3Com E4500-24 Скачать руководство пользователя страница 420

Страница: 420 / 848

2-11

ARP Attack Defense Configuration Example III

Network Requirements

Host A and Host B are connected to Gateway (Switch A) through a Layer 2 switch (Switch B). To

prevent ARP attacks such as ARP flooding:

Enable ARP packet source MAC address consistency check on Switch A to block ARP packets

with the sender MAC address different from the source MAC address in the Ethernet header.

Limit the number of dynamic ARP entries learned on VLAN-interface 1.

Network Diagram

Figure 2-5

Network diagram for ARP attack defense

Switch A (Gateway)

Switch B

Host B

Host A

Vlan-int
192.168.1.1/24

Configuration Procedures

# Enter system view.

<SwitchA> system-view

# Enable ARP source MAC address consistency check.

[SwitchA] arp anti-attack valid-check enable

# Enter VLAN-interface 1 view.

[SwitchA] interface vlan-interface 1

# Configure an IP address for VLAN-interface 1.

[SwitchA-Vlan-interface1] ip address 192.168.1.1 24

# Configure the maximum number of ARP entries that can be learned by VLAN-interface 1 as 500.

[SwitchA-Vlan-interface1] arp max-learning-num 500

[SwitchA-Vlan-interface1] quit

ARP Attack Defense Configuration Example IV

Network Requirements

Host A is assigned with an IP address statically and installed with an 802.1x client.

A CAMS authentication, authorization and accounting server serves as the authentication server.

Содержание E4500-24

Страница 1: ...he CLI 1 1 Command Hierarchy 1 1 Command Level and User Privilege Level 1 1 Modifying the Command Level 1 2 Switching User Level 1 3 CLI Views 1 7 CLI Features 1 11 Online Help 1 11 Terminal Display 1...

Страница 2: ...nd locate network problems z Command history function This enables users to check the commands that they have lately executed and re execute the commands z Partial matching of commands The system will...

Страница 3: ...levels By default the Console user a user who logs into the switch through the Console port is a level 3 user and can use commands of level 0 through level 3 while Telnet users are level 0 users and c...

Страница 4: ...the level of a command Sysname system view Sysname command privilege level 0 view shell tftp Sysname command privilege level 0 view shell tftp 192 168 0 1 Sysname command privilege level 0 view shell...

Страница 5: ...switching The low to high user level switching requires the corresponding authentication The super password authentication mode and HWTACACS authentication mode are available at the same time to prov...

Страница 6: ...performed by level 3 users administrators Follow these steps to set a password for use level switching To do Use the command Remarks Enter system view system view Set the super password for user leve...

Страница 7: ...level super level Required Execute this command in user view z If no user level is specified in the super password command or the super command level 3 is used by default z For security purpose the pa...

Страница 8: ...configuration procedures Enable HWTACACS authentication for VTY 0 user level switching Sysname system view Sysname user interface vty 0 Sysname ui vty0 super authentication mode scheme Sysname ui vty0...

Страница 9: ...hernet1 0 25 Execute the interface gigabitethernet command in system view Aux1 0 0 port the console port view The 3com switch 4500 does not support configuration on port Aux1 0 0 Sysname Aux1 0 0 Exec...

Страница 10: ...lic ke y end command to return to system view Edit the RSA public key for SSH users Sysname rsa key code Public key editing view Edit the RSA or DSA public key for SSH users Sysname peer ke y code Exe...

Страница 11: ...e ping test group parameters Sysname remote ping a123 a123 Execute the remote ping command in system view HWTACACS view Configure HWTACACS parameters Sysname hwtaca cs a123 Execute the hwtacacs scheme...

Страница 12: ...on Other information is omitted 2 Enter a command a space and a question mark If the question mark is at a keyword position in the command all available keywords at the position and their descriptions...

Страница 13: ...p the display output and execution of the command Press any character except Space Enter and when the display output pauses Stop the display output Press the space key Get to the next page Press Enter...

Страница 14: ...plete command The command entered is incomplete Too many parameters The parameters entered are too many Ambiguous command The parameters entered are ambiguous Wrong parameter A parameter entered is wr...

Страница 15: ...entifies a complete keyword the system substitutes the complete keyword for the input parameter if more than one keywords match the input parameter you can display them one by one in complete form by...

Страница 16: ...uration Example 2 9 Console Port Login Configuration with Authentication Mode Being Scheme 2 10 Configuration Procedure 2 10 Configuration Example 2 12 3 Logging In Through Telnet 3 1 Introduction 3 1...

Страница 17: ...Packets 7 1 Displaying Source IP Address Configuration 7 2 8 User Control 8 1 Introduction 8 1 Controlling Telnet Users 8 2 Prerequisites 8 2 Controlling Telnet Users by Source IP Addresses 8 2 Contro...

Страница 18: ...e console port of a 3Com low end and mid range Ethernet switch are the same port referred to as console port in the following part You will be in the AUX user interface if you log in through this port...

Страница 19: ...pport Fabric A Fabric can contain up to eight devices Accordingly the AUX user interfaces in a Fabric can be numbered from AUX0 to AUX7 through which all the console ports of the units in a Fabric can...

Страница 20: ...r logs in successfully Enter user interface view user interface type first number last number Display the information about the current user interface all user interfaces display users all Display the...

Страница 21: ...to an Ethernet switch through its console port only Table 2 1 lists the default settings of a console port Table 2 1 The default settings of a console port Setting Default Baud rate 19 200 bps Flow c...

Страница 22: ...e following assumes that you are running Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally both sides that is the serial port of...

Страница 23: ...switch Console Port Login Configuration Common Configuration Table 2 2 Common configuration of console port login Configuration Remarks Baud rate Optional The default baud rate is 19 200 bps Check mod...

Страница 24: ...To configure a console port you are recommended to log in to the switch in other ways To log in to a switch through its console port after you modify the console port settings you need to modify the...

Страница 25: ...users Required Scheme Perform common configuration Perform common configuration for console port login Optional Refer to Table 2 2 Changes made to the authentication mode for console port login takes...

Страница 26: ...fault the screen can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages Set the history command buffer size history command max size...

Страница 27: ...hrough the console port Sysname ui aux0 authentication mode none Specify commands of level 2 are available to users logging in to the AUX user interface Sysname ui aux0 user privilege level 2 Set the...

Страница 28: ...de of a console port is set to none that is no check bit Set the stop bits stopbits 1 1 5 2 Optional The default stop bits of a console port is 1 Configure the console port Set the data bits databits...

Страница 29: ...is set to the administrator level level 3 Perform the following configurations for users logging in through the console port AUX user interface z Authenticate the users using passwords z Set the local...

Страница 30: ...n to the switch successfully Console Port Login Configuration with Authentication Mode Being Scheme Configuration Procedure Follow these steps to configure console port login with the authentication m...

Страница 31: ...none that is no check bit Set the stop bits stopbits 1 1 5 2 Optional The default stop bits of a console port is 1 Configure the console port Set the data bits databits 7 8 Optional The default data b...

Страница 32: ...mple Network requirements Assume the switch is configured to allow users to log in through Telnet and the user level is set to the administrator level level 3 Perform the following configurations for...

Страница 33: ...to authenticate users logging in through the console port in the scheme mode Sysname ui aux0 authentication mode scheme Set the baud rate of the console port to 19 200 bps Sysname ui aux0 speed 19200...

Страница 34: ...dress is configured for the VLAN of the switch and the route between the switch and the Telnet terminal is reachable Refer to the IP Address Configuration IP Performance Configuration and Routing Prot...

Страница 35: ...igurations for Different Authentication Modes Table 3 3 Telnet configurations for different authentication modes Authentication mode Telnet configuration Description None Perform common configuration...

Страница 36: ...TCP 22 port will be enabled Telnet Configuration with Authentication Mode Being None Configuration Procedure Follow these steps to configure Telnet with the authentication mode being none To do Use t...

Страница 37: ...he connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function Note that if...

Страница 38: ...6 Telnet Configuration with Authentication Mode Being Password Configuration Procedure Follow these steps to configure Telnet with the authentication mode being password To do Use the command Remarks...

Страница 39: ...idle timeout minutes seconds Optional The default timeout time of a user interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no operatio...

Страница 40: ...screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui vty0 history command max size 20 Set the timeout time to 6 minutes Sysname ui vty0 idle timeo...

Страница 41: ...ed AAA scheme determines whether to authenticate users locally or remotely Users are authenticated locally by default Configure the command level available to users logging in to the user interface us...

Страница 42: ...type command does not specify the available command level Level 0 The user privilege level level command is not executed and the service type command specifies the available command level Determined...

Страница 43: ...el command is executed and the service type command specifies the available command level Determined by the service type command Refer to AAA Operation and SSH Operation of this manual for information...

Страница 44: ...vty 0 Configure to authenticate users logging in to VTY 0 in the scheme mode Sysname ui vty0 authentication mode scheme Configure Telnet protocol is supported Sysname ui vty0 protocol inbound telnet S...

Страница 45: ...heme for more 3 Connect your PC terminal and the Switch to an Ethernet as shown in Figure 3 5 Make sure the port through which the switch is connected to the Ethernet belongs to VLAN 1 and the route b...

Страница 46: ...net client you can Telnet to another switch labeled as Telnet server by executing the telnet command and then configure it Figure 3 7 Network diagram for Telnetting to another switch from the current...

Страница 47: ...to a switch using a modem Item Requirement The PC can communicate with the modem connected to it The modem is properly connected to PSTN Administrator side The telephone number of the switch side is a...

Страница 48: ...authentication mode configuration Configuration on switch when the authentication mode is none Refer to Console Port Login Configuration with Authentication Mode Being None Configuration on switch whe...

Страница 49: ...omote end 82882285 Modem Modem 4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch as shown in Figure 4 2 through Figure 4 4...

Страница 50: ...e prompt appears You can then configure or manage the switch You can also enter the character at anytime for help Refer to the related parts in this manual for information about the configuration comm...

Страница 51: ...he VLAN interface of the switch is assigned an IP address and the route between the switch and the Web network management terminal is reachable Refer to the IP Address Configuration IP Performance Con...

Страница 52: ...e 5 2 The login page of the Web based network management system Configuring the Login Banner Configuration Procedure If a login banner is configured with the header command when a user logs in through...

Страница 53: ...a route is available between the user terminal the PC and the switch After the above mentioned configuration if you enter the IP address of the switch in the address bar of the browser running on the...

Страница 54: ...server undo ip http shutdown Required To improve security and prevent attack to the unused Sockets TCP 80 port which is for HTTP service is enabled disabled after the corresponding configuration z Ena...

Страница 55: ...perform related configuration on both the NMS and the switch Table 6 1 Requirements for logging in to a switch through an NMS Item Requirement The IP address of the VLAN interface of the switch is co...

Страница 56: ...itch A as 192 168 2 5 and then log in to Switch B through Switch A Configuring Source IP Address for Telnet Service Packets The feature of configuring source IP address for Telnet service packets can...

Страница 57: ...ion failure z Configuring the source interface of Telnet service packets equals configuring the IP address of this interface as the source IP address of the Telnet service packets z If a source IP add...

Страница 58: ...users Login mode Control method Implementation Related section By source IP address Through basic ACL Controlling Telnet Users by Source IP Addresses By source and destination IP address Through adva...

Страница 59: ...face type first number last number Apply the ACL to control Telnet users by source IP addresses acl acl number inbound outbound Required The inbound keyword specifies to filter the users trying to Tel...

Страница 60: ...CLs which are numbered from 4000 to 4999 Follow these steps to control Telnet users by source MAC addresses To do Use the command Remarks Enter system view system view Create or enter Layer 2 ACL view...

Страница 61: ...users can access switches through SNMP You need to perform the following two operations to control network management users by source IP addresses z Defining an ACL z Applying the ACL to control user...

Страница 62: ...ew write view notify view notify view acl acl number Apply the ACL while configuring the SNMP user name snmp agent usm user v1 v2c user name group name acl acl number snmp agent usm user v3 user name...

Страница 63: ...determined including the source IP addresses to be controlled and the controlling actions permitting or denying Controlling Web Users by Source IP Addresses Controlling Web users by source IP addresse...

Страница 64: ...to access the switch Network diagram Figure 8 3 Network diagram for controlling Web users using ACLs Switch 10 110 100 46 Host A IP network Host B 10 110 100 52 Configuration procedure Define a basic...

Страница 65: ...ement 1 1 Introduction to Configuration File 1 1 Configuration Task List 1 2 Saving the Current Configuration 1 2 Erasing the Startup Configuration File 1 4 Specifying a Configuration File for Next St...

Страница 66: ...nd view The commands that are of the same command view are grouped into one section Sections are separated by comment lines A line is a comment line if it starts with the character z The sections are...

Страница 67: ...either the main nor the backup configuration file exists but the default configuration file config def exists the switch initializes with the default configuration file if the default configuration fi...

Страница 68: ...tmp to cfg using the rename command The switch will use the renamed configuration file to initialize itself when it starts up next time For details of the rename command refer to the File System Manag...

Страница 69: ...f these reasons z After you upgrade software the old configuration file does not match the new software z The startup configuration file is corrupted or not the one you needed The following two situat...

Страница 70: ...startup saved configuration cfgfile backup command to set the file as backup startup configuration file The configuration file must use cfg as its extension name and the startup configuration file mu...

Страница 71: ...ID for a Port 1 5 2 VLAN Configuration 2 1 VLAN Configuration 2 1 VLAN Configuration Task List 2 1 Basic VLAN Configuration 2 1 Basic VLAN Interface Configuration 2 2 Displaying VLAN Configuration 2 3...

Страница 72: ...network receives a lot of packets whose destination is not the host itself causing potential serious security problems z Related to the point above someone on a network can monitor broadcast packets...

Страница 73: ...of the virtual workgroup the host can access the network without changing its network configuration VLAN Principles VLAN tag To enable a network device to identify frames of different VLANs a VLAN tag...

Страница 74: ...rames encapsulated in these formats for VLAN identification VLAN ID identifies the VLAN to which a packet belongs When a switch receives a packet carrying no VLAN tag the switch encapsulates a VLAN ta...

Страница 75: ...And a VLAN interface serves as the gateway of the segment to forward packets in Layer 3 based on IP addresses VLAN Classification Depending on how VLANs are established VLANs fall into the following s...

Страница 76: ...AN ID for a Port An access port can belong to only one VLAN Therefore the VLAN an access port belongs to is also the default VLAN of the access port A hybrid trunk port can belong to multiple VLANs so...

Страница 77: ...ID is not the default VLAN ID keep the original tag unchanged and send the packet Table 1 3 Packet processing of a hybrid port Processing of an incoming packet For an untagged packet For a tagged pac...

Страница 78: ...nfiguration Follow these steps to perform basic VLAN configuration To do Use the command Remarks Enter system view system view Create multiple VLANs in batch vlan vlan id1 to vlan id2 all Optional Cre...

Страница 79: ...the command Remarks Enter system view system view Create a VLAN interface and enter VLAN interface view interface Vlan interface vlan id Required By default there is no VLAN interface on a switch Spec...

Страница 80: ...ed VLAN Task Remarks Configuring the Link Type of an Ethernet Port Optional Assigning an Ethernet Port to a VLAN Required Configuring the Default VLAN for a Port Optional Displaying and Maintaining Po...

Страница 81: ...port access vlan vlan id Trunk port port trunk permit vlan vlan id list all Assign the current port to one or multiple VLANs Hybrid port port hybrid vlan vlan id list tagged untagged Optional By defau...

Страница 82: ...n vlan id Optional The link type of a port is access by default The local and remote trunk or hybrid ports must use the same default VLAN ID for the traffic of the default VLAN to be transmitted prope...

Страница 83: ...lan 100 SwitchB vlan100 description Dept1 SwitchB vlan100 port GigabitEthernet 1 0 13 SwitchB vlan103 quit Create VLAN 200 specify its descriptive string as Dept2 and add GigabitEthernet 1 0 11 and Gi...

Страница 84: ...1 0 2 port trunk permit vlan 200 Configure GigabitEthernet 1 0 10 of Switch B SwitchB interface GigabitEthernet 1 0 10 SwitchB GigabitEthernet1 0 10 port link type trunk SwitchB GigabitEthernet1 0 10...

Страница 85: ...Configuration Examples 1 5 IP Address Configuration Example I 1 5 IP Address Configuration Example II 1 5 Static Domain Name Resolution Configuration Example 1 7 2 IP Performance Optimization Configu...

Страница 86: ...32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1 1 for the address just mentioned Each IP address breaks down into two parts z...

Страница 87: ...P address 0 0 0 16 indicates the host with a host ID of 16 on the local network z IP address with an all zeros host ID Identifies a network z IP address with an all ones host ID Identifies a directed...

Страница 88: ...its for the host ID and thus have only 126 27 2 hosts in each subnet The maximum number of hosts is thus 64 512 512 126 1022 less after the network is subnetted Class A B and C networks before being s...

Страница 89: ...ow these steps to configure static domain name resolution To do Use the command Remarks Enter system view system view Configure a mapping between a host name and an IP address ip host hostname ip addr...

Страница 90: ...interface 1 Switch Vlan interface1 ip address 129 2 2 1 255 255 255 0 IP Address Configuration Example II Network requirements As shown in Figure 1 4 VLAN interface 1 on a switch is connected to a LAN...

Страница 91: ...6 1 2 PING 172 16 1 2 56 data bytes press CTRL_C to break Reply from 172 16 1 2 bytes 56 Sequence 1 ttl 255 time 25 ms Reply from 172 16 1 2 bytes 56 Sequence 2 ttl 255 time 27 ms Reply from 172 16 1...

Страница 92: ...gram Figure 1 5 Network diagram for static DNS configuration Configuration procedure Configure a mapping between host name host com and IP address 10 1 1 2 Sysname system view Sysname ip host host com...

Страница 93: ...can know the forwarding information of the switch through the FIB table Each FIB entry includes destination address mask length next hop current flag timestamp and outbound interface When the switch i...

Страница 94: ...transport layer protocols to notify corresponding devices so as to facilitate control and management Although sending ICMP error packets facilitate control and management it still has the following di...

Страница 95: ...he FIB entries matching the destination IP address display fib ip_address1 mask1 mask length1 ip_address2 mask2 mask length2 longer longer Display the FIB entries filtering through a specific ACL disp...

Страница 96: ...ous Ports 1 4 Security Mode of Voice VLAN 1 6 Voice VLAN Configuration 1 7 Configuration Prerequisites 1 7 Configuring the Voice VLAN to Operate in Automatic Voice VLAN Assignment Mode 1 7 Configuring...

Страница 97: ...in conjunction with other voice devices IP phones can offer large capacity and low cost voice communication solutions As network devices IP phones need IP addresses to operate properly in a network A...

Страница 98: ...VLAN the IP phone can only send untagged packets in the default VLAN of the port the IP phone is connected to In this case you need to manually configure the default VLAN of the port as a voice VLAN...

Страница 99: ...r transmitting voice data You can configure OUI addresses for voice packets or specify to use the default OUI addresses An OUI address is a globally unique identifier assigned to a vendor by IEEE You...

Страница 100: ...AN assignment mode In this mode you need to add a port to a voice VLAN or remove a port from a voice VLAN manually Processing mode of tagged packets sent by IP voice devices Tagged packets from IP voi...

Страница 101: ...to the voice VLAN manually Access Not supported Trunk Supported Make sure the default VLAN of the port exists and is not a voice VLAN and the access port permits the traffic of the default VLAN and th...

Страница 102: ...r a port is assigned to the voice VLAN the switch receives and forwards all voice VLAN tagged traffic without matching the source MAC address of each received packet against its OUI list For a port in...

Страница 103: ...n Configuration Prerequisites z Create the corresponding VLAN before configuring a voice VLAN z VLAN 1 the default VLAN cannot be configured as a voice VLAN In case a connected voice device sends VLAN...

Страница 104: ...be configured as the voice VLAN otherwise the system prompts you for unsuccessful configuration When the voice VLAN is working normally if the device restarts or the Unit ID of a device in a XRN fabr...

Страница 105: ...N legacy is disabled Set voice VLAN assignment mode on a port to manual undo voice vlan mode auto Required The default voice VLAN assignment mode on a port is automatic Quit to system view quit Enter...

Страница 106: ...make sure that the voice VLAN does not operate in security mode z The voice VLAN legacy feature realizes the communication between 3Com device and other vendor s voice device by automatically adding...

Страница 107: ...0 0755 2002 GE1 0 2 IP phone A 010 1001 MAC 0011 1100 0001 Mask ffff ff00 0000 Internet PC A MAC 0022 1100 0002 PC B MAC 0022 2200 0002 VLAN 2 Configuration procedure Create VLAN 2 DeviceA system view...

Страница 108: ...cess Please wait Done DeviceA GigabitEthernet1 0 2 port link type hybrid DeviceA GigabitEthernet1 0 2 voice vlan enable Verification Display the OUI addresses OUI address masks and description strings...

Страница 109: ...Eth1 0 1 VLAN2 VLAN2 010 1001 OUI 0011 2200 0000 Mask ffff ff00 0000 Device B Configuration procedure Enable the security mode for the voice VLAN so that the ports in the voice VLAN permit valid voice...

Страница 110: ...ce vlan oui Oui Address Mask Description 0003 6b00 0000 ffff ff00 0000 Cisco phone 000f e200 0000 ffff ff00 0000 H3C Aolynk phone 0011 2200 0000 ffff ff00 0000 test 00d0 1e00 0000 ffff ff00 0000 Pingt...

Страница 111: ...GVRP 1 4 Protocol Specifications 1 4 GVRP Configuration 1 4 GVRP Configuration Tasks 1 4 Enabling GVRP 1 4 Configuring GVRP Timers 1 5 Configuring GVRP Port Registration Mode 1 6 Displaying and Maint...

Страница 112: ...portant functions for GARP fall into three types Join Leave and LeaveAll z When a GARP entity wants its attribute information to be registered on other devices it sends Join messages to these devices...

Страница 113: ...veAll timer to begin a new cycle z The settings of GARP timers apply to all GARP applications such as GVRP on a LAN z Unlike other three timers which are set on a port basis the LeaveAll timer is set...

Страница 114: ...s Attribute Each general attribute consists of three parts Attribute Length Attribute Event and Attribute Value Each LeaveAll attribute consists of two parts Attribute Length and LeaveAll Event Attrib...

Страница 115: ...hree port registration modes Normal Fixed and Forbidden as described in the following z Normal A port in this mode can dynamically register deregister VLANs and propagate dynamic static VLAN informati...

Страница 116: ...iew system view Configure the LeaveAll timer garp timer leaveall timer value Optional By default the LeaveAll timer is set to 1 000 centiseconds Enter Ethernet port view interface interface type inter...

Страница 117: ...the Join timer This upper threshold is less than the timeout time of the LeaveAll timer You can change the threshold by changing the timeout time of the LeaveAll timer LeaveAll This lower threshold is...

Страница 118: ...so that the VLAN configurations on Switch C and Switch E can be applied to all switches in the network thus implementing dynamic VLAN information registration and refresh z By configuring the GVRP reg...

Страница 119: ...VRP on Ethernet1 0 3 SwitchA Ethernet1 0 3 gvrp SwitchA Ethernet1 0 3 quit 2 Configure Switch B The configuration procedure of Switch B is similar to that of Switch A and is thus omitted 3 Configure S...

Страница 120: ...3 dynamic VLAN exist s The following dynamic VLANs exist 5 7 8 Display the VLAN information dynamically registered on Switch B SwitchB display vlan dynamic Total 3 dynamic VLAN exist s The following d...

Страница 121: ...1 10 5 8 Display the VLAN information dynamically registered on Switch E SwitchE display vlan dynamic No dynamic vlans exist...

Страница 122: ...rt to Other Ports 1 5 Configuring Loopback Detection for an Ethernet Port 1 5 Enabling Loopback Test 1 7 Enabling the System to Test Connected Cable 1 8 Configuring the Interval to Perform Statistical...

Страница 123: ...n optical port That is a Combo port cannot operate as both an electrical port and an optical port simultaneously When one is enabled the other is automatically disabled Configuring Combo port state Fo...

Страница 124: ...ace MDI mode of the Ethernet port mdi across auto normal Optional Be default the MDI mode of an Ethernet port is auto Set the maximum frame size allowed on the Ethernet port to 9 216 bytes jumboframe...

Страница 125: ...gured to support all the auto negotiation speeds 10 Mbps 100 Mbps and 1000 Mbps Limiting Traffic on individual Ports By performing the following configurations you can limit the incoming broadcast mul...

Страница 126: ...figure flow control in TxRx mode on Port B and flow control in Rx mode on Port A z When congestions occur on Port C Switch B buffers the frames When the amount of the buffered frames exceeds a certain...

Страница 127: ...agg id Required z If you specify a source aggregation group ID the system will use the port with the smallest port number in the aggregation group as the source z If you specify a destination aggrega...

Страница 128: ...net port To do Use the command Remarks Enter system view system view Enable loopback detection globally loopback detection enable Optional By default the global loopback detection function is enabled...

Страница 129: ...r you use the undo loopback detection enable command in system view loopback detection will be disabled on all ports z The loopback detection control enable command and the loopback detection per vlan...

Страница 130: ...he test result will be returned in five seconds The system can test these attributes of the cable Receive and transmit directions RX and TX short circuit open circuit or not the length of the faulty c...

Страница 131: ...ription of the display brief interface command in Basic Port Configuration Command When the physical link status of an Ethernet port changes between Up and Down or Up and Administratively Down the swi...

Страница 132: ...nformation and execute the shutdown command or the undo shutdown command on Ethernet 1 0 1 No Up Down log information is generated or output for Ethernet 1 0 1 Sysname Ethernet1 0 1 undo enable log up...

Страница 133: ...type interface number begin include exclude regular expression Display port information about a specified unit display unit unit id interface Display the Combo ports and the corresponding optical elec...

Страница 134: ...1 port link type trunk Allow packets of VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 to pass Ethernet 1 0 1 Sysname Ethernet1 0 1 port trunk permit vlan 2 6 to 50 100 Configure the default VLAN ID of E...

Страница 135: ...gation Group 1 3 Dynamic LACP Aggregation Group 1 4 Aggregation Group Categories 1 5 Link Aggregation Configuration 1 6 Configuring a Manual Aggregation Group 1 6 Configuring a Static LACP Aggregation...

Страница 136: ...otifies the following information of the port to its peer by sending LACPDUs priority and MAC address of this system priority number and operation key of the port Upon receiving the information the pe...

Страница 137: ...led TPID on the ports State of inner to outer tag priority replication enabled or disabled The S4500 series Ethernet switches support cross device link aggregation if XRN fabric is enabled Link Aggreg...

Страница 138: ...also including initially down port you want to add to a manual aggregation group Static LACP Aggregation Group Introduction to static LACP aggregation A static LACP aggregation group is also manually...

Страница 139: ...status of dynamic aggregation group A port in a dynamic aggregation group can be in one of the two states selected and unselected z Both the selected and the unselected ports can receive transmit LACP...

Страница 140: ...groups The system always allocates hardware aggregation resources to the aggregation groups with higher priorities When load sharing aggregation resources are used up by existing aggregation groups n...

Страница 141: ...ess max mac count command is configured cannot be added to an aggregation group Contrarily the mac address max mac count command cannot be configured on a port that has already been added to an aggreg...

Страница 142: ...ynamic static group to a manual group the system will automatically disable LACP on the member ports When you change a dynamic group to a static group the system will remain the member ports LACP enab...

Страница 143: ...based on LACP enabled ports The adding and removing of ports to from a dynamic aggregation group are automatically accomplished by LACP You need to enable LACP on the ports which you want to participa...

Страница 144: ...oups and their descriptions still exists but that of dynamic aggregation groups and their descriptions gets lost Displaying and Maintaining Link Aggregation Configuration To do Use the command Remarks...

Страница 145: ...edure The following only lists the configuration on Switch A you must perform the similar configuration on Switch B to implement link aggregation 1 Adopting manual aggregation mode Create manual aggre...

Страница 146: ...t1 0 3 Sysname Ethernet1 0 3 port link aggregation group 1 3 Adopting dynamic LACP aggregation mode Enable LACP on Ethernet 1 0 1 through Ethernet 1 0 3 Sysname system view Sysname interface Ethernet...

Страница 147: ...of Contents 1 Port Isolation Configuration 1 1 Port Isolation Overview 1 1 Port Isolation Configuration 1 1 Displaying and Maintaining Port Isolation Configuration 1 2 Port Isolation Configuration Exa...

Страница 148: ...p does not forward traffic to the other ports in the isolation group The ports in an isolation group must reside on the same switch or different units of an XRN fabric z Currently you can create only...

Страница 149: ...if XRN fabric is enabled z For Switch 4500 series switches belonging to the same XRN Fabric the port isolation configuration performed on a port of a cross device aggregation group cannot be synchroni...

Страница 150: ...me interface ethernet1 0 2 Sysname Ethernet1 0 2 port isolate Sysname Ethernet1 0 2 quit Sysname interface ethernet1 0 3 Sysname Ethernet1 0 3 port isolate Sysname Ethernet1 0 3 quit Sysname interface...

Страница 151: ...s Allowed on a Port 1 5 Setting the Port Security Mode 1 6 Configuring Port Security Features 1 7 Configuring Guest VLAN for a Port in macAddressOrUserLoginSecure mode 1 8 Ignoring the Authorization I...

Страница 152: ...kes pre defined actions automatically This reduces your maintenance workload and greatly enhances system security and manageability Port Security Features The following port security features are prov...

Страница 153: ...red manually When the number of security MAC addresses reaches the upper limit configured by the port security max count command the port changes to work in secure mode and no more MAC addresses can b...

Страница 154: ...gle 802 1x authenticated user the packets whose source MAC addresses have a particular OUI are also allowed to pass through the port When the port changes from the normal mode to this security mode th...

Страница 155: ...tions In this mode up to one user can access the network macAddressAndUs erLoginSecureExt This mode is similar to the macAddressAndUserLoginSecure mode except that more than one user can access the ne...

Страница 156: ...802 1x disabled port access control method macbased and port access control mode auto z MAC authentication disabled In addition you cannot perform the above mentioned configurations manually because t...

Страница 157: ...curity Mode Follow these steps to set the port security mode To do Use the command Remarks Enter system view system view Set the OUI value for user authentication port security oui OUI value index ind...

Страница 158: ...ses that the port can learn z Reflector port for port mirroring z Fabric port z Link aggregation Configuring Port Security Features Configuring the NTK feature Follow these steps to configure the NTK...

Страница 159: ...nt port security trap addresslearned dot1xlogfailure dot1xlogoff dot1xlogon intrusion ralmlogfailure ralmlogoff ralmlogon Required By default no trap is sent Configuring Guest VLAN for a Port in macAd...

Страница 160: ...at the users need z If one user of the port has passed or is undergoing authentication you cannot specify a guest VLAN for it z When a user using a port with a guest VLAN specified fail the authentica...

Страница 161: ...can only be added to the forwarding table of one port This feature allows binding a security MAC address with a port in the same VLAN After the security port is set to autolearn the port changes its...

Страница 162: ...nfigure an aging time for learned security MAC address entries To do Use the command Remarks Enter system view system view Enable port security port security enable Configure the aging time for learne...

Страница 163: ...z To ensure that Host can access the network add the MAC address 0001 0002 0003 of Host as a security MAC address to the port in VLAN 1 z After the number of security MAC addresses reaches 80 the por...

Страница 164: ...connectivity z The switch s port Ethernet 1 0 3 connects to the Internet This port is assigned to VLAN 1 Normally the port Ethernet 1 0 2 is also assigned to VLAN z VLAN 10 is intended to be a guest V...

Страница 165: ...nfigure the ISP domain for MAC address authentication Switch mac authentication domain system Enable port security Switch port security enable Specify the switch to trigger MAC address authentication...

Страница 166: ...DLDP Status 1 4 DLDP Timers 1 4 DLDP Operating Mode 1 5 DLDP Implementation 1 6 DLDP Neighbor State 1 8 Link Auto recovery Mechanism 1 8 DLDP Configuration 1 9 Performing Basic DLDP Configuration 1 9...

Страница 167: ...two way link If one of these fibers gets broken this is a unidirectional link one way link When a unidirectional link appears the local device can receive packets from the peer device through the link...

Страница 168: ...rovides the following features z As a link layer protocol it works together with the physical layer protocols to monitor the link status of a device z The auto negotiation mechanism at the physical la...

Страница 169: ...packets are used to notify unidirectional link emergencies a unidirectional link emergency occurs when the local port is down and the peer port is up Linkdown packets carry only the local port inform...

Страница 170: ...corresponding neighbor immediately neither does it changes to the inactive state Instead it changes to the delaydown state first When a device changes to the delaydown state the related DLDP neighbor...

Страница 171: ...n the user defined DLDP down mode DLDP disables the local port automatically or prompts you to disable the port manually Meanwhile DLDP deletes the neighbor entry DelayDown timer When a device in the...

Страница 172: ...however Port A tests Port B after the Entry timer concerning Port B expires Port A then transits to the Disable state if it receives no Echo packet from Port A when the Echo timer expires As Port B i...

Страница 173: ...witches to the probe state Advertisement packet Extracts neighbor information If the corresponding neighbor entry already exists on the local device DLDP resets the aging timer of the entry Flush pack...

Страница 174: ...ects the link connecting to the port is a unidirectional link A port in DLDP down state does not forward service packets or receive send protocol packets except DLDPDUs A port in the DLDP down state r...

Страница 175: ...the handling mode is auto Set the DLDP operating mode dldp work mode enhance normal Optional By default DLDP works in normal mode Note the following when performing basic DLDP configuration z DLDP can...

Страница 176: ...nks caused by fiber cross connection z When the device is busy with services and the CPU utilization is high DLDP may issue mistaken reports You are recommended to configure the operating mode of DLDP...

Страница 177: ...DP configuration Device A GE1 0 49 GE1 0 50 Device B GE1 0 49 GE1 0 50 PC Configuration procedure 1 Configure Switch A Configure the ports to work in mandatory full duplex mode at a rate of 1000 Mbps...

Страница 178: ...vice correctly on one end with the other end connected to no device z If the device operates in the normal DLDP mode the end that receives optical signals is in the advertisement state the other end i...

Страница 179: ...Table Management 1 4 MAC Address Table Management Configuration Task List 1 4 Configuring a MAC Address Entry 1 5 Setting the MAC Address Aging Timer 1 6 Setting the Maximum Number of MAC Addresses a...

Страница 180: ...ddress table recording the MAC address to forwarding port association Each entry in a MAC address table contains the following fields z Destination MAC address z ID of the VLAN which a port belongs to...

Страница 181: ...h 1 2 After learning the MAC address of User A the switch starts to forward the packet Because there is no MAC address and port information of User B in the existing MAC address table the switch forwa...

Страница 182: ...ircumstances for example User B is unreachable or User B receives the packet but does not respond to it the switch cannot learn the MAC address of User B Hence the switch still broadcasts the packets...

Страница 183: ...configured manually z Blackhole MAC address entry This type of MAC address entries are configured manually A switch discards the packets destined for or originated from the MAC addresses contained in...

Страница 184: ...ackhole mac address interface interface type interface number vlan vlan id Required z When you add a MAC address entry the port specified by the interface argument must belong to the VLAN specified by...

Страница 185: ...seconds The capacity of the MAC address table on a switch is limited After the limit is reached the switch will forward the frames received with unknown source MAC addresses without learning MAC addr...

Страница 186: ...s Triggered Update By default a switch updates its MAC address entries based on the source MAC addresses of packets However this may cause the switch to perform unnecessary broadcasts in some applicat...

Страница 187: ...spiciously on the network you can add a blackhole MAC address entry for the MAC address to drop all packets destined for the host for security sake Configuration procedure Enter system view Sysname sy...

Страница 188: ...tect Basic Configuration 1 2 Auto Detect Implementation in Static Routing 1 2 Auto Detect Implementation in VLAN Interface Backup 1 3 Auto Detect Configuration Examples 1 4 Configuration Example for A...

Страница 189: ...and waits for the ICMP replies from the group based on the user defined policy which includes the number of ICMP requests and the timeout waiting for a reply Then according to the check result the sw...

Страница 190: ...2 Set a timeout waiting for an ICMP reply timer wait seconds Optional By default the timeout is 2 seconds Display the detected group configuration display detect group group number Available in any vi...

Страница 191: ...e the command Remarks Enter system view system view Bind a detected group to a static route ip route static ip address mask mask length interface type interface number next hop preference preference v...

Страница 192: ...backup VLAN interface z When the link between the active VLAN interface and the destination recovers that is the detected group becomes reachable again the system shuts down the standby VLAN interfac...

Страница 193: ...4 nexthop 192 168 1 2 SwitchA detect group 8 quit Enable the static route when the detected group is reachable The static route is invalid when the detected group is unreachable SwitchA ip route stat...

Страница 194: ...tchA detect group 10 Add the IP address of 10 1 1 4 to detected group 10 to detect the reachability of the IP address with the IP address of 192 168 1 2 as the next hop and the detecting number set to...

Страница 195: ...g the Timeout Time Factor 1 25 Configuring the Maximum Transmitting Rate on the Current Port 1 25 Configuring the Current Port as an Edge Port 1 26 Setting the Link Type of a Port to P2P 1 27 Enabling...

Страница 196: ...l 1 44 Introduction 1 44 Configuring VLAN VPN tunnel 1 44 MSTP Maintenance Configuration 1 45 Introduction 1 45 Enabling Log Trap Output for Ports of MSTP Instance 1 45 Configuration Example 1 45 Enab...

Страница 197: ...RSTP and Multiple Spanning Tree Protocol MSTP This chapter describes the characteristics of STP RSTP and MSTP and the relationship among them Spanning Tree Protocol Overview Why STP Spanning tree prot...

Страница 198: ...he port with the lowest path cost to the root bridge The root port is used for communicating with the root bridge A non root bridge device has one and only one root port The root bridge has no root po...

Страница 199: ...see Configuring the Bridge Priority of the Current Switch 5 Path cost STP uses path costs to indicate the quality of links A small path cost indicates a higher link quality The path cost of a port is...

Страница 200: ...dge priority plus MAC address z Designated port ID designated port priority plus port number z Message age lifetime for the configuration BPDUs to be propagated within the network z Max age lifetime f...

Страница 201: ...h cost the following fields are compared sequentially designated bridge IDs designated port IDs and then the IDs of the ports on which the configuration BPDUs are received The smaller these values the...

Страница 202: ...root port and designated ports forward traffic while other ports are all in the blocked state they only receive STP packets but do not forward user traffic Once the root bridge the root port on each...

Страница 203: ...on BPDUs periodically AP1 0 0 0 AP1 AP2 0 0 0 AP2 z Port BP1 receives the configuration BPDU of Device A 0 0 0 AP1 Device B finds that the received configuration BPDU is superior to the configuration...

Страница 204: ...ort CP2 receives the updated configuration BPDU of Device B 0 5 1 BP2 Because the received configuration BPDU is superior to its old one Device C launches a BPDU update process z At the same time port...

Страница 205: ...ty the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout In this case the device generates configuration BPDUs with...

Страница 206: ...gnated port can transit fast under the following conditions the designated port is an edge port or a port connected with a point to point link If the designated port is an edge port it can enter the f...

Страница 207: ...mapped to MSTI 2 Other VLANs mapped to CIST BPDU BPDU A D C B Region B0 VLAN 1 mapped to MSTI 1 VLAN 2 mapped to MSTI 2 Other VLANs mapped to CIST Region C0 VLAN 1 mapped to MSTI 1 VLAN 2 and 3 mapped...

Страница 208: ...ing tree generated by STP or RSTP running on the switches For example the red lines in Figure 1 4 represent the CST 6 CIST A common and internal spanning tree CIST is the spanning tree in a switched n...

Страница 209: ...of the two ports to eliminate the loop that occurs The blocked port is the backup port In Figure 1 5 switch A switch B switch C and switch D form an MST region Port 1 and port 2 on switch A connect u...

Страница 210: ...y MSTP At the same time MSTP regards each MST region as a switch to calculate the CSTs of the network The CSTs together with the ISTs form the CIST of the network 2 Calculate an MSTI Within an MST reg...

Страница 211: ...figure MSTP Task Remarks Enabling MSTP Required To prevent network topology jitter caused by other related configurations you are recommended to enable MSTP after other related configurations are perf...

Страница 212: ...nsmitting Rate on the Current Port Optional The default value is recommended Configuring the Current Port as an Edge Port Optional Configuring the Path Cost for a Port Optional Configuring Port Priori...

Страница 213: ...onfiguration Required Display the configuration of the current MST region check region configuration Optional Display the currently valid configuration of the MST region display stp region configurati...

Страница 214: ...10 Sysname mst region instance 2 vlan 20 to 30 Sysname mst region revision level 1 Sysname mst region active region configuration Verify the above configuration Sysname mst region check region config...

Страница 215: ...o new root bridge is configured If you configure multiple secondary root bridges for an MSTI the one with the smallest MAC address replaces the root bridge when the latter fails You can specify the ne...

Страница 216: ...le switches have the same bridge priority the one with the smallest MAC address becomes the root bridge Configuration example Set the bridge priority of the current switch to 4 096 in MSTI 1 Sysname s...

Страница 217: ...rmat Sysname system view Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 stp compliance dot1s Restore the default mode for Ethernet 1 0 1 to recognize send MSTP packets Sysname Ethernet1 0 1 un...

Страница 218: ...chanism disables the switches that are beyond the maximum hop count from participating in spanning tree calculation and thus limits the size of an MST region With such a mechanism the maximum hop coun...

Страница 219: ...re the network diameter of a switched network an MSTP enabled switch adjusts its hello time forward delay and max age settings accordingly to better values The network diameter setting only applies to...

Страница 220: ...As for the max age parameter if it is too small network congestion may be falsely regarded as link failures which results in frequent spanning tree recalculation If it is too large link problems may...

Страница 221: ...tch stp timer factor number Required The timeout time factor defaults to 3 For a steady network the timeout time can be five to seven times of the hello time Configuration example Configure the timeou...

Страница 222: ...0 1 Sysname Ethernet1 0 1 stp transmit limit 15 Configuring the Current Port as an Edge Port Edge ports are ports that neither directly connects to other switches nor indirectly connects to other swit...

Страница 223: ...le 2 Configure Ethernet 1 0 1 as an edge port in Ethernet port view Sysname system view Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 stp edged port enable Setting the Link Type of a Port to...

Страница 224: ...can configure the link of the port as a point to point link After you configure the link of a port as a point to point link the configuration applies to all the MSTIs the port belongs to If the actual...

Страница 225: ...Optional By default MSTP is enabled on all ports To enable a switch to operate more flexibly you can disable MSTP on specific ports As MSTP disabled ports do not participate in spanning tree calculati...

Страница 226: ...998 Adopts the IEEE 802 1D 1998 standard to calculate the default path costs of ports z dot1t Adopts the IEEE 802 1t standard to calculate the default path costs of ports z legacy Adopts the proprieta...

Страница 227: ...aggregated link measured in 100 Kbps Configure the path cost for specific ports Follow these steps to configure the path cost for specified ports in system view To do Use the command Remarks Enter sy...

Страница 228: ...rd dot1d 1998 Configuring Port Priority Port priority is an important criterion on determining the root port In the same condition the port with the smallest port priority value becomes the root port...

Страница 229: ...Sysname stp interface Ethernet 1 0 1 instance 1 port priority 16 2 Perform this configuration in Ethernet port view Sysname system view Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 stp insta...

Страница 230: ...1 0 1 mcheck 2 Perform this configuration in Ethernet port view Sysname system view Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 stp mcheck Configuring Guard Functions The following guard fu...

Страница 231: ...able to these ports even if you enable the BPDU guard function and specify these ports to be MSTP edge ports Configuring Root Guard A root bridge and its secondary root bridges must reside in the same...

Страница 232: ...d Remarks Enter system view system view Enable the root guard function on specified ports stp interface interface list root protection Required The root guard function is disabled by default Follow th...

Страница 233: ...ard on the root port and alternate port of a non root bridge z Loop guard root guard and edge port settings are mutually exclusive With one of these functions enabled on a port any of the other two fu...

Страница 234: ...ng operation For example if you set the maximum times for a switch to remove the MAC address table and ARP entries to 100 and the switch receives 200 TC BPDUs in the period the switch removes the MAC...

Страница 235: ...h MSTIs in an MST region only when the two switches have the same MST region related configuration Interconnected MSTP enabled switches determine whether or not they are in the same MST region by chec...

Страница 236: ...e protocol MSTP and the network operate normally Configuration procedure Follow these steps to configure digest snooping To do Use the command Remarks Enter system view system view Enter Ethernet port...

Страница 237: ...tree protocols in the same MST region z When the digest snooping feature is enabled globally the VLAN to instance mapping table cannot be modified z The digest snooping feature is not applicable to b...

Страница 238: ...he upstream switch As a result the designated port of the upstream switch fails to transit rapidly and can only turn to the forwarding state after a period twice the forward delay Some other manufactu...

Страница 239: ...uration procedure 1 Configure the rapid transition feature in system view Follow these steps to configure the rapid transition feature in system view To do Use the command Remarks Enter system view sy...

Страница 240: ...e service provider network and the lower part comprises the customer networks The service provider network comprises packet input output devices and the customer network has networks A and B On the se...

Страница 241: ...tch MSTP Maintenance Configuration Introduction In a large scale network with MSTP enabled there may be many MSTP instances and so the status of a port may change frequently In this case maintenance p...

Страница 242: ...tion example Enable a switch to send trap messages conforming to 802 1d standard to the network management device when the switch becomes the root bridge of instance 1 Sysname system view Sysname stp...

Страница 243: ...yer Switch A and Switch B are configured as the root bridges of MSTI 1 and MSTI 3 respectively Switch C is configured as the root bridge of MSTI 4 Network diagram Figure 1 10 Network diagram for MSTP...

Страница 244: ...er MST region view Sysname system view Sysname stp region configuration Configure the MST region Sysname mst region region name example Sysname mst region instance 1 vlan 10 Sysname mst region instanc...

Страница 245: ...ion between the customer networks and the service provider network Network diagram Figure 1 11 Network diagram for VLAN VPN tunnel configuration Eth 1 0 1 Switch A Switch D Switch C Switch B Eth 1 0 1...

Страница 246: ...Ns Sysname GigabitEthernet1 0 2 port trunk permit vlan all 4 Configure Switch D Enable MSTP Sysname system view Sysname stp enable Enable the VLAN VPN tunnel function Sysname vlan vpn tunnel Add Gigab...

Страница 247: ...Route 2 2 Displaying and Maintaining Static Routes 2 2 Static Route Configuration Example 2 3 Troubleshooting a Static Route 2 4 3 RIP Configuration 3 1 RIP Overview 3 1 Basic Concepts 3 1 RIP Startup...

Страница 248: ...Route Policy 4 3 Defining if match Clauses and apply Clauses 4 3 IP Prefix Configuration 4 5 Configuration Prerequisites 4 5 Configuring an ip prefix list 4 5 Displaying IP Route Policy 4 5 IP Route P...

Страница 249: ...ter Routes in a routing table can be divided into three categories by origin z Direct routes Routes discovered by data link protocols also known as interface routes z Static routes Routes that are man...

Страница 250: ...e The router is directly connected to the network where the destination resides z Indirect route The router is not directly connected to the network where the destination resides In order to avoid an...

Страница 251: ...ically including RIP OSPF and IS IS z Exterior Gateway Protocols EGPs Work between autonomous systems The most popular one is BGP An autonomous system refers to a group of routers that share the same...

Страница 252: ...ocol has the highest priority among all the active protocols these routes will be considered valid and are used to forward packets thus achieving load sharing Route backup You can configure multiple r...

Страница 253: ...routes permitted by a prefix list display ip routing table ip prefix ip prefix name verbose Display routes to a specified destination display ip routing table ip address mask mask length longer match...

Страница 254: ...y thus resulting in network interruption In this case the network administrator needs to modify the configuration of static routes manually Static routes are divided into three types z Reachable route...

Страница 255: ...Static Route Follow these steps to configure a static route To do Use the command Remarks Enter system view system view Configure a static route ip route static ip address mask mask length interface t...

Страница 256: ...re be simple and stable The company hopes that the existing devices that do not support any dynamic routing protocol can be fully utilized In this case static routes can implement communication betwee...

Страница 257: ...ip route static 1 1 1 0 255 255 255 0 1 1 2 1 SwitchC ip route static 1 1 4 0 255 255 255 0 1 1 3 2 2 Perform the following configurations on the host Set the default gateway address of Host A to 1 1...

Страница 258: ...to a destination address In RIP the hop count from a router to its directly connected network is 0 and that to a network which can be reached through another router is 1 and so on To restrict the tim...

Страница 259: ...llowing mechanisms to prevent routing loops z Counting to infinity The metric value of 16 is defined as unreachable When a routing loop occurs the metric value of the route will increment to 16 z Spli...

Страница 260: ...ing split horizon Optional Configuring RIP 1 packet zero field check Optional Setting RIP 2 packet authentication mode Optional RIP Network Adjustment and Optimization Configuring RIP to unicast RIP p...

Страница 261: ...nd RIP update packets rip output Enable the interface to receive and send RIP update packets rip work Optional Enabled by default Specifying the RIP version on an interface Follow these steps to speci...

Страница 262: ...ional routing metric To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Set the additional routing metric to be added for incomi...

Страница 263: ...oming outgoing routes The route filtering function provided by a router enables you to configure inbound outbound filter policy by specifying an ACL address prefix list or route policy to make RIP fil...

Страница 264: ...e RIP preference preference value Required 100 by default Enabling load sharing among RIP interfaces Follow these steps to enable load sharing among RIP interfaces To do Use the command Remarks Enter...

Страница 265: ...djacent nodes are reachable to each other at the network layer z Configuring basic RIP functions Configuration Tasks Configuring RIP timers Follow these steps to configure RIP timers To do Use the com...

Страница 266: ...modes simple authentication and message digest 5 MD5 authentication Simple authentication cannot provide complete security because the authentication keys sent along with packets that are not encrypt...

Страница 267: ...ion display rip routing Available in any view Reset the system configuration related to RIP reset Available in RIP view RIP Configuration Example Network requirements A small sized company requires th...

Страница 268: ...rip SwitchB rip network 196 38 165 0 SwitchB rip network 110 11 2 0 3 Configure Switch C Configure RIP SwitchC system view SwitchC rip SwitchC rip network 117 102 0 0 SwitchC rip network 110 11 2 0 Tr...

Страница 269: ...may need to import the routing information discovered by other protocols to enrich its routing knowledge While importing routing information from another protocol it possibly only needs to import the...

Страница 270: ...ng order of their node numbers Each node comprises a set of if match and apply clauses The if match clauses define the matching rules The matching objects are some attributes of routing information Th...

Страница 271: ...d Not defined by default z The permit argument specifies the matching mode for a defined node in the route policy to be in permit mode If a route matches the rules for the node the apply clauses for t...

Страница 272: ...n Apply a cost to routes satisfying matching rules apply cost value Optional By default no cost is applied to routes satisfying matching rules Define an action to set the tag field of routing informat...

Страница 273: ...hecks the entries in ascending order of index number Once the route matches an entry the route passes the filtering of the IP prefix list and no other entry will be matched Follow these steps to confi...

Страница 274: ...If a fault occurs to the main link of one service dynamic backup can prevent service interruption Network diagram According to the network requirements the network topology is designed as shown in Fig...

Страница 275: ...chB rip network 1 0 0 0 SwitchB rip network 3 0 0 0 SwitchB rip network 6 0 0 0 3 Configure Switch C Create VLANs and configure IP addresses for the VLAN interfaces The configuration procedure is omit...

Страница 276: ...C route policy quit Create node 50 with the matching mode being permit to allow all routing information to pass SwitchC route policy in permit node 50 SwitchC route policy quit Configure RIP and apply...

Страница 277: ...ne if you try to set it to 0 z The cost will still be 16 if you try to set it to 16 2 Using the if match interface command will match the routes whose outgoing interface to the next hop is the specifi...

Страница 278: ...Packets 1 3 Displaying and Maintaining Common Multicast Configuration 1 3 3 IGMP Snooping Configuration 1 1 IGMP Snooping Overview 1 1 Principle of IGMP Snooping 1 1 Basic Concepts in IGMP Snooping 1...

Страница 279: ...ii Configuring IGMP Snooping 1 16 Configuring Multicast VLAN 1 18 Troubleshooting IGMP Snooping 1 21...

Страница 280: ...and tele education have come into being These services have higher requirements for information security legal use of paid services and network bandwidth In the network packets are sent in three mode...

Страница 281: ...Broadcast Mode When you broadcast traffic the system transmits information to all users on a network Any user on the network can receive the information no matter if the information is needed or not F...

Страница 282: ...t Hosts B D and E need the information To transmit the information to the right users it is necessary to group Hosts B D and E into a receiver set The routers on the network duplicate and distribute t...

Страница 283: ...sends to the multicast group 4 The user turns off the TV set The receiver leaves the multicast group z A multicast source does not necessarily belong to a multicast group Namely a multicast source is...

Страница 284: ...y time SFM model The SFM model is derived from the ASM model From the view of a sender the two models have the same multicast group membership architecture Functionally the SFM model is an extension o...

Страница 285: ...about multicast addressing To enable the communication between the information source and members of a multicast group a group of information receivers network layer multicast addresses namely IP mul...

Страница 286: ...etwork 232 0 0 0 to 232 255 255 255 Available source specific multicast SSM multicast group addresses 239 0 0 0 to 239 255 255 255 Administratively scoped multicast addresses which are for specific lo...

Страница 287: ...MAC address of the receiver When a multicast packet is transported in an Ethernet network a multicast MAC address is used as the destination address because the destination is a group with an uncerta...

Страница 288: ...cols Typically the Internet Group Management Protocol IGMP is used between hosts and Layer 3 multicast devices directly connected with the hosts These protocols define the mechanism of establishing an...

Страница 289: ...traditional multicast on demand mode when users in different VLANs on a Layer 2 device need multicast information the upstream Layer 3 device needs to forward a separate copy of the multicast data to...

Страница 290: ...ming interface of the existing S G entry this means that the S G entry is no longer valid The router replaces the incoming interface of the S G entry with the interface on which the packet actually ar...

Страница 291: ...in the multicast forwarding table of Switch C Switch C performs an RPF check and finds in its unicast routing table that the outgoing interface to 192 168 0 0 24 is VLAN interface 2 This means that t...

Страница 292: ...use of network bandwidth and transmission of multicast data of authorized users by taking network resources You can configure multicast source port suppression on certain ports to prevent unauthorized...

Страница 293: ...ered on the switch the switch will flood the packet within the VLAN to which the port belongs You can configure a static multicast MAC address entry to avoid this Follow these steps to configure a mul...

Страница 294: ...e flooded in the VLAN which the multicast packet belongs to When the function of dropping unknown multicast packets is enabled the switch will drop any multicast packets whose multicast address is not...

Страница 295: ...is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups Principle of IGMP Snooping By analyzing received IGMP messages a Layer 2 device running IGMP...

Страница 296: ...icast group members Figure 3 2 IGMP Snooping related ports Router A Switch A Switch B Eth1 0 1 Eth1 0 2 Eth1 0 3 Eth1 0 1 Eth1 0 2 Receiver Receiver Host A Host B Host C Host D Source Multicast packet...

Страница 297: ...ng an IGMP general query the switch forwards it through all ports in the VLAN except the receiving port and performs the following to the receiving port z If the receiving port is a router port existi...

Страница 298: ...ely delete the forwarding entry corresponding to that port from the forwarding table instead it resets the aging timer of the member port Upon receiving the IGMP leave message from a host the IGMP que...

Страница 299: ...Traffic in a VLAN Optional Configuring Static Member Port for a Multicast Group Optional Configuring a Static Router Port Optional Configuring a Port as a Simulated Group Member Optional Configuring...

Страница 300: ...2 messages but not IGMPv3 messages which will be flooded in the VLAN z IGMP snooping version 3 can process IGMPv1 IGMPv2 and IGMPv3 messages Follow these steps to configure the version of IGMP Snoopin...

Страница 301: ...esource usage If fast leave processing and unknown multicast packet dropping or non flooding are enabled on a port to which more than one host is connected when one host leaves a multicast group the o...

Страница 302: ...rt If the receiving port can join this multicast group the switch adds this port to the IGMP Snooping multicast group list otherwise the switch drops this report message Any multicast data that has fa...

Страница 303: ...programs on demand available to users thus to regulate traffic on the port Follow these steps to configure the maximum number of multicast groups on a port To do Use the command Remarks Enter system...

Страница 304: ...g failure in the end When a Layer 2 device acts as an IGMP Snooping querier to avoid the aforesaid problem configure a non all zero IP address as the source IP address of IGMP queries IGMP Snooping qu...

Страница 305: ...oup an IGMP Snooping switch creates a nonflooding entry and relays the packet to router ports only instead of flooding the packet within the VLAN If the switch has no router ports it drops the multica...

Страница 306: ...gure specified port s as static member port s of a multicast group in the VLAN multicast static group group address interface interface list Required By default no port is configured as a static multi...

Страница 307: ...witch will respond As a result the port of the VLAN can continue to receive multicast traffic Through this configuration the following functions can be implemented z When an Ethernet port is configure...

Страница 308: ...apping vlan vlan id Required By default the VLAN tag in IGMP general and group specific query messages is not changed It is not recommended to configure this function while the multicast VLAN function...

Страница 309: ...ticast VLAN if the port type is hybrid Follow these steps to configure multicast VLAN on the Layer 2 switch To do Use the command Remarks Enter system view system view Enable IGMP Snooping igmp snoopi...

Страница 310: ...ame time Displaying and Maintaining IGMP Snooping To do Use the command Remarks Display the current IGMP Snooping configuration display igmp snooping configuration Available in any view Display IGMP S...

Страница 311: ...e PIM DM on each interface and enable IGMP on Ethernet 1 0 1 RouterA system view RouterA multicast routing enable RouterA interface Ethernet 1 0 1 RouterA Ethernet1 0 1 igmp enable RouterA Ethernet1 0...

Страница 312: ...ports Ethernet 1 0 3 and Ethernet 1 0 4 This means that Host A and Host B have joined the multicast group 224 1 1 1 Configuring Multicast VLAN Network requirements As shown in Figure 3 4 Workstation i...

Страница 313: ...ext describes the configuration details You can also configure these ports as trunk ports The configuration procedure is omitted here For details see Configuring Multicast VLAN Configure a multicast V...

Страница 314: ...st VLAN and then enable IGMP Snooping on it SwitchB vlan 2 to 3 Please wait Done SwitchB vlan 10 SwitchB vlan10 service type multicast SwitchB vlan10 igmp snooping enable SwitchB vlan10 quit Define Et...

Страница 315: ...ng is disabled check whether it is disabled globally or in the specific VLAN If it is disabled globally use the igmp snooping enable command in both system view and VLAN view to enable it both globall...

Страница 316: ...Guest VLAN 1 18 Configuring 802 1x Re Authentication 1 18 Configuring the 802 1x Re Authentication Timer 1 19 Displaying and Maintaining 802 1x Configuration 1 20 Configuration Example 1 20 802 1x Co...

Страница 317: ...4 1 Configuring System Guard 4 1 Configuring System Guard Against IP Attacks 4 1 Configuring System Guard Against TCN Attacks 4 2 Enabling Layer 3 Error Control 4 3 Displaying and Maintaining System...

Страница 318: ...port based network access control protocol It is used to perform port level authentication and control of devices connected to the 802 1x enabled ports With the 802 1x protocol employed a user side d...

Страница 319: ...s user name password the VLAN a user should belong to priority and any Access Control Lists ACLs to be applied There are four additional basic concepts related 802 1x port access entity PAE controlled...

Страница 320: ...he Mechanism of an 802 1x Authentication System IEEE 802 1x authentication system uses the Extensible Authentication Protocol EAP to exchange information between the supplicant system and the authenti...

Страница 321: ...ength field indicates the size of the Packet body field A value of 0 indicates that the Packet Body field does not exist z The Packet body field differs with the Type field Note that EAPoL Start EAPoL...

Страница 322: ...to a RADIUS protocol packet for EAP authentication Refer to the Introduction to RADIUS protocol section in the AAA Operation for information about the format of a RADIUS protocol packet The EAP messag...

Страница 323: ...icant system The RADIUS server sends MD5 keys contained in EAP request MD5 challenge packets to the supplicant system which in turn encrypts the passwords using the MD5 keys z EAP TLS allows the suppl...

Страница 324: ...est identity packet to ask the 802 1x client for the user name z The 802 1x client responds by sending an EAP response identity packet to the switch with the user name contained in it The switch then...

Страница 325: ...e if one of the four ways are used that is PEAP EAP TLS EAP TTLS or EAP MD5 to authenticate ensure that the authenticating ways used on the supplicant system and the RADIUS server are the same However...

Страница 326: ...Used in 802 1x In 802 1 x authentication the following timers are used to ensure that the supplicant system the switch and the RADIUS server interact in an orderly way z Handshake timer handshake peri...

Страница 327: ...ulticast request identity packets periodically through the port enabled with 802 1x function In this case this timer sets the interval to send the multicast request identity packets z Client version r...

Страница 328: ...ersion check command Checking the client version With the 802 1x client version checking function enabled a switch checks the version and validity of an 802 1x client to prevent unauthorized users or...

Страница 329: ...user a switch goes through the complete authentication process It transmits the username and password of the user to the server The server may authenticate the username and password or however use re...

Страница 330: ...he AAA scheme a local authentication scheme or a RADIUS scheme to be adopted in the ISP domain z If you specify to use a local authentication scheme you need to configure the user names and passwords...

Страница 331: ...quit Optional By default an 802 1x enabled port operates in the auto mode In system view dot1x port method macbased portbased interface interface list interface interface type interface number dot1x p...

Страница 332: ...e acknowledgement packets from them in handshaking periods To prevent users being falsely considered offline you need to disable the online user handshaking function in this case z The handshake packe...

Страница 333: ...in port view In this case this command applies to the current port only and the interface list argument is not needed z As for the configuration of 802 1x timers the default values are recommended Ad...

Страница 334: ...Checking Follow these steps to configure client version checking To do Use the command Remarks Enter system view system view In system view dot1x version check interface interface list interface inter...

Страница 335: ...ased Required The default access control method on a port is MAC based That is the macbased keyword is used by default In system view dot1x guest vlan vlan id interface interface list interface interf...

Страница 336: ...ch the switch determines the re authentication interval in one of the following two ways z The switch uses the value of the Session timeout attribute field of the Access Accept packet sent by the RADI...

Страница 337: ...connection is terminated if the total size of the data passes through it during a period of 20 minutes is less than 2 000 bytes z The switch is connected to a server comprising of two RADIUS servers w...

Страница 338: ...based is the default Sysname dot1x port method macbased interface Ethernet 1 0 1 Create a RADIUS scheme named radius1 and enter RADIUS scheme view Sysname radius scheme radius1 Assign IP addresses to...

Страница 339: ...nd enter its view Sysname domain aabbcc net Specify to adopt radius1 as the RADIUS scheme of the user domain If RADIUS server is invalid specify to adopt the local authentication scheme Sysname isp aa...

Страница 340: ...ck EAD Deployment Quick EAD deployment is achieved with the two functions restricted access and HTTP redirection Restricted access Before passing 802 1x authentication a user is restricted through ACL...

Страница 341: ...onfiguring a free IP range z With dot1x enabled but quick EAD deployment disabled users cannot access the DHCP server if they fail 802 1x authentication With quick EAD deployment enabled users can obt...

Страница 342: ...Use the command Remarks Enter system view system view Set the ACL timer dot1x timer acl timeout acl timeout value Required By default the ACL timeout period is 30 minutes Displaying and Maintaining Q...

Страница 343: ...ormat other than the dotted decimal notation the user may not be redirected This is related with the operating system used on the PC In this case the PC considers the IP address string a name and trie...

Страница 344: ...anagement devices can obtain the MAC addresses of the attached switches and thus the management of the attached switches is feasible HABP is built on the client server model Typically the HABP server...

Страница 345: ...servers After you enable HABP for a switch the switch operates as an HABP client by default So you only need to enable HABP on a switch to make it an HABP client Follow these steps to configure an HA...

Страница 346: ...re received on the ports If a port receives an excessive number of TCN TC packets within a given period of time the switch sends only one TCN TC packet in every 10 seconds to the CPU and discards the...

Страница 347: ...a period of 10 seconds the system considers that it is being attacked the system sorts out the source IP address and decreases the precedence of delivering packets from the source IP address to the C...

Страница 348: ...and Maintaining System Guard Configuration To do Use the command Remarks Display the monitoring result and parameter settings of System Guard against IP attacks display system guard ip state Display...

Страница 349: ...US Servers to be Supported 2 14 Configuring the Status of RADIUS Servers 2 15 Configuring the Attributes of Data to be Sent to RADIUS Servers 2 15 Configuring the Local RADIUS Server 2 17 Configuring...

Страница 350: ...orization of Telnet Users 2 29 Troubleshooting AAA 2 30 Troubleshooting RADIUS Configuration 2 30 Troubleshooting HWTACACS Configuration 2 31 3 EAD Configuration 3 1 Introduction to EAD 3 1 Typical Ne...

Страница 351: ...this device and users are authenticated on this device instead of on a remote device Local authentication is fast and requires lower operational cost but has the deficiency that information storage c...

Страница 352: ...r structure It can prevent unauthorized access to your network and is commonly used in network environments where both high security and remote user access service are required The RADIUS service invo...

Страница 353: ...e 1 2 depicts the message exchange procedure between user switch and RADIUS server Figure 1 2 Basic message exchange procedure of RADIUS The basic message exchange procedure of RADIUS is as follows 1...

Страница 354: ...timer management retransmission and backup server Figure 1 3 depicts the format of RADIUS messages Figure 1 3 RADIUS message format 1 The Code field one byte decides the type of RADIUS message as sho...

Страница 355: ...arded 4 The Authenticator field 16 bytes is used to authenticate the response from the RADIUS server and is used in the password hiding algorithm There are two kinds of authenticators Request Authenti...

Страница 356: ...or occupies four bytes where the first byte is 0 and the other three bytes are defined in RFC 1700 Here the vendor can encapsulate multiple customized sub attributes containing vendor specific Type Le...

Страница 357: ...mmand authorization Does not support In a typical HWTACACS application as shown in 0 a terminal user needs to log into the switch to perform some operations As a HWTACACS client the switch sends the u...

Страница 358: ...client sends an authentication continuance message carrying the username 4 The TACACS server returns an authentication response asking for the password Upon receiving the response the TACACS client r...

Страница 359: ...ends an accounting start request to the TACACS server 11 The TACACS server returns an accounting response indicating that it has received the accounting start request 12 The user logs out the TACACS c...

Страница 360: ...tes Required Configuring a combined AAA scheme Required None authentication Local authentication RADIUS authentication Configuring an AAA Scheme for an ISP Domain HWTACACS authentication z Use one of...

Страница 361: ...e the form of the delimiter between the username and the ISP domain name domain delimiter at dot Optional By default the delimiter between the username and the ISP domain name is Create an ISP domain...

Страница 362: ...counting server or fails to communicate with any accounting server when it performs accounting for a user it does not disconnect the user as long as the accounting optional command has been executed t...

Страница 363: ...switch and a TACACS server is normal the local scheme is not used if the TACACS server is not reachable or there is a key error or NAS IP error the local scheme is used z If you execute the scheme loc...

Страница 364: ...local scheme do not support the separation of authentication and authorization Therefore pay attention when you make authentication and authorization configuration for a domain When the scheme radius...

Страница 365: ...ID assigned by the RADIUS authentication server the switch adds the port to the VLAN whose VLAN ID is equal to the assigned integer ID If no such a VLAN exists the switch first creates a VLAN with th...

Страница 366: ...o implement dynamic VLAN assignment on a port where both MSTP and 802 1x are enabled you must set the MSTP port to an edge port Configuring the Attributes of a Local User When local scheme is chosen a...

Страница 367: ...cess specified type s of service service type ftp lan access telnet ssh terminal level level Required By default the system does not authorize the user to access any service Set the privilege level of...

Страница 368: ...d with an authorized VLAN The switch will not assign authorized VLANs for subsequent users passing MAC address authentication In this case you are recommended to connect only one MAC address authentic...

Страница 369: ...local RADIUS server Task Remarks Creating a RADIUS Scheme Required Configuring RADIUS Authentication Authorization Servers Required Configuring RADIUS Accounting Servers Required Configuring Shared K...

Страница 370: ...n exchange between switch and RADIUS server To make these parameters take effect you must reference the RADIUS scheme configured with these parameters in an ISP domain view refer to AAA Configuration...

Страница 371: ...fy one server as both the primary and secondary authentication authorization servers as well as specifying two RADIUS servers as the primary and secondary authentication authorization servers respecti...

Страница 372: ...ing request that gets no response from the RADIUS accounting server and then retransmits the request to the RADIUS accounting server until it gets a response or the maximum number of transmission atte...

Страница 373: ...no answer after it has tried the maximum number of times to transmit the request the switch considers that the request fails Follow these steps to configure the maximum transmission attempts of a RADI...

Страница 374: ...ry server and at the same time restores the status of the primary server to active while keeping the status of the secondary server unchanged When both the primary and secondary servers are in active...

Страница 375: ...giga byte kilo byte mega byte packet giga packet kilo packet mega packet one packet Optional By default in a RADIUS scheme the data unit and packet unit for outgoing RADIUS flows are byte and one pac...

Страница 376: ...efault z The purpose of setting the MAC address format of the Calling Station Id Type 31 field in RADIUS packets is to improve the switch s compatibility with different RADIUS servers This setting is...

Страница 377: ...servers and the corresponding timer in the switch system is called the response timeout timer of RADIUS servers If the switch gets no answer within the response timeout time it needs to retransmit th...

Страница 378: ...when a RADIUS server is down radius trap authentication server down accounting server down Optional By default the switch does not send trap message when a RADIUS server is down z This configuration t...

Страница 379: ...se from the CAMS it stops sending Accounting On messages 5 If the switch does not receive any response from the CAMS after it has tried the configured maximum number of times to send the Accounting On...

Страница 380: ...TACACS protocol configuration is performed on a scheme basis Therefore you must create a HWTACACS scheme and enter HWTACACS view before performing other configuration tasks Follow these steps to creat...

Страница 381: ...horization Servers Follow these steps to configure TACACS authorization servers To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter its view hwtacacs scheme...

Страница 382: ...nal By default the stop accounting messages retransmission function is enabled and the system can transmit a buffered stop accounting request for 100 times z You are not allowed to configure the same...

Страница 383: ...ain names data flow format data byte giga byte kilo byte mega byte Set the units of data flows to TACACS servers data flow format packet giga packet kilo packet mega packet one packet Optional By defa...

Страница 384: ...y sends online users accounting information to the TACACS server at the set interval z The real time accounting interval must be a multiple of 3 z The setting of real time accounting interval somewhat...

Страница 385: ...tics reset radius statistics Available in user view Displaying and Maintaining HWTACACS Protocol Configuration To do Use the command Remarks Display the configuration or statistic information about on...

Страница 386: ...nd login passwords The Telnet usernames added to the RADIUS server must be in the format of userid isp name if you have configured the switch to include domain names in the usernames to be sent to the...

Страница 387: ...ly takes Telnet users as example to describe the configuration procedure for local authentication Network requirements In the network environment shown in Figure 2 2 you are required to configure the...

Страница 388: ...respectively z Configure local users HWTACACS Authentication and Authorization of Telnet Users Network requirements You are required to configure the switch so that the Telnet users logging into the...

Страница 389: ...ure to input the correct password z The switch and the RADIUS server have different shared keys Compare the shared keys at the two ends make sure they are identical z The switch cannot communicate wit...

Страница 390: ...2 31 Troubleshooting HWTACACS Configuration See the previous section if you encounter an HWTACACS fault...

Страница 391: ...Dynamically adjusts the VLAN rate and packet scheduling priority for user terminals according to session control packets whereby to control the access rights of users dynamically Typical Network Appl...

Страница 392: ...Each RADIUS scheme supports up to eight IP addresses of security policy servers EAD Configuration Example Network requirements In Figure 3 2 z A user is connected to Ethernet 1 0 1 on the switch z The...

Страница 393: ...system view Sysname domain system Sysname isp system quit Configure a RADIUS scheme Sysname radius scheme cams Sysname radius cams primary authentication 10 110 91 164 1812 Sysname radius cams account...

Страница 394: ...1 2 Quiet MAC Address 1 2 Configuring Basic MAC Address Authentication Functions 1 2 MAC Address Authentication Enhanced Function Configuration 1 3 MAC Address Authentication Enhanced Function Config...

Страница 395: ...itch in advance In this case the user name the password and the limits on the total number of user names are the matching criterion for successful authentication For details refer to AAA of this manua...

Страница 396: ...from the RADIUS server in this period it assumes that its connection to the RADIUS server has timed out and forbids the user from accessing the network Quiet MAC Address When a user fails MAC address...

Страница 397: ...dress authentication timers mac authentication timer offline detect offline detect value quiet quiet value server timeout server timeout value Optional The default timeout values are as follows 300 se...

Страница 398: ...to fixed user names and passwords The switch will not learn MAC addresses of the clients failing in the authentication into its local MAC address table thus prevent illegal users from accessing the ne...

Страница 399: ...adds the port to the Guest VLAN Therefore the Guest VLAN can separate unauthenticated users on an access port When it comes to a trunk port or a hybrid port if a packet itself has a VLAN tag and be in...

Страница 400: ...cation cannot be enabled for a port configured with a Guest VLAN z The Guest VLAN function for MAC address authentication does not take effect when port security is enabled Configuring the Maximum Num...

Страница 401: ...ac authentication interface interface list Available in any view Clear the statistics of global or on port MAC address authentication reset mac authentication statistics interface interface type inter...

Страница 402: ...ISP domain named aabbcc net Sysname domain aabbcc net New Domain added Specify to perform local authentication Sysname isp aabbcc net scheme local Sysname isp aabbcc net quit Specify aabbcc net as the...

Страница 403: ...k Detection 2 1 Introduction to ARP Packet Rate Limit 2 3 Introduction to ARP Packet Filtering Based on Gateway s Address 2 3 Configuring ARP Attack Defense 2 4 ARP Attack Defense Configuration Task L...

Страница 404: ...device must know the data link layer address MAC address for example of the destination host or the next hop To this end the IP address must be resolved into the corresponding data link layer address...

Страница 405: ...efer to Table 1 2 for the information about the field values Protocol type Type of protocol address to be mapped 0x0800 indicates an IP address Length of hardware address Hardware address length in by...

Страница 406: ...Dynamically generated ARP entries of this type age with time The aging period is set by the ARP aging timer ARP Process Figure 1 2 ARP process Suppose that Host A and Host B are on the same subnet and...

Страница 407: ...ardware address stored in their caches With the gratuitous ARP packet learning function enabled A device receiving a gratuitous ARP packet adds the information carried in the packet to its own dynamic...

Страница 408: ...ntries cannot be configured on the ports of an aggregation group Configuring Gratuitous ARP Follow these steps to configure gratuitous ARP To do Use the command Remarks Enter system view system view E...

Страница 409: ...isplay arp timer aging Available in any view Clear specific ARP entries reset arp dynamic static interface interface type interface number Available in user view ARP Configuration Examples Network req...

Страница 410: ...tacks you can configure ARP source MAC address consistency check on S4500 series Ethernet switches operating as gateways With this function the device can verify whether an ARP packet is valid by chec...

Страница 411: ...appings of authenticated 802 1x users according to different network environments z If all the clients connected to the switch use IP addresses obtained through DHCP you are recommended to enable DHCP...

Страница 412: ...P packets received on the port within each second If the number of ARP packets received on the port per second exceeds the preconfigured value the switch considers that the port is attacked by ARP pac...

Страница 413: ...z To filter ARP attack packets arriving on the upstream port you can bind the IP and MAC addresses of the gateway to the cascaded port or upstream port of the access switch After that the port will di...

Страница 414: ...N Interface Can Learn Follow these steps to configure the maximum number of dynamic ARP entries that a VLAN interface can learn To do Use the command Remarks Enter system view system view Enter VLAN i...

Страница 415: ...ess or based on gateway s IP and MAC addresses on an Ethernet port Generally ARP packet filtering based on gateway s IP address is configured on the switch s port directly connected to a host and ARP...

Страница 416: ...tatic IP binding entries on the switch These functions can cooperate with ARP attack detection to check the validity of packets z You need to use ARP attack detection based on authenticated 802 1x cli...

Страница 417: ...you can configure the port state auto recovery interval z You are not recommended to configure the ARP packet rate limit function on the ports of a fabric or an aggregation group ARP Attack Defense Co...

Страница 418: ...e the ARP packet rate limit function on Ethernet 1 0 2 and set the maximum ARP packet rate allowed on the port to 20 pps SwitchA interface Ethernet 1 0 2 SwitchA Ethernet1 0 2 arp rate limit enable Sw...

Страница 419: ...C 000D 88F8 528C Gateway Host A Host B Configuration Procedures Enter system view Switch system view Configure ARP packet filtering based on the gateway s IP and MAC addresses on Ethernet 1 0 1 Switch...

Страница 420: ...A Vlan int 192 168 1 1 24 Configuration Procedures Enter system view SwitchA system view Enable ARP source MAC address consistency check SwitchA arp anti attack valid check enable Enter VLAN interface...

Страница 421: ...N 1 Switch vlan 1 Switch vlan1 arp detection enable Switch vlan1 quit Configure Ethernet 1 0 2 and Ethernet 1 0 3 as ARP trusted ports Switch interface Ethernet 1 0 2 Switch Ethernet1 0 2 arp detectio...

Страница 422: ...g WINS Servers for the DHCP Client 2 10 Configuring Gateways for the DHCP Client 2 11 Configuring BIMS Server Information for the DHCP Client 2 11 Configuring Option 184 Parameters for the Client with...

Страница 423: ...r Group with a Relay Agent Interface 3 4 Configuring DHCP Relay Agent Security Functions 3 5 Configuring the DHCP Relay Agent to Support Option 82 3 7 Displaying and Maintaining DHCP Relay Agent Confi...

Страница 424: ...tion 6 1 Introduction to DHCP Client 6 1 Introduction to BOOTP Client 6 1 Configuring a DHCP BOOTP Client 6 2 DHCP Client Configuration Example 6 3 BOOTP Client Configuration Example 6 3 Displaying DH...

Страница 425: ...iguration Protocol DHCP is developed to solve these issues DHCP adopts a client server model where the DHCP clients send requests to DHCP servers for configuration parameters and the DHCP servers retu...

Страница 426: ...R packet that first arrives and then broadcasts a DHCP REQUEST packet containing the assigned IP address carried in the DHCP OFFER packet 4 Acknowledge In this phase the DHCP servers acknowledge the I...

Страница 427: ...llowing figure describes the packet format the number in the brackets indicates the field length in bytes Figure 1 2 DHCP packet format The fields are described as follows z op Operation types of DHCP...

Страница 428: ...type valid lease time IP address of a DNS server and IP address of the WINS server Protocol Specification Protocol specifications related to DHCP include z RFC2131 Dynamic Host Configuration Protocol...

Страница 429: ...z Large sized networks where manual configuration method bears heavy load and is difficult to manage the whole network in centralized way z Networks where the number of available IP addresses is less...

Страница 430: ...e you just need to configure them on the network segment or the corresponding subnets The following is the details of configuration inheritance 1 A newly created child address pool inherits the config...

Страница 431: ...found in a proper DHCP address pool 5 If no IP address is available the DHCP server queries lease expired and conflicted IP addresses If the DHCP server finds such IP addresses it assigns them otherwi...

Страница 432: ...it adopts the configurations on the new XRN system And you need to perform DHCP server configurations if the new XRN system does not have DHCP server related configurations z In an XRN system the UDP...

Страница 433: ...ace s Required Creating a DHCP Global Address Pool Required Configuring the static IP address allocation mode Configuring an Address Allocation Mode for the Global Address Pool Configuring the dynamic...

Страница 434: ...ol and only one mode can be configured for one DHCP global address pool For dynamic IP address allocation you need to specify the range of the IP addresses to be dynamically assigned But for static IP...

Страница 435: ...equired By default no MAC address or client ID to which an IP address is to be statically bound is configured z The static bind ip address command and the static bind mac address command or the static...

Страница 436: ...ts the DHCP server automatically excludes IP addresses used by the gateway FTP server and so forth specified with the dhcp server forbidden ip command from dynamic allocation The lease time can differ...

Страница 437: ...bout DNS refer to DNS Operation in this manual Follow these steps to configure a domain name suffix for the DHCP client To do Use the command Remarks Enter system view system view Enter DHCP address p...

Страница 438: ...WINS servers The character p stands for peer to peer The source node sends the unicast packet to the WINS server After receiving the unicast packet the WINS server returns the IP address corresponding...

Страница 439: ...efore the DHCP server needs to offer DHCP clients the BIMS server IP address port number shared key from the DHCP address pool Follow these steps to configure BIMS server information for the DHCP clie...

Страница 440: ...option is defined Voice VLAN Configuration sub option 3 The voice VLAN configuration sub option carries the ID of the voice VLAN and the flag indicating whether the voice VLAN identification function...

Страница 441: ...onse packet to be sent to the DHCP client Only when the DHCP client specifies in Option 55 of the request packet that it requires Option 184 does the DHCP server add Option 184 in the response packet...

Страница 442: ...e DHCP server but you do not need to perform any configuration on the DHCP client When Option 55 in a client s request contains parameters of Option 66 Option 67 or Option 150 the DHCP server will ret...

Страница 443: ...s and those obtained from interface address pools are not on the same network segment so the clients cannot communicate with each other Therefore in the interface address pool mode if the DHCP clients...

Страница 444: ...ign to a client is the primary IP address of the interface Enabling the Interface Address Pool Mode on Interface s If the DHCP server works in the interface address pool mode it picks IP addresses fro...

Страница 445: ...ly allocated to DHCP clients Configuring the static IP address allocation mode Some DHCP clients such as WWW servers need fixed IP addresses This is achieved by binding IP addresses to the MAC address...

Страница 446: ...o be dynamically assigned is unnecessary To avoid address conflicts the DHCP server automatically excludes IP addresses used by the gateway FTP server and so forth specified with the dhcp server forbi...

Страница 447: ...DHCP server The DHCP server provides the domain name suffix together with an IP address for a requesting DHCP client Follow these steps to configure a domain name suffix for the client To do Use the...

Страница 448: ...etBIOS nodes fall into the following four categories z B node Nodes of this type establish their mappings through broadcasting The character b stands for the word broadcast The source node obtains the...

Страница 449: ...nterface number all Required By default no NetBIOS node type is specified If b node is specified for the client you don t need to specify any WINS server address Configuring BIMS Server Information fo...

Страница 450: ...ig ncp ip ip address all interface interface type interface number to interface type interface number Required Not specified by default Specify the backup network calling processor dhcp server voice c...

Страница 451: ...ootfile name bootfile name all interface interface type interface number Optional Not specified by default Configuring a Self Defined DHCP Option By configuring self defined DHCP options you can z Def...

Страница 452: ...nformation to check out any DHCP unauthorized servers Follow these steps to enable unauthorized DHCP server detection To do Use the command Remarks Enter system view system view Enable the unauthorize...

Страница 453: ...t For the authentication process of the DHCP server acting as a RADIUS client refer to AAA Operation in this manual The following describes only the accounting interaction between DHCP server and RADI...

Страница 454: ...CP Server to Process Option 82 If a DHCP server is enabled to process Option 82 after the DHCP server receives packets containing Option 82 the DHCP server adds Option 82 into the responses when assig...

Страница 455: ...pe interface number all Clear the statistics on a DHCP server reset dhcp server statistics Available in user view Executing the save command will not save the lease information on a DHCP server to the...

Страница 456: ...s for example gateway also are based on the configuration of the parent address pool For example in the network to which VLAN interface 1 is connected if multiple clients apply for IP addresses the ch...

Страница 457: ...p server ip pool 1 SwitchA dhcp pool 1 network 10 1 1 0 mask 255 255 255 128 SwitchA dhcp pool 1 gateway list 10 1 1 126 SwitchA dhcp pool 1 expired day 10 hour 12 SwitchA dhcp pool 1 nbns list 10 1 1...

Страница 458: ...4 Sysname vlan 2 Sysname vlan2 port ethernet 1 0 1 Sysname vlan2 quit Sysname interface vlan interface 2 Sysname Vlan interface2 ip address 10 1 1 1 255 255 255 0 Sysname Vlan interface2 quit Configur...

Страница 459: ...gram Figure 2 3 Network diagram for DHCP accounting configuration Configuration procedure Enter system view Sysname system view Create VLAN 2 Sysname vlan 2 Sysname vlan2 quit Create VLAN 3 Sysname vl...

Страница 460: ...Analysis With DHCP enabled IP address conflicts are usually caused by IP addresses that are manually configured on hosts Solution z Disconnect the DHCP client from the network and then check whether...

Страница 461: ...the packets are broadcasted in the process of obtaining IP addresses DHCP is only applicable to the situation that DHCP clients and DHCP servers are in the same network segment that is you need to de...

Страница 462: ...he DHCP message It records the location information of the DHCP client With this option the administrator can locate the DHCP client to further implement security control and accounting The Option 82...

Страница 463: ...cket with its own or leaves the original Option 82 unchanged in the packet and forwards the packet if not discarded to the DHCP server z If the request packet does not contain Option 82 the DHCP relay...

Страница 464: ...m view Enable DHCP dhcp enable Required Enabled by default Correlating a DHCP Server Group with a Relay Agent Interface To enhance reliability you can set multiple DHCP servers on the same network The...

Страница 465: ...re the group number specified in the dhcp server groupNo command in VLAN interface view by using the command dhcp server groupNo ip ip address 1 8 in advance Configuring DHCP Relay Agent Security Func...

Страница 466: ...gh unicast when the DHCP clients release IP addresses the user address entries maintained by the DHCP cannot be updated in time You can solve this problem by enabling the DHCP relay agent handshake fu...

Страница 467: ...view system view Enable unauthorized DHCP server detection dhcp server detect Required Disabled by default With the unauthorized DHCP server detection enabled the relay agent will log all DHCP server...

Страница 468: ...y Agent Configuration To do Use the command Remarks Display the information about a specified DHCP server group display dhcp server groupNo Display the information about the DHCP server group to which...

Страница 469: ...configurations on the DHCP server to enable the DHCP clients to obtain IP addresses from the DHCP server The DHCP server configurations vary with different DHCP server devices so the configurations ar...

Страница 470: ...e DHCP server z Check the DHCP relay agent Check if the correct DHCP server group is configured on the interface connecting the network segment where the DHCP client resides Check if the IP address of...

Страница 471: ...network layer z Switches can track DHCP clients IP addresses through the DHCP snooping function at the data link layer When an unauthorized DHCP server exists in the network a DHCP client may obtains...

Страница 472: ...as follows z sub option 1 circuit ID sub option Padded with the port index smaller than the physical port number by 1 and VLAN ID of the port that received the client s request z sub option 2 remote...

Страница 473: ...est containing Option 82 it will handle the packet according to the handling policy and the configured contents in sub options For details see Table 4 1 Table 4 1 Ways of handling a DHCP packet with O...

Страница 474: ...or will directly forward the packet if the packet does not contain the Option 82 field Introduction to IP Filtering A denial of service DoS attack means an attempt of an attacker sending a large numb...

Страница 475: ...e IP static binding table or IP to MAC mappings of authenticated 802 1x clients according to actual network requirements The switch can filter IP packets in the following modes z Filtering packets bas...

Страница 476: ...ve Q in Q function on the switch which may result in the DHCP snooping to function abnormally Configuring DHCP Snooping to Support Option 82 Enable DHCP snooping and specify trusted ports on the switc...

Страница 477: ...iguration overrides the globally configured handling policy for requests received on this port while the globally configured handling policy applies on those ports where a handling policy is not nativ...

Страница 478: ...igured on the primary port z The circuit ID sub option configured on a port will neither be synchronized in the case of port aggregation nor support XRN Configuring the remote ID sub option You can co...

Страница 479: ...m other VLANs z In a port aggregation group you can use this command to configure the primary and member ports respectively When Option 82 is added however the remote ID is subject to the one configur...

Страница 480: ...clients can be updated for corresponding IP to MAC entries you are recommended to enable 802 1x authentication handshake function otherwise you need to disable 802 1x authentication triggered by DHCP...

Страница 481: ...ly connected to Client A Client B and Client C z Enable DHCP snooping on the switch z Specify Ethernet 1 0 5 on the switch as a trusted port for DHCP snooping z Enable DHCP snooping Option 82 support...

Страница 482: ...he DHCP server and Ethernet 1 0 2 is connected to Host A The IP address and MAC address of Host A are 1 1 1 1 and 0001 0001 0001 respectively Ethernet 1 0 3 and Ethernet 1 0 4 are connected to DHCP Cl...

Страница 483: ...0 2 Switch Ethernet1 0 2 ip check source ip address mac address Switch Ethernet1 0 2 quit Switch interface ethernet 1 0 3 Switch Ethernet1 0 3 ip check source ip address mac address Switch Ethernet1 0...

Страница 484: ...us impact on the device CPU For details about ARP packet rate limit refer to ARP Operation in this manual The following describes only the DHCP packet rate limit function After DHCP packet rate limit...

Страница 485: ...t state auto recovery function is disabled Set the port state auto recovery interval dhcp protective down recover interval interval Optional The port state auto recovery interval is 300 seconds z Enab...

Страница 486: ...witch Networking diagram Figure 5 1 Network diagram for DHCP packet rate limit configuration Configuration procedure Enable DHCP snooping on the switch Switch system view Switch dhcp snooping Specify...

Страница 487: ...5 4 Sysname Ethernet1 0 11 dhcp rate limit 100...

Страница 488: ...pecify an interface as a Bootstrap Protocol BOOTP client the interface can use BOOTP to get information such as IP address from the BOOTP server which simplifies your configuration Before using BOOTP...

Страница 489: ...ailed information about the default route run the display ip routing table command on the switch z If a switch belongs to an XRN fabric you need to enable the UDP Helper function on the switch before...

Страница 490: ...ment Switch B s port belonging to VLAN1 is connected to the LAN VLAN interface 1 obtains an IP address from the DHCP server by using BOOTP Network diagram See Figure 2 1 Configuration procedure The fo...

Страница 491: ...pplying ACL Rules on Ports 1 10 Applying ACL Rules to Ports in a VLAN 1 10 Displaying and Maintaining ACL Configuration 1 11 Examples for Upper layer Software Referencing ACLs 1 11 Example for Control...

Страница 492: ...port numbers carried in the packets According to their application purposes ACLs fall into the following four types z Basic ACL Rules are created based on source IP addresses only z Advanced ACL Rule...

Страница 493: ...dence fragment Comparison rules are listed below z The smaller the weighting value left which is a fixed weighting value minus the weighting value of every parameter of the rule the higher the match p...

Страница 494: ...ftware for packet filtering ACL Configuration Task List Complete the following tasks to configure ACL Task Remarks Configuring Time Range Optional Configuring Basic ACL Required Configuring Advanced A...

Страница 495: ...ange is active only when the system time is within one of the absolute time sections z If both a periodic time section and an absolute time section are defined in a time range the time range is active...

Страница 496: ...tion about rule string refer to ACL Command Configure a description string to the ACL description text Optional Not configured by default Note that z With the config match order specified for the basi...

Страница 497: ...Using advanced ACLs you can define classification rules that are more accurate more abundant and more flexible than those defined for basic ACLs Configuration prerequisites z To configure a time range...

Страница 498: ...ced from the network 129 9 0 0 16 and destined for the network 202 38 160 0 24 and with the destination port number being 80 Sysname system view Sysname acl number 3000 Sysname acl adv 3000 rule permi...

Страница 499: ...ication or creation will fail and the system prompts that the rule already exists Configuration example Configure ACL 4000 to deny packets sourced from the MAC address 000d 88f5 97ed destined for the...

Страница 500: ...you modify the rule string rule mask offset combinations however the new combinations will replace all of the original ones z If you do not specify the rule id argument when creating an ACL rule the...

Страница 501: ...L Commands Configuration example Apply ACL 2000 on Ethernet 1 0 1 to filter inbound packets Sysname system view Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 packet filter inbound ip group 20...

Страница 502: ...the command Remarks Display a configured ACL or all the ACLs display acl all acl number Display a time range or all the time ranges display time range all time name Display information about packet f...

Страница 503: ...through HTTP Network diagram Figure 1 2 Network diagram for controlling Web login users by source IP Switch PC 10 110 100 46 Internet Configuration procedure Define ACL 2001 Sysname system view Sysnam...

Страница 504: ...Sysname acl basic 2000 quit Apply ACL 2000 on Ethernet 1 0 1 Sysname interface Ethernet1 0 1 Sysname Ethernet1 0 1 packet filter inbound ip group 2000 Advanced ACL Configuration Example Network requi...

Страница 505: ...011 0011 Apply an ACL to filter packets with the source MAC address of 0011 0011 0011 and the destination MAC address of 0011 0011 0012 from 8 00 to 18 00 everyday Network diagram Figure 1 5 Network d...

Страница 506: ...192 168 0 1 from 8 00 to 18 00 everyday provided that VLAN VPN is not enabled on any port In the ACL rule 0806 is the ARP protocol number ffff is the mask of the rule 16 is the protocol type field of...

Страница 507: ...ime range that is active from 8 00 to 18 00 in working days Sysname system view Sysname time range test 8 00 to 18 00 working day Define an ACL to deny packets destined for the database server Sysname...

Страница 508: ...nce 1 12 Traffic mirroring 1 13 QoS Configuration 1 13 Configuring Priority Trust Mode 1 13 Configuring the Mapping between 802 1p Priority and Local Precedence 1 14 Setting the Priority of Protocol P...

Страница 509: ...urces of the network Network resources available to the packets completely depend on the time they arrive This service policy is known as Best effort which delivers the packets to their destination wi...

Страница 510: ...onfines traffic to a specific specification and is usually applied in the inbound direction of a port You can configure restriction or penalty measures against the exceeding traffic to protect carrier...

Страница 511: ...series z Priority trust mode z Protocol packet priority z Line rate z For information about priority trust mode refer to Priority Trust Mode z For information about specifying priority for protocol pa...

Страница 512: ...icate ToS precedence in the range of 0 to 15 z In RFC2474 the ToS field in IP packet header is also known as DS field The first six bits bit 0 through bit 5 of the DS field indicate differentiated ser...

Страница 513: ...s a special class without any assurance in the CS class The AF class can be degraded to the BE class if it exceeds the limit Current IP network traffic belongs to this class by default Table 1 3 Descr...

Страница 514: ...1p priority also known as CoS precedence which ranges from 0 to 7 Table 1 4 Description on 802 1p priority 802 1p priority decimal 802 1p priority binary Description 0 000 best effort 1 001 backgroun...

Страница 515: ...is 0 z Trusting port priority In this mode the switch replaces the 802 1p priority of the received packet with the port priority searches for the local precedence corresponding to the port priority o...

Страница 516: ...ted resources during a time period to avoid network congestion caused by excessive bursts Traffic policing is a kind of traffic control policy used to limit the traffic and the resource occupied by su...

Страница 517: ...riority of the packets Traffic policing is widely used in policing the traffic into the network of internet service providers ISPs Traffic policing can identify the policed traffic and perform pre def...

Страница 518: ...3 queue2 queue1 and queue0 Their priorities decrease in order In queue scheduling SP sends packets in the queue with higher priority strictly following the priority order from high to low When the que...

Страница 519: ...WFQ can classify the traffic automatically according to the session information of traffic including the protocol types source and destination TCP or UDP port numbers source and destination IP address...

Страница 520: ...f a queue is empty the next queue will be scheduled In this way the bandwidth resources are made full use Congestion Avoidance Congestion may cause network resource unavailable and thus need to be pre...

Страница 521: ...different rates in any case and the link bandwidth can be fully utilized Traffic mirroring Traffic mirroring identifies traffic using ACLs and duplicates the matched packets to the destination mirrori...

Страница 522: ...on Ethernet 1 0 1 and set the priority of Ethernet 1 0 1 to 7 Configuration procedure Sysname system view Sysname interface Ethernet1 0 1 Sysname Ethernet1 0 1 priority 7 z Configure to trust packet p...

Страница 523: ...edence map 2 3 4 1 7 0 5 6 Sysname display qos cos local precedence map cos local precedence map cos 802 1p 0 1 2 3 4 5 6 7 local precedence queue 2 3 4 1 7 0 5 6 Setting the Priority of Protocol Pack...

Страница 524: ...precedence of the packets Configuration prerequisites The following items are defined or determined before the configuration z The ACL rules used for traffic classification have been specified Refer t...

Страница 525: ...ce Ethernet1 0 1 Sysname Ethernet1 0 1 traffic priority inbound ip group 2000 dscp 56 2 Method II Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1 0 0 0 0 2...

Страница 526: ...network segment setting the rate to 128 kbps z Mark the DSCP precedence as 56 for the inbound packets exceeding the rate limit Configuration procedure Sysname system view Sysname acl number 2000 Sysna...

Страница 527: ...equisites z The ACL rules used for traffic classification have been defined Refer to the ACL module of this manual for information about defining ACL rules z The ports on which the configuration is to...

Страница 528: ...ueue0 weight queue1 weight queue2 weight queue3 weight queue4 weight queue5 weight queue6 weight queue7 weight Required By default the queue scheduling algorithm adopted on all the ports is WRR The de...

Страница 529: ...weight or bandwidth value takes effect only on the port z The display queue scheduler command cannot display the queue weight or bandwidth value specified in Ethernet port view Configuration example...

Страница 530: ...ined Refer to the ACL module of this manual for information about defining ACL rules z The source mirroring ports and mirroring direction have been determined z The destination mirroring port has been...

Страница 531: ...command Remarks Display the mapping between 802 1p priority and local precedence display qos cos local precedence map Display the priority marking configuration display qos interface interface type i...

Страница 532: ...op the packets exceeding the rate limit Network diagram Figure 1 9 Network diagram for traffic policing and rate limiting configuration Configuration procedure 1 Define an ACL for traffic classificati...

Страница 533: ...twork diagram Figure 1 10 Network diagram for priority marking and queue scheduling configuration PC 3 PC 2 PC 1 Switch Eth1 0 1 Server 1 192 168 0 1 PC 6 Eth1 0 2 Server 2 192 168 0 2 Server 3 192 16...

Страница 534: ...etwork VLANs z Switch A provides network access for terminal devices in VLAN 100 and VLAN 200 through Ethernet 1 0 11 and Ethernet 1 0 12 On the other side of the public network Switch B provides netw...

Страница 535: ...Ethernet1 0 12 port trunk pvid vlan 200 SwitchA Ethernet1 0 12 port trunk permit vlan 200 600 SwitchA Ethernet1 0 12 quit Configure Ethernet 1 0 10 of Switch A as a trunk port and assign it to VLAN 10...

Страница 536: ...c remark vlanid inbound link group 4001 remark vlan 600 SwitchA Ethernet1 0 12 quit Configure VLAN mapping on Ethernet 1 0 10 to replace VLAN tag 500 with VLAN tag 100 and replace VLAN tag 600 with VL...

Страница 537: ...roring 1 2 Traffic Mirroring 1 3 Mirroring Configuration 1 3 Configuring Local Port Mirroring 1 4 Configuring Remote Port Mirroring 1 4 Displaying and Maintaining Port Mirroring 1 7 Mirroring Configur...

Страница 538: ...e mirroring port or monitored port and the port to which duplicated packets are sent is called the destination mirroring port or the monitor port as shown in the following figure Figure 1 1 Mirroring...

Страница 539: ...switch through the remote probe VLAN z Intermediate switch Intermediate switches are switches between the source switch and destination switch on the network An intermediate switch forwards mirrored t...

Страница 540: ...3 interface for the remote probe VLAN run other protocol packets or carry other service packets on the remote prove VLAN and do not use the remote prove VLAN as the voice VLAN and protocol VLAN otherw...

Страница 541: ...system view or you can configure the source port in specific port view The configurations in the two views have the same effect In system view mirroring group group id monitor port monitor port id int...

Страница 542: ...uired By default the port type is Access Configure the trunk port to permit packets from the remote probe VLAN port trunk permit vlan remote probe vlan id Required Return to system view quit Create a...

Страница 543: ...h To do Use the command Remarks Enter system view system view Create a VLAN and enter VLAN view vlan vlan id vlan id is the ID of the remote probe VLAN Configure the current VLAN as the remote probe V...

Страница 544: ...monitor port monitor port Required Configure the remote probe VLAN for the remote destination mirroring group mirroring group group id remote probe vlan remote probe vlan id Required When configuring...

Страница 545: ...t mirroring function to meet the requirement Perform the following configurations on Switch C z Configure Ethernet 1 0 1 and Ethernet 1 0 2 as mirroring source ports z Configure Ethernet 1 0 3 as the...

Страница 546: ...or the packets sent from Department 1 and 2 through the data detection device Use the remote port mirroring function to meet the requirement Perform the following configurations z Use Switch A as the...

Страница 547: ...trunk Sysname Ethernet1 0 3 port trunk permit vlan 10 Sysname Ethernet1 0 3 quit Display configuration information about remote source mirroring group 1 Sysname display mirroring group 1 mirroring gro...

Страница 548: ...group 1 monitor port Ethernet 1 0 2 Sysname mirroring group 1 remote probe vlan 10 Configure Ethernet 1 0 1 as the trunk port allowing packets of VLAN 10 to pass Sysname interface Ethernet 1 0 1 Sysna...

Страница 549: ...ng the Fabric Port of a Switch 1 5 Specifying the VLAN Used to Form an XRN Fabric 1 6 Setting a Unit ID for a Switch 1 7 Assigning a Unit Name to a Switch 1 8 Assigning an XRN Fabric Name to a Switch...

Страница 550: ...an XRN fabric An XRN fabric typically has a bus topology structure As shown in Figure 1 1 each switch has two ports connected with two other switches in the fabric but the switches at both ends of the...

Страница 551: ...one group of ports can be configured as fabric ports at a time Given a group either GigabitEthernet 1 0 25 49 or GigabitEthernet 1 0 27 51 can be configured as the left fabric port and either Gigabit...

Страница 552: ...fabric ports of the same device that is the right port and the left port are connected Pull out one end of the cable and connect it to a fabric port of another switch The left and right fabric ports o...

Страница 553: ...XRN function each device considers its Unit ID as 1 and after a fabric connection is established the FTM program automatically re numbers the devices or you can manually configure the Unit ID of them...

Страница 554: ...these steps to specify a fabric port To do Use the command Remarks Enter system view system view Specify the fabric port of a switch fabric port interface type interface number enable Required Not spe...

Страница 555: ...re an XRN fabric as a DHCP relay or DHCP client configure the UDP Helper function in the fabric at the same time to ensure that the client can successfully obtain an IP address Since this configuratio...

Страница 556: ...hange the unit ID of the local switch After an XRN fabric is established you can use the following command to change the unit IDs of the switches in the XRN fabric Follow these steps to set a unit ID...

Страница 557: ...Follow these steps to save the unit ID of each unit in the XRN fabric To do Use the command Remarks Save the unit ID of each unit in the XRN fabric fabric save unit id Optional Assigning a Unit Name...

Страница 558: ...ic system does not perform your configuration properly In this case you need to verify your previous configuration or perform your configuration again Displaying and Maintaining XRN Fabric To do Use t...

Страница 559: ...gure Switch B Configure fabric ports Sysname system view Sysname fabric port GigabitEthernet1 0 25 enable Sysname fabric port GigabitEthernet1 0 26 enable Set the unit ID to 2 Sysname change unit id 1...

Страница 560: ...mode simple welcome 4 Configure Switch D Configure fabric ports Sysname system view Sysname fabric port GigabitEthernet1 0 26 enable Set the unit ID to 4 Sysname change unit id 1 to 4 Configure the u...

Страница 561: ...ent Device 1 9 Configuring Member Devices 1 14 Managing a Cluster through the Management Device 1 16 Configuring the Enhanced Cluster Features 1 17 Displaying and Maintaining Cluster Configuration 1 1...

Страница 562: ...hrough Huawei Group Management Protocol HGMP HGMP version 2 HGMPv2 is used at present A switch in a cluster plays one of the following three roles z Management device z Member device z Candidate devic...

Страница 563: ...very and display function which assists in monitoring and maintaining the network z It allows you to configure and upgrade multiple switches at the same time z It enables you to manage your remotely d...

Страница 564: ...of a cluster z Discovers the information about its neighbors processes the commands forwarded by the management device and reports log The member devices of a luster are under the management of the m...

Страница 565: ...cluster is established z All devices use NDP to collect the information about their neighbors including software version host name MAC address and port name z The management device uses NTDP to collec...

Страница 566: ...cally You can also launch an operation of topology information collection by executing related commands The process of topology information collection is as follows z The management device sends NTDP...

Страница 567: ...formation for you to establish the cluster z By collecting NDP NTDP information the management device learns network topology so as to manage and monitor network devices z Before performing any cluste...

Страница 568: ...ithin the information holdtime it changes the state of the member device to Active otherwise it changes the state of the member device in Connect state to Disconnect in which case the management devic...

Страница 569: ...re is only one network management interface on a management device any newly configured network management interface will overwrite the old one Tracing a device in a cluster In practice you need to im...

Страница 570: ...ess entry corresponding to the IP address does not exist the trace of the device fails z To trace a specific device using the tracemac command make sure that all the devices passed support the tracema...

Страница 571: ...is closed On the management device the preceding functions are implemented as follows z When you create a cluster by using the build or auto build command UDP port 40000 is opened at the same time z...

Страница 572: ...red Enabled by default Configuring NTDP related parameters Follow these steps to configure NTDP related parameters To do Use the command Remarks Enter system view system view Configure the range to co...

Страница 573: ...red By default VLAN 1 is used as the management VLAN Enter cluster view cluster Configure a IP address pool for the cluster ip pool administrator ip address ip mask ip mask length Required Build a clu...

Страница 574: ...To do Use the command Remarks Enter system view system view Enter cluster view cluster Required Configure a shared FTP server for the cluster ftp server ip address Optional By default the management d...

Страница 575: ...Vlan interface vlan id Required By default the management VLAN interface is used as the NM interface Configuring Member Devices Member device configuration task list Complete the following tasks to c...

Страница 576: ...e device s UDP port 40000 is opened at the same time z When you execute the delete member command on the management device to remove a member device from a cluster the member device s UDP port 40000 i...

Страница 577: ...r of the cluster tftp cluster get source file destination file Optional Available in user view Upload a file to the shared TFTP server of the cluster tftp cluster put source file destination file Opti...

Страница 578: ...evice When errors occur to the cluster topology you can replace the current topology with the standard cluster topology and restore the administrative device using the backup topology on the Flash mem...

Страница 579: ...dard topology topology accept all save to local flash mac address mac address member id member id administrator Required Save the standard topology to the Flash memory of the administrative device top...

Страница 580: ...t delete member member id to black list Optional Displays the information about the devices in the cluster blacklist display cluster black list Optional This command can be executed in any view Displa...

Страница 581: ...ter where z A Switch 4500 series switch serves as the management device z The rest are member devices Serving as the management device the Switch 4500 switch manages the two member devices The configu...

Страница 582: ...ysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 ndp enable Sysname Ethernet1 0 1 quit Enable NTDP globally and on Ethernet 1 0 1 Sysname ntdp enable Sysname interface Ethernet 1 0 1 Sysname Ethe...

Страница 583: ...ace Ethernet 1 0 2 Sysname Ethernet1 0 2 ntdp enable Sysname Ethernet1 0 2 quit Sysname interface Ethernet 1 0 3 Sysname Ethernet1 0 3 ntdp enable Sysname Ethernet1 0 3 quit Set the topology collectio...

Страница 584: ...agement device to the cluster perform the following operations on a member device Connect the member device to the remote shared FTP server of the cluster aaa_1 Sysname ftp cluster Download the file n...

Страница 585: ...4 Ethernet 1 0 2 Network diagram Figure 1 5 Network diagram for network management interface configuration FTP Server Switch A Switch C Vlan interface3 192 168 5 30 Eth1 0 1 Vlan interface 2 192 168 4...

Страница 586: ...p pool 192 168 5 1 255 255 255 224 Name and build the cluster Sysname cluster build aaa aaa_0 Sysname cluster Configure VLAN interface 2 as the network management interface aaa_0 Sysname cluster aaa_0...

Страница 587: ...gement device Member device Member device Member device 1 Configuration procedure Enter cluster view aaa_0 Sysname system view aaa_0 Sysname cluster Add the MAC address 0001 2034 a0e5 to the cluster b...

Страница 588: ...ility Detection Function 1 5 Configuring a PD Disconnection Detection Mode 1 5 Configuring PoE Over Temperature Protection on the Switch 1 5 Upgrading the PSE Processing Software Online 1 6 Upgrading...

Страница 589: ...rtable devices card readers network cameras and data collection system PoE components PoE consists of three components power sourcing equipment PSE PD and power interface PI z PSE PSE is comprised of...

Страница 590: ...nism Using this mechanism the switch disables the PoE feature on all ports when its internal temperature exceeds 65 C 149 F for self protection and restores the PoE feature on all its ports when the t...

Страница 591: ...Maximum Output Power on a Port The maximum power that can be supplied by each Ethernet electrical port of a PoE capable Switch 4500 to its PD is 15 400 mW In practice you can set the maximum power on...

Страница 592: ...he PoE feature is enabled on the port perform the following configuration to set the PoE management mode and PoE priority of a port Follow these steps to set the PoE management mode and PoE priority o...

Страница 593: ...ection mode Follow these steps to configure a PD disconnection detection mode To do Use the command Remarks Enter system view system view Configure a PD disconnection detection mode poe disconnect ac...

Страница 594: ...aged that is no PoE command can be executed successfully use the full update mode to upgrade and thus restore the software z The refresh update mode is to upgrade the original processing software in t...

Страница 595: ...ay poe powersupply Display the status enabled disabled of the PoE over temperature protection feature on the switch display poe temperature protection Available in any view PoE Configuration Example P...

Страница 596: ...wer of Ethernet 1 0 2 to 2500 mW SwitchA interface Ethernet 1 0 2 SwitchA Ethernet1 0 2 poe enable SwitchA Ethernet1 0 2 poe max power 2500 SwitchA Ethernet1 0 2 quit Enable the PoE feature on Etherne...

Страница 597: ...e PoE features Features of PoE profile z Various PoE profiles can be created PoE policy configurations applicable to different user groups are stored in the corresponding PoE profiles These PoE profil...

Страница 598: ...ch 4500 according to the following rules z When the apply poe profile command is used to apply a PoE profile to a port the PoE profile is applied successfully only if one PoE feature in the PoE profil...

Страница 599: ...s of group A who have the following requirements z The PoE function can be enabled on all ports in use z Signal mode is used to supply power z The PoE priority for Ethernet 1 0 1 through Ethernet 1 0...

Страница 600: ...Profile1 poe enable SwitchA poe profile Profile1 poe mode signal SwitchA poe profile Profile1 poe priority critical SwitchA poe profile Profile1 poe max power 3000 SwitchA poe profile Profile1 quit D...

Страница 601: ...or Profile2 SwitchA display poe profile name Profile2 Poe profile Profile2 2 action poe enable poe priority high Apply the configured Profile 1 to Ethernet 1 0 1 through Ethernet 1 0 5 ports SwitchA a...

Страница 602: ...1 UDP Helper Configuration 1 1 Introduction to UDP Helper 1 1 Configuring UDP Helper 1 2 Displaying and Maintaining UDP Helper 1 2 UDP Helper Configuration Example 1 3 Cross Network Computer Search Th...

Страница 603: ...rver With UDP Helper enabled the device decides whether to forward a received UDP broadcast packet according to the UDP destination port number of the packet z If the destination port number of the pa...

Страница 604: ...tch UDP broadcasts otherwise the configuration fails When the UDP helper function is disabled all configured UDP ports are disabled including the default ports z The dns netbios ds netbios ns tacacs t...

Страница 605: ...an find PC B through computer search Broadcasts with UDP port 137 are used for searching Network diagram Figure 1 1 Network diagram for UDP Helper configuration Configuration procedure Enable UDP Help...

Страница 606: ...tions 1 4 Configuring Basic Trap Functions 1 4 Configuring Extended Trap Function 1 5 Enabling Logging for Network Management 1 5 Displaying SNMP 1 6 SNMP Configuration Example 1 6 SNMP Configuration...

Страница 607: ...ient program At present the commonly used network management platforms include QuidView Sun NetManager IBM NetView and so on z Agent is server side software running on network devices such as switches...

Страница 608: ...efined by the standard variables of the monitored network devices In the above figure the managed object B can be uniquely identified by a string of numbers 1 2 1 1 The number string is the object ide...

Страница 609: ...engine ID snmp agent local engineid engineid Optional By default the device engine ID is enterprise number device information Create Update the view information snmp agent mib view included excluded v...

Страница 610: ...ib view included excluded view name oid tree mask mask value Optional By default the view name is ViewDefault and OID is 1 A Switch 4500 provides the following functions to prevent attacks through unu...

Страница 611: ...old the traps to be sent to the destination host snmp agent trap queue size size Optional The default is 100 Set the aging time for traps snmp agent trap life seconds Optional 120 seconds by default C...

Страница 612: ...Remarks Display the SNMP information about the current device display snmp agent sys info contact location version Display SNMP packet statistics display snmp agent statistics Display the engine ID o...

Страница 613: ...entication and encryption z authentication protocol to HMAC MD5 z authentication password to passmd5 z encryption protocol to DES z encryption password to cfb128cfb128 Sysname snmp agent group v3 mana...

Страница 614: ...00 params securityname public Configuring the NMS Authentication related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully For more inf...

Страница 615: ...actory means of monitoring remote subnets z With RMON implemented the communication traffic between NMS and SNMP agents can be reduced thus facilitating the management of large scale internetworks Wor...

Страница 616: ...alarm variables periodically z Comparing the samples with the threshold and triggering the corresponding events if the former exceed the latter Extended alarm group With extended alarm entry you can...

Страница 617: ...event event entry description string log trap trap community log trap log trapcommunity none owner text Optional Add an alarm entry rmon alarm entry number alarm variable sampling time delta absolute...

Страница 618: ...mation display rmon prialarm prialarm entry number Display RMON events display rmon event event entry Display RMON event logs display rmon eventlog event entry Available in any view RMON Configuration...

Страница 619: ...ratio between samples reaches the rising threshold of 50 event 1 is triggered when the change ratio drops under the falling threshold event 2 is triggered Sysname rmon prialarm 2 1 3 6 1 2 1 16 1 1 1...

Страница 620: ...10 Configuration Procedure 1 10 Configuring NTP Authentication 1 11 Configuration Prerequisites 1 11 Configuration Procedure 1 12 Configuring Optional NTP Parameters 1 13 Configuring an Interface on...

Страница 621: ...hronize or be synchronized by other systems by exchanging NTP messages Applications of NTP As setting the system time manually in a network with many devices leads to a lot of workload and cannot ensu...

Страница 622: ...et as a reference clock It can serve as a reference clock source to synchronize the clock of other devices only after it is synchronized Implementation Principle of NTP Figure 1 1 shows the implementa...

Страница 623: ...he NTP message leaves Device B Device B inserts its own timestamp 11 00 02 am T3 into the packet z When Device A receives the NTP message the local time of Device A is 10 00 03am T4 At this time Devic...

Страница 624: ...y In peer mode both sides can be synchronized to each other Response packet In the symmetric peer mode the local S4500 Ethernet switch serves as the symmetric active peer and sends clock synchronizati...

Страница 625: ...00 switch and the local switch serves as the symmetric active peer Broadcast mode z Configure the local S4500 Ethernet switch to work in NTP broadcast server mode In this mode the local switch broadca...

Страница 626: ...nfigure NTP Task Remarks Configuring NTP Implementation Modes Required Configuring Access Control Right Optional Configuring NTP Authentication Optional Configuring Optional NTP Parameters Optional Di...

Страница 627: ...p or server name serves as the NTP server and the local switch serves as the NTP client The clock of the NTP client will be synchronized by but will not synchronize that of the NTP server z remote ip...

Страница 628: ...ages through the source interface keyword the source IP address of the NTP message will be configured as the IP address of the specified interface z Typically the clock of at least one of the symmetri...

Страница 629: ...server periodically sends NTP multicast messages to multicast clients The switches working in the NTP multicast client mode will respond to the NTP messages so as to start the clock synchronization z...

Страница 630: ...right permits the peer device to perform synchronization and control query to the local switch but does not permit the local switch to synchronize its clock to the peer device z peer Peer access This...

Страница 631: ...Configuring NTP authentication on the client z Configuring NTP authentication on the server Observe the following principles when configuring NTP authentication z If the NTP authentication function i...

Страница 632: ...respo nding NTP server Configure on the symmetric active peer in the symmetric peer mode ntp service unicast peer remote ip peer name authentication keyid key id Required For the client in the NTP bro...

Страница 633: ...hile configuring NTP mode You can also use this command to associate them after configuring the NTP mode The procedure for configuring NTP authentication on the server is the same as that on the clien...

Страница 634: ...associations will be created at the symmetric active peer side and dynamic associations will be created at the symmetric passive peer side In the broadcast or multicast mode static associations will...

Страница 635: ...automatically work in the server mode Network diagram Figure 1 6 Network diagram for the NTP server client mode configuration Configuration procedure Perform the following configurations on Device B...

Страница 636: ...that Device B establishes a connection with Device A DeviceB display ntp service sessions source reference stra reach poll now offset delay disper 12345 1 0 1 11 127 127 1 0 2 1 64 1 350 1 15 1 0 0 no...

Страница 637: ...lay ntp service status Clock status synchronized Clock stratum 2 Reference clock ID 3 0 1 32 Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 18 Clock offset 0 66 ms Root d...

Страница 638: ...m view Set Device C as the broadcast server which sends broadcast messages through VLAN interface 2 DeviceC interface Vlan interface 2 DeviceC Vlan interface2 ntp service broadcast server z Configure...

Страница 639: ...ons of Device D and you can see that a connection is established between Device D and Device C DeviceD display ntp service sessions source reference stra reach poll now offset delay disper 1234 3 0 1...

Страница 640: ...ce 2 DeviceA Vlan interface2 ntp service multicast client After the above configurations Device A and Device D respectively listen to multicast messages through their own VLAN interface 2 and Device C...

Страница 641: ...es Device A as the NTP server Device B is set to work in client mode while Device A works in server mode automatically z The NTP authentication function is enabled on Device A and Device B Network dia...

Страница 642: ...status synchronized Clock stratum 3 Reference clock ID 1 0 1 11 Nominal frequence 100 0000 Hz Actual frequence 100 1000 Hz Clock precision 2 18 Clock offset 0 66 ms Root delay 27 47 ms Root dispersion...

Страница 643: ...H Client 1 13 SSH Client Configuration Task List 1 13 Configuring an SSH Client that Runs SSH Client Software 1 13 Configuring an SSH Client Assumed by an SSH2 Capable Switch 1 19 Displaying and Maint...

Страница 644: ...SSH can also provide data compression to increase transmission speed take the place of Telnet and provide a secure channel for transfers using File Transfer Protocol FTP SSH adopts the client server...

Страница 645: ...ignature is correct this means that the data originates from user 1 Both Revest Shamir Adleman Algorithm RSA and Digital Signature Algorithm DSA are asymmetric key algorithms RSA is used for data encr...

Страница 646: ...ine whether it can cooperate with the client z If the negotiation is successful the server and the client go on to the key and algorithm negotiation If not the server breaks the TCP connection All the...

Страница 647: ...y is invalid the authentication fails otherwise the server generates a digital signature to authenticate the client and then sends back a message to inform the success or failure of the authentication...

Страница 648: ...functions Configuring the SSH Server Configuring an SSH Client that Runs SSH Client Software An 3Com switch Another 3Com switch Configuring the SSH Server Configuring an SSH Client Assumed by an SSH2...

Страница 649: ...Optional If a client does not support first time authentication you need to export the server s public key and configure the key on the client Note The SSH server needs to cooperate with an SSH clien...

Страница 650: ...the interface corresponding to the IP address for the SSH server to provide SSH access services for clients In this way the SSH client accesses the SSH server only using the specified IP address This...

Страница 651: ...ey pairs To do Use the command Remarks Enter system view system view Generate an RSA key pairs public key local create rsa Required By default no key pairs are generated z The command for generating a...

Страница 652: ...server and authentication is implemented through the cooperation of the SSH server and the authentication server For AAA details refer to AAA Operation z Publickey authentication Publickey authentica...

Страница 653: ...configured on the remote server to access the network z Under the publickey authentication mode the level of commands available to a logged in SSH user can be configured using the user privilege level...

Страница 654: ...rated by the client to complete the configuration on the server but the client s public key should be transferred from the client to the server beforehand through FTP TFTP Follow these steps to config...

Страница 655: ...SSH user ssh user username assign publickey keyname Required If you issue this command multiple times the last command overrides the previous ones Exporting the Host Public Key to a File In tasks of C...

Страница 656: ...sword Configuring an SSH Client that Runs SSH Client Software Configuring an SSH Client Assumed by an SSH2 Capable Switch The authentication mode is publickey Configuring an SSH Client that Runs SSH C...

Страница 657: ...SSH connection you must select SSH z Selecting the SSH version Since the device supports only SSH2 0 now select 2 0 for the client z Specifying the private key file On the server if public key authen...

Страница 658: ...x of shown in Figure 1 4 Otherwise the process bar stops moving and the key pair generating process is stopped Figure 1 4 Generate the client keys 2 After the key pair is generated click Save public k...

Страница 659: ...e name of the file for saving the private key private in this case to save the private key Figure 1 6 Generate the client keys 4 To generate RSA public key in PKCS format run SSHKEY exe click Browse a...

Страница 660: ...ote that there must be a route available between the IP address of the server and the client Selecting a protocol for remote connection As shown in Figure 1 8 select SSH under Protocol Selecting an SS...

Страница 661: ...tion From the window shown in Figure 1 9 click Open If the connection is normal you will be prompted to enter the username and password Enter the username and password to establish an SSH connection T...

Страница 662: ...ed for publickey authentication unnecessary for password authentication Configuring whether first time authentication is supported Optional Specifying a source IP address interface for the SSH client...

Страница 663: ...first time authentication support To do Use the command Remarks Enter system view system view Disable first time authentication support undo ssh client first time Required By default the client is en...

Страница 664: ...fer_kex dh_group1 dh_exchange_group prefer_ctos_cipher 3des des aes128 prefer_stoc_cipher 3des des aes128 prefer_ctos_hmac sha1 sha1_96 md5 md5_96 prefer_stoc_hmac sha1 sha1_96 md5 md5_96 Required In...

Страница 665: ...isplay information about the peer RSA public keys display rsa peer public key brief name keyname display public key peer brief name pubkey name Generate RSA key pairs rsa local key pair create public...

Страница 666: ...e host SSH Client and the switch SSH Server for secure data exchange The host runs SSH2 0 client software Password authentication is required Network diagram Figure 1 11 Switch acts as server for loca...

Страница 667: ...ord Switch ssh user client001 authentication type password z Configure the SSH client Configure an IP address 192 168 0 2 in this case for the SSH client This IP address and that of the VLAN interface...

Страница 668: ...ion succeeds you will log in to the server 1 1 1 When Switch Acts as Server for Password and RADIUS Authentication Network requirements As shown in Figure 1 14 an SSH connection is required between th...

Страница 669: ...ration from the navigation tree In the System Configuration page click Modify of the Access Device item and then click Add to enter the Add Access Device page and perform the following configurations...

Страница 670: ...lo and specify the password z Select SSH as the service type z Specify the IP address range of the hosts to be managed Figure 1 16 Add an account for device management 2 Configure the SSH server Creat...

Страница 671: ...Switch radius rad server type extended Switch radius rad user name format without domain Switch radius rad quit Apply the scheme to the ISP domain Switch domain bbb Switch isp bbb scheme radius scheme...

Страница 672: ...ce 1 In the Host Name or IP address text box enter the IP address of the SSH server z From the category on the left pane of the window select Connection SSH The window as shown in Figure 1 18 appears...

Страница 673: ...or secure data exchange Password and HWTACACS authentication is required z The host runs SSH2 0 client software to establish a local connection with the switch z The switch cooperates with an HWTACACS...

Страница 674: ...s hwtac quit Apply the scheme to the ISP domain Switch domain bbb Switch isp bbb scheme hwtacacs scheme hwtac Switch isp bbb quit Configure an SSH user specifying the switch to perform password authen...

Страница 675: ...word Once authentication succeeds you will log in to the server The level of commands that you can access after login is authorized by the HWTACACS server For authorization configuration of the HWTACA...

Страница 676: ...nt s command privilege level to 3 Switch ui vty0 4 user privilege level 3 Switch ui vty0 4 quit Configure the authentication type of the SSH client named client 001 as publickey Switch ssh user client...

Страница 677: ...nt key pair 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 1 24 Otherwise the process bar stops moving and the key pa...

Страница 678: ...for saving the public key public in this case Figure 1 25 Generate a client key pair 3 Likewise to save the private key click Save private key A warning window pops up to prompt you whether to save t...

Страница 679: ...ation before you continue to configure the client Establish a connection with the SSH server 2 Launch PuTTY exe to enter the following interface Figure 1 27 SSH client configuration interface 1 In the...

Страница 680: ...28 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version 4 Select Connection SSH Auth The following window appears Figure 1 29 SSH client configurati...

Страница 681: ...procedure z Configure Switch B Create a VLAN interface on the switch and assign an IP address which the SSH client will use as the destination for SSH connection SwitchB system view SwitchB interface...

Страница 682: ...165 87 136 Username client001 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 The Server is not authenticated Do you continue to access it Y N y Do you want to save the server s...

Страница 683: ...nbound ssh Set the user command privilege level to 3 SwitchB ui vty0 4 user privilege level 3 SwitchB ui vty0 4 quit Specify the authentication type of user client001 as publickey SwitchB ssh user cli...

Страница 684: ...SwitchA ssh2 10 165 87 136 Username client001 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 The Server is not authenticated Do you continue to access it Y N y Do you want to sa...

Страница 685: ...public key local create rsa Set AAA authentication on user interfaces SwitchB user interface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Configure the user interfaces to support SSH SwitchB u...

Страница 686: ...ient s address in an SSH connection SwitchA system view SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 10 165 87 137 255 255 255 0 SwitchA Vlan interface1 quit Generate a RSA ke...

Страница 687: ...client 10 165 87 136 assign publickey Switch002 Establish the SSH connection to server 10 165 87 136 SwitchA ssh2 10 165 87 136 Username client001 Trying 10 165 87 136 Press CTRL K to abort Connected...

Страница 688: ...ile Operations 1 2 Flash Memory Operations 1 3 Prompt Mode Configuration 1 4 File System Configuration Examples 1 4 File Attribute Configuration 1 5 Introduction to File Attributes 1 5 Booting with th...

Страница 689: ...ry Operations Optional Prompt Mode Configuration Optional The 3com 4500 series Ethernet switches support Expandable Resilient Networking XRN and allow you to access a file on a switch in one of the fo...

Страница 690: ...Only empty directories can be deleted by using the rmdir command z In the output information of the dir all command deleted files that is those stored in the recycle bin are embraced in brackets File...

Страница 691: ...leted files whose names are the same only the latest deleted file is kept in the recycle bin and can be restored z The files which are deleted by the delete command without the unreserved keyword are...

Страница 692: ...ration Examples Display all the files in the root directory of the file system on the local unit Sysname dir all Directory of unit1 flash 1 rw 5822215 Jan 01 1970 00 07 03 test bin 2 rwh 4 Apr 01 2000...

Страница 693: ...b with both main and backup attribute File Attribute Configuration Introduction to File Attributes The following three startup files support file attribute configuration z App files An app file is an...

Страница 694: ...ttribute If you download a valid file with the same name as the deleted file to the flash memory the file will possess the main attribute After the Boot ROM of a switch is upgraded the original defaul...

Страница 695: ...enu startup bootrom access enable Optional By default the user is enabled to use the customized password to enter the BOOT menu Available in user view Display the information about the app file used a...

Страница 696: ...ric File Backup and Restoration Configuration prerequisites Before performing the following operations you must first ensure that z The relevant units support TFTP client z The TFTP server is started...

Страница 697: ...mple A Switch Operating as an FTP Server 1 9 FTP Banner Display Configuration Example 1 11 FTP Configuration A Switch Operating as an FTP Client 1 12 SFTP Configuration 1 14 SFTP Configuration A Switc...

Страница 698: ...1 1 Roles that a 3com switch 4500 acts as in FTP Item Description Remarks FTP server An Ethernet switch can operate as an FTP server to provide file transmission services for FTP clients You can log...

Страница 699: ...n FTP server Optional Disconnecting a specified user Optional Configuring the banner for an FTP server Optional FTP Configuration A Switch Operating as an FTP Server Displaying FTP server information...

Страница 700: ...will be disconnected with the FTP server due to lack of storage space on the FTP server z When you log in to a Fabric consisting of multiple switches through an FTP client after the FTP client passes...

Страница 701: ...interface and source IP address for an FTP server To do Use the command Remarks Enter system view system view Specify the source interface for an FTP server ftp server source interface interface type...

Страница 702: ...connect the user after the data transmission is completed Configuring the banner for an FTP server Displaying a banner With a banner configured on the FTP server when you access the FTP server through...

Страница 703: ...Use the command Remarks Display the information about FTP server configurations on a switch display ftp server Display the source IP address set for an FTP server display ftp server source ip Display...

Страница 704: ...ectory cdup Get the local working path on the FTP client lcd Display the working directory on the FTP server pwd Create a directory on the remote FTP server mkdir pathname Remove a directory on the re...

Страница 705: ...nterface and source IP address for a switch acting as an FTP client so that it can connect to a remote FTP server Follow these steps to specify the source interface and source IP address for an FTP cl...

Страница 706: ...switch operates as an FTP server and a remote PC as an FTP client The application switch bin of the switch is stored on the PC Upload the application to the remote switch through FTP and use the boot...

Страница 707: ...t switch through FTP Input the username switch and password hello to log in and enter FTP view C ftp 1 1 1 1 Connected to 1 1 1 1 220 FTP service ready User 1 1 1 1 none switch 331 Password required f...

Страница 708: ...is upgraded Sysname boot boot loader switch bin Sysname reboot For information about the boot boot loader command and how to specify the startup file for a switch refer to the System Maintenance and...

Страница 709: ...quired for switch Password 230 shell banner appears 230 User logged in ftp FTP Configuration A Switch Operating as an FTP Client Network requirements A switch operates as an FTP client and a remote PC...

Страница 710: ...to be uploaded you can only delete download them through the Boot ROM menu Connect to the FTP server using the ftp command in user view You need to provide the IP address of the FTP server the user n...

Страница 711: ...l SFTP Configuration A Switch Operating as an SFTP Server Enabling an SFTP server Before enabling an SFTP server you need to enable the SSH server function and specify the service type of the SSH user...

Страница 712: ...ers attempt to log in to the SFTP server or multiple connections are enabled on a client only the first user can log in to the SFTP user The subsequent connection will fail z When you upload a large f...

Страница 713: ...y on the remote SFTP server rmdir pathname Optional delete remotefile Delete a specified file remove remote file Optional Both commands have the same effect dir a l remote path Query a specified file...

Страница 714: ...s Enter system view system view Specify an interface as the source interface of the specified SFTP client sftp source interface interface type interface number Specify an IP address as the source IP a...

Страница 715: ...ication timeout time retry number and update time of the server key adopt the default values Sysname ssh user client001 authentication type password Specify the service type as SFTP Sysname ssh user c...

Страница 716: ...1 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub Received status End of file Received status Su...

Страница 717: ...lly ended Upload file pu to the server and rename it as puk and then verify the result sftp client put pu puk This operation may take a long time please wait Local file pu Remote file puk Received sta...

Страница 718: ...3com switch 4500 serving as a TFTP client downloads files from the TFTP server the seven segment digital LED on the front panel of the switch rotates clockwise and it stops rotating when the file dow...

Страница 719: ...rce file dest file Optional Upload a file to a TFTP server tftp tftp server put source file dest file Optional Enter system view system view Set the file transmission mode tftp ascii binary Optional B...

Страница 720: ...erface source IP address set for each connection That is for a connection between a TFTP client and a TFTP server if you specify the source interface source IP address only used for the connection thi...

Страница 721: ...m through the Boot ROM menu Enter system view Sysname system view Sysname Configure the IP address of a VLAN interface on the switch to be 1 1 1 1 and ensure that the port through which the switch con...

Страница 722: ...2 5 For information about the boot boot loader command and how to specify the startup file for a switch refer to the System Maintenance and Debugging module of this manual...

Страница 723: ...stem Information to the Console 1 8 Setting to Output System Information to a Monitor Terminal 1 10 Setting to Output System Information to a Log Host 1 11 Setting to Output System Information to the...

Страница 724: ...gnosing network problems The information center of the system has the following features Classification of system information The system is available with three types of information z Log information...

Страница 725: ...d output destinations Information channel number Default channel name Default output destination 0 console Console Receives log trap and debugging information 1 monitor Monitor terminal Receives log t...

Страница 726: ...le FTM Fabric topology management module FTMCMD Fabric topology management command module FTPS FTP server module HA High availability module HTTPD HTTP server module IFNET Interface management module...

Страница 727: ...tions z If the output destination is console monitor terminal logbuffer trapbuffer or SNMP the system information is in the following format timestamp sysname module level digest unitid content z The...

Страница 728: ...the time when system information is generated to allow users to check and identify system events Note that there is a space between the timestamp and sysname host name fields The time stamp has the f...

Страница 729: ...anual for details Note that there is a space between the sysname and module fields This field is a preamble used to identify a vendor It is displayed only when the output destination is log host nn Th...

Страница 730: ...on to the Trap Buffer Optional Setting to Output System Information to the Log Buffer Optional Setting to Output System Information to the SNMP NMS Optional Configuring Synchronous Information Output...

Страница 731: ...s to configure to display time stamp with the UTC time zone To do Use the command Remarks Set the time zone for the system clock timezone zone name add minus time Required By default UTC time zone is...

Страница 732: ...en configuring the system information output rules and use the debugging command to enable debugging for the corresponding modules Table 1 4 Default output rules for different output destinations LOG...

Страница 733: ...ch is a user terminal that has login connections through the AUX or VTY user interface Setting to output system information to a monitor terminal Follow these steps to set to output system information...

Страница 734: ...stem information on a monitor terminal To do Use the command Remarks Enable the debugging log trap information terminal display function terminal monitor Optional Enabled by default Enable debugging i...

Страница 735: ...nnel channel number channel name log trap debug level severity state state Optional Refer to Table 1 4 for the default output rules of system information Set the format of the time stamp to be sent to...

Страница 736: ...he command Remarks Enter system view system view Enable the information center info center enable Optional Enabled by default Enable information output to the log buffer info center logbuffer channel...

Страница 737: ...ration refer to the SNMP RMON part Displaying and Maintaining Information Center To do Use the command Remarks Display information on an information channel display channel channel number channel name...

Страница 738: ...ce default channel loghost Configure the host whose IP address is 202 38 1 10 as the log host Permit ARP and IP modules to output information with severity level higher than informational to the log h...

Страница 739: ...the following command to send a HUP signal to the system daemon syslogd so that it can reread its configuration file etc syslog conf ps ae grep syslogd 147 kill HUP 147 After all the above operations...

Страница 740: ...separator instead of a space z No space is permitted at the end of the file name z The device name facility and received log information severity specified in file etc syslog conf must be the same wit...

Страница 741: ...le log information output to the console Permit ARP and IP modules to output log information with severity level higher than informational to the console Switch info center console channel console Swi...

Страница 742: ...C time Switch clock timezone z8 add 08 00 00 Set the time stamp format of the log information to be output to the log host to date Switch system view System View return to User View with Ctrl Z Switch...

Страница 743: ...ugging Status 2 3 Displaying Operating Information about Modules in System 2 3 3 Network Connectivity Test 3 1 Network Connectivity Test 3 1 ping 3 1 tracert 3 1 4 Device Management 4 1 Introduction t...

Страница 744: ...or information you are interested in z Introduction to Loading Approaches z Local Boot ROM and Software Loading z Remote Boot ROM and Software Loading Introduction to Loading Approaches You can load s...

Страница 745: ...eation date Sep 8 2008 14 35 39 CPU Clock Speed 200MHz BUS Clock Speed 33MHz Memory Size 64MB Mac Address 00e0fc003962 Press Ctrl B to enter Boot Menu Press Ctrl B The system displays Password To ente...

Страница 746: ...iation characters to negotiate a packet checking method After the negotiation the sending program starts to transmit data packets When receiving a complete packet the receiving program checks the pack...

Страница 747: ...0 bps as the download baudrate you need not modify the HyperTerminal s baudrate and therefore you can skip Step 4 and 5 below and proceed to Step 6 directly In this case the system will not display th...

Страница 748: ...baudrate takes effect after you disconnect and reconnect the HyperTerminal program Step 6 Press Enter to start downloading the program The system displays the following information Now please start tr...

Страница 749: ...to Step 4 and 5 Then press any key as prompted The system will display the following information when it completes the loading Bootrom updating done z If the HyperTerminal s baudrate is not reset to...

Страница 750: ...the Console port of the switch and logs onto the switch through the Console port Step 1 Execute the xmodem get command in user view In this case the switch is ready to receive files Step 2 Enable the...

Страница 751: ...your choice 0 3 Step 4 Enter 1 in the above menu to download the Boot ROM using TFTP Then set the following TFTP related parameters as required Load File name Switch btm Switch IP address 1 1 1 2 Ser...

Страница 752: ...networks You can use the switch as an FTP client or a server and download software to the switch through an Ethernet port The following is an example Loading Procedure Using FTP Client z Loading Boot...

Страница 753: ...download and update the program Upon completion the system displays the following information Loading done Bootrom updating done z Loading host software Follow these steps to load the host software S...

Страница 754: ...P address is 10 1 1 1 to the switch Figure 1 8 Remote loading using FTP Client Step 1 Download the program to the switch using FTP commands Sysname ftp 10 1 1 1 Trying Press CTRL K to abort Connected...

Страница 755: ...n the Flash memory before software downloading For information about deleting files refer to File System Management part of this manual z Ensure the power supply during software loading Loading Proced...

Страница 756: ...sname ftp server enable Sysname local user test New local user added Sysname luser test password simple pass Sysname luser test service type ftp Step 4 Enable FTP client software on the PC Refer to Fi...

Страница 757: ...Enter ftp 192 168 0 28 and enter the user name test password pass as shown in Figure 1 12 to log on to the FTP server Figure 1 12 Log on to the FTP server Step 7 Use the put command to upload the file...

Страница 758: ...hat the file to be downloaded is the host software file and that you need to use the boot boot loader command to select the host software used for the next startup of the switch z The steps listed abo...

Страница 759: ...name and time range of the summer time clock summer time zone_name one off repeating start time start date end time end date offset time Optional Execute this command in user view z When the system r...

Страница 760: ...information z Screen output switch which controls whether to display the debugging information on a certain screen Figure 2 1 illustrates the relationship between the protocol debugging switch and the...

Страница 761: ...it id interface interface type interface number module name Display all enabled debugging in the Fabric by module display debugging fabric by module Available in any view Displaying Operating Informat...

Страница 762: ...cket percentage and the minimum average and maximum values of response time tracert You can use the tracert command to trace the gateways that a packet passes from the source to the destination This c...

Страница 763: ...e switches in the Fabric z Identifying and Diagnosing Pluggable Transceivers Device Management Configuration Device Management Configuration Task list Complete the following tasks to configure device...

Страница 764: ...d yyyy yyyy mm dd Optional Schedule a reboot on the switch and set the delay time for reboot schedule reboot delay hh mm mm Optional Enter system view system view Schedule a reboot on the switch and s...

Страница 765: ...Boot ROM With this command a remote user can conveniently upgrade the Boot ROM by uploading the Boot ROM to the switch through FTP and running this command The Boot ROM can be used when the switch re...

Страница 766: ...e 4 1 Table 4 1 Commonly used pluggable transceivers Transceiver type Applied environment Whether can be an optical transceiver Whether can be an electrical transceiver SFP Small Form factor Pluggable...

Страница 767: ...gital diagnosis function which enables a transceiver to monitor the main parameters such as temperature voltage laser bias current TX power and RX power When these parameters are abnormal you can take...

Страница 768: ...ration on the FTP server z Configure an FTP user whose name is switch and password is hello Authorize the user with the read write right on the directory Switch on the PC z Make configuration so that...

Страница 769: ...er none switch 331 Give me your password please Password 230 Logged in successfully ftp 5 Enter the authorized path on the FTP server ftp cd switch 6 Execute the get command to download the switch bin...

Страница 770: ...switch to upgrade the Boot ROM and host software of the switch Sysname reboot Start to check configuration with next startup configuration file please wait This command will reboot the device Current...

Страница 771: ...1 4 Configuring the Inner to Outer Tag Priority Replicating and Mapping Feature 1 5 Displaying and Maintaining VLAN VPN Configuration 1 5 VLAN VPN Configuration Example 1 6 Transmitting User Packets t...

Страница 772: ...cific ways establish dedicated tunnels for user traffic on public network devices and thus improve data security VLAN VPN feature is a simple yet flexible Layer 2 tunneling technology It tags private...

Страница 773: ...f the default VLAN When a packet reaches a VLAN VPN enabled port z If the packet already carries a VLAN tag the packet becomes a dual tagged packet z Otherwise the packet becomes a packet carrying the...

Страница 774: ...configuring inner to outer tag priority replicating or mapping for a VLAN VPN enabled port you can replicate the inner tag priority to the outer tag or assign outer tags of different priorities to pac...

Страница 775: ...view Enter Ethernet port view interface interface type interface number Enable the VLAN VPN feature on the port vlan vpn enable Required By default the VLAN VPN feature is disabled on a port Configuri...

Страница 776: ...r Enable the inner to outer tag priority replicating feature vlan vpn inner cos trust enable Enable the inner to outer tag priority mapping feature and create a priority mapping vlan vpn priority old...

Страница 777: ...tches of other vendors are used in the public network They use the TPID value 0x9200 z Employ VLAN VPN on Switch A and Switch B to enable the PC users and PC servers to communicate with each through a...

Страница 778: ...21 SwitchB Ethernet1 0 22 port link type trunk SwitchB Ethernet1 0 22 port trunk permit vlan 1040 z Do not configure VLAN 1040 as the default VLAN of Ethernet 1 0 12 of Switch A and Ethernet 1 0 22 of...

Страница 779: ...ernet1 0 22 of Switch B 4 After the packet reaches Switch B it is forwarded through Ethernet1 0 21 of Switch B As the port belongs to VLAN 1040 and is an access port the outer VLAN tag the tag of VLAN...

Страница 780: ...e flexible You can classify the terminal users on the port connecting to the access layer device according to their VLAN tags and add different outer VLAN tags to these users In the public network you...

Страница 781: ...port However the port with selective QinQ enabled can insert an outer VLAN tag other than that of the default VLAN to the packets Thus when packets are forwarded from the service provider to users th...

Страница 782: ...e Inter VLAN MAC Address Replicating Feature Optional If XRN Fabric has been enabled on a device you cannot enable the VLAN VPN feature and the selective QinQ feature on any port of the device Enablin...

Страница 783: ...tion are removed z MAC address entries obtained through the inter VLAN MAC address replicating feature cannot be removed manually To remove a MAC address entry of this kind you need to disable the int...

Страница 784: ...tive QinQ Network diagram Figure 2 3 Network diagram for selective QinQ configuration Public Network VLAN1000 VLAN1200 PC User VLAN100 108 IP Phone User VLAN200 230 Eth1 0 3 Eth1 0 5 For PC User VLAN1...

Страница 785: ...the MAC address table of the default VLAN and replicate the MAC address entries of the MAC address table of the default VLAN to the MAC address tables of the outer VLANs SwitchA Ethernet1 0 3 vid 1200...

Страница 786: ...ged After the above configuration Switch B can forward packets of VLAN 1000 and VLAN 1200 to the corresponding servers through Ethernet 1 0 12 and Ethernet 1 0 13 respectively To make the packets from...

Страница 787: ...e ping Configuration 1 1 Introduction to remote ping 1 1 remote ping Configuration 1 1 Introduction to remote ping Configuration 1 1 Configuring remote ping 1 2 Displaying remote ping Configuration 1...

Страница 788: ...lows setting the parameters of remote ping test groups and starting remote ping test operations through network management system Figure 1 1 Illustration for remote ping remote ping Configuration Intr...

Страница 789: ...group remote ping administrator name operation tag Required By default no remote ping test group is configured Configure the destination IP address of the test destination ip ip address Required By de...

Страница 790: ...strator icmp Sysname remote ping administrator icmp Specify the test type as ICMP Sysname remote ping administrator icmp test type icmp Specify the destination IP address as 1 1 1 99 Sysname remote pi...

Страница 791: ...or icmp remote ping entry admin administrator tag icmp history record Index Response Status LasrRC Time 1 1 1 0 2004 11 25 16 28 55 0 2 1 1 0 2004 11 25 16 28 55 0 3 1 1 0 2004 11 25 16 28 55 0 4 1 1...

Страница 792: ...ICMP Error Packets Sent within a Specified Time 1 13 Configuring the Hop Limit of ICMPv6 Reply Packets 1 13 Displaying and Maintaining IPv6 1 14 IPv6 Configuration Example 1 15 IPv6 Unicast Address Co...

Страница 793: ...igned by the Internet Engineering Task Force IETF as the successor to Internet Protocol Version 4 IPv4 The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from...

Страница 794: ...ateful address configuration means that a host acquires an IPv6 address and related information from the server for example DHCP server z Stateless address configuration means that the host automatica...

Страница 795: ...esses zeros in IPv6 addresses can be handled as follows z Leading zeros in each group can be removed For example the above mentioned address can be represented in shorter format as 2001 0 130F 0 0 9C0...

Страница 796: ...dress 11111111 FF00 8 Anycast address Anycast addresses are taken from unicast address space and are not syntactically distinguishable from unicast addresses Unicast address There are several forms of...

Страница 797: ...etection Each IPv6 unicast or anycast address has one corresponding solicited node address The format of a solicited node multicast address is as follows FF02 0 0 0 0 1 FFXX XXXX Where FF02 0 0 0 0 1...

Страница 798: ...e change Router solicitation RS message After started a host sends a router solicitation message to request the router for an address prefix and other configuration information for the purpose of auto...

Страница 799: ...s of node A and returns an NA message containing the link layer address of node B in the unicast mode 4 Node A acquires the link layer address of node B from the NA message After that node A and node...

Страница 800: ...Pv6 Unicast Address Allocation z RFC 1981 Path MTU Discovery for IP version 6 z RFC 2375 IPv6 Multicast Address Assignments z RFC 2460 Internet Protocol Version 6 IPv6 Specification z RFC 2461 Neighbo...

Страница 801: ...are configured manually IPv6 link local addresses can be acquired in either of the following ways z Automatic generation The device automatically generates a link local address for an interface accor...

Страница 802: ...ou first adopt the manual assignment and then the automatic generation the automatically generated link local address will not take effect and the link local address of an interface is still the manua...

Страница 803: ...m view system view Enter VLAN interface view interface interface type interface number Configure the maximum number of neighbors dynamically learned by an interface ipv6 neighbors max learning num num...

Страница 804: ...rface To do Use the command Remarks Enter system view system view Enter VLAN interface view interface interface type interface number Configure the neighbor reachable timeout time ipv6 nd nud reachabl...

Страница 805: ...in the bucket In addition you can set the update period of the token bucket namely the interval for updating the number of tokens in the token bucket to the configured capacity One token allows one I...

Страница 806: ...ighbors all dynamic static interface interface type interface number vlan vlan id count Display information about the routing table display ipv6 route table verbose Display information related to a sp...

Страница 807: ...2 ipv6 address auto link local Configure an EUI 64 address for the interface VLAN interface 2 SwitchA Vlan interface2 ipv6 address 2001 64 eui 64 Configure a global unicast address for the interface V...

Страница 808: ...2 1 FF00 1 FF02 1 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for ad...

Страница 809: ...6 Sequence 3 hop limit 255 time 60 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 4 hop limit 255 time 60 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 5 hop limit 255 time 60 ms 2001 20F...

Страница 810: ...is commonly used for testing the reachability of a host This command sends an ICMPv6 message to the destination host and records the time for the response message to be received For details about the...

Страница 811: ...s the destination host As there is no application using the UDP port the destination returns a port unreachable ICMP error message z The source receives the port unreachable ICMP error message and und...

Страница 812: ...lient application of IPv6 to set up an IPv6 Telnet connection with Device A which serves as the Telnet server If Device A again connects to Device B through Telnet the Device A is the Telnet client an...

Страница 813: ...e to the switch respectively It is required that you telnet to the telnet server from SWA and download files from the TFTP server Network diagram Figure 2 3 Network diagram for IPv6 applications SWA S...

Страница 814: ...route from SWA to SWC SWA tracert ipv6 3002 1 traceroute to 3002 1 30 hops max 60 bytes packet 1 3003 1 30 ms 0 ms 0 ms 2 3002 1 10 ms 10 ms 0 ms SWA downloads a file from TFTP server 3001 3 SWA tftp...

Страница 815: ...ther the UDP port that was included in the tracert ipv6 command is used by an application on the host If yes you need to use the tracert ipv6 command with an unreachable UDP port Unable to Run TFTP Sy...

Страница 816: ...e Limitation of Minimum Password Length 1 5 Configuring History Password Recording 1 6 Configuring a User Login Password in Interactive Mode 1 7 Configuring Login Attempt Times Limitation and Failure...

Страница 817: ...change it when logging into the device Password aging Alert before password expiration Users can set their respective alert time If a user logs into the system when the password is about to age out t...

Страница 818: ...failure processing modes By default the switch adopts the first mode but you can actually specify the processing mode as needed Allow the user to log in again without any inhibition Telnet and SSH pa...

Страница 819: ...ording the maximum number of history password records the alert time before password expiration the timeout time for password authentication the maximum number of attempts and the processing mode for...

Страница 820: ...ther the user password ages out when a user logging into the system is undergoing the password authentication This has three cases 1 The password has not expired The user logs in before the configured...

Страница 821: ...ssword does not meet the limitation it informs the user of this case and requires the user to input a new password Table 1 3 Configure the limitation of the minimum password length Operation Command D...

Страница 822: ...for each user The purpose is to inhibit the users from using one single password or using an old password for a long time to enhance the security Table 1 4 Configure history password recording Operat...

Страница 823: ...and _ The password must conform to the related configuration of password control when you set the local user password in interactive mode Table 1 6 Configure a user login password in interactive mode...

Страница 824: ...ress the blacklist will not affect the user anymore when the user logs into the switch The system administrator can perform the following operations to manually remove one or all user entries in the b...

Страница 825: ...ee categories and level 4 four categories When you set or modify a password the system will check if the password satisfies the component requirement If not an error message will occur Table 1 10 Conf...

Страница 826: ...words the settings in local user view override those in system view unless the former are not provided z For super passwords the separate settings for super password override those in system view unle...

Страница 827: ...word to 3 and the minimum number of characters in each composition type to 3 Sysname password control super composition type number 3 type length 3 Configure a super password Sysname super password le...

Страница 828: ...agement Configuration 1 1 Access Management Overview 1 1 Configuring Access Management 1 2 Access Management Configuration Examples 1 3 Access Management Configuration Example 1 3 Combining Access Man...

Страница 829: ...n Figure 1 1 Switch A is an access switch Switch B is a Layer 2 switch Figure 1 1 Typical Ethernet access networking scenario Switch A Switch B Eth1 0 1 PC1_1 PC1_2 PC1_n PC2 PC3 Internet Organization...

Страница 830: ...e access management IP address pool of the port am ip pool address list Required By default no access management IP address pool is configured Display current configuration of access management displa...

Страница 831: ...hat are not of Organization 1 PC 2 and PC 3 from accessing the external network through Ethernet 1 0 1 of Switch A Network diagram Figure 1 2 Network diagram for access management configuration Switch...

Страница 832: ...k through Ethernet 1 0 2 of Switch A z Ethernet 1 0 1 and Ethernet 1 0 2 belong to VLAN 1 The IP address of VLAN interface 1 is 202 10 20 200 24 z PCs of Organization 1 are isolated from those of Orga...

Страница 833: ...nterface Ethernet 1 0 1 Sysname Ethernet1 0 1 am ip pool 202 10 20 1 20 Add Ethernet 1 0 1 to the port isolation group Sysname Ethernet1 0 1 port isolate Sysname Ethernet1 0 1 quit Configure the acces...

Страница 834: ...g Mode 1 5 Configuring LLDPDU TLVs 1 5 Enable LLDP Polling 1 6 Configuring the Parameters Concerning LLDPDU Sending 1 7 Configuring the Encapsulation Format for LLDPDUs 1 7 Configuring CDP Compatibili...

Страница 835: ...perating mode LLDP can operate in one of the following modes z TxRx mode A port in this mode sends and receives LLDPDUs z Tx mode A port in this mode only sends LLDPDUs z Rx mode A port in this mode o...

Страница 836: ...o 65535 seconds TTLs longer than it will be rounded off to 65535 seconds TLV Types TLVs encapsulated in LLDPDUs fall into these categories basic TLV organization defined TLV and MED media endpoint dis...

Страница 837: ...ate of auto negotiation current speed and current duplex state z Power via MDI TLV which carries information about power supply capabilities z Link aggregation TLV which carries the capability and sta...

Страница 838: ...ons For detailed information about LLDP TLV refer to IEEE 802 1AB 2005 and ANSI TIA 1057 Protocols and Standards z IEEE 802 1AB 2005 Station and Media Access Control Connectivity Discovery z ANSI TIA...

Страница 839: ...ng mode To do Use the command Remarks Enter system view system view Set the initialization delay period lldp timer reinit delay value Optional 2 seconds by default Enter Ethernet interface view interf...

Страница 840: ...t If the IP address of the VLAN interface is not configured IP address 127 0 0 1 is used as the management address z To enable MED related LLDP TLV sending you need to enable LLDP MED capabilities TLV...

Страница 841: ...nal 2 seconds by default To enable local device information to be updated on neighboring devices before being aged out make sure the interval to send LLDPDUs is shorter than the TTL of the local devic...

Страница 842: ...apsulation Configuring CDP Compatibility For detailed information about voice VLAN refer to Voice VLAN Operation in this manual You need to enable CDP compatibility for your device to work with Cisco...

Страница 843: ...current port only By default CDP compatible LLDP operates in disable mode As the maximum TTL allowed by CDP is 255 seconds your TTL configuration that is the product of the TTL multiplier and the LLDP...

Страница 844: ...ghbor information interface interface type interface number brief Available in any view Display LLDP statistics display lldp statistics global interface interface type interface number Available in an...

Страница 845: ...2 SwitchA GigabitEthernet1 0 2 lldp enable SwitchA GigabitEthernet1 0 2 lldp admin status rx SwitchA GigabitEthernet1 0 2 quit 2 Configure Switch B Enable LLDP globally SwitchB system view SwitchB ll...

Страница 846: ...umber of neighbors 1 Number of MED neighbors 0 Number of CDP neighbors 0 Number of sent optional TLV 0 Number of received unknown TLV 3 Tear down the link between Switch A and Switch B and then displa...

Страница 847: ...e LLDP Configuration Example Network requirements z GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 of Switch A are each connected to a Cisco IP phone z Configure voice VLAN 2 on Switch A Enable CDP c...

Страница 848: ...Ethernet1 0 1 lldp enable SwitchA GigabitEthernet1 0 1 lldp admin status txrx SwitchA GigabitEthernet1 0 1 lldp compliance admin status cdp txrx SwitchA GigabitEthernet1 0 1 quit SwitchA interface gig...

Результаты поиска

Содержание E4500-24

Отзывы:

3Com E4500-24, Руководство по настройке CLI, Страница: 420 / 848

Результаты поиска

Содержание E4500-24

Отзывы: