3Com 5500 SI - Switch - Stackable Скачать руководство пользователя страница 354 | Manualshive

Страница: 354 / 686

background image

354

C

HAPTER

19: ACL C

ONFIGURATION

Table 363

Define Basic ACL

Define Advanced ACL

The rules of the classification for advanced ACL are defined on the basis of the
attributes such as source and destination IP address, the TCP or UDP port number in
use and packet priority to process the data packets. The advanced ACL supports the
analysis of three types of packet priorities, ToS (Type of Service), IP and DSCP priorities.

You can use the following command to define advanced ACL.

Perform the following configuration in the corresponding view.

Table 364

Define Advanced ACL

Note that, the

port1

and

port2

in the above command specify the TCP or UDP ports

used by various high-layer applications. For some common port numbers, you can use
the mnemonic symbols as a shortcut. For example, “bgp” can represent the TCP
number 179 used by BGP.

Define Layer-2 ACL

The rules of Layer-2 ACL are defined on the basis of the Layer-2 information such as
source MAC address, source VLAN ID, Layer-2 protocol type, Layer-2 packet format
and destination MAC address.

You can use the following command to define the numbered Layer-2 ACL.

Perform the following configuration in corresponding view.

Operation

Command

Enter basic ACL view (from System
View)

acl number

acl_number

[ match-order {

config | auto } ]

add a sub-item to the ACL (from
Basic ACL View)

rule [

rule_id

] { permit | deny } [

source {

source_addr wildcard

|

any } |

fragment | logging | time-range

name

]*

delete a sub-item from the ACL (from
Basic ACL View)

undo rule

rule_id

[ source | fragment |

logging | time-range ]*

Delete one ACL or all the ACL (from
System View)

undo acl { number

acl_number

| all }

Operation

Command

Enter advanced ACL view (from
System View)

acl number

acl_number

[ match-order { config

| auto } ]

Add a sub-item to the ACL (from
Advanced ACL View)

rule [

rule_id

] { permit | deny }

protocol

[

source {

source_addr wildcard

| any } ] [

destination {

dest_addr wildcard

| any } ] [

source-port

operator port1

[

port2

] ] [

destination-port

operator port1

[

port2

] ] [

icmp-type

type code

] [ established ] [ [ {

precedence

precedence

tos

tos

| dscp

dscp

}* |

vpn-instance

instance

] | fragment | logging

| time-range

name

]*

Delete a sub-item from the ACL
(from Advanced ACL View)

undo rule

rule_id

[ source | destination |

source-port | destination-port | icmp-type |
precedence | tos | dscp | fragment | logging
| time-range | vpn-instance ]*

Delete one ACL or all the ACL
(from System View)

undo acl { number

acl_number

| all }

«
...
352
353
354
355
356
...
»

Содержание 5500 SI - Switch - Stackable

Страница 1: ...3Com Switch 5500 Family Configuration Guide Switch 5500 SI Switch 5500 EI Switch 5500G EI www 3Com com Part Number 10014922 Rev AC Published December 2006...

Страница 2: ...or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered trademarks are registered in the United States and may or may not be r...

Страница 3: ...ommand Line 40 User Interface Configuration 42 User Interface Configuration 43 Displaying and Debugging User Interface 49 2 ADDRESS MANAGEMENT CONFIGURATION Introduction to Address Management 51 Confi...

Страница 4: ...ving the Unit ID of Each Unit in the Fabric 81 Specifying the Fabric Port of the Switch 81 Setting Unit Names for Switches 81 Setting a Fabric Name for Switches 81 Setting an XRN Authentication Mode f...

Страница 5: ...rerequisite 114 Configuration Procedure 114 Configuration Example 115 Displaying GVRP 116 8 VLAN VPN CONFIGURATION VLAN VPN Overview 117 Implementation of VLAN VPN 117 Adjusting the TPID Values of VLA...

Страница 6: ...ols to DHCP Clients 133 Configuring to Assign IP Addresses of Interface based Address Pools to DHCP Clients 133 Configuring DNS Services for DHCP Clients 135 Configuring NetBIOS Services for DHCP Clie...

Страница 7: ...e Priority of a Switch 171 Configuring MSTP Operation Mode 172 Configuring the Maximum Hop Count of an MST Region 172 Configuring the Diameter of a Switched Network 173 Configuring MSTP Time Parameter...

Страница 8: ...Setting Centralized MAC Address Authentication Timers 196 Displaying and Debugging Centralized MAC Address Authentication 197 Centralized MAC Address Authentication Configuration Example 197 15 SSH TE...

Страница 9: ...Route Capacity Configuration 266 Displaying and Debugging Route Capacity 267 17 NETWORK PROTOCOL OPERATION IP Address Configuration 269 IP Address Overview 269 Configuring IP Address 271 Displaying an...

Страница 10: ...using the Web 302 UDP Helper Configuration 303 Overview of UDP Helper 303 UDP Helper Configuration 303 Displaying and Debugging UDP Helper Configuration 305 UDP Helper Configuration Example 305 IP Per...

Страница 11: ...GURATION Brief Introduction to ACL 351 ACL Supported by the Switch 352 Configuring ACL 352 Defining ACL 353 Activating ACL 355 Displaying and Debugging ACL 356 Advanced ACL Configuration Example 356 B...

Страница 12: ...on of the display acl command 387 Subdividing DSCP while Defining ACL Rules 387 The Synchronization Feature of Queue Scheduling for Aggregation Ports 388 Configuring Control Over Telnet 388 Configurat...

Страница 13: ...7 Configuring Domain Name Used by the MAC Address Authentication User 407 Configuring Centralized MAC Address Authentication Timers 407 Displaying and Debugging Centralized MAC Address Authentication...

Страница 14: ...5 Problem Diagnosis 436 3Com User Access Level 436 22 FILE SYSTEM MANAGEMENT File System Overview 437 Directory Operation 438 File Attribute Configuration 438 File Attribute Configuration 439 File Ope...

Страница 15: ...ping Configuration 466 Configuring Remote ping 466 Configuration Example 467 Logging Function 468 Introduction to Info center 468 Info Center Configuration 471 Sending the Information to Loghost 474...

Страница 16: ...24 DYNAMICALLY APPLY ACL BY RADIUS SERVER CONFIGURATION Introduction to Dynamically Apply ACL by RADIUS Server 525 Introduction to Dynamically Apply ACL by RADIUS Server Configurations 525 Configurat...

Страница 17: ...be Connected to Point to Point Link 553 Set mCheck of the Specified Port 554 Configure the Switch Security Function 554 Display and Debug RSTP 556 RSTP Configuration Example 556 27 POE PROFILE CONFIG...

Страница 18: ...trol 581 Password Control Configuration Example 582 31 MSDP CONFIGURATION Introduction to MSDP 585 MSDP Working Mechanism 587 Configuring MSDP Basic Functions 590 Configuration Prerequisites 590 Confi...

Страница 19: ...Example 612 33 HWTACACS CONFIGURATION Configuring HWTACACS 615 HWTACACS configuration tasks 615 Creating a HWTACAS Scheme 616 Configuring HWTACACS Authentication Servers 617 Configuring HWTACACS Acco...

Страница 20: ...N 672 Supported Switches 672 XRN Terminology 672 Benefits of XRN 673 XRN Features 673 Distributed Device Management DDM 673 Distributed Resilient Routing DRR 673 Distributed Link Aggregation DLA 674 H...

Страница 21: ...n Details how to configure VLANs GVRP Configuration Details GARP VLAN Registration Protocol configuration VLAN VPN Details configuration information to create VLAN VPNs DHCP Details Dynamic Host Confi...

Страница 22: ...ion note Information that describes important features or instructions Caution Information that alerts you to potential loss of data or potential damage to an application system or device Warning Info...

Страница 23: ...d the vertical bars combined indicate that you must enter one of the parameters Enter either hardware or none or software Items shown in square brackets are optional Example 1 in the command display u...

Страница 24: ...24 ABOUT THIS GUIDE...

Страница 25: ...wer network control capacity Table 3 lists the models in the Switch 5500 family Table 3 Models in the Switch 5500 family Model Power supply unit PSU Number of service ports Number of 100 Mbps ports Nu...

Страница 26: ...rom any unit in the fabric DRR The multiple units of a Fabric route and forward packets as a single unit and provide uniform VLAN interfaces routing table and L3 forwarding table so the Fabric is rega...

Страница 27: ...liant with IEEE 802 1Q Standard Port based VLAN Protocol Based VLAN compliant with IEEE 802 1v Standard EI models only Voice VLAN 8021 Q in Q Double Tagged VLAN Support EI models only STP protocol Spa...

Страница 28: ...Link aggregation Link aggregation Link Aggregation Control Protocol LACP compliant with IEEE 802 3ad Standard Mirror Mirror based on the traffic classification Port based mirror VLAN based mirror Remo...

Страница 29: ...indows 9X on the PC Set the terminal communication parameters as follows Baud rate 19200 Databit 8 Parity check none Stopbit 1 Flow control none Terminal type VT100 Management and Maintenance Command...

Страница 30: ...30 CHAPTER 1 GETTING STARTED Figure 3 Setting up a New Connection Figure 4 Configuring the Port for Connection...

Страница 31: ...ort using the ip address command in VLAN Interface View and added the port that connects to a terminal to this VLAN using the port command in VLAN View you can Telnet this Switch and configure it 1 Au...

Страница 32: ...Telnet do not modify the IP address of the Switch unnecessarily for the modification might end the Telnet connection By default when a Telnet user passes the password authentication to log on to the...

Страница 33: ...and you will see the prompt such SW5500 If the prompt All user interfaces are used please try later appears it indicates that too many users are connected to the Switch through Telnet In this case co...

Страница 34: ...W Bar the modem to send command response or execution result and save the configurations After the configuration enter AT V to verify the Modem settings The Modem configuration commands and outputs ma...

Страница 35: ...to the Switch using the terminal emulator and Modem on the remote end The number you dial is the telephone number of the Modem connected to the Switch See Figure 10 and Figure 11 Figure 10 Setting th...

Страница 36: ...ogin password on the remote terminal emulator and wait for the prompt SW5500 Then you can configure and manage the Switch Enter to view online help For details of specific commands refer to the follow...

Страница 37: ...sis tools such as ping and tracert commands for the different language environments of the user interface language mode and the telnet command The saving of the configuration file is not allowed at th...

Страница 38: ...w VLAN View VLAN Interface View Local User View User Interface View FTP Client View RSA Public Key View RSA Key Code View PIM View RIP View OSPF View OSPF Area View Route Policy View Basic ACL View Ad...

Страница 39: ...ter pim in System View quit returns to System View return returns to User View RIP View Configure RIP parameters SW5500 rip Enter rip in System View quit returns to System View return returns to User...

Страница 40: ...tials in the command will be listed SW5500 display ver version 5 Enter the first letters of a keyword of a command and press Tab If no other keywords begin with these letters then this unique keyword...

Страница 41: ...es Incorrectly entered commands will cause error messages to be reported to users The common error messages are listed in Table 8 Table 6 Functions of Displaying Key or Command Function Press Ctrl C w...

Страница 42: ...ort There is only the one type of AUX user interface The user interface is numbered by absolute number or relative number To number the user interface by absolute number The AUX user interface is the...

Страница 43: ...og in to the Switch only through the supported protocol The configuration becomes effective when you log in again Perform the following configurations in User Interface VTY user interface only View By...

Страница 44: ...Table 12 Configuring the Transmission Speed on the AUX Console Port Operation Command Configure the transmission speed on the AUX console port speed speed_value Restore the default transmission speed...

Страница 45: ...Note the following points For security the undo shell command can only be used on the user interfaces other than AUX user interface You cannot use this command on the user interface through which you...

Страница 46: ...ation method to deny the access of an unauthorized user Perform the following configuration in User Interface View By default terminal authentication is not required for users logged in through the co...

Страница 47: ...ser zbr service type telnet 3 No authentication SW5500 ui vty0 authentication mode none By default the password is required for authenticating Modem and Telnet users when they log in If the password h...

Страница 48: ...nd is used for setting the priority of a specified command in a certain view The command levels include visit monitoring system and management which are identified with 0 through 3 respectively An adm...

Страница 49: ...1 after the user logs in through VTY0 automatically SW5500 ui vty0 auto execute command telnet 10 110 100 1 When a user logs on through VTY 0 the system will run telnet 10 110 100 1 automatically Disp...

Страница 50: ...50 CHAPTER 1 GETTING STARTED...

Страница 51: ...he IP addresses in this IP address pool are those configured in the static ARP on another port the system will prompt you to delete the corresponding static ARP to ensure that the binding takes effect...

Страница 52: ...ress management Configuration procedure To enable address management enter the following S5500 system view S5500 am enable Table 31 Bind the MAC address and IP address of a legal user to the specified...

Страница 53: ...egal User Network requirements The GigabitEthernet1 0 1 port of the switch is connected to multiple PCs Network diagram Figure 13 Network diagram for address management Configuration procedure To conf...

Страница 54: ...54 CHAPTER 2 ADDRESS MANAGEMENT CONFIGURATION...

Страница 55: ...eamlined Gigabit SFP ports operate in 1000Mbps full duplex mode The duplex mode can be set to full full duplex and auto auto negotiation and its speed can be set to 1000 1000Mbps and auto auto negotia...

Страница 56: ...set it to full duplex To configure a port to either send or receive data packets set it to half duplex If the port has been set to auto negotiation mode the local and peer ports will automatically neg...

Страница 57: ...ble type is auto auto recognized That is the system can automatically recognize the type of cable connecting to the port Enabling Disabling Flow Control for the Ethernet Port After flow control is ena...

Страница 58: ...ser s computer A trunk port can belong to more than one VLAN and receive send the packets on multiple VLANs used for connection between the Switches A hybrid port can also carry more than one VLAN and...

Страница 59: ...d to an existing VLAN other than VLAN 1 The VLAN to which a hybrid port is added must have already exist The one to which a trunk port is added cannot be VLAN 1 After adding an Ethernet port to specif...

Страница 60: ...the switch will monitor whether the ports have loopback on a regular basis if the switch detects loopback for a particular port it will put that port under control For Access port If system detects l...

Страница 61: ...Trunk ports and Hybrid ports loopback detection per vlan enable Optional By default system only detects loopback for the default VLANs with Trunk ports and Hybrid ports Display the loopback detection...

Страница 62: ...et1 0 1 virtual cable test Cable status abnormal open 7 metres Pair Impedance mismatch yes Pair skew 4294967294 ns Pair swap swap Pair polarity normal Insertion loss 7 db Return loss 7 db Near end cro...

Страница 63: ...nding ports thus improving the security of the system Configuring Port Security Table 47 Configure port security Operation Command Description Enter system view system view Enable port security port s...

Страница 64: ...eature on the port to ntkonly and the action mode of the Intrusion Protection feature on the port to disableport Connect PC1 to the port through switch B Bind the MAC and IP addresses of PC1 to the po...

Страница 65: ...fc00 5600 ip address 10 153 1 1 interface Ethernet1 0 1 Copying Port Configuration to Other Ports To keep the configuration of other ports consistent with a specified port you can copy the configurat...

Страница 66: ...e that The loopback test cannot be performed on a port disabled by the shutdown command During the loopback test the system will disable speed duplex mdi and shutdown operation on the port Some ports...

Страница 67: ...ag and forward the packet Networking Diagram Figure 15 Configuring the Default VLAN for a Trunk Port Configuration Procedure The following configurations are used for Switch A Configure Switch B in th...

Страница 68: ...VLAN ID The port setting includes port link type The Switch 5500 SI 28 Port can support up to 14 aggregation groups the Switch 5500 SI 52 Port can support up to 26 aggregation groups and the Switch 5...

Страница 69: ...oup the system sets the ports to active or inactive state by using these rules The system sets the port with the highest priority to active state and others to inactive state based on the following de...

Страница 70: ...standby ports can transceive LACP protocol but standby ports cannot forward user service packets Among the selected ports of an aggregation group the one with minimum port number serves as the master...

Страница 71: ...ion Group Setting Deleting the Aggregation Group Descriptor Configuring System Priority Configuring Port Priority Enabling Disabling LACP You should first enable LACP at the ports before performing dy...

Страница 72: ...ts but contains no member port you can overwrite the existing group if it already exists in the system and contains member ports then you can only change a dynamic or static LACP aggregation group to...

Страница 73: ...ses The smaller system ID is given priority Changing system priority may affect the priority levels of member ports and further their selected or standby state Perform the following configuration in S...

Страница 74: ...a specific aggregation group display link aggregation verbose agg_id Display local system ID display lacp system id Display detailed link aggregation information at the port display link aggregation...

Страница 75: ...00 Ethernet1 0 2 port link aggregation group 1 SW5500 Ethernet1 0 2 interface ethernet1 0 3 SW5500 Ethernet1 0 3 port link aggregation group 1 2 Static LACP aggregation a Create static LACP aggregatio...

Страница 76: ...red globally with the broadcast suppression command will take effect on all the Ethernet ports in a stack system Global Broadcast Suppression Configuration Example Network requirements Configure the g...

Страница 77: ...ollowing information about a specified optical port Hardware type Interface type Wavelength Vender Serial number Transfer distance Table 59 Display information about a specified optical port Operation...

Страница 78: ...78 CHAPTER 3 PORT OPERATION...

Страница 79: ...ore management cost is reduced n Enables you to purchase devices on demand and expand network capacity smoothly Protects your investment to the full extent during network upgrade n Ensures high reliab...

Страница 80: ...oes not exist in the Fabric the Switch sets its priority to 5 and saves it in the unit Flash memory Device Configuration Default Settings Comment Switch Specify the stacking VLAN of the Switch The sta...

Страница 81: ...View Table 63 Save the unit ID of each unit in the Fabric Specifying the Fabric Port of the Switch Perform the following configuration in System View Table 64 Specifying the Fabric Port of the Switch...

Страница 82: ...e settings Table 68 Displaying and Debugging FTM Fabric Configuration Example Networking Requirements Configure unit ID unit name Fabric name and authentication mode for four Switches and interconnect...

Страница 83: ...nfigure Switch D SW5500 change unit id 1 to auto numbering SW5500 fabric port gigabitethernet4 0 51 enable SW5500 fabric port gigabitethernet4 0 52 enable SW5500 sysname hello hello xrn fabric authent...

Страница 84: ...Detection As the basis of the XRN function the fabric topology management FTM module manages and maintains the entire topology of a fabric The FTM module also implements the peer fabric port detection...

Страница 85: ...authentication will be discarded Prompt Information and Solution normal If the port displays normal it indicates the fabric operates properly temporary If the port displays temporary it indicates the...

Страница 86: ...r may occur if the XRN fabric authentication modes configured for the both devices are not the same or the password configured does not match Solution Make sure the XRN fabric authentication modes and...

Страница 87: ...eed to invalidate the current fabric port group before configuring the other port group to be a fabric port group After a fabric is configured the master switch synchronizes its configuration file to...

Страница 88: ...88 CHAPTER 4 XRN CONFIGURATION...

Страница 89: ...the local device See Figure 20 and Figure 20 Unidirectional links can cause many problems spanning tree topology loop for example Device Link Detection Protocol DLDP can detect the link status of the...

Страница 90: ...s up or an neighbor entry is cleared Advertisement All neighbors communicate normally in both direction or DLDP remains in active status for more than five seconds and enters this status It is a stabl...

Страница 91: ...or the enhanced timer is 10 seconds The enhanced timer then sends two probe packets every one second and totally eight packets continuously to the neighbor If no echo packet is received from the neigh...

Страница 92: ...s the neighbor entry if this neighbor entry does not exist on the local device If the neighbor entry already exists on the local device refreshes the entry aging timer Echo packet Checks whether the l...

Страница 93: ...e SRPU board switchover the standby board takes over unidirectional link detection In this case the DLDP parameters do not change and DLDP checks every port again for unidirectional links For the conf...

Страница 94: ...switches support DLDP n Unidirectional links due to incorrect fiber connections between the two switches including disconnection in one direction and cross connection are expected to be detected and t...

Страница 95: ...abitethernet 2 0 3 S5500A GigabitEthernet2 0 3 duplex full S5500A GigabitEthernet2 0 3 speed 1000 S5500A GigabitEthernet2 0 3 quit S5500A interface gigabitethernet 2 0 4 S5500A GigabitEthernet2 0 4 du...

Страница 96: ...enable c Set the time interval for sending DLDP packets to 15 seconds S5500B dldp interval 15 d Configure DLDP to work in enhanced mode S5500B dldp work mode enhance S5500B dldp work mode enhance e Se...

Страница 97: ...are very helpful in controlling network traffic saving device investment simplifying network management and improving security Configuring a VLAN VLAN configuration is described in the following sect...

Страница 98: ...VLAN Interface Use the following command to specify remove the VLAN interface To implement the network layer function on a VLAN interface the VLAN interface must be configured with an IP address and a...

Страница 99: ...led Displaying and Debugging VLAN After the above configuration enter the display command in any view to display the running of the VLAN configuration and to verify the effect of the configuration VLA...

Страница 100: ...quit 2 Enter the VLAN interface view SW5500 interface vlan interface 3 3 Provide the IP address and subnet mask SW5500 Vlan interface3 ip address 192 168 1 5 255 255 255 SW5500 Vlan interface3 quit Pr...

Страница 101: ...ecuting the display command in any view Table 85 Create a VLAN protocol type Operation Command Description Enter system view system view Enter VLAN view vlan vlan id Required Create a VLAN protocol ty...

Страница 102: ...etting Removing the OUI Address Learned by Voice VLAN Enabling Disabling Voice VLAN Security Mode Enabling Disabling Voice VLAN Auto Mode Setting the Aging Time of Voice VLAN If you change the status...

Страница 103: ...m can learn 16 MAC addresses at most Adding the OUI addresses you need only input the first three byte values of the MAC address Perform the following configuration in System View There are four defau...

Страница 104: ...using the follow command you can set the aging time of Voice VLAN After the OUI address the MAC address of IP Phone is aged on the port this port enters the aging phase of Voice VLAN If OUI address i...

Страница 105: ...able the voice VLAN function for the port voice vlan enable Required By default the voice VLAN function is disabled Set voice VLAN operation mode to manual mode undo voice vlan mode auto Required The...

Страница 106: ...ernet1 0 2 as the IP Phone access port The type of IP Phone is untagged Network Diagram Figure 25 Voice VLAN Configuration Configuration Steps SW5500 vlan 2 SW5500 vlan2 port ethernet1 0 2 SW5500 vlan...

Страница 107: ...configure the operation mode for a voice VLAN according to data stream passing through the ports of the voice VLAN When a voice VLAN operates in the automatic mode the switch learns source MAC addres...

Страница 108: ...ist of the tagged VLANs whose packets are permitted by the access port Untagged voice stream Access Not supported because the default VLAN of the port must be a voice VLAN and the access port is in th...

Страница 109: ...function is disabled Set the voice VLAN operation mode to automatic mode voice vlan mode auto Optional The default voice VLAN operation mode is automatic mode Quit to system view quit Set an OUI addre...

Страница 110: ...UI address S5500 voice vlan mac address 0011 2200 0000 mask ffff ff00 0000 description test 5 Enable the voice VLAN function globally S5500 voice vlan 3 enable 6 Display the configuration S5500 displa...

Страница 111: ...Working Scheme GARP Timers The information exchange between GARP members is completed by messages The messages performing important functions for GARP fall into three types Join Leave and LeaveAll Wh...

Страница 112: ...the switch joins the current port to this VLAN and add a VLAN entry to the local GVRP database a table maintained by GVRP but GVRP cannot learn dynamic VLAN through this port and the dynamic VLANs le...

Страница 113: ...ute Type It is defined by specific GARP application The attribute type of GVRP is 0x01 Attribute List It contains multiple attributes Attribute Each general attribute consists of three parts Attribute...

Страница 114: ...r value Optional By default the LeaveAll timer is set to 1 000 centiseconds Enter Ethernet port view interface interface type interface number This port must be a Trunk port Enable GVRP on the port gv...

Страница 115: ...between the timers Timer Lower threshold Upper threshold Hold 10 centiseconds This upper threshold is less than or equal to one half of the value of the Join timer You can change the threshold by cha...

Страница 116: ...the display commands here to display the GVRP configuration You can execute the display commands in any view Table 105 Displaying GVRP Operation Command Display the GARP statistics display garp stati...

Страница 117: ...ags Compared with MPLS based L2VPN VLAN VPN has the following features It allows Layer 2 VPN tunnels that are simpler VLAN VPN can be implemented without the support of signalling protocols You can en...

Страница 118: ...tags of the received packets with the user defined TPID value through which the VLAN VPN packets sent to public networks can be recognized by devices of other vendors VLAN VPN Configuration This sect...

Страница 119: ...PN function for a port continued Operation Command Description Table 107 Configure to replicate the tag priority of the inner VLAN tag Operation Command Description Enter system view system view Enter...

Страница 120: ...on contains a VLAN VPN configuration example Network requirements Switch A and Switch C are S5500 series switches Switch B is a switch comes from another vendor which uses a TPID value of 0x9100 Two n...

Страница 121: ...isted as shown below Configure Ethernet3 1 1 and Ethernet3 1 2 ports of Switch B to be trunk ports Add the two ports to VLAN 10 The following describes how a packet is forwarded from Switch A to Switc...

Страница 122: ...122 CHAPTER 8 VLAN VPN CONFIGURATION...

Страница 123: ...ubnet masks and default gateway IP addresses and the DHCP servers returns the corresponding configuration information Both BOOTP and DHCP are encapsulated with UDP They adopt almost the same packet fo...

Страница 124: ...aimed by DHCP servers That is those in the Option fields of DHCP REQUEST packets sent by DHCP clients The IP addresses in the DHCP address pool IP addresses that are expired or conflict Sending Device...

Страница 125: ...ies to find a DHCP server by broadcasting a DHCP DISCOVER packet Offer Each DHCP server that receives the DHCP DISCOVER packet chooses an unassigned IP address from the address pool and sends a DHCP O...

Страница 126: ...e of the slaves can change to the master and operates as the DHCP server immediately DHCP is an UDP based protocol operating at the application layer When a DHCP server in a fabric system runs on a La...

Страница 127: ...lease time of the IP address to the DHCP client You can configure multiple address pools for one DHCP server Currently a DHCP server supports up to 128 global address pools Types of address pool The a...

Страница 128: ...P related configurations which take effect only when DHCP is enabled Table 110 Global address pool based DHCP server configuration Operation Description Related section Enable DHCP Required Enabling D...

Страница 129: ...of the DHCP client and assigns the IP address to the DHCP client Currently only one IP address in a global DHCP address pool can be statically bound to a MAC address The static bind ip address comman...

Страница 130: ...cally assigned to DHCP clients Configuring DNS Services for DHCP Clients If a host accesses the Internet through domain names DNS domain name system is needed to translate the domain names into the co...

Страница 131: ...eer to peer M node Nodes of this type are p nodes mixed with broadcasting features The character m stands for the word mixed H node Nodes of this type are b nodes mixed with peer to peer features The...

Страница 132: ...address and you execute the dhcp select interface command in interface view The IP addresses contained in it belong to the network segment where the interface resides in and are available to the inter...

Страница 133: ...ls to DHCP clients Required Configuring to Assign the IP addresses of Local Interface based address pools to DHCP Clients Configure to assign IP addresses of interface DHCP address pool to DHCP client...

Страница 134: ...e IP addresses to be dynamically assigned to DHCP clients are those that are not occupied by specific network devices such as gateways and FTP servers The lease time can differ with address pools But...

Страница 135: ...assigned dhcp server forbidden ip low ip address high ip address Optional By default all IP addresses in a DHCP address pool are available for being dynamically assigned Table 123 Configure to assign...

Страница 136: ...with broadcasting features The character m stands for the word mixed H node Nodes of this type are b nodes mixed with peer to peer features The character h stands for the word hybrid Table 125 Configu...

Страница 137: ...signing the same IP address to multiple DHCP clients simultaneously you can configure a DHCP server to detect an IP address before it assigns the address to a DHCP client IP address detecting is achie...

Страница 138: ...CP When used in option 184 this sub option must be the first sub option that is sub option 1 The IP address of the NCP server carried by sub option 1 of option 184 is intended for identifying the serv...

Страница 139: ...e the DHCP server to add sub option 1 Mechanism of using option 184 on DHCP server The DHCP server encapsulates the information for option 184 to carry in the response packets sent to the DHCP clients...

Страница 140: ...ip address all interface interface type interface number to interface type interface number Required Configure the AS IP sub option dhcp server voice config as ip ip address all interface interface t...

Страница 141: ...onfigure the interface to operate in DHCP server mode and assign the IP addresses of an interface based address pool to DHCP clients dhcp select interface Required Configure the NCP IP sub option dhcp...

Страница 142: ...em view Configure the interface to operate in DHCP server mode and assign the IP addresses of an interface based address pool to DHCP clients dhcp select global subaddress all interface interface type...

Страница 143: ...500 Vlan interface2 quit c Configure VLAN 2 interface to operate in the DHCP server mode S5500 dhcp select global interface vlan interface 2 d Enter DHCP address pool view S5500 dhcp server ip pool 12...

Страница 144: ...ynamically to the DHCP clients on the same network segment The network segment 10 1 1 0 24 to which the IP addresses of the address pool belong is divided into two sub network segment 10 1 1 0 25 and...

Страница 145: ...00 system view 2 Enable DHCP S5500 dhcp enable 3 Configure the IP addresses that are not dynamically assigned That is the IP addresses of the DNS server NetBIOS server and gateways S5500 dhcp server f...

Страница 146: ...ed by IP addresses that are manually configured on hosts Solution Disconnect the DHCP client from the network and then check whether there is a host using the conflicting IP address by performing ping...

Страница 147: ...mentals Figure 35 illustrates a typical DHCP relay application Figure 35 Typical DHCP relay application A DHCP relay works as follows A DHCP client broadcasts a configuration request packet in the loc...

Страница 148: ...rnal DHCP IP addresses in a DHCP server group You can map multiple VLAN interfaces to one DHCP server group But one VLAN interface can be mapped to only one DHCP server group If you execute the dhcp s...

Страница 149: ...ddresses and related configuration information from the DHCP server Network diagram Figure 36 Network diagram for DHCP relay Configuration procedure 1 Enter system view S5500 system view 2 Enable DHCP...

Страница 150: ...on through a DHCP relay Analyse This problem may be caused by improper DHCP relay configuration When a DHCP relay operates improperly you can locate the problem by enabling debugging and checking the...

Страница 151: ...r 3 Switch implementing communication between these hosts and the external network If Switch fails all the hosts on this segment taking Switch as the next hop through the default routes are cut off fr...

Страница 152: ...witch with the highest priority will function as the new master switch to guarantee normal communication between the hosts and the external networks This ensures the communications between the hosts a...

Страница 153: ...rtual router IP addresses as needed The MAC address can be a virtual MAC address or the real MAC address of a Layer 3 switch routing interface You need to map the IP addresses of the backup group to t...

Страница 154: ...twork congestions even if the master operates properly This causes the master of the backup group being determined frequently With the configuration of delay period the backup switch will wait for a w...

Страница 155: ...tracking function expands the backup group function With this function enabled the backup group function is provided not only when the interface where the backup group resides fails but also when othe...

Страница 156: ...preemptive mode and delay period for the backup group vrrp vrid virtual router ID preempt mode timer delay delay value Optional virtual router ID Backup group ID delay value Delay value in seconds By...

Страница 157: ...Figure 39 Network diagram for single VRRP backup group configuration Table 139 Display and Clear VRRP Information Operation Command Description Display VRRP state information and statistics informatio...

Страница 158: ...e2 ip address 202 38 160 2 255 255 255 0 LSW B Vlan interface2 quit b Configure VRRP LSW B vrrp ping enable LSW B interface vlan 2 LSW B Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 LSW B Vla...

Страница 159: ...60 111 d Set the priority for the backup group LSW A Vlan interface2 vrrp vrid 1 priority 110 e Set the authentication key for the backup group LSW A Vlan interface2 vrrp authentication mode md5 switc...

Страница 160: ...advertise 5 Normally Switch A functions as the gateway but when VLAN 3 interface on Switch A goes down its priority will be reduced by 30 lower than that of Switch B so that Switch B will preempt the...

Страница 161: ...lan interface2 vrrp vrid 2 virtual ip 202 38 160 112 2 Configure Switch B a Configure VLAN 2 LSW B system view System View return to User View with Ctrl Z LSW B vlan 2 LSW B vlan2 port Ethernet 1 0 6...

Страница 162: ...ond possibility is caused by the malicious attempt of some devices non technical measures should be resorted to Symptom 2 More than one master existing within a backup group There are also 2 reasons O...

Страница 163: ...for packet forwarding implementing the forwarding load balancing of VLAN packets MSTP is compatible with both STP and RSTP Moreover it overcomes the drawbacks that STP and RSTP suffer from It allows...

Страница 164: ...T region configuration the same region name the same VLAN to spanning tree mapping that is VLAN 1 is mapped to spanning tree instance 1 VLAN 2 is mapped to spanning tree 2 and the other VLANs are mapp...

Страница 165: ...e A common root bridge is the root of a CIST The common root bridge of the network shown in Figure 42 is a switch in region A0 Port role In MSTP the following port roles exist root port designated por...

Страница 166: ...e combinations of port states and port roles Fundamentals of MSTP MSTP divides a network into multiple MST regions at Layer 2 and calculates the CST of these MST regions In each MST region it generate...

Страница 167: ...cost of the port has a higher priority For BPDUs with the same root ID and root path cost the designated bridge ID designated port ID the ID of the port from which the BPDU is received are compared in...

Страница 168: ...completing other related configurations Enabling MSTP Configure an MST region Required Configuring an MST Region Set the switch as the root secondary root bridge Required Setting a switch as the root...

Страница 169: ...me MST region only when they have the same MST region name the same VLAN mapping table and the same MST region revision level Table 142 Configure an MST region Operation Command Description Enter syst...

Страница 170: ...g a switch as a secondary root bridge of a spanning tree Using the stp root primary stp root secondary command you can specify a switch to be the root bridge or a secondary root bridge of the spanning...

Страница 171: ...h to be the root bridge by setting the priority of the switch to 0 Note that once a switch is configured to be the root bridge or secondary root bridge its priority cannot be modified Configuration ex...

Страница 172: ...he current switch to operate in STP mode S5500 system view System View return to User View with Ctrl Z S5500 stp mode stp Configuring the Maximum Hop Count of an MST Region The maximum hop count of an...

Страница 173: ...dingly The network diameter setting only applies to CISTs Configuration example Configure the diameter of the switched network to 6 S5500 system view System View return to User View with Ctrl Z S5500...

Страница 174: ...n time without consuming too many network resources A too great Hello time may cause normal links to be regarded as failed when only some packets get lost which in turn causes spanning trees to be rec...

Страница 175: ...t the upstream switch is down and recalculates the spanning trees Spanning tree recalculation may also occur in a very stable network where certain upstream switches are busy In this case you can incr...

Страница 176: ...ected to them directly or through networks After a port is configured to be an edge port the port can perform rapid transition that is it can move from the blocking state to the forwarding state witho...

Страница 177: ...dged port enable Specifying whether a Port Connect to Point to Point Link A point to point link directly connects two switches If the two ports at the two ends of a point to point link meet certain ro...

Страница 178: ...rue force false auto Required The auto keyword is specified by default The force true keyword specifies that the specified ports connect to point to point links The force false keyword specifies that...

Страница 179: ...Enter system view system view Enable MSTP stp enable Required MSTP is disabled by default Disable MSTP on some ports stp interface interface list disable Optional By default MSTP is enabled on all por...

Страница 180: ...in the spanning trees that is whether a switch will be the root a branch or a leaf in a spanning tree Configuring an MST Region Refer to Configuring an MST Region Table 159 Leaf node configuration Op...

Страница 181: ...ds are available for calculating path costs of ports on a switch dot1d 1998 Adopts the IEEE 802 1D 1998 standard to calculate the default path costs of ports dot1t Adopts the IEEE 802 1t standard to c...

Страница 182: ...666 50 000 200 200 180 160 140 1 000 Mbps Full Duplex Aggregated Link 2 Ports Aggregated Link 3 Ports Aggregated Link 4 Ports 4 3 3 3 20 000 10 000 6 666 5 000 20 18 16 14 10 Gbps Full Duplex Aggrega...

Страница 183: ...return to User View with Ctrl Z S5500 interface ethernet1 0 1 S5500 Ethernet1 0 1 undo stp instance 1 cost S5500 Ethernet1 0 1 quit S5500 stp pathcost standard dot1d 1998 Configuring the Priority of...

Страница 184: ...ty 16 Configuring a Port to Connect to Point to Point Link Refer to Configuring a Port to Connect to Point to Point Link Enabling MSTP Refer to Enabling MSTP mCheck Configuration As mentioned previous...

Страница 185: ...U protection root protection loop prevention and TC BPDU attack prevention BPDU protection Typically access ports of access layer devices have terminals such as PCs or file servers directly connected...

Страница 186: ...ing BPDUs from the upstream switch However the switch may not receive the BPDUs due to network congestions or unidirectional link failures In this case the switch reelects a root port sets the origina...

Страница 187: ...t port view S5500 system view System View return to User View with Ctrl Z S5500 interface ethernet1 0 1 S5500 Ethernet1 0 1 stp root protection Table 168 Enable the BPDU protection function Operation...

Страница 188: ...keep independent of those of the operator s networks As shown in Figure 44 the upper part is the operator s network and the lower part is the user network The operator s network comprises packet ingr...

Страница 189: ...2 1x GVRP GMRP STP or NTDP employed the BPDU tunnel function is unavailable to these ports Table 173 Configure the BPDU tunnel function Operation Command Description Enter system view system view Enab...

Страница 190: ...AN 40 are forwarded along spanning tree instance 4 and those of VLAN 20 are forwarded along spanning tree instance 0 In this network Switch A and Switch B operate at the distribution layer Switch C an...

Страница 191: ...Configure the MST region S5500 mst region region name example S5500 mst region instance 1 vlan 10 S5500 mst region instance 3 vlan 30 S5500 mst region instance 4 vlan 40 S5500 mst region revision lev...

Страница 192: ...witches Switch C and Switch D shown in Figure 46 operate as the access devices of the operator s network Two S2000 series switches Switch A and Switch B shown in Figure 46 are used as the access devic...

Страница 193: ...S5500 Ethernet1 0 1 vlan vpn enable S5500 Ethernet1 0 1 quit e Configure Ethernet1 0 2 port to be a trunk port S5500 interface Ethernet 1 0 2 S5500 Ethernet1 0 2 port link type trunk f Add the trunk...

Страница 194: ...tunnel function is only available to access ports To implement the BPDU tunnel function the links between operator networks must be trunk links As the VLAN VPN function is unavailable to the ports wi...

Страница 195: ...ized MAC address authentications are carried out as follows In MAC address mode a switch sends newly detected MAC addresses to the RADIUS server as both the user names and passwords The rest handling...

Страница 196: ...ed MAC address authentication is also enabled Configuring an ISP Domain for MAC Address Authentication Users Table 176 lists the operations to configure an ISP domain for centralized MAC address authe...

Страница 197: ...based and global centralized MAC address authentication and local user configuration 1 Enable centralized MAC address authentication on GigabitEthernet1 0 2 port S5500 system view S5500 mac authentic...

Страница 198: ...TICATION CONFIGURATION 4 Enable global centralized MAC address authentication S5500 mac authentication 5 Configure the domain name for centralized MAC address authentication user to be aabbcc163 net S...

Страница 199: ...onment A Switch can connect to multiple SSH clients SSH 2 0 and SSH1 x are currently available SSH client functions to enable SSH connections between users and the Switch or UNIX host that support SSH...

Страница 200: ...server then decrypts the received data with the server private key to get the client random number The server then uses the same algorithm to work out the session key based on server public key and th...

Страница 201: ...ends the authentication data calculated back to the server The server compares it with its authentication data obtained locally If they match exactly the user is allowed to access the switch 3 Session...

Страница 202: ...be more than 1 024 bits Otherwise clients cannot be authenticated For a successful SSH login you must generate the local RSA key pairs first You just need to execute the command once with no further a...

Страница 203: ...figure server SSH attributes Configuring client public keys This operation is not required for password authentication type You can configure RSA public keys for client users on the server in two ways...

Страница 204: ...n key in a blank space between characters since the system can remove the blank space automatically But the public key should be composed of hexadecimal characters Return to public key view and save t...

Страница 205: ...oup prefer_ctos_cipher des aes128 prefer_stoc_cipher des aes128 prefer_ctos_hmac sha1 sha1_96 md5 md5_96 prefer_stoc_hmac sha1 sha1_96 md5 md5_96 Required You can use this command to enable the connec...

Страница 206: ...ssword authentication 1 Set AAA authentication on the user interfaces S5500 user interface vty 0 4 S5500 ui vty0 4 authentication mode scheme 2 Set the user interfaces to support SSH S5500 ui vty0 4 p...

Страница 207: ...00 rsa key code 308186028180739A291ABDA704F5D93DC8FDF84C427463 S5500 rsa key code 1991C164B0DF178C55FA833591C7D47D5381D09CE82913 S5500 rsa key code D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4 S5500...

Страница 208: ...de BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125 S5500 rsa key code public key code end S5500 rsa public key peer public key end S5500 ssh client 10 165 87 136 assign rsa key public 3 Start SSH client...

Страница 209: ...ssh_rsa_key t rsa This will create two files ssh_rsa_key which is the Private key and ssh_rsa_key pub which is the Public key 2 Copy the public key file ssh_rsa_key pub to a windows pc from the linux...

Страница 210: ...P server Setting connection timeout time Configuring service type for an SSH user Enabling the SFTP server Setting connection timeout time After you set the timeout time for the SFTP user connection t...

Страница 211: ...ptional Return to the upper directory cdup Display the current directory pwd Display the list of the files in a directory dir ls Create a new directory mkdir Delete a directory rmdir 4 SFTP file relat...

Страница 212: ...name Change the current directory cd remote path Return to the upper directory cdup Display the current directory pwd Display the list of the files in a directory dir remote path Optional The dir and...

Страница 213: ...Figure 51 Network diagram for SFTP configuration Configuration procedure 1 Configure Switch B SFTP server a Enable the SFTP server S5500 sftp server enable b Specify SFTP service for SSH user 8040 S55...

Страница 214: ...pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub c Create directory new1 and verify the operation sftp client mkdir new1 New directory created sftp...

Страница 215: ...ir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 vrpcfg cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 2...

Страница 216: ...216 CHAPTER 15 SSH TERMINAL SERVICES...

Страница 217: ...uters are two routers connected to the same network The number of route segments between a router and hosts in the same network is zero A router can be connected to any physical link that constitutes...

Страница 218: ...is located is 129 102 0 0 The output interface Indicates an interface through which an IP packet should be forwarded The next hop address Indicates the next router that an IP packet will pass through...

Страница 219: ...g and BGP IBGP and EBGP the preferences of various dynamic routing protocols can be manually configured to meet the user requirements The preferences for individual static routes can be different Forw...

Страница 220: ...lf and the router will choose from one of the remaining routes as a backup route whose precedence is higher than the others to send data This process is the switchover from the main route to the backu...

Страница 221: ...te to forward this packet If there is no default route and the destination address of the packet fails to match any entry in the routing table the packet is discarded and an Internet Control Message P...

Страница 222: ...address of the local Switch as the next hop address of an static route Preference For different configurations of preference_value you can flexibly apply the routing management policy Other parameters...

Страница 223: ...ting table Operation Command View routing table summary display ip routing table View routing table details display ip routing table verbose View the detailed information of a specific route display i...

Страница 224: ...D V algorithm based It uses hop counts to measure the distance to the destination host This is called the routing cost In RIP the hop count from a router to its directly connected network is 0 the ho...

Страница 225: ...he updated route globally available RIP uses the timeout mechanism to handle timed out routes to ensure the timeliness and validity of the routes With these mechanisms RIP an interior routing protocol...

Страница 226: ...fied network and does not forward its interface route When the network command is used for an address the effect is to enable the interface of the network with this address For example for network 129...

Страница 227: ...s and sends the RIP 1 packets It transmits packets in multicast mode when the interface RIP version is set to RIP 2 Configuring RIP Timers As stipulated in RFC1058 RIP is controlled by three timers pe...

Страница 228: ...ro processing is refused There are no zero fields in RIP 2 packets so configuring a zero field check is invalid for RIP 2 Perform the following configurations in RIP View Specifying the Operating Stat...

Страница 229: ...s with natural mask that is it always sends routes in the route aggregation form RIP 2 supports subnet mask and classless inter domain routing To advertise all the subnet routes the route aggregation...

Страница 230: ...ormation of other protocols Configuring the Default Cost for the Imported Route When you use the import route command to import the routes of other protocols you can specify their cost If you do not s...

Страница 231: ...router itself which means that it has no effect on the routes imported to RIP by other routing protocols Configuring Route Filtering The Router provides a route filtering function You can configure th...

Страница 232: ...uring RIP to Filter the Received Routes Operation Command Filter the received routing information distributed by the specified address filter policy gateway ip_prefix_name import Cancel filtering of t...

Страница 233: ...witch B are connected to the networks 155 10 1 0 and 196 38 165 0 respectively Switch C Switch A and Switch B are connected using Ethernet 110 11 2 0 Correctly configure RIP to ensure that Switch C Sw...

Страница 234: ...Troubleshooting RIP The Switch 5500 cannot receive the update packets when the physical connection to the peer routing device is normal RIP does not operate on the corresponding interface for example...

Страница 235: ...e the security of the route calculation Multicast transmission Uses multicast address to receive and send packets Calculating OSPF Routes The OSPF protocol calculates routes as follows Each OSPF capab...

Страница 236: ...peer router It contains a collection of multiple LSAs complete contents Link State Acknowledgment LSAck Packet The packet is used for acknowledging the received LSU packets It contains the HEAD s of L...

Страница 237: ...e area is called an area border router ABR An ABR can connect to the backbone area physically or logically Backbone Area After the area division of OSPF one area is different from all the other areas...

Страница 238: ...mport Routes of Other Protocols Configuring Parameters for OSPF to Import External routes Configuring OSPF to Import the Default Route Setting OSPF Route Preference Configuring OSPF Route Filtering Co...

Страница 239: ...ddress wildcard shielded text similar to the complement of the IP address mask Configuring a Router ID A Router ID is a 32 bit unsigned integer that uniquely identifies a router within an AS A Router...

Страница 240: ...ork without multi access capability Configure the interface type to P2MP if not all the routers are directly accessible on an NBMA network Change the interface type to P2P if the router has only one p...

Страница 241: ...f a router is 0 it will not be elected as DR or BDR If DR fails the routers on the network must elect a new DR and synchronize with the new DR The process takes a relatively long time during which rou...

Страница 242: ...hello timer According to RFC2328 the consistency of hello intervals between network neighbors should be kept The hello interval value is in inverse proportion to the route convergence rate and networ...

Страница 243: ...itted every second Setting an Interval for LSA Retransmission between Neighboring Routers If a router transmits an LSA Link State Advertisements to the peer it requires an acknowledgement packet from...

Страница 244: ...located at the AS boundaries are those non backbone areas with only one ABR Even if this area has multiple ABRs no virtual links are established between these ABRs To ensure that the routes to destina...

Страница 245: ...R generates type 7 LSAs which are propagated in Area 1 When a type 7 LSA reaches the NSSA ABR the NSSA ABR transforms it into a type 5 LSA which is propagated to Area 0 and Area 2 RIP routes of the AS...

Страница 246: ...d an aggregate LSA and all the LSAs in the range of the aggregate segment specified by the command are not transmitted separately Once the aggregate segment of a certain network is added to the area a...

Страница 247: ...onnection can take effect only when both ends are configured The virtual link is identified by the ID of the remote router The area which provides the ends of the virtual link with a non backbone area...

Страница 248: ...formation As far as OSPF is concerned the routes discovered by other routing protocols are always processed as the external routes of AS In the import route commands you can specify the route cost typ...

Страница 249: ...es not import the routing information of other protocols The default type of the imported route is 2 cost is 1 and the tag is 1 The protocol variable specifies a source routing protocol that can be im...

Страница 250: ...orted external routing protocol is 150 Restore the default upper limit to the external routes that can be imported at a time undo default limit Configure the default cost for the OSPF to import extern...

Страница 251: ...ally specify an interface to fill in the MTU field in a DD packet when it transmits the packet The MTU should be set to the real MTU on the interface Perform the following configuration in Interface V...

Страница 252: ...anagement System NMS Configuring OSPF MIB binding After multiple OSPF processes are enabled you can configure to which OSPF process MIB is bound Perform the following configuration in System View By d...

Страница 253: ...able 250 Enabling disabling OSPF TRAP function Operation Command Enable OSPF TRAP function snmp agent trap enable ospf process_id ifstatechange virifstatechange nbrstatechange virnbrstatechange ifcfge...

Страница 254: ...Figure 57 Networking Diagram Figure 57 Networking for configuring DR election based on OSPF priority Display OSPF routing table display ospf process_id routing Display OSPF virtual links display ospf...

Страница 255: ...itch C interface Vlan interface 1 Switch C Vlan interface1 ip address 196 1 1 3 255 255 255 0 Switch C Vlan interface1 ospf dr priority 2 Switch C router id 3 3 3 3 Switch C ospf Switch C ospf 1 area...

Страница 256: ...g diagram Figure 58 OSPF virtual link configuration networking The following commands configure a virtual link between Switch B and Switch C in Area 1 Configuration procedure 1 Configure Switch A Swit...

Страница 257: ...ther routers is in FULL state Execute the display ospf peer command to view neighbors Execute the display ospf interface command to view OSPF information in the interface Use the ping command to check...

Страница 258: ...licy When a router distributes or receives routing information it must implement policies to filter the routing information so that it can receive or distribute only the routing information that meets...

Страница 259: ...tion refer to Chapter 7 Using QoS ACL Commands IP Prefix The function of the IP Prefix is similar to that of the ACL but it is more flexible and easier for users to understand When the IP Prefix is ap...

Страница 260: ...em should be in permit mode Apply the route policy to filter routing information If the routing information does not match any node the routing policy denies the routing information If all the nodes i...

Страница 261: ...tribution If the destination routing protocol that imports the routes cannot directly reference the route costs of the source routing protocol you should satisfy the requirement of the destination pro...

Страница 262: ...fined to rapidly filter the routing information not satisfying the requirement but if all the items are in the deny mode no route will pass the ip prefix filtering You can define an item of permit 0 0...

Страница 263: ...in the subnet segment When a switch forwards this kind of packet the switch cannot tell whether the packet is a broadcast packet if the switch is not connected with the subnet If a broadcast packet re...

Страница 264: ...ram Figure 60 Filtering the received routing information Configuration procedure 1 Configure Switch A a Configure the IP address of VLAN interface Switch A interface vlan interface 100 Switch A Vlan i...

Страница 265: ...e When a Route Policy is used for the routing information filtering if a piece of routing information does not pass the filtering of any node then it means that the route information does not pass the...

Страница 266: ...Safety Value of the Switch Memory When the Switch memory is equal to or lower than the lower limit OSPF is disconnected and OSPF routes are removed from the routing table Perform the following config...

Страница 267: ...in any view to display the operation of the Route Capacity configuration Table 264 Displaying and debugging route capacity Operation Command Display the route capacity memory information display memor...

Страница 268: ...268 CHAPTER 16 IP ROUTING PROTOCOL OPERATION...

Страница 269: ...o fields net id field and host id field There are five types of IP address See Figure 61 Figure 61 Five Classes of IP Address Class A Class B and Class C are unicast addresses while Class D addresses...

Страница 270: ...ates the broadcast address that is broadcast to all hosts on the network IP address 0 0 0 0 is used for the host that is not put into use after starting up The IP address with network number as 0 indi...

Страница 271: ...figure an IP address with the IP address configuration command The other two methods are described in subsequent chapters The IP address configuration is described in the following sections Configurin...

Страница 272: ...dary IP address if its IP address is set to be allocated by BOOTP or DHCP Displaying and Debugging IP Address After the above configuration enter the display command in any view to display the IP addr...

Страница 273: ...ck whether the Switch can correctly send and receive ARP packets If it can only send but cannot receive ARP packets there are possibly errors occurring on the Ethernet physical layer ARP Configuration...

Страница 274: ...B all the packets standing in the queue Normally dynamic ARP automatically executes and searches for the resolution from the IP address to the Ethernet MAC address without the administrator Configurin...

Страница 275: ...whether the Switch should create ARP table entries for multicast MAC addresses Address resolution for multicast packets is not required because the IANA Internet Assigned Numbers Authority have reserv...

Страница 276: ...Table 272 describes the procedure to configure the gratuitous ARP packet learning function Displaying and Debugging ARP After the above configuration enter the display command in any view to display t...

Страница 277: ...ceiving resilient ARP messages regularly so as to determine if a device serves as a Layer 3 or Layer 2 device Resilient ARP configuration is described in the following sections Enabling Disabling Resi...

Страница 278: ...d respectively Unit 1 through Unit 4 in the XRN network Unit 1 and Unit 3 are connected to the Switch in link aggregation mode Resilient ARP runs on the XRN fabric to avoid packet forwarding problems...

Страница 279: ...ng an IP address using BOOTP the BOOTP client sends the server the BOOTP Request message Upon receiving the request message the server returns the BOOTP Response message The BOOTP client can then obta...

Страница 280: ...Client Server mode With this protocol the DHCP Client can dynamically request configuration information and the DHCP server can configure the information for the Client The DHCP relay serves as condu...

Страница 281: ...he message contains the information of the IP address request from the selected DHCP server Acknowledge stage the stage when the DHCP server acknowledges the IP address When receiving the DHCP_Request...

Страница 282: ...roduction of DHCP relay has solved this problem the clients in a LAN can communicate with DHCP servers in another subnet through DHCP relay to get valid IP addresses Then DHCP clients of multiple diff...

Страница 283: ...s Currently the commonly used sub options in option 82 are sub option 1 sub option 2 and sub option 5 Sub option 1 A sub option of option 82 Sub option 1 represents the agent circuit ID namely Circuit...

Страница 284: ...5 which have the following meanings 1 represents this sub option is for agent circuit ID Circuit ID 2 represents this sub option is for remote agent ID Remote ID 5 represents this sub option is for li...

Страница 285: ...t packet forwarded by the DHCP relay the DHCP server stores the information contained in the option field and sends a packet that contains DHCP configuration information and option 82 to the DHCP rela...

Страница 286: ...re an IP address for the backup DHCP server together with that of the master server Configuring the DHCP Server Group for the VLAN Interfaces Perform the following configuration in VLAN Interface View...

Страница 287: ...ser from accessing external networks if the IP address configured on the user end and the MAC address of the user end do not match any entries including the entries dynamically tracked by the DHCP rel...

Страница 288: ...DHCP security feature is disabled on the VLAN interface Option 82 Supporting Configuration This section contains supporting configuration information for Option 82 Prerequisites Before configuring opt...

Страница 289: ...mask to the VLAN interface so that it is on the same network segment with the two DHCP clients S5500 interface vlan interface 100 S5500 Vlan interface 100 ip address 10 110 1 1 255 255 0 0 4 Specify...

Страница 290: ...ens DHCP broadcast packets When an unauthorized DHCP server exists in the network a DHCP client may obtains an illegal IP address To ensure that the DHCP clients obtain IP addresses from valid DHCP se...

Страница 291: ...g Configuration Table 288 shows the configuration specifications for DHCP snooping Table 288 Configure the DHCP snooping function Operation Command Description Enter system view system view Enable the...

Страница 292: ...nd of accounting when it assigns releases a lease The cooperation of DHCP server and RADIUS server implements the network accounting function and at the same time secures the network to a certain degr...

Страница 293: ...s to start account Service Type Type of the service the user applies for NAS IP Address IP address of the network access server NAS Acct Delay Time Time delay in seconds in sending accounting packets...

Страница 294: ...counting START packets including the first sending attempt at regular intervals If the three packets bring no response from the RADIUS server the DHCP server does not send Accounting START packets any...

Страница 295: ...Client DHCP Server DHCP Server RADI US Server 10 1 2 2 24 DHCP Client RADI US Server 10 1 2 2 24 DHCP Client DHCP Server DHCP Server DHCP Client DHCP Client DHCP Server DHCP Server DHCP Server DHCP S...

Страница 296: ...the above configuration enter the display command in any view to display the running of the DHCP configuration and to verify the effect of the configuration Enter the debugging command in User View t...

Страница 297: ...hcp server groupNo Display information about the DHCP server group to which a specified VLAN interface is mapped display dhcp server interface vlan interface vlan id Display one or all user address en...

Страница 298: ...8 1 2 The DHCP packets should be forwarded using the Switch with DHCP Relay enabled A DHCP Client can get its IP address and other configuration information from the DHCP Server Networking Diagram Fig...

Страница 299: ...mmand to output the debugging information to the console In this way you can view the detailed information of all DHCP packets on the console as they apply for the IP address and so locate the problem...

Страница 300: ...net Port View By default a port is not in an isolation group that is Layer 2 forwarding is achievable between this port and other ports Note that One unit only supports one isolation group That is a p...

Страница 301: ...rts on Layer 2 Enabling Disabling Access Management Trap You can enable the access management trap function using the following commands When this function is enabled the trap information of access ma...

Страница 302: ...dd port 1 into isolation group SW5500 Ethernet1 0 1 port isolate 4 Configure the IP address pool for access management on port 2 SW5500 Ethernet1 0 1 interface ethernt1 0 2 SW5500 Ethernet1 0 2 am ip...

Страница 303: ...it unicasts the response message UDP Helper Configuration UDP Helper configuration includes Enabling Disabling UDP Helper Function Configuring UDP Port with Replay Function Configuring the Relay Desti...

Страница 304: ...is enabled on the VLAN interface then the broadcast packets of a designated UDP port received at the VLAN interface will be unicasted to the destination server Perform the following configuration in V...

Страница 305: ...ay forward the broadcast packets with destination UDP port 55 SW5500 udp helper port 55 3 Set the IP address of the destination server corresponding to VLAN interface 2 as 202 38 1 2 SW5500 interface...

Страница 306: ...timeout time_value Restore synwait timer undo tcp timer syn timeout Configure FIN_WAIT_2 timer in TCP tcp timer fin timeout time_value Restore FIN_WAIT_2 timer undo tcp timer fin timeout Configure the...

Страница 307: ...n port 4296 Use the debugging tcp packet command to enable the TCP debugging to trace the TCP packets Operations include SW5500 terminal debugging SW5500 debugging tcp packet Then the TCP packets rece...

Страница 308: ...308 CHAPTER 17 NETWORK PROTOCOL OPERATION...

Страница 309: ...e can be used if you intend to send the information to all users on the network In either case the end users will receive the information For example if the same information is required by 200 users o...

Страница 310: ...239 255 255 255 Class D addresses cannot appear in the source IP address fields of IP packets During unicast data transmission a packet is transmitted from the source address to the destination addre...

Страница 311: ...ass D address range Meaning 224 0 0 0 224 0 0 255 Reserved multicast addresses addresses of permanent groups Address 224 0 0 0 is reserved The other addresses can be used by routing protocols 224 0 1...

Страница 312: ...t group through IGMP declaration the multicast router on the network will transmit the information sent to the multicast group through the multicast routing protocol Finally the network will be added...

Страница 313: ...forwarded along the shared tree rooted at the RP and with members as the branches To prevent the branches of the shared tree from being deleted PIM sparse mode sends join messages to branches periodi...

Страница 314: ...It is used for multicast group management and control When receiving IGMP messages transmitted between the host and router the Switch 5500 uses IGMP Snooping to analyze the information carried in the...

Страница 315: ...Router port aging time Time set on the router port aging timer If the switch has not received any IGMP general query messages before the timer times out it is no longer considered a router port Multi...

Страница 316: ...to the IGMP query message When received the switch checks if the MAC multicast group is ready to join If the corresponding MAC multicast group does not exist the switch notifies the router that a mem...

Страница 317: ...th in System View and in VLAN View By default IGMP Snooping is disabled Configuring Router Port Aging Time Use the commands in Table 311 to manually configure the router port aging time If the switch...

Страница 318: ...e following configuration in system view By default the aging time of the multicast member is 260 seconds Enabling IGMP Fast Leave Processing Normally when receiving an IGMP Leave message IGMP Snoopin...

Страница 319: ...t You can use the command here to limit the number of multicast groups on a switch port After that users on this port cannot unlimitedly order multicast programs because you have limited the number of...

Страница 320: ...oin Table 316 Configure the maximum number of multicast groups on a port continued Operation Command Description Table 317 Configure multicast VLAN on Layer 3 switch Operation Command Description Ente...

Страница 321: ...LAN service type multicast Required Exit the VLAN view quit Enter the view of the Ethernet port connected to the Layer 3 switch interface interface type interface num Define the port as a trunk or hyb...

Страница 322: ...oping is disabled 1 Input the display current configuration command to display the status of IGMP Snooping 2 If the switch disabled IGMP Snooping check whether the IGMP Snooping is enabled globally an...

Страница 323: ...on multicast configuration includes Enabling multicast Configuring the multicast route limit Clearing MFC forwarding entries or statistics information Clearing route entries from the core multicast ro...

Страница 324: ...f the entry The system does not support the configuring of multicast MAC address on an IRF port If you do this the system will give you a prompt that the multicast MAC address configuration fails You...

Страница 325: ...specifying the interface list argument will enable the feature globally that is on all the ports of the switch Executing this command with the interface list argument specified will enable the feature...

Страница 326: ...hosts participating in multicast must implement IGMP Hosts participating in IP multicast can join and leave a multicast group at any time The number of members of a multicast group can be any integer...

Страница 327: ...ter is necessary to send membership query messages In this case the router election mechanism is required to specify a router as the querier In IGMP Version 1 selection of the querier is determined by...

Страница 328: ...figuration on page 323 Enabling IGMP on an Interface You must enable multicast before you can execute the igmp enable command After this you can initiate IGMP feature configuration Perform the followi...

Страница 329: ...in igmp robust count with the default value as 1 second and at a time interval defined by the seconds in igmp lastmember queryinterval with the default value as 2 3 When other hosts receive the messa...

Страница 330: ...ill cancel the corresponding path Configuring one interface of the router as multicast member can avoid such problem When the interface receives IGMP query packet the router will respond thus ensuring...

Страница 331: ...peration Command Configure a router to join specified multicast group VLAN Interface View igmp host join group_address port interface_type interface_ num interface_name to interface_type interface_ nu...

Страница 332: ...status of the members of the multicast group Perform the following configuration in Interface view The smaller the maximum query response time value the faster the router prunes groups The actual res...

Страница 333: ...router will perform RPF check according to the unicast routing table first If the RPF check is passed the router will create an S G entry and then flood the data to all downstream PIM DM nodes If the...

Страница 334: ...y specified unicast routing protocol such as the routing information learned by RIP and OSPF Assert Mechanism As shown in the Figure 84 both routers A and B on the LAN have their own receiving paths t...

Страница 335: ...DM needs to be enabled in the configuration of all interfaces After PIM DM is enabled on an interface it will send PIM Hello messages periodically and process protocol packets sent by PIM neighbors P...

Страница 336: ...view If resource address filtering is configured as well as basic ACLs then the router filters the resource addresses of all multicast data packets received Those not matched will be discarded If res...

Страница 337: ...hen it means only the RP item will be cleared If in this command the group address is any a group address and source address is 0 where group address can have a mask and source address has no mask the...

Страница 338: ...source_address mask mask_length mask incoming interface interface type interface_number null dense mode sparse mode Display the PIM interface information display pim interface interface type interface...

Страница 339: ...interface12 pim dm PIM SM Overview PIM SM Protocol Independent Multicast Sparse Mode is a multicast routing protocol appropriate for large scale networks for example a WAN where multicast group membe...

Страница 340: ...zvous point RP Each router along the path between the leaf routers and the RP will generate G entries in the forwarding table indicating that all packets sent to multicast group G are applicable to th...

Страница 341: ...ails you can switch over to another BSR A BSR is elected among the C BSRs automatically The C BSR with the highest priority is elected as the BSR If the priority is the same the C BSR with the largest...

Страница 342: ...any direction In this way the PIM SM domain can be split Perform the following configuration in Interface view By default no domain border is set After this configuration is performed a bootstrap mes...

Страница 343: ...in PIM view Candidate BSRs should be configured on the routers in the network backbone By default no BSR is set The default priority is 0 One Switch can only be configured with one candidate BSR When...

Страница 344: ...erval is 30 seconds Users can configure the value according to different network environments This configuration can be performed only after the PIM PIM DM or PIM SM is enabled in Interface view Confi...

Страница 345: ...illegal router is accessed into the network the attacker may set itself as C BSR and try to win the contention and gain authority to advertise RP information among the network Since the router config...

Страница 346: ...xecute debugging command in user view for the debugging of PIM SM PIM SM Configuration Example Networking Requirements In actual network we assume that the switches can intercommunicate Suppose that H...

Страница 347: ...11 pim sm SW5500 vlan interface11 quit SW5500 vlan 12 SW5500 vlan12 port ethernet 1 0 6 to ethernet 1 0 7 SW5500 vlan12 quit SW5500 interface vlan interface 12 SW5500 vlan interface12 igmp enable SW55...

Страница 348: ...e vlan interface 12 SW5500 vlan interface12 pim bsr boundary After VLAN interface 12 is configured as the domain border Switch_D will be excluded from the local PIM domain and will no longer receive t...

Страница 349: ...349...

Страница 350: ...350 CHAPTER 18 MULTICAST PROTOCOL...

Страница 351: ...tching a data packet with the access control rule the issue of match order arises The case of filter or classify the data transmitted by the hardware ACL can be used to filter or classify the data tra...

Страница 352: ...head If the port numbers are in the same range follow the configuration sequence ACL Supported by the Switch Table 361 lists the limits to the numbers of different types of ACL on a Switch Table 361 Q...

Страница 353: ...by the hardware of the Switch the match order defined in the acl command will not be effective If ACL is used to filter or classify the data treated by the software of the Switch the match order of A...

Страница 354: ...lowing command to define the numbered Layer 2 ACL Perform the following configuration in corresponding view Operation Command Enter basic ACL view from System View acl number acl_number match order co...

Страница 355: ...ing from the packet and compares it with the user defined rule string to identify and process the matched packets Activating ACL The defined ACL can be active after being activated globally on the Swi...

Страница 356: ...e ACL and limit Financial Dept access to the payment query server between 8 00 and 18 00 Networking Diagram Figure 88 Access Control Configuration Example Operation Command Activate an ACL packet filt...

Страница 357: ...W5500 acl adv 3000 rule 2 permit ip source 129 111 1 2 0 0 0 0 destination 129 110 1 2 0 0 0 0 3 Activate ACL Activate the ACL 3000 SW5500 GigabitEthernet1 0 50 packet filter inbound ip group 3000 Bas...

Страница 358: ...on Example Configuration Procedure In the following configurations only the commands related to ACL configurations are listed 1 Define the time range Define time range from 8 00 to 18 00 SW5500 time r...

Страница 359: ...affic classification rule while allowing other traffic to pass through With the complex traffic classification rules the Switch enables the filtering of various information carried in Layer 2 traffic...

Страница 360: ...ut the packets of lower priority like e mail in the lower priority queue can guarantee the key service packets of higher priority are transmitted first while the packets of lower service priority are...

Страница 361: ...nfigure the port priority to your requirements priority level ranges from 0 to 7 Configuring the Priority for Protocol Packets Each protocol packet has its own priority Users can modify the priority o...

Страница 362: ...ew Table 371 Configure Monitor Port Only one monitor port can be configured on one Switch If a group of Switches form a fabric only one monitor port can be configured on one fabric 2 Configure the mir...

Страница 363: ...uling is commonly used to resolve the problem that multiple messages compete for resource when the network congestion happens The queue scheduling function puts the packet to the output queue of the p...

Страница 364: ...fining their priority levels Perform the following configurations in the Ethernet Port View Table 382 Setting Traffic Limit 5 5 6 6 7 7 Operation Command Configure COS Local precedence map qos cos loc...

Страница 365: ...ion is used for counting the data packets of the specified traffic that is this function counts the transmitted data which matches the ACL rules After the traffic statistics function is configured the...

Страница 366: ...le rule ip group acl_number rule rule link group acl_number rule rule link group acl_number rule rule Cancel the configuration of traffic statistics undo traffic statistic inbound user group acl_numbe...

Страница 367: ...ion Procedure Command Description Enter system view system view Create or enter advanced ACL view acl number acl number match order config auto By default the matching order is config Define the rule...

Страница 368: ...face vty 0 4 S5500 ui vty0 4 acl 2000 inbound Table 390 Control Telnet using Source MAC Configuration Procedure Command Description Enter system view system view Create or enter Layer 2 ACL view acl n...

Страница 369: ...eration Command Display mirroring configuration display mirror Display queue scheduling mode display queue scheduler Display line rate for outbound packets display qos interface interface_name interfa...

Страница 370: ...for the wage server a Limit average traffic from the wage server at 128 Kbps and label over threshold packets with priority level 4 SW5500 Ethernet1 0 1 traffic limit inbound ip group 3000 128 exceed...

Страница 371: ...or the upper layer device Networking Diagram Figure 95 QoS Configuration Example Configuration Procedure 1 Define the time range Define the time range 8 00 18 00 SW5500 time range 3Com 8 00 to 18 00 d...

Страница 372: ...CLs for the traffic actions before adding the actions to the QoS profile Entering QoS Profile View To configure the QoS profile you must first enter QoS profile view Device Configuration Default Descr...

Страница 373: ...profile to the user port Operation Command Enter QoS profile view qos profile profile name Delete the QoS profile undo qos profile profile name Table 394 Adding Removing Traffic Action to QoS Profile...

Страница 374: ...mand in any view to check the configuration result of the QoS profile Table 398 Displaying QoS Profile Configuration QoS Profile Configuration Example Networking Requirement The Switch implements the...

Страница 375: ...me radius1 SW5500 radius radius1 primary authentication 10 11 1 1 SW5500 radius radius1 primary accounting 10 11 1 2 SW5500 radius radius1 secondary authentication 10 11 1 2 SW5500 radius radius1 seco...

Страница 376: ...t passwords can log successfully onto the Switch In this section only the first level security control ACL configuration is detailed See the Getting Started for the second level control Configuring AC...

Страница 377: ...2 0 SW5500 acl basic 2000 rule 2 permit source 10 110 100 46 0 SW5500 acl basic 2000 quit 2 Import the ACL SW5500 user interface vty 0 4 SW5500 ui vty0 4 acl 2000 inbound Configuring ACL for SNMP User...

Страница 378: ...fferent ACLs in the three commands listed above See the Command Manual for details about these commands You can import only the basic ACLs with digit IDs Operation Command Import the defined ACL into...

Страница 379: ...e management through the Web interface The users can access the Switch through HTTP Controlling such users with ACL can help filter the illegal users and prevent them from accessing the local Switch A...

Страница 380: ...working Diagram Figure 100 Controlling Web NM users with ACL Configuration Procedure 1 Define the basic ACL SW5500 acl number 2030 match order config SW5500 acl basic 2030 rule 1 permit source 10 110...

Страница 381: ...ion switch the switch to which the remote mirroring destination port belong Table 403 gives an illustration of how various ports are involved in the mirroring operation Table 403 The ports involved in...

Страница 382: ...ID set as Remote probe VLAN ID All the ports in this VLAN must be Trunk ports rather than Access ports or Hybrid ports The default VLAN Management VLAN Fabric VLAN and Protocol VLAN cannot be configur...

Страница 383: ...ts of remote mirroring mirroring group group id reflector port reflector port Required The reflector ports of remote mirroring cannot enable STP and have to be Access ports The reflector ports cannot...

Страница 384: ...mand Description Enter system view system view Establish remote probe VLAN and enter VLAN view vlan vlan id The parameter vlan id represents the ID of the remote probe VLAN Define the current VLAN as...

Страница 385: ...mit vlan 10 S5500 Ethernet1 0 1 quit S5500 mirroring group 1 remote source S5500 mirroring group 1 mirroring port ethernet1 0 2 outbound S5500 mirroring group 1 reflector port ethernet1 0 5 S5500 mirr...

Страница 386: ...protocol range the higher the priority 2 Compare the range of source IP addresses Those with smaller source IP address range have higher priority 3 Compare the range of destination IP addresses Those...

Страница 387: ...e 0 permit ip For more information on the display acl command refer to the QoS ACL part of the Switch 5500 Series Ethernet Command Manual Subdividing DSCP while Defining ACL Rules The new version has...

Страница 388: ...duling features configured in a static or manual aggregation group This operation can be done either on a local device or in an XRN across various devices The new feature also supports the use of the...

Страница 389: ...switch outbound Performs ACL control over users Telnetting to other switches from the local switch Table 410 Control Telnet using source IP and destination IP Configuration Procedure Command Descript...

Страница 390: ...r interface vty 0 4 S5500 ui vty0 4 acl 2000 inbound Table 411 Control Telnet using Source MAC Configuration Procedure Command Description Enter system view system view Create or enter Layer 2 ACL vie...

Страница 391: ...devices on the port of LAN access control device If the user s device connected to the port can pass the authentication the user can access the resources in the LAN Otherwise the user cannot access t...

Страница 392: ...Packet Authentication information frame used to carry the authentication information EAPoL Start Authentication originating frame actively originated by the user EAPoL Logoff Logoff request frame act...

Страница 393: ...ach port Setting the Authentication in DHCP Environment Configuring the authentication method for 802 1x user Setting the maximum times of authentication request message retransmission Configuring tim...

Страница 394: ...on the port is macbased That is authentication is performed based on MAC addresses Checking the Users that Log on the Switch using Proxy The following commands are used for checking the users that lo...

Страница 395: ...the Switch sends authentication information to the RADIUS server in the form of EAP packets directly and the RADIUS server must support EAP authentication Perform the following configurations in Syst...

Страница 396: ...extracts the authentication information and delivers it to the AAA server to accomplish the authentication As the four authentication modes that is PEAP EAP TLS EAP TTLS and EAP MD5 are all EAP authe...

Страница 397: ...used for setting the maximum retransmission times of the authentication request message that the Switch sends to the user Perform the following configurations in System View Table 420 Setting the Maxi...

Страница 398: ...pecify how long the duration of a timeout timer of an Authentication Server is The value ranges from 100 to 300 in units of second and defaults to 100 supp timeout Specify the authentication timeout t...

Страница 399: ...end Version Checking Request Packets Configuring the Version Checking Timer Enabling the 802 1x Client Version Checking Function As for the dot1x version check command if you execute it in system view...

Страница 400: ...ax 6 4 Set the version checking timer to 5 seconds S5500 dot1x timer ver period 5 Guest VLAN Configuration The Guest VLAN function enables supplicant systems that are not authenticated to access speci...

Страница 401: ...configured for a switch Supplicant systems that are not authenticated fail to pass the authentication or are offline belong to Guest VLANs Guest VLAN Configuration Example Network requirements Create...

Страница 402: ...units That is the MAC address can only be recognized by the unit the supplicant system directly connected to This may result in broadcast storms in the fabric In an IRF that supports the 802 1x trust...

Страница 403: ...tribute Table 429 Auto QoS 802 1x Configuration Example Networking Requirements As shown in the Figure 106 the workstation of a user is connected to the port Ethernet 1 0 1 of the Switch The switch ad...

Страница 404: ...ADIUS Protocol Configuration The configurations of accessing user workstation and the RADIUS server are omitted 1 Enable the 802 1x performance on the specified port Ethernet 1 0 1 SW5500 dot1x interf...

Страница 405: ...rs to the domain 3com163 net SW5500 isp 3com163 net access limit enable 30 14 Enable idle cut function for the user and set the idle cut parameter in the domain 3com163 net SW5500 isp 3com163 net idle...

Страница 406: ...0 Enabling Disabling Centralized MAC Address Authentication You can configure the centralized MAC address authentication status on the ports first However the configuration does not function on each p...

Страница 407: ...before it re authenticates The Switch does not authenticate during the quiet time Server timeout During the authentication to the user if the connection between the Switch and the RADIUS server times...

Страница 408: ...e 802 1x Configuration Example The configurations of centralized MAC address authentication is similar to 802 1x their differences are 1 Enabling centralized MAC address authentication both globally a...

Страница 409: ...specified services Accounting traces network resources consumed by the user RADIUS Protocol Overview As mentioned above AAA is a management framework so it can be implemented by some protocols RADIUS...

Страница 410: ...which the ACCEPT message indicates that the user has passed the authentication and the REJECT message indicates that the user has not passed the authentication and needs to input their username and pa...

Страница 411: ...plied For the Switch 5500 each user belongs to an ISP domain Up to 16 domains can be configured in the system If a user has not reported their ISP domain name the system will put them into the default...

Страница 412: ...any users can be contained in the ISP For any ISP domain there is no limit to the number of users by default Table 440 Setting Access Limit By default there is no limit to the amount of users Enabling...

Страница 413: ...ent framework for network access control It provides the following three services Authentication Checks if a user can access the network Authorization Authorizes a user to use a specific service Accou...

Страница 414: ...s connected to the switch This server will be used as an authentication server On the switch set the shared key it uses to exchange packets with the RADIUS server to expert Configure the RADIUS scheme...

Страница 415: ...tion Servers IP address 10 110 91 164 Internet Switch Remote user Internet Remote user Internet Authentication Servers IP address 10 110 91 164 Internet Switch Authentication Servers IP address 10 110...

Страница 416: ...e client opens the default explorer IE or NetScape locate the specified URL page used to change the user password on the self service server Change user password on this page Perform the following con...

Страница 417: ...LAN name assigned by the RADIUS server is a string that contains only digital characters for example 1024 and the string can be transformed to an integer number in the valid VLAN range the switch tran...

Страница 418: ...Creating a Local User A local user is a group of users set on NAS The user name is the unique identifier of a user A user requesting network service may use local authentication only if its correspond...

Страница 419: ...l when you configure a service type If you set multiple service types and specify the user levels then only the last configured user level is valid Some of the service types allow a user privilege lev...

Страница 420: ...attributes of every RADIUS scheme include IP addresses of primary and secondary servers shared key and RADIUS server type RADIUS protocol configuration only defines some necessary parameters used for...

Страница 421: ...r groups of IP addresses and UDP port numbers However as a minimum you have to set one group of IP address and UDP port number for each pair of primary secondary servers to ensure the normal AAA opera...

Страница 422: ...ervers as the primary and the secondary accounting servers respectively or specify one server to function as both To guarantee the normal interaction between NAS and RADIUS server you are supposed to...

Страница 423: ...me accounting request can fail to be responded to no more than 5 times Enabling Disabling the Stopping Accounting Request Buffer Because the stopping accounting request concerns the account balance an...

Страница 424: ...er s online information The user re authentication at reboot feature is designed to resolve this problem After this feature is enabled every time the switch reboots The switch generates an Accounting...

Страница 425: ...5 algorithm to encrypt the exchanged packets The two ends verify the packet through setting the encryption key Only when the keys are identical can both ends accept the packets from each other and giv...

Страница 426: ...an RADIUS authentication packet is to fill the Framed Protocol attribute in the RADIUS authentication request packet based on the access mode of the user Setting Retransmission Times of RADIUS Request...

Страница 427: ...servers are in the state of active and the secondary accounting authentication servers are in the state of block Setting the Username Format Transmitted to the RADIUS Server As mentioned above the use...

Страница 428: ...authorization packet configured by the command key authentication in RADIUS Scheme View Configuring Source Address for RADIUS Packets Sent by NAS Perform the following configurations in the correspond...

Страница 429: ...the following command to set a real time accounting interval Perform the following configurations in RADIUS Scheme View Table 467 Setting a Real time Accounting Interval minute specifies the real time...

Страница 430: ...ut Table 470 Displaying and Debugging AAA and RADIUS Protocol Operation Command Display the configuration information of the specified or all the ISP domains display domain isp_name Display related in...

Страница 431: ...entication server is expert The Switch cuts off the domain name from username and sends the remaining part to the RADIUS server Networking Topology Figure 110 Configuring the Remote RADIUS Authenticat...

Страница 432: ...ng the FTP Telnet User Local Authentication Configuring local authentication for FTP users is similar to that for Telnet users The following example is based on Telnet users Networking Requirements Co...

Страница 433: ...Disable Self service Disable Messenger Time Disable This system domain uses the local scheme It is not recommended that you change the system domain as it could result in locking all users out of the...

Страница 434: ...802 1x is enabled on port Ethernet1 0 11 802 1x is enabled on port Ethernet1 0 12 802 1x is enabled on port Ethernet1 0 14 802 1x is enabled on port Ethernet1 0 15 802 1x is enabled on port Ethernet1...

Страница 435: ...d RADIUS server of ISP So it is likely to be invalid Fault One User authentication authorization always fails Troubleshooting The username may not be in the userid isp name format or NAS has not been...

Страница 436: ...h 5500 provides debugging of RADIUS Terminal debugging can be enabled with the command 5500 xx terminal debugging Once enabled different debug traces can be enabled to the terminal For example to turn...

Страница 437: ...SSH Terminal Services File Attribute Configuration FTP Lighting Configuration TFTP Lighting Configuration File System Overview The Switch provides a flash file system for efficient management of the...

Страница 438: ...e separate For example you delete a file with the main attribute from the flash memory however the mapping relationship between the main attribute and the name of this file is not cancelled And after...

Страница 439: ...boot boot loader file url fabric Optional Assign the backup attribute to a file so as to use this file as the backup boot file upon next startup boot boot loader backup attribute file url fabric Optio...

Страница 440: ...cd directory command for changing focus to a different switches file system or the unit2 flash device name parameter for the command reset recycle You can use the following commands to perform file o...

Страница 441: ...on files includes Display the current configuration and saved configuration of the Switch Save the current configuration Erase configuration files from Flash Memory Displaying the Current configuratio...

Страница 442: ...rs for initialization when the Switch is powered on for the next time Perform the following configuration in User View Table 480 Erase Configuration Files from Flash Memory You may erase the configura...

Страница 443: ...is still used widely while most users transmit files using e mail and Web FTP a TCP IP protocol on the application layer is used for transmitting files between a remote server and a local host The Swi...

Страница 444: ...the ftp command You need first get FTP user command and password and then log into the remote FTP server Then you can get the directory and file authority PC Start FTP server and make such settings as...

Страница 445: ...Table 489 Configure FTP Server Connection Timeout By default the FTP server connection timeout is 30 minutes Use a specified source interface to establish a connection with an FTP server ftp cluster...

Страница 446: ...creating or deleting a directory Configuring Source IP Address for TFTP Service Packets You can configure source IP address or source interface for the TFTP server and TFTP client to enhance service...

Страница 447: ...purpose Networking Diagram Figure 113 Networking for FTP Configuration Configuration Procedure 1 Configure the FTP server parameters on the PC a user named as Switch password hello read and write auth...

Страница 448: ...TP client The configuration on FTP server Configure a FTP user named as Switch with password hello and with read and write authority over the flash root directory on the PC The IP address of a VLAN in...

Страница 449: ...een the clients and server TFTP is implemented on the basis of UDP TFTP transmission is originated from the client end To download a file the client sends a request to the TFTP server and then receive...

Страница 450: ...erver The IP address of a VLAN interface on the Switch is 1 1 1 1 and that of the PC is 2 2 2 2 The interface on the Switch connecting the PC belong to the same VLAN The Switch application switch app...

Страница 451: ...of a device and the port ID of the Switch connected to it The dynamic entries not configured manually are learned by the Switch The Switch learns a MAC address in the following way after receiving a d...

Страница 452: ...can manually add modify or delete the entries in MAC address table according to the actual needs They can also delete all the unicast MAC address table entries related to a specified port or delete a...

Страница 453: ...ies Setting the Max Count of MAC Addresses Learned by a Port With the address learning function a Switch can learn new MAC addresses After its received a packet destined for an already learned MAC add...

Страница 454: ...nts The user logs into the switch using the Console port to display the MAC address table Switch display the entire MAC address table of the the switch If this switch is a member of a stack then the e...

Страница 455: ...0s and add a static address 00e0 fc35 dc71 to Ethernet1 0 2 in vlan1 Networking Diagram Figure 119 Typical Configuration of Address Table Management Configuration Procedure 1 Enter the System View of...

Страница 456: ...the following configuration in User View and the display schedule reboot command can be performed in any view Table 502 Reboot the Switch Designating the APP Adopted when Booting the Switch Next Time...

Страница 457: ...ote upgrade using the right commands The Switch serves as FTP client and the remote PC as FTP server The configuration on the FTP server Configure an FTP user named as Switch with password hello and w...

Страница 458: ...t command in User View to establish FTP connection then enter the correct username and password to log into the FTP server SW5500 ftp 2 2 2 2 Trying Press CTRL K to abort Connected 220 WFTPD 2 0 servi...

Страница 459: ...urce IP Address Source Interface IP Address When you use the telnet ip address port command to log into another device from your current switch that acts as a Telnet client you cannot specify the sour...

Страница 460: ...ault the UTC time zone is adopted Setting the Summer Time You can set the name start and end time of the summer time Perform the following operations in the User View Table 511 Setting the Summer Time...

Страница 461: ...e relevant chapters The following display commands are used for displaying the system state and the statistics information Configuration agent is one of the XRN features You can log into one Switch of...

Страница 462: ...witches Figure 121 Debug Output You can use the following commands to control the above mentioned debugging Perform the following operations in User View Display the current configuration display curr...

Страница 463: ...ynchronization switch of the whole fabric If you enabled the information synchronization switch after the synchronization information statistics and detection you must execute the undo info center swi...

Страница 464: ...iodical testing Perform the following configuration in System View Table 518 Test Periodically if the IP address is Reachable The Switch can ping an IP address every one minute to test if it is reacha...

Страница 465: ...g on network It is an enhanced alternative to the ping command Remote ping test group is a set of remote ping test parameters A test group contains several test parameters and is uniquely identified b...

Страница 466: ...is equivalent to the n parameter in the ping command Automatic test interval This parameter is used to allow the system to automatically perform the same test at regular intervals Test timeout time T...

Страница 467: ...ount 10 S5500 remote ping administrator icmp timeout 3 4 Enable the test operation S5500 remote ping administrator icmp test enable Configure the test parameters Configure the destination IP address o...

Страница 468: ...info center the first part will be Priority For example 187 Jun 7 05 22 03 2003 SW5500 IFNET 6 UPDOWN Line protocol on interface Ethernet1 0 2 changed state to UP The description of the components of...

Страница 469: ...ule name 4 Module name The module name is the name of module which created this logging information the following sheet lists some examples Table 520 Module Names in Logging Information Module name De...

Страница 470: ...nformation is in Table 521 IP IP module IPC Inter process communication module IPMC IP multicast module L2INF Interface management module LACL LANswitch ACL module LQOS LANswitch QoS module LS Local s...

Страница 471: ...tions that is Console monitor to Telnet terminal logbuffer loghost trapbuffer and SNMP The log is divided into 8 levels according to the significance and it can be filtered based on the levels The inf...

Страница 472: ...ne which modules and information to be sent out and the time stamp format of information and so on You must turn on the Switch of the corresponding module before defining output debugging information...

Страница 473: ...current terminal display function using the terminal monitor command Device Configuration Default Value Configuration Description Switch Enable info center By default info center is enabled Other con...

Страница 474: ...d only if the info center is enabled Set the information output direction to SNMP Set information source You can define which modules and information to be sent out and the time stamp format of inform...

Страница 475: ...have different default settings of log trap and debugging When there is no specific configuration record for a module in the channel use the default one If you want to view the debugging information...

Страница 476: ...information classification and outputting 2 Configuring to output information to the control terminal Perform the following operation in Table 534 Table 532 Configure the information to be sent to lo...

Страница 477: ...configuring information source meantime using the debugging command to turn on the debugging Switch of those modules You can use the following commands to configure log information debugging informat...

Страница 478: ...so on Perform the following operation in System View Table 540 Defining Information Source Operation Command Enable terminal display function of debugging information terminal debugging Disable termi...

Страница 479: ...ommands to configure log information debugging information and the time stamp output format of trap information Perform the following operation in System View Table 541 Configuring the Output Format o...

Страница 480: ...ow it will not be output channel number specifies the channel number and channel name specifies the channel name When defining the information sent to the log buffer channel number or channel name mus...

Страница 481: ...ng operation in System View Table 548 Configuring to Output Information to Trap Buffer 3 Configuring the information source on the Switch With this configuration you can define the information that is...

Страница 482: ...se the following commands to configure log information debugging information and the time stamp output format of trap information Perform the following operation in System View Table 550 Configuring t...

Страница 483: ...ugging Switch of those modules You can use the following commands to configure log information debugging information and the time stamp output format of trap information Perform the following operatio...

Страница 484: ...nter You can also authenticate the effect of the configuration by viewing displayed information By performing the reset command in User View you can clear the statistics of info center Perform the fol...

Страница 485: ...ity level above informational will be sent to the loghost The output language is English The modules that allowed to output information are ARP and IP Networking Diagram Figure 127 Schematic Diagram o...

Страница 486: ...t be consistent with info center loghost and info center loghost a b c d facility configured on the Switch Otherwise the log information probably cannot be output to the loghost correctly c After the...

Страница 487: ...mmand as the super user root mkdir var log SW5500 touch var log SW5500 information b Edit file etc syslog conf as the super user root add the following selector actor pairs SW5500 configuration messag...

Страница 488: ...the log information of the Switch to Unix loghost The IP address of the loghost is 202 38 1 10 The information with the severity level above informational will be sent to the loghost The output langua...

Страница 489: ...twork devices such as a Switch Hub so that the devices become network facilities with RMON probe function RMON NMS uses the basic SNMP commands to exchange data information with SNMP Agent and collect...

Страница 490: ...ds to add delete an entry to from the history control terminal Perform the following configuration in Ethernet Port View Table 560 Add Delete an Entry to from the History Control Terminal Adding Delet...

Страница 491: ...onfiguration Display and Debug RMON Operation Command Add an entry to the extended RMON alarm table rmon prialarm entry number alarm var alarm des sampling timer delta absolute changeratio rising thre...

Страница 492: ...rs packets 0 CRC alignment errors 0 collisions 0 Dropped packet events due to lack of resources 0 Packets received according to length in octets 64 644 65 127 518 128 255 688 256 511 101 512 1023 3 10...

Страница 493: ...system clocks are synchronized as follows Switch A sends an NTP packet to Switch B The packet carries the timestamp 10 00 00am T1 that tells when it left Switch A When the NTP packet arrives at Switc...

Страница 494: ...the local Switch the local equipment operates in symmetric active mode If you configure an interface on the local Switch to transmit NTP broadcast packets the local Switch will operate in broadcast mo...

Страница 495: ...cal Switch to the peer will be taken priority indicates the peer will be the first choice for the time server Configuring NTP Broadcast Server Mode Designate an interface on the local Switch to transm...

Страница 496: ...tication key ID keyid ranges from 0 to 4294967295 ttl number of the multicast packets ranges from 1 to 255 and the multicast IP address defaults to 224 0 1 1 This command can only be configured on the...

Страница 497: ...571 Set the Specified Key as Reliable Key number key number ranges from 1 to 4294967295 Designating an Interface to Transmit NTP Message If the local equipment is configured to transmit all the NTP m...

Страница 498: ...itation The first matched authority will be given Perform the following configurations in System View Table 574 Set Authority to Access a Local Switch IP address ACL number is specified through the ac...

Страница 499: ...typical NTP configurations Configure NTP Server Network Requirements On Switch1 set the local clock as the NTP master clock at stratum 2 On Switch 2 configure Switch 1 as the time server in server mo...

Страница 500: ...by Switch 1 Before the synchronization the Switch 2 is shown in the following status switch2 display ntp service status clock status unsynchronized clock stratum 16 reference clock ID none nominal fr...

Страница 501: ...5 127 127 1 0 LOCAL 0 7 377 64 57 0 0 0 0 1 0 5 1 0 1 11 0 0 0 016 0 64 0 0 0 0 0 0 5 128 108 22 44 0 0 0 0 16 0 64 0 0 0 0 0 0 note 1 source master 2 source peer 3 selected 4 candidate 5 configured N...

Страница 502: ...811A112 By this time Switch 4 has been synchronized by Switch 5 and it is at stratum 2 or higher than Switch 5 by 1 Display the sessions of Switch 4 and you will see Switch 4 has been connected with S...

Страница 503: ...from Switch 3 while Switch 4 is synchronized by Switch 3 after receiving its broadcast packet After the synchronization you can find the state of Switch 4 as follows switch4 display ntp service status...

Страница 504: ...t as a multicast server switch3 Vlan Interface2 ntp service multicast server 2 Configure Switch 4 a Enter System View switch4 system view b Enter Vlan interface2 view switch4 interface vlan interface...

Страница 505: ...a Enter System View switch2 system view b Set Switch 1 as time server switch2 ntp service unicast server 1 0 1 11 c Enable authentication switch2 ntp service authentication enable d Set the key switc...

Страница 506: ...egotiation stage Otherwise the server clears the TCP connection Key negotiation stage Both ends negotiate key algorithm and compute session key The server randomly generates its RSA key and sends the...

Страница 507: ...ther a username they key in exists or not This is also a way to protect a username Configuring SSH Server Basic configuration tasks refer to those required for successful connection from SSH client to...

Страница 508: ...the client user must be configured on the Switch that is to perform the 7 and 8 serial number marked configuration By default no authentication type is specified for a new user so they cannot access t...

Страница 509: ...n characters since the system can remove the blank space automatically But the public key should be composed of hexadecimal characters Terminate public key editing and save the result with the public...

Страница 510: ...ivate key file If you specify RSA authentication for the SSH user you must specify RSA private key file The RSA key which includes the public key and private key are generated by the client software T...

Страница 511: ...the following lines of text before the existing text rsa peer public key mykey public key code begin where myKey is a name used to identify the key within the switch you may choose any name for this...

Страница 512: ...ion e g keys bat This file can be transferred to the switch using FTP or TFTP The key is installed using the execute command in the System view SW5500 execute keys bat Specifying Server IP Address Sta...

Страница 513: ...ocol Select SSH for the Protocol item Choosing SSH Version Click the left menu Category Connection SSH to enter the interface shown in Figure 140 Figure 140 SSH Client Configuration Interface 2 You ca...

Страница 514: ...Choose a desired file and click OK Opening SSH Connection Click Open to enter SSH client interface If it runs normally you are prompted to enter username and password See Figure 142 Figure 142 SSH cl...

Страница 515: ...n mode scheme SW5500 ui vty0 4 protocol inbound ssh SW5500 local user client001 SW5500 luser client001 password simple 3com SW5500 luser client001 service type ssh SW5500 ssh user client001 authentica...

Страница 516: ...5500 rsa public peer public key end SW5500 ssh user client002 assign rsa key key002 You need to specify RSA private key which corresponds to the public key for the SSH user client002 Run SSH1 5 client...

Страница 517: ...al You can use the undelete command to restore the files which are deleted by using the delete command without the unreserved keyword Delete the files in the recycle bin completely reset recycle bin f...

Страница 518: ...ocol in the TCP IP protocol suite It is used for file transfer between remote server and local host The Ethernet switch provides the following FTP services FTP server A user runs FTP client on a PC an...

Страница 519: ...g into the remote FTP server Required For detailed configuration refer to the configuration instruction relevant to FTP client Upload file from the FTP client to the FTP server Required For detailed c...

Страница 520: ...used to transfer programs ASCII code used to transfer text files Before configuring TFTP the network administrator should first configure the IP addresses of the TFTP client and server and ensure that...

Страница 521: ...t the SWITCH 5500 switch is downloading file from a TFTP server and will stop rotating when the file downloading is finished as show in Figure 145 S w itc h P C N e tw o rk S w itc h S w itc h P C N e...

Страница 522: ...522 CHAPTER 22 FILE SYSTEM MANAGEMENT...

Страница 523: ...port The backup switch is connected to the upstream network through its Ethernet1 0 2 port The virtual router IP address of the backup group is 10 100 10 1 Enable the port tracking function on Ethern...

Страница 524: ...w and enable the port tracking function S5500 interface vlan interface2 S5500 Vlan interface2 vrrp vlan Interface 2 vrid 1 track Ethernet Master Host 1 Host 2 Host 3 10 100 10 7 10 100 10 8 10 100 10...

Страница 525: ...describes the Dynamically Apply ACL by RADIUS Server configurations Table 590 Configuring Dynamically Apply ACL by RADIUS Server Device Configuration Configuration link RADIUS server Configure user a...

Страница 526: ...a The user name is test and its authentication password is test It is accessed on Ethernet1 0 1 of the switch and belongs to the test163 net domain Its corresponding ACL is ACL 3000 and the content of...

Страница 527: ...sers See Figure 150 Figure 150 The first step 2 Create a new user and then on the General Attributes page input the password of the user meanwhile set the Account Expiration Date as Dec 31 2049 See Fi...

Страница 528: ...LY APPLY ACL BY RADIUS SERVER CONFIGURATION Figure 152 The third step 4 Click Options Encryption Keys set the encryption key See Figure 153 Figure 153 The fourth step 5 Input the NAS IP and the encryp...

Страница 529: ...radius radius1 key accounting aaaa 4 Order the switch to delete the user domain name from the user name and then send the user name to the RADIUS sever S5500 radius radius1 user name format without d...

Страница 530: ...0 153 1 9 Access 8021X Auth CHAP Port Ether Port NO 0x10001001 Initial VLAN 1 Authorization VLAN 1 ACL Group 3000 CAR Disable Priority Disable Start 2005 01 02 20 43 56 Current 2005 01 02 20 50 00 Onl...

Страница 531: ...ommand Set the detecting interval to 60 seconds the maximum number of retries to 3 and the timeout time to 3 seconds Table 591 Configure the auto detect function Operation Command Description Enter sy...

Страница 532: ...5500 detect group 10 timer wait 3 S5500 detect group 10 quit Auto Detect Implementation The results of auto detect operations reachable or unreachable can be used to determine whether or not to enable...

Страница 533: ...detecting group 8 is reachable Network diagram Figure 156 Network diagram for static routing Table 592 Configure the auto detect function for a static route Operation Command Description Enter system...

Страница 534: ...iguring the Auto Detect Function for VRRP You need to create a detecting group and perform VRRP related configurations before the following operations Configuration Example Network requirements Switch...

Страница 535: ...500 B vlan interface1 vrrp vrid 1 priority 110 S5500 B vlan interface1 vrrp vrid 1 track detect group 9 reduced 20 2 Configure Switch D a Assign an IP address to VLAN 1 interface S5500 D system view S...

Страница 536: ...up that is the result of the detecting group becomes reachable again the system enables the primary VLAN interface and shuts down the secondary Configuring the Auto Detect Function for VLAN Interface...

Страница 537: ...24 d Add Ethernet1 0 2 port to VLAN 2 S5500 A vlan 2 S5500 A vlan2 port ethernet1 0 2 e Assign an IP address to VLAN 2 interface S5500 A interface vlan interface 2 S5500 A vlan interface2 ip address 1...

Страница 538: ...address of 192 168 1 2 as the next hop and set the detecting number to 1 S5500 A detect group 10 detect list 1 ip address 10 1 1 4 nexthop 192 168 1 2 S5500 A detect group 10 quit h Specify to enable...

Страница 539: ...decide the topology of the network The configuration BPDU contains the information enough to ensure the Switches to compute the spanning tree The configuration BPDU mainly contains the following info...

Страница 540: ...strates the network Figure 160 Switch Networking To facilitate the descriptions only the first four parts of the configuration BPDU are described in the example They are root ID expressed as Ethernet...

Страница 541: ...o root with the value made by the root path cost plus the path cost corresponding to the root port the designated bridge ID with the local Switch ID and the designated port ID with the local port ID T...

Страница 542: ...ications made on its configuration BPDU However CP2 will be blocked and its BPDU also remains the same but it will not receive the data excluding the STP packet forwarded from Switch B until spanning...

Страница 543: ...an occasional loop may still occur In RSTP a transitional state mechanism is thus adopted to ensure the new configuration BPDU has been propagated throughout the network before the root port and desi...

Страница 544: ...Switch A and Switch B Enable the STP feature on the Switch Enable the STP feature on the port The STP feature is disabled from the Switch but will be enabled on all ports once being enabled on the Sw...

Страница 545: ...ynchronous packets eliminating unnecessary forwarding delay Specify the Path Cost on a port Specify the standard to follow in Path Cost calculation The Switch gets the path cost of a port from the lin...

Страница 546: ...culation The Switch gets the path cost of a port from the link rate under the IEEE 802 1t standard The path cost of a port is closely related to the transmission rate of the link the port connected wi...

Страница 547: ...nt role in root port selection You can make a port to be root port by giving it a smallest preference value Configure whether to connect a port with a peer to peer link RSTP can detect automatically w...

Страница 548: ...one spanning tree will be generated on one Switched network To ensure the successful communication between VLANs on a network all of them must be distributed consecutively along the STP path otherwise...

Страница 549: ...root bridge or secondary root bridge you cannot modify the bridge priority of the Switch A Switch can either be a primary or secondary root bridge but not both of them If the primary root of a spannin...

Страница 550: ...red too short occasional path redundancy may occur If the Forward Delay is configured too long restoring the network connection may take a long time It is recommended to use the default setting By def...

Страница 551: ...eout Factor of the Bridge It is recommended to set 5 6 or 7 as the value of multiple in the steady network By default the multiple value of hello time of the bridge is 3 Specifying the Maximum Transmi...

Страница 552: ...t directly connected to the terminal as an EdgePort so that the port can transfer immediately to the forwarding state By default all the Ethernet ports are configured as non EdgePort Specifying the Pa...

Страница 553: ...hernet port you can put a specified Ethernet port into the final spanning tree Generally the lower the value is set the higher priority the port has and the more likely it is for this Ethernet port to...

Страница 554: ...the port to work in RSTP mode This command can only be issued if the bridge runs RSTP in RSTP mode and has no effect in the STP compatible mode You can use the following command to configure mCheck o...

Страница 555: ...e the security functions of the Switch Perform the following configuration in corresponding views Table 613 Configure the Switch Security Function After being configured with BPDU protection the Switc...

Страница 556: ...m user computers and they are connected to Switch C and Switch B with uplink ports You can configure RSTP on the Switch B through Switch F to meet these requirements Only the configurations related to...

Страница 557: ...itEthernet2 0 1 stp root protection SW5500 interface Gigabitethernet 2 0 2 SW5500 GigabitEthernet2 0 2 stp root protection 2 Configure Switch B a Enable RSTP globally SW5500 stp enable b The port RSTP...

Страница 558: ...ection SW5500 interface Ethernet 1 0 3 SW5500 Ethernet1 0 3 stp root protection RSTP operating mode time parameters and port parameters take default values 4 Configure Switch D a Enable RSTP globally...

Страница 559: ...le Configuration Operation Command Description Enter system view system view Create PoE Profile poe profile profilename Required Enter PoE Profile view while creating PoE Profile Configure the relevan...

Страница 560: ...the PoE Profile configuration of each Unit remains the same as it was before the split PoE Profile Configuration Example Network requirements Ethernent1 0 1 through thernet1 0 10 ports of the Switch...

Страница 561: ...me Profile1 4 Create Profile 2 and enter poe profile view S5500 poe profile profile2 5 In Profile 2 add the PoE policy configuration applicable to Ethernet1 0 6 through Ethernet1 0 10 ports for type A...

Страница 562: ...to Ethernet1 0 1 through Ethernet1 0 5 ports S5500 apply poe profile profile1 interface ethernet1 0 1 to ethernet1 0 5 8 Apply the configured Profile 2 to Ethernet1 0 6 through Ethernet1 0 10 ports S...

Страница 563: ...server software operated on network devices Network Management Station can send GetRequest GetNextRequest and SetRequest messages to the Agent Upon receiving the requests from the Network Management S...

Страница 564: ...PV2 RFC1907 RMON II Probe Config RFC2021 IP FORWARDING MIB RFC2096 Interfaces MIB RFC2233 SNMP FRAMEWORK MIB RFC2571 SNMP MPD MIB RFC2572 SNMP NOTIFICATION MIB SNMP TARGET MIB RFC2573 RADIUS AUTH CLIE...

Страница 565: ...Deleting a View Set the Size of SNMP Packet Sent Received by an Agent Enable Disable a Port Transmitting Trap Information SNMP Agent Disable SNMP Agent Private MIB Configuration Management MIB Flash...

Страница 566: ...ble 618 Enable Disable SNMP Agent to Send Trap Setting the Destination Address of Trap You can use the following commands to set or delete the destination address of the trap Perform the following con...

Страница 567: ...r Remote Device You can use the following commands to set the engine ID of a local or remote device Perform the following configuration in System View Table 622 Set the Engine ID of a Local or Remote...

Страница 568: ...uration in System View Operation Command Setting an SNMP group snmp agent group v1 v2c group name read view read view write view write view notify view notify view acl acl list snmp agent group v3 gro...

Страница 569: ...mmand setting the set command device status Configuring the Network Management Operation Logging Function In a network that contains no fabric you can use the display logbuffer command to view the log...

Страница 570: ...splay the modules with trap enabled and the module with trap not enabled display snmp agent trap list Display the statistics information about SNMP packets display snmp agent statistics Display the en...

Страница 571: ...ch SW5500 snmp agent sys info contact Mr Wang Tel 3306 SW5500 snmp agent sys info location telephone closet 3rd floor 5 Enable SNMP agent to send the trap to Network Management Station whose ip addres...

Страница 572: ...nmp agent mib view included ViewDefault snmpVacmMIB SW5500 display snmp agent mib view View name ViewDefault MIB Subtree iso Subtree mask Storage type nonVolatile View Type included View status active...

Страница 573: ...interface type interface number Optional Use a specified source IP address to establish a connection with a TFTP server tftp tftp server source ip ip addr Optional Use a specified source interface to...

Страница 574: ...type interface number Optional Table 632 Configure source IP address for service packets continued Operation Command Remarks Table 633 Display the source IP address configuration Operation Command Dis...

Страница 575: ...and prompts the user to change the password as soon as possible Telnet and SSH passwords all password aging sub functions are applicable Super passwords only the password aging time setting and the p...

Страница 576: ...rom re logging in forever The user is allowed to log into the switch again only after the administrator manually removes the user from the user blacklist 3 Allow the user to log in again without any i...

Страница 577: ...Table 635 Configure password aging Operation Command Description Enter system view system view Enable password aging password control aging enable Optional By default password aging is enabled Set ag...

Страница 578: ...assword or the two input passwords are inconsistent After the user changes the password successfully the switch saves the old password in a readable file in the flash memory The switch does not provid...

Страница 579: ...ng Operation Command Description Enter system view system view Enable history password recording password control history enable Optional By default history password recording is enabled Configure the...

Страница 580: ...ddress the blacklist will not affect the user any more when the user logs into the switch Table 639 Configuring a user login password in encryption mode Operation Command Description Enter system view...

Страница 581: ...ration of the password control and verify your configuration Table 641 Manually remove one or all user entries in the blacklist Operation Command Description Enter system view system view Delete one s...

Страница 582: ...est password Password Confirm Updating the password file please wait 3 Enable password aging S5500 S5500 password control aging enable Password aging enabled for all users Default 90 days 4 Enable the...

Страница 583: ...tion Disable Password History was last reset 38 days ago 8 Display the names and corresponding IP addresses of all the users that have been added to the blacklist because of password attempt failure S...

Страница 584: ...584 CHAPTER 30 PASSWORD CONTROL CONFIGURATION OPERATIONS...

Страница 585: ...other protocol independent multicast sparse mode PIM SM domains MSDP is only valid for the any source multicast ASM model MSDP describes a mechanism of interconnecting multiple PIM SM domains It requ...

Страница 586: ...accept SA messages only from the correct paths and forward the SA messages thus avoiding SA message loop In addition you can configure a mesh group among MSDP peers to avoid SA flooding among MSDP pee...

Страница 587: ...icast data sent by all the multicast sources in the entire PIM SM domain As described above RPs exchange information among one another through MSDP a multicast source registers with the nearest RP and...

Страница 588: ...he SA message and the first multicast data received by the RP in the PIM SM1 domain 5 If group members namely receivers exists in the PIM SM domains where MSDP peers of RP1 reside for example if group...

Страница 589: ...elongs to the same MSDP mesh group with the receiver the receiver accepts the SA message and forwards it to peers out of the mesh group For example when RP2 sends an SA message to RP4 RP4 accepts the...

Страница 590: ...d to handle them based on the configured filtering policy using the rp policy parameter When configuring multiple static RPF peers for the same router you must follow the following two configuration m...

Страница 591: ...there will be no reconnection attempts However the configuration information is kept Configuration Prerequisites Before configuring an MSDP peer connection you need to configure A unicast routing pro...

Страница 592: ...one another The same group name must be configured on all the peers If you add the same MSDP peer into multiple mesh groups only the latest configuration takes effect Table 645 Configure description...

Страница 593: ...receiver In order for the new receiver to know about the currently active multicast source as quickly as possible the router needs to send SA request messages to the MSDP peer Generally a router accep...

Страница 594: ...A message An MSDP peer can be configured to advertise only the S G entries in the multicast routing table that satisfy the filtering rule when the MSDP creates the SA message that is to control the S...

Страница 595: ...ext SA message You can configure the number of SA entries cached in each MSDP peer on the router by executing the following command but the number must be within the system limit The system sets the m...

Страница 596: ...up the switch directly connected to the receiver can send a Join message to the nearest RP on the topology Configure the maximum number of SA messages cached peer peer address sa cache maximum sa limi...

Страница 597: ...100 SwitchC Vlan interface100 pim sm SwitchC Vlan interface100 interface vlan interface 200 SwitchC Vlan interface200 pim sm SwitchC Vlan interface200 interface vlan interface 110 SwitchC Vlan interf...

Страница 598: ...lag SPT ACT UpTime 00 03 32 Upstream interface Vlan interface101 RPF neighbor 192 168 3 2 Downstream interface s information Total number of downstreams 1 1 Vlan interface100 Protocol pim sm UpTime 00...

Страница 599: ...eck that the address of the local connect interface interface is consistent with the address of the corresponding MSDP peer No SA Entry in the SA Cache of the Router Symptom An MSDP fails to send S G...

Страница 600: ...600 CHAPTER 31 MSDP CONFIGURATION...

Страница 601: ...is not necessary Topology discovery and display functions that help network monitoring and debugging Concurrent software upgrade and parameter configurations on multiple switches Being free from topo...

Страница 602: ...uster can be the management device a member device or a candidate device Figure 175 shows the role changing rule Table 655 Devices in a cluster Role Configurations Functions Management device Is confi...

Страница 603: ...all the activated ports regularly The packet carries the holdtime indicating how long the receiving device has to keep the updating data The receiver only keeps the information in the NDP packet but...

Страница 604: ...ce collects topology information about all the member and candidate devices to provide useful information for a user when he establishes a cluster The management device learns the network topology thr...

Страница 605: ...Enter the Ethernet port interface interface type interface number Enable port NDP ndp enable Required Table 657 Configure NDP parameters Operation Command Remark Enter system view system view Configu...

Страница 606: ...ers continued Operation Command Remark Table 661 Configure cluster parameters manually Operation Command Remark Enter system view system view Specify the management VLAN management vlan vlan id This i...

Страница 607: ...based on your instructions Table 661 Configure cluster parameters manually continued Operation Command Remark Table 663 Configure internal external interaction Operation Command Description Enter syst...

Страница 608: ...the Ethernet port interface interface type interface number Enable port NDP ndp enable Required Table 666 Enable system and port NTDP Operation Command Remark Enter system view system view Enable syst...

Страница 609: ...switch to a member device according to the MAC address Table 669 Display and maintain cluster configurations Operation Command Remark Display global NDP configuration information including NDP packet...

Страница 610: ...of the SNMP site and logging host is 69 172 55 4 Network diagram Cluster Management Configuration procedure 1 Configure the management device a Enable system NDP and port NDP on E1 0 2 and E1 0 3 S55...

Страница 611: ...n collection as 3 minutes S5500 ntdp timer 3 i Enable the cluster function S5500 cluster enable j Enter cluster view S5500 cluster S5500 cluster k Configure an IP address pool for cluster members The...

Страница 612: ...command on the management device to switch to member device view to maintain and manage a member device You can then execute the cluster switch to administrator command to resume the management devic...

Страница 613: ...terface S5500 cluster S5500 cluster nm interface Vlan interface 2 P o rte 1 0 2 V L A N 2 V L A N 2 F T P S e v e r IP A d d re s s1 9 2 1 6 8 4 3 IP A d d re s s 1 9 2 1 6 8 4 2 2 S 3 5 2 6 E IP A d...

Страница 614: ...614 CHAPTER 32 CLUSTERING...

Страница 615: ...econdary authorization HWTACACS Configuring the secondary authorization server Configuring HWTACACS Accounting Servers and the Related Attributes Configuring the TACACS accounting server and related f...

Страница 616: ...ters HWTACACS view The system supports up to 16 HWTACACS schemes You can only delete the schemes that are not being used Setting the Username Format Acceptable to the TACACS Server Setting the usernam...

Страница 617: ...ring HWTACACS authentication servers Operation Command Configure the HWTACACS primary authentication server primary authentication ip address port Delete the HWTACACS primary authentication server und...

Страница 618: ...erform the following configuration in HWTACACS view By default each username sent to a TACACS server contains a domain name Table 676 Configuring source address for HWTACACS packets sent by the NAS Op...

Страница 619: ...ine users to the TACACS accounting server periodically Perform the following configuration in HWTACACS view The interval is in minutes and must be a multiple of 3 Table 679 Setting the unit of data fl...

Страница 620: ...domain domain name interface interface type interface number ip ip address mac mac address radius scheme radius scheme name vlan vlanid ucibindex ucib index user name user name Display related inform...

Страница 621: ...ith the switch to expert add the usernames and passwords of users Networking diagram See Figure 177 Networking topology Figure 177 Configuring the remote RADIUS authentication for Telnet users Reset t...

Страница 622: ...10 110 91 164 49 S5500 hwtacacs hwtac primary authorization 10 110 91 164 49 S5500 hwtacacs hwtac key authentication expert S5500 hwtacacs hwtac key authorization expert S5500 hwtacacs hwtac undo use...

Страница 623: ...is disabled and the user configurable bootrom password is lost there is no recovery mechanism available In this instance the Switch will need to be returned to 3Com for repair The following commands a...

Страница 624: ...cation file to boot 3 Display all files in flash 4 Delete file from flash 5 Modify bootrom password 6 Enter bootrom upgrade menu 7 Skip current configuration file 8 Set bootrom password recovery 9 Set...

Страница 625: ...following entries n Simple this enables you to read and or change a password and send the configuration file using TFTP back into the Switch n Cipher change this word to simple and replace the encrypt...

Страница 626: ...Bootrom Password Recovery Select option 8 to set the bootrom password discovery The following is displayed Warning if disable the bootrom password recovery the super password based on switch mac addr...

Страница 627: ...rver using these products Microsoft IAS RADIUS Funk RADIUS and FreeRADIUS are not 3Com products and are not supported by 3Com Configuring Microsoft IAS RADIUS 3Com has successfully installed and teste...

Страница 628: ...t available in Mixed mode To change mode go to the Active Directory Users and Computers window right click Domain and choose Properties select Change Mode c Add a user that is allowed to use the netwo...

Страница 629: ...abelled Store password using reversible encryption f Now re enter the password for the account right click the user account and select Reset Password 3 Enable the server as a certificate server To use...

Страница 630: ...continue through the wizard In the Certificate Authority Type window select Enterprise root CA Enter information to identify the Certificate Authority on the CA Identifying Information window Enter th...

Страница 631: ...le Networking Services and ensure Internet Authentication Service component is checked b Select OK to end the wizard 5 Configure a Certificate Authority a Go to Programs Administrative Tools Certifica...

Страница 632: ...ve directory domain Select Properties e Select the Group Policy tab and ensure that the Default Domain Policy is highlighted Click Edit to launch the Group Policy editor f Go to Computer Configuration...

Страница 633: ...icy machine_policy The command may take a few minutes to take effect 6 Setup the Internet Authentication Service IAS RADIUS Server a Go to Programs Administrative Tools Internet Authentication Service...

Страница 634: ...And Time Restrictions and click Add Click Permitted then OK Select Next h Select Grant remote access permission and select Next i Click on Edit Profile and select the Authentication tab Ensure Extensi...

Страница 635: ...Enable Remote Access Login for Users a Select Programs Administrative Tools Active Directory Users and Computers Double click the user account for which you want to enable authentication b Select the...

Страница 636: ...e following steps show an Advanced Request The Standard Request differs in the way the certificate is stored on the local computer it allows you to install the certificate on your computer directly af...

Страница 637: ...file is used to generate a certificate g You will receive this warning messages select Yes followed by this warning message select Yes and then OK The PKCS 10 file is now saved to the local drive h To...

Страница 638: ...ot below and click Next k Open the previously saved PKCS 10 certificate file in Notepad select all Control a and copy Control c as shown below l Paste the copied information into the Saved Request fie...

Страница 639: ...elect Save The certificate is also installed on the Certification Authority You can verify this in the CA Administration tool under Issued Certificates The PKCS 7 file is not actually required for IEE...

Страница 640: ...gement tool on the server and expand the Issued Certificates folder You should see the newly created certificate r Double click the certificate that was generated by the client and select the Details...

Страница 641: ...by Next Provide a name for the certificate and save it to a specified location Click Finish and followed by OK t Exit the Certification Authority management tool and launch the Active Directory Users...

Страница 642: ...ted and click Open Click OK w In the Security Identity Mapping screen click OK to close it x Close the Active Directory Users and Domains management tool This completes the configuration of the RADIUS...

Страница 643: ...3 b Create a new remote access policy under IAS and name it Switch Login Select Next c Specify Switch Login to match the users in the switch access group select Next d Allow Switch Login to grant acce...

Страница 644: ...CHAPTER B RADIUS SERVER AND RADIUS CLIENT SETUP e Use the Edit button to change the Service Type to Administrative f Add a Vendor specific attribute to indicate the access level that should be provid...

Страница 645: ...select a certificate it could be that there are additional active certificates on your client computer select the certificate that you have installed for this specific Certification Authority server...

Страница 646: ...Users and Computers a For example to create one group that will represent VLAN 4 select the Users folder from the domain see below b Name the VLAN Group with a descriptive name that describes the func...

Страница 647: ...Tools Internet Authentication Service and select Remote Access Policies Select the policy that you configured earlier right click and select Properties e Click Add to add policy membership f Select t...

Страница 648: ...8 CHAPTER B RADIUS SERVER AND RADIUS CLIENT SETUP g Select the VLAN group that you have just created and click Add and then OK to confirm h Click OK again to return you to the Security Policy properti...

Страница 649: ...hat the Attribute value is set to 802 and click OK l Click OK again on the Multivalued Attribute Information screen to return to the Add Attributes screen Table 686 Summary of auto VLAN attributes For...

Страница 650: ...lick Add n Click Add ensure that the Attribute value is set to 4 Attribute value in string format and click OK This value represents the VLAN ID o Click OK again on the Multivalued Attribute Informati...

Страница 651: ...vice 2 To test the configuration connect the workstation to a port on the Switch 5500 the port does not have to be a member of VLAN 4 Ensure that there is a DHCP server connected to the switch that re...

Страница 652: ...teel Belted RADIUS Server application from www funk com and install the application Once installed you have a 30 day license to use it To configure Funk RADIUS as a RADIUS server for networks with the...

Страница 653: ...k RADIUS is now ready to run If you intend to use auto VLAN and QoS you will need to create VLAN and QoS profiles on the 3Com Switch 5500 and follow the instructions in Configuring auto VLAN and QoS f...

Страница 654: ...case sensitive 6 Enter the shared secret to encrypt the authentication data The shared secret must be identical on the Switch 5500 and the RADIUS Server a Select RAS Clients from the left hand list en...

Страница 655: ...will now appear as potential Return list attributes for every user 2 After saving the edited radius dct file stop and restart the Funk RADIUS service 3 To use these return list attributes they need t...

Страница 656: ...p www freeradius org and install the application following the instructions from the website The following instructions assume that you have installed a standard version of FreeRADIUS To configure Fre...

Страница 657: ...vendor specific attribute 3Com User Access Level in the Access Accept message for that user b Add an entry for Network Login For example user name Auth Type Local User Password password 4 Run the Free...

Страница 658: ...ylang en Famil yID 6B78EDBE D3CA 4880 929F 453C695B9637 2 After the updates have been installed start the Wireless Authentication Service in Component Services on the Windows 2000 workstation set the...

Страница 659: ...ems such as Win XP 2000 NT 98 ME Mac OSX Details of the Aegis client can be found at http www mtghouse com Follow these steps to install the Aegis client 1 Registering the Aegis Client When using the...

Страница 660: ...on the RADIUS Server with the Password d Click OK to finish the configuration e Restart the client either by rebooting or stopping and re starting the service f Click the OK button then return to the...

Страница 661: ...the RADIUS protocol Users that already exist on the TACACS server can be authorized using the TACACS or RADIUS server an optional VLAN and QoS profile can be applied to the user Network administrators...

Страница 662: ...o the Cisco Secure ACS interface follow these steps 1 Select Network Configuration from the left hand side 2 Select Add Entry from under AAA Clients 3 Enter the details of the 3Com switch Spaces are n...

Страница 663: ...Select RADIUS IETF from the list under Interface Configuration 7 Check the RADIUS attributes that you wish to install If you want to use auto VLAN and QoS ensure that you have the following options s...

Страница 664: ...Restart Adding a User for Network Login Existing users on a network with a Secure ACS server can be authorized using the TACACS or RADIUS server New users connected through a Switch 5500 to the netwo...

Страница 665: ...n is slightly more complex as 3Com specific RADIUS attributes need to be returned to the 3Com Switch 5500 These RADIUS attributes define the access level of the the user to the management interface Fo...

Страница 666: ...ogram files Cisco Secure ACS utils c Copy the 3Com ini file into the utils directory d At the command prompt enter csutil addUDV 0 3Com ini This will stop the Cisco Secure ACS server add the RADIUS in...

Страница 667: ...ration from the left hand side and select an existing device or add a new device In the AAA Client Setup window select RADIUS 3COM from the Authenticate Using pull down list 3 Select Submit Restart Th...

Страница 668: ...w 6 Select User Setup and either modify the attributes of an existing user select Find to display the User List in the right hand window or Add a new user see Adding a User for Network Login Set the u...

Страница 669: ...r 669 7 In the RADIUS 3Com Attribute box check 3Com User Access Level and select Administrator from the pull down list see below 8 Select Submit The Switch 5500 can now be managed by the Network Admin...

Страница 670: ...670 CHAPTER C AUTHENTICATING THE SWITCH 5500 WITH CISCO SECURE ACS...

Страница 671: ...ations n Network Example using XRN n Recovering your XRN Network The sections below provide supplementary information that are not essential reading but may be of interest to advanced users n How XRN...

Страница 672: ...tion DLA DLA is the configuration of Aggregated Links across interconnected devices in the Distributed Fabric 3Com and non 3Com devices can connect to the XRN Distributed Fabric using DLA For further...

Страница 673: ...In the event of failure in one of the Switches in the Distributed Fabric management access to the remaining Switch is retained on the same IP address DDM allows you to manage the Distributed Fabric us...

Страница 674: ...within the Distributed Fabric However it will interoperate with other routers outside of the XRN Distributed Fabric Figure 178 Network Example illustrating Distributed Resilient Routing Distributed L...

Страница 675: ...STP RSTP for resilience however this does not provide the bandwidth advantage of link aggregation For more information about STP RSTP refer to Chapter 17 Network Protocol Operation Figure 179 Distrib...

Страница 676: ...a single IP address 4 Set up the IP information so you can begin managing and configuring the Switches in the Distributed Fabric For more information on setting up IP information for your Switch so i...

Страница 677: ...ble in the normal way that is you cannot control port features such as auto negotiation VLANs static addresses STP Aggregated Links Resilient Links and so on Recommendations for Achieving Maximum Resi...

Страница 678: ...ssign unit IDs to a Switch using the change command the IDs will be retained after a power cycle If you add a unit to a Fabric that has previously been manually configured with a unit ID and this conf...

Страница 679: ...om the aggregated link 2 Create the VLANs and assign VLAN membership to all ports 3 Connect up your ports As LACP was enabled in step 1 the aggregated links will now automatically configure themselves...

Страница 680: ...interconnect failure within your Distributed Fabric 1 Obtain a new cable 2 Install the new cable How XRN Interacts with other 3Com Switches This section provides guidelines on connecting legacy and ne...

Страница 681: ...ferent VLANs not being able to communicate 3Com recommends that you set individual ports that are to be members of an aggregated link to the same VLAN membership This ensures communication between all...

Страница 682: ...f the interconnect fails the aggregation is still a single logical entity at the legacy Switch end but it is now split over both units within the Distributed Fabric The legacy Switch is not aware that...

Страница 683: ...y link to Switch B active and pass all traffic down the link to Switch B When using resilient links in a Distributed Fabric network the resilient links must be configured at the remote end rather than...

Страница 684: ...ion on Distributed Fabric unit failure Should Switch A fail the network will react in the following way LACP IEEE 802 3ad and Legacy Aggregated Links The Switch 4400 and Switch 4300 Aggregated Links w...

Страница 685: ...have STP RSTP and LACP enabled as recommended in Important Considerations and Recommendations on page 676 your traffic flow should continue through your network Figure 187 XRN Network reaction on Fabr...

Страница 686: ...ks The Switch 3300 will continue to send traffic down the active link to Switch A and keep the link to Switch B in standby mode VLANs As all VLANs will have been configured on all links the traffic wi...

Отзывы:

Нет отзывов

Похожие инструкции для 5500 SI - Switch - Stackable

Бренд: N-Tron Страницы: 20

SmartSwitch 6500

Бренд: Cabletron Systems Страницы: 150

MMAC-Plus 9H421-12

Бренд: Cabletron Systems Страницы: 38

Бренд: Cabletron Systems Страницы: 86

MMAC-Plus 9T125-24

Бренд: Cabletron Systems Страницы: 30

7C03 MMAC SmartSWITCH

Бренд: Cabletron Systems Страницы: 16

IO-Link BNI LH1-303-S11-K091

Бренд: Balluff Страницы: 12

Бренд: Black Box Страницы: 4

Бренд: CYP Страницы: 32

Бренд: Velleman Страницы: 5

Бренд: Eaton Страницы: 120

Бренд: Lindy Страницы: 38

Бренд: Uniclass Страницы: 32

PFS4226-24ET-240

Бренд: Dahua Страницы: 3

Бренд: Televes Страницы: 24

pro-trim PT1000

Бренд: Seastar Solutions Страницы: 2

Бренд: DX Engineering Страницы: 4

Palert PX-01 Series

Бренд: JenLogix Страницы: 48

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды