3Com 4210G Series Скачать руководство пользователя страница 662

Страница: 662 / 1133

10-20

Configuring a Certificate Attribute-Based Access Control Policy

Network requirements

The client accesses the remote HTTP Security (HTTPS) server through the HTTPS protocol.

SSL is configured to ensure that only legal clients log into the HTTPS server.

Create a certificate attribute-based access control policy to control access to the HTTPS server.

Figure 10-4

Configure a certificate attribute-based access control policy

Configuration procedure

For detailed information about SSL configuration, refer to

SSL Configuration

in the

Security

Volume

For detailed information about HTTPS configuration, refer to

HTTP Configuration

in the

System

Volume

The PKI domain to be referenced by the SSL policy must be created in advance. For detailed
configuration of the PKI domain, refer to

Configure the PKI domain

1) Configure the HTTPS server
# Configure the SSL policy for the HTTPS server to use.

<Switch> system-view

[Switch] ssl server-policy myssl

[Switch-ssl-server-policy-myssl] pki-domain 1

[Switch-ssl-server-policy-myssl] client-verify enable

[Switch-ssl-server-policy-myssl] quit

2) Configure the certificate attribute group
# Create certificate attribute group

mygroup1

and add two attribute rules. The first rule defines that

the DN of the subject name includes the string

aabbcc

, and the second rule defines that the IP

address of the certificate issuer is 10.0.0.1.

[Switch] pki certificate attribute-group mygroup1

[Switch-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc

[Switch-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1

[Switch-pki-cert-attribute-group-mygroup1] quit

Содержание 4210G Series

Страница 1: ...Port Switch 4210G 48 Port Switch 4210G NT 24 Port Switch 4210G NT 48 Port Switch 4210G PWR 24 Port Switch 4210G PWR 48 Port Product Version Release 2202 Manual Version 6W100 20100205 www 3com com 3Co...

Страница 2: ...cial license for the Software Technical data is provided with limited rights only as provided in DFAR 252 227 7015 Nov 1995 or FAR 52 227 14 June 1987 whichever is applicable You agree not to remove o...

Страница 3: ...Volume IP Routing Overview Static Routing IPv6 Static Routing Mulitcast Overview IGMP Snooping Multicast VLAN MLD Snooping 04 Multicast Volume IPv6 Multicast VLAN QoS Overview QoS Configuration Approa...

Страница 4: ...he manual uses the following conventions Command conventions Convention Description Boldface The keywords of a command line are in Boldface italic Command arguments are in italic Items keywords or arg...

Страница 5: ...may cause data loss or damage to equipment Means a complementary description Related Documentation In addition to this manual each 3com Switch 4210G documentation set includes the following Manual De...

Страница 6: ...res 1 1 Introduction to Product 1 1 Feature Lists 1 1 2 Features 2 1 Access Volume 2 1 IP Services Volume 2 3 IP Routing Volume 2 5 Multicast Volume 2 5 QoS Volume 2 6 Security Volume 2 7 High Availab...

Страница 7: ...manageability Feature Lists The Switch 4210G supports abundant features and the related documents are divided into the volumes as listed in Table 1 1 Table 1 1 Feature list Volume Features 00 Product...

Страница 8: ...t Link Monitor Link RRPP DLDP 07 High Availability Volume Ethernet OAM Connectivity Fault Detection Track Logging In to an Ethernet Switch Logging In Through the Console Port Logging In Through Telnet...

Страница 9: ...z Enabling Loopback Detection on an Ethernet Interface z Configuring the MDI Mode for an Ethernet Interface z Testing the Cable on an Ethernet Interface z Configuring the Storm Constrain Function on a...

Страница 10: ...re quality of service QoS parameters for the voice traffic thus improving transmission priority and ensuring voice quality This document describes z Overview z Configuring a Voice VLAN z Displaying an...

Страница 11: ...scribes z Configuring ARP Source Suppression z Configuring ARP Defense Against IP Packet Attacks z Configuring ARP Active Acknowledgement z Configuring Source MAC Address Based ARP Attack Detection z...

Страница 12: ...ding of Directed Broadcasts to a Directly Connected Network z Configuring TCP Attributes z Configuring ICMP to Send Error Packets UDP Helper UDP Helper functions as a relay agent that converts UDP bro...

Страница 13: ...olume Features Description Multicast Overview This document describes the main concepts in multicast z Introduction to Multicast z Multicast Models z Multicast Architecture z Multicast Packets Forward...

Страница 14: ...te Congestion Management The key to congestion management is how to define a dispatching policy for resources to decide the order of forwarding packets when congestion occurs This document describes z...

Страница 15: ...hed devices to download and install the EAD client before permitting them to access the network This document describes z EAD Fast Deployment overview z EAD Fast Deployment configuration HABP On an HA...

Страница 16: ...ted configuration SSL Secure Sockets Layer SSL is a security protocol providing secure connection service for TCP based application layer protocols this document describes SSL related configuration Pu...

Страница 17: ...guring RRPP Rings z Configuring RRPP Ports z Configuring RRPP Nodes z Activating an RRPP Domain z Configuring RRPP Timers z Configuring an RRPP Ring Group DLDP In the use of fibers link errors namely...

Страница 18: ...ite to configure other login methods This document describes z Introduction z Setting Up the Connection to the Console Port z Console Port Login Configuration z Configuring Command Authorization z Con...

Страница 19: ...lcome message user privilege levels and so on This document describes z Configuration display z Basic configurations z CLI features Device Management Through the device management function you can vie...

Страница 20: ...ce the device allows you to configure MIB style that is you can switch between the two styles of MIBs However you need to ensure that the MIB style of the device is the same as that of the NMS This do...

Страница 21: ...es and service quality by sending test packets to provide you with network performance and service quality parameters This document describes z NQA Overview z Configuring the NQA Server z Enabling the...

Страница 22: ...PoE feature enables the power sourcing equipment PSE to feed powered devices PDs from Ethernet ports through twisted pair cables This document describes z PoE overview z Configuring the PoE Interface...

Страница 23: ...Application Layer Gateway AM accounting management ANSI American National Standard Institute AP Access Point ARP Address Resolution Protocol AS Autonomous System ASBR Autonomous System Border Router...

Страница 24: ...and Telegraph Consultative Committee CE Customer Edge CFD Connectivity Fault Detection CFM Configuration File Management CHAP Challenge Handshake Authentication Protocol CIDR Classless Inter Domain R...

Страница 25: ...oint Priority DSP Digital Signal Processor DTE Data Terminal Equipment DU Downstream Unsolicited D V Distance Vector Routing Algorithm DVMRP Distance Vector Multicast Routing Protocol DWDM Dense Wavel...

Страница 26: ...ernet GR Graceful Restart GRE Generic Routing Encapsulation GTS Generic Traffic Shaping GVRP GARP VLAN Registration Protocol H Return HA High Availability HABP HW Authentication Bypass Protocol HDLC H...

Страница 27: ...on IPSec IP Security IPTN IP Phone Telephony Network IPv6 Internet protocol version 6 IPX Internet Packet Exchange IRF Intelligent Resilient Framework IS Intermediate System ISATAP Intra Site Automati...

Страница 28: ...ate LRTT Loop Round Trip Time LSA Link State Advertisement LSAck Link State Acknowledgment LSDB Link State Database LSP Label Switch Path LSPAGENT Label Switched Path AGENT LSPDU Link State Protocol D...

Страница 29: ...on Overhead MSTI Multi Spanning Tree Instance MSTP Multiple Spanning Tree Protocol MT Multicast Tunnel MTBF Mean Time Between Failure MTI Multicast Tunnel Interface MTU Maximum Transmission Unit MVRF...

Страница 30: ...OC 3 OC 3 OID Object Identifier OL Optical Line OSI Open Systems Interconnection OSPF Open Shortest Path First P Return P2MP Point to MultiPoint P2P Point To Point PAP Password Authentication Protocol...

Страница 31: ...Virtual Channel PW Pseudo wires Q Return QACL QoS ACL QinQ 802 1Q in 802 1Q QoS Quality of Service QQIC Querier s Query Interval Code QRV Querier s Robustness Variable R Return RA Registration Author...

Страница 32: ...hoke Fairness Frame SD Signal Degrade SDH Synchronous Digital Hierarchy SETS Synchronous Equipment Timing Source SF Sampling Frequency SFM Source Filtered Multicast SFTP Secure FTP Share MDT Share Mul...

Страница 33: ...Distribution Tree T Return TA Terminal Adapter TACACS Terminal Access Controller Access Control System TDM Time Division Multiplexing TCP Transmission Control Protocol TE Traffic Engineering TEDB TE D...

Страница 34: ...rk VPI Virtual Path Identifier VPLS Virtual Private Local Switch VPN Virtual Private Network VRID Virtual Router ID VRRP Virtual Router Redundancy Protocol VSI Virtual Switch Interface VT Virtual Trib...

Страница 35: ...uration 2 1 Overview 2 1 Basic Concepts of Link Aggregation 2 1 Link Aggregation Modes 2 4 Load Sharing Mode of an Aggregation Group 2 6 Link Aggregation Configuration Task List 2 6 Configuring an Agg...

Страница 36: ...ork 4 20 Configuring Timers of MSTP 4 21 Configuring the Timeout Factor 4 22 Configuring the Maximum Port Rate 4 23 Configuring Ports as Edge Ports 4 23 Configuring Path Costs of Ports 4 24 Configurin...

Страница 37: ...Configuring Basic VLAN Settings 6 3 Configuring Basic Settings of a VLAN Interface 6 4 Port Based VLAN Configuration 6 5 Introduction to Port Based VLAN 6 5 Assigning an Access Port to a VLAN 6 6 Ass...

Страница 38: ...on Example I 9 7 GVRP Configuration Example II 9 8 GVRP Configuration Example III 9 9 10 QinQ Configuration 10 1 Introduction to QinQ 10 1 Background 10 1 QinQ Mechanism and Benefits 10 1 QinQ Frame S...

Страница 39: ...sification of Port Mirroring 12 1 Implementing Port Mirroring 12 1 Configuring Local Port Mirroring 12 3 Configuring Remote Port Mirroring 12 4 Configuration Prerequisites 12 4 Configuring a Remote So...

Страница 40: ...ombo Port Configuration Introduction to Combo port A Combo port can operate as either an optical port or an electrical port Inside the device there is only one forwarding interface For a Combo port th...

Страница 41: ...ission rate is determined through auto negotiation too For a Gigabit Ethernet interface you can specify the transmission rate by its auto negotiation capacity For details refer to Configuring an Auto...

Страница 42: ...he ingress and egress interfaces Follow these steps to enable flow control on an Ethernet interface To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface...

Страница 43: ...interface view interface interface type interface number Enable loopback testing loopback external internal Optional Disabled by default z As for the internal loopback test and external loopback test...

Страница 44: ...the network card transmission rate of the server group Server 1 Server 2 and Server 3 is 1000 Mbps and the transmission rate of GigabitEthernet 1 0 4 which provides access to the external network for...

Страница 45: ...d if you enable the storm constrain for the interface For information about the storm constrain function see Configuring the Storm Constrain Function on an Ethernet Interface Follow these steps to set...

Страница 46: ...terval for collecting interface statistics is 300 seconds Enabling Forwarding of Jumbo Frames Due to tremendous amount of traffic occurring on an Ethernet interface it is likely that some frames great...

Страница 47: ...ng MAC address forwarding entries will be removed z If loops are detected on a trunk port or a hybrid port trap messages are sent to the terminal If the loopback detection control function is also ena...

Страница 48: ...for transmitting signals pin 3 and pin 6 are used for receiving signals You can change the pin roles through setting the MDI mode For an Ethernet interface in normal mode the pin roles are not change...

Страница 49: ...torm Constrain Function on an Ethernet Interface The storm constrain function suppresses packet storms in an Ethernet With this function enabled on an interface the system detects the multicast traffi...

Страница 50: ...number Enable the storm constrain function and set the lower threshold and the upper threshold storm constrain broadcast multicast pps kbps ratio max pps values min pps values Required Disabled by de...

Страница 51: ...mary of an interface display brief interface interface type interface number begin exclude include regular expression Available in any view Display information about discarded packets on an interface...

Страница 52: ...hese member ports can dynamically back up each other Basic Concepts of Link Aggregation Aggregate interface An aggregate interface is a logical Layer 2 or Layer 3 aggregate interface Aggregation group...

Страница 53: ...ceived information with the information received on other ports This allows the two systems to reach an agreement on which link aggregation member ports should be placed in the selected state 2 Extend...

Страница 54: ...y Class two configurations Class two configurations are listed in Table 2 1 In an aggregation group if the configurations of a member port are different from the class two configurations that member p...

Страница 55: ...lex high speed full duplex low speed half duplex high speed and half duplex low speed with full duplex high speed being the most preferred If two ports with the same duplex mode speed pair are present...

Страница 56: ...port with smaller port number is selected as the reference port z If a port in up state is with the same port attributes and class two configuration as the reference port and the peer port of the port...

Страница 57: ...k Aggregation Groups Optional Configuring an Aggregation Group z The following ports cannot be assigned to an aggregation group Stack ports RRPP enabled ports MAC address authentication enabled ports...

Страница 58: ...em view system view Set the system LACP priority lacp system priority system priority Optional By default the system LACP priority is 32768 Changing the system LACP priority may affect the selected un...

Страница 59: ...g configurations for an aggregate interface z Configuring the Description of an Aggregate Interface z Enabling LinkUp LinkDown Trap Generation for an Aggregate Interface z Shutting Down an Aggregate I...

Страница 60: ...ports in the corresponding aggregation group is re calculated Follow these steps to shut down an aggregate interface To do Use the command Remarks Enter system view system view Enter Layer 2 aggregate...

Страница 61: ...es and those for Layer 3 packets are source destination IP addresses After you configure this command the load sharing modes in all link aggregation groups change accordingly Configuring a load sharin...

Страница 62: ...e type interface number to interface type interface number Available in user view Clear the statistics of the specified aggregate interfaces reset counters interface bridge aggregation interface numbe...

Страница 63: ...e configuration procedure performed on Device A to configure Device B Layer 2 Dynamic Aggregation Configuration Example Network requirements As shown in Figure 2 2 Device A and Device B are connected...

Страница 64: ...regation Load Sharing Mode Configuration Example Network requirements As shown in Figure 2 3 Device A is connection to Device B by their Ethernet ports GigabitEthernet 1 0 1 through GigabitEthernet 1...

Страница 65: ...ing mode of aggregation group 2 as the destination MAC based load sharing mode DeviceA interface bridge aggregation 2 DeviceA Bridge Aggregation2 link aggregation load sharing mode destination mac Dev...

Страница 66: ...en a port inside an isolation group and a port outside the isolation group but not between ports inside the isolation group Configuring the Isolation Group Assigning a Port to the Isolation Group Foll...

Страница 67: ...hat Host A Host B and Host C cannot communicate with one another at Layer 2 but can access the Internet Figure 3 1 Networking diagram for port isolation configuration Configuration procedure Add ports...

Страница 68: ...3 3 Uplink port support NO Group ID 1 Group members GigabitEthernet1 0 1 GigabitEthernet1 0 2 GigabitEthernet1 0 3...

Страница 69: ...ops at the data link layer in a local area network LAN Devices running this protocol detect loops in the network by exchanging information with one another and eliminate loops by selectively blocking...

Страница 70: ...port The root bridge has no root port Designated bridge and designated port The following table describes designated bridges and designated ports Table 4 1 Description of designated bridges and design...

Страница 71: ...spanning tree calculation Important fields in a configuration BPDU include z Root bridge ID consisting of the priority and MAC address of the root bridge z Root path cost the cost of the path to the...

Страница 72: ...iority than that of the configuration BPDU generated by the port the device discards the received configuration BPDU and does not process the configuration BPDU of this port z If the received configur...

Страница 73: ...device z The designated port ID is replaced with the ID of this port 3 The device compares the calculated configuration BPDU with the configuration BPDU on the port of which the port role is to be def...

Страница 74: ...port after comparison Device A z Port AP1 receives the configuration BPDU of Device B 1 0 1 BP1 Device A finds that the configuration BPDU of the local port 0 0 0 AP1 is superior to the received confi...

Страница 75: ...ort BP1 0 0 0 AP1 Designated port BP2 0 5 1 BP2 z Port CP1 receives the configuration BPDU of Device A 0 0 0 AP2 Device C finds that the received configuration BPDU is superior to the configuration BP...

Страница 76: ...ning tree with Device A as the root bridge is established as shown in Figure 4 3 Figure 4 3 The final calculated spanning tree AP1 AP2 Device A With priority 0 Device B With priority 1 Device C With p...

Страница 77: ...e transition in STP the newly elected root ports or designated ports require twice the forward delay time before transiting to the forwarding state to ensure that the new configuration BPDU has propag...

Страница 78: ...gs of STP and RSTP In addition to the support for rapid network convergence it allows data flows of different VLANs to be forwarded along separate paths thus providing a better load sharing mechanism...

Страница 79: ...tree region MST region consists of multiple devices in a switched network and the network segments among them These devices have the following characteristics z All are MSTP enabled z They have the sa...

Страница 80: ...constitute the CIST of the entire network MSTI Multiple spanning trees can be generated in an MST region through MSTP one spanning tree being independent of another Each spanning tree is referred to a...

Страница 81: ...ate port The standby port for a root port or master port When the root port or master port is blocked the alternate port becomes the new root port or master port z Backup port The backup port of a des...

Страница 82: ...are calculated each being called an MSTI Among these MSTIs MSTI 0 is the IST while all the others are MSTIs Similar to STP MSTP uses configuration BPDUs to calculate spanning trees The only difference...

Страница 83: ...List Before configuring MSTP you need to know the role of each device in each MSTI root bridge or leave node In each MSTI one and only one device acts as the root bridge while all others as leaf nodes...

Страница 84: ...nce mapping table For the detailed information of GVRP refer to GVRP Configuration of the Access Volume z MSTP is mutually exclusive with any of the following functions on a port service loopback RRPP...

Страница 85: ...rations of currently activated MST regions display stp region configuration The display command can be executed in any view z Two or more MSTP enabled devices belong to the same MST region only if the...

Страница 86: ...r if you specify a new primary root bridge for the instance then the secondary root bridge will not become the root bridge If you have specified multiple secondary root bridges for an instance when th...

Страница 87: ...e device send out MSTP BPDUs If the device detects that it is connected with a legacy STP device the port connecting with the legacy STP device will automatically migrate to STP compatible mode Make t...

Страница 88: ...panning tree calculation and thereby the size of the MST region is confined Make this configuration on the root bridge only All the devices other than the root bridge in the MST region use the maximum...

Страница 89: ...the peer occur in a synchronized manner z Hello time is the time interval at which a device sends configuration BPDUs to the surrounding devices to ensure that the paths are fault free If a device fa...

Страница 90: ...l to timely launch spanning tree calculations thus reducing the auto sensing capability of the network We recommend that you use the default setting The settings of hello time forward delay and max ag...

Страница 91: ...mit Required 10 by default The higher the maximum port rate is the more BPDUs will be sent within each hello time and the more system resources will be used By setting an appropriate maximum port rate...

Страница 92: ...flows to be forwarded along different physical links thus achieving VLAN based load balancing The device can automatically calculate the default path cost alternatively you can also configure the pat...

Страница 93: ...66 500 2 1 1 1 When calculating path cost for an aggregate interface 802 1d 1998 does not take into account the number of member ports in its aggregation group as 802 1t does The calculation formula o...

Страница 94: ...elected as the root port of a device If all other conditions are the same the port with the highest priority will be elected as the root port On an MSTP enabled device a port can have different priori...

Страница 95: ...ew system view Enter Ethernet interface view or Layer 2 aggregate interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manu...

Страница 96: ...cy Required auto by default z MSTP provides the MSTP packet format incompatibility guard function In MSTP mode if a port is configured to recognize send MSTP packets in a mode other than auto and rece...

Страница 97: ...nual port group name Required Use either command Enable the MSTP feature for the ports stp enable Optional By default MSTP is enabled on all ports z MSTP takes effect when it is enabled both globally...

Страница 98: ...RSTP or MSTP mode Configuring Digest Snooping As defined in IEEE 802 1s interconnected devices are in the same region only when the MST region related configurations domain name revision level VLAN to...

Страница 99: ...led by default z With the Digest Snooping feature enabled comparison of configuration digest is not needed for in the same region check so the VLAN to instance mappings must be the same on associated...

Страница 100: ...oping on Device B DeviceB system view DeviceB interface gigabitethernet 1 0 1 DeviceB GigabitEthernet1 0 1 stp config digest snooping DeviceB GigabitEthernet1 0 1 quit DeviceB stp config digest snoopi...

Страница 101: ...P and does not work in RSTP mode the root port on the downstream device receives no agreement packet from the upstream device and thus sends no agreement packets to the upstream device As a result the...

Страница 102: ...ice that has different MSTP implementation Both devices are in the same region z Device B is the regional root bridge and Device A is the downstream device Figure 4 9 No Agreement Check configuration...

Страница 103: ...default BPDU guard does not take effect on loopback test enabled ports For information about loopback test refer to Ethernet Interface Configuration in the Access Volume Enabling Root guard The root b...

Страница 104: ...work The loop guard function can suppress the occurrence of such loops If a loop guard enabled port fails to receive BPDUs from the upstream device and if the port takes part in STP calculation all th...

Страница 105: ...ontinuously in order to destroy the network When a switch receives the BPDU packets it will forward them to other switches As a result STP calculation is performed repeatedly which may occupy too much...

Страница 106: ...ation information that has taken effect display stp region configuration Available in any view View the root bridge information of all MSTIs display stp root Available in any view Clear the statistics...

Страница 107: ...MSTI 1 MSTI 3 and MSTI 4 respectively and configure the revision level of the MST region as 0 DeviceA system view DeviceA stp region configuration DeviceA mst region region name example DeviceA mst re...

Страница 108: ...w DeviceC stp region configuration DeviceC mst region region name example DeviceC mst region instance 1 vlan 10 DeviceC mst region instance 3 vlan 30 DeviceC mst region instance 4 vlan 40 DeviceC mst...

Страница 109: ...TID Port Role STP State Protection 0 GigabitEthernet1 0 1 DESI FORWARDING NONE 0 GigabitEthernet1 0 2 DESI FORWARDING NONE 0 GigabitEthernet1 0 3 DESI FORWARDING NONE 1 GigabitEthernet1 0 2 DESI FORWA...

Страница 110: ...0 2 ALTE DISCARDING NONE 4 GigabitEthernet1 0 3 ROOT FORWARDING NONE Based on the above information you can draw the MSTI corresponding to each VLAN as shown in Figure 4 11 Figure 4 11 MSTIs correspon...

Страница 111: ...in IEEE 802 1AB The protocol operates on the data link layer to exchange device information between directly connected devices With LLDP a device sends local device information including its major fun...

Страница 112: ...ng bridge is used Type The Ethernet type for the upper layer protocol It is 0x88CC for LLDP Data LLDP data unit LLDPDU FCS Frame check sequence a 32 bit CRC value used to determine the validity of the...

Страница 113: ...nformation field in octets and the value field contains the information itself LLDPDU TLVs fall into these categories basic management TLVs organizationally IEEE 802 1 and IEEE 802 3 specific TLVs and...

Страница 114: ...y 3Com switches 4210G support receiving but not sending protocol identity TLVs 3 IEEE 802 3 organizationally specific TLVs Table 5 5 IEEE 802 3 organizationally specific TLVs Type Description MAC PHY...

Страница 115: ...set ID The typical case is that the user specifies the asset ID for the endpoint to facilitate directory management and asset tracking Location Identification Allows a network device to advertise the...

Страница 116: ...resumes Receiving LLDP frames An LLDP enabled port operating in TxRx mode or Rx mode checks the TLVs carried in every LLDP frame it receives for validity violation If valid the information is saved an...

Страница 117: ...port group manual port group name Required Use either command Enable LLDP lldp enable Optional By default LLDP is enabled on a port Setting LLDP Operating Mode LLDP can operate in one of the following...

Страница 118: ...ends LLDP frames to inform the neighboring devices of the change Follow these steps to enable LLDP polling To do Use the command Remarks Enter system view system view Enter Ethernet interface view int...

Страница 119: ...ng format of the management address as string on the connecting port to guarantee normal communication with the neighbor Follow these steps to configure a management address to be advertised and its e...

Страница 120: ...nal 2 seconds by default Set the number of LLDP frames sent each time fast LLDPDU transmission is triggered lldp fast count count Optional 3 by default Both the LLDPDU transmit interval and delay must...

Страница 121: ...h Cisco IP phones As your LLDP enabled device cannot recognize CDP packets it does not respond to the requests of Cisco IP phones for the voice VLAN ID configured on the device This can cause a reques...

Страница 122: ...ommand Configure CDP compatible LLDP to operate in TxRx mode lldp compliance admin status cdp txrx Required By default CDP compatible LLDP operates in disable mode As the maximum TTL allowed by CDP is...

Страница 123: ...name Available in any view Display LLDP statistics display lldp statistics global interface interface type interface number Available in any view Display LLDP status of a port display lldp status inte...

Страница 124: ...SwitchB system view SwitchB lldp enable Enable LLDP on GigabitEthernet1 0 1 you can skip this step because LLDP is enabled on ports by default and set the LLDP operating mode to Tx SwitchB interface...

Страница 125: ...orts operate in Rx mode that is they only receive LLDP frames Tear down the link between Switch A and Switch B and then display the global LLDP status and port LLDP status on Switch A SwitchA display...

Страница 126: ...allow the Cisco IP phones to automatically configure the voice VLAN thus confining their voice traffic within the voice VLAN to be isolated from other types of traffic Figure 5 5 Network diagram for...

Страница 127: ...0 2 SwitchA GigabitEthernet1 0 2 lldp enable SwitchA GigabitEthernet1 0 2 lldp admin status txrx SwitchA GigabitEthernet1 0 2 lldp compliance admin status cdp txrx SwitchA GigabitEthernet1 0 2 quit 3...

Страница 128: ...and excessive broadcasts cannot be avoided on an Ethernet To address the issue virtual LAN VLAN was introduced The idea is to break a LAN down into separate VLANs that is Layer 2 broadcast domains whe...

Страница 129: ...802 1Q inserts a four byte VLAN tag after the DA SA field as shown in Figure 6 3 Figure 6 3 The position and format of VLAN tag A VLAN tag comprises four fields tag protocol identifier TPID priority...

Страница 130: ...t the same time When determining to which VLAN a packet passing through the port should be assigned the device looks up the VLANs in the default order of MAC based VLANs IP based VLANs protocol based...

Страница 131: ...n create one VLAN interface You can assign the VLAN interface an IP address and specify it as the gateway of the VLAN to forward traffic destined for an IP network segment different from that of the V...

Страница 132: ...hybrid port can carry multiple VLANs to receive and send traffic for them Unlike a trunk port a hybrid port allows traffic of all VLANs to pass through VLAN untagged You can configure a port connecte...

Страница 133: ...move the tag and send the frame if the frame carries the default VLAN tag and the port belongs to the default VLAN z Send the frame without removing the tag if its VLAN is carried on the port but is d...

Страница 134: ...ce type interface number Enter Layer 2 aggregate interface view interface bridge aggregation interface number Enter interface view or port group view Enter port group view port group manual port group...

Страница 135: ...nter Ethernet interface view interface interface type interface number Enter Layer 2 aggregate interface view interface bridge aggregation interface number Enter interface view or port group view Ente...

Страница 136: ...VLANs You can assign it to a VLAN in interface view or port group view Follow these steps to assign a hybrid port to one or multiple VLANs To do Use the command Remarks Enter system view system view...

Страница 137: ...z When receiving an untagged frame the device looks up the list of MAC to VLAN mappings based on the source MAC address of the frame for a match Two matching modes are available exact matching and fuz...

Страница 138: ...these steps to configure a MAC based VLAN To do Use the command Remarks Enter system view system view Associate MAC addresses with a VLAN mac vlan mac address mac address vlan vlan id priority priori...

Страница 139: ...tocol template z If the packet matches no protocol template the packet will be tagged with the default VLAN ID of the port The port processes a tagged packet as it processes tagged packets of a port b...

Страница 140: ...s in the protocol vlan command as 0xe0 or 0xff when configuring the user defined template for llc encapsulation Otherwise the encapsulation format of the matching packets will be the same as that of t...

Страница 141: ...segment or IP address to be associated with a VLAN cannot be a multicast network segment or a multicast address Return to system view quit Enter Ethernet interface view interface interface type inter...

Страница 142: ...n interface vlan interface id Available in any view Display hybrid ports or trunk ports on the device display port hybrid trunk Available in any view Display MAC address to VLAN entries display mac vl...

Страница 143: ...100 to pass through Figure 6 4 Network diagram for port based VLAN configuration Configuration procedure 1 Configure Device A Create VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 DeviceA system view Devi...

Страница 144: ...sted pair Port hardware type is 1000_BASE_T Unknown speed mode unknown duplex mode Link speed type is autonegotiation link duplex type is autonegotiation Flow control is not enabled The Maximum Frame...

Страница 145: ...derruns buffer failures 0 aborts 0 deferred 0 collisions 0 late collisions 0 lost carrier no carrier The output above shows that z The port GigabitEthernet 1 0 1 is a trunk port z The default VLAN of...

Страница 146: ...of only the isolate user VLAN but not the secondary VLANs network configuration is simplified and VLAN resources are saved z You can isolate the Layer 2 traffic of different users by assigning the por...

Страница 147: ...least one port takes the isolate user VLAN as its default VLAN Hybrid port Refer to Assigning a Hybrid Port to a VLAN Use either approach Return to system view quit Create secondary VLANs vlan vlan id...

Страница 148: ...to VLAN 3 z Configure VLAN 6 on Device C as an isolate user VLAN assign the uplink port GigabitEthernet 1 0 5 to VLAN 6 and associate VLAN 6 with secondary VLANs VLAN 3 and VLAN 4 Assign GigabitEther...

Страница 149: ...n4 port gigabitethernet 1 0 4 Associate the isolate user VLAN with the secondary VLANs DeviceC vlan4 quit DeviceC isolate user vlan 6 secondary 3 to 4 Verification Display the isolate user VLAN config...

Страница 150: ...gigabitethernet 1 0 5 VLAN ID 3 VLAN Type static Isolate user VLAN type secondary Route Interface not configured Description VLAN 0003 Name VLAN 0003 Tagged Ports none Untagged Ports gigabitethernet 1...

Страница 151: ...OUI Addresses A device determines whether a received packet is a voice packet by checking its source MAC address A packet whose source MAC address complies with the voice device Organizationally Uniqu...

Страница 152: ...from the voice VLAN if no packet is received from the port after the aging time expires Assigning removing ports to from a voice VLAN are automatically performed by the system z In manual mode you sh...

Страница 153: ...rt untagged If an IP phone sends tagged voice traffic and its connecting port is configured with 802 1X authentication and Guest VLAN you should assign different VLAN IDs for the voice VLAN the defaul...

Страница 154: ...Configuring a Voice VLAN Configuration Prerequisites Before configuring a VLAN as a voice VLAN create the VLAN first Note that you cannot configure VLAN 1 the system default VLAN as a voice VLAN Sett...

Страница 155: ...ate in Manual Voice VLAN Assignment Mode Follow these steps to set a port to operate in manual voice VLAN assignment mode To do Use the command Remarks Enter system view system view Enable the voice V...

Страница 156: ...playing and Maintaining Voice VLAN To do Use the command Remarks Display the voice VLAN state display voice vlan state Available in any view Display the OUI addresses currently supported by system dis...

Страница 157: ...ity enable Configure the allowed OUI addresses as MAC addresses prefixed by 0011 1100 0000 or 0011 2200 0000 In this way Device A identifies packets whose MAC addresses match any of the configured OUI...

Страница 158: ...ff ff00 0000 Polycom phone 00e0 bb00 0000 ffff ff00 0000 3com phone Display the current states of voice VLANs DeviceA display voice vlan state Maximum of Voice VLANs 16 Current Voice VLANs 2 Voice VLA...

Страница 159: ...1 undo voice vlan mode auto Configure GigabitEthernet 1 0 1 as a hybrid port DeviceA GigabitEthernet1 0 1 port link type access Please wait Done DeviceA GigabitEthernet1 0 1 port link type hybrid Conf...

Страница 160: ...0000 ffff ff00 0000 Polycom phone 00e0 bb00 0000 ffff ff00 0000 3com phone Display the current voice VLAN state DeviceA display voice vlan state Maximum of Voice VLANs 16 Current Voice VLANs 2 Voice V...

Страница 161: ...t is regarded as a GARP participant GARP messages and timers 1 GARP messages A GARP application entity exchanges information with other GARP application entities by z Sending Join messages to register...

Страница 162: ...imer starts again z The settings of GARP timers apply to all GARP applications such as GVRP on a LAN z On a GARP enabled network a device may send LeaveAll messages at the interval set by its LeaveAll...

Страница 163: ...for GVRP indicating the VLAN ID attribute Attribute List Contains one or multiple attributes Attribute Consists of an Attribute Length an Attribute Event and an Attribute Value Attribute Length Numbe...

Страница 164: ...ed registration type thus allows only manually configured VLANs to pass through even though it is configured to carry all VLANs z Forbidden Disables the port to dynamically register and deregister VLA...

Страница 165: ...port mirroring are used GVRP may register the remote probe VLAN to unexpected ports resulting in undesired duplicates to be received by the monitor port For more information about port mirroring refe...

Страница 166: ...r a timer you may change the value range by tuning the value of another related timer z If you want to restore the default settings of the timers restore the Hold timer first and then the Join Leave a...

Страница 167: ...nfiguration Examples GVRP Configuration Example I Network requirements Configure GVRP for dynamic VLAN information registration and update among devices adopting the normal registration mode on ports...

Страница 168: ...c Now the following dynamic VLAN exist s 2 GVRP Configuration Example II Network requirements Configure GVRP for dynamic VLAN information registration and update among devices Specify fixed GVRP regis...

Страница 169: ...a static VLAN Sysname vlan 3 3 Verify the configuration Display dynamic VLAN information on Device A DeviceA display vlan dynamic No dynamic vlans exist Display dynamic VLAN information on Device B De...

Страница 170: ...P globally DeviceB system view DeviceB gvrp Configure port GigabitEthernet 1 0 1 as a trunk port allowing all VLANs to pass through DeviceB interface gigabitethernet 1 0 1 DeviceB GigabitEthernet1 0 1...

Страница 171: ...can support a maximum of 4094 VLANs In actual applications however a large number of VLANs are required to isolate users especially in metropolitan area networks MANs and 4094 VLANs are far from satis...

Страница 172: ...vider network it is tagged with outer VLAN 4 In this way there is no overlap of VLAN IDs among customers and traffic from different customers does not become mixed By tagging tagged frames QinQ expand...

Страница 173: ...ort the port tags it with the port s default VLAN tag regardless of whether the frame is tagged or untagged If the received frame is already tagged it becomes a double tagged frame if it is untagged i...

Страница 174: ...PID of the outer VLAN tag of QinQ frames to different values For compatibility with these systems you can modify the TPID value so that the QinQ frames when sent to the public network carry the TPID v...

Страница 175: ...all member ports in the current port group z Basic and selective QinQ should both be configured on the ports connecting customer networks z Do not configure QinQ on a reflector port For information a...

Страница 176: ...port group name Required Use either command Enter QinQ view and configure the SVLAN tag for the port to add qinq vid vlan id Required By default the SVLAN tag to be added is the default VLAN tag of th...

Страница 177: ...aggregate interface view interface interface type interface number Enter the Ethernet port view of the customer network side port Enter port group view port group manual port group name Enter the Ethe...

Страница 178: ...ough trunk ports They belong to SVLAN 10 and 50 z Customer A1 Customer A2 Customer B1 and Customer B2 are edge devices on the customer network z Third party devices with a TPID value of 0x8200 are dep...

Страница 179: ...iderA GigabitEthernet1 0 2 port hybrid vlan 50 untagged Enable basic QinQ on GigabitEthernet 1 0 2 ProviderA GigabitEthernet1 0 2 qinq enable ProviderA GigabitEthernet1 0 2 quit z Configure GigabitEth...

Страница 180: ...derB qinq ethernet type 8200 3 Configuration on third party devices Configure the third party devices between Provider A and Provider B as follows configure the port connecting GigabitEthernet 1 0 3 o...

Страница 181: ...ProviderA GigabitEthernet1 0 1 port link type hybrid ProviderA GigabitEthernet1 0 1 port hybrid vlan 1000 2000 untagged Tag CVLAN 10 frames with SVLAN 1000 ProviderA GigabitEthernet1 0 1 qinq vid 1000...

Страница 182: ...and VLAN 2000 to pass through ProviderB system view ProviderB interface gigabitethernet 1 0 1 ProviderB GigabitEthernet1 0 1 port link type trunk ProviderB GigabitEthernet1 0 1 port trunk permit vlan...

Страница 183: ...nd Provider B with a TPID value of 0x8200 The expected result of the configuration is as follows z VLAN 10 of Customer A and Customer B can intercommunicate across VLAN 1000 on the public network z VL...

Страница 184: ...r the traffic behavior ProviderA traffic behavior P1000 ProviderA behavior P1000 nest top most vlan id 1000 ProviderA behavior P1000 quit Create a class A20 to match frames of VLAN 20 of Customer A Pr...

Страница 185: ...pass through ProviderB system view ProviderB interface gigabitethernet 1 0 1 ProviderB GigabitEthernet1 0 1 port link type trunk ProviderB GigabitEthernet1 0 1 port trunk permit vlan 1000 2000 3000 To...

Страница 186: ...figuration that should be made on the devices Configure that device connecting with GigabitEthernet 1 0 3 of Provider A and the device connecting with GigabitEthernet 1 0 1 of Provider B so that their...

Страница 187: ...hich belong to VLAN 100 User A s network is divided into network 1 and network 2 which are connected by the service provider network When Layer 2 protocol packets cannot be transparently transmitted i...

Страница 188: ...Tunneling Implementation The BPDU tunneling implementations for different protocols are all similar This section describes how BPDU tunneling is implemented by taking the Spanning Tree Protocol STP a...

Страница 189: ...the edge devices PE 1 and PE 2 in the service provider network allows BPDUs of the customer network to be transparently transmitted in the service provider network thus ensuring consistent spanning tr...

Страница 190: ...disable the protocol on the port first Because PVST is a special STP protocol before enabling BPDU tunneling for PVST on a port you need to disable STP and then enable BPDU tunneling for STP on the p...

Страница 191: ...hrough the following configuration Follow these steps to configure destination multicast MAC address for BPDUs To do Use the command Remarks Enter system view system view Configure the destination mul...

Страница 192: ...vlan2 quit PE1 interface gigabitethernet 1 0 1 PE1 GigabitEthernet1 0 1 port access vlan 2 Disable STP on GigabitEthernet 1 0 1 and then enable BPDU tunneling for STP on it PE1 GigabitEthernet1 0 1 un...

Страница 193: ...iguring BPDU tunneling for PVST Configuration procedure 1 Configuration on PE 1 Configure the destination multicast MAC address for BPDUs as 0x0100 0CCD CDD0 PE1 system view PE1 bpdu tunnel tunnel dma...

Страница 194: ...unk PE2 GigabitEthernet1 0 2 port trunk permit vlan all Disable STP on GigabitEthernet 1 0 2 and then enable BPDU tunneling for STP and PVST on it PE2 GigabitEthernet1 0 2 undo stp enable PE2 GigabitE...

Страница 195: ...port are located on the same device z In remote port mirroring the mirroring port or ports and the monitor port can be located on the same device or different devices Currently remote port mirroring c...

Страница 196: ...Figure 12 2 Remote port mirroring implementation Remote mirroring involves the following device roles z Source device The source device is the device where the mirroring ports are located On it you m...

Страница 197: ...gement Commands in the System Volume Configuring Local Port Mirroring Configuring local port mirroring is to configure local mirroring groups A local mirroring group comprises one or multiple mirrorin...

Страница 198: ...he source device and the cooperating remote destination mirroring group on the destination device If GVRP is enabled GVRP may register the remote probe VLAN to unexpected ports resulting in undesired...

Страница 199: ...epeat the step In system view mirroring group groupid monitor egress monitor egress port id interface interface type interface number mirroring group groupid monitor egress Configure the egress port I...

Страница 200: ...d remote destination Required Configure the remote probe VLAN mirroring group groupid remote probe vlan rprobe vlan id Required In system view mirroring group groupid monitor port monitor port id inte...

Страница 201: ...Available in any view Port Mirroring Configuration Examples Local Port Mirroring Configuration Example Network requirements The departments of a company connect to each other through Ethernet switche...

Страница 202: ...l the port mirroring groups SwitchC display mirroring group all mirroring group 1 type local status active mirroring port GigabitEthernet1 0 1 both GigabitEthernet1 0 2 both monitor port GigabitEthern...

Страница 203: ...orts and configure them to permit packets of VLAN 2 z Create a remote destination mirroring group on Switch C Configure VLAN 2 as the remote port mirroring VLAN and port GigabitEthernet 1 0 2 to which...

Страница 204: ...trunk permit vlan 2 3 Configure Switch C the destination device Configure port GigabitEthernet 1 0 1 as a trunk port and configure the port to permit the packets of VLAN 2 SwitchC system view SwitchC...

Страница 205: ...5 ARP Configuration Example 2 5 Configuring Gratuitous ARP 2 5 Introduction to Gratuitous ARP 2 5 Configuring Gratuitous ARP 2 6 Displaying and Maintaining ARP 2 6 3 Proxy ARP Configuration 3 1 Proxy...

Страница 206: ...jects 4 8 Displaying and Maintaining ARP Detection 4 9 ARP Detection Configuration Example I 4 9 ARP Detection Configuration Example II 4 10 5 DHCP Overview 5 1 Introduction to DHCP 5 1 DHCP Address A...

Страница 207: ...P Snooping 8 7 DHCP Snooping Configuration Examples 8 7 DHCP Snooping Configuration Example 8 7 DHCP Snooping Option 82 Support Configuration Example 8 8 9 BOOTP Client Configuration 9 1 Introduction...

Страница 208: ...NS 13 9 Protocols and Standards 13 9 IPv6 Basics Configuration Task List 13 10 Configuring Basic IPv6 Functions 13 10 Enabling IPv6 13 10 Configuring an IPv6 Unicast Address 13 10 Configuring IPv6 NDP...

Страница 209: ...sFlow Configuration 15 1 sFlow Overview 15 1 Introduction to sFlow 15 1 Operation of sFlow 15 1 Configuring sFlow 15 2 Displaying and Maintaining sFlow 15 2 sFlow Configuration Example 15 3 Troublesho...

Страница 210: ...xample is 01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1...

Страница 211: ...es the host with a host ID of 16 on the local network z IP address with an all zero host ID Identifies a network z IP address with an all one host ID Identifies a directed broadcast address For exampl...

Страница 212: ...ce needs an IP address to communicate with other devices You can assign an IP address to a VLAN interface or a loopback interface on a switch Besides directly assigning an IP address to the VLAN inter...

Страница 213: ...ts on the two network segments to communicate with the external network through the switch and the hosts on the LAN can communicate with each other do the following z Assign two IP addresses to VLAN i...

Страница 214: ...es 56 Sequence 1 ttl 255 time 25 ms Reply from 172 16 2 2 bytes 56 Sequence 2 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 3 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 4...

Страница 215: ...device Because IP datagrams must be encapsulated within Ethernet frames before they can be transmitted over physical networks the sending host or device also needs to know the physical address of the...

Страница 216: ...B Host A buffers the packet and broadcasts an ARP request in which the sender IP address and the sender MAC address are the IP address and the MAC address of Host A respectively and the target IP addr...

Страница 217: ...n the static ARP entry Thus communications between the protected device and the specified device are ensured Static ARP entries can be classified into permanent or non permanent z A permanent static A...

Страница 218: ...the command Remarks Enter system view system view Enter interface view interface interface type interface number Set the maximum number of dynamic ARP entries that a interface can learn arp max learni...

Страница 219: ...of dynamic ARP entries that VLAN interface 10 can learn to 1 000 z Add a static ARP entry with the IP address being 192 168 1 1 24 the MAC address being 000f e201 0000 and the outbound interface being...

Страница 220: ...ackets when receiving ARP requests from another network segment Enable the gratuitous ARP packet learning function gratuitous arp learning enable Optional Enabled by default Displaying and Maintaining...

Страница 221: ...ork Proxy ARP involves common proxy ARP and local proxy ARP which are described in the following sections The term proxy ARP in the following sections of this chapter refers to common proxy ARP unless...

Страница 222: ...e two hosts Figure 3 2 Application environment of local proxy ARP Switch Vlan int2 192 168 10 100 24 Switch GE1 0 3 GE1 0 1 GE1 0 2 Host A 192 168 10 99 24 Host B 192 168 10 200 24 VLAN 2 port isolate...

Страница 223: ...Proxy ARP Configuration Examples Proxy ARP Configuration Example Network requirements Host A and Host D have the same IP prefix and mask Host A belongs to VLAN 1 Host D belongs to VLAN 2 Configure pr...

Страница 224: ...d Host B Figure 3 4 Network diagram for local proxy ARP between isolated ports Switch A Switch B GE1 0 2 GE1 0 3 GE1 0 1 Host A 192 168 10 99 24 Host B 192 168 10 200 24 GE1 0 2 VLAN 2 Vlan int2 192 1...

Страница 225: ...ser vlan which includes uplink port GigabitEthernet 1 0 1 and two secondary VLANs VLAN 2 and VLAN 3 GigabitEthernet 1 0 2 belongs to VLAN 2 and GigabitEthernet 1 0 3 belongs to VLAN 3 z Configure loca...

Страница 226: ...d GigabitEthernet 1 0 1 to it SwitchA system view SwitchA vlan 5 SwitchA vlan5 port gigabitethernet 1 0 1 SwitchA vlan5 interface vlan interface 5 SwitchA Vlan interface5 ip address 192 168 10 100 255...

Страница 227: ...o unreachable destinations z The device sends large numbers of ARP requests to the destination subnets which increases the load of the destination subnets z The device continuously resolves destinatio...

Страница 228: ...chip simply drops all packets matching the next hop during the age time of the black hole route Enabling ARP Defense Against IP Packet Attacks The ARP defense against IP packet attack function applie...

Страница 229: ...d to the CPU are detected Configuration Procedure Enabling source MAC address based ARP attack detection After this feature is enabled for a device if the number of ARP packets it receives from a MAC...

Страница 230: ...hreshold To do Use the command Remarks Enter system view system view Configure the threshold arp anti attack source mac threshold threshold value Optional 50 by default Displaying and Maintaining Sour...

Страница 231: ...t the rate of ARP packets to be delivered to the CPU Configuring the ARP Packet Rate Limit Function Follow these steps to configure ARP packet rate limit To do Use the command Remarks Enter system vie...

Страница 232: ...ies Dynamic DHCP snooping entries are automatically generated through the DHCP snooping function For details refer to DHCP Configuration in the IP Service Volume Static IP Source Guard binding entries...

Страница 233: ...d ip address mac address Optional Not configured by default If the ARP attack detection mode is static bind you need to configure static IP to MAC bindings for ARP detection z If all the detection typ...

Страница 234: ...r the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet header If they are identical the packet is forwarded otherwise the packet is discarded z dst mac Checks...

Страница 235: ...g and Maintaining ARP Detection To do Use the command Remarks Display the VLANs enabled with ARP detection display arp detection Available in any view Display the ARP detection statistics display arp...

Страница 236: ...static IP Source Guard binding entry on GigabitEthernet 1 0 2 SwitchB interface gigabitethernet 1 0 2 SwitchB GigabitEthernet1 0 2 user bind ip address 10 1 1 5 mac address 0001 0203 0405 vlan 10 Swi...

Страница 237: ...SwitchB GigabitEthernet1 0 1 dot1x SwitchB GigabitEthernet1 0 1 quit SwitchB interface gigabitethernet 1 0 2 SwitchB GigabitEthernet1 0 2 dot1x SwitchB GigabitEthernet1 0 2 quit Add local access user...

Страница 238: ...on hosts become more complex The Dynamic Host Configuration Protocol DHCP was introduced to solve these problems DHCP is built on a client server model in which a client sends a configuration request...

Страница 239: ...server via four steps 2 The client broadcasts a DHCP DISCOVER message to locate a DHCP server 3 A DHCP server offers configuration parameters including an IP address to the client in a DHCP OFFER mes...

Страница 240: ...ast to extend the lease duration Upon availability of the IP address the DHCP server returns a DHCP ACK unicast confirming that the client s lease duration has been extended or a DHCP NAK unicast deny...

Страница 241: ...rmat as the Bootstrap Protocol BOOTP message for compatibility but differs from it in the option field which identifies new features for DHCP DHCP uses the option field in DHCP messages to carry contr...

Страница 242: ...guration Server ACS parameters including the ACS URL username and password z Service provider identifier acquired by the customer premises equipment CPE from the DHCP server and sent to the ACS for se...

Страница 243: ...te the DHCP client to further implement security control and accounting The Option 82 supporting server can also use such information to define individual assignment policies of IP address and other p...

Страница 244: ...interface that received the client s request Its format is shown in Figure 5 10 Figure 5 10 Sub option 1 in verbose padding format In Figure 5 10 except that the VLAN ID field has a fixed length of 2...

Страница 245: ...r not z Sub option 4 Failover route that specifies the destination IP address and the called number SIP users use such IP addresses and numbers to communicate with each other that a SIP user uses to r...

Страница 246: ...ported only on VLAN interfaces Introduction to DHCP Relay Agent Application Environment Since DHCP clients request IP addresses via broadcast messages the DHCP server and clients must be on the same s...

Страница 247: ...P address and forwards the message to the designated DHCP server in unicast mode 3 Based on the giaddr field the DHCP server returns an IP address and other configuration parameters to the relay agent...

Страница 248: ...Option 82 padded in normal format verbose Forward the message after adding the Option 82 padded in verbose format no Option 82 user defined Forward the message after adding the user defined Option 82...

Страница 249: ...an IP address via the DHCP relay agent the address pool of the subnet to which the IP address of the DHCP relay agent belongs must be configured on the DHCP server Otherwise the DHCP client cannot obt...

Страница 250: ...mand Configuring the DHCP Relay Agent Security Functions Creating static bindings and enable IP address check The DHCP relay agent can dynamically record clients IP to MAC bindings after clients get I...

Страница 251: ...a specified interval The DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay interface to periodically send a DHCP REQUEST message to the DHCP server z If the server...

Страница 252: ...After you configure this task the DHCP relay agent actively sends a DHCP RELEASE request that contains the client s IP address to be released Upon receiving the DHCP RELEASE request the DHCP server th...

Страница 253: ...to non user defined Option 82 only Configure non user defined Option 82 Configure the code type for the remote ID sub option dhcp relay information remote id format type ascii hex Optional By default...

Страница 254: ...on about the refreshing interval for entries of dynamic IP to MAC bindings display dhcp relay security tracker Display information about the configuration of a specified or all DHCP server groups disp...

Страница 255: ...erver select 1 Because the DHCP relay agent and server are on different subnets you need to configure a static route or dynamic routing protocol to make them reachable to each other DHCP Relay Agent O...

Страница 256: ...company001 SwitchA Vlan interface1 dhcp relay information remote id string device001 You need to perform corresponding configurations on the DHCP server to make the Option 82 configurations function n...

Страница 257: ...recommended to enable both the DHCP client and the DHCP snooping on the same device Otherwise DHCP snooping entries may fail to be generated or the DHCP client may fail to obtain an IP address Introd...

Страница 258: ...emarks Display specified configuration information display dhcp client verbose interface interface type interface number Available in any view DHCP Client Configuration Example Network requirements As...

Страница 259: ...11 06 35 DHCP server 10 1 1 1 Transaction ID 0x410090f0 Classless static route Destination 20 1 1 0 Mask 255 255 255 0 NextHop 10 1 1 2 DNS server 20 1 1 1 Client ID 3030 3066 2e65 3230 302e 3030 3032...

Страница 260: ...ng can implement the following 1 Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers 2 Recording IP to MAC mappings of DHCP clients Ensuring DHCP clients to obtain IP addresses f...

Страница 261: ...ng through For details refer to IP Source Guard Configuration in the Security Volume Application Environment of Trusted Ports Configuring a trusted port connected to a DHCP server Figure 8 1 Configure...

Страница 262: ...Option 82 records the location information of the DHCP client The administrator can locate the DHCP client to further implement security control and accounting For more information refer to Relay agen...

Страница 263: ...the message after adding the Option 82 padded in normal format verbose Forward the message after adding the Option 82 padded in verbose format no Option 82 user defined Forward the message after addi...

Страница 264: ...yer 2 Ethernet interface to an aggregation group z Configuring both the DHCP snooping and selective QinQ function on the switch is not recommended because it may result in malfunctioning of DHCP snoop...

Страница 265: ...ooping information vlan vlan id circuit id string circuit id Optional By default the padding content depends on the padding format of Option 82 Configure user defined Option 82 Configure the padding c...

Страница 266: ...CP snooping device reset dhcp snooping packet statistics slot slot number Available in user view DHCP Snooping Configuration Examples DHCP Snooping Configuration Example Network requirements z As show...

Страница 267: ...ernet 1 0 1 as trusted SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 dhcp snooping trust SwitchB GigabitEthernet1 0 1 quit Configure GigabitEthernet 1 0 2 to support Option 82 S...

Страница 268: ...Introduction to BOOTP Client This section covers these topics z BOOTP Application z Obtaining an IP Address Dynamically z Protocols and Standards BOOTP Application After you specify an interface of a...

Страница 269: ...the BOOTP client The BOOTP server then returns a BOOTP response to the BOOTP client 3 The BOOTP client obtains the IP address from the received response Protocols and Standards Some protocols and stan...

Страница 270: ...the LAN VLAN interface 1 obtains an IP address from the DHCP server by using BOOTP Figure 9 1 Network diagram for BOOTP WINS server 10 1 1 4 25 Client Switch B Client DNS server 10 1 1 2 25 DHCP serv...

Страница 271: ...checks the local static name resolution table for an IP address If no IP address is available it contacts the DNS server for dynamic name resolution which takes more time than static name resolution...

Страница 272: ...is valid and the DNS client gets the aging information from DNS messages DNS suffixes The DNS client normally holds a list of suffixes which can be defined by users It is used when the name to be res...

Страница 273: ...the DNS proxy instead of on each DNS client Figure 10 2 DNS proxy networking application Operation of a DNS proxy 1 A DNS client considers the DNS proxy as the DNS server and sends a DNS request to t...

Страница 274: ...us one if there is any You may create up to 50 static mappings between domain names and IP addresses Configuring Dynamic Domain Name Resolution Follow these steps to configure dynamic domain name reso...

Страница 275: ...able in any view Clear the information of the dynamic domain name cache reset dns dynamic host Available in user view DNS Configuration Examples Static Domain Name Resolution Configuration Example Net...

Страница 276: ...is com The mapping between domain name Host and IP address 3 1 1 1 16 is stored in the com domain z Switch serves as a DNS client and uses the dynamic domain name resolution and the suffix to access t...

Страница 277: ...ctions to create a new zone named com Figure 10 5 Create a zone Create a mapping between the host name and IP address Figure 10 6 Add a host In Figure 10 6 right click zone com and then select New Hos...

Страница 278: ...ost is normal and that the corresponding destination IP address is 3 1 1 1 Sysname ping host Trying DNS resolve press CTRL_C to break Trying DNS server 2 1 1 2 PING host com 3 1 1 1 56 data bytes pres...

Страница 279: ...er and the host are reachable to each other and the IP addresses of the interfaces are configured as shown in Figure 10 8 1 Configure the DNS server This configuration may vary with different DNS serv...

Страница 280: ...4 ttl 126 time 1 ms Reply from 3 1 1 1 bytes 56 Sequence 5 ttl 126 time 1 ms host com ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 1 3 ms Troubl...

Страница 281: ...specific network In the destination IP address of a directed broadcast the network ID is a network ID identifies the target network and the host ID is all one If a device is allowed to forward directe...

Страница 282: ...effect only If the command executed last time does not include the acl acl number the ACL configured previously will be removed Configuration Example Network requirements As shown in Figure 11 1 the h...

Страница 283: ...ng TCP Optional Parameters TCP optional parameters that can be configured include z synwait timer When sending a SYN packet TCP starts the synwait timer If no response packet is received within the sy...

Страница 284: ...CMP redirect packet z The selected route is not the default route of the device z There is no source route option in the packet ICMP redirect packets function simplifies host administration and enable...

Страница 285: ...packets facilitates network control and management it still has the following disadvantages z Sending a lot of ICMP packets will increase network traffic z If a device receives a lot of malicious pac...

Страница 286: ...Display socket information display ip socket socktype sock type task id socket id slot slot number Display FIB information display fib begin include exclude regular expression acl acl number ip prefix...

Страница 287: ...relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified destination server With UDP Helper enabled the device decides whether to forward a received UDP b...

Страница 288: ...tion of all UDP ports is removed if you disable UDP Helper z You can configure up to 256 UDP port numbers to enable the forwarding of packets with these UDP port numbers z You can configure up to 20 d...

Страница 289: ...0 16 is available Enable UDP Helper SwitchA system view SwitchA udp helper enable Enable the forwarding broadcast packets with the UDP destination port 55 SwitchA udp helper port 55 Specify the desti...

Страница 290: ...rview Internet Protocol Version 6 IPv6 also called IP next generation IPng was designed by the Internet Engineering Task Force IETF as the successor to Internet Protocol Version 4 IPv4 The significant...

Страница 291: ...s stateful and stateless address configuration z Stateful address configuration means that a host acquires an IPv6 address and related information from a server for example a DHCP server z Stateless a...

Страница 292: ...es can be handled as follows z Leading zeros in each group can be removed For example the above mentioned address can be represented in a shorter format as 2001 0 130F 0 0 9C0 876A 130B z If an IPv6 a...

Страница 293: ...unicast address other forms Multicast address 11111111 FF00 8 Anycast address Anycast addresses are taken from unicast address space and are not syntactically distinguishable from unicast addresses U...

Страница 294: ...same link and is also used for duplicate address detection DAD Each IPv6 unicast or anycast address has a corresponding solicited node address The format of a solicited node multicast address is as fo...

Страница 295: ...ode initiates an NA message to notify neighbor nodes of the node information change Router solicitation RS message 133 After started a node sends an RS message to request the router for an address pre...

Страница 296: ...layer address of its neighbor node B node A can verify whether node B is reachable according to NS and NA messages 1 Node A sends an NS message whose destination address is the IPv6 address of node B...

Страница 297: ...other configuration parameters in the RA message z In addition to an address prefix the prefix information option also contains the preferred lifetime and valid lifetime of the address prefix After r...

Страница 298: ...Name System DNS is responsible for translating domain names into IPv6 addresses instead of IPv4 addresses Like IPv4 DNS IPv6 DNS also involves static domain name resolution and dynamic domain name res...

Страница 299: ...ng IPv6 related configurations you need to Enable IPv6 Otherwise an interface cannot forward IPv6 packets even if it has an IPv6 address configured Follow these steps to Enable IPv6 To do Use the comm...

Страница 300: ...utomatically The automatically generated link local address is the same as the one generated by using the ipv6 address auto link local command If a link local address is manually assigned to an interf...

Страница 301: ...ion of the VLAN interface z If you adopt the second method you should ensure that the corresponding VLAN interface exists and that the Layer 2 port specified by port type port number belongs to the VL...

Страница 302: ...ts use the stateful autoconfiguration to acquire information other than IPv6 addresses If the O flag is set to 1 hosts use the stateful autoconfiguration to acquire information other than IPv6 address...

Страница 303: ...nal By default no prefix information is configured for RA messages and the IPv6 address of the interface sending RA messages is used as the prefix information Set the M flag bit to 1 ipv6 nd autoconfi...

Страница 304: ...essage for DAD ipv6 nd dad attempts value Optional 1 by default When the value argument is set to 0 DAD is disabled Configuring PMTU Discovery Configuring a Static PMTU for a Specified IPv6 Address Yo...

Страница 305: ...connection is terminated after the finwait timer expires z Size of the IPv6 TCP sending receiving buffer Follow these steps to configure IPv6 TCP properties To do Use the command Remarks Enter system...

Страница 306: ...echo requests by default Follow these steps to enable sending of multicast echo replies To do Use the command Remarks Enter system view system view Enable sending of multicast echo replies ipv6 icmpv...

Страница 307: ...r for resolution The system can support at most six DNS servers You can configure a DNS suffix so that you only need to enter part of a domain name and the system can automatically add the preset suff...

Страница 308: ...c slot slot number interface interface type interface number vlan vlan id count Display the PMTU information of an IPv6 address display ipv6 pathmtu ipv6 address all dynamic static Display socket info...

Страница 309: ...obal unicast addresses of VLAN interface 2 and VLAN interface 1 on Switch A are 3001 1 64 and 2001 1 64 respectively z The aggregatable global unicast address of VLAN interface 2 on Switch B is 3001 2...

Страница 310: ...6 neighbors interface gigabitethernet 1 0 2 Type S Static D Dynamic IPv6 Address Link layer VID Interface State T Age FE80 215 E9FF FEA6 7D14 0015 e9a6 7d14 1 GE1 0 2 STALE D 1238 2001 15B E0EA 3524 E...

Страница 311: ...current state UP Line protocol current state UP IPv6 is enabled link local address is FE80 20F E2FF FE00 1C0 Global unicast address es 2001 1 subnet is 2001 64 Joined group address es FF02 1 FF00 0 F...

Страница 312: ...Switch B SwitchB Vlan interface2 display ipv6 interface vlan interface 2 verbose Vlan interface2 current state UP Line protocol current state UP IPv6 is enabled link local address is FE80 20F E2FF FE...

Страница 313: ...hem When you ping a link local address you should use the i parameter to specify an interface for the link local address SwitchB Vlan interface2 ping ipv6 c 1 3001 1 PING 3001 1 56 data bytes press CT...

Страница 314: ...IPv6 address cannot be pinged Solution z Use the display current configuration command in any view or the display this command in system view to verify that IPv6 is enabled z Use the display ipv6 inte...

Страница 315: ...and IPv6 either TCP or UDP can be selected at the transport layer while IPv6 stack is preferred at the network layer Figure 14 1 illustrates the IPv4 IPv6 dual stack in relation to the IPv4 stack Figu...

Страница 316: ...icast address is configured on an interface Automatically create an IPv6 link local address ipv6 address auto link local Configure an IPv6 address on the interface Configure an IPv6 link local address...

Страница 317: ...the sFlow packets and displays the results sFlow has the following two sampling mechanisms z Packet based sampling An sFlow enabled port samples one packet out of a configurable number of packets pass...

Страница 318: ...collects the statistics of sFlow enabled ports sflow interval interval time Optional 20 seconds by default Enter Ethernet port view interface interface type interface number Enable sFlow in the inbou...

Страница 319: ...e results Network diagram Figure 15 1 Network diagram for sFlow configuration Configuration procedure Configure an IP address for the sFlow agent Switch system view Switch sflow agent ip 3 3 3 1 Speci...

Страница 320: ...f the sFlow collector specified on the sFlow agent is different from that of the remote sFlow collector z No IP address is configured for the Layer 3 interface on the device or the IP address is confi...

Страница 321: ...on Prerequisites 2 2 Configuration Procedure 2 2 Detecting Reachability of the Static Route s Nexthop 2 3 Detecting Nexthop Reachability Through Track 2 3 Displaying and Maintaining Static Routes 2 4...

Страница 322: ...xt router or the directly connected destination Routes in a routing table can be divided into three categories by origin z Direct routes Routes discovered by data link protocols also known as interfac...

Страница 323: ...is not directly connected to the router To prevent the routing table from getting too large you can configure a default route All packets without matching any entry in the routing table will be forwa...

Страница 324: ...approach Priority DIRECT 0 STATIC 60 UNKNOWN 256 z The smaller the priority value the higher the priority z The priority for a direct route is always 0 which you cannot change Any other type of route...

Страница 325: ...n for a specified destination IPv6 address display ipv6 routing table ipv6 address prefix length longer match verbose Available in any view Display routing information permitted by an IPv6 ACL display...

Страница 326: ...case the network administrator has to modify the static routes manually Default Route If the destination address of a packet fails to match any entry in the routing table the packet will be discarded...

Страница 327: ...pecified The next hop address can not be a local interface IP address otherwise the route configuration will not take effect 3 Other attributes You can configure different preferences for different st...

Страница 328: ...of the static route s next hop Detecting Nexthop Reachability Through Track If you specify the nexthop but not outgoing interface when configuring a static route you can associate the static route wit...

Страница 329: ...information display current configuration Display the brief information of the IP routing table display ip routing table Display the detailed information of the IP routing table display ip routing tab...

Страница 330: ...guration Display the IP routing table of Switch A SwitchA display ip routing table Routing Tables Public Destinations 7 Routes 7 Destination Mask Proto Pre Cost NextHop Interface 0 0 0 0 0 Static 60 0...

Страница 331: ...ta Reply from 1 1 2 2 bytes 32 time 1ms TTL 255 Reply from 1 1 2 2 bytes 32 time 1ms TTL 255 Reply from 1 1 2 2 bytes 32 time 1ms TTL 255 Reply from 1 1 2 2 bytes 32 time 1ms TTL 255 Ping statistics f...

Страница 332: ...n unavailable routes requiring the network administrator to manually configure and modify the static routes Features of IPv6 Static Routes Similar to IPv4 static routes IPv6 static routes work well in...

Страница 333: ...ic routes is 60 Displaying and Maintaining IPv6 Static Routes To do Use the command Remarks Display IPv6 static route information display ipv6 routing table protocol static inactive verbose Available...

Страница 334: ...C SwitchC system view SwitchC ipv6 route static 0 5 2 3 Configure the IPv6 addresses of hosts and gateways Configure the IPv6 addresses of all the hosts based upon the network diagram configure the de...

Страница 335: ...chA ping ipv6 3 1 PING 3 1 56 data bytes press CTRL_C to break Reply from 3 1 bytes 56 Sequence 1 hop limit 254 time 63 ms Reply from 3 1 bytes 56 Sequence 2 hop limit 254 time 62 ms Reply from 3 1 by...

Страница 336: ...ion of IGMP Snooping 2 7 Configuring IGMP Snooping Port Functions 2 7 Configuration Prerequisites 2 7 Configuring Aging Timers for Dynamic Ports 2 8 Configuring Static Ports 2 8 Configuring Simulated...

Страница 337: ...onfiguration 3 10 4 MLD Snooping Configuration 4 1 MLD Snooping Overview 4 1 Introduction to MLD Snooping 4 1 Basic Concepts in MLD Snooping 4 2 How MLD Snooping Works 4 3 Protocols and Standards 4 5...

Страница 338: ...cy Fails to Take Effect 4 27 5 IPv6 Multicast VLAN Configuration 5 1 Introduction to IPv6 Multicast VLAN 5 1 IPv6 Multicast VLAN Configuration Task List 5 3 Configuring IPv6 Sub VLAN Based IPv6 Multic...

Страница 339: ...ltipoint data transmission over a network multicast greatly saves network bandwidth and reduces network load With the multicast technology a network operator can easily provide new value added service...

Страница 340: ...over the network is proportional to the number of hosts that need the information If a large number of users need the information the information source needs to send a copy of the same information t...

Страница 341: ...ficant waste of network resources Multicast As discussed above unicast and broadcast techniques are unable to provide point to multipoint data transmissions with the minimum network consumption Multic...

Страница 342: ...f Multicast Multicast has the following features z A multicast group is a multicast receiver set identified by an IP multicast address Hosts join a multicast group to become members of the multicast g...

Страница 343: ...G represents a specific multicast group z S G Indicates a shortest path tree SPT or a multicast packet that multicast source S sends to multicast group G Here S represents a specific multicast source...

Страница 344: ...locations of the multicast sources by some other means In addition the SSM model uses a multicast address range that is different from that of the ASM SFM model and dedicated multicast forwarding path...

Страница 345: ...TTL value in the IP header 224 0 1 0 to 238 255 255 255 Globally scoped group addresses This block includes two types of designated group addresses z 232 0 0 0 8 SSM group addresses and z 233 0 0 0 8...

Страница 346: ...ticast address are as follows z 0xFF The most significant 8 bits are 11111111 indicating that this address is an IPv6 multicast address Figure 1 5 Format of the Flags field z Flags Referring to Figure...

Страница 347: ...the scope defined by the Scope field Ethernet multicast MAC addresses When a unicast IP packet is transmitted over Ethernet the destination MAC address is the MAC address of the receiver When a multic...

Страница 348: ...ple of IPv6 to MAC address mapping Multicast Protocols z Generally we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multi...

Страница 349: ...iver multicast data to receivers Among a variety of mature intra domain multicast routing protocols protocol independent multicast PIM is a popular one Based on the forwarding mechanism PIM comes in t...

Страница 350: ...on the Layer 2 device This avoids waste of network bandwidth and extra burden on the Layer 3 device Multicast Packet Forwarding Mechanism In a multicast model a multicast source sends information to t...

Страница 351: ...and multicast MAC addresses and forwards multicast data based on these mappings As shown in Figure 2 1 when IGMP Snooping is not running on the switch multicast packets are broadcast to all devices at...

Страница 352: ...e DR or IGMP querier In the figure GigabitEthernet 1 0 1 of Switch A and GigabitEthernet 1 0 1 of Switch B are router ports The switch registers all its local router ports in its router port list z Me...

Страница 353: ...age out How IGMP Snooping Works A switch running IGMP Snooping performs different actions when it receives different IGMP messages as follows The description about adding or deleting a port in this s...

Страница 354: ...tening to the reported multicast address will suppress their own reports upon receiving this report and this will prevent the switch from knowing whether the reported multicast group still has active...

Страница 355: ...st of the forwarding table entry for that multicast group when the aging timer expires Protocols and Standards IGMP Snooping is documented in z RFC 4541 Considerations for Internet Group Management Pr...

Страница 356: ...ate port view or port group view z For IGMP Snooping configurations made on a Layer 2 aggregate port do not interfere with configurations made on its member ports nor do they take part in aggregation...

Страница 357: ...e version of IGMP Snooping igmp snooping version version number Optional Version 2 by default If you switch IGMP Snooping from version 3 to version 2 the system will clear all IGMP Snooping forwarding...

Страница 358: ...ging time interval Optional 105 seconds by default Configure dynamic member port aging time host aging time interval Optional 260 seconds by default Configuring aging timers for dynamic ports in a VLA...

Страница 359: ...ber ports and static router ports never age out To remove such a port you need to use the corresponding undo command Configuring Simulated Joining Generally a host running IGMP responds to IGMP querie...

Страница 360: ...n IGMP leave message on a port the switch immediately removes that port from the outgoing port list of the forwarding table entry for the indicated group Then when receiving IGMP group specific querie...

Страница 361: ...rce address of IGMP group specific queries Enabling IGMP Snooping Querier In an IP multicast network running IGMP a multicast router or Layer 3 multicast switch is responsible for sending IGMP general...

Страница 362: ...by reports simultaneously sent by a large number of hosts when the corresponding timers expire simultaneously z For IGMP general queries you can configure the maximum response time to fill their Max...

Страница 363: ...nd cause multicast traffic forwarding failure in the end When a Layer 2 device acts as an IGMP Snooping querier to avoid the aforesaid problem you are commended to configure a non all zero IP address...

Страница 364: ...re a multicast group filter globally To do Use the command Remarks Enter system view system view Enter IGMP Snooping view igmp snooping Configure a multicast group filter group policy acl number vlan...

Страница 365: ...e either approach Enable multicast source port filtering igmp snooping source deny Required Disabled by default For the Switch 4210G Family when enabled to filter IPv4 multicast data based on the sour...

Страница 366: ...d over the network Follow these steps to configure IGMP report suppression To do Use the command Remarks Enter system view system view Enter IGMP Snooping view igmp snooping Enable IGMP report suppres...

Страница 367: ...dition in some specific applications a multicast group newly joined on the switch needs to replace an existing multicast group automatically A typical example is channel switching namely by joining a...

Страница 368: ...icast group replacement functionality will not take effect Displaying and Maintaining IGMP Snooping To do Use the command Remarks View IGMP Snooping multicast group information display igmp snooping g...

Страница 369: ...can be forwarded through GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 of Switch A even if Host A and Host B accidentally temporarily stop receiving multicast data Network diagram Figure 2 3 Networ...

Страница 370: ...chA acl basic 2001 quit SwitchA igmp snooping SwitchA igmp snooping group policy 2001 vlan 100 SwitchA igmp snooping quit Configure GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 as simulated hosts f...

Страница 371: ...itEthernet 1 0 5 on Switch C are required to be configured as static member ports for multicast group 224 1 1 1 to enhance the reliability of multicast traffic transmission z Suppose STP runs on the n...

Страница 372: ...M DM on each interface and enable IGMP on GigabitEthernet 1 0 1 RouterA system view RouterA multicast routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 igmp enable Ro...

Страница 373: ...tEthernet 1 0 1 through GigabitEthernet 1 0 5 to this VLAN and enable IGMP Snooping in the VLAN SwitchC vlan 100 SwitchC vlan100 port gigabitethernet 1 0 1 to gigabitethernet 1 0 5 SwitchC vlan100 igm...

Страница 374: ...100 on Switch C SwitchC display igmp snooping group vlan 100 verbose Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real...

Страница 375: ...nown multicast data packets z Because a switch does not enlist a port that has heard an IGMP query with a source IP address of 0 0 0 0 default as a dynamic router port configure a non all zero IP addr...

Страница 376: ...mp snooping enable SwitchB vlan100 igmp snooping drop unknown SwitchB vlan100 quit Configurations on Switch C and Switch D are similar to the configuration on Switch B 3 Verify the configuration After...

Страница 377: ...to join specific multicast groups the hosts can still receive multicast data addressed to other multicast groups Analysis z The ACL rule is incorrectly configured z The multicast group policy is not...

Страница 378: ...ayer 2 device Switch A This results in not only waste of network bandwidth but also extra burden on the Layer 3 device Figure 3 1 Multicast transmission without multicast VLAN The multicast VLAN featu...

Страница 379: ...t A Host B and Host C are in three different user VLANs All the user ports ports with attached hosts on Switch A are hybrid ports On Switch A configure VLAN 10 as a multicast VLAN assign all the user...

Страница 380: ...n is given preference Configuring Sub VLAN Based Multicast VLAN Configuration Prerequisites Before configuring sub VLAN based multicast VLAN complete the following tasks z Create VLANs as required z E...

Страница 381: ...e port view are effective only for the current port configurations made in port group view are effective for all the ports in the current port group Configuration Prerequisites Before configuring port...

Страница 382: ...packets of VLAN 1 to pass For details about the port link type port hybrid pvid vlan and port hybrid vlan commands refer to VLAN Commands in the Access Volume Configuring Multicast VLAN Ports In this...

Страница 383: ...A port can belong to only one multicast VLAN Displaying and Maintaining Multicast VLAN To do Use the command Remarks Display information about a multicast VLAN display multicast vlan vlan id Availabl...

Страница 384: ...sses Configure an IP address and subnet mask for each interface as per Figure 3 4 The detailed configuration steps are omitted here 2 Configure Router A Enable IP multicast routing enable PIM DM on ea...

Страница 385: ...he configuration Display information about the multicast VLAN SwitchA display multicast vlan Total 1 multicast vlan s Multicast vlan 10 subvlan list vlan 2 4 port list no port View the IGMP Snooping m...

Страница 386: ...oup s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 1 port GE1 0 4 D MAC group s MAC group address 0100 5e01 0101 Host port s total 1 port GE1 0 4 Vlan id 10 To...

Страница 387: ...port based multicast VLAN feature so that Router A just sends multicast data to Switch A through the multicast VLAN and Switch A forwards the multicast data to the receivers that belong to different...

Страница 388: ...1 0 2 to permit packets of VLAN 2 and VLAN 10 to pass and untag the packets when forwarding them SwitchA interface gigabitethernet 1 0 2 SwitchA GigabitEthernet1 0 2 port link type hybrid SwitchA Gig...

Страница 389: ...rt C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 10 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s matc...

Страница 390: ...een ports and multicast MAC addresses and forwards IPv6 multicast data based on these mappings As shown in Figure 4 1 when MLD Snooping is not running IPv6 multicast packets are broadcast to all devic...

Страница 391: ...s Router port Member port Ports involved in MLD Snooping as shown in Figure 4 2 are described as follows z Router port A router port is a port on the Ethernet switch that leads switch towards the Laye...

Страница 392: ...tialized to the dynamic router port aging time MLD general query of which the source address is not 0 0 or IPv6 PIM hello The switch removes this port from its router port list Dynamic member port agi...

Страница 393: ...d IPv6 multicast group the switch creates an entry adds the port as a dynamic member port to the outgoing port list and starts a member port aging timer for that port z If a forwarding table entry exi...

Страница 394: ...the port suppose it is a dynamic member port before its aging timer expires this means that some host attached to the port is receiving or expecting to receive IPv6 multicast data for that IPv6 multi...

Страница 395: ...up view are effective only for all the ports in the current port group For a given port a configuration made in MLD Snooping view is effective only if the same configuration is not made in Ethernet po...

Страница 396: ...MLDv1 and MLDv2 messages Follow these steps to configure the version of MLD Snooping To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the version of M...

Страница 397: ...ure aging timers for dynamic ports globally To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Configure dynamic router port aging time router aging time...

Страница 398: ...mber ports and static router ports never age out To remove such a port you need to use the corresponding undo command Configuring Simulated Joining Generally a host running MLD responds to MLD queries...

Страница 399: ...er port Configuring Fast Leave Processing The fast leave processing feature allows the switch to process MLD done messages in a fast way With the fast leave processing feature enabled when receiving a...

Страница 400: ...ng querier prepare the following data z MLD general query interval z MLD last member query interval z Maximum response time for MLD general queries z Source IPv6 address of MLD general queries and z S...

Страница 401: ...n to 0 the host sends an MLD report to the corresponding IPv6 multicast group An appropriate setting of the maximum response time for MLD queries allows hosts to respond to queries quickly and avoids...

Страница 402: ...e time for MLD general queries otherwise undesired deletion of IPv6 multicast members may occur Configuring Source IPv6 Addresses of MLD Queries This configuration allows you to change the source IPv6...

Страница 403: ...entry for this port in the MLD Snooping forwarding table otherwise the switch drops this report message Any IPv6 multicast data that fails the ACL check will not be sent to this port In this way the s...

Страница 404: ...rt filtering globally Follow these steps to configure IPv6 multicast source port filtering To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Enable IPv6...

Страница 405: ...ort suppression To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Enable MLD report suppression report aggregation Optional Enabled by default Configurin...

Страница 406: ...in some specific applications an IPv6 multicast group newly joined on the switch needs to replace an existing IPv6 multicast group automatically A typical example is channel switching namely by joinin...

Страница 407: ...ulticast group replacement Otherwise the IPv6 multicast group replacement functionality will not take effect Displaying and Maintaining MLD Snooping To do Use the command Remarks View MLD Snooping mul...

Страница 408: ...ven if Host A and Host B accidentally temporarily stop receiving IPv6 multicast data Network diagram Figure 4 3 Network diagram for IPv6 group policy simulated joining configuration Source Router A Sw...

Страница 409: ...group policy 2001 vlan 100 SwitchA mld snooping quit Configure GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 as simulated hosts for IPv6 multicast group FF1E 101 SwitchA interface gigabitethernet 1...

Страница 410: ...red to be configured as static member ports for multicast group 224 1 1 1 to enhance the reliability of multicast traffic transmission z Suppose STP runs on the network To avoid data loops the forward...

Страница 411: ...IM DM on each interface and enable MLD on GigabitEthernet 1 0 1 RouterA system view RouterA multicast ipv6 routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 mld enabl...

Страница 412: ...hernet 1 0 1 through GigabitEthernet 1 0 5 to this VLAN and enable MLD Snooping in the VLAN SwitchC vlan 100 SwitchC vlan100 port gigabitethernet 1 0 1 to gigabitethernet 1 0 5 SwitchC vlan100 mld sno...

Страница 413: ...0 on Switch C SwitchC display mld snooping group vlan 100 verbose Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real VL...

Страница 414: ...e MLD Snooping querier Network diagram Figure 4 5 Network diagram for MLD Snooping querier configuration Configuration procedure 1 Configure Switch A Enable IPv6 forwarding and enable MLD Snooping glo...

Страница 415: ...l queries 3 Received MLDv1 specific queries 0 Received MLDv1 reports 12 Received MLD dones 0 Sent MLDv1 specific queries 0 Received MLDv2 reports 0 Received MLDv2 reports with right and wrong records...

Страница 416: ...ured z The IPv6 multicast group policy is not correctly applied Solution 1 Use the display acl ipv6 command to check the configured IPv6 ACL rule Make sure that the IPv6 ACL rule conforms to the IPv6...

Страница 417: ...the Layer 2 device Switch A This results in not only waste of network bandwidth but also extra burden on the Layer 3 device Figure 5 1 Multicast transmission without IPv6 multicast VLAN The IPv6 multi...

Страница 418: ...in Figure 5 3 Host A Host B and Host C are in three different user VLANs All the user ports are hybrid ports On Switch A configure VLAN 10 as an IPv6 multicast VLAN assign all the user ports to this I...

Страница 419: ...st VLAN on a device the port based IPv6 multicast VLAN configuration is given preference Configuring IPv6 Sub VLAN Based IPv6 Multicast VLAN Configuration Prerequisites Before configuring sub VLAN bas...

Страница 420: ...effective only for the current port configurations made in Layer 2 aggregate port view are effective only for the current port configurations made in port group view are effective for all the ports i...

Страница 421: ...t hybrid pvid vlan and port hybrid vlan commands refer to VLAN Commands in the Access Volume Configuring IPv6 Multicast VLAN Ports In this approach you need to configure a VLAN as an IPv6 multicast VL...

Страница 422: ...elong to only one IPv6 multicast VLAN Displaying and Maintaining IPv6 Multicast VLAN To do Use the command Remarks Display information about an IPv6 multicast VLAN display multicast vlan ipv6 vlan id...

Страница 423: ...gure an IPv6 address and address prefix for each interface as per Figure 3 4 The detailed configuration steps are omitted here 2 Configure Router A Enable IPv6 multicast routing enable IPv6 PIM DM on...

Страница 424: ...display multicast vlan ipv6 Total 1 IPv6 multicast vlan s IPv6 Multicast vlan 10 subvlan list vlan 2 4 port list no port View the MLD Snooping IPv6 multicast group information on Switch A SwitchA disp...

Страница 425: ...otal 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s match to one mac group IP group address FF1E 101 FF1E 101 Host port s total 0 port MAC g...

Страница 426: ...2 GE1 0 2 GE1 0 3 GE1 0 4 Switch A MLD querier Router A GE1 0 1 1 2 64 GE1 0 2 2001 1 64 1 1 64 Receiver Host B VLAN 3 Receiver Host C VLAN 4 GE1 0 1 Configuration procedure 1 Enable IPv6 forwarding a...

Страница 427: ...witchA GigabitEthernet1 0 2 port hybrid vlan 10 untagged SwitchA GigabitEthernet1 0 2 quit The configuration for GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 is similar The detailed configuration s...

Страница 428: ...AC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s match to one mac group IP group address FF1E 101 FF1E 101 Host port s total 3 port GE1 0 2 D GE1 0 3 D GE1 0 4 D MAC...

Страница 429: ...iew 3 1 Introduction to Priority Mapping 3 1 Priority Mapping Tables 3 1 Priority Trust Mode on a Port 3 2 Priority Mapping Procedure 3 2 Priority Mapping Configuration Tasks 3 3 Configuring Priority...

Страница 430: ...tering Configuration Example 6 2 Traffic Filtering Configuration Example 6 2 7 Priority Marking Configuration 7 1 Priority Marking Overview 7 1 Configuring Priority Marking 7 1 Priority Marking Config...

Страница 431: ...11 1 Creating a User Profile 11 2 Applying a QoS Policy to User Profile 11 2 Enabling a User Profile 11 3 Displaying and Maintaining User Profile 11 3 12 Appendix 12 3 Appendix A Acronym 12 4 Appendix...

Страница 432: ...resources effectively The following part introduces the QoS service models and some mature QoS techniques used most widely Using these techniques reasonably in the specific environments you can impro...

Страница 433: ...ffic shaping line rate congestion management and congestion avoidance The following part briefly introduces these QoS techniques Positions of the QoS Techniques in a Network Figure 1 1 Positions of th...

Страница 434: ...hen congestion occurs Congestion management is usually applied to the outgoing traffic of a port z Congestion avoidance monitors the usage status of network resources and is usually applied to the out...

Страница 435: ...ng QoS policies A QoS policy defines what QoS actions to take on what class of traffic for purposes such as traffic shaping or traffic policing Before configuring a QoS policy be familiar with these c...

Страница 436: ...Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Required By default the relationship between match criteria is AND Configure match...

Страница 437: ...gument at a time VLAN ID is in the range 1 to 4094 In a class configured with the operator and the logical relationship between the customer VLAN IDs specified for the customer vlan id keyword is or d...

Страница 438: ...kets with a specified source MAC address Suppose the logical relationship between classification rules is and Note the following when using the if match command to define matching rules z If multiple...

Страница 439: ...the class regardless of whether the match mode of the if match clause is deny or permit z In a QoS policy with multiple class to traffic behavior associations if the action of creating an outer VLAN t...

Страница 440: ...configuration may be lost due to insufficient resources Applying the QoS policy to an interface A policy can be applied to multiple ports Only one policy can be applied in inbound direction of a port...

Страница 441: ...ve by default z If a user profile is active the QoS policy except ACLs referenced in the QoS policy applied to it cannot be configured or removed If the user profile is being used by online users the...

Страница 442: ...plied globally Displaying and Maintaining QoS Policies To do Use the command Remarks Display information about a class and the corresponding actions associated by a policy display qos policy user defi...

Страница 443: ...marks Clear the statistics of a global QoS policy reset qos policy global inbound Available in user view Clear the statistics of QoS policies applied to VLANs reset qos vlan policy vlan vlan id inboun...

Страница 444: ...ly scheduled z Drop precedence is used for making packet drop decisions Packets with the highest drop precedence are dropped preferentially When a packet enters the device from a port the device assig...

Страница 445: ...lds carried in packets There are three priority trust modes on Switch 4210G series z dot1p Uses the 802 1p priority carried in packets for priority mapping z dscp Uses the DSCP carried in packets for...

Страница 446: ...port priority as the 802 1p priority for priority mapping Look up the dot1p dp and dot1p lp mapping tables Mark the packet with local precedence and drop precedence Port priority The priority mapping...

Страница 447: ...ing table display qos map table dot1p dp dot1p lp dscp dot1p dscp dp dscp dscp Optional Available in any view You cannot configure mapping any DSCP value to drop precedence 1 Configuring the Priority...

Страница 448: ...r port group view port group manual port group name Use either command Settings in interface view take effect on the current interface settings in port group view take effect on all ports in the port...

Страница 449: ...to GigabitEthernet 1 0 3 of Device which sets the 802 1p priority of traffic from the management department to 5 Configure port priority 802 1p to local priority mapping table and priority marking to...

Страница 450: ...t1 0 1 quit Set the port priority of GigabitEthernet 1 0 2 to 4 Device interface gigabitethernet 1 0 2 Device GigabitEthernet1 0 2 qos priority 4 Device GigabitEthernet1 0 2 quit Set the port priority...

Страница 451: ...vior admin quit Device qos policy admin Device qospolicy admin classifier http behavior admin Device qospolicy admin quit Device interface gigabitethernet 1 0 3 Device GigabitEthernet1 0 3 qos apply p...

Страница 452: ...it it is shaped or policed to ensure that it is under the specifications Generally token buckets are used to evaluate traffic specifications Traffic Evaluation and Token Buckets Token bucket features...

Страница 453: ...xcess burst size EBS Size of the E bucket that is transient burst of traffic that the E bucket can forward CBS and EBS are carried by two different token buckets In each evaluation packets are measure...

Страница 454: ...traffic Traffic shaping provides measures to adjust the rate of outbound traffic actively A typical traffic shaping application is to limit the local traffic output rate according to the downstream t...

Страница 455: ...cifies the maximum rate for forwarding packets including critical packets Line rate also uses token buckets for traffic control With line rate configured on an interface all packets to be sent through...

Страница 456: ...avior view traffic behavior behavior name Configure a traffic policing action car cir committed information rate cbs committed burst size ebs excess burst size pir peak information rate green action r...

Страница 457: ...e Switch 4210G series traffic shaping is implemented as queue based GTS that is configuring GTS parameters for packets of a certain queue Follow these steps to configure queue based GTS To do Use the...

Страница 458: ...ize Required Configuration Example Limit the outbound line rate of GigabitEthernet 1 0 1 to 512 kbps Enter system view Sysname system view Enter interface view Sysname interface gigabitethernet 1 0 1...

Страница 459: ...4 8...

Страница 460: ...two common cases Figure 5 1 Traffic congestion causes 100M 10M 100M 10M 50M 100M 100M 100M 100M 50M 10M 10M 1 2 Congestion may bring these negative results z Increased delay and jitter during packet t...

Страница 461: ...queuing As shown in Figure 5 2 SP queuing classifies eight queues on a port into eight classes numbered 7 to 0 in descending priority order SP queuing schedules the eight queues strictly according to...

Страница 462: ...age of SP queuing that packets in low priority queues may fail to be served for a long time Another advantage of WRR queuing is that while the queues are scheduled in turn the service time for each qu...

Страница 463: ...ve flows on the port currently with the precedence being 0 1 2 3 and 4 and the minimum guaranteed bandwidth being 128 kbps 128 kbps 128 kbps 64 kbps and 64 kbps respectively z The assignable bandwidth...

Страница 464: ...current interface settings in port group view take effect on all ports in the port group Configure SP queuing qos sp Required By default all the ports adopt the WRR queue scheduling algorithm with the...

Страница 465: ...group with their weights being 1 2 4 6 8 10 12 and 14 2 Configuration procedure Enter system view Sysname system view Configure the WRR queues on port GigabitEthernet1 0 1 Sysname interface GigabitEth...

Страница 466: ...4 6 8 10 12 and 14 respectively z Set the minimum guaranteed bandwidth of queue 0 to 128 kbps 2 Configuration procedure Enter system view Sysname system view Configure WFQ queues on GigabitEthernet 1...

Страница 467: ...ssigned to queue 0 through queue 7 being 1 2 3 4 5 9 13 and 15 Configuration Example Network requirements z Configure to adopt SP WRR queue scheduling algorithm on GigabitEthernet1 0 1 z Configure que...

Страница 468: ...figuration information display qos wrr interface interface type interface number Display SP queue configuration information display qos sp interface interface type interface number Display WFQ queue c...

Страница 469: ...to configure traffic filtering To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure the match criteria...

Страница 470: ...filtering configuration Configuration procedure Create advanced ACL 3000 and configure a rule to match packets whose source port number is 21 DeviceA system view DeviceA acl number 3000 DeviceA acl ba...

Страница 471: ...iceA qospolicy policy quit Apply the policy named policy to the incoming traffic of GigabitEthernet 1 0 1 DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 qos apply policy policy i...

Страница 472: ...hange its transmission priority in the network To configure priority marking you can associate a class with a behavior configured with the priority marking action to set the priority fields or flag bi...

Страница 473: ...QoS policy Globally Applying the QoS policy globally Display the priority marking configuration display traffic behavior user defined behavior name Optional Available in any view Priority Marking Conf...

Страница 474: ...destination IP address 192 168 0 3 Device acl number 3002 Device acl adv 3002 rule permit ip destination 192 168 0 3 0 Device acl adv 3002 quit Create a class named classifier_dbserver and reference A...

Страница 475: ...behavior_fserver Device behavior behavior_fserver remark local precedence 2 Device behavior behavior_fserver quit Create a policy named policy_server and associate classes with behaviors in the polic...

Страница 476: ...to only Layer 2 packets and the target interface should be a Layer 2 interface Configuring Traffic Redirecting Follow these steps to configure traffic redirecting To do Use the command Remarks Enter...

Страница 477: ...e CPU and the action of redirecting traffic to an interface are mutually exclusive with each other in the same traffic behavior z You can use the display traffic behavior command to view the traffic r...

Страница 478: ...terface z Mirroring traffic to the CPU copies the matching packets on an interface to a CPU the CPU of the device where the traffic mirroring enabled interface resides Configuring Traffic Mirroring To...

Страница 479: ...these steps to mirror traffic to the CPU To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure the matc...

Страница 480: ...a data monitoring device is connected to GigabitEthernet1 0 2 of the switch Monitor and analyze packets sent by Host A on the data monitoring device Figure 9 1 Network diagram for configuring traffic...

Страница 481: ...lass 1 in the QoS policy Sysname qos policy 1 Sysname policy 1 classifier 1 behavior 1 Sysname policy 1 quit Apply the QoS policy to the incoming traffic of GigabitEthernet 1 0 1 Sysname interface Gig...

Страница 482: ...steps to configure class based accounting To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure the matc...

Страница 483: ...s with source IP address 1 1 1 1 DeviceA system view DeviceA acl number 2000 DeviceA acl basic 2000 rule permit source 1 1 1 1 0 DeviceA acl basic 2000 quit Create a class named classifier_1 and refer...

Страница 484: ...to verify the configuration DeviceA display qos policy interface gigabitethernet 1 0 1 Interface GigabitEthernet1 0 1 Direction Inbound Policy policy Classifier classifier_1 Operator AND Rule s If ma...

Страница 485: ...access no users pass the authentication or users have logged out user profile does not take effect as it is a predefined configuration With user profile you can z Make use of system resources more gr...

Страница 486: ...e corresponding user profile view The configuration made in user profile view takes effect when the user profile is enabled and the corresponding users are online Refer to 802 1x Configuration in the...

Страница 487: ...rks Enter system view system view Enable a user profile user profile profile name enable Required A user profile is disabled by default z Only an enabled user profile can be used by a user You cannot...

Страница 488: ...ted Services Codepoint EACL Enhanced ACL EBS Excess Burst Size EF Expedited Forwarding FEC Forwarding Equivalence Class FIFO First in First out GTS Generic Traffic Shaping IntServ Integrated Service I...

Страница 489: ...tion Appendix B Default Priority Mapping Tables Uncolored Priority Mapping Tables For the default dscp dscp priority mapping table an input value yields a target value that is equal to it Table 12 2 T...

Страница 490: ...fields As shown in Figure 12 1 the ToS field of the IP header contains eight bits and the first three bits 0 to 2 represent IP precedence from 0 to 7 According to RFC 2474 the ToS field of the IP head...

Страница 491: ...2 010110 af23 26 011010 af31 28 011100 af32 30 011110 af33 34 100010 af41 36 100100 af42 38 100110 af43 8 001000 cs1 16 010000 cs2 24 011000 cs3 32 100000 cs4 40 101000 cs5 48 110000 cs6 56 111000 cs7...

Страница 492: ...ag header The Priority field in the 802 1Q tag header is called the 802 1p priority because its use is defined in IEEE 802 1p Table 12 6 presents the values for 802 1p priority Figure 12 3 802 1Q tag...

Страница 493: ...12 1...

Страница 494: ...omain 1 15 Configuring AAA Accounting Methods for an ISP Domain 1 17 Configuring Local User Attributes 1 19 Configuring User Group Attributes 1 20 Tearing down User Connections Forcibly 1 21 Displayin...

Страница 495: ...hentication Triggering 2 5 Authentication Process of 802 1X 2 6 802 1X Timers 2 9 Extensions to 802 1X 2 10 Features Working Together with 802 1X 2 10 Configuring 802 1X 2 12 Configuration Prerequisit...

Страница 496: ...L Assignment Configuration Example 5 7 6 Port Security Configuration 6 1 Introduction to Port Security 6 1 Port Security Overview 6 1 Port Security Features 6 2 Port Security Modes 6 2 Port Security C...

Страница 497: ...ng SSH Server 8 5 Configuring the User Interfaces for SSH Clients 8 5 Configuring a Client Public Key 8 6 Configuring an SSH User 8 7 Setting the SSH Management Parameters 8 8 Configuring the Device a...

Страница 498: ...rification 10 10 Destroying a Local RSA Key Pair 10 11 Deleting a Certificate 10 11 Configuring an Access Control Policy 10 12 Displaying and Maintaining PKI 10 12 PKI Configuration Examples 10 13 Req...

Страница 499: ...ction to ACL 13 1 Introduction 13 1 Application of ACLs on the Switch 13 1 Introduction to IPv4 ACL 13 2 IPv4 ACL Classification 13 2 IPv4 ACL Naming 13 2 IPv4 ACL Match Order 13 3 IPv4 ACL Step 13 4...

Страница 500: ...guration Example 15 2 Configuring an Advanced IPv6 ACL 15 2 Configuration Prerequisites 15 3 Configuration Procedure 15 3 Configuration Example 15 4 Copying an IPv6 ACL 15 4 Configuration Prerequisite...

Страница 501: ...e network access server NAS and the server maintains user information centrally In an AAA network a NAS is a server for users but a client for the AAA servers as shown in Figure 1 1 Figure 1 1 AAA net...

Страница 502: ...s Currently the device supports using RADIUS HWTACACS for AAA and RADIUS is often used in practice Introduction to RADIUS Remote Authentication Dial In User Service RADIUS is a distributed information...

Страница 503: ...secure networks RADIUS encrypts passwords before transmitting them A RADIUS server supports multiple user authentication methods for example the Password Authentication Protocol PAP and Challenge Hand...

Страница 504: ...ADIUS client to tear down the connection and the RADIUS client sends a stop accounting request Accounting Request to the RADIUS server 9 The RADIUS server returns a stop accounting response Accounting...

Страница 505: ...r and Attribute fields The value of the field is in the range 20 to 4096 Bytes beyond the length are considered the padding and are neglected upon reception If the length of a received packet is less...

Страница 506: ...0 ARAP Password 24 State 71 ARAP Features 25 Class 72 ARAP Zone Access 26 Vendor Specific 73 ARAP Security 27 Session Timeout 74 ARAP Security Data 28 Idle Timeout 75 Password Retry 29 Termination Act...

Страница 507: ...a code complying with RFC 1700 z Vendor Type Indicates the type of the sub attribute z Vendor Length Indicates the length of the sub attribute z Vendor Data Indicates the contents of the sub attribute...

Страница 508: ...s only the user password field in an authentication packet Protocol packets are complicated and authorization is independent of authentication Authentication and authorization can be deployed on diffe...

Страница 509: ...ontinuance packet with the login password 2 A Telnet user sends an access request to the NAS 3 Upon receiving the request the HWTACACS client sends a start authentication packet to the HWTACACS server...

Страница 510: ...difications for Tunnel Protocol Support z RFC 2868 RADIUS Attributes for Tunnel Protocol Support z RFC 2869 RADIUS Extensions z RFC 1492 An Access Control Protocol Sometimes Called TACACS AAA Configur...

Страница 511: ...User Connections Forcibly Optional Displaying and Maintaining AAA Optional RADIUS Configuration Task List Task Remarks Creating a RADIUS Scheme Required Specifying the RADIUS Authentication Authoriza...

Страница 512: ...rization accounting policies for all the other types of users For a user who has logged in to the device AAA can provide the command authorization service to enhance device security Allows the authori...

Страница 513: ...an ISP domain name the device uses the authentication method configured for the default ISP domain to authenticate the user Configuring ISP Domain Attributes Follow these steps to configure ISP domain...

Страница 514: ...r HWTACACS server to authenticate users As for RADIUS the device can use the standard RADIUS protocol or extended RADIUS protocol in collaboration with systems like iMC to implement user authenticatio...

Страница 515: ...eyword and argument combination configured local authentication is the backup method and is used only when the remote server is not available z If the primary authentication method is local or none th...

Страница 516: ...can configure an authorization scheme specifically for each access mode and service type limiting the authorization protocols that can be used for access 3 Determine whether to configure an authoriza...

Страница 517: ...ISP Domain In AAA accounting is a separate process at the same level as authentication and authorization Its responsibility is to send accounting start update end requests to the specified accounting...

Страница 518: ...d by default z With the accounting optional command configured a user to be disconnected can still use the network resources even when there is no available accounting server or communication with the...

Страница 519: ...n authorization attribute configured in local user view takes precedence over the same attribute configured in user group view Follow these steps to configure the attributes for a local user To do Use...

Страница 520: ...accounting is used z Local authentication checks the service types of a local user If the service types are not available the user cannot pass authentication z In the authentication method that requir...

Страница 521: ...attribute is configured for a user group Tearing down User Connections Forcibly Follow these steps to tear down user connections forcibly To do Use the command Remarks Enter system view system view T...

Страница 522: ...S scheme mainly include IP addresses of primary and secondary servers shared key and RADIUS server type Actually the RADIUS protocol configurations only set the parameters necessary for the informatio...

Страница 523: ...S servers as the primary and secondary authentication authorization servers respectively At one time a server can be the primary authentication authorization server for a scheme and the secondary auth...

Страница 524: ...op accounting request until it receives a response or the number of transmission retries reaches the configured limit In the latter case the device discards the packet z You can set the maximum number...

Страница 525: ...DIUS scheme and enter RADIUS scheme view radius scheme radius scheme name Required Not defined by default Set the number of retransmission attempts of RADIUS packets retry retry times Optional 3 by de...

Страница 526: ...server remains the same z If the secondary server fails the device restores the status of the primary server to active immediately If the primary server has resumed the device turns to use the primary...

Страница 527: ...the command Remarks Enter system view system view Enable the RADIUS trap function radius trap accounting server down authentication server down Optional Disabled by default Create a RADIUS scheme and...

Страница 528: ...ing request it has to resend the request so that the user has more opportunity to obtain the RADIUS service The NAS uses the RADIUS server response timeout timer to control the transmission interval z...

Страница 529: ...ssion attempts of RADIUS packets refer to the command retry in the command manual Specifying a Security Policy Server The core of the EAD solution is integration and cooperation and the security polic...

Страница 530: ...cs slot slot number Available in any view Display information about buffered stop accounting requests that get no responses display stop accounting buffer radius scheme radius server name session id s...

Страница 531: ...WTACACS scheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Specify the primary HWTACACS authentication server primary authentication ip address...

Страница 532: ...secondary authorization servers cannot be the same Otherwise the configuration fails z You can remove an authorization server only when no active TCP connection for sending authorization packets is us...

Страница 533: ...ackets Only when the same key is used can they properly receive the packets and make responses Follow these steps to set the shared key for HWTACACS packets To do Use the command Remarks Enter system...

Страница 534: ...e sending the username to the server z The nas ip command in HWTACACS scheme view is only for the current HWTACACS scheme while the hwtacacs nas ip command in system view is for all HWTACACS schemes H...

Страница 535: ...uffer hwtacacs scheme hwtacacs scheme name slot slot number Available in any view Clear HWTACACS statistics reset hwtacacs statistics accounting all authentication authorization slot slot number Avail...

Страница 536: ...10 1 1 1 49 Switch hwtacacs hwtac key authentication expert Switch hwtacacs hwtac key authorization expert Switch hwtacacs hwtac key accounting expert Switch hwtacacs hwtac user name format without d...

Страница 537: ...ting Its IP address is 10 1 1 1 On the switch set the shared keys for packets exchanged with the RADIUS server to expert Configuration of separate AAA for other types of users is similar to that given...

Страница 538: ...ds for all types of users Switch domain bbb Switch isp bbb authentication default local Switch isp bbb authorization default hwtacacs scheme hwtac Switch isp bbb accounting default radius scheme imc W...

Страница 539: ...Access Service Access Device from the navigation tree to enter the Access Device page Then click Add to enter the Add Access Device window and perform the following configurations z Set both the shar...

Страница 540: ...the navigation tree to enter the Device Management User page Then click Add to enter the Add Device Management User window and perform the following configurations z Add a user named hello bbb and spe...

Страница 541: ...of VLAN interface 3 through which the switch access the server Switch interface vlan interface 3 Switch Vlan interface3 ip address 10 1 1 2 255 255 255 0 Switch Vlan interface3 quit Generate RSA and D...

Страница 542: ...ured account to access the user interface of the switch The commands that the user can access depend on the settings for EXEC users on the iMC server Troubleshooting AAA Troubleshooting RADIUS Symptom...

Страница 543: ...the NAS are the same as those configured on the RADIUS server 18 The port numbers of the RADIUS server for authentication authorization and accounting are available Symptom 3 A user is authenticated...

Страница 544: ...rt security feature provides rich security modes that combine or extend 802 1X and MAC address authentication In a networking environment that requires flexible use of 802 1X and MAC address authentic...

Страница 545: ...relayed to the RADIUS server In EAP termination mode EAP protocol packets are terminated at the device repackaged in the Password Authentication Protocol PAP or Challenge Handshake Authentication Pro...

Страница 546: ...s z auto Places the port in the unauthorized state initially to allow only EAPOL frames to pass and turns the ports into the authorized state to allow access to the network after the users pass authen...

Страница 547: ...goff a value of 0x02 Frame for logoff request present between a client and a device z Length Length of the data that is length of the Packet body field in bytes If the value of this field is 0 no subs...

Страница 548: ...ume EAP Message The EAP Message attribute is used to encapsulate EAP packets Figure 2 6 shows its encapsulation format The value of the Type field is 79 The String field can be up to 253 bytes If the...

Страница 549: ...seconds by default This method can be used to authenticate clients which cannot send EAPOL Start frames and therefore cannot trigger authentication for example the 802 1X client provided by Windows X...

Страница 550: ...packet it encapsulates the username in an EAP Response Identity packet and sends the packet to the device 5 Upon receiving the EAP Response Identity packet the device relays the packet in a RADIUS Acc...

Страница 551: ...as gone offline and performs the necessary operations guaranteeing that the device always knows when a client goes offline 12 The client can also send an EAPOL Logoff frame to the device to go offline...

Страница 552: ...s section describes the timers used on an 802 1X device to guarantee that the client the device and the RADIUS server can interact with each other in a reasonable manner z Username request timeout tim...

Страница 553: ...hentication server sends authorization information to the device If the authorization information contains VLAN authorization information the device adds the port connecting the client to the assigned...

Страница 554: ...s link type in the similar way as described in VLAN assignment When a user of a port in the guest VLAN initiates an authentication if the authentication is not successful the port stays in the guest V...

Страница 555: ...ion that uses certificates the certificate of a user determines the authentication domain of the user However you can specify different mandatory authentication domains for different ports even if the...

Страница 556: ...timer 100 seconds for the server timeout timer 30 seconds for the client timeout timer and 30 seconds for the username request timeout timer Enable the quiet timer dot1x quiet period Optional Disabled...

Страница 557: ...portbased Optional macbased by default Set the maximum number of users for the port dot1x max user user number Optional 256 by default Enable online user handshake dot1x handshake Optional Enabled by...

Страница 558: ...voice VLAN function and 802 1X are mutually exclusive and cannot be configured together on the same port For details about voice VLAN refer to VLAN Configuration in the Access Volume Configuring an 80...

Страница 559: ...RADIUS server is received If the RADIUS accounting fails the device gets users offline z A server group with two RADIUS servers is connected to the device The IP addresses of the servers are 10 1 1 1...

Страница 560: ...sword simple localpass Device luser localuser attribute idle cut 20 Device luser localuser quit Create RADIUS scheme radius1 and enter its view Device radius scheme radius1 Configure the IP addresses...

Страница 561: ...l Set the maximum number of users for the domain as 30 Device isp aabbcc net access limit enable 30 Enable the idle cut function and set the idle cut interval Device isp aabbcc net idle cut enable 20...

Страница 562: ...in VLAN 10 so that the host can access the update server and download the 802 1X client As shown in Figure 2 13 z After the host passes the authentication and logs in the host is added to VLAN 5 In t...

Страница 563: ...ntication 10 11 1 1 1812 Device radius 2000 primary accounting 10 11 1 1 1813 Device radius 2000 key authentication abc Device radius 2000 key accounting abc Device radius 2000 user name format withou...

Страница 564: ...he configured guest VLAN functions z When no users log in z When a user goes offline After a user passes the authentication successfully you can use the display interface GigabitEthernet 1 0 2 command...

Страница 565: ...isp 2000 authorization default radius scheme 2000 Device isp 2000 accounting default radius scheme 2000 Device isp 2000 quit Configure ACL 3000 to deny packets destined for 10 0 0 1 Device acl number...

Страница 566: ...hich tends to be time consuming and inefficient To address the issue quick EAD deployment was developed In conjunction with 802 1X it can have an access switch to force all attached devices to downloa...

Страница 567: ...before passing 802 1X authentication Once a free IP is configured the fast deployment of EAD is enabled Follow these steps to configure a freely accessible network segment To do Use the command Remar...

Страница 568: ...rk segment but fail the authentication ACLs will soon be used up and new users will be rejected An EAD rule timeout timer is designed to solve this problem When a user accesses the network this timer...

Страница 569: ...192 168 2 0 24 GE1 0 1 Configuration procedure 1 Configure the WEB server Before using the EAD fast deployment function you need to configure the WEB server to provide the download service of 802 1X c...

Страница 570: ...cified URL Analysis z The address is in the string format In this case the operating system of the host regards the string a website name and tries to have it resolved If the resolution fails the oper...

Страница 571: ...devices of the cluster to bypass 802 1X authentication because network devices usually do not support 802 1 client Otherwise the management device will fail to perform centralized management of the cl...

Страница 572: ...n link layer frames exchanged between the clients can bypass the 802 1X authentication on ports of the server without affecting the normal operation of the whole network All HABP packets must travel i...

Страница 573: ...y default Configure HABP to work in client mode undo habp server Optional HABP works in client mode by default Displaying and Maintaining HABP To do Use the command Remarks Display HABP configuration...

Страница 574: ...nfigure Switch B and Switch C Configure Switch B and Switch C to work in HABP client mode This configuration is usually unnecessary because HABP is enabled and works in client mode by default 3 Verify...

Страница 575: ...and password z Fixed username where all users use the same preconfigured username and password for authentication regardless of the MAC addresses RADIUS Based MAC Authentication In RADIUS based MAC au...

Страница 576: ...uiet MAC address is the same as a static MAC address configured or an MAC address that has passed another type of authentication the quiet function does not take effect VLAN Assigning For separation o...

Страница 577: ...nterface list Enable MAC authentication for specified ports interface interface type interface number mac authentication quit Required Use either approach Disabled by default Specify the ISP domain fo...

Страница 578: ...nterface list Available in user view MAC Authentication Configuration Examples Local MAC Authentication Configuration Example Network requirements As illustrated in Figure 5 1 a supplicant is connecte...

Страница 579: ...ername format as MAC address that is using the MAC address with hyphens of a user as the username and password for MAC authentication of the user Device mac authentication user name format mac address...

Страница 580: ...23456 Figure 5 2 Network diagram for MAC authentication using RADIUS Configuration procedure It is required that the RADIUS server and the device are reachable to each other and the username and passw...

Страница 581: ...tication MAC address authentication is enabled User name format is fixed account Fixed username aaa Fixed password 123456 Offline detect period is 180s Quiet period is 180s Server response timeout val...

Страница 582: ...assword of each user on the RADIUS server correctly z You need to configure the RADIUS server to assign ACL 3000 as the authorization ACL Configure the RADIUS scheme Sysname system view Sysname radius...

Страница 583: ...MAC authentication of the user Sysname mac authentication user name format mac address Enable MAC authentication for port GigabitEthernet 1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname Gigabit...

Страница 584: ...needed When a port security enabled device detects an illegal frame it triggers the corresponding port security feature and takes a pre defined action automatically This reduces your maintenance workl...

Страница 585: ...oRestrictions Port security is disabled on the port and access to the port is not restricted In this mode neither the NTK nor the intrusion protection feature is triggered autoLearn In this mode a por...

Страница 586: ...uthentication upon receiving 802 1X frames macAddressElseUs erLoginSecure This mode is the combination of the macAddressWithRadius and userLoginSecure modes with MAC authentication having a higher pri...

Страница 587: ...tication fails the protocol type of the authentication request determines whether to turn to the authentication method following the Else z In a security mode with Or the protocol type of the authenti...

Страница 588: ...urations on a port to the bracketed defaults z Port security mode noRestrictions z 802 1X disabled port access control method macbased and port access control mode auto z MAC authentication disabled 3...

Страница 589: ...y mode ensure that z 802 1X is disabled the port access control method is macbased and the port access control mode is auto z MAC authentication is disabled z The port does not belong to any aggregati...

Страница 590: ...rst 24 bits of the MAC address and uniquely identifies a device vendor z You can configure multiple OUI values However a port in userLoginWithOUI mode allows only one 802 1X user and one user whose MA...

Страница 591: ...the following security policies when it detects illegal frames z blockmac Adds the source MAC addresses of illegal frames to the blocked MAC addresses list and discards frames with blocked source MAC...

Страница 592: ...t security trap addresslearned dot1xlogfailure dot1xlogoff dot1xlogon intrusion ralmlogfailure ralmlogoff ralmlogon Required By default no port security trap is enabled Configuring Secure MAC Addresse...

Страница 593: ...the RADIUS server delivers the authorization information to the device You can configure a port to ignore the authorization information from the RADIUS server Follow these steps to configure a port t...

Страница 594: ...ram for configuring the autoLearn mode Configuration procedure 1 Configure port security Enable port security Switch system view Switch port security enable Enable intrusion protection trap Switch por...

Страница 595: ...this interface GigabitEthernet1 0 1 port security max mac count 64 port security port mode autolearn port security intrusion mode disableport temporarily port security mac address security 0002 0000...

Страница 596: ...client is authorized to access the Internet z RADIUS server 192 168 1 2 functions as the primary authentication server and the secondary accounting server and RADIUS server 192 168 1 3 functions as th...

Страница 597: ...etry 5 Switch radius radsun timer realtime accounting 15 Switch radius radsun user name format without domain Switch radius radsun quit Configure an ISP domain named sun Switch domain sun Switch isp s...

Страница 598: ...al for realtime accounting minute 15 Retransmission times of realtime accounting packet 5 Retransmission times of stop accounting packet 500 Quiet interval min 5 Username format without domain Data fl...

Страница 599: ...Timer is disabled Supp Timeout 30 s Server Timeout 100 s The maximal retransmitting times 2 EAD quick deploy configuration EAD timeout 30m The maximum 802 1X user resource number is 1024 per slot Tota...

Страница 600: ...erform MAC authentication first and then if MAC authentication fails 802 1X authentication Allow only one 802 1X user to log on z Set fixed username and password for MAC based authentication Set the t...

Страница 601: ...de is macAddressElseUserLoginSecure NeedToKnow mode is NeedToKnowOnly Intrusion Protection mode is NoAction Max MAC address number is 64 Stored MAC address number is 0 Authorization is permitted Use t...

Страница 602: ...ckets 4 Fail Packets 5 Received EAPOL Start Packets 6 EAPOL LogOff Packets 2 EAP Response Identity Packets 80 EAP Response Challenge Packets 6 Error Packets 0 1 Authenticated user MAC address 0002 000...

Страница 603: ...x mac count 64 Switch GigabitEthernet1 0 1 port security port mode autolearn Switch GigabitEthernet1 0 1 port security mac address security 1 1 2 vlan 1 Cannot Change Port Security Mode When a User Is...

Страница 604: ...uard If there is a match the port forwards the packet Otherwise the port discards the packet IP source guard filters packets based on the following types of binding entries z IP port binding entry z M...

Страница 605: ...0 0 0 0 z A static binding entry can be configured on only Layer 2 Ethernet ports Configuring Dynamic Binding Function After the dynamic binding function is enabled on a port IP source guard will rec...

Страница 606: ...e static binding entries on Switch A and Switch B to meet the following requirements z On port GigabitEthernet 1 0 2 of Switch A only IP packets from Host C can pass z On port GigabitEthernet 1 0 1 of...

Страница 607: ...SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 user bind ip address 192 168 0 2 mac address 0001 0203 0407 3 Verify the configuration On Switch A static binding entries are confi...

Страница 608: ...e gigabitethernet 1 0 2 SwitchA GigabitEthernet1 0 2 dhcp snooping trust SwitchA GigabitEthernet1 0 2 quit 2 Verify the configuration Display dynamic binding function is configured successfully on por...

Страница 609: ...ted by DHCP snooping after it is configured with dynamic binding function Troubleshooting IP Source Guard Failed to Configure Static Binding Entries and Dynamic Binding Function Symptom Configuring st...

Страница 610: ...ents but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server Currently when acting as an SSH server the device supports two SSH version...

Страница 611: ...pports the version the server and client will use the version Otherwise the negotiation fails 5 If the negotiation is successful the server and the client proceed with key and algorithm negotiation ot...

Страница 612: ...lid the authentication fails otherwise the server authenticates the client by the digital signature Finally the server sends a message to the client to inform the success or failure of the authenticat...

Страница 613: ...t be within 2000 bytes It is recommended that the commands are in the same view otherwise the server may not be able to perform the commands correctly z If the command text exceeds 2000 bytes you can...

Страница 614: ...and client respectively no session key transmission is required in SSH2 and the server key pair is not used z The length of the modulus of RSA server keys and host keys must be in the range 512 to 20...

Страница 615: ...H you cannot change the authentication mode To change the authentication mode undo the SSH support configuration first Configuring a Client Public Key This configuration task is only necessary for SSH...

Страница 616: ...ublic key code end When you exit public key code view the system automatically saves the public key Return from public key view to system view peer public key end Importing a client public key from a...

Страница 617: ...ervice type sftp if the client uses SSH1 to log into the server you must set the service type to stelnet or all on the server Otherwise the client will fail to log in z The working folder of an SFTP u...

Страница 618: ...Set the SSH user authentication timeout period ssh server authentication timeout time out value Optional 60 seconds by default Set the maximum number of SSH authentication attempts ssh server authenti...

Страница 619: ...ient will use the saved server host public key to authenticate the server z Without first time authentication a client not configured with the server host public key will deny to access the server To...

Страница 620: ...ryption algorithms preferred HMAC algorithms and preferred key exchange algorithm For an IPv4 IPv6 server ssh2 ipv6 server port number identity key dsa rsa prefer ctos cipher aes128 des prefer ctos hm...

Страница 621: ...he SSH server for secure data exchange z Password authentication is required The username and password are saved on the switch Figure 8 1 Switch acts as server for password authentication Configuratio...

Страница 622: ...the service type for user client001 as Stelnet and the authentication mode as password This step is optional Switch ssh user client001 service type stelnet authentication type password 2 Configure th...

Страница 623: ...entication Network requirements z As shown in Figure 8 3 a local SSH connection is established between the host the SSH client and the switch the SSH server for secure data exchange z Publickey authen...

Страница 624: ...4 user privilege level 3 Switch ui vty0 4 quit Before performing the following tasks you must use the client software to generate an RSA key pair on the client save the public key in a file named key...

Страница 625: ...key pair 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 8 5 Otherwise the process bar stops moving and the key pair g...

Страница 626: ...8 17 Figure 8 5 Generate a client key pair 2 After the key pair is generated click Save public key and specify the file name as key pub to save the public key Figure 8 6 Generate a client key pair 3...

Страница 627: ...After generating a key pair on a client you need to transmit the saved public key file to the server through FTP or TFTP and have the configuration on the server done before continuing configuration...

Страница 628: ...name After entering the correct username client002 you can enter the configuration interface SSH Client Configuration Examples When Switch Acts as Client for Password Authentication Network requiremen...

Страница 629: ...bcc SwitchB luser client001 service type ssh SwitchB luser client001 authorization attribute level 3 SwitchB luser client001 quit Specify the service type for user client001 as Stelnet and the authent...

Страница 630: ...932E69D3B1F18517AD95 SwitchA pkey key code 94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02 492B3959EC6499625BC4FA5082E22C5 SwitchA pkey key code B374E16DD00132CE71B020217091AC717B612391C76C1FB2E 883...

Страница 631: ...n for SSH connection SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Set the authentication mode for the user interfaces...

Страница 632: ...c key local create dsa Export the DSA public key to the file key pub SwitchA public key local export dsa ssh2 key pub SwitchA quit After generating a key pair on a client you need to transmit the save...

Страница 633: ...SFTP client enabling a user to login from the device to a remote device for secure file transfer Configuring an SFTP Server Configuration Prerequisites z You have configured the SSH server For the de...

Страница 634: ...r the SFTP Client You can configure a client to use only a specified source IP address or interface to access the SFTP server thus enhancing the service manageability Follow these steps to specify a s...

Страница 635: ...nclude z Changing or displaying the current working directory z Displaying files under a specified directory or the directory information z Changing the name of a specified directory on the server z C...

Страница 636: ...her aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Required Execute the command in user view Change the name of a specified file or directory on the SFTP server rename old name new name Optional...

Страница 637: ...server To do Use the command Remarks Enter SFTP client view sftp ipv6 server port number identity key dsa rsa prefer ctos cipher aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh grou...

Страница 638: ...tchB ui vty0 4 quit Before performing the following tasks you must generate use the client software to generate RSA key pairs on the client save the host public key in a file named pubkey and then upl...

Страница 639: ...er delete the file named z and check if the file has been deleted successfully sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2...

Страница 640: ...ew rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 Download the file pubkey2 from the server and change the name to public sftp client get pubkey2 public...

Страница 641: ...server enable Configure an IP address for VLAN interface 1 which the client will use as the destination for SSH connection Switch interface vlan interface 1 Switch Vlan interface1 ip address 192 168 1...

Страница 642: ...supports only password authentication Establish a connection with the remote SFTP server Run the psftp exe to launch the client interface as shown in Figure 9 3 and enter the following command open 19...

Страница 643: ...olve this problem The digital certificate mechanism binds public keys to their owners helping distribute public keys in large networks securely With digital certificates the PKI system provides networ...

Страница 644: ...is so large that publishing them in a single CRL may degrade network performance and it uses CRL distribution points to indicate the URLs of these CRLs CA policy A CA policy is a set of criteria that...

Страница 645: ...PKI technology can satisfy the security requirements of online transactions As an infrastructure PKI has a wide range of applications Here are some application examples VPN A virtual private network V...

Страница 646: ...ting a Certificate Request in Manual Mode Required Use either approach Retrieving a Certificate Manually Optional Configuring PKI Certificate Optional Destroying a Local RSA Key Pair Optional Deleting...

Страница 647: ...fqdn name str Optional No FQDN is specified by default Configure the IP address for the entity ip ip address Optional No IP address is specified by default Configure the locality of the entity locali...

Страница 648: ...a dedicated protocol for an entity to communicate with a CA z Polling interval and count After an applicant makes a certificate request the CA may need a long period of time if it verifies the certifi...

Страница 649: ...fication root certificate fingerprint md5 sha1 string Required when the certificate request mode is auto and optional when the certificate request mode is manual In the latter case if you do not confi...

Страница 650: ...and validity of a local certificate Generating an RSA key pair is an important step in certificate request The key pair includes a public key and a private key The private key is kept by the user whil...

Страница 651: ...command with the pkcs10 and filename keywords and then send the file to the CA by an out of band means z Make sure the clocks of the entity and the CA are synchronous Otherwise the validity period of...

Страница 652: ...RL checking CRLs will be used in verification of a certificate Configuring CRL checking enabled PKI certificate verification Follow these steps to configure CRL checking enabled PKI certificate verifi...

Страница 653: ...file z Currently the URL of the CRL distribution point does not support domain name resolving Destroying a Local RSA Key Pair A certificate has a lifetime which is determined by the CA When the priva...

Страница 654: ...ect name dn fqdn ip ctn equ nctn nequ attribute value Optional There is no restriction on the issuer name certificate subject name and alternative subject name by default Return to system view quit Cr...

Страница 655: ...ed when RSA Keon is used In this case when configuring a PKI domain you need to use the certificate request from ca command to specify that the entity requests a certificate from a CA Requesting a Cer...

Страница 656: ...d the common name as switch Switch system view Switch pki entity aaa Switch pki entity aaa common name switch Switch pki entity aaa quit z Configure the PKI domain Create PKI domain torsa and enter it...

Страница 657: ...domain torsa Connecting to server for retrieving CRL Please wait a while CRL retrieval success Request a local certificate manually Switch pki request certificate domain torsa challenge word Certifica...

Страница 658: ...SAEncryption 836213A4 F2F74C1A 50F4100D B764D6CE B30C0133 C4363F2F 73454D51 E9F95962 EDE9E590 E7458FA6 765A0D3F C4047BC2 9C391FF0 7383C4DF 9A0CCFA9 231428AF 987B029C C857AD96 E4C92441 9382E798 8FCC1E4...

Страница 659: ...Policy Module Click Properties and then select Follow the settings in the certificate template if applicable Otherwise automatically issue the certificate z Modify the Internet Information Services II...

Страница 660: ...4 Generating Keys z Apply for certificates Retrieve the CA certificate and save it locally Switch pki retrieval certificate ca domain torsa Retrieving CA RA certificates Please wait a while The truste...

Страница 661: ...onent 65537 0x10001 X509v3 extensions X509v3 Subject Key Identifier B68E4107 91D7C44C 7ABCE3BA 9BF385F8 A448F4E1 X509v3 Authority Key Identifier keyid 9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4FE X509...

Страница 662: ...must be created in advance For detailed configuration of the PKI domain refer to Configure the PKI domain 1 Configure the HTTPS server Configure the SSL policy for the HTTPS server to use Switch syst...

Страница 663: ...ribute based access control policy to HTTPS service and enable HTTPS service Apply SSL server policy myssl to HTTPS service Switch ip https ssl server policy myssl Apply the certificate attribute base...

Страница 664: ...etrieve a CA certificate z Regenerate a key pair z Specify a trusted CA z Use the ping command to check that the RA server is reachable z Specify the authority for certificate request z Configure the...

Страница 665: ...and client by using the digital signatures with the authentication of the client being optional The SSL server and client obtain certificates from a certificate authority CA through the Public Key In...

Страница 666: ...ntity authentication of the server and client Through the SSL handshake protocol a session is established between a client and the server A session consists of a set of parameters including the sessio...

Страница 667: ...and enter its view ssl server policy policy name Required Specify a PKI domain for the SSL server policy pki domain domain name Required By default no PKI domain is specified for an SSL server policy...

Страница 668: ...r TLS 1 0 to communicate with the server SSL Server Policy Configuration Example Network requirements z Device works as the HTTPS server z A host works as the client and accesses the HTTPS server thro...

Страница 669: ...yssl client verify enable Device ssl server policy myssl quit 3 Associate HTTPS service with the SSL server policy and enable HTTPS service Configure HTTPS service to use SSL server policy myssl Devic...

Страница 670: ...r the SSL client policy pki domain domain name Required No PKI domain is configured by default Specify the preferred cipher suite for the SSL client policy prefer cipher rsa_aes_128_cbc_sha rsa_des_cb...

Страница 671: ...e for it z If the server certificate cannot be trusted install on the SSL client the root certificate of the CA that issues the local certificate to the SSL server or let the server requests a certifi...

Страница 672: ...12 1 the information is encrypted before being sent for confidentiality The cipher text is transmitted in the network and then is decrypted by the receiver to obtain the original pain text Figure 12 1...

Страница 673: ...ature is correct the data is considered from user 1 Revest Shamir Adleman Algorithm RSA and Digital Signature Algorithm DSA are all asymmetric key algorithms RSA can be used for data encryption decryp...

Страница 674: ...the local RSA or DSA host public key on the remote end Follow these steps to display or export the local RSA or DSA host public key To do Use the command Remarks Enter system view system view Display...

Страница 675: ...blic key of a peer manually To do Use the command Remarks Enter system view system view Enter public key view public key peer keyname Enter public key code view public key code begin Configure a publi...

Страница 676: ...local create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Gener...

Страница 677: ...3818D0030818902818100D90003F A95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A 9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB12503...

Страница 678: ...Time of Key pair created 09 50 06 2007 08 07 Key name HOST_KEY Key type RSA Encryption Key Key code 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F985 4C4421B57CA...

Страница 679: ...logged in ftp binary 200 Type set to I ftp put devicea pub 227 Entering Passive Mode 10 1 1 2 5 148 125 BINARY mode data connection already open transfer starting for devicea pub 226 Transfer complete...

Страница 680: ...ontrol network traffic and save network resources Access control lists ACL are often used to filter packets with configured matching rules ACLs are sets of rules or sets of permit or deny statements t...

Страница 681: ...IPv4 ACL This section covers these topics z IPv4 ACL Classification z IPv4 ACL Naming z IPv4 ACL Match Order z IPv4 ACL Step z Effective Period of an IPv4 ACL z IP Fragments Filtering with IPv4 ACL I...

Страница 682: ...Depth first match for an advanced IPv4 ACL The following shows how your device performs depth first match in an advanced IPv4 ACL 1 Sort rules by VPN instance first and compare packets against the rul...

Страница 683: ...assign a newly defined rule a number that is the smallest multiple of the step bigger than the current biggest number For example with a step of five if the biggest number is currently 28 the newly d...

Страница 684: ...er to specify a name for an ACL is up to you After creating an ACL you cannot specify a name for it nor can you change or remove its name The name of an IPv6 ACL must be unique among IPv6 ACLs However...

Страница 685: ...s are the same look at the destination IPv6 address prefixes Then compare packets against the rule configured with a longer prefix for the destination IPv6 address 4 If the prefix lengths for the dest...

Страница 686: ...2 Required Display the configuration and status of one or all time ranges display time range time range name all Optional Available in any view You may create a maximum of 256 time ranges A time range...

Страница 687: ...range ends at the latest time that the system supports namely 24 00 12 31 2100 Configuration Example Create a time range that is active from 8 00 to 18 00 every working day Sysname system view Sysname...

Страница 688: ...IPv4 ACL description text Optional By default a basic IPv4 ACL has no ACL description Configure a rule description rule rule id comment text Optional By default an IPv4 ACL rule has no rule descripti...

Страница 689: ...kets based on three priority criteria type of service ToS IP precedence and differentiated services codepoint DSCP priority Advanced IPv4 ACLs are numbered in the range 3000 to 3999 Compared with basi...

Страница 690: ...on for the advanced IPv4 ACL description text Optional By default an advanced IPv4 ACL has no ACL description Configure a rule description rule rule id comment text Optional By default an IPv4 ACL rul...

Страница 691: ...To do Use the command Remarks Enter system view system view Create an Ethernet frame header ACL and enter its view acl number acl number name acl name match order auto config Required The default mat...

Страница 692: ...contain any rules z The rule specified in the rule comment command must already exist Configuration Example Configure ACL 4000 to deny frames with the 802 1p priority of 3 Sysname system view Sysname...

Страница 693: ...able in any view Display information about ACL uses of a switch display acl resource Available in any view Display the configuration and state of a specified or all time ranges display time range time...

Страница 694: ...itch acl adv 3000 rule deny ip source 192 168 2 0 0 0 0 255 destination 192 168 4 1 0 0 0 0 time range trname Switch acl adv 3000 quit Configure a rule to control access of the Marketing Department to...

Страница 695: ...b_rd Switch qospolicy p_rd quit Configure QoS policy p_market to use traffic behavior b_market for class c_market Switch qos policy p_market Switch qospolicy p_market classifier c_market behavior b_ma...

Страница 696: ...dure Follow these steps to configure an IPv6 ACL To do Use the command Remarks Enter system view system view Create a basic IPv6 ACL view and enter its view acl ipv6 number acl6 number name acl6 name...

Страница 697: ...l ipv6 number acl6 number name acl6 name match order auto config command but only when the ACL does not contain any rules z The rule specified in the rule comment command must already exist Configurat...

Страница 698: ...pe icmpv6 type icmpv6 code icmpv6 message logging source source source prefix source source prefix any source port operator port1 port2 time range time range name Required To create or modify multiple...

Страница 699: ...tcp source 2030 5060 9050 64 Verify the configuration Sysname acl6 adv 3000 display acl ipv6 3000 Advanced IPv6 ACL 3000 named none 1 rule ACL s step is 5 rule 0 permit tcp source 2030 5060 9050 64 5...

Страница 700: ...name all Available in any view Clear statistics about a specified or all IPv6 ACLs that are referenced by upper layer software reset acl ipv6 counter acl6 number all name acl6 name Available in user...

Страница 701: ...b_rd Switch behavior b_rd filter deny Switch behavior b_rd quit Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd Switch qos policy p_rd Switch qospolicy p_rd classifier c_rd beha...

Страница 702: ...ernet interface view interface interface type interface number Enter interface view Enter VLAN interface view interface vlan interface vlan id Use either command Apply an Ethernet frame header ACL to...

Страница 703: ...takes effect for only rules with the logging keyword specified z The packet filtering statistics are managed and output as device log information by the information center z The packet filtering stat...

Страница 704: ...network GE1 0 1 Host A 192 168 1 2 24 Device A Host B 192 168 1 3 24 Configuration procedure Create a time range named study setting it to become active from 08 00 to 18 00 everyday DeviceA system vie...

Страница 705: ...nt100 192 168 1 1 Host A 192 168 1 2 Host B 192 168 1 3 Server 192 168 5 100 Configuration procedure Create a time range named study setting it to become active from 08 00 to 18 00 of the working days...

Страница 706: ...aining Smart Link 1 8 Smart Link Configuration Examples 1 9 Single Smart Link Group Configuration Example 1 9 Multiple Smart Link Groups Load Sharing Configuration Example 1 13 2 Monitor Link Configur...

Страница 707: ...tting DLDP State 4 11 Resetting DLDP State in System View 4 12 Resetting DLDP State in Port view Port Group View 4 12 Displaying and Maintaining DLDP 4 12 DLDP Configuration Example 4 13 Troubleshooti...

Страница 708: ...ation Examples 6 10 Configuring Service Instance 6 10 Configuring MEP and Enabling CC on it 6 11 Configuring the Rules for Generating MIPs 6 13 Configuring LB on MEPs 6 14 Configuring LT on MEPs 6 14...

Страница 709: ...ually dual uplinked to upstream devices That is a downstream device connects to two different upstream devices as shown in Figure 1 1 Figure 1 1 Diagram for a dual uplink network GE1 0 1 GE1 0 2 GE1 0...

Страница 710: ...1 and GE1 0 2 of Device C and GE1 0 1 and GE1 0 2 of Device D each form a smart link group with GE1 0 1 being active and GE1 0 2 being standby Master slave port Master port and slave port are two por...

Страница 711: ...ilure does not take over immediately upon its recovery Instead link switchover will occur at next link switchover Topology change mechanism As link switchover can outdate the MAC address forwarding en...

Страница 712: ...the Sending of Flush Messages Optional Configuring an Associated Device Enabling the Receiving of Flush Messages Required z A smart link device is a device that supports Smart Link and is configured...

Страница 713: ...uration in the Access Volume Configuring Member Ports for a Smart Link Group You can configure member ports for a smart link group either in smart link group view or in interface view The configuratio...

Страница 714: ...tion mode role Required Disabled by default Configure the preemption delay preemption delay delay time Optional 1 second by default The preemption delay configuration takes effect only after role pree...

Страница 715: ...undo stp enable Sysname GigabitEthernet1 0 1 port link type trunk Sysname GigabitEthernet1 0 1 port trunk permit vlan 20 Sysname GigabitEthernet1 0 1 quit Sysname interface gigabitethernet 1 0 2 Sysna...

Страница 716: ...es directly without any processing z Do not remove the control VLANs Otherwise flush messages cannot be sent properly z Make sure that the control VLANs are existing VLANs and assign the ports capable...

Страница 717: ...vice E Device D Device C Device B GE1 0 1 GE1 0 2 GE1 0 1 GE1 0 1 GE1 0 2 GE1 0 2 GE1 0 3 GE1 0 1 GE1 0 2 GE1 0 3 GE1 0 1 GE1 0 2 Master link Slave link Smart link group Configuration procedure 1 Conf...

Страница 718: ...iceC smlk group1 flush enable DeviceC smlk group1 quit 2 Configuration on Device D Create VLANs 1 through 30 map VLANs 1 through 10 VLANs 11 through 20 and VLANs 21 through 30 to MSTI 0 MSTI 1 and MST...

Страница 719: ...eB GigabitEthernet1 0 1 smart link flush enable DeviceB GigabitEthernet1 0 1 quit DeviceB interface gigabitethernet 1 0 2 DeviceB GigabitEthernet1 0 2 port link type trunk DeviceB GigabitEthernet1 0 2...

Страница 720: ...ce gigabitethernet 1 0 2 DeviceA GigabitEthernet1 0 2 port link type trunk DeviceA GigabitEthernet1 0 2 port trunk permit vlan 1 to 30 DeviceA GigabitEthernet1 0 2 smart link flush enable DeviceA Giga...

Страница 721: ...link group 2 is VLAN 101 Figure 1 3 Multiple smart link groups load sharing configuration Device A Device D Device B GE1 0 1 GE1 0 2 GE1 0 1 GE1 0 1 GE1 0 2 GE1 0 2 Device C GE1 0 1 GE1 0 2 Configurat...

Страница 722: ...2 DeviceC smart link group 2 DeviceC smlk group2 protected vlan reference instance 2 Configure GigabitEthernet 1 0 1 as the slave port and GigabitEthernet 1 0 2 as the master port for smart link group...

Страница 723: ...enable control vlan 10 101 DeviceD GigabitEthernet1 0 2 quit 4 Configuration on Device A Create VLAN 1 through VLAN 200 DeviceA system view DeviceA vlan 1 to 200 Configure GigabitEthernet 1 0 1 and Gi...

Страница 724: ...te Flush count Last flush time GigabitEthernet1 0 2 MASTER ACTVIE 5 16 37 20 2009 02 21 GigabitEthernet1 0 1 SLAVE STANDBY 1 17 45 20 2009 02 21 You can use the display smart link flush command to dis...

Страница 725: ...port can be assigned to only one monitor link group Both Layer 2 Ethernet ports and Layer 2 aggregate interfaces can be assigned to a monitor link group Uplink The uplink is the link monitored by the...

Страница 726: ...orts In monitor link group view port interface type interface number downlink Configure the downlink for the monitor link group In Ethernet port view or Layer 2 aggregate interface view port monitor l...

Страница 727: ...er in the smart link group For detailed information about smart link refer to Smart Link Configuration in the High Availability Volume Figure 2 1 Network diagram for smart link in combination with mon...

Страница 728: ...2 DeviceA GigabitEthernet1 0 2 smart link flush enable 3 Configuration on Device B Create monitor link group 1 DeviceB system view DeviceB monitor link group 1 Configure GigabitEthernet 1 0 1 as an u...

Страница 729: ...1 and GigabitEthernet 1 0 2 separately DeviceD interface gigabitethernet 1 0 1 DeviceD GigabitEthernet1 0 1 smart link flush enable DeviceD GigabitEthernet1 0 1 quit DeviceD interface gigabitethernet...

Страница 730: ...e protocols RRPP features the following z Fast topology convergence z Convergence time independent of Ethernet ring size Background Metropolitan area networks MANs and enterprise networks usually use...

Страница 731: ...ne of the following two states z Health state All the physical links on the Ethernet ring are connected z Disconnect state Some physical links on the Ethernet ring are broken As shown in Figure 3 1 Do...

Страница 732: ...detect the integrity of the primary ring and perform loop guard As shown in Figure 3 1 Ring 1 is the primary ring and Ring 2 is a subring Device A is the master node of Ring 1 Device B Device C and D...

Страница 733: ...de RRPP ring group Up to one subring in an edge node RRPP ring group is allowed to send Edge Hello packets RRPPDUs Table 3 1 shows the types of RRPPDUs and their functions Table 3 1 RRPPDU types and t...

Страница 734: ...to check the Health state of the ring network The master node sends Hello packets out its primary port periodically and these Hello packets travel through each transit node on the ring in turn z If th...

Страница 735: ...VLANs referred to as protected VLANs in a ring network traffic of different VLANs can be transmitted according to different topologies in the ring network In this way load balancing is achieved As sho...

Страница 736: ...or more rings in the network topology and only one common node between rings In this case you need to define an RRPP domain for each ring Figure 3 3 Schematic diagram for a tangent ring network Inters...

Страница 737: ...for a dual homed ring network Single ring load balancing In a single ring network you can achieve load balancing by configuring multiple domains As shown in Figure 3 6 Ring 1 is configured as the pri...

Страница 738: ...Device E is configured as the master node of Ring 2 in both Domain 1 and Domain 2 However different ports on Device E are blocked in Domain 1 and Domain 2 With the configurations you can enable traffi...

Страница 739: ...r node in the RRPP domain Configuring an RRPP Ring Group Optional Perform this task on the edge node and assistant edge node in the RRPP domain z RRPP does not have an auto election mechanism so you m...

Страница 740: ...ed with RRPP you must ensure only the two ports connecting the device to the RRPP ring permit the packets of the control VLANs Otherwise the packets from other VLANs may go into the control VLANs in t...

Страница 741: ...Perform this configuration on each node s ports intended for accessing RRPP rings Follow these steps to configure RRPP ports To do Use the command Remarks Enter system view system view Enter interfac...

Страница 742: ...e Configuring RRPP Nodes z The maximum number of rings that can be configured on a device in all RRPP domains is 16 z If a device carries multiple RRPP rings in an RRPP domain only one ring can be con...

Страница 743: ...interface number secondary port interface type interface number level level value Required Specify the current device as the edge node of a subring and specify the edge port ring ring id node mode ed...

Страница 744: ...e or assistant edge node enable disable the primary ring and subrings separately as follows z Enable the primary ring of an RRPP domain before enabling subrings of the RRPP domain z Disable the primar...

Страница 745: ...marks Enter system view system view Create an RRPP ring group and enter RRPP ring group view rrpp ring group ring group id Required Assign the specified subrings to the RRPP ring group domain domain i...

Страница 746: ...control VLAN of RRPP domain 1 as VLAN 4092 and RRPP domain 1 protects all VLANs z Device A Device B Device C and Device D constitute primary ring 1 z Specify Device A as the master node of primary ri...

Страница 747: ...ng 1 with GigabitEthernet 1 0 1 as the primary port and GigabitEthernet 1 0 2 as the secondary port and enable ring 1 DeviceA rrpp domain1 ring 1 node mode master primary port gigabitethernet 1 0 1 se...

Страница 748: ...here 5 Verification After the above configuration you can use the display command to view RRPP configuration and operational information on each device Intersecting Ring Configuration Example Network...

Страница 749: ...interface gigabitethernet 1 0 2 DeviceA GigabitEthernet1 0 2 link delay 0 DeviceA GigabitEthernet1 0 2 undo stp enable DeviceA GigabitEthernet1 0 2 port link type trunk DeviceA GigabitEthernet1 0 2 po...

Страница 750: ...Ethernet1 0 2 quit DeviceB interface gigabitethernet 1 0 3 DeviceB GigabitEthernet1 0 3 link delay 0 DeviceB GigabitEthernet1 0 3 undo stp enable DeviceB GigabitEthernet1 0 3 port link type trunk Devi...

Страница 751: ...interface gigabitethernet 1 0 3 DeviceC GigabitEthernet1 0 3 link delay 0 DeviceC GigabitEthernet1 0 3 undo stp enable DeviceC GigabitEthernet1 0 3 port link type trunk DeviceC GigabitEthernet1 0 3 po...

Страница 752: ...P domain 1 and configure VLANs mapped to MSTIs 0 through 16 as the protected VLANs of RRPP domain 1 DeviceD rrpp domain 1 DeviceD rrpp domain1 control vlan 4092 DeviceD rrpp domain1 protected vlan ref...

Страница 753: ...l information on each device Intersecting Ring Load Balancing Configuration Example Networking requirements z Device A Device B Device C Device D and Device F constitute RRPP domain 1 and VLAN 100 is...

Страница 754: ...igure the suppression time of physical link state changes on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 as zero disable STP configure the two ports as trunk ports remove them from VLAN 1 and assi...

Страница 755: ...pp domain1 ring 1 enable DeviceA rrpp domain1 quit Create RRPP domain 2 configure VLAN 105 as the primary control VLAN of RRPP domain 2 and configure the VLAN mapped to MSTI 2 as the protected VLAN of...

Страница 756: ...ure the port as a trunk port remove it from VLAN 1 and assign it to VLAN 20 and configure it to trust the 802 1p precedence of the received packets DeviceB interface gigabitethernet 1 0 3 DeviceB Giga...

Страница 757: ...node of primary ring 1 with GigabitEthernet 1 0 1 as the primary port and GigabitEthernet 1 0 2 as the secondary port and enable ring 1 DeviceB rrpp domain2 ring 1 node mode transit primary port gigab...

Страница 758: ...e of the received packets DeviceC interface gigabitethernet 1 0 3 DeviceC GigabitEthernet1 0 3 link delay 0 DeviceC GigabitEthernet1 0 3 undo stp enable DeviceC GigabitEthernet1 0 3 port link type tru...

Страница 759: ...itEthernet 1 0 2 as the secondary port and enable ring 1 DeviceC rrpp domain2 ring 1 node mode transit primary port gigabitethernet 1 0 1 secondary port gigabitethernet 1 0 2 level 0 DeviceC rrpp doma...

Страница 760: ...ence instance 1 Configure Device D as the transit node of primary ring 1 in RRPP domain 1 with GigabitEthernet 1 0 1 as the primary port and GigabitEthernet 1 0 2 as the secondary port and enable ring...

Страница 761: ...0 2 undo stp enable DeviceE GigabitEthernet1 0 2 port link type trunk DeviceE GigabitEthernet1 0 2 undo port trunk permit vlan 1 DeviceE GigabitEthernet1 0 2 port trunk permit vlan 20 DeviceE Gigabit...

Страница 762: ...permit vlan 10 DeviceF GigabitEthernet1 0 2 qos trust dot1p DeviceF GigabitEthernet1 0 2 quit Create RRPP domain 1 configure VLAN 100 as the primary control VLAN and configure the VLAN mapped to MSTI...

Страница 763: ...e RRPP ring z Some ports are abnormal Solution z Use the display rrpp brief command to check whether RRPP is enabled for all nodes If not use the rrpp enable command and the ring enable command to ena...

Страница 764: ...ing Overview Background Sometimes unidirectional links may appear in networks On a unidirectional link one end can receive packets from the other end but the other end cannot Unidirectional links resu...

Страница 765: ...h ends of a link are operating normally at the physical layer DLDP detects whether the link is correctly connected at the link layer and whether the two ends can exchange packets properly This is beyo...

Страница 766: ...timer This timer is set to 10 seconds and is triggered when a device transits to the Probe state or an enhanced detect is launched When the Echo timer expires and no Echo packet has been received from...

Страница 767: ...ntry timer expires the Enhanced timer is triggered and the device sends up to eight Probe packets at a frequency of one packet per second to test the neighbor If no Echo packet is received from the ne...

Страница 768: ...with the corresponding local configuration z Plain text authentication In this mode before sending a DLDP packet the sending side sets the Authentication field to the password configured in plain text...

Страница 769: ...information If the corresponding neighbor entry already exists resets the Entry timer If yes no process is performed Flush packet Determines whether or not the local port is in Disable state If not re...

Страница 770: ...port and removes the corresponding neighbor entry Link auto recovery mechanism If the port shutdown mode upon detection of a unidirectional link is set to auto DLDP sets the state of the port where a...

Страница 771: ...uthentication Optional Resetting DLDP State Optional Note that z DLDP takes effects only on Ethernet interfaces z DLDP can detect unidirectional links only after all links are connected Therefore befo...

Страница 772: ...e are two DLDP modes z Normal mode In this mode DLDP does not actively detect neighbors when the corresponding neighbor entries age out The system can identify only one type of unidirectional links cr...

Страница 773: ...Tx line fails the port goes down and then comes up again causing optical signal jitters on the Rx line When a port goes down due to a Tx failure the device transits to the DelayDown state instead of...

Страница 774: ...ode z If the device is busy or the CPU utilization is high normal links may be treated as unidirectional links In this case you can set the port shutdown mode to manual mode to eliminate the effects c...

Страница 775: ...tate dldp reset Required Resetting DLDP State in Port view Port Group View Resetting DLDP state in port view or port group view applies to the current port or all the ports in the port group shut down...

Страница 776: ...Device A Enable DLDP on GigabitEthernet1 0 50 and GigabitEthernet 1 0 51 DeviceA system view DeviceA interface gigabitethernet 1 0 50 DeviceA GigabitEthernet1 0 50 dldp enable DeviceA GigabitEthernet1...

Страница 777: ...ort is 0 The output information indicates that both GigabitEthernet 1 0 50 and GigabitEthernet 1 0 51 are in Disable state and the links are down which means unidirectional links are detected and the...

Страница 778: ...the two ports are restored Troubleshooting Symptom Two DLDP enabled devices Device A and Device B are connected through two fiber pairs in which two fibers are cross connected The unidirectional links...

Страница 779: ...net has been absent all along hindering the usage of Ethernet in MANs and WANs Implementing Operation Administration and Maintenance OAM on Ethernet networks has now become an urgent matter As a tool...

Страница 780: ...be forwarded Source addr Source MAC address of the Ethernet OAMPDU It is the bridge MAC address of the sending side and is a unicast MAC address Type Type of the encapsulated protocol in the Ethernet...

Страница 781: ...interconnected OAM entities notify the peer of their OAM configuration information and the OAM capabilities of the local nodes by exchanging Information OAMPDUs and determine whether Ethernet OAM conn...

Страница 782: ...k faults in various environments Ethernet OAM implements link monitoring through the exchange of Event Notification OAMPDUs Upon detecting a link error event listed in Table 5 4 the local OAM entity s...

Страница 783: ...y across established OAM connections an Ethernet OAM entity can inform one of its OAM peers of link faults through Information OAMPDUs Therefore the network administrator can keep track of link status...

Страница 784: ...Ethernet port establishes an Ethernet OAM connection with its peer port Follow these steps to configure basic Ethernet OAM functions To do Use the command Remarks Enter system view System view Enter...

Страница 785: ...em view Configure the errored frame event detection interval oam errored frame period period value Optional 1 second by default Configure the errored frame event triggering threshold oam errored frame...

Страница 786: ...s than the errored frame seconds detection interval Otherwise no errored frame seconds event can be generated Enabling OAM Remote Loopback After enabling OAM remote loopback on a port you can send loo...

Страница 787: ...z Enabling internal loopback test on a port in remote loopback test can terminate the remote loopback test For more information about loopback test refer to Ethernet Interface Configuration in the Ac...

Страница 788: ...iew DeviceB interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 oam mode active DeviceB GigabitEthernet1 0 1 oam enable DeviceB GigabitEthernet1 0 1 quit 3 Verify the configuration Use the di...

Страница 789: ...p 0 Critical Event 0 According to the above output information no critical link event occurred on the link between Device A and Device B Display Ethernet OAM link event statistics of the remote end of...

Страница 790: ...ined by some maintenance association end points MEPs configured on the ports A MD is identified by an MD name To locate faults exactly CFD introduces eight levels from 0 to 7 to MDs The bigger the num...

Страница 791: ...P ID The MEPs of an MD define the range and boundary of the MD The MA and MD that a MEP belongs to define the VLAN attribute and level of the packets sent by the MEP MEPs fall into inward facing MEPs...

Страница 792: ...forwards packets at a higher level without any processing Figure 6 4 demonstrates a grading example of the CFD module In the figure there are six devices labeled 1 through 6 respectively Suppose each...

Страница 793: ...MEPs send CCMs at the same time the multipoint to multipoint link check is achieved Loopback Similar to ping at the IP layer loopback is responsible for verifying the connectivity between a local dev...

Страница 794: ...be designed at the device port MEPs can be designed on devices or ports that are not at the edges Complete the following tasks to configure CFD Tasks Remarks Basic Configuration Tasks Required These...

Страница 795: ...ed by default Create a service instance cfd service instance instance id md md name ma ma name Required Not created by default z These configuration tasks are the foundation for other CFD configuratio...

Страница 796: ...d mip rule explicit default service instance instance id Required By default neither the MIPs nor the rules for generating MIPs are configured MIPs are generated on each port automatically according t...

Страница 797: ...sending on a MEP cfd cc service instance instance id mep mep id enable Required Disabled by default The relationship between the interval field value in the CCM messages the interval between CCM messa...

Страница 798: ...atter case after LT messages automatic sending is enabled if a MEP fails to receive the CCMs from the remote MEP within 3 5 sending intervals the link between the two is regarded as faulty and LTMs wi...

Страница 799: ...ep service instance instance id mep mep id Available in any view Display the content of the LTR that responds to LTM messages display cfd linktrace reply auto detection size size value Available in an...

Страница 800: ...B DeviceB system view DeviceB cfd enable DeviceB cfd md MD_A level 5 DeviceB cfd ma MA_MD_A md MD_A vlan 100 DeviceB cfd service instance 1 md MD_A ma MA_MD_A DeviceB cfd md MD_B level 3 DeviceB cfd...

Страница 801: ...1001 DeviceA GigabitEthernet1 0 1 cfd remote mep 4002 service instance 1 mep 1001 DeviceA GigabitEthernet1 0 1 cfd mep service instance 1 mep 1001 enable DeviceA GigabitEthernet1 0 1 cfd cc service in...

Страница 802: ...twork requirements After finishing MEP configuration you can continue to configure the MIPs MIPs which are generated by some rules are configured in the following way z Decide the device on which MIPs...

Страница 803: ...wn in Figure 6 6 enable LB on Device A so that Device A can send LBM messages to MEPs on Device D Configuration procedure Configure Device A DeviceA system view DeviceA cfd loopback service instance 1...

Страница 804: ...les to perform certain operations through the Track module More specifically the detection modules probe the link status network performance and so on and inform the application modules of the detecti...

Страница 805: ...configure Track module Task Remarks Configuring Collaboration Between the Track Module and the Detection Modules Configuring Track NQA Collaboration Required Configuring Collaboration Between the Tra...

Страница 806: ...tatic Routing collaboration so as to check the reachability of the next hop of the static route ip route static dest address mask mask length next hop address track track entry number preference prefe...

Страница 807: ...n int2 10 1 1 2 24 Vlan int3 10 2 1 1 24 Switch C Vlan int3 10 2 1 2 24 Switch B Switch A Configuration procedure 1 Configure the IP address of each interface as shown in Figure 7 2 2 Configure a stat...

Страница 808: ...chA display track all Track ID 1 Status Positive Reference object NQA entry admin test Reaction 1 Display the routing table of Switch A SwitchA display ip routing table Routing Tables Public Destinati...

Страница 809: ...re Cost NextHop Interface 10 2 1 0 24 Direct 0 0 10 2 1 2 Vlan3 10 2 1 2 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 The output i...

Страница 810: ...Configuration Example 2 7 Console Port Login Configuration with Authentication Mode Being Scheme 2 9 Configuration Procedure 2 9 Configuration Example 2 10 Configuring Command Authorization 2 11 Conf...

Страница 811: ...ers by Source and Destination IP Addresses 8 2 Controlling Telnet Users by Source MAC Addresses 8 3 Configuration Example 8 3 Controlling Network Management Users by Source IP Addresses 8 4 Prerequisi...

Страница 812: ...ggable transceivers 10 7 Identifying pluggable transceivers 10 8 Diagnosing pluggable transceivers 10 9 Displaying and Maintaining Device Management Configuration 10 9 Device Management Configuration...

Страница 813: ...Configuring the TFTP Client 13 2 Displaying and Maintaining the TFTP Client 13 3 TFTP Client Configuration Example 13 4 Single Device Upgrade 13 4 IRF System Upgrade 13 5 14 HTTP Configuration 14 1 H...

Страница 814: ...rocedure 18 3 Displaying and Maintaining RMON 18 5 RMON Configuration Example 18 5 19 MAC Address Table Management Configuration 19 1 Introduction to MAC Address Table 19 1 How a MAC Address Table Ent...

Страница 815: ...22 6 Outputting System Information to the Console 22 6 Outputting System Information to a Monitor Terminal 22 7 Outputting System Information to a Log Host 22 8 Outputting System Information to the Tr...

Страница 816: ...Configuring an ICMP Echo Test 23 6 Configuring a DHCP Test 23 7 Configuring an FTP Test 23 8 Configuring an HTTP Test 23 9 Configuring a UDP Jitter Test 23 10 Configuring an SNMP Test 23 12 Configurin...

Страница 817: ...ing Access Control Rights 25 11 Configuration Prerequisites 25 12 Configuration Procedure 25 12 Configuring NTP Authentication 25 12 Configuration Prerequisites 25 12 Configuration Procedure 25 13 Dis...

Страница 818: ...Synchronization Function 26 17 Configuring Web User Accounts in Batches 26 18 Displaying and Maintaining Cluster Management 26 19 Cluster Management Configuration Example 26 19 27 IRF Configuration 26...

Страница 819: ...ng Function 29 5 Configuring a Power Alarm Threshold for the PSE 29 6 Upgrading PSE Processing Software Online 29 6 Configuring a PD Disconnection Detection Mode 29 6 Enabling the PSE to Detect Nonsta...

Страница 820: ...ts two types of user interfaces AUX and VTY z AUX port Used to manage and monitor users logging in via the console port The device provides AUX ports of EIA TIA 232 DTE type The port is usually used f...

Страница 821: ...s you to uniquely specify a user interface or a group of user interfaces The numbering system starts from number 0 with a step of 1 The numbering approach numbers the two types of user interfaces in t...

Страница 822: ...user interface all user interfaces display users all You can execute this command in any view Display the physical attributes and configuration of the current a specified user interface display user i...

Страница 823: ...in methods By default you can log in to an 3Com Switch 4210G family through its Console port only To log in to an Ethernet switch through its Console port the related configuration of the user termina...

Страница 824: ...perTerminal in Windows 9X Windows 2000 Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally the parameters of a terminal are config...

Страница 825: ...information about the switch by executing commands You can also acquire help by type the character Refer to the following chapters for information about the commands Console Port Login Configuration C...

Страница 826: ...ing in to the AUX user interface user privilege level level Optional By default commands of level 3 are available to the users logging in to the AUX user interface Set the maximum number of lines the...

Страница 827: ...locally or remotely Configure the authentication mode Scheme Create or enter a local user set the authentication password specifies the level and service type for AUX users Refer to Console Port Login...

Страница 828: ...rk diagram Figure 2 5 Network diagram for AUX user interface configuration with the authentication mode being none Configuration procedure Enter system view Sysname system view Enter AUX user interfac...

Страница 829: ...ogging in through the Console port are not authenticated while users logging in through the Telnet need to pass the password authentication Set the local password set authentication password cipher si...

Страница 830: ...n to the AUX user interface Sysname ui aux0 user privilege level 2 Set the baud rate of the Console port to 19200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain...

Страница 831: ...ystem view quit Optional By default the local AAA scheme is applied If you specify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to a...

Страница 832: ...level is set to the administrator level level 3 After you telnet to the switch you need to limit the console user at the following aspects z Configure the name of the local user to be guest z Set the...

Страница 833: ...unning on the user PC accordingly as shown in Figure 2 4 thus ensuring the consistency between the configurations of the terminal emulation utility and those of the switch Otherwise you will fail to l...

Страница 834: ...WTACACS server If both command accounting and command authorization are enabled only the authorized and executed commands will be recorded on the HWTACACS server The command accounting configuration i...

Страница 835: ...Refer to Table 3 2 and Table 3 3 Telnet is running Telnet terminal The IP address of the management VLAN of the switch is available Telnet Connection Establishment Telnetting to a Switch from a Termi...

Страница 836: ...ble Figure 3 1 Network diagram for Telnet connection establishment Configuration PC running Telnet Ethernet Workstation Server Workstation Ethernet port Step 4 Launch Telnet on your PC with the IP add...

Страница 837: ...user name and password for Telnet on the switch operating as the Telnet server Refer to section Telnet Login Configuration with Authentication Mode Being None section Telnet Login Configuration with A...

Страница 838: ...g tasks escape key default character Optional By default you can use Ctrl C to terminate a task Configure the type of terminal display under the current user interface terminal type ansi vt100 Optiona...

Страница 839: ...elnet configuration with authentication mode being none To do Use the command Remarks Enter system view system view Enter one or more VTY user interface views user interface vty first number last numb...

Страница 840: ...command buffer can store to 20 Sysname ui vty0 history command max size 20 Set the timeout time to 6 minutes Sysname ui vty0 idle timeout 6 Telnet Login Configuration with Authentication Mode Being Pa...

Страница 841: ...dure Enter system view and enable the Telnet service Sysname system view Sysname telnet server enable Enter VTY 0 user interface view Sysname user interface vty 0 Configure to authenticate users loggi...

Страница 842: ...eme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to AAA Configuration in the Security Vol...

Страница 843: ...creen can contain up to 30 lines z The history command buffer can store up to 20 commands z The timeout time of VTY 0 is 6 minutes 2 Network diagram Figure 3 6 Network diagram for Telnet configuration...

Страница 844: ...with the default level not higher than the user level With the command authorization configured the command level for a login user is decided by both the user level and AAA authorization If a user exe...

Страница 845: ...s will be recorded on the HWTACACS server The command accounting configuration involves two steps 1 Enable command accounting See the following table for details 2 Configure a command accounting schem...

Страница 846: ...Network diagram for configuring user authentication Configuration procedure Assign an IP address to Device to make Device be reachable from Host A Host B Host C and RADIUS server The configuration is...

Страница 847: ...ication as the backup Device domain system Device isp system authentication login radius scheme rad local Device isp system authorization login radius scheme rad local Device isp system quit Add a loc...

Страница 848: ...tandard Specify Device to remove the domain name in the username sent to the HWTACACS server for the scheme Device hwtacacs scheme tac Device hwtacacs tac primary authentication 192 168 2 20 49 Device...

Страница 849: ...vice user interface aux 0 Device ui aux0 command accounting Device ui aux0 quit Enable command accounting for users logging in through telnet or SSH Device user interface vty 0 4 Device ui vty0 4 comm...

Страница 850: ...Create ISP domain system and configure the ISP domain system to use HWTACACS scheme tac for accounting of command line users Device domain system Device isp system accounting command hwtacacs scheme...

Страница 851: ...is configured The route between the switch and the network management terminal is available Refer to the module IP Addressing and Performance and IP Routing for more Switch The user name and password...

Страница 852: ...ss to the management VLAN interface of the switch By default VLAN 1 is the management VLAN z Connect to the console port Refer to section Setting Up the Connection to the Console Port z Execute the fo...

Страница 853: ...http 10 153 17 82 Make sure the route between the Web based network management terminal and the switch is available Step 5 When the login interface shown in Figure 5 2 appears enter the user name and...

Страница 854: ...rotocol is applied between the NMS and the agent To log in to a switch through an NMS you need to perform related configuration on both the NMS and the switch Table 6 1 Requirements for logging in to...

Страница 855: ...source IP address interfaces for Telnet packets also provides a way to successfully connect to servers that only accept packets with specific source IP addresses Specifying Source IP address Interface...

Страница 856: ...or Telnet packets make sure the interface already exists z Before specifying the source IP address interface for Telnet packets make sure the route between the interface and the Telnet server is reach...

Страница 857: ...ugh Layer 2 ACLs Controlling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through basic ACLs Controlling Network Management Users by Source IP Addresses Controlling Telnet Users Pr...

Страница 858: ...L refer to ACL Configuration in the Security Volume Follow these steps to control Telnet users by source and destination IP addresses To do Use the command Remarks Enter system view system view Create...

Страница 859: ...ne rules as needed to filter by specific source MAC addresses Quit to system view quit Enter user interface view user interface type first number last number Apply the ACL to control Telnet users by s...

Страница 860: ...ontrol users accessing the switch through SNMP Prerequisites The controlling policy against network management users is determined including the source IP addresses to be controlled and the controllin...

Страница 861: ...ailed configuration refer to SNMP Configuration in the System Volume Configuration Example Network requirements Only SNMP users sourced from the IP addresses of 10 110 100 52 and 10 110 100 46 are per...

Страница 862: ...Web users by source IP addresses To do Use the command Remarks Enter system view system view Create a basic ACL or enter basic ACL view acl ipv6 number acl number match order config auto Required The...

Страница 863: ...network Host B 10 110 100 52 Configuration procedure Create a basic ACL Sysname system view Sysname acl number 2030 match order config Sysname acl basic 2030 rule 1 permit source 10 110 100 52 0 Refer...

Страница 864: ...e configuration file is damaged z Current configuration The currently running configuration on the device z Saved configuration Configurations saved in the startup configuration file Follow these step...

Страница 865: ...ommand or press the hot key Ctrl Z to return to user view Configuring the Device Name The device name is used to identify a device in a network Inside the system the device name corresponds to the pro...

Страница 866: ...he clock timezone command and the offset time is zone offset z 3 indicates daylight saving time has been configured with the clock summer time command and the offset time is summer offset z 1 indicate...

Страница 867: ...er time range date time is displayed Configure clock summer time ss one off 1 00 2007 1 1 1 00 2007 8 8 2 and clock datetime 3 00 2007 1 1 Display 03 00 00 ss Mon 01 01 2007 Configure clock timezone z...

Страница 868: ...ew after logging in to the device through the console port AUX port or asynchronous serial interface The copyright information will not be displayed under other circumstances The display format of cop...

Страница 869: ...right after the command keywords The start and end characters of the input text must be the same but are not part of the banner information In this case the input text together with the command keywo...

Страница 870: ...Ctrl G corresponds to the display current configuration command z Ctrl L corresponds to the display ip routing table command z Ctrl O corresponds to the undo debugging all command Table 9 2 Hotkeys r...

Страница 871: ...yword by configuring the command alias function For example if you configure show as the replacement of the display keyword for each display command you can input the command alias show xx to execute...

Страница 872: ...his level include ping tracert telnet and ssh2 1 Monitor Includes commands for system maintenance and service fault diagnosis Commands at this level are not allowed to be saved after being configured...

Страница 873: ...authentication server User either approach z For local authentication if you do not configure the user level the user level is 0 that is users of this level can use commands with level 0 only z For re...

Страница 874: ...urity Volume Required if users adopt the SSH login mode and only username instead of password is needed at authentication After the configuration the authentication mode of the corresponding user inte...

Страница 875: ...name User view commands cluster Run cluster command display Display current system information ping Ping function quit Exit from current command view ssh2 Establish a secure shell client connection su...

Страница 876: ...stores to the original level To avoid misoperations the administrators are recommended to log in to the device by using a lower privilege level and view device operating parameters and when they have...

Страница 877: ...d level in a specified view command privilege level level view view command Required Refer to Table 9 3 for the default settings You are recommended to use the default command level or modify the comm...

Страница 878: ...nchronous Information Output z Undo Form of a Command z Editing Features z CLI Display z Saving History Command z Command Line Error Information Introduction to CLI CLI is an interaction interface bet...

Страница 879: ...delete Delete a file dir List files on a file system display Show running system information omitted 2 Enter a command and a separated by a space If is at the position of a keyword all the keywords a...

Страница 880: ...m Volume Undo Form of a Command Adding the keyword undo can form an undo command Almost every configuration command has an undo form undo commands are generally used to restore the system default disa...

Страница 881: ...ut information The device provides the function to filter the output information You can specify a regular expression that is the output rule to search information you need You can use one of the foll...

Страница 882: ...xample 16A can match a string containing any character among 1 6 and A 1 36A can match a string containing any character among 1 2 3 6 and A with being a hyphen can be matched only when it is put at t...

Страница 883: ...d in this table follow the specific meanings of the characters will be removed For example can match a string containing can match a string containing and b can match a string containing b Multiple sc...

Страница 884: ...CLI saves the commands in the format that you have input that is if you input a command in its incomplete form the saved history command is also incomplete z If you execute a command for multiple time...

Страница 885: ...line errors Error information Cause The command was not found The keyword was not found Parameter type error Unrecognized command found at position The parameter value is beyond the allowed range Inco...

Страница 886: ...device management function you can view the current working state of a device configure running parameters and perform daily device maintenance and management Device Management Configuration Task List...

Страница 887: ...IRF members Rebooting a Device When a fault occurs to a running device you can remove the fault by rebooting the device depending on the actual situation This operation equals to powering on the devi...

Страница 888: ...e backup boot file to restart the device z If you are performing file operations when the device is to be rebooted the system does not execute the command for the sake of security Configuring the Sche...

Страница 889: ...the automatic execution function is configured the scheduled automatic execution configuration turns invalid automatically z Only the last configuration takes effect if you execute the schedule job c...

Страница 890: ...on configuration information to ensure a successful upgrade Follow these steps to upgrade the Boot ROM program To do Use the command Remarks Enter system view system view Enable the validity check fun...

Страница 891: ...to the device Therefore the device provides the function of disabling the Boot ROM access to enhance security of the device After this function is configured no matter whether you press Ctrl B or not...

Страница 892: ...oid such a case you can clear all 16 bit interface indexes saved but not used in the current system in user view After the above operation z For a re created interface the new interface index may not...

Страница 893: ...r distance and vendor name or name of the vendor who customizes the transceivers to identify the pluggable transceivers Follow these steps to identify pluggable transceivers To do Use the command Rema...

Страница 894: ...To do Use the command Remarks Display information of the boot file display boot loader slot slot number Available in any view Display the statistics of the CPU usage display cpu usage number offset ve...

Страница 895: ...ed under the aaa directory of the FTP server z The IP address of Device is 1 1 1 1 24 the IP address of the FTP server is 2 2 2 2 24 and the FTP server is reachable z User can log in to Device via Tel...

Страница 896: ...new config cfg Download file soft version2 bin on the FTP server ftp binary ftp get soft version2 bin ftp bye Device Modify the extension of file auto update txt as bat Device rename auto update txt...

Страница 897: ...load file new config cfg on the TFTP server to Master Note that configurations may vary with different types of servers IRF tftp 2 2 2 2 get new config cfg File will be transferred in binary mode Down...

Страница 898: ...boot for all members IRF boot loader file soft version2 bin slot all main This command will set the boot file of the specified board Continue Y N y The specified file will be used as the main boot fi...

Страница 899: ...d file copy and display If an operation delete or overwrite for example causes problems such as data loss or corruption the file system will prompt you to confirm the operation by default Depending on...

Страница 900: ...haracters flash test a txt Indicates that a file named a txt is in the test folder under the root directory of the flash memory on the master To read and write the a txt file under the root directory...

Страница 901: ...moved must be empty meaning that before you remove a directory you must delete all the files and the subdirectory under this directory For file deletion refer to the delete command for subdirectory de...

Страница 902: ...w Renaming a file To do Use the command Remarks Rename a file rename fileurl source fileurl dest Required Available in user view Copying a file To do Use the command Remarks Copy a file copy fileurl s...

Страница 903: ...in To do Use the command Remarks Enter the original working directory of the file to be deleted cd directory Optional If the original directory of the file to be deleted is not the current working dir...

Страница 904: ...se the command Remarks Restore the space of a storage medium fixdisk device Optional Available in user view Format a storage medium format device Optional Available in user view z When you format a st...

Страница 905: ...in 4 drw Apr 26 2007 19 58 11 test 31496 KB total 9943 KB free Create a new folder called mytest under the test directory Sysname cd test Sysname mkdir mytest Created dir flash test mytest Display the...

Страница 906: ...text file It z Saves configuration in the form of commands z Saves only non default configuration settings z Lists commands in sections by views usually in the order of system view interface view and...

Страница 907: ...iguration on your device using command line interface However the current configuration is temporary To make the modified configuration take effect at the next boot of the device you must save the cur...

Страница 908: ...root directories of the storage media of all the member devices and specify the file as the startup configuration file that will be used at the next system startup save safely backup main Required Use...

Страница 909: ...two ways the system saves the current running configuration at a specified interval or you can save the current running configuration as needed 3 Roll back the current running configuration to the co...

Страница 910: ...0 it restarts from 1 If you change the path or filename prefix or reboot the device the saved file serial number restarts from 1 and the system recounts the saved configuration files If you change the...

Страница 911: ...ent running configuration automatically You can configure the system to save the current running configuration at a specified interval and use the display archive configuration command to view the fil...

Страница 912: ...ning configuration manually otherwise the operation fails Setting configuration rollback Follow these steps to set configuration rollback To do Use the command Remarks Enter system view system view Se...

Страница 913: ...startup To do Use the command Remarks Specify a startup configuration file for the next system startup of all the member devices startup saved configuration cfgfile backup main Required Available in...

Страница 914: ...cified in the command to NULL You may need to delete the startup configuration file for the next startup for one of these reasons z After you upgrade system software the existing configuration file do...

Страница 915: ...restored startup configuration file exists Displaying and Maintaining Device Configuration To do Use the command Remarks Display the information about configuration rollback display archive configura...

Страница 916: ...r btm z ASCII mode for text file transmission like files with the suffixes txt bat or cfg Operation of FTP FTP adopts the client server model Your device can function either as the client or as the se...

Страница 917: ...e FTP server configuration on the device Configure authentication and authorization Configure the username password authorized working directory for an FTP user The device does not support anonymous F...

Страница 918: ...ined by the matched route as the source IP address to communicate with an FTP server z If the source address is specified with the ftp client source or ftp command this source address is used to commu...

Страница 919: ...nd is available in FTP client view Configuring the FTP Client After a device serving as the FTP client has established a connection with the FTP server For how to establish an FTP connection refer to...

Страница 920: ...erver rmdir directory Optional Disconnect from the FTP server without exiting the FTP client view disconnect Optional Equal to the close command Disconnect from the FTP server without exiting the FTP...

Страница 921: ...rom an FTP server Configuration procedure If the available memory space of the device is not enough use the fixdisk command to clear the memory or use the delete unreserved file url command to delete...

Страница 922: ...ory of the storage medium You can copy or move a file to the root directory of the storage medium For the details of the boot loader command refer to Device Management Commands in the System Volume IR...

Страница 923: ...t newest bin z Download the startup file newest bin from PC to the root directory of the storage medium of a slave with member ID of 2 ftp get newest bin slot2 flash newest bin Upload the configuratio...

Страница 924: ...mode the FTP server writes data to the storage medium while receiving data This means that any anomaly power failure for example during file transfer might result in file corruption on the FTP server...

Страница 925: ...lume Follow these steps to configure authentication and authorization for FTP server To do Use the command Remarks Enter system view system view Create a local user and enter its view local user user...

Страница 926: ...are 1 2 1 1 16 and 1 1 1 1 16 respectively An available route exists between Device and PC z PC keeps the updated startup file of the device Use FTP to upgrade the device and back up the configuratio...

Страница 927: ...nt Log in to the FTP server through FTP c ftp 1 1 1 1 Connected to 1 1 1 1 220 FTP service ready User 1 1 1 1 none abc 331 Password required for abc Password 230 User logged in Download the configurat...

Страница 928: ...Use FTP to upgrade the device and back up the configuration file z Set the username to ftp and the password to pwd for the FTP client to log in to the FTP server Figure 12 5 Smooth upgrading using the...

Страница 929: ...337 Apr 26 2000 13 47 32 archive_1 cfg 6 rw 478164 Apr 26 2000 14 52 35 4210G_505 btm 7 rw 368 Apr 26 2000 12 04 04 patch_xxx bin 8 rw 2337 Apr 26 2000 14 16 48 sfp cfg 9 rw 2195 Apr 26 2000 14 10 41...

Страница 930: ...ard Continue Y N y The specified file will be used as the main boot file at the next reboot on slot 1 The specified file will be used as the main boot file at the next reboot on slot 2 Reboot the devi...

Страница 931: ...s initiated by the client z In a normal file downloading process the client sends a read request to the TFTP server receives data from the server and then sends the acknowledgement to the server z In...

Страница 932: ...he secure mode or if you use the normal mode specify a filename not existing in the current directory as the target filename when downloading the startup file or the startup configuration file Source...

Страница 933: ...ddress get put sget source filename destination filename source interface interface type interface number ip source ip address Optional Available in user view Download or upload a file in an IPv6 netw...

Страница 934: ...s omitted z On the PC enable the TFTP server z Configure a TFTP working directory 2 Configure Device TFTP Client If the available memory space of the device is not enough use the fixdisk command to cl...

Страница 935: ...evice and PC z Device downloads a startup file from PC for upgrading and uploads a configuration file named config cfg to PC for backup Figure 13 3 Smooth upgrading using the TFTP client function Conf...

Страница 936: ...be used at the next startup for all the member devices Sysname boot loader file newest bin slot all main This command will set the boot file of the specified board Continue Y N y The specified file w...

Страница 937: ...cally the port number is 80 2 The client sends a request to the server 3 The server processes the request and sends back a response 4 The TCP connection is closed Logging In to the Device Through HTTP...

Страница 938: ...rt number Required By default the port number of the HTTP service is 80 If you execute the ip http port command for multiple times the last configured port number is used Associating the HTTP Service...

Страница 939: ...es the SSL protocol to ensure the legal clients to access the device securely and prohibit the illegal clients z Encrypts the data exchanged between the HTTPS client and the device to ensure the data...

Страница 940: ...l server policy command is executed repeatedly the HTTPS service is only associated with the last specified SSL server policy z When the HTTPS service is disabled the association between the HTTPS ser...

Страница 941: ...associate the HTTPS service with a certificate attribute access control policy To do Use the command Remarks Enter system view system view Associate the HTTPS service with a certificate attribute acce...

Страница 942: ...e HTTPS service with an ACL To do Use the command Remarks Enter system view system view Associate the HTTPS service with an ACL ip https acl acl number Required Not associated by default Displaying an...

Страница 943: ...ficate request entity en Device pki domain 1 quit Generate a local RSA key pair Device public key local create rsa Obtain a server certificate from CA Device pki retrieval certificate ca domain 1 Appl...

Страница 944: ...h certificate attribute access control policy myacp Device ip https certificate access control policy myacp 6 Enable the HTTPS service Enable the HTTPS service Device ip https enable 7 Verify the conf...

Страница 945: ...the underlying networking technology Thus SNMP achieves effective management of devices from different manufacturers especially in small high speed and low cost network environments SNMP Mechanism An...

Страница 946: ...een the NMS and agent preventing the packets from being intercepted USM ensures a more secure communication between SNMP NMS and SNMP agent by authentication with privacy authentication without privac...

Страница 947: ...are as follows 3Com Corporation for contact Marlborough MA 01752 USA for location and SNMP v3 for the version Configure an SNMP agent group snmp agent group v3 group name authentication privacy read v...

Страница 948: ...v3 all Required The defaults are as follows 3Com Corporation for contact Marlborough MA 01752 USA for location and SNMP v3 for the version Configur e directly Create an SNMP commun ity snmp agent comm...

Страница 949: ...dex of the SET response These logs will be sent to the information center and the level of them is informational that is they are taken as the system prompt information With parameters for the informa...

Страница 950: ...specific modules as needed With the trap function enabled on a module the traps generated by the module will be sent to the information center The information center has seven information output dest...

Страница 951: ...MP module the SNMP module saves the traps in the trap queue You can set the size of the queue and the holding time of the traps in the queue and you can also send the traps to the specified destinatio...

Страница 952: ...Display SNMP agent system information including the contact location and version of the SNMP display snmp agent sys info contact location version Display SNMP agent statistics display snmp agent stat...

Страница 953: ...nmp agent community write private Configure VLAN interface 2 with the IP address of 1 1 1 1 24 Add the port GigabitEthernet 1 0 1 to VLAN 2 Sysname vlan 2 Sysname vlan2 port GigabitEthernet 1 0 1 Sysn...

Страница 954: ...LAN interface on the agent is 1 1 1 1 24 z Configure community name access right and SNMP version on the agent Figure 16 4 Network diagram for SNMP logging Configuration procedure The configurations f...

Страница 955: ...n 1 02 49 40 566 2006 The time when SNMP log is generated seqNO Sequence number of the SNMP log srcIP IP address of NMS op SNMP operation type GET or SET node Node name of the SNMP operations and OID...

Страница 956: ...lexible management of the device the device allows you to configure MIB style that is you can switch between the two styles of MIBs However you need to ensure that the MIB style of the device is the s...

Страница 957: ...rk monitor or a network probe It monitors and collects statistics on traffic over the network segments connected to its interfaces such as the total number of packets passed through a network segment...

Страница 958: ...an upper event is triggered if the sampled value of the monitored variable is lower than or equal to the lower threshold a lower event is triggered The event is then handled as defined in the event gr...

Страница 959: ...undersize oversize packets broadcasts multicasts bytes received packets received bytes sent packets sent and so on After the creation of a statistics entry on an interface the statistics group starts...

Страница 960: ...that can be created the creation fails z When you create an entry in the history table if the specified buckets number argument exceeds the history table size supported by the device the entry will b...

Страница 961: ...g entry number Available in any view RMON Configuration Example Network requirements Agent is connected to a configuration terminal through its console port and to a remote NMS across the Internet Cre...

Страница 962: ...sname rmon event 1 log owner 1 rmon Configure an alarm group to sample received bytes on GigabitEthernet 1 0 1 When the received bytes exceed the upper or below the lower limit logging is enabled Sysn...

Страница 963: ...in this table indicates the MAC address of a connected device ID of the interface to which this device is connected and ID of the VLAN to which the interface belongs When forwarding a frame the devic...

Страница 964: ...tries into the MAC address table of the device to bind specific user devices to the port thus preventing hackers from stealing data using forged MAC addresses Manually configured MAC address table ent...

Страница 965: ...y or remove entries in the MAC address table globally To do Use the command Remarks Enter system view system view mac address blackhole mac address vlan vlan id Add modify a MAC address entry mac addr...

Страница 966: ...atest network changes a short interval may result in removal of valid entries and hence unnecessary broadcasts which may affect device performance Follow these steps to configure the aging timer for d...

Страница 967: ...rmation display mac address mac address vlan vlan id dynamic static interface interface type interface number vlan vlan id count Display the aging timer for dynamic MAC address entries display mac add...

Страница 968: ...19 6 000f e235 dc71 1 Config static GigabitEthernet 1 0 1 NOAGED 1 mac address es found...

Страница 969: ...ation Works When a new MAC address is learned or an existing MAC address is deleted on a device the device writes related information about the MAC address to the buffer area used to store user inform...

Страница 970: ...g the Interval for Sending Syslog or Trap Messages To prevent Syslog or Trap messages being sent too frequently and thus affecting system performance you can set the interval for sending Syslog or Tra...

Страница 971: ...twork requirements z Host A is connected to a remote server Server through Device z Enable MAC Information on GigabitEthernet 1 0 1 on Device Device sends MAC address change information using Syslog m...

Страница 972: ...hernet1 0 1 mac address information enable added Device GigabitEthernet1 0 1 mac address information enable deleted Device GigabitEthernet1 0 1 quit Set the MAC Information queue length to 100 Device...

Страница 973: ...the destination device 2 The source device determines whether the destination is reachable based on whether it receives an ICMP echo reply if the destination is reachable the source device determines...

Страница 974: ...Device A to Device C Figure 21 1 Ping network diagram Configuration procedure Use the ping command to display whether an available route exists between Device A and Device C DeviceA ping 1 1 2 2 PING...

Страница 975: ...atistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 11 53 ms The principle of ping r is as shown in Figure 21 1 1 The source Device A sends an ICMP echo reque...

Страница 976: ...es the packet responds by sending a TTL expired ICMP error message to the source with its IP address 1 1 1 2 encapsulated In this way the source device can get the address 1 1 1 2 of the first Layer 3...

Страница 977: ...functions For the majority of protocols and features supported the system provides corresponding debugging information to help users diagnose errors The following two switches control the display of d...

Страница 978: ...l monitor Optional The terminal monitoring on the console is enabled by default and that on the monitoring terminal is disabled by default Available in user view Enable the terminal display of debuggi...

Страница 979: ...DeviceA ip ttl expires enable DeviceA ip unreachables enable DeviceA tracert 1 1 2 2 traceroute to 1 1 2 2 1 1 2 2 30 hops max 40 bytes packet press CTRL_C to bre ak 1 1 1 1 2 14 ms 10 ms 20 ms 2 3 4...

Страница 980: ...odule z Outputs the above information to different information channels according to the user defined output rules z Outputs the information to different destinations based on the information channel...

Страница 981: ...system information The system supports six information output destinations including the console monitor terminal monitor log buffer log host trap buffer and SNMP module The specific destinations supp...

Страница 982: ...ault output rules of system information The default output rules define the source modules allowed to output information on each output destination the output information type and the output informati...

Страница 983: ...ions z If the output destination is not the log host such as console monitor terminal logbuffer trapbuffer SNMP the system information is in the following format timestamp sysname module level digest...

Страница 984: ...econds sysname Sysname is the system name of the current host You can use the sysname command to modify the system name Refer to Basic System Configuration Commands in the System Volume for details Th...

Страница 985: ...to a Monitor Terminal Optional Outputting System Information to a Log Host Optional Outputting System Information to the Trap Buffer Optional Outputting System Information to the Log Buffer Optional...

Страница 986: ...e command Remarks Enable the monitoring of system information on the console terminal monitor Optional Enabled on the console and disabled on the monitor terminal by default Enable the display of debu...

Страница 987: ...monitor terminal you need to enable the associated display function in order to display the output information on the monitor terminal Follow these steps to enable the display of system information on...

Страница 988: ...rimary IP address of this interface is the source IP address of the log information Configure the format of the time stamp for system information output to the log host info center timestamp loghost d...

Страница 989: ...ion center info center enable Optional Enabled by default Name the channel with a specified channel number info center channel channel number name channel name Optional Refer to Table 22 2 for default...

Страница 990: ...module info center snmp channel channel number channel name Optional By default system information is output to the SNMP module through channel 5 known as snmpagent Configure the output rules of the s...

Страница 991: ...on in some cases for example z You only concern the states of some of the ports In this case you can use this function to disable the other ports from generating link up down logging information z The...

Страница 992: ...play the configuration of the log file display logfile summary Available in any view Display the state of the trap buffer and the trap information recorded display trapbuffer reverse size buffersize A...

Страница 993: ...tional to be output to the log host Note that the source modules allowed to output information depend on the device model Sysname info center source arp channel loghost log level informational state o...

Страница 994: ...r After the above configurations the system will be able to record log information into the log file Outputting Log Information to a Linux Log Host Network requirements z Send log information to a Li...

Страница 995: ...onf and add the following contents Device configuration messages local5 info var log Device info log In the above configuration local5 is the name of the logging facility used by the log host to recei...

Страница 996: ...the output of log trap and debugging information of all modules on channel console Sysname info center source default channel console debug state off log state off trap state off As the default system...

Страница 997: ...ysname terminal monitor Current terminal monitor is on Sysname terminal logging Current terminal logging is on After the above configuration takes effect if the specified module generates log informat...

Страница 998: ...they will be numbered as 1 2 and 3 respectively Incremental patch Patches in a patch file are all incremental patches An incremental patch means that the patch is dependent on the previous patch unit...

Страница 999: ...turn to the ACTIVE state Figure 23 1 Relationship between patch state changes and command actions Information about patch states is saved in file patchstate on the flash It is recommended not to oper...

Страница 1000: ...e At this time the patch states in the system are as shown in Figure 23 3 The patches that are in the DEACTIVE state will be still in the DEACTIVE state after system reboot Figure 23 3 A patch file is...

Страница 1001: ...s of the system are as shown in Figure 23 5 Figure 23 5 Patches are running The patches that are in the RUNNING state will be still in the RUNNING state after system reboot Hotfix Configuration Task L...

Страница 1002: ...tch name for device Table 23 1 Default patch names for device Product PATCH FLAG Default patch name 4210G PATCH XXX patch_xxx bin The loading and installation are performed on all member devices Befor...

Страница 1003: ...patch file location patch location patch location Optional flash by default z The directory specified by the patch location argument must exist on each member device If one member device does not have...

Страница 1004: ...is of some problem you can reboot the device to deactivate the patch so as to avoid a series of running faults resulting from patch error Follow the steps below to activate patches To do Use the comma...

Страница 1005: ...stop running a patch the patch state becomes DEACTIVE and the system runs in the way before it is installed with the patch Follow the steps below to stop running patches To do Use the command Remarks...

Страница 1006: ...fix configuration Configuration procedure 1 Configure TFTP Server Note that the configuration varies depending on server type and the configuration procedure is omitted z Enable the TFTP server functi...

Страница 1007: ...onfiguration procedure 1 Configure the TFTP server Note that the configuration varies depending on server type and the configuration procedure is omitted z Enable the TFTP server function z Save the p...

Страница 1008: ...ce patch install flash Patches will be installed Continue Y N y Do you want to continue running patches after reboot Y N y Installing patches Installation completed and patches will continue to run af...

Страница 1009: ...ansfer rate With the NQA test results you can 1 Know network performance in time and then take corresponding measures 2 Diagnose and locate network faults Features of NQA Supporting multiple test type...

Страница 1010: ...static routing as an example You have configured a static route with the next hop 192 168 0 88 If 192 168 0 88 is reachable the static route is valid if 192 168 0 88 is unreachable the static route i...

Страница 1011: ...est one probe means to carry out a corresponding function z For an ICMP echo or UDP echo test one packet is sent in one probe z For an SNMP test three packets are sent in one probe NQA client and serv...

Страница 1012: ...e the following configurations on the NQA client 1 Enable the NQA client 2 Create a test group and configure test parameters according to the test type The test parameters may vary with test types 3 S...

Страница 1013: ...er tcp connect udp echo ip address port number Required The IP address and port number must be consistent with those configured on the NQA client and must be different from those of an existing listen...

Страница 1014: ...cho and enter test type view type icmp echo Required Configure the destination address for a test operation destination ip ip address Required By default no destination IP address is configured for a...

Страница 1015: ...f a DHCP server on the network as well as the time necessary for the DHCP server to respond to a client request and assign an IP address to the client Configuration prerequisites Before performing a D...

Страница 1016: ...example you need to configure the username and password used to log onto the FTP server For the FTP server configuration see File System Management Configuration in the System Volume Configuring an F...

Страница 1017: ...the get command the device does not save the files obtained from the FTP server z When you execute the get command the FTP test cannot succeed if a file named file name does not exist on the FTP serve...

Страница 1018: ...e for the HTTP is get that is obtaining data from the HTTP server Configure the website that an HTTP test visits url url Required Configure the HTTP version used in the HTTP test http version v1 0 Opt...

Страница 1019: ...r system view system view Enter NQA test group view nqa entry admin name operation tag Configure the test type as UDP jitter and enter test type view type udp jitter Required Configure the destination...

Страница 1020: ...arameters See Configuring Optional Parameters Common to an NQA Test Group Optional The number of probes made in a UDP jitter test depends on the probe count command while the number of probe packets s...

Страница 1021: ...tween the client and the specified port on the NQA server and the setup time for the connection thus judge the availability and performance of the services provided on the specified port on the server...

Страница 1022: ...connectivity and roundtrip time of a UDP echo packet from the client to the specified UDP port on the NQA server Configuration prerequisites A UDP echo test requires cooperation between the NQA server...

Страница 1023: ...an interface on the device and the interface must be up Otherwise the test will fail Configure common optional parameters See Configuring Optional Parameters Common to an NQA Test Group Optional Conf...

Страница 1024: ...d when you evaluate the voice quality Configuration prerequisites A voice test requires cooperation between the NQA server and the NQA client Before a voice test make sure that the UDP listening funct...

Страница 1025: ...11 law codec type and is 32 bytes for G 729 A law codec type Configure the filler string of a probe packet sent data fill string Optional By default the filler string of a probe packet is the hexadeci...

Страница 1026: ...be up Otherwise the test will fail Configure common optional parameters See Configuring Optional Parameters Common to an NQA Test Group Optional Configuring the Collaboration Function Collaboration is...

Страница 1027: ...he snmp agent target host command create an NQA test group and configure related parameters For the introduction to the snmp agent target host command see SNMP Commands in the System Volume Configurin...

Страница 1028: ...unction To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Enter test type view of the test group type dlsw ftp http icmp echo snm...

Страница 1029: ...robes in an NQA test probe count times Optional By default one probe is performed in a test Only one probe can be made in one voice test Therefore this command is not available in a voice test Configu...

Страница 1030: ...use the display clock command to view the current system time Configuration prerequisites Before scheduling an NQA test group make sure z Required test parameters corresponding to a test type have bee...

Страница 1031: ...ndtrip time of packets Figure 24 3 Network diagram for ICMP echo tests Configuration procedure Create an ICMP echo test group and configure related test parameters DeviceA system view DeviceA nqa entr...

Страница 1032: ...se Status Time 370 3 Succeeded 2007 08 23 15 00 01 2 369 3 Succeeded 2007 08 23 15 00 01 2 368 3 Succeeded 2007 08 23 15 00 01 2 367 5 Succeeded 2007 08 23 15 00 01 2 366 3 Succeeded 2007 08 23 15 00...

Страница 1033: ...res due to timeout 0 Failures due to disconnect 0 Failures due to no connection 0 Failures due to sequence error 0 Failures due to internal error 0 Failures due to other errors 0 Packet s arrived late...

Страница 1034: ...tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 173 173 173 Square Sum of round trip time 29929 Last succeeded pro...

Страница 1035: ...eA undo nqa schedule admin test Display results of the last HTTP test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation t...

Страница 1036: ...admin test udp jitter destination ip 10 2 2 2 DeviceA nqa admin test udp jitter destination port 9000 DeviceA nqa admin test udp jitter frequency 1000 DeviceA nqa admin test udp jitter quit Enable UD...

Страница 1037: ...delay 15 Max DS delay 16 Min SD delay 7 Min DS delay 7 Number of SD delay 10 Number of DS delay 10 Sum of SD delay 78 Sum of DS delay 85 Square sum of SD delay 666 Square sum of DS delay 787 SD lost...

Страница 1038: ...DS delay 3891 Square sum of SD delay 45987 Square sum of DS delay 49393 SD lost packet s 0 DS lost packet s 0 Lost packet s for unknown reason 0 The display nqa history command cannot show you the re...

Страница 1039: ...min test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 50 50 50 Square Sum of round trip t...

Страница 1040: ...ceA nqa schedule admin test start time now lifetime forever Disable TCP test after the test begins for a period of time DeviceA undo nqa schedule admin test Display results of the last TCP test Device...

Страница 1041: ...elated test parameters DeviceA system view DeviceA nqa entry admin test DeviceA nqa admin test type udp echo DeviceA nqa admin test udp echo destination ip 10 2 2 2 DeviceA nqa admin test udp echo des...

Страница 1042: ...s Configuration procedure 1 Configure Device B Enable the NQA server and configure the listening IP address as 10 2 2 2 and port number as 9000 DeviceB system view DeviceB nqa server enable DeviceB nq...

Страница 1043: ...erage 6 Positive SD square sum 54127 Positive DS square sum 1691967 Min negative SD 1 Min negative DS 1 Max negative SD 203 Max negative DS 1297 Negative SD number 255 Negative DS number 259 Negative...

Страница 1044: ...egative DS 1297 Negative SD number 1028 Negative DS number 1022 Negative SD sum 1028 Negative DS sum 1022 Negative SD average 4 Negative DS average 5 Negative SD square sum 495901 Negative DS square s...

Страница 1045: ...do nqa schedule admin test Display the result of the last DLSw test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation tim...

Страница 1046: ...n NQA test group Create an NQA test group with the administrator name being admin and operation tag being test SwitchA nqa entry admin test Configure the test type of the NQA test group as ICMP echo S...

Страница 1047: ...127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 The above information shows that the static route with the next hop 10 2 1 1 is active and the status of the track entry is positive The static route configur...

Страница 1048: ...127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 The above information shows that the next hop 10 2 1 1 of the static route is not reachable and the status of the track entry is negative Th...

Страница 1049: ...s within a network by changing the system clock on each station because this is a huge amount of workload and cannot guarantee the clock precision NTP however allows quick clock synchronization within...

Страница 1050: ...1 00 01 am 10 00 00 am NTP message 10 00 00 am 11 00 01 am 11 00 02 am NTP message NTP message NTP message received at 10 00 03 am 1 3 2 4 The process of system clock synchronization is as follows z D...

Страница 1051: ...cator optional 96 bits Reference timestamp 64 bits Originate timestamp 64 bits 1 4 Main fields are described as follows z LI 2 bit leap indicator When set to 11 it warns of an alarm condition clock un...

Страница 1052: ...ement clock synchronization in one of the following modes z Client server mode z Symmetric peers mode z Broadcast mode z Multicast mode You can select operation modes of NTP as needed In case that the...

Страница 1053: ...message the client sends a request Clock synchronization message exchange Mode 3 and Mode 4 Periodically broadcasts clock synchronization messages Mode 5 Calculates the network delay between client an...

Страница 1054: ...client mode and 4 server mode to calculate the network delay between client and the server Then the client enters the multicast client mode and continues listening to multicast messages and synchroni...

Страница 1055: ...he client server mode for example when you carry out a command to synchronize the time to a server the system will create a static association and the server will just respond passively upon the recei...

Страница 1056: ...device To do Use the command Remarks Enter system view system view Specify a symmetric passive peer for the device ntp service unicast peer vpn instance vpn instance name ip address peer name authent...

Страница 1057: ...mber Required Enter the interface used to receive NTP broadcast messages Configure the device to work in the NTP broadcast client mode ntp service broadcast client Required Configuring the broadcast s...

Страница 1058: ...synchronized z You can configure up to 1024 multicast clients among which 128 can take effect at the same time Configuring Optional Parameters of NTP Specifying the Source Interface for NTP Messages...

Страница 1059: ...namic Sessions Allowed To do Use the command Remarks Enter system view system view Configure the maximum number of dynamic sessions allowed to be established locally ntp service max dynamic sessions n...

Страница 1060: ...anism provides only a minimum degree of security protection for the system running NTP A more secure method is identity authentication Configuring NTP Authentication The NTP authentication feature sho...

Страница 1061: ...tication for a client To do Use the command Remarks Enter system view system view Enable NTP authentication ntp service authentication enable Required Disabled by default Configure an NTP authenticati...

Страница 1062: ...d Associate the specified key with an NTP server Multicast server mode ntp service multicast server authentication keyid keyid Required You can associate a non existing key with an NTP server To enabl...

Страница 1063: ...0000 Hz Actual frequency 64 0000 Hz Clock precision 2 7 Clock offset 0 0000 ms Root delay 0 00 ms Root dispersion 0 00 ms Peer dispersion 0 00 ms Reference time 00 00 00 000 UTC Jan 1 1900 00000000 00...

Страница 1064: ...s in the client mode and Switch A is to be used as the NTP server of Switch B z Switch C works in the symmetric active mode and Switch B will act as peer of Switch C Switch C is the symmetric active p...

Страница 1065: ...ision 2 7 Clock offset 21 1982 ms Root delay 15 00 ms Root dispersion 775 15 ms Peer dispersion 34 29 ms Reference time 15 22 47 083 UTC Sep 19 2005 C6D95647 153F7CED As shown above Switch B has been...

Страница 1066: ...witch A Switch B Switch C Switch D Configuration procedure 1 Configuration on Switch C Configure Switch C to work in the broadcast server mode and send broadcast messages through VLAN interface 2 Swit...

Страница 1067: ...l of Switch D is 3 while that of Switch C is 2 View the NTP session information of Switch D which shows that an association has been set up between Switch D and Switch C SwitchD Vlan interface2 displa...

Страница 1068: ...witchD interface vlan interface 2 SwitchD Vlan interface2 ntp service multicast client Because Switch D and Switch C are on the same subnet Switch D can receive the multicast messages from Switch C wi...

Страница 1069: ...nable SwitchB interface vlan interface 2 SwitchB Vlan interface2 pim dm SwitchB Vlan interface2 quit SwitchB vlan 3 SwitchB vlan3 port gigabitethernet 1 0 1 SwitchB vlan3 quit SwitchB interface vlan i...

Страница 1070: ...Configuring NTP Client Server Mode with Authentication Network requirements z The local clock of Switch A is to be used as the master clock with a stratum level of 2 z Switch B works in the client mo...

Страница 1071: ...cy 64 0000 Hz Clock precision 2 7 Clock offset 0 0000 ms Root delay 31 00 ms Root dispersion 1 05 ms Peer dispersion 7 81 ms Reference time 14 53 27 371 UTC Sep 19 2005 C6D94F67 5EF9DB22 As shown abov...

Страница 1072: ...ecify an authentication key SwitchC interface vlan interface 2 SwitchC Vlan interface2 ntp service broadcast server authentication keyid 88 2 Configuration on Switch D Configure NTP authentication Swi...

Страница 1073: ...s shown above Switch D has been synchronized to Switch C and the clock stratum level of Switch D is 4 while that of Switch C is 3 View the NTP session information of Switch D which shows that an assoc...

Страница 1074: ...ing topology discovery and display function which is useful for network monitoring and debugging z Allowing simultaneous software upgrading and parameter configuration on multiple devices free of topo...

Страница 1075: ...gement is implemented through HW Group Management Protocol version 2 HGMPv2 which consists of the following three protocols z Neighbor Discovery Protocol NDP z Neighbor Topology Discovery Protocol NTD...

Страница 1076: ...nformation of all its neighbors The information collected will be used by the management device or the network management software to implement required functions When a member device detects a change...

Страница 1077: ...saves the state information of its member device and identifies it as Active And the member device also saves its state information and identifies itself as Active z After a cluster is created its ma...

Страница 1078: ...the management VLAN cannot pass a port the device connected with the port cannot be added to the cluster Therefore if the ports including the cascade ports connecting the management device and the mem...

Страница 1079: ...r Optional Configuring Cluster Management Protocol Packets Optional Configuring the Management Device Cluster Member Management Optional Enabling NDP Optional Enabling NTDP Optional Manually Collectin...

Страница 1080: ...ed to a cluster that is the entry with the destination address as the management device cannot be added to the routing table the candidate device will be added to and removed from the cluster repeated...

Страница 1081: ...ckets otherwise the NDP table may become instable Enabling NTDP Globally and for Specific Ports For NTDP to work normally you must enable NTDP both globally and on specific ports Follow these steps to...

Страница 1082: ...3 by default Configure the interval to collect topology information ntdp timer interval time Optional 1 minute by default Configure the delay to forward topology collection request packets on the fir...

Страница 1083: ...cluster in two ways manually and automatically With the latter you can establish a cluster according to the prompt information The system 1 Prompts you to enter a name for the cluster you want to est...

Страница 1084: ...e packets and the holdtime of a device on the management device This configuration applies to all member devices within the cluster For a member device in Connect state z If the management device does...

Страница 1085: ...by default Configure the interval to send MAC address negotiation broadcast packets cluster mac syn interval interval time Optional One minute by default When you configure the destination MAC addres...

Страница 1086: ...ling NDP Refer to Enabling NDP Globally and for Specific Ports Enabling NTDP Refer to Enabling NTDP Globally and for Specific Ports Manually Collecting Topology Information Refer to Manually Collectin...

Страница 1087: ...thentication is passed z When a candidate device is added to a cluster and becomes a member device its super password will be automatically synchronized to the management device Therefore after a clus...

Страница 1088: ...included in the blacklist the MAC address and access port of the latter are also included in the blacklist The candidate devices in a blacklist can be added to a cluster only if the administrator manu...

Страница 1089: ...re an NM host for a cluster the member devices in the cluster send their Trap messages to the shared SNMP NM host through the management device If the port of an access NM device including FTP TFTP se...

Страница 1090: ...devices at one time simplifying the configuration process Follow these steps to configure the SNMP configuration synchronization function To do Use the command Remarks Enter system view system view E...

Страница 1091: ...ronize the configurations to the member devices in the whitelist This operation is equal to performing the configurations on the member devices You need to enter your username and password when you lo...

Страница 1092: ...y the current topology information or the topology path between two devices display cluster current topology mac address mac address to mac address mac address member id member number to member id mem...

Страница 1093: ...rnet 1 0 1 SwitchA GigabitEthernet1 0 1 ntdp enable SwitchA GigabitEthernet1 0 1 quit Enable the cluster function SwitchA cluster enable 2 Configure the member device Switch C As the configurations of...

Страница 1094: ...t as 15 ms SwitchB ntdp timer port delay 15 Configure the interval to collect topology information as 3 minutes SwitchB ntdp timer 3 Configure the management VLAN of the cluster as VLAN 10 SwitchB vla...

Страница 1095: ...rver 63 172 55 1 abc_0 SwitchB cluster tftp server 63 172 55 1 abc_0 SwitchB cluster logging host 69 172 55 4 abc_0 SwitchB cluster snmp host 69 172 55 4 Add the device whose MAC address is 00E0 FC01...

Страница 1096: ...evices through IRF ports You can manage all the devices in the IRF by managing the united device In an IRF every single device is an IRF member and plays one of the following two roles according to it...

Страница 1097: ...ggregated but also the physical links between the IRF system and the upper or lower layer devices can be aggregated and thus the reliability of the IRF system is increased through the link backup The...

Страница 1098: ...sively from left to right ports on the interface module in slot 1 are numbered 1 and 2 and ports on the interface module in slot 2 are numbered 3 and 4 as shown in Figure 27 2 which illustrates an exa...

Страница 1099: ...four Switch 4210G series switches to form an IRF Correspondence between an IRF port and a physical IRF port The connection of IRF ports is based on that of physical IRF ports therefore you need to bin...

Страница 1100: ...l port interface module is installed you need to bind IRF port 1 to physical IRF port 1 and IRF port 2 to physical IRF port 2 as shown in Figure 27 5 because the serial number of the physical IRF port...

Страница 1101: ...terface modules z If two single port interface modules are installed you need to bind IRF port 1 to physical IRF port 1 and IRF port 2 to physical IRF port 3 z If one dual port interface module and on...

Страница 1102: ...ed neighbor updates the local topology information The collection process lasts for a period of time When all members have obtained the complete topology information known as topology convergence the...

Страница 1103: ...erface changes to GigabitEthernet 2 0 1 where the first number indicates the member ID of the device A member ID is a natural number in the range 1 to 10 the default member ID is 1 To ensure the uniqu...

Страница 1104: ...type trunk For an IRF member the interface name also adopts the previously introduced format member ID slot number interface serial number where z The member ID identifies the IRF member on which the...

Страница 1105: ...tory of the flash on IRF member slave 3 perform the following steps Master mkdir slot3 flash test Created dir slot3 flash test Master cd slot3 flash test Master pwd slot3 flash test Or Master cd slot3...

Страница 1106: ...ation When a slave applies the port configuration on the master it cares about the configuration related to its own port for example the slave with the member ID of 3 only cares about the configuratio...

Страница 1107: ...mended or fibers and then power on the devices Logging In to the Master Required Logging In to an IRF Logging In to a Slave Optional IRF Configuration Configuring IRF Ports IRF can be enabled on a dev...

Страница 1108: ...ecided first and then the member IDs of slaves are decided one by one according to their distances to the master that is the nearest slave gets the smallest available ID and the nearer slave gets the...

Страница 1109: ...lection a member with the greatest priority will be elected as the master The priority of a device defaults to 1 You can modify the priority through command lines The greater the priority value the hi...

Страница 1110: ...ster does not come back after six minutes the IRF system will use the bridge MAC address of the newly elected master as that of the IRF z Preserve permanently No matter the master leaves the IRF or no...

Страница 1111: ...slave configures the file as the boot file for the next boot and reboots automatically z Because system boot file occupies large memory space to make the auto upgrade succeed ensure that there is eno...

Страница 1112: ...slave device instead of that of the master device The system enters user view of the salve device and the command prompt is changed to Sysname member ID for example Sysname 2 What you have input on th...

Страница 1113: ...ble in any view IRF Configuration Examples IRF Connection Configuration Example Network requirements Three Switch 4210G series switches in an IRF form a bus connection Their member IDs are 1 2 and 3 a...

Страница 1114: ...member 1 irf port 2 port 3 Configure Switch 3 Switch3 system view Switch3 irf member 1 renumber 3 Warning Renumbering the switch number may result in configuration change or loss Continue Y N y Switc...

Страница 1115: ...multiple CPUs Some distributed devices may be available with multiple CPUs for example service CPU and OAM CPU Therefore a distributed device corresponds to multiple nodes Therefore in actual applicat...

Страница 1116: ...up needs to be created first Multicasts will be sent to all the nodes in the multicast group An application can create multiple multicast groups The creation and deletion of a multicast group and mult...

Страница 1117: ...f a node display ipc multicast group node node id self node Display packet information of a node display ipc packet node node id self node Display link status information of a node display ipc link no...

Страница 1118: ...net interfaces through twisted pair cables Advantages z Reliable Power is supplied in a centralized way so that it is very convenient to provide a backup power supply z Easy to connect A network termi...

Страница 1119: ...etect Nonstandard PDs Optional z When the PoE power or PSE fails you cannot configure PoE z Turning off of the PoE power during the startup of the device might result in the failure to restore the PoE...

Страница 1120: ...rface poe pd description string Optional By default no description for the PD connected to the PoE interface is available Configuring PoE Interfaces Through a PoE Configuration File A PoE configuratio...

Страница 1121: ...figuration file z If you have configured a PoE interface through the command line you cannot configure it through a PoE configuration file again If you want to reconfigure the interface through a PoE...

Страница 1122: ...interface will preempt the power of other PoE interfaces with a lower priority level In the latter case the PoE interfaces whose power is preempted will be powered off but their configurations will re...

Страница 1123: ...rocessing software in full mode to restore the PSE function Online PSE processing software upgrade may be unexpectedly interrupted for example an error results in device reboot If you fail to upgrade...

Страница 1124: ...ween ID module and member ID of all PSEs display poe device Display the power state and information of the specified PoE interface display poe interface interface type interface number Display the pow...

Страница 1125: ...w Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 poe enable Sysname GigabitEthernet1 0 1 quit Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 poe enable Sysn...

Страница 1126: ...E interface fails Analysis z Some configurations in the PoE configuration file are already configured z Some configurations in the PoE configuration file do not meet the configuration requirements of...

Страница 1127: ...onfiguration files on a specified server and the device can automatically obtain and execute the configuration files therefore greatly reducing the workload of administrators Typical Networking of Aut...

Страница 1128: ...ters such as an IP address and name of a TFTP server IP address of a DNS server and the configuration file name 2 After getting related parameters the device will send a TFTP request to obtain the con...

Страница 1129: ...hen a device starts up without loading the configuration file the system automatically configures the first active interface if an active Layer 2 Ethernet interface exists this first interface is a vi...

Страница 1130: ...The DHCP server will select an address pool where an IP address is statically bound to the MAC address or ID of the client and assign the statically bound IP address and other configuration parameters...

Страница 1131: ...d z The configuration file specified by the Option 67 or file field in the DHCP response z The intermediate file with the file name as network cfg used to save the mapping between the IP address and t...

Страница 1132: ...its host name first and then requests the configuration file corresponding with the host name The device can obtain its host name in two steps obtaining the intermediate file from the TFTP server and...

Страница 1133: ...f the device performs the automatic configuration and the TFTP server are not in the same segment because broadcasts can only be transmitted in a segment For the detailed description of the UDP Helper...

Результаты поиска

Содержание 4210G Series

Отзывы:

3Com 4210G Series, Руководство по настройке, Страница: 662 / 1133

Результаты поиска

Содержание 4210G Series

Отзывы: