A is set to 10 00 00 am and the clock of Device B is set to 11 00 00 am Device B serves as th...

Страница 371: ...me offset of Device A relative to Device B Offset T2 T1 T3 T4 2 Device A can then set its own clock according to the above information to synchronize its clock to that of Device B For detailed informa...

Страница 372: ...ronization packets periodically Network Server Initiates a client server mode request after receiving the first multicast packet Works in the server mode automatically and sends responses Client serve...

Страница 373: ...l Switch 4210 to work in NTP symmetric peer mode In this mode the remote server serves as the symmetric passive peer of the Switch 4210 and the local switch serves as the symmetric active peer Broadca...

Страница 374: ...n the clients and not on the servers n The remote server specified by remote ip or server name serves as the NTP server and the local switch serves as the NTP client The clock of the NTP client will b...

Страница 375: ...first otherwise the clock synchronization will not proceed You can configure multiple symmetric passive peers for the local switch by repeating the ntp service unicast peer command The clock of the p...

Страница 376: ...ients Configuring a switch to work in the multicast server mode Table 285 Configure a switch to work in the NTP broadcast server mode Operation Command Description Enter system view system view Enter...

Страница 377: ...e to perform synchronization and control query to the local switch and also permits the local switch to synchronize its clock to the peer device From the highest NTP service access control right to th...

Страница 378: ...ated configurations are properly performed For the NTP authentication function to take effect a trusted key needs to be configured on both the client and server after the NTP authentication is enabled...

Страница 379: ...no trusted key is configured Associate the specified key with the correspo nding NTP server Configure on the client in the server client mode ntp service unicast server remote ip server name authenti...

Страница 380: ...em will create a static association and the server will just respond passively Associate the specified key with the correspondin g broadcast m ulticast client Configure on the NTP broadcast server ntp...

Страница 381: ...rver of Device B a Switch 4210 Table 295 Configure the number of dynamic sessions allowed on the local switch Operation Command Description Enter system view system view Configure the maximum number o...

Страница 382: ...000 00000000 Set Device A as the NTP server of Device B DeviceB system view DeviceB ntp service unicast server 1 0 1 11 After the above configurations Device B is synchronized to Device A View the NTP...

Страница 383: ...e 115 Network diagram for NTP peer mode configuration Configuration procedure 1 Configure Device C Set Device A as the NTP server DeviceC system view DeviceC ntp service unicast server 3 0 1 31 2 Conf...

Страница 384: ...offset delay disper 1234 3 0 1 32 LOCL 1 95 64 42 14 3 12 9 2 7 25 3 0 1 31 127 127 1 0 2 1 64 1 4408 6 38 7 0 0 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associatio...

Страница 385: ...0 1 31 Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 18 Clock offset 198 7425 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17...

Страница 386: ...ice multicast client After the above configurations Device A and Device D respectively listen to multicast messages through their own Vlan interface2 and Device C advertises multicast messages through...

Страница 387: ...the NTP server Device B is set to work in client mode while Device A works in server mode automatically The NTP authentication function is enabled on Device A and Device B Network diagram Figure 118...

Страница 388: ...tatus Clock status synchronized Clock stratum 3 Reference clock ID 1 0 1 11 Nominal frequency 100 0000 Hz Actual frequency 100 1000 Hz Clock precision 2 18 Clock offset 0 66 ms Root delay 27 47 ms Roo...

Страница 389: ...rently the Switch 4210 device supports only SSH2 when functioning as either an SSH client or an SSH server Unless otherwise noted SSH refers to SSH2 throughout this document Algorithm and Key Algorith...

Страница 390: ...version identification string in the format of SSH primary protocol version number secondary protocol version number software version number The primary and secondary protocol version numbers constitu...

Страница 391: ...tication type from the method list to perform authentication again The above process repeats until the authentication succeeds or the connection is torn down when the authentication times reach the up...

Страница 392: ...configuration does not take effect immediately but will be effective for subsequent login requests Table 299 SSH server configuration tasks Tasks Description Configuring the SSH server Configuring th...

Страница 393: ...to replace the existing key pair n The command for generating a key pair can survive a reboot You only need to configure it once Some third party software for example WinSCP requires that the modulo o...

Страница 394: ...password and remote authentication RADIUS authentication for example is adopted you need not use the ssh user command to create an SSH user because it is created on the Table 302 Export the RSA public...

Страница 395: ...h a username that does not exist the system will automatically create the SSH user However the user cannot log in unless you specify an authentication type for it Configuring SSH Management The SSH se...

Страница 396: ...TFTP You can also use the following commands to configure the client s RSA public key on the server Table 307 Configure the client s public key manually Operation Command Description Enter system view...

Страница 397: ...Configure the client RSA public key manually Operation Command Description Enter system view system view Enter public key view rsa peer public key keyname Required Enter public key edit view public ke...

Страница 398: ...pairs and DSA key pairs are generated by a tool of the client software The following takes the client software of PuTTY PuTTYGen and SSHKEY as examples to illustrate how to configure the SSH client G...

Страница 399: ...ent key 1 Note that while generating the key pair you must move the mouse continuously and keep the mouse off the green process bar in the blue box of shown in Figure 121 Otherwise the process bar sto...

Страница 400: ...N Figure 121 Generate the client keys 2 After the key pair is generated click Save public key and enter the name of the file for saving the public key public in this case to save the public key Figure...

Страница 401: ...es and enter the name of the file for saving the private key private in this case to save the private key Figure 123 Generate the client keys 4 To generate RSA public key in PKCS format run SSHKEY exe...

Страница 402: ...s of the server Note that there must be a route available between the IP address of the server and the client Select a protocol for remote connection As shown in Figure 125 select SSH under Protocol S...

Страница 403: ...m only when the ssh1 version is selected The PuTTY client software supports DES algorithm negotiation ssh2 Open an SSH connection with publickey authentication If a user needs to be authenticated with...

Страница 404: ...3 Click Browse to bring up the file selection window navigate to the private key file and click Open to enter the following SSH client interface If the connection is normal a user will be prompted fo...

Страница 405: ...rface 1 Open an SSH connection with password authentication From the window shown in Figure 127 click Open The following SSH client interface appears If the connection is normal you will be prompted t...

Страница 406: ...and is not configured with the server host public key the user can continue accessing the server and will save the host public key on the client for use in subsequent authentications When first time...

Страница 407: ...lient first time Required By default the client is enabled to run first time authentication Configure server public key Refer to Configuring the Client Public Key on the Server on page 394 Required Th...

Страница 408: ...e SSH client will use as the destination for SSH connection 4210 system view 4210 interface vlan interface 1 4210 Vlan interface1 ip address 192 168 0 1 255 255 255 0 4210 Vlan interface1 quit n Gener...

Страница 409: ...n password to abc protocol type to SSH and command privilege level to 3 for the client 4210 local user client001 4210 luser client001 password simple abc 4210 luser client001 service type ssh level 3...

Страница 410: ...TY exe to enter the following configuration interface Figure 131 SSH client configuration interface In the Host Name or IP address text box enter the IP address of the SSH server 2 From the category o...

Страница 411: ...rotocol options select 2 from Preferred SSH protocol version 3 As shown in Figure 131 click Open to enter the following interface If the connection is normal you will be prompted to enter the user nam...

Страница 412: ...Configuration procedure n Under the publickey authentication mode either the RSA or DSA public key can be generated for the server to authenticate the client Here takes the RSA public key as an examp...

Страница 413: ...authentication type of the SSH client named client 001 as publickey 4210 ssh user client001 authentication type publickey n Before performing the following steps you must generate an RSA public key p...

Страница 414: ...n exe choose SSH2 RSA and click Generate Figure 135 Generate a client key pair 1 n While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown...

Страница 415: ...mples 413 Figure 136 Generate a client key pair 2 After the key pair is generated click Save public key and enter the name of the file for saving the public key public in this case Figure 137 Generate...

Страница 416: ...to upload the pubic key file to the server through FTP or TFTP and complete the server end configuration before you continue to configure the client Establish a connection with the SSH server The foll...

Страница 417: ...H Configuration Examples 415 Figure 140 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version 3 Select Connection SSH Auth The following window appea...

Страница 418: ...rowse to bring up the file selection window navigate to the private key file and click OK 4 From the window shown in Figure 141 click Open The following SSH client interface appears If the connection...

Страница 419: ...red Network diagram Figure 143 Network diagram of SSH client configuration when using password authentication Configuration procedure Configure Switch B Create a VLAN interface on the switch and assig...

Страница 420: ...nd assign an IP address which serves as the SSH client s address in an SSH connection 4210 system view 4210 interface vlan interface 1 4210 Vlan interface1 ip address 10 165 87 137 255 255 255 0 4210...

Страница 421: ...nterfaces to AAA 4210 user interface vty 0 4 4210 ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH 4210 ui vty0 4 protocol inbound ssh Set the user command privilege leve...

Страница 422: ...to abort Connected to 10 165 87 136 The Server is not authenticated Do you continue to access it Y N y Do you want to save the server s public key Y N n Copyright c 2004 2007 3Com Corporation Without...

Страница 423: ...he file to the SSH server through FTP or TFTP For details refer to the following Configure Switch A Import the client s public key file Switch001 and name the public key as Switch001 4210 public key p...

Страница 424: ...upload the file to the SSH client through FTP or TFTP For details refer to the above section Configure Switch B Import the public key named Switch002 from the file Switch002 4210 public key peer Swit...

Страница 425: ...s method can be used to specify a path or a file in the current work directory Directory Operations The file system provides directory related functions such as Creating deleting a directory Displayin...

Страница 426: ...rackets If the configuration files are deleted the switch adopts the null configuration when it starts up next time Table 320 File operations To do Use the command Remarks Delete a file delete unreser...

Страница 427: ...ig cfg 3 rwh 151 Apr 03 2000 16 04 55 private data txt 4 rwh 716 Apr 04 2000 17 27 35 hostkey 5 rwh 572 Apr 04 2000 17 27 41 serverkey 6 rwh 548 Apr 04 2000 17 30 06 dsakey 7 drw Apr 04 2000 23 04 21...

Страница 428: ...ree startup files support file attribute configuration App files An app file is an executable file with bin as the extension Configuration files A configuration file is used to store and restore confi...

Страница 429: ...tributes You can configure and view the main attribute or backup attribute of the startup file used for the next startup of a switch and change the main or backup attribute of the file Perform the con...

Страница 430: ...and Otherwise Web server cannot function normally Currently a configuration file has the extension of cfg and resides in the root directory of the Flash memory For the detailed configuration of config...

Страница 431: ...for program file transfer ASCII mode for text file transfer A 3Com Switch 4210 can operate as an FTP client or the FTP server in FTP employed data transmission Table 325 The Switch 4210 FTP Roles Item...

Страница 432: ...tes as an FTP server Table 326 FTP configuration tasks Item Configuration task Description FTP Configuration A Switch Operating as an FTP Server Creating an FTP user Required Enabling an FTP server Re...

Страница 433: ...long time without performing any operation Configuring the banner for an FTP server Displaying a banner With a banner configured on the FTP server when you access the FTP server through FTP the confi...

Страница 434: ...ons such as creating removing a directory by executing commands on the switch Table 332 lists the operations that can be performed on an FTP client Table 330 Configure the banner display for an FTP se...

Страница 435: ...current directory are displayed The difference between these two commands is that the dir command can display the file name directory as well as file attributes while the Is command can display only t...

Страница 436: ...figure Switch A the FTP server Log in to the switch and enable the FTP server function on the switch Configure the user name and password used to access FTP services and specify the service type as FT...

Страница 437: ...ON If available space on the Flash memory of the switch is not enough to hold the file to be uploaded you need to delete files not in use from the Flash memory to make room for the file and then uploa...

Страница 438: ...figuration Configuration procedure 1 Configure the switch FTP server Configure the login banner of the switch as login banner appears and the shell banner as shell banner appears For detailed configur...

Страница 439: ...client Configuration procedure 1 Configure the PC FTP server Perform FTP server related configurations on the PC that is create a user account on the FTP server with user name switch and password hell...

Страница 440: ...on is upgraded 4210 boot boot loader switch bin 4210 reboot n For information about the boot boot loader command and how to specify the startup file for a switch refer to Basic System Configuration an...

Страница 441: ...t only the first user can log in to the SFTP user The subsequent connection will fail When you upload a large file through WINSCP if a file with the same name exists on the server you are recommended...

Страница 442: ...rmdir pathname Delete a specified file delete remotefile Optional Both commands have the same effect remove remote file Query a specified file on the SFTP server dir remotefile localfile Optional If n...

Страница 443: ...iagram for SFTP configuration Configuration procedure 1 Configure the SFTP server switch B Create key pairs 4210 system view 4210 public key local create rsa 4210 public key local create dsa Create a...

Страница 444: ...me client001 and the password abc and then enter SFTP client view 4210 sftp 192 168 0 1 Input Username client001 Trying 192 168 0 1 Press CTRL K to abort Connected to 192 168 0 1 The Server is not aut...

Страница 445: ...and then verify the result sftp client rename new1 new2 File successfully renamed sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubk...

Страница 446: ...y1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 rwxrwxrwx 1 noone nogroup 283 Sep 02 06 35 pub rwxrwxrwx 1 noone nogroup 283 Sep 02 06 36 puk Received s...

Страница 447: ...server he Switch 4210 can operate as a TFTP client only When you download a file that is larger than the free space of the switch s flash memory If the TFTP server supports file size negotiation file...

Страница 448: ...figure the IP addresses of a VLAN interface on the switch and the PC as 1 1 1 1 and 1 1 1 2 respectively The port through which the switch connects with the PC belongs to the VLAN Network diagram Figu...

Страница 449: ...ugh which the switch connects with the PC belongs to this VLAN This example assumes that the port belongs to VLAN 1 4210 interface Vlan interface 1 4210 Vlan interface1 ip address 1 1 1 1 255 255 255...

Страница 450: ...448 CHAPTER 39 TFTP CONFIGURATION...

Страница 451: ......

Страница 452: ...450 CHAPTER 39 TFTP CONFIGURATION...

Страница 453: ...nformation Debugging information Eight levels of system information The information is classified into eight levels by severity and can be filtered by level More emergent information has a smaller sev...

Страница 454: ...information center is enabled Table 339 Information channels and output directions Information channel number Default channel name Default output direction 0 console Console Receives log trap and debu...

Страница 455: ...module HABP 3Com authentication bypass protocol module HTTPD HTTP server module HWCM 3Com Configuration Management private MIB module HWP Remote Ping module IFNET Interface management module IGSP IGM...

Страница 456: ...ailed explanation of the fields involved Priority The priority is calculated using the following formula facility 8 severity 1 in which facility the device name defaults to local7 with the value being...

Страница 457: ...o that you can know the standard time when the information center processing each piece of information That is you can know the Greenwich standard time of each switch in the network based on the UTC r...

Страница 458: ...information output refers to the feature that if the system information such as log trap or debugging information is output when the user is inputting commands the command line prompt in command editi...

Страница 459: ...ole Table 342 Configure synchronous information output Operation Command Description Enter system view system view Enable synchronous information output info center synchronous Required Disabled by de...

Страница 460: ...nfo center timestamp log trap debugging boot date none Optional By default the time stamp format of the log and trap output information is date and that of the debugging output information is boot Tab...

Страница 461: ...ugging Optional Disabled by default Enable log information terminal display function terminal logging Optional Enabled by default Enable trap information terminal display function terminal trapping Op...

Страница 462: ...le debugging information terminal display function terminal debugging Optional Disabled by default Enable log information terminal display function terminal logging Optional Enabled by default Enable...

Страница 463: ...center enable Optional Enabled by default Enable system information output to the trap buffer info center trapbuffer channel channel number channel name size buffersize Optional By default the switch...

Страница 464: ...fo center timestamp log trap debugging boot date none Optional By default the time stamp format of the output log information is date Table 351 Set to output system information to the log buffer Opera...

Страница 465: ...r Operation Command Description Display information on an information channel display channel channel number channel name Available in any view Display the operation status of information center the c...

Страница 466: ...ing with a sign In each pair a tab should be used as a separator instead of a space No space is allowed at the end of a file name The device name facility and received log information severity level s...

Страница 467: ...action pairs Switch configuration messages local7 info var log Switch information n Note the following items when you edit file etc syslog conf A note must start in a new line starting with a sign In...

Страница 468: ...ble Disable the function of outputting information to the console channels Switch undo info center source default channel console Enable log information output to the console Permit ARP and IP modules...

Страница 469: ...4210 clock timezone z8 add 08 00 00 Set the time stamp format of the log information to be output to the log host to date 4210 system view System View return to User View with Ctrl Z 4210 info center...

Страница 470: ...468 CHAPTER 40 INFORMATION CENTER...

Страница 471: ...thernet port You can load software remotely by using FTP TFTP n The Boot ROM software version should be compatible with the host software version when you load the Boot ROM and host software Local Boo...

Страница 472: ...t bootrom password recovery 9 Set switch startup mode 0 Reboot Enter your choice 0 9 Loading by XModem through Console Port Introduction to XModem XModem protocol is a file transfer protocol that is w...

Страница 473: ...Choose an appropriate baudrate for downloading For example if you press 5 the baudrate 115200 bps is chosen and the system displays the following information Download baudrate is 115200 bps Please ch...

Страница 474: ...472 CHAPTER 41 BOOT ROM AND HOST SOFTWARE LOADING Figure 157 Properties dialog box Figure 158 Console port configuration dialog box...

Страница 475: ...the HyperTerminal program Step 6 Press Enter to start downloading the program The system displays the following information Now please start transfer file with XMODEM protocol If you want to exit Pre...

Страница 476: ...e system prompts Your baudrate should be set to 9600 bps again Press enter key when ready You need not reset the HyperTerminal s baudrate and can skip the last step if you have chosen 9600 bps In this...

Страница 477: ...on to TFTP TFTP a protocol in TCP IP protocol suite is used for trivial file transfer between client and server It is over UDP to provide unreliable data stream transfer service Loading the Boot ROM F...

Страница 478: ...s the following information 1 Set TFTP protocol parameter 2 Set FTP protocol parameter 3 Set XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 3 Step 2 Enter 1 in the above menu to...

Страница 479: ...et XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 4 Enter 2 in the above menu to download the Boot ROM using FTP Then set the following FTP related parameters as required Load F...

Страница 480: ...oading the Boot ROM As shown in Figure 164 a PC is used as both the configuration device and the FTP server You can telnet to the switch and then execute the FTP commands to download the Boot ROM prog...

Страница 481: ...g files refer to File System Management Configuration on page 423 Ensure that the power supply is available during software loading Loading Procedure Using FTP Server As shown in Figure 165 the switch...

Страница 482: ...st New local user added 4210 luser test password simple pass 4210 luser test service type ftp d Enable FTP client software on the PC Refer to Figure 166 for the command line interface in Windows opera...

Страница 483: ...ot ROM directory f Enter ftp 192 168 0 28 and enter the user name test password pass as shown in Figure 168 to log on to the FTP server Figure 168 Log on to the FTP server g Use the put command to upl...

Страница 484: ...oading the host software is the same as loading the Boot ROM program except that the file to be downloaded is the host software file and that you need to use the boot boot loader command to select the...

Страница 485: ...e end time end date offset time Optional Execute this command in user view When the system reaches the specified start time it automatically adds the specified offset to the current time so as to togg...

Страница 486: ...lay of debugging information Protocol debugging switch which controls protocol specific debugging information Screen output switch which controls whether to display the debugging information on a cert...

Страница 487: ...OFF ON Debugging information Protocol debugging switch Screen output switch 1 3 1 2 3 OFF ON ON Debugging information Protocol debugging switch Screen output switch 1 3 1 2 3 1 3 Table 356 Enable debu...

Страница 488: ...an use the command here to display the current operating information about the modules in the system for troubleshooting your system Table 358 Display the current operation information about the modul...

Страница 489: ...ed to check the network connectivity It can also be used to help locate the network faults The executing procedure of the tracert command is as follows First the source host sends a data packet with t...

Страница 490: ...e tracert command Operation Command Description View the gateways that a packet passes from the source host to the destination tracert a source ip f first ttl m max ttl p port q num packet w timeout s...

Страница 491: ...tasks Task Remarks Rebooting the Ethernet Switch Optional Scheduling a Reboot on the Switch Optional Configuring Real time Monitoring of the Running Status of the System Optional Specifying the APP to...

Страница 492: ...e to specify the one that will be used when the switch reboots Upgrading the Boot ROM You can use the Boot ROM program saved in the Flash memory of the switch to upgrade the running Boot ROM With this...

Страница 493: ...e PC is reachable to each other The host software switch bin and the Boot ROM file boot btm of the switch are stored in the directory switch on the PC Use FTP to download the switch bin and boot btm f...

Страница 494: ...pears 4210 c CAUTION If the Flash memory of the switch is not sufficient delete the original applications before downloading the new ones 4 Initiate an FTP connection with the following command in use...

Страница 495: ...booted next time on unit 1 4210 display boot loader Unit 1 The current boot app is switch bin The main boot app is switch bin The backup boot app is Reboot the switch to upgrade the Boot ROM and host...

Страница 496: ...494 CHAPTER 44 DEVICE MANAGEMENT...

Страница 497: ...iated by Remote Ping client and you can view the test results on Remote Ping client only When performing a Remote Ping test you need to configure a Remote Ping test group on the Remote Ping client A R...

Страница 498: ...ll known port 1 to 1023 being unavailable TCP test Tcppublic test Tcpprivate test UDP test Udppublic test Udpprivate test Table 369 Remote Ping test parameters Test parameter Description Destination a...

Страница 499: ...ing IP and ICMP headers Maximum number of history records that can be saved history records This parameter is used to specify the maximum number of history records that can be saved in a test group Wh...

Страница 500: ...obe the Remote Ping client sends a series of packets to the Remote Ping server at regular intervals you can set the interval Once receiving such a packet the Remote Ping server marks it with a timesta...

Страница 501: ...for jitter TCP and UDP tests Remote Ping server configuration Configure a listening service on the Remote Ping server You can configure multiple TCP UDP listening services on one Remote Ping server w...

Страница 502: ...type is ICMP Configure the number of probes per test count times Optional By default each test makes one probe Configure the packet size datasize size Optional By default the packet size is 56 bytes C...

Страница 503: ...r Figure 173 Optional By default the maximum number is 50 Configure the probe timeout time timeout time Optional By default a probe times out in three seconds Start the test test enable Required Displ...

Страница 504: ...a probe times out in three seconds Configure the type of service tos value Optional By default the service type is zero Configure the type of FTP operation ftp operation get put Optional By default t...

Страница 505: ...s host name Configure the source IP address source ip ip address Optional By default no source IP address is configured Configure the source port source port port number Optional By default no source...

Страница 506: ...nable the Remote Ping client function Remote Ping agent enable Required By default the Remote Ping client function is disabled Create a Remote Ping test group and enter its view Remote Ping administra...

Страница 507: ...l be sent in each jitter probe jitter packetnum number Optional By default each jitter probe will send 10 packets Configure the interval to send test packets in the jitter test jitter interval interva...

Страница 508: ...t the automatic test interval is zero seconds indicating no automatic test will be made Configure the probe timeout time timeout time Optional By default a probe times out in three seconds Configure t...

Страница 509: ...s Optional By default the source IP address is not specified Configure the source port source port port number Optional By default no source port is specified Configure the test type test type tcppriv...

Страница 510: ...address Required This IP address and the one configured on the Remote Ping server for listening service must be the same By default no destination address is configured Configure the destination port...

Страница 511: ...he service type is zero Start the test test enable Required Display test results display Remote Ping results admin name operation tag Required The display command can be executed in any view Table 379...

Страница 512: ...t specified Configure the IP address of the DNS server dns server ip address Required By default no DNS server address is configured Start the test test enable Required Display test results display Re...

Страница 513: ...able Remote Ping client 4210 system view 4210 Remote Ping agent enable Create a Remote Ping test group setting the administrator name to administrator and test tag to ICMP 4210 Remote Ping administrat...

Страница 514: ...test time 2000 4 2 20 55 12 3 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connect...

Страница 515: ...splay Remote Ping results administra tor dhcp Remote Ping entry admin administrator tag dhcp test result Send operation times 10 Receive response times 10 Min Max Average Round Trip Time 1018 1037 102...

Страница 516: ...stem view 4210 interface Vlan interface 1 4210 Vlan interface1 ip address 10 1 1 1 8 Enable the Remote Ping client 4210 Remote Ping agent enable Create a Remote Ping test group setting the administrat...

Страница 517: ...ther operation errors 0 4210 Remote Ping administrator ftp display Remote Ping history administrat or ftp Remote Ping entry admin administrator tag ftp history record Index Response Status LastRC Time...

Страница 518: ...ator http timeout 30 Start the test 4210 Remote Ping administrator http test enable Display test results 4210 Remote Ping administrator http display Remote Ping results administrator h ttp Remote Ping...

Страница 519: ...e DNS server to resolve the host name into an IP address which is the destination IP address of this HTTP test Jitter Test Network requirements Both the Remote Ping client and the Remote Ping server a...

Страница 520: ...0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number 0 Other operation errors 0 Jitter result RTT Number 100 Min Posit...

Страница 521: ...gent community write private n The SNMP network management function must be enabled on SNMP agent before it can receive response packets The SNMPv2c version is used as reference in this example This c...

Страница 522: ...admin administrator tag snmp history record Index Response Status LastRC Time 1 10 1 0 2000 04 03 08 57 20 0 2 10 1 0 2000 04 03 08 57 20 0 3 10 1 0 2000 04 03 08 57 20 0 4 10 1 0 2000 04 03 08 57 19...

Страница 523: ...rator tcpprivate test enable Display test results 4210 Remote Ping administrator tcpprivate display Remote Ping results administr ator tcpprivate Remote Ping entry admin administrator tag tcpprivate t...

Страница 524: ...onfigure Remote Ping Client Switch A Enable the Remote Ping client 4210 system view 4210 Remote Ping agent enable Create a Remote Ping test group setting the administrator name to administrator and te...

Страница 525: ...04 02 08 29 45 4 4 11 1 0 2000 04 02 08 29 45 4 5 11 1 0 2000 04 02 08 29 45 4 6 11 1 0 2000 04 02 08 29 45 4 7 10 1 0 2000 04 02 08 29 45 3 8 10 1 0 2000 04 02 08 29 45 3 9 10 1 0 2000 04 02 08 29 45...

Страница 526: ...Square Sum of Round Trip Time 756 Last complete test time 2006 11 28 11 50 40 9 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeo...

Страница 527: ...header thus making IPv6 packet handling simple and improving the forwarding efficiency Although the IPv6 address size is four times that of IPv4 addresses the size of basic IPv6 headers is only twice...

Страница 528: ...the IPv6 header allows the device to label packets in a flow and provide special handling for these packets Enhanced neighbor discovery mechanism The IPv6 neighbor discovery protocol is implemented b...

Страница 529: ...nly fall into three types unicast address multicast address and anycast address Unicast address An identifier for a single interface similar to an IPv4 unicast address A packet sent to a unicast addre...

Страница 530: ...et to itself Unassigned address The unicast address is called the unassigned address and may not be assigned to any node Before acquiring a valid IPv6 address a node may fill this address in the sourc...

Страница 531: ...Thus an interface identifier in EUI 64 format is obtained Figure 190 Convert a MAC address into an EUI 64 address Introduction to IPv6 Neighbor Discovery Protocol The IPv6 neighbor discovery protocol...

Страница 532: ...n address is the Neighbor advertisement NA message Used to respond to a neighbor solicitation message When the link layer address changes the local node initiates a neighbor advertisement message to n...

Страница 533: ...herwise node B is unreachable Duplicate address detection After a node acquires an IPv6 address it should perform the duplicate address detection to determine whether the address is being used by othe...

Страница 534: ...81 Path MTU Discovery for IP version 6 RFC 2375 IPv6 Multicast Address Assignments RFC 2460 Internet Protocol Version 6 IPv6 Specification RFC 2461 Neighbor Discovery for IP Version 6 IPv6 RFC 2462 IP...

Страница 535: ...configured for an interface a link local address will be generated automatically The automatically generated link local address is the same as the one generated by using the ipv6 address auto link loc...

Страница 536: ...resolved into a link layer address dynamically through NS and NA messages or statically through manual configuration You can configure a static neighbor entry in two ways Mapping a VLAN interface to a...

Страница 537: ...ssage You can configure the interval for sending NS messages Enter VLAN interface view interface interface type interface number Configure the maximum number of neighbors dynamically learned by an int...

Страница 538: ...ved before the finwait timer expires the IPv6 TCP connection is terminated If FIN packets are received the IPv6 TCP connection status becomes TIME_WAIT If other packets are received the finwait timer...

Страница 539: ...host name to IPv6 address mapping You can directly use a host name when applying telnet applications and the system will resolve the host name into an IPv6 address Each host name can correspond to on...

Страница 540: ...upport at most 10 domain name suffixes n The dns resolve and dns domain commands are the same as those of IPv4 DNS For details about the commands refer to DNS Configuration on page 549 Table 398 Confi...

Страница 541: ...xclude include text Display the total number of neighbor entries satisfying the specified conditions display ipv6 neighbors all dynamic static interface interface type interface number vlan vlan id co...

Страница 542: ...erface Vlan interface 2 SwitchA Vlan interface2 ipv6 address auto link local Configure a global unicast address for the interface Vlan interface2 SwitchA Vlan interface2 ipv6 address 3001 1 64 2 Confi...

Страница 543: ...pes of IPv6 addresses can be pinged c CAUTION When you use the ping ipv6 command to verify the reachability of the destination you must specify the i keyword if the destination address is a link local...

Страница 544: ...hop limit 64 time 6 ms Reply from 3001 2 bytes 56 Sequence 4 hop limit 64 time 5 ms Reply from 3001 2 bytes 56 Sequence 5 hop limit 64 time 6 ms 3001 2 ping statistics 5 packet s transmitted 5 packet...

Страница 545: ...be received For details about the ping command refer to Basic System Configuration and Debugging on page 483 c CAUTION When you use the ping ipv6 command to verify the reachability of the destination...

Страница 546: ...ort unreachable ICMP error message and understands that the packet has reached the destination and thus determines the route of the packet from source to destination IPv6 TFTP IPv6 supports TFTP Trivi...

Страница 547: ...For details refer to You can log into a Switch 4210 in one of the following ways on page 21 c CAUTION When you use the telnet ipv6 command to connect to the Telnet server you must specify the i keywo...

Страница 548: ...s Configuration procedure n You need configure IPv6 address at the switch s and server s interfaces and ensure that the route between the switch and the server is accessible before the following confi...

Страница 549: ...wait TFTP 13 bytes received in 1 243 second s File downloaded successfully SWA Connect to Telnet server 3001 2 SWA telnet ipv6 3001 2 Trying 3001 2 Press CTRL K to abort Connected to 3001 2 Telnet Se...

Страница 550: ...ptom Unable to download and upload files by performing TFTP operations Solution Check that the route between the device and the TFTP server is up Check that the file system of the device is usable You...

Страница 551: ...Switch 4210 supports both static and dynamic DNS clients Static Domain Name Resolution The static domain name resolution means manually setting up mappings between domain names and IP addresses IP add...

Страница 552: ...ges DNS suffixes The DNS client normally holds a list of suffixes which can be defined by users It is used when the name to be resolved is not complete The resolver can supply the missing part automat...

Страница 553: ...in user view to clear the information stored in the dynamic domain name resolution cache Table 405 Configure static domain name resolution Operation Command Remarks Enter system view system view Confi...

Страница 554: ...to break Reply from 10 1 1 2 bytes 56 Sequence 1 ttl 127 time 3 ms Reply from 10 1 1 2 bytes 56 Sequence 2 ttl 127 time 3 ms Reply from 10 1 1 2 bytes 56 Sequence 3 ttl 127 time 2 ms Reply from 10 1...

Страница 555: ...ons are done on the devices For the IP addresses of the interfaces see the figure above There is a mapping between domain name host and IP address 3 1 1 1 16 on the DNS server The DNS server works nor...

Страница 556: ...ceived 100 00 packet loss Troubleshooting DNS Symptom After enabling the dynamic domain name resolution the user cannot get the correct IP address Solution Use the display dns dynamic host command to...

Страница 557: ...he system when the password is about to age out that is the remaining usable time of the password is no more than the set alert time the switch will alert the user to the forthcoming expiration and pr...

Страница 558: ...allowed to log into the switch again only after the administrator manually removes the user from the user blacklist Allow the user to log in again without any inhibition User blacklist If the maximum...

Страница 559: ...blacklist command in any view to check the names and the IP addresses of such users Configuring Password Aging n In this section you must note the effective range of the same commands when executed i...

Страница 560: ...chooses not to change the password the system allows the user to log in If the user chooses to change the password but fails in modification the system logs out the user after the maximum number of a...

Страница 561: ...ng one single password or using an old password for a long time to enhance the security Enable the limitation of minimum password length password control length enable Optional By default the limitati...

Страница 562: ...password must conform to the related configuration of password control when you set the local user password in interactive mode Table 412 Manually remove history password records Operation Command Des...

Страница 563: ...actions to be taken when the number of retries to enter the SSH password exceeds the configured value Refer to SSH Configuration on page 387 for information about SSH server If a user in the blacklist...

Страница 564: ...ory Password combination falls into four levels 1 2 3 and 4 each representing the number of categories that a password should at least contain Level 1 means that a password must contain characters of...

Страница 565: ...n enable Optional By default the password composition check function is enabled Configure the password composition policy globally password control composition type number policy type type length type...

Страница 566: ...and the minimum number of characters in each composition type to 3 4210 password control super composition type number 3 type length 3 Configure a super password 4210 super password level 3 simple 111...

Страница 567: ...Control Configuration Example 565 Set the aging time for the local user password to 20 days 4210 luser test password control aging 20 Configure the password of local user 4210 luser test password simp...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды