3Com Switch 4500 26-Port Скачать руководство пользователя страница 385 | Manualshive

Страница: 385 / 396

background image

Setting Up the RADIUS Client

383

Windows 2000 Built-in

Client

Windows 2000 requires Service Pack 3 and the IEEE 802.1X client patch for
Windows 2000.

1

Downloaded the patches if required from:

http://www.microsoft.com/Downloads/details.aspx?displaylang=en&Famil

yID=6B78EDBE-D3CA-4880-929F-453C695B9637

2

After the updates have been installed, start the

Wireless Authentication Service

in

Component Services

on the Windows 2000 workstation (set the service to startup

type

Automatic

).

3

Open the

Network and Dial up

connections folder, right-click the desired Network

Interface and select

Properties

.

4

Select the

Authentication

tab and check

Enable Network Access Control using IEEE

802.1X

5

Set

Smart Card or Certificate

as

EAP type

and select the previously imported

certificate as shown below.

Windows XP Built-in

Client

The RADIUS client shipped with Windows XP has a security issue which affects the
port authentication operation. If the RADIUS client is configured to use EAP-MD5,
after a user logs-off, then the next user to log-on will remain authorized with the
original user’s credentials. This occurs because the Microsoft client does not
generate an EAPOL-Logoff message when the user logs-off, which leaves the port
authorized. To reduce the impact of this issue, decrease the "session-timeout"
return list attribute to force re-authentication of the port more often. Alternatively,
use a RADIUS client without this security flaw, for example the Aegis client

A patch for the Windows XP RADIUS client may be available from Microsoft since
publishing this guide.

Aegis Client Installation

The Aegis Client is a standards-based implementation of IEEE 802.1X and supports
many different encrypted algorithms such as MD5. It works on different Windows
and Linux operating systems, such as Win XP, 2000, NT, 98, ME, Mac OSX. Details
of the Aegis client can be found at

http://www.mtghouse.com

/

«
...
383
384
385
386
387
...
»

Содержание Switch 4500 26-Port

Страница 1: ...3Com Switch 4500 Family Configuration Guide Switch 4500 26 Port Switch 4500 50 Port Switch 4500 PWR 26 Port Switch 4500 PWR 50 Port www 3Com com Part No 10015033 Rev AB Published January 2007...

Страница 2: ...or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered trademarks are registered in the United States and may or may not be r...

Страница 3: ...Through a Dial up Modem 21 Command Line Interface 24 Command Line View 24 Features and Functions of Command Line 28 User Interface Configuration 30 User Interface Overview 30 User Interface Configura...

Страница 4: ...sabling the PoE Feature on a Port 74 Setting the Maximum Power Output on a Port 75 Setting Power Supply Management Mode in Overload and Port Priority 75 Setting the PoE Mode on a Port 76 Enabling Disa...

Страница 5: ...hooting IP Performance 100 6 IP ROUTING PROTOCOL OPERATION IP Routing Protocol Overview 103 103 Selecting Routes Through the Routing Table 104 Routing Management Policy 105 Static Routes 106 Configuri...

Страница 6: ...ew 153 Configuring IGMP Snooping 156 Enabling Disabling IGMP Snooping 156 Configuring Router Port Aging Time 157 Configuring Maximum Response Time 157 Configuring Aging Time of Multicast Group Member...

Страница 7: ...the Switch Security Function 184 Display and Debug RSTP 185 RSTP Configuration Example 186 11 802 1X CONFIGURATION IEEE 802 1X Overview 189 802 1X System Architecture 189 802 1X Authentication Process...

Страница 8: ...US Accounting Servers and the Related Attributes 211 Setting the RADIUS Packet Encryption Key 213 Setting Retransmission Times of RADIUS Request Packet 214 Setting the Supported Type of the RADIUS Ser...

Страница 9: ...nt of MAC Addresses Learned by a Port 241 Displaying MAC Address Table 241 MAC Address Table Management Display Example 242 Networking Requirements 242 MAC Address Table Management Configuration Examp...

Страница 10: ...ersions and Supported MIB 279 Configuring SNMP 280 Setting Community Name 281 Enabling Disabling SNMP Agent to Send Trap 281 Setting the Destination Address of Trap 282 Setting Lifetime of Trap Messag...

Страница 11: ...02 Configuration Examples 302 Configuring NTP Server Mode 302 Configuring NTP Peer Mode 303 Configuring NTP Broadcast Mode 305 Configuring NTP Multicast Mode 306 Configuring NTP Server Mode with Authe...

Страница 12: ...ce 350 Displaying all Files in Flash 350 Skipping the Current Configuration File 351 Bootrom Passwords 351 Bootrom Password Recovery 352 B RADIUS SERVER AND RADIUS CLIENT SETUP Setting Up a RADIUS Ser...

Страница 13: ...hernet configuration Network Protocol Operation Details how to configure network protocols IP Routing Protocol Operation Details how to configure routing protocols Multicast Protocol Details how to co...

Страница 14: ...s the variable part of a command text You must type a value here and press Return or Enter when you are ready to enter the command Example in the command super level a value in the range 0 to 3 must b...

Страница 15: ...3 Related Documentation The 3Com Switch 4500 Getting Started Guide provides information about installation The 3Com Switch 4500 Command Reference Guide provides all the information you need to use the...

Страница 16: ...14 ABOUT THIS GUIDE...

Страница 17: ...tropolitan area network enterprise campus networking Multicast service multicast routing and audio and video multicast service Table 3 Models in the Switch 4500 family Model Power Supply Unit PSU Numb...

Страница 18: ...Switch 4500 stacking makes use of existing Gigabit connections for interconnecting the members of the stack Figure 1 Stacking Networking Topology Product Features Table 4 lists the function features...

Страница 19: ...level user management and password protect 802 1X authentication Packet filtering Quality of Service QoS Traffic classification Bandwidth control Priority Queues of different priority on the port Mana...

Страница 20: ...18 CHAPTER 1 GETTING STARTED Databit 8 Parity check none Stopbit 1 Flow control none Terminal type VT100 Figure 3 Setting up a New Connection Figure 4 Configuring the Port for Connection...

Страница 21: ...port using the ip address command in VLAN Interface View and added the port that connects to a terminal to this VLAN using the port command in VLAN View you can Telnet this Switch and configure it 1...

Страница 22: ...et do not modify the IP address of the Switch unnecessarily for the modification might end the Telnet connection By default when a Telnet user passes the password authentication to log on to the Switc...

Страница 23: ...address of the Telnet Server If it is the hostname use the ip host command to specify 4 Enter the preset login password and you will see the prompt such 4500 If the prompt All user interfaces are use...

Страница 24: ...r AT V to verify the Modem settings The Modem configuration commands and outputs may be different according to different Modems For details refer to the User Guide of the Modem 3Com recommends that th...

Страница 25: ...Enter the preset login password on the remote terminal emulator and wait for the prompt 4500 Then you can configure and manage the Switch Enter to view online help For details of specific commands re...

Страница 26: ...mmands are classified into four levels namely visit level monitoring level system level and management level Visit level Commands in this level include network diagnosis tools such as ping and tracert...

Страница 27: ...erent command views are implemented according to different requirements They are related to one another For example after logging in to the Switch you will enter User View in which you can only use so...

Страница 28: ...vlan interface 1 in System View quit returns to System View return returns to User View Local User View Configure local user parameters 4500 luser user1 Enter local user user1 in System View quit retu...

Страница 29: ...d ACL View Define the rule of user defined ACL 4500 acl user 5000 Enter acl number 5000 in System View quit returns to System View return returns to User View QoS profile View Define QoS profile 4500...

Страница 30: ...initials in the command will be listed 4500 display ver version 5 Enter the first letters of a keyword of a command and press Tab If no other keywords begin with these letters then this unique keywor...

Страница 31: ...story command display history command Display history command by user inputting Retrieve the previous history command Up cursor key or Ctrl P Retrieve the previous history command if there is any Retr...

Страница 32: ...ort are the same port There is only the one type of AUX user interface The user interface is numbered by absolute number or relative number To number the user interface by absolute number The AUX user...

Страница 33: ...e only View By default the user interface supports Telnet and SSH protocols If the Telnet protocol is specified to ensure a successful login through Telnet you must configure the password by default I...

Страница 34: ...and Configure the transmission speed on the AUX console port speed speed_value Restore the default transmission speed on the AUX console port undo speed Table 13 Configuring the Flow Control on the AU...

Страница 35: ...Note the following points For security the undo shell command can only be used on the user interfaces other than AUX user interface You cannot use this command on the user interface through which you...

Страница 36: ...ation method to deny the access of an unauthorized user Perform the following configuration in User Interface View By default terminal authentication is not required for users logged in through the co...

Страница 37: ...cal user zbr 4500 luser zbr password simple 3Com 4500 luser zbr service type telnet 3 No authentication 4500 ui vty0 authentication mode none By default the password is required for authenticating Mod...

Страница 38: ...of level 3 and lower Setting the Command Priority The following command is used for setting the priority of a specified command in a certain view The command levels include visit monitoring system an...

Страница 39: ...ion before you use the auto execute command command and save the configuration Telnet 10 110 100 1 after the user logs in through VTY0 automatically 4500 ui vty0 auto execute command telnet 10 110 100...

Страница 40: ...ation information of the user interface display users all Display the physical attributes and some configurations of the user interface display user interface type number number summary Table 29 Displ...

Страница 41: ...ull duplex and auto auto negotiation and its speed can be set to 1000 1000Mbps and auto auto negotiation The configuration of these Ethernet ports is fundamentally the same and is described in the fol...

Страница 42: ...et Port To configure a port to send and receive data packets at the same time set it to full duplex To configure a port to either send or receive data packets set it to half duplex If the port has bee...

Страница 43: ...e Ethernet Port Ethernet ports support straight through and cross over network cables Use the following command to configure the cable type Perform the following configuration in Ethernet Port View By...

Страница 44: ...ed for connecting to both Switches and the user s computers The difference between a hybrid port and a trunk port is that a hybrid port allows the packets from multiple VLANs to be sent without tags b...

Страница 45: ...r than VLAN 1 The VLAN to which a hybrid port is added must already exist The one to which a trunk port is added cannot be VLAN 1 After adding an Ethernet port to specified VLANs the local port can fo...

Страница 46: ...r an Ethernet Port Use the following command to enable port loopback detection and set the detection interval for the external loopback condition of each port If there is a loopback port found the Swi...

Страница 47: ...n group take the port with minimum ID as the source if the copy destination is an aggregation group make the configurations of all group member ports identical with that of the source Displaying and D...

Страница 48: ...port Ethernet1 0 1 Configure the trunk port with a default VLAN ID so that When receiving packets without a VLAN Tag the port can forward them to the member ports belonging to the default VLAN When i...

Страница 49: ...Take the following steps 1 Use the display interface or display port command to check if the port is a trunk port or a hybrid port If it is neither configure it as a trunk port or a hybrid port 2 Con...

Страница 50: ...ing which port into from a certain dynamic aggregation group The operation key is a configuration set generated by LACP based on port setting speed duplex mode basic configuration and management key W...

Страница 51: ...w speed half duplex high speed half duplex low speed The system sets to inactive state the ports which connect to different peer devices from one that the active port with minimum port number connects...

Страница 52: ...riority then the selected or standby state is determined by the port priority of the system You can decide whether the port is selected or standby by setting system priority and port priority Load Sha...

Страница 53: ...ration in Ethernet Port View By default LACP is disabled at the port Note that You cannot enable LACP at a stack port mirrored port port with a static MAC address configured port with static ARP confi...

Страница 54: ...ge a dynamic or static LACP aggregation group to a manual one or a dynamic LACP aggregation group to a static one In the former case LACP shall be disabled at the member ports automatically while in t...

Страница 55: ...system ID is given priority Changing system priority may affect the priority levels of member ports and further their selected or standby state Perform the following configuration in System View By de...

Страница 56: ...splay summary information of all aggregation groups display link aggregation summary Display detailed information of a specific aggregation group display link aggregation verbose agg_id Display local...

Страница 57: ...4500 link aggregation group 1 mode static b Add Ethernet ports Ethernet1 0 1 to Ethernet1 0 3 into aggregation group 1 4500 interface ethernet1 0 1 4500 Ethernet1 0 1 port link aggregation group 1 450...

Страница 58: ...56 CHAPTER 2 PORT OPERATION...

Страница 59: ...VLANs Therefore VLAN configurations are very helpful in controlling network traffic saving device investment simplifying network management and improving security Configuring a VLAN VLAN configuration...

Страница 60: ...ame for example Vlan interface1 Interface Specifying Removing the VLAN Interface Use the following command to specify remove the VLAN interface To implement the network layer function on a VLAN interf...

Страница 61: ...erface is enabled Displaying and Debugging VLAN After the above configuration enter the display command in any view to display the running of the VLAN configuration and to verify the effect of the con...

Страница 62: ...nfigure an IP address on a VLAN interface Networking Diagram Figure 15 VLAN Configuration Example 2 Configuration Procedure 1 If the VLAN does not currently exist then create it This example uses VLAN...

Страница 63: ...guration of Voice VLAN is described in the following sections Enabling Disabling Voice VLAN Features Enabling Disabling Voice VLAN Features on a Port Voice VLAN Mode Type of IP Phone Port Mode Auto mo...

Страница 64: ...emoving the OUI Address Learned by Voice VLAN Configure OUI addresses which can be learned by Voice VLAN using the following command otherwise the system uses the default OUI addresses as the standard...

Страница 65: ...By default Voice VLAN auto mode is enabled Setting the Aging Time of Voice VLAN In auto mode using the follow command you can set the aging time of Voice VLAN After the OUI address the MAC address of...

Страница 66: ...net1 0 2 as the IP Phone access port The type of IP Phone is untagged Network Diagram Figure 16 Voice VLAN Configuration Configuration Steps 4500 vlan 2 4500 vlan2 port ethernet1 0 2 4500 vlan2 interf...

Страница 67: ...tup The Voice VLAN must be set and enabled both globally for the switch and at the system view level Each port where a VoIP phone may be connected must have Voice VLAN enabled locally Each port where...

Страница 68: ...ress If used in a 3Com NBX network be sure NBX Call processor is set to Standard IP Likewise ensure the NBX Call Processor default Gateway is set to the VLAN interface IP address Note that any IP rela...

Страница 69: ...ver Phone 1 can call Phone 2 and the PC can ping all networks 10 10 11 0 10 10 12 0 and 50 1 1 0 Voice VLAN in Auto Mode This section provides a detailed listing of a Switch configuration file The lin...

Страница 70: ...rip version 2 multicast interface Aux1 0 0 interface Ethernet1 0 1 poe enable stp edged port enable broadcast suppression PPS 3000 priority trust packet filter inbound link group 4999 rule 0 interfac...

Страница 71: ...le stp edged port enable broadcast suppression PPS 3000 priority trust packet filter inbound link group 4999 rule 0 interface Ethernet1 0 9 poe enable stp edged port enable port link type trunk undo p...

Страница 72: ...nable stp edged port enable broadcast suppression PPS 3000 priority trust packet filter inbound link group 4999 rule 0 interface Ethernet1 0 18 poe enable stp edged port enable broadcast suppression P...

Страница 73: ...ion mode interface NULL0 rip Dynamic Routing setup only required if deploying L3 network undo summary network 10 0 0 0 network 50 0 0 0 voice vlan 50 enable Set Vlan 50 as the Voice Vlan snmp agent sn...

Страница 74: ...vlan 5 broadcast suppression PPS 3000 priority trust voice vlan enable packet filter inbound link group 4999 rule 0 interface Ethernet1 0 8 poe enable stp edged port enable broadcast suppression PPS...

Страница 75: ...328 feet z Each Ethernet port can supply at most 15400 mW of power to a PD z When AC power input is adopted for the switch the maximum total power that can be provided by the PWR switches is 300 W Th...

Страница 76: ...use the following command to enable disable the PoE feature on a port in accordance with the network requirement Perform the following configuration in Ethernet Port View Table 67 Enabling disabling P...

Страница 77: ...to mode when the switch is reaching its full load in supplying power it will first supply power to the PDs that are connected to the ports with critical priority and then supply power to the PDs that...

Страница 78: ...h the 802 3af standard and then supply power to them You can use the following commands to enable disable the PD compatibility detect function Perform the following configuration in System View Table...

Страница 79: ...tion of the PoE feature on the switch and verify the effect of the configuration Table 74 PoE Information Display For more information on the parameters refer to the Command Reference Guide Configurat...

Страница 80: ...4500 Ethernet1 0 2 poe enable 4500 Ethernet1 0 24 poe enable Set the maximum power output of Ethernet1 0 1 and Ethernet1 0 2 to 12000 and 3000 mW respectively 4500 Ethernet1 0 1 poe max power 12000 4...

Страница 81: ...ternet It consists of two fields net id field and host id field There are five types of IP address See Figure 21 Figure 21 Five Classes of IP Address Class A Class B and Class C are unicast addresses...

Страница 82: ...is not put into use after starting up The IP address with network number as 0 indicates the current network and its network can be cited by the router without knowing its network number Network ID wi...

Страница 83: ...face in one of three ways Using the IP address configuration command Allocated by BOOTP server Allocated by DHCP server These three methods are mutually exclusive and a new configuration will replace...

Страница 84: ...lowing configuration in VLAN Interface View By default the IP address of a VLAN interface is null Displaying and Debugging IP Address After the above configuration enter the display command in any vie...

Страница 85: ...same network segment If the configuration is correct enable ARP debugging on the Switch and check whether the Switch can correctly send and receive ARP packets If it can only send but cannot receive...

Страница 86: ...t A The reply packet will be directly sent to Host A in stead of being broadcast Receiving the reply packet Host A will extract the IP address and the corresponding MAC address of Host B and add them...

Страница 87: ...ging time of the dynamic ARP aging timer is 20 minutes Configuring the Creation of ARP Entries for Multicast Packets Use the following command to specify whether the Switch should create ARP table ent...

Страница 88: ...e DHCP relay serves as conduit between the DHCP Client and the server located on different subnets The DHCP packets can be relayed to the destination DHCP server or Client across network segments The...

Страница 89: ...ent the client only accepts the first received one and then broadcasts DHCP_Request messages respectively to those DHCP servers The message contains the information of the IP address request from the...

Страница 90: ...above applies only when DHCP clients and server s are in the same subnet and it does not support trans segment networking To achieve dynamic address configuration you would have to configure a DHCP se...

Страница 91: ...ng sections Configuring the IP address for the DHCP server Configuring the DHCP Server Group for the VLAN Interfaces Configuring the IP address for the DHCP server You can configure a master and a bac...

Страница 92: ...e 85 Configuring the DHCP Server Group Corresponding to VLAN Interfaces Operation Command Configure DHCP server group corresponding to VLAN interfaces dhcp server groupNo Delete DHCP server group undo...

Страница 93: ...erver 0 4500 Vlan interface1 quit 4500 interface vlan interface 10 4500 Vlan interface10 dhcp server 0 4500 Vlan interface10 quit DHCP Relay Configuration Example Two Networking Requirements The segme...

Страница 94: ...igured 2 Use the display vlan and display ip interface vlan interface commands to check if the VLAN and the corresponding interface IP address have been configured 3 Ping the configured DHCP Server to...

Страница 95: ...P Address Pool Based on the Port Configuring Layer 2 Isolation Between Ports Enabling Disabling Access Management Trap Enabling Disabling Access Management You can use the following command to enable...

Страница 96: ...n the same unit within an aggregation group Note the following When a port in an aggregation group is added to or removed from an isolation group then all the other ports of this aggregation group on...

Страница 97: ...1 is connected to port 1 of the Switch and organization 2 to port 2 Ports 1 and 2 belong to the same VLAN The IP addresses range 202 10 20 1 to 202 10 20 20 can be accessed from port 1 and the range 2...

Страница 98: ...g the CLI the following commands should be entered from System View 4500 system view 4500 acl number 2500 4500 acl basic 2500 rule 0 permit source 10 10 10 1 0 0 0 255 To delete this feature enter 450...

Страница 99: ...following configuration in System View Note that You must first enable the UDP Helper function and then configure the UDP port with the relay function Otherwise error information will appear The para...

Страница 100: ...r the above configuration enter the display command in any view to display the running of the UDP Helper destination server and to verify the effect of the configuration Enter the debugging command in...

Страница 101: ...t timer If response packets are not received before synwait timeout the TCP connection will be terminated The timeout of synwait timer range is 2 to 600 seconds and it is 75 seconds by default finwait...

Страница 102: ...Attributes Operation Command Table 98 Displaying and Debugging IP Performance Operation Command Display TCP connection state display tcp status Display TCP connection statistics data display tcp stati...

Страница 103: ...estination IP Address 202 38 160 1 Destination port 4296 Use the debugging tcp packet command to enable the TCP debugging to trace the TCP packets Operations include 4500 terminal debugging 4500 debug...

Страница 104: ...102 CHAPTER 5 NETWORK PROTOCOL OPERATION...

Страница 105: ...wo nodes and these two nodes are considered adjacent in the Internet Adjacent routers are two routers connected to the same network The number of route segments between a router and hosts in the same...

Страница 106: ...segment where the destination host or router is located For example if the destination address is 129 102 8 10 the address of the network where the host or the router with the mask 255 255 0 0 is loca...

Страница 107: ...te with the highest preference becomes the current route Routing protocols and the default preferences of the routes that they learn are shown in Table 99 The smaller the value the higher the preferen...

Страница 108: ...sends data via the main route When the line fails the main route will hide itself and the router will choose from one of the remaining routes as a backup route whose precedence is higher than the oth...

Страница 109: ...entry of the routing table the router selects the default route to forward this packet If there is no default route and the destination address of the packet fails to match any entry in the routing ta...

Страница 110: ...address of the local Switch as the next hop address of an static route Preference For different configurations of preference_value you can flexibly apply the routing management policy Other parameters...

Страница 111: ...View routing table summary display ip routing table View routing table details display ip routing table verbose View the detailed information of a specific route display ip routing table ip_address m...

Страница 112: ...responding route is valid RIP Routing Information Protocol RIP is a simple dynamic routing protocol that is Distance Vector D V algorithm based It uses hop counts to measure the distance to the destin...

Страница 113: ...on about their local routing tables 2 After receiving the response packets the router that sent the request modifies its own routing table and sends a modification triggering packet to the neighbor ro...

Страница 114: ...al Routing Metrics Configuring Route Filtering Enabling RIP and Entering the RIP View Perform the following configurations in System View By default RIP is not enabled Enabling RIP on a Specified Netw...

Страница 115: ...ommands rip work rip output rip input and network Specifying the RIP Version RIP has two versions RIP 1 and RIP 2 You can specify the version of the RIP packet used by the interface RIP 1 broadcasts t...

Страница 116: ...time of the garbage collection timer is not fixed If the period update timer is set to 30 seconds the garbage collection timer might range from 90 to 120 seconds Before RIP completely deletes an unre...

Страница 117: ...bling Host Route In some cases the router can receive many host routes from the same segment and these routes are of little help in route addressing but consume a lot of network resources Routers can...

Страница 118: ...is not encrypted and can be seen in a network trace so simple authentication should not be applied when there are high security requirements MD5 authentication This mode uses two packet formats One f...

Страница 119: ...mmand to import the routes of other protocols you can specify their cost If you do not specify the cost of the imported route RIP will set the cost to the default cost specified by the default cost pa...

Страница 120: ...y the router and RIP routes generated by the router itself which means that it has no effect on the routes imported to RIP by other routing protocols Configuring Route Filtering The Router provides a...

Страница 121: ...Filter the Received Routes Operation Command Filter the received routing information distributed by the specified address filter policy gateway ip_prefix_name import Cancel filtering of the received...

Страница 122: ...addresses for the VLAN interfaces are configured 1 Configure RIP on Switch A Switch A rip Switch A rip network 110 11 2 0 Switch A rip network 155 10 1 0 2 Configure RIP on Switch B Switch B rip Swit...

Страница 123: ...fying the characteristics of the routing information to be filtered You can set the rules based on such attributes as the destination address and source address of the information The rules can be set...

Страница 124: ...and the domain of the routing information In addition in the IP Prefix you can specify the gateway options and require it to receive only the routing information distributed by some certain routers A...

Страница 125: ...outing policy denies the routing information If all the nodes in the route policy are in deny mode all routing information is denied by the route policy Defining If match Clauses for a Route policy Th...

Страница 126: ...istribution If the destination routing protocol that imports the routes cannot directly reference the route costs of the source routing protocol you should satisfy the requirement of the destination p...

Страница 127: ...e routing policy configuration and to verify the effect of the configuration Typical IP Routing Policy Configuration Example Configuring the Filtering of the Received Routing Information Networking Re...

Страница 128: ...h A rip 1 area 0 0 0 0 network 10 0 0 0 0 255 255 255 d Import the static routes Switch A rip 1 import route static 2 Configure Switch B a Configure the IP address of VLAN interface Switch B interface...

Страница 129: ...oute Policy When all the nodes of the Route Policy are in the deny mode then all the routing information cannot pass the filtering of the Route Policy The if match mode of at least one list item of th...

Страница 130: ...128 CHAPTER 6 IP ROUTING PROTOCOL OPERATION...

Страница 131: ...cket with the access control rule the issue of match order arises Filtering or Classifying Data Transmitted by the Hardware ACL can be used to filter or classify the data transmitted by the hardware o...

Страница 132: ...smaller range is listed ahead If the port numbers are in the same range follow the configuration sequence ACL Supported by the Switch The table below lists the limits to the numbers of different types...

Страница 133: ...DP port number in use and packet priority to process the data packets The advanced ACL supports the analysis of three types of packet priorities ToS Type of Service IP and DSCP priorities You can use...

Страница 134: ...o understand the Layer 2 data frame structure Any packet ending up at the FFP Fast Filter Processor that performs ACL functionality will contain a VLAN tag Even packets that ingress the Switch untagge...

Страница 135: ...and in all views to display the running of the ACL configuration and to verify the effect of the configuration Execute reset command in User View to clear the statistics of the ACL module Table 133 Di...

Страница 136: ...on Example Configuration Procedure In the following configurations only the commands related to ACL configurations are listed 1 Define the work time range Define time range from 8 00 to 18 00 4500 tim...

Страница 137: ...fine the time range Define time range from 8 00 to 18 00 4500 time range 3Com 8 00 to 18 00 daily 2 Define the ACL for packet which source IP is 10 1 1 1 a Enter the number basic ACL number as 2000 45...

Страница 138: ...GigabitEthernet1 0 50 packet filter inbound link group 4000 QoS Configuration Traffic Traffic refers to all packets passing through a Switch Traffic Classification Traffic classification means identif...

Страница 139: ...an be used and defined in different QoS modules Queue Scheduling When congestion occurs several packets will compete for the resources The queue scheduling algorithm is used to overcome the problem We...

Страница 140: ...by a packet with the port priority Configuring Trust Packet Priority The system replaces the 802 1p priority carried by a packet with the port priority by default The user can configure system trusti...

Страница 141: ...rnet Port View Table 137 Configure Mirroring Port Delete Port Mirroring 1 Delete mirroring port Perform the following configuration in the Ethernet Port View Table 138 Delete Mirroring Port 2 Delete m...

Страница 142: ...Guide Configuring the Mapping Relationship Between COS and Local Precedence The default mapping relationship between 802 1p priority and output queue of the port is as follows Table 144 Mapping betwe...

Страница 143: ...to rate limit based on the port that is limiting the total rate at the port The granularity of line rate is 64 kbps Perform the following configurations in the Ethernet Port View Table 147 Setting Lin...

Страница 144: ...ubnet address 129 110 1 2 For the wage server the inbound traffic is limited at 128 kbps and the inbound port rate at 128 kbps Those packets exceeding the threshold will be labeled with dscp priority...

Страница 145: ...he wage server a Limit average traffic from the wage server at 128 Kbps and label over threshold packets with priority level 4 4500 Ethernet1 0 1 traffic limit inbound ip group 3000 128 exceed remark...

Страница 146: ...ng two levels Level 1 User connection control Configured access control list ACL filters login users so that only legal users can be connected to the switch Level 2 User password authentication Before...

Страница 147: ...view rule rule id permit deny source source addr wildcard any fragment source source addr wildcard any When TELNET and SSH users use basic and advanced ACLs only the source IP and the corresponding ma...

Страница 148: ...ason for login failure L2 ACL Configuration Example Configuration Prerequisites Only the TELNET users with 00e0 fc01 0101 and 00e0 fc01 0303 source MAC addresses are allowed to access switches Figure...

Страница 149: ...Switch Configuration Steps Define basic ACLs 4500 system view System View return to User View with Ctrl Z 4500 acl number 2000 match order config Define rules 4500 acl basic 2000 rule 1 permit source...

Страница 150: ...s have correctly configured to log into switches by SNMP Configuration Tasks Table 151 lists the commands that you can execute to configure SNMP user ACL Table 151 Commands for Controlling ACL Access...

Страница 151: ...ACLs when you configure the SNMP group name command snmp agent group v1 v2c group name read view read view write view write view notify view notify view acl acl number snmp agent group v3 group name a...

Страница 152: ...p acl 2000 Configuring ACL Control for HTTP Users The Switch 4500 Family supports the remote management through the Web interface The users can access the Switch through HTTP Controlling such users wi...

Страница 153: ...alled for WEB NM user control Configuration Example Networking Requirements Only permit Web NM user from 10 110 100 46 access Switch Networking Diagram Figure 43 Controlling Web NM users with ACL Conf...

Страница 154: ...152 CHAPTER 7 ACL CONFIGURATION...

Страница 155: ...IGMP host it will remove the host from the corresponding multicast table The switch continuously listens to the IGMP messages to create and maintain MAC multicast address table on Layer 2 And then it...

Страница 156: ...4500 Router port aging time Time set on the router port aging timer If the switch has not received any IGMP general query messages before the timer times out it is no longer considered a router port...

Страница 157: ...When a router port receives an IGMP general query message the Switch 4500 will reset the aging timer of the port When a port other than a router port receives the IGMP general query message the Switch...

Страница 158: ...ed the message to the group starts the port aging timer and then adds all the router ports in the native VLAN of the port into the MAC multicast forwarding table Meanwhile it creates an IP multicast g...

Страница 159: ...o manually configure the maximum response time If the Switch 4500 receives no report message from a port within the maximum response time the switch will remove the port from the multicast group Perfo...

Страница 160: ...first enable it The switch is connected to the router via the router port and with user PCs through the non router ports on vlan 10 Table 158 Configuring aging time of the multicast member Operation...

Страница 161: ...tch disabled IGMP Snooping check whether the IGMP Snooping is enabled globally and also enabled on the VLAN If IGMP Snooping is not enabled globally first input the igmp snooping enable command in Sys...

Страница 162: ...p snooping group to check if MAC multicast forwarding table in the bottom layer and that created by IGMP Snooping is consistent You may also input the display mac vlan command in any view to check if...

Страница 163: ...ices within the stack can backup each other This feature brings you many advantages Realizes unified management of multiple devices Only one connection and one IP address are required to manage the en...

Страница 164: ...ge the unit ID If you choose to change the existing unit ID is replaced and the priority is set to 5 Then you can use the fabric save unit id command to save the modified unit ID into the unit Flash m...

Страница 165: ...gabit combo ports can be used to interconnect the Switch units to form a stack In the 3Com switch operating system the term fabric is used as a general expression for stack Setting Unit Names for Swit...

Страница 166: ...System View Table 167 Setting an XRN Authentication Mode for Switches By default no authentication mode is set on the Switches Displaying and Debugging a Stack Following completion of the above confi...

Страница 167: ...ethernet2 0 51 enable 4500 fabric port gigabitethernet2 0 52 enable 4500 sysname hello hello xrn fabric authentication mode simple welcome Configure Switch C 4500 change unit id 1 to auto numbering 45...

Страница 168: ...rnet4 0 51 enable 4500 fabric port gigabitethernet4 0 52 enable 4500 sysname hello hello xrn fabric authentication mode simple welcome In the example it is assumed that the system will automatically c...

Страница 169: ...led configuration Bridge Protocol Data Units or BPDU in IEEE 802 1D to decide the topology of the network The configuration BPDU contains the information enough to ensure the Switches to compute the s...

Страница 170: ...h B forwards BPDU to LAN So the designated bridge of LAN is Switch B and the designated port is BP2 AP1 AP2 BP1 BP2 CP1 and CP2 respectively delegate the ports of Switch A Switch B and Switch C The Sp...

Страница 171: ...he same perform the comparison based on root path costs The cost comparison is as follows the path cost to the root recorded in the configuration BPDU plus the corresponding path cost of the local por...

Страница 172: ...1 0 1 BP2 Switch B compares the configuration BPDUs of the ports and selects the BP1 BPDU as the optimum one Thus BP1 is elected as the root port and the configuration BPDUs of Switch B ports are upd...

Страница 173: ...certain rules The basic calculation process is described below Configuration BPDU Forwarding Mechanism in STP Upon the initiation of the network all the Switches regard themselves as the roots The des...

Страница 174: ...n the upstream has begun forwarding data The conditions for rapid state transition of the designated port are The port is an edge port that does not connect with any Switch directly or indirectly If t...

Страница 175: ...witch The configuration of STP feature status on the port will not take effect if the STP feature is disabled from the Switch Configure RSTP operational mode The Switch works in RSTP mode If there are...

Страница 176: ...port Specify the standard to follow in Path Cost calculation The Switch gets the path cost of a port from the link rate under the IEEE 802 1t standard The path cost of a port is closely related to th...

Страница 177: ...wo ports connected with a peer to peer link can rapidly transit to the forwarding status by sending synchronous packets eliminating unnecessary forwarding delay Specify the Path Cost on a port Specify...

Страница 178: ...re at the preference 128 The port preference plays an important role in root port selection You can make a port to be root port by giving it a smallest preference value Configure whether to connect a...

Страница 179: ...o set the RSTP operating mode Perform the following configurations in System View Table 172 Set RSTP Operating Mode Normally if there is a bridge provided to execute STP in the Switching network the p...

Страница 180: ...n the Switching network are the same the bridge with the smallest MAC address will be selected as the root When RSTP is enabled an assignment of a priority to the bridge will lead to recalculation of...

Страница 181: ...y of a Specified Bridge Link failure will cause recalculation of the spanning tree and change its structure However the newly calculated configuration BPDU cannot be propagated throughout the network...

Страница 182: ...form the following configuration in System View Table 178 Set Max Age of the Specified Bridge If the Max Age is too short it will result in frequent calculation of spanning tree or misjudge the networ...

Страница 183: ...s therefore recommended to use the default value By default an Ethernet port can transmit at most 3 STP packets within one Hello Time Set Specified Port to be an EdgePort EdgePort is not connected to...

Страница 184: ...ed to the transmission rate of the link the port connects to The larger the link rate is the smaller the path cost shall be RSTP can automatically detect the link rate and calculate the path cost for...

Страница 185: ...ports are 128 Configure a Specified Port to be Connected to Point to Point Link Generally a point to point link connects the Switches You can use the following command to configure a specified port to...

Страница 186: ...the bridge runs RSTP in STP compatible mode Configure the Switch Security Function An RSTP Switch provides BPDU protection and root protection functions It looks like flapping refers to Spanning Tree...

Страница 187: ...port has not received any higher priority BPDU for a certain period of time thereafter it will resume to the normal state When you configure a port only one configuration at a time can be effective am...

Страница 188: ...lly so only the RSTP configuration on Switch D will be introduced Networking Diagram Figure 54 RSTP Configuration Example Configuration Procedure 1 Configure Switch A a Enable RSTP globally 4500 stp e...

Страница 189: ...those ports that are not involved in RSTP calculation however be careful and do not disable those involved The following configuration takes Ethernet 1 0 4 as an example 4500 interface Ethernet 1 0 4...

Страница 190: ...igure Switch D a Enable RSTP globally 4500 stp enable b The port RSTP defaults are enabled after global RSTP is enabled You can disable RSTP on those ports that are not involved in RSTP calculation ho...

Страница 191: ...enticate and control all the accessed devices on the port of LAN access control device If the user s device connected to the port can pass the authentication the user can access the resources in the L...

Страница 192: ...nly after the user passes the authentication Then the user is allowed to access the network resources Figure 55 802 1X System Architecture 802 1X Authentication Process 802 1X configures EAP frame to...

Страница 193: ...figure the 802 1X state of the port The configured items will take effect after the global 802 1X is enabled When 802 1X is enabled on a port the maximum number of MAC address learning which is config...

Страница 194: ...nsmitting and does not permit the user to access the network resources If the authentication flow is passed the port will be switched to the authorized state and permit the user to access the network...

Страница 195: ...t By default 802 1X allows up to 256 users on each port for Series 4500 Switches Setting the Authentication in DHCP Environment If in a DHCP environment the users configure static IP addresses you can...

Страница 196: ...mum Times of the Authentication Request Message Retransmission By default the max retry value is 3 That is the Switch can retransmit the authentication request message to a user for a maximum of 3 tim...

Страница 197: ...he Authenticator begins to run If the user does not respond back successfully within the time range set by this timer the Authenticator will resend the above packet supp timeout value Specify how long...

Страница 198: ...is accessed the domain name does not follow the user name Normally if the user s traffic is less than 2 kbps consistently over 20 minutes they will be disconnected A server group consisting of two RAD...

Страница 199: ...ius1 and enters its view 4500 radius scheme radius1 4 Set IP address of the primary authentication accounting RADIUS servers 4500 radius radius1 primary authentication 10 11 1 1 4500 radius radius1 pr...

Страница 200: ...Enable idle cut function for the user and set the idle cut parameter in the domain 3com163 net 4500 isp 3com163 net idle cut enable 20 2000 15 Add a local user and sets its parameter 4500 local user l...

Страница 201: ...e 201 Enabling Disabling Centralized MAC Address Authentication You can configure the centralized MAC address authentication status on the ports first However the configuration does not function on ea...

Страница 202: ...tch needs a period of quiet time set by the quiet timer before it re authenticates The Switch does not authenticate during the quiet time Server timeout During the authentication to the user if the co...

Страница 203: ...e a local user are shown as follows For other configurations see 802 1X Configuration Example The configurations of centralized MAC address authentication is similar to 802 1x their differences are 1...

Страница 204: ...etwork server Authorization authorizes the user with specified services Accounting traces network resources consumed by the user RADIUS Protocol Overview As mentioned above AAA is a management framewo...

Страница 205: ...receive from the RADIUS server various kinds of response messages in which the ACCEPT message indicates that the user has passed the authentication and the REJECT message indicates that the user has...

Страница 206: ...figure a complete set of exclusive ISP domain attributes on a per ISP domain basis which includes AAA policy RADIUS scheme applied etc For the Switch 4500 each user belongs to an ISP domain Up to 16 d...

Страница 207: ...e Table 210 Configuring ISP Domain State By default after an ISP domain is created the state of the domain is active Setting Access Limit Maximum number of users specifies how many users can be contai...

Страница 208: ...clients to inform the online users about their remaining online time through the message alert dialog box The implementation of this function is as follows On the switch use the following command to e...

Страница 209: ...in the command line The Change user password option is available only when the user passes the authentication otherwise this option is in grey and unavailable Creating a Local User A local user is a...

Страница 210: ...es and specify the user levels then only the last configured user level is valid Some of the service types allow a user privilege level to be entered as an optional extra parameter For example Telnet...

Страница 211: ...the same configuration but two different IP addresses Accordingly attributes of every RADIUS scheme include IP addresses of primary and secondary servers shared key and RADIUS server type etc RADIUS p...

Страница 212: ...es are all default values The default attribute values will be introduced in the following text Configuring RADIUS Authentication Authorization Servers After creating a RADIUS scheme you have to set I...

Страница 213: ...reated RADIUS scheme the IP address of the primary accounting server is 0 0 0 0 and the UDP port number of this server is 1813 as for the system RADIUS scheme created by the system the IP address of t...

Страница 214: ...fied number of times You can use the following command to set the maximum number of times of a real time accounting request failing to be responded to Perform the following configurations in RADIUS Sc...

Страница 215: ...IUS client Switch system and the RADIUS server use MD5 algorithm to encrypt the exchanged packets The two ends verify the packet through setting the encryption key Only when the keys are identical can...

Страница 216: ...ype of the RADIUS Server By default the newly created RADIUS scheme supports the server type standard while the system RADIUS scheme created by the system supports the server type 3com Setting the RAD...

Страница 217: ...ng configurations in RADIUS Scheme View Table 231 Setting the Username Format Transmitted to the RADIUS Server If a RADIUS scheme is configured not to allow usernames including ISP domain names the RA...

Страница 218: ...Source Address for the RADIUS Packets sent by the NAS You can use either command to bind a source address with the NAS By default no source address is specified and the source address of a packet is t...

Страница 219: ...s more than 1000 inclusive 3Com suggests a larger value The following table recommends the ratio of minute value to the number of users Table 237 Recommended Ratio of Minute to Number of Users By defa...

Страница 220: ...ucib_index user name user_name Display related information of the local user display local user domain isp_name idle cut disable enable service type telnet ftp lan access ssh terminal state active bl...

Страница 221: ...nging messages between the Switch and the authentication server is expert The Switch cuts off the domain name from username and sends the remaining part to the RADIUS server Networking Topology Figure...

Страница 222: ...y AAA authentication to Telnet users 4500 ui vty0 4 authentication mode scheme b Create a local user telnet 4500 local user telnet 4500 luser telnet service type telnet 4500 luser telnet password simp...

Страница 223: ...created as follows 4500 radius scheme NewSchemeName New Radius scheme 4500 radius NewSchemeName 2 Next we need to add the attributes of the RADIUS scheme This involves configuring the RADIUS server I...

Страница 224: ...led on port Ethernet1 0 18 802 1X is enabled on port Ethernet1 0 19 802 1X is enabled on port Ethernet1 0 20 4500 xx 802 1X login is now enabled on the port When a device with an 802 1X client connect...

Страница 225: ...server defined you need to login as user domain for example joe demo This will try to log you into the demo domain which uses the external rather than the internal RADIUS server By default the userna...

Страница 226: ...ht be some communication fault between NAS and RADIUS server which can be discovered through pinging RADIUS from NAS So ensure there is normal communication between NAS and RADIUS Fault Two RADIUS Pac...

Страница 227: ...mand 4500 xx debugging radius packet 3Com User Access Level This determines the Access level a user will have with Switch login This can be administrator manager monitor or visitor You may need to add...

Страница 228: ...226 CHAPTER 11 802 1X CONFIGURATION...

Страница 229: ...Operation You can use the file system to create or delete a directory display the current working directory and display the information about the files or directories under a specified directory You c...

Страница 230: ...he following configuration in System View Table 242 Execute the Specified Batch File Storage Device Operation The file system can be used to format a specified memory device You can use the following...

Страница 231: ...ve the current configuration Erase configuration files from Flash Memory Displaying the Current configuration and Saved configuration of the Switch After being powered on the system reads the configur...

Страница 232: ...s from Flash Memory The system will use the default configuration parameters for initialization when the Switch is powered on for the next time Perform the following configuration in User View Table 2...

Страница 233: ...igure 60 FTP Configuration Table 250 Configuration of the Switch as FTP Client Table 251 Configuration of the Switch as FTP Server Operation Command Display the information of the file used at startup...

Страница 234: ...passed the authentication and authorization successfully can access the FTP server Configuring the Running Parameters of FTP Server You can use the following commands to configure the connection timeo...

Страница 235: ...connects the FTP clients and the remote server and inputs the command from the clients for corresponding operations such as creating or deleting a directory FTP Client Configuration Example Networking...

Страница 236: ...ord to log into the FTP server 4500 ftp 2 2 2 2 Trying Press CTRL K to abort Connected 220 WFTPD 2 0 service by Texas Imperial Software ready for new user User none switch 331 Give me your password pl...

Страница 237: ...r enable 4500 local user switch 4500 luser switch service type ftp ftp directory flash 4500 luser switch password simple hello 3 Run FTP client on the PC and establish FTP connection Upload the switch...

Страница 238: ...ad files by means of TFTP Perform the following configuration in User View Table 257 Download Files by means of TFTP Uploading Files by means of TFTP To upload a file the client sends a request to the...

Страница 239: ...zed TFTP directory 2 Configure the Switch Log into the Switch locally through the Console port or remotely using Telnet 4500 CAUTION If the flash memory of the Switch is not enough you need to first d...

Страница 240: ...HAPTER 12 FILE SYSTEM MANAGEMENT 7 Use the boot boot loader command to specify the downloaded program as the application at the next login and reboot the Switch 4500 boot boot loader switch app 4500 r...

Страница 241: ...ort as a new entry to the table The system forwards the packets whose destination addresses can be found in the MAC address table directly through the hardware and broadcasts those packets whose addre...

Страница 242: ...ddress table entries the learned entries will be deleted simultaneously Setting MAC Address Aging Time Setting an appropriate aging time implements MAC address aging Too long or too short an aging tim...

Страница 243: ...s reaches the count value You can use the following commands to set the max count of MAC addresses learned by a port Perform the following configuration in Ethernet Port View Table 261 Set the Max Cou...

Страница 244: ...working Diagram Figure 66 Display MAC address table Configuration procedure The display command shows a stack wide view of the MAC address table 4500 display mac address MAC ADDR VLAN ID STATE PORT IN...

Страница 245: ...er the System View of the Switch 4500 system view 2 Add a MAC address specify the native VLAN port and state 4500 mac address static 00e0 fc35 dc71 interface ethernet1 0 2 vlan 1 3 Set the address agi...

Страница 246: ...n on the Switch the Switch will be rebooted at the specified time Perform the following configuration in User View and the display schedule reboot command can be performed in any view Table 264 Reboot...

Страница 247: ...pgrade using the right commands The Switch serves as FTP client and the remote PC as FTP server The configuration on the FTP server Configure an FTP user named as Switch with password hello and with r...

Страница 248: ...upload the new ones 3 Type in the correct command in User View to establish FTP connection then enter the correct username and password to log into the FTP server 4500 ftp 2 2 2 2 Trying Press CTRL K...

Страница 249: ...e the boot boot loader command to specify the downloaded program as the application at the next login and reboot the Switch 4500 boot boot loader switch app 4500 display boot loader The app to boot at...

Страница 250: ...248 CHAPTER 14 DEVICE MANAGEMENT...

Страница 251: ...ult the UTC time zone is adopted Setting the Summer Time You can set the name start and end time of the summer time Perform the following operations in the User View Table 271 Setting the Summer Time...

Страница 252: ...uration of multiple users You cannot configure the configuration agent but can view the statistics of the configuration agent Perform the following operations in all views Table 272 The Display Comman...

Страница 253: ...nd the debugging information of the slave is only displayed on the slave device You can view the debugging information including that of the master and the device in which the login port resides You c...

Страница 254: ...for Network Connection ping The ping command can be used to check the network connection and if the host is reachable Perform the following operation in all views Table 275 The ping Command The outpu...

Страница 255: ...xecution process of tracert is described as follows Send a packet with TTL value as 1 and the first hop sends back an ICMP error message indicating that the packet cannot be sent for the TTL is timeou...

Страница 256: ...n perform an remote ping test after creating a test group and configuring the test parameters Being different from the ping command remote ping does not display the round trip time RTT and timeout sta...

Страница 257: ...equivalent to the n parameter in the ping command Automatic test interval This parameter is used to allow the system to automatically perform the same test at regular intervals Test timeout time Test...

Страница 258: ...or icmp count 10 S5500 remote ping administrator icmp timeout 3 4 Enable the test operation S5500 remote ping administrator icmp test enable Configure the test parameters Configure the destination IP...

Страница 259: ...info center the first part will be Priority For example 187 Jun 7 05 22 03 2003 4500 IFNET 6 UPDOWN Line protocol on interface Ethernet1 0 2 changed state to UP The description of the components of l...

Страница 260: ...e default value is 4500 You can change the host name through sysname command There is a blank between sysname and module name 4 Module name The module name is the name of module which created this log...

Страница 261: ...IPC Inter process communication module IPMC IP multicast module L2INF Interface management module LACL LAN switch ACL module LQOS LAN switch QoS module LS Local server module MPM Multicast port manage...

Страница 262: ...Output The settings in the six directions are independent from each other The settings will take effect only after enabling the information center The Switch info center has the following features Sup...

Страница 263: ...t out and the time stamp format of information and so on You must turn on the Switch of the corresponding module before defining output debugging information Enable terminal display function You can v...

Страница 264: ...onfiguration Description Switch Enable info center By default info center is enabled Other configurations are valid only if the info center is enabled Set the information output direction to trapbuffe...

Страница 265: ...n define the information that sent to loghost is generated by which modules information type information level and so on Perform the following operation in system view Device Configuration Default Val...

Страница 266: ...configuring information source meantime using the debugging command to turn on the debugging switch of those modules You can use the following commands to configure log information debugging informat...

Страница 267: ...control terminal channel number or channel name must be set to the channel that corresponds to the Console direction Every channel has been set with a default record whose module name is default and...

Страница 268: ...1 Enabling info center Perform the following operation in System View Table 294 Enable Disable Info Center Info center is enabled by default After info center is enabled system performances are affect...

Страница 269: ...e When there are more than one Telnet users or monitor users at the same time some configuration parameters should be shared among the users such as module based filtering settings and severity thresh...

Страница 270: ...lt After info center is enabled system performances are affected when the system processes much information because of information classification and outputting 2 Configuring to output information to...

Страница 271: ...specific configuration record for a module in the channel use the default one If you want to view the debugging information of some modules on the Switch you must select debugging as the information t...

Страница 272: ...vels severity specifies the severity level of information The information with the level below it will not be output channel number specifies the channel number and channel name specifies the channel...

Страница 273: ...fter info center is enabled system performances are affected when the system processes much information because of information classification and outputting 2 Configuring to output information to SNMP...

Страница 274: ...ation and the time stamp output format of trap information Perform the following operation in System View Table 310 Configuring the Output Format of Time stamp 4 Configuring SNMP and a network managem...

Страница 275: ...command in User View you can clear the statistics of info center Perform the following operation in User View The display command still can be performed in any view Figure 74 Displaying and Debugging...

Страница 276: ...er source arp channel loghost log level informational 3com info center source ip channel loghost log level informational 2 Configuration on the loghost This configuration is performed on the loghost T...

Страница 277: ...onfigure facility severity filter and the file syslog conf synthetically you can get classification in great detail and filter the information Configuration examples of sending log to Linux loghost Ne...

Страница 278: ...og information level specified in etc syslog conf must be consistent with info center loghost and info center loghost a b c d facility configured on the switch Otherwise the log information probably c...

Страница 279: ...abling info center 4500 info center enable 2 Configure control terminal log output allow modules ARP and IP to output information the severity level is restricted within the range of emergencies to in...

Страница 280: ...278 CHAPTER 15 SYSTEM MAINTENANCE AND DEBUGGING...

Страница 281: ...ment Station and Agent Network Management Station is the workstation for running the client program At present the commonly used NM platforms include Sun NetManager and IBM NetView Agent is the server...

Страница 282: ...pports SNMP V1 V2C and V3 The MIBs supported are listed in the following table Table 314 MIBs Supported by the Switch Configuring SNMP The main configuration of SNMP includes Set community name Set th...

Страница 283: ...the community name Perform the following configuration in System View Table 315 Set Community Name Enabling Disabling SNMP Agent to Send Trap The managed device transmits a trap without request to th...

Страница 284: ...he system information Perform the following configuration in System View Table 319 Set SNMP System Information By default the sysLocation is specified as a blank string that is Setting the Engine ID o...

Страница 285: ...he device snmp agent local engineid engineid Restore the default engine ID of the device undo snmp agent local engineid Operation Command Setting an SNMP group snmp agent group v1 v2c group name read...

Страница 286: ...ort Transmitting Trap Information SNMP Agent Disabling SNMP Agent To disable SNMP Agent perform the following configuration in System View Table 327 Disable SNMP Agent If user disable NMP Agent it wil...

Страница 287: ...Switch location and enable the Switch to send trap packet Display the group name the security mode the states for all types of views and the storage mode of each group of the Switch display snmp agent...

Страница 288: ...e2 ip address 129 102 0 1 255 255 255 0 4 Set the administrator ID contact and the physical location of the Switch 4500 snmp agent sys info contact Mr Wang Tel 3306 4500 snmp agent sys info location t...

Страница 289: ...4500 snmp agent group v3 sdsdsd 4500 snmp agent usm user v3 paul sdsdsd authentication mode md5 hello 4500 snmp agent mib view included ViewDefault snmpUsmMIB 4500 snmp agent mib view included ViewDef...

Страница 290: ...288 CHAPTER 16 SNMP CONFIGURATION View name ViewDefault MIB Subtree snmpModules 18 Subtree mask Storage type nonVolatile View Type excluded View status active...

Страница 291: ...ws multiple monitors It can collect data in two ways One is to collect data with a special RMON probe NMS directly obtains the management information from the RMON probe and controls the network resou...

Страница 292: ...p messages to NMS or performing both at the same time You can use the following commands to add delete an entry to from the event table Perform the following configuration in System View Table 330 Add...

Страница 293: ...on execute the display command in all views to display the running of the RMON configuration and to verify the effect of the configuration Table 334 Display and Debug RMON Operation Command Add an ent...

Страница 294: ...on is VALID Gathers statistics of interface Ethernet1 0 1 Received octets 270149 packets 1954 broadcast packets 1570 multicast packets 365 undersized packets 0 oversized packets 0 fragments packets 0...

Страница 295: ...e clocks of all network devices be consistent Some functions such as restarting all network devices in a network simultaneously require that they adopt the same time When multiple systems cooperate to...

Страница 296: ...LS_A LS_A LS_A LS_B LS_B LS_B LS_B NTP Packet NTP Packet Network Network NTP Packet 10 00 00 am Network Network 11 00 01 am 10 00 00 am 11 00 01 am 11 00 02 am 10 00 00 am NTP Packet received at 10 0...

Страница 297: ...reference clocks the one with a smaller stratum number is adopted Network Client Server Clock synchronization request packet Response packet Filters and selects a clocks and synchronize the local clo...

Страница 298: ...ast client mode In this mode the local Switch 4500 receives broadcast NTP packets through the VLAN interface configured on the switch Network Client Works in the server mode automatically and sends re...

Страница 299: ...mode Configure the local Switch 4500 Ethernet switch to operate in NTP multicast server mode In this mode the local switch sends multicast NTP packets through the VLAN interface configured on the swit...

Страница 300: ...lticast address or the IP address used by the local reference clock NTP peer mode The remote server specified by the remote ip or peer name argument serves as the peer of the local Ethernet switch and...

Страница 301: ...figuring Access Control Right The access control right to the NTP server only provides a minimal degree of security measure A more secure way is to perform identity authentication The right of an acce...

Страница 302: ...ion on the server Operation Command Description Enter system view system view Enable the NTP authentication function globally ntp service authentication enable Required By default the NTP authenticati...

Страница 303: ...n key is configured Enter VLAN interface view interface Vlan interface vlan id Associate the specified key with the corresponding NTP server Broadcast server mode ntp service broadcast server authenti...

Страница 304: ...is the NTP server and operates in client mode while SW4500 operates in server mode automatically Network Diagram Table 342 Network diagram for the NTP server mode configuration Configuration procedur...

Страница 305: ...es that Switch4500 is synchronized with Switch1 and the stratum level of its clock is 3 one level lower than that of Switch1 View the information about NTP sessions of the Switch 4500 You can see that...

Страница 306: ...of Switch3 is 1 and that of the SW4500 Ethernet switch is 3 the SW4500 Ethernet switch is synchronized to Switch3 View the status of the SW4500 Ethernet switch after synchronization Sw4500 display ntp...

Страница 307: ...ter clock Network diagram Figure 87 Network diagram for the NTP broadcast mode configuration Configuration procedure 1 Configure Switch3 Enter system view Switch3 system view Switch3 Enter Vlan interf...

Страница 308: ...ck precision 2 19 Clock offset 198 7425 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 UTC Thu Sep 6 2001 BF422AE4 05AEA86C The output information...

Страница 309: ...500 2 interface Vlan interface 2 Set SW4500 2 to a multicast client SW4500 2 Vlan interface2 ntp service multicast client After the above configurations SW4500 1 and SW4500 2 respectively listen to mu...

Страница 310: ...service sessions source reference stra reach poll now offset delay disper 1 3 0 1 31 127 127 1 0 2 1 64 377 26 1 199 53 9 7 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Conf...

Страница 311: ...tch1 ntp service authentication keyid 42 authentication mode md5 aNiceKey Specify the key as a trusted key Switch1 ntp service reliable authentication keyid 42 After the above configurations the SW450...

Страница 312: ...310 CHAPTER 18 NTP CONFIGURATION...

Страница 313: ...etwork environment A Switch can connect to multiple SSH clients SSH 2 0 and SSH1 x are currently available SSH client functions to enable SSH connections between users and the Switch or UNIX host that...

Страница 314: ...public key from the server and the random number generated locally as parameters to calculate the session key Using the public key from the server the client encrypts the random number for calculatin...

Страница 315: ...tication procedure The server configures an RSA public key for the client The client sends its RSA public key member module to the server The server performs validity authentication on the member modu...

Страница 316: ...pair destroy System view Optional 3 Configure the SSH user authentication mode ssh user username authentication type System view Required 4 Set the SSH authentication timeout ssh server timeout Syste...

Страница 317: ...e server key are 512 bits and 2048 bits respectively Perform the following configuration in system view Table 345 Generate an RSA key pair CAUTION Generating the RSA key pair of the server is the firs...

Страница 318: ...n SSH user can request for a connection thereby preventing illegal behaviors such as malicious guessing Perform the following configuration in system view Table 349 Configure the number of SSH authent...

Страница 319: ...y edit view Use this configuration task to return from the public key edit view to the public key view and save the input public key Before saving the input public key the system will check the validi...

Страница 320: ...H Server 2 0 now select 2 0 for the client Specifying the RSA private key file On the server if RSA authentication is enabled for an SSH user and a public key is set for the user the private key file...

Страница 321: ...the client key 1 While generating the key pair you must move the mouse continuously The mouse should be restricted off the green process bar in the blue box of Figure 93 Otherwise the process bar does...

Страница 322: ...320 CHAPTER 19 SSH TERMINAL SERVICES Figure 93 Generating the client key 2 After the key pair is generated click Save public key and enter the file name public for here to save the key pair...

Страница 323: ...warning window pops up to prompt you whether to save a private key without any precautions Click Yes and enter a name private for here to save the private key Figure 95 Generating the client key 4 To...

Страница 324: ...322 CHAPTER 19 SSH TERMINAL SERVICES Figure 96 Generating the client key 5 Specifying the IP address of the server Launch PuTTY exe and the following window appears...

Страница 325: ...he IP address can be the IP address of any interface on the server that has SSH in the state of up and a route to the client Selecting the protocol for remote connection As shown in Figure 97 select t...

Страница 326: ...red SSH protocol version section Open an SSH Connection with RSA If the client needs to use RSA authentication you must specify the RSA private key file If the client needs to use password authenticat...

Страница 327: ...SSH Terminal Service 325 Figure 99 Figure 8 10 SSH client interface 3 Click Browse to bring up the file selection window navigate to the private key file and click OK...

Страница 328: ...n SSH client Table 355 SSH client configuration 1 Starting the SSH client Use this configuration task to enable the connection with the SSH client and the server and specify the preferred key exchange...

Страница 329: ...n there is no local copy of the public key of the connected server the client assumes that the server is illegal and will refuse to access the server Perform the following configuration in system view...

Страница 330: ...leted skip this step 2 Set the user login authentication mode The following shows the configuration methods for both password authentication and RSA public key authentication Password authentication S...

Страница 331: ...ng the SSH 2 0 enabled client software randomly generate an RSA key pair and send the public key to the server 4 Configure the public key of the client and specify the name of the public key as 3com00...

Страница 332: ...key code BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125 3Com rsa key code public key code end 3Com rsa public key peer public key end 3Com ssh client 10 165 87 136 assign rsa key hello CAUTION Before lo...

Страница 333: ...eering shall be allowed 3Com SFTP Service SFTP Overview Secure FTP SFTP is a new feature introduced in SSH 2 0 SFTP is established on SSH connections which makes remote users able to securely log in t...

Страница 334: ...the SFTP server By default the SFTP server is shut down SFTP Client Configuration SFTP client configuration tasks are described in this section Operation Command Configure the service type to be used...

Страница 335: ...3 SFTP directory operations Change the current directory cd SFTP client view Optional Return to the upper directory cdup Display the current directory pwd Display the list of files in the specified di...

Страница 336: ...4 SFTP file operations As shown in Table 366 available SFTP file operations include change the name of a file download a file upload a file display the list of files and delete a file Perform the foll...

Страница 337: ...e 103 A secure SSH connection has been established between Switch A and Switch B Switch A is used as the SFTP server and its IP address is 10 111 27 91 Switch B is used as the SFTP client An SFTP user...

Страница 338: ...1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub rwxrwxrwx 1 noo...

Страница 339: ...nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 Download file pubkey2 from the server to a local device and change the file na...

Страница 340: ...338 CHAPTER 19 SSH TERMINAL SERVICES...

Страница 341: ...password ages out its user must update it otherwise the user cannot log in the switch Password update after a password ages out the user can update it when logging in the switch Alert before password...

Страница 342: ...swords and save the passwords in ciphertext mode in the configuration file Telnet SSH super and FTP passwords Login attempts limitation and failure procession You can use this function to enable the s...

Страница 343: ...imitation the configured User blacklist If the maximum attempt times is exceeded the user cannot log in the switch and is added to the blacklist by the switch All users in the blacklist are not allowe...

Страница 344: ...rt time In this case the system alerts the user to the remaining time in days before the password expires and prompt the user to change the password If the user chooses to change the password and chan...

Страница 345: ...gle password for a long time or using an old password that was once used to enhance the security CAUTION When adding a new record but the number of the recorded history passwords exceeds the configure...

Страница 346: ...control history record super level level value Executing this command without the level level value option will remove the history records of all super passwords Executing this command with the level...

Страница 347: ...rocedure starts from the time the local remote server of the switch receives the user name and ends at the time the user authentication is completed Whether the user is authenticated on the local serv...

Страница 348: ...76 Configuring the Timeout for User Password Authentication Operation Command Description Enter system view system view Configure the timeout time of user password authentication password control auth...

Страница 349: ...ntrol super aging 10 The super password aging time is 10 days Display the information about the global password control for all users 4500 display password control Global password settings for all use...

Страница 350: ...348 CHAPTER 20 PASSWORD CONTROL CONFIGURATION OPERATIONS...

Страница 351: ...s disabled and the user configurable bootrom password is lost there is no recovery mechanism available In this instance the Switch will need to be returned to 3Com for repair The following commands ar...

Страница 352: ...switch startup mode 0 Reboot Enter your choice 0 9 Enter the boot menu number to display that menu option Displaying all Files in Flash Enter boot menu option 3 to display the following Boot menu choi...

Страница 353: ...is followed by either of the following entries Simple this enables you to read and or change a password and send the configuration file via TFTP back into the Switch Cipher change this word to simple...

Страница 354: ...based on switch mac address is invalid The current mode is enable bootrom password recovery Are you sure to disable bootrom password recovery Yes or No Y N This option allows the user to disable the f...

Страница 355: ...om products and are not supported by 3Com Configuring Microsoft IAS RADIUS 3Com has successfully installed and tested Microsoft IAS RADIUS running on a Windows server in a network with Switch 4500 dep...

Страница 356: ...hoose Properties select Change Mode c Add a user that is allowed to use the network Go to Active Directory Users and Computers from the left hand window right click the Users folder and choose New Use...

Страница 357: ...select Reset Password 3 Enable the server as a certificate server To use EAP TLS certificate based authentication you need to enable the Certificate services in windows Make sure you have completed s...

Страница 358: ...location on the Data Storage Location window To complete the installation and set up of the certificates server the wizard will require the Install CD for Microsoft Windows 2000 Server 4 Install the I...

Страница 359: ...ification Authority and right click Policy Settings under your Certificate Authority server b Select New Certificate to Issue c Select Authenticated Session and select OK d Go to Programs Administrati...

Страница 360: ...mputer Configuration Windows Settings Security Settings Public Key Policies and right click Automatic Certificate Request Settings Select New Automatic Certificate Request g The Certificate Request Wi...

Страница 361: ...nd Select New Client b Enter a name for your device that supports IEEE 802 1X Click Next c Enter the IP address of your device that supports IEEE 802 1X and set a shared secret Select Finish Leave all...

Страница 362: ...ropriate certificate and click OK There should be at least one certificate This is the certificate that has been created during the installation of the Certification Authority Service Windows may ask...

Страница 363: ...certsrv b When you are prompted for a login enter the user account name and password that you will be using for the certificate c Select Request a certificate and click Next There are two ways to requ...

Страница 364: ...and click Next e Select the first option and click Next f Either copy the settings from the screenshot below or choose different key options Click Save to save the PKCS 10 file The PKCS 10 file is use...

Страница 365: ...a portable certificate using PKCS 10 click the Home hyperlink at the top right of the CA Webpage i Select Request a certificate Next Advanced request Next j Select the second option as shown in the s...

Страница 366: ...e the certificate Save the file as DER encoded Click on the Download CA certification path hyperlink to save the PKCS 7 and select Save The certificate is also installed on the Certification Authority...

Страница 367: ...t screen as is click Next followed by Finish and OK This will install the certificate q Launch the Certification Authority management tool on the server and expand the Issued Certificates folder You s...

Страница 368: ...k Next when the wizard is launched Save the certificate using DER x 509 encoding select DER encoded binary followed by Next Provide a name for the certificate and save it to a specified location Click...

Страница 369: ...ick Open Click OK w In the Security Identity Mapping screen click OK to close it x Close the Active Directory Users and Domains management tool This completes the configuration of the RADIUS server 10...

Страница 370: ...CLIENT SETUP b Create a new remote access policy under IAS and name it Switch Login Select Next c Specify Switch Login to match the users in the switch access group select Next d Allow Switch Login to...

Страница 371: ...Setting Up a RADIUS Server 369 e Use the Edit button to change the Service Type to Administrative f Add a Vendor specific attribute to indicate the access level that should be provided...

Страница 372: ...are prompted to select a certificate it could be that there are additional active certificates on your client computer select the certificate that you have installed for this specific Certification Au...

Страница 373: ...omputers a For example to create one group that will represent VLAN 4 select the Users folder from the domain see below b Name the VLAN Group with a descriptive name that describes the function of the...

Страница 374: ...inistrative Tools Internet Authentication Service and select Remote Access Policies Select the policy that you configured earlier right click and select Properties e Click Add to add policy membership...

Страница 375: ...u have just created and click Add and then OK to confirm h Click OK again to return you to the Security Policy properties i Click Edit Profile and select the Advanced tab Click Add Refer to Table 379...

Страница 376: ...Ensure that the Attribute value is set to 802 and click OK l Click OK again on the Multivalued Attribute Information screen to return to the Add Attributes screen Table 380 For Auto VLAN Return Strin...

Страница 377: ...n Click Add ensure that the Attribute value is set to 4 Attribute value in string format and click OK This value represents the VLAN ID o Click OK again on the Multivalued Attribute Information scree...

Страница 378: ...e that there is a DHCP server connected to the Switch that resides on a switch port that is an untagged member of VLAN 4 The RADIUS server should reside in the same VLAN as the workstation Once authen...

Страница 379: ...as a RADIUS server for networks with the Switch 4500 follow these steps 1 Open file eap ini in radius service and remove the before the MD5 Challenge Line This enables the MD5 challenge 2 Open file ra...

Страница 380: ...tart it Funk RADIUS is now ready to run If you intend to use auto VLAN and QoS you will need to create VLAN and QoS profiles on the 3Com Switch 4500 and follow the instructions in Configuring Auto VLA...

Страница 381: ...ive 6 Enter the shared secret to encrypt the authentication data The shared secret must be identical on the Switch 4500 and the RADIUS Server a Select RAS Clients from the left hand list enter a Clien...

Страница 382: ...s will now appear as potential Return list attributes for every user 2 After saving the edited radius dct file stop and restart the Funk RADIUS service 3 To use these return list attributes they need...

Страница 383: ...eeRADIUS To configure FreeRADIUS as a RADIUS server for networks with the Switch 4500 follow these steps 1 Add each Switch 4500 as a RADIUS client to the FreeRADIUS server a Locate the existing file c...

Страница 384: ...Auto VLAN and QOS using FreeRADIUS It is slightly more complex to set up auto VLAN and QoS using FreeRADIUS as the dictionary file needs to be specially updated 1 Update the dictionary tunnel file wi...

Страница 385: ...ipped with Windows XP has a security issue which affects the port authentication operation If the RADIUS client is configured to use EAP MD5 after a user logs off then the next user to log on will rem...

Страница 386: ...ID can be found when running the Aegis Client application for the first time To apply the license key a Run the Aegis Client software b Go to Aegis Client Register and select Help on the menu c Copy...

Страница 387: ...ion e Restart the client either by rebooting or stopping and re starting the service f Click the OK button then return to the Aegis Client main interface To restart the client press the button with th...

Страница 388: ...386 APPENDIX B RADIUS SERVER AND RADIUS CLIENT SETUP...

Страница 389: ...the RADIUS protocol Users that already exist on the TACACS server can be authorized using the TACACS or RADIUS server an optional VLAN and QoS profile can be applied to the user Network administrator...

Страница 390: ...to the Cisco Secure ACS interface follow these steps 1 Select Network Configuration from the left hand side 2 Select Add Entry from under AAA Clients 3 Enter the details of the 3Com Switch Spaces are...

Страница 391: ...de 6 Select RADIUS IETF from the list under Interface Configuration 7 Check the RADIUS attributes that you wish to install If you want to use auto VLAN and QoS ensure that you have the following optio...

Страница 392: ...start Adding a User for Network Login Existing users on a network with a Secure ACS server can be authorized using the TACACS or RADIUS server New users connected through a Switch 4500 to the network...

Страница 393: ...ghtly more complex as 3Com specific RADIUS attributes need to be returned to the 3Com Switch 4500 These RADIUS attributes define the access level of the user to the management interface Follow these s...

Страница 394: ...will stop the Cisco Secure ACS server add the RADIUS information by adding the contents of 3Com ini to UDV User Defined Vendor slot 0 and then restart the server Once complete log into the Secure ACS...

Страница 395: ...rface Configuration followed by RADIUS 3Com a Ensure that the 3Com User Access Level option is selected for both User and Group setup as shown below 5 Select User Setup and either modify the attribute...

Страница 396: ...e there should be the option for configuring the access level as shown below 6 In the RADIUS 3Com Attribute box check 3Com User Access Level and select Administrator from the pull down list see below...

Отзывы:

Нет отзывов

Похожие инструкции для Switch 4500 26-Port

Бренд: Datavideo Страницы: 58

Бренд: GarrettCom Страницы: 24

Бренд: Adler Страницы: 8

PowerSwitch Z9332F-ON

Бренд: Dell EMC Страницы: 16

Бренд: N-Tron Страницы: 132

Бренд: Imtex-Controls Страницы: 2

Бренд: KinAn Страницы: 4

852-1411/000-001

Бренд: WAGO Страницы: 40

Бренд: Comm-Tec Страницы: 48

Бренд: Lightwave Страницы: 53

AV Selector 310

Бренд: Hama Страницы: 21

Vertical Horizon VH-2402-L3

Бренд: Enterasys Страницы: 201

Бренд: Cabletron Systems Страницы: 85

Бренд: Ortech Страницы: 3

Extricom AT-EXLS-3000

Бренд: Allied Telesis Страницы: 120

Бренд: Justin Страницы: 8

Бренд: Hored Страницы: 4

Бренд: Netis Страницы: 9

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды