manualshive.com logo in svg

H3C H3C S5100-SI, Руководство по эксплуатации, Страница: 256 / 830

Поделиться
Скачать
H3C H3C S5100-SI Скачать руководство пользователя страница 256

 

1-13 

Figure 1-10 

802.1x re-authentication 

PC

Internet

PC

PC

RADIUS 

Server

Switch

 

 

802.1x re-authentication can be enabled in one of the following two ways: 

z

 

The RADIUS server has the switch perform 802.1x re-authentication of users. The 

RADIUS server sends the switch an Access-Accept packet with the Termination-Action 

attribute field of 1. Upon receiving the packet, the switch re-authenticates the user 

periodically.  

z

 

You enable 802.1x re-authentication on the switch. With 802.1x re-authentication 

enabled, the switch re-authenticates users periodically.  

 

 

802.1x re-authentication will fail if a CAMS server is used and configured to perform 

authentication but not accounting. This is because a CAMS server establishes a user 

session after it begins to perform accounting. Therefore, to enable 802.1x 

re-authentication, do not configure the 

accounting none 

command in the domain. This 

restriction does not apply to other types of servers.  

 

Introduction to 802.1x Configuration 

802.1x provides a solution for authenticating users. To implement this solution, you need to 

execute 802.1x-related commands. You also need to configure AAA schemes on switches 

and specify the authentication scheme (RADIUS or local authentication scheme). 

Содержание H3C S5100-SI

Страница 1: ...H3C S5100 SI EI Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co Ltd http www h3c com Manual Version 20100115 C 1 05 Product Version Release 220X series...

Страница 2: ...V2 G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective...

Страница 3: ...rt Binding Introduces port security port binding and the related configuration 11 DLDP Introduces DLDP and the related configuration 12 MAC Address Table Management Introduces MAC address forwarding t...

Страница 4: ...ces PoE PoE profile and the related configuration 38 UDP Helper Introduces UDP Helper and the related configuration 39 Access Management Introduces Access Management and the related configuration 40 A...

Страница 5: ...EI Series Ethernet Switches Installation Manual It provides information for the system installation H3C S5100 SI EI Series Ethernet Switches Command Manual Release 220X Series It is used for assistin...

Страница 6: ...Documentation Feedback You can e mail your comments about product documentation to info h3c com We appreciate your comments...

Страница 7: ...3C Website 1 1 Software Release Notes 1 1 2 Correspondence Between Documentation and Software 2 1 Manual List 2 1 Software Version 2 1 3 Product Overview 3 1 4 Networking Applications 4 1 Convergence...

Страница 8: ...se of user guide only Unless otherwise noted all the information in the document set does not claim or imply any warranty For the latest software documentation go to the H3C website H3C Website Perfor...

Страница 9: ...rsion of Release2200 Release2201 and Release2203P08 of the S5100 SI EI series products The supported features are different between these software versions For details refer to Table 2 1 Added and Mod...

Страница 10: ...120 instead of 10 to 120 in seconds 14 802 1x and System Guard Deleted features The S5100 EI series Ethernet switches do not support to specify a secondary IP address of an interface 17 IP Address an...

Страница 11: ...lusters The H3C S5100 series come in two series S5100 SI and S5100 EI which are available in the following models Table 3 1 H3C S5100 SI EI series Series Model 10 100 1000Base T autosensing Ethernet p...

Страница 12: ...se X SFP port 10 100 1000Base T autosensing Ethernet port 17 14 18 16 19 13 S5100 16P SI S5100 16P EI S5100 16P PWR EI 20 15 25 22 26 24 27 21 S5100 24P SI S5100 24P EI S5100 26C EI S5100 26C PWR EI 2...

Страница 13: ...orking applications are described as follows The following applications are for S5100 EI series Convergence Layer Devices In medium and small sized enterprises or branches of large enterprises S5100 E...

Страница 14: ...of a data center S5100 EI series are deployed on the core network to provide 10GE GE access core network functions The server cluster can be connected to the core network at the Gigabit Ethernet rate...

Страница 15: ...d 2 8 Configuration Procedure 2 8 Configuration Example 2 9 Console Port Login Configuration with Authentication Mode Being Scheme 2 10 Configuration Procedure 2 10 Configuration Example 2 11 3 Loggin...

Страница 16: ...isabling the WEB Server 6 3 7 Logging In Through NMS 7 1 Introduction 7 1 Connection Establishment Using NMS 7 1 8 Configuring Source IP Address for Telnet Service Packets 8 1 Overview 8 1 Configuring...

Страница 17: ...Configuration Web based Network Management Interface Logging In Through the Web based Network Management Interface Network Management Station Logging In Through NMS Introduction to the User Interface...

Страница 18: ...with the smallest number based on the user login mode The login process of the user is restricted by the configurations under this user interface z The user interface assigned to a user depending on...

Страница 19: ...system name for the switch sysname string Optional By default the system name is H3C Enable copyright information displaying copyright info enable Optional By default copyright displaying is enabled...

Страница 20: ...fault you can locally log in to an S5100 SI EI Ethernet switch through its console port only Table 2 1 lists the default settings of a console port Table 2 1 The default settings of a console port Set...

Страница 21: ...rminal in Windows 3 X or HyperTerminal in Windows 9X Windows 2000 Windows XP The following assumes that you are running Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4...

Страница 22: ...to establish the connection Figure 2 4 Set port parameters 3 Turn on the switch You will be prompted to press the Enter key if the switch successfully completes POST power on self test The prompt such...

Страница 23: ...By default the check mode of the console port is set to none which means no check bit Stop bits Optional The default stop bits of a console port is 1 Console port configuration Data bits Optional The...

Страница 24: ...onfiguration of console port login To do Use the command Remarks Enter system view system view Enter AUX user interface view user interface aux 0 Set the baud rate speed speed value Optional The defau...

Страница 25: ...peration is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function Console Port Login Configurations for Different Authentication Mode...

Страница 26: ...By default users logging in through the console port AUX user interface are not authenticated Configuration Example Network requirements Assume that the switch is configured to allow users to log in t...

Страница 27: ...onsole port to 19 200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 Sysname ui aux0 screen length 30 Set the maximum number of commands the history comma...

Страница 28: ...Telnet and the user level is set to the administrator level level 3 Perform the following configurations for users logging in through the console port AUX user interface z Authenticate the users usin...

Страница 29: ...20 Set the timeout time of the AUX user interface to 6 minutes Sysname ui aux0 idle timeout 6 After the above configuration you need to modify the configuration of the terminal emulation utility runn...

Страница 30: ...sts by default Set the authentication password for the local user password simple cipher password Required Specify the service type for AUX users service type terminal level level Required Note that I...

Страница 31: ...ysname system view Create a local user named guest and enter local user view Sysname local user guest Set the authentication password to 123456 in plain text Sysname luser guest password simple 123456...

Страница 32: ...the AUX user interface to 6 minutes Sysname ui aux0 idle timeout 6 After the above configuration you need to modify the configuration of the terminal emulation utility running on the PC accordingly in...

Страница 33: ...ss is configured for the VLAN of the switch and the route between the switch and the Telnet terminal is reachable Refer to the IP Address Configuration IP Performance Configuration and Routing Protoco...

Страница 34: ...arks Enter system view system view Enter one or more VTY user interface views user interface vty first number last number Configure the command level available to users logging in to VTY user interfac...

Страница 35: ...imeout 0 command to disable the timeout function Telnet Configurations for Different Authentication Modes Table 3 3 Telnet configurations for different authentication modes Authentication mode Authent...

Страница 36: ...nfigure Telnet with the authentication mode being none To do Use the command Remarks Enter system view system view Enter one or more VTY user interface views user interface vty first number last numbe...

Страница 37: ...commands the history command buffer can store to 20 Sysname ui vty0 history command max size 20 Set the timeout time to 6 minutes Sysname ui vty0 idle timeout 6 Telnet Configuration with Authenticatio...

Страница 38: ...entication mode being password Configuration procedure Enter system view Sysname system view Enter VTY 0 user interface view Sysname user interface vty 0 Configure to authenticate users logging in to...

Страница 39: ...fy to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to apply RADIUS or HWTACACS scheme you need to perform the following configuration a...

Страница 40: ...mmand buffer can store up to 20 commands z The timeout time of VTY 0 is 6 minutes Network diagram Figure 3 3 Network diagram for Telnet configuration with the authentication mode being scheme Configur...

Страница 41: ...l in Windows 3 X or HyperTerminal in Windows 95 Windows 98 Windows NT Windows 2000 Windows XP on the PC terminal with the baud rate set to 9 600 bps data bits set to 8 parity check set to none and flo...

Страница 42: ...login password The CLI prompt such as Sysname appears if the password is correct If all VTY user interfaces of the switch are in use you will fail to establish the connection and receive the message...

Страница 43: ...the Telnet server Refer to Telnet Configuration with Authentication Mode Being None Telnet Configuration with Authentication Mode Being Password and Telnet Configuration with Authentication Mode Being...

Страница 44: ...to a switch using a modem Item Requirement The PC can communicate with the modem connected to it The modem is properly connected to PSTN Administrator side The telephone number of the switch side is a...

Страница 45: ...authentication mode configuration Configuration on switch when the authentication mode is none Refer to Console Port Login Configuration with Authentication Mode Being None Configuration on switch whe...

Страница 46: ...e 4 1 Establish the connection by using modems 4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch as shown in Figure 4 2 th...

Страница 47: ...authentication mode is specified enter the password when prompted If the password is correct the prompt such as Sysname appears You can then configure or manage the switch You can also enter the chara...

Страница 48: ...4 5 If you perform no AUX user related configuration on the switch the commands of level 3 are available to modem users Refer to the CLI part for information about command level...

Страница 49: ...detailed debugging information is provided to help users diagnose and locate network problems z Command history function This enables users to check the commands that they have lately executed and re...

Страница 50: ...nsole user a user who logs into the switch through the Console port is a level 3 user and Telnet users are level 0 users You can use the user privilege level command to set the default user privilege...

Страница 51: ...rom btm After the above configuration general Telnet users can use the tftp get command to download file bootrom btm and other files from TFTP server 192 168 0 1 and other TFTP servers Switching User...

Страница 52: ...set password to switch to user level 3 Sysname super 3 Password User privilege level is 3 and only those commands can be used whose level is equal or less than this Privilege note 0 VISIT 1 MONITOR 2...

Страница 53: ...re VLAN parameters Sysname vlan1 Execute the vlan command in system view VLAN interface view Configure VLAN interface parameters including the management VLAN parameters Sysname Vlan i nterface1 Execu...

Страница 54: ...lic key view Execute the public key cod e end command to return to public key view Basic ACL view Define rules for a basic ACL with ID ranging from 2000 to 2999 Sysname acl basic 2000 Execute the acl...

Страница 55: ...ies switches provide this view Sysname port gr oup 1 Execute the port group command in system view QinQ view Configure QinQ parameters Only S5100 EI series Ethernet switches provide this view Sysname...

Страница 56: ...Sysname interface vlan interface 1 4094 VLAN interface number If only cr is displayed after you enter it means no parameter is available at the position and you can enter and execute the command dire...

Страница 57: ...listed in the following table Follow these steps to view history commands Purpose Operation Remarks Display the latest executed history commands Execute the display history command command This comma...

Страница 58: ...esponding character at the cursor position and move the cursor one character to the right if the command is shorter than 254 characters Backspace key Delete the character on the left of the cursor and...

Страница 59: ...t The VLAN interface of the switch is assigned an IP address and the route between the switch and the Web network management terminal is reachable Refer to the IP Address Configuration IP Performance...

Страница 60: ...the Web based network management system Configuring the Login Banner Configuration Procedure If a login banner is configured with the header command when a user logs in through Web the banner page is...

Страница 61: ...the user terminal the PC and the switch After the above mentioned configuration if you enter the IP address of the switch in the address bar of the browser running on the user terminal and press Enter...

Страница 62: ...http shutdown Required To improve security and prevent attack to the unused Sockets TCP 80 port which is for HTTP service is enabled disabled after the corresponding configuration z Enabling the Web s...

Страница 63: ...o perform related configuration on both the NMS and the switch Table 7 1 Requirements for logging in to a switch through an NMS Item Requirement The IP address of the VLAN interface of the switch is c...

Страница 64: ...attacks are guarded and the security is improved On the other hand you can configure the Telnet server to accept only Telnet service packets with specific source IP addresses to make sure specific us...

Страница 65: ...d exists z If a source IP address or source interface is specified you need to make sure that the route between the IP addresses or interface of both sides is reachable Displaying Source IP Address Co...

Страница 66: ...d Implementation Related section By source IP address Through basic ACL By source and destination IP address Through advanced ACL Telnet By source MAC address Through Layer 2 ACL Controlling Telnet Us...

Страница 67: ...as needed Table 9 2 ACL categories Category ACL number Matching criteria Basic ACL 2000 to 2999 Source IP address Advanced ACL 3000 to 3999 Source IP address and destination IP address Layer 2 ACL 400...

Страница 68: ...10 110 100 52 are permitted to access the switch Network diagram Switch 10 110 100 46 Host A IP network Host B 10 110 100 52 Figure 9 1 Network diagram for controlling Telnet users using ACLs Configur...

Страница 69: ...ing Required Quit to system view quit Apply the ACL while configuring the SNMP community name snmp agent community read write community name acl acl number mib view view name Apply the ACL while confi...

Страница 70: ...dress You can manage an S5100 SI EI Ethernet switch remotely through Web Web users can access a switch through HTTP connections You need to perform the following two operations to control Web users by...

Страница 71: ...r using the related command Follow the step below to log out a Web user To do Use the command Remarks Log out a Web user free web users all user id user id user name user name Required Available in us...

Страница 72: ...9 7 Apply ACL 2030 to only permit the Web users sourced from the IP address of 10 110 100 52 to access the switch Sysname ip http acl 2030...

Страница 73: ...ement 1 1 Introduction to Configuration File 1 1 Configuration Task List 1 2 Saving the Current Configuration 1 2 Erasing the Startup Configuration File 1 3 Specifying a Configuration File for Next St...

Страница 74: ...nd view The commands that are of the same command view are grouped into one section Sections are separated by comment lines A line is a comment line if it starts with the character z The sections are...

Страница 75: ...k List Complete these tasks to configure configuration file management Task Remarks Saving the Current Configuration Optional Erasing the Startup Configuration File Optional Specifying a Configuration...

Страница 76: ...xecution of this command If the filename you entered is different from that existing in the system this command will erase its main attribute to allow only one main attribute configuration file in the...

Страница 77: ...to specify a configuration file for next startup To do Use the command Remarks Specify a configuration file for next startup startup saved configuration cfgfile backup main Required Available in user...

Страница 78: ...mand Remarks Display the initial configuration file saved in the Flash of a switch display saved configuration unit unit id by linenum Display the configuration file used for this and next startup dis...

Страница 79: ...uration 2 1 VLAN Configuration 2 1 VLAN Configuration Task List 2 1 Basic VLAN Configuration 2 1 Basic VLAN Interface Configuration 2 2 Displaying VLAN Configuration 2 3 Configuring a Port Based VLAN...

Страница 80: ...packets may exist in a network wasting network resources z A host in the network receives a lot of packets whose destination is not the host itself causing potential serious security problems Isolati...

Страница 81: ...to the same VLAN regardless of their physical locations network construction and maintenance is much easier and more flexible VLAN Fundamentals VLAN tag To enable a network device to identify frames o...

Страница 82: ...02 3 encapsulation format VLAN ID identifies the VLAN to which a packet belongs When a switch receives a packet carrying no VLAN tag the switch encapsulates a VLAN tag with the default VLAN ID of the...

Страница 83: ...has a VLAN interface which can forward packets of the local VLAN to the destination IP addresses at the network layer Normally since VLANs can isolate broadcast domains each VLAN corresponds to an IP...

Страница 84: ...ple VLANs to be sent untagged but a trunk port only allows the packets of the default VLAN to be sent untagged The three types of ports can coexist on the same device Assigning an Ethernet Port to Spe...

Страница 85: ...t For an untagged packet For a tagged packet Processing of an outgoing packet z If the port has already been added to its default VLAN tag the packet with the default VLAN tag and then forward the pac...

Страница 86: ...he type field in Ethernet II encapsulation is in the range of 0x0600 to 0xFFFF Packets with the value of the type or length field being in the range 0x05DD to 0x05FF are regarded as illegal packets an...

Страница 87: ...encapsulation format In 802 2 SNAP encapsulation format the values of the DSAP field and the SSAP field are always 0xAA and the value of the control field is always 3 The switch differentiates betwee...

Страница 88: ...atch the type value Invalid packets that cannot be matched 802 2 802 3 encapsulation Control field Invalid packets that cannot be matched dsap ssap value 802 2 SNAP encapsulation Match the dsap ssap v...

Страница 89: ...ser defined template adopts the user defined encapsulation formats and values of some specific fields as the matching criteria After configuring the protocol template you must add a port to the protoc...

Страница 90: ...ional Basic VLAN Configuration Follow these steps to perform basic VLAN configuration To do Use the command Remarks Enter system view system view Create multiple VLANs in batch vlan vlan id1 to vlan i...

Страница 91: ...prompt information Basic VLAN Interface Configuration Configuration prerequisites Before configuring a VLAN interface create the corresponding VLAN Configuration procedure Follow these steps to perfor...

Страница 92: ...ce does not influence the physical status of the Ethernet ports belonging to this VLAN Displaying VLAN Configuration To do Use the command Remarks Display the VLAN interface information display interf...

Страница 93: ...multiple VLANs To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Access port port access vlan vlan id Trunk port port trun...

Страница 94: ...s the default VLAN by default z After configuring the default VLAN for a trunk or hybrid port you need to use the port trunk permit command or the port hybrid vlan command to configure the port to all...

Страница 95: ...itchA vlan 201 SwitchA vlan201 port GigabitEthernet 1 0 2 SwitchA vlan201 quit z Configure Switch B Create VLAN 101 specify its descriptive string as DMZ and add GigabitEthernet1 0 11 to VLAN 101 Swit...

Страница 96: ...a Port with a Protocol Based VLAN Required Displaying Protocol Based VLAN Configuration Optional Configuring a Protocol Template for a Protocol Based VLAN Configuration prerequisites Create a VLAN bef...

Страница 97: ...et both the dsap id and ssap id arguments to 0xFF 0xE0 or 0xAA z When you use the mode keyword to configure a user defined protocol template if you set the etype id argument for ethernetii or snap pac...

Страница 98: ...t1 0 10 on the S5100 SI EI switch z IP network and AppleTalk network workstations hosts coexist in the Workroom z The S5100 SI EI switch connects to VLAN 100 using IP network through GigabitEthernet1...

Страница 99: ...the packets of VLAN 100 and VLAN 200 before forwarding the packets Sysname vlan100 quit Sysname interface GigabitEthernet 1 0 10 Sysname GigabitEthernet1 0 10 port link type hybrid Sysname GigabitEth...

Страница 100: ...2 11 transmission by matching the corresponding protocol templates so as to realize the normal communication between workstations and servers...

Страница 101: ...duction to Management VLAN 1 1 Management VLAN 1 1 Static Route 1 1 Default Route 1 1 Management VLAN Configuration 1 2 Prerequisites 1 2 Configuring the Management VLAN 1 2 Configuration Example 1 3...

Страница 102: ...to a VLAN interface by using the corresponding commands and then apply for another IP address through BOOTP using the ip address bootp alloc command the former 0IP address will be released and the fin...

Страница 103: ...uired By default VLAN 1 operates as the management VLAN Create the management VLAN interface and enter the corresponding VLAN interface view interface vlan interface vlan id Required Assign an IP addr...

Страница 104: ...efault route Network diagram Figure 1 1 Network diagram for management VLAN configuration Configuration procedure Perform the following configurations after the current user logs in to Switch A throug...

Страница 105: ...o a specified IP address display ip routing table ip address mask longer match verbose Display the routes leading to a specified IP address range display ip routing table ip address1 mask1 ip address2...

Страница 106: ...or Voice VLAN on Various Ports 1 4 Security Mode of Voice VLAN 1 6 Voice VLAN Configuration 1 6 Configuration Prerequisites 1 6 Configuring the Voice VLAN to Operate in Automatic Voice VLAN Assignment...

Страница 107: ...t analog voice signals into digital signals to enable them to be transmitted in IP based networks Used in conjunction with other voice devices IP phones can offer large capacity and low cost voice com...

Страница 108: ...port Option 184 it returns the IP address assigned to the IP phone but ignores the other four special requests in the Option 184 field Without information about voice VLAN the IP phone can only send u...

Страница 109: ...a voice packet by checking its source MAC address against an organizationally unique identifier OUI list If a match is found the packet is considered as a voice packet Ports receiving packets of this...

Страница 110: ...VLAN assignment automatic mode ports can not be added to or removed from a voice VLAN manually z Manual voice VLAN assignment mode In this mode you need to add a port to a voice VLAN or remove a port...

Страница 111: ...y Access Not supported Trunk Supported Make sure the default VLAN of the port exists and is not a voice VLAN and the access port permits the traffic of the default VLAN and the voice VLAN Tagged voice...

Страница 112: ...sure the default VLAN of the port exists and is not a voice VLAN and the default VLAN and the voice VLAN is in the list of the tagged VLANs whose traffic is permitted by the access port Security Mode...

Страница 113: ...legacy is disabled Set the voice VLAN assignment mode of the port to automatic voice vlan mode auto Optional The default voice VLAN assignment mode on a port is automatic z A port working in automati...

Страница 114: ...equired Enable voice VLAN on a port voice vlan enable Required By default voice VLAN is disabled on a port Enable the voice VLAN legacy function on the port voice vlan legacy Optional By default voice...

Страница 115: ...mit both voice data and service data in a voice VLAN If you have to do so make sure that the voice VLAN does not operate in security mode z The voice VLAN legacy feature realizes the communication bet...

Страница 116: ...string being test Network diagram Figure 1 2 Network diagram for voice VLAN configuration automatic mode Internet 010 1001 OUI 0011 2200 0000 Mask ffff ff00 0000 GE1 0 1 VLAN 2 VLAN 2 Device A Device...

Страница 117: ...security mode z The IP phone sends untagged packets It is connected to GigabitEthernet 1 0 1 a hybrid port Set this port to operates in manual mode z You need to add a user defined OUI address 0011 22...

Страница 118: ...net 1 0 1 DeviceA GigabitEthernet1 0 1 voice vlan enable Verification Display the OUI addresses the corresponding OUI address masks and the corresponding description strings that the system supports D...

Страница 119: ...GVRP 1 4 Protocol Specifications 1 4 GVRP Configuration 1 4 GVRP Configuration Tasks 1 4 Enabling GVRP 1 4 Configuring GVRP Timers 1 5 Configuring GVRP Port Registration Mode 1 6 Displaying and Maint...

Страница 120: ...portant functions for GARP fall into three types Join Leave and LeaveAll z When a GARP entity wants its attribute information to be registered on other devices it sends Join messages to these devices...

Страница 121: ...veAll timer to begin a new cycle z The settings of GARP timers apply to all GARP applications such as GVRP on a LAN z Unlike other three timers which are set on a port basis the LeaveAll timer is set...

Страница 122: ...s Attribute Each general attribute consists of three parts Attribute Length Attribute Event and Attribute Value Each LeaveAll attribute consists of two parts Attribute Length and LeaveAll Event Attrib...

Страница 123: ...hree port registration modes Normal Fixed and Forbidden as described in the following z Normal A port in this mode can dynamically register deregister VLANs and propagate dynamic static VLAN informati...

Страница 124: ...iew system view Configure the LeaveAll timer garp timer leaveall timer value Optional By default the LeaveAll timer is set to 1 000 centiseconds Enter Ethernet port view interface interface type inter...

Страница 125: ...All timer You can change the threshold by changing the timeout time of the LeaveAll timer LeaveAll This lower threshold is greater than the timeout time of the Leave timer You can change threshold by...

Страница 126: ...us implementing dynamic VLAN information registration and refresh z By configuring the GVRP registration modes of specific Ethernet ports you can enable the corresponding VLANs in the switched network...

Страница 127: ...dure of Switch B is similar to that of Switch A and is thus omitted 3 Configure Switch C Enable GVRP on Switch C which is similar to that of Switch A and is thus omitted Create VLAN 5 SwitchC vlan 5 S...

Страница 128: ...y vlan dynamic Total 3 dynamic VLAN exist s The following dynamic VLANs exist 5 7 8 Display the VLAN information dynamically registered on Switch E SwitchE GigabitEthernet1 0 1 display vlan dynamic No...

Страница 129: ...1 10...

Страница 130: ...Enabling Flow Control on a Port 1 4 Duplicating the Configuration of a Port to Other Ports 1 4 Configuring Loopback Detection for an Ethernet Port 1 5 Enabling Loopback Test 1 6 Enabling the System to...

Страница 131: ...itEthernet1 0 16 GigabitEthernet1 0 19 GigabitEthernet1 0 13 S5100 16P SI S5100 16P EI S5100 16P PWR EI GigabitEthernet1 0 20 GigabitEthernet1 0 15 GigabitEthernet1 0 25 GigabitEthernet1 0 22 GigabitE...

Страница 132: ...nterface MDI mode of the Ethernet port mdi across auto normal Optional Be default the MDI mode of an Ethernet port is auto Set the maximum frame size allowed on the Ethernet port to 9 216 bytes jumbof...

Страница 133: ...to the default setting z The effect of executing speed auto 10 100 1000 equals to that of executing speed auto that is the port is configured to support all the auto negotiation speeds 10 Mbps 100 Mbp...

Страница 134: ...figuration of a port to specific ports Specifically the following types of port configuration can be duplicated from one port to other ports VLAN configuration protocol based VLAN configuration LACP c...

Страница 135: ...t loopback detection is disabled globally Set the interval for performing port loopback detection loopback detection interval time time Optional The default is 30 seconds Enter Ethernet port view inte...

Страница 136: ...nternal loop test In the internal loop test self loop is established in the switching chip to locate the chip failure which is related to the port Note that z After you use the shutdown command on a p...

Страница 137: ...view system view Enter Ethernet port view interface interface type interface number Set the interval to perform statistical analysis on port traffic flow interval interval Optional By default this int...

Страница 138: ...ing Up Down log information and execute the shutdown command or the undo shutdown command on GigabitEthernet 1 0 1 No Up Down log information is generated or output for GigabitEthernet 1 0 1 Sysname G...

Страница 139: ...opback detection Display information for a specified port group display port group group id Display brief information about port configuration display brief interface interface type interface number b...

Страница 140: ...egation Group 1 3 Dynamic LACP Aggregation Group 1 4 Aggregation Group Categories 1 5 Link Aggregation Configuration 1 6 Configuring a Manual Aggregation Group 1 6 Configuring a Static LACP Aggregatio...

Страница 141: ...otifies the following information of the port to its peer by sending LACPDUs priority and MAC address of this system priority number and operation key of the port Upon receiving the information the pe...

Страница 142: ...es the following three types of link aggregation exist z Manual aggregation z Static LACP aggregation z Dynamic LACP aggregation Manual Aggregation Group Introduction to manual aggregation group A man...

Страница 143: ...tion group must contain at least one port When a static aggregation group contains only one port you cannot remove the port unless you remove the whole aggregation group LACP is enabled on the member...

Страница 144: ...t number serves as the master port of the group and other selected ports serve as member ports of the group There is a limit on the number of selected ports in an aggregation group Therefore if the nu...

Страница 145: ...tion resources are allocated to aggregation groups in the following order z An aggregation group containing special ports which require hardware aggregation resources has higher priority than any aggr...

Страница 146: ...ot be added to an aggregation group z Do not add ports with IP filtering enabled to an aggregation group z Do not add ports with ARP intrusion detection enabled to an aggregation group z Do not add po...

Страница 147: ...one or multiple dynamic aggregation groups For a static aggregation group a port can only be manually added removed to from the static aggregation group When you add an LACP enabled port to a manual a...

Страница 148: ...marks Enter system view system view Configure the system priority lacp system priority system priority Optional By default the system priority is 32 768 Enter Ethernet port view interface interface ty...

Страница 149: ...display link aggregation interface interface type interface number to interface type interface number Display local device ID display lacp system id Available in any view Clear LACP statistics about a...

Страница 150: ...LACP aggregation mode Create static aggregation group 1 Sysname system view Sysname link aggregation group 1 mode static Add GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to aggregation group 1...

Страница 151: ...tEthernet1 0 3 lacp enable The three LACP enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration such as rate dup...

Страница 152: ...of Contents 1 Port Isolation Configuration 1 1 Port Isolation Overview 1 1 Port Isolation Configuration 1 1 Displaying and Maintaining Port Isolation Configuration 1 2 Port Isolation Configuration Exa...

Страница 153: ...way and improve your network security Currently you can create only one isolation group on an S5100SI EI Series Ethernet switch The number of Ethernet ports in an isolation group is not limited An is...

Страница 154: ...an isolated port to an aggregation group causes all the ports in the aggregation group on the local unit to be added to the isolation group Displaying and Maintaining Port Isolation Configuration To d...

Страница 155: ...solate Sysname GigabitEthernet1 0 2 quit Sysname interface GigabitEthernet1 0 3 Sysname GigabitEthernet1 0 3 port isolate Sysname GigabitEthernet1 0 3 quit Sysname interface GigabitEthernet1 0 4 Sysna...

Страница 156: ...figuring Port Security Features 1 7 Ignoring the Authorization Information from the RADIUS Server 1 8 Configuring Security MAC Addresses 1 8 Displaying and Maintaining Port Security Configuration 1 9...

Страница 157: ...kes pre defined actions automatically This reduces your maintenance workload and greatly enhances system security and manageability Port Security Features The following port security features are prov...

Страница 158: ...ort security max mac count command After the port security mode is changed to the secure mode only those packets whose source MAC addresses are security MAC addresses learned or dynamic MAC addresses...

Страница 159: ...MAC address entries on the port macAddressWithRa dius In this mode MAC address based authentication is performed for access users macAddressOrUser LoginSecure In this mode both MAC authentication and...

Страница 160: ...OUI address does not match z On a port operating in either the macAddressElseUserLoginSecure mode or the macAddressElseUserLoginSecureExt mode Intrusion Protection is triggered only after both MAC bas...

Страница 161: ...hentication configuration Setting the Maximum Number of MAC Addresses Allowed on a Port Port security allows more than one user to be authenticated on a port The number of authenticated users allowed...

Страница 162: ...in noRestriction mode In this mode access to the port is not restricted You can set a port security mode as needed z Before setting the port security mode to autolearn you need to set the maximum numb...

Страница 163: ...s to configure the intrusion protection feature To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Set the corresponding act...

Страница 164: ...orization information to the device You can configure a port to ignore the authorization information from the RADIUS server Follow these steps to configure a port to ignore the authorization informati...

Страница 165: ...lowed on the port is set z The security mode of the port is set to autolearn Configuring a security MAC address Follow these steps to configure a security MAC address To do Use the command Remarks Ent...

Страница 166: ...stay silent for 30 seconds Network diagram Figure 1 1 Network diagram for port security configuration Configuration procedure Enter system view Switch system view Enable port security Switch port sec...

Страница 167: ...ding Follow these steps to configure port binding To do Use the command Remarks Enter system view system view In system view am user bind mac addr mac address ip addr ip address interface interface ty...

Страница 168: ...they steal from Host A to access the network Network diagram Figure 2 1 Network diagram for port binding configuration Configuration procedure Configure Switch A as follows Enter system view SwitchA...

Страница 169: ...2 DLDP Status 1 4 DLDP Timers 1 4 DLDP Operating Mode 1 5 DLDP Implementation 1 6 DLDP Neighbor State 1 7 Link Auto recovery Mechanism 1 7 DLDP Configuration 1 8 Performing Basic DLDP Configuration 1...

Страница 170: ...A it is a bidirectional link two way link If one of these fibers gets broken this is a unidirectional link one way link When a unidirectional link appears the local device can receive packets from th...

Страница 171: ...s z As a link layer protocol it works together with the physical layer protocols to monitor the link status of a device z The auto negotiation mechanism at the physical layer detects physical signals...

Страница 172: ...packets are used to notify unidirectional link emergencies a unidirectional link emergency occurs when the local port is down and the peer port is up Linkdown packets carry only the local port inform...

Страница 173: ...corresponding neighbor immediately neither does it changes to the inactive state Instead it changes to the delaydown state first When a device changes to the delaydown state the related DLDP neighbor...

Страница 174: ...port automatically or prompts you to disable the port manually Meanwhile DLDP deletes the neighbor entry DelayDown timer When a device in the active advertisement or probe DLDP state receives a port...

Страница 175: ...e DLDP packets sent Active Advertisement packets with the RSY flag set or not set Advertisement Advertisement packets Probe Probe packets 2 A DLDP packet received is processed as follows z In authenti...

Страница 176: ...ced mode no echo packet is received when the enhanced timer expires DLDP switches to the disable state outputs log and tracking information and sends flush packets Depending on the user defined DLDP d...

Страница 177: ...The auto recovery mechanism does apply to ports that are shut down manually DLDP Configuration Performing Basic DLDP Configuration Follow these steps to perform basic DLDP configuration To do Use the...

Страница 178: ...n the aggregation group as independent z When connecting two DLDP enabled devices make sure the software running on them is of the same version Otherwise DLDP may operate improperly z When you use the...

Страница 179: ...igure 1 3 z Switch A and Switch B are connected through two pairs of fibers Both of them support DLDP All the ports involved operate in mandatory full duplex mode with their rates all being 1 000 Mbps...

Страница 180: ...dp unidirectional shutdown auto Display the DLDP state SwitchA display dldp 1 When two switches are connected through fibers in a crossed way two or three ports may be in the disable state and the res...

Страница 181: ...guring MAC Address Table Management 1 4 Configuration Task List 1 4 Configuring a MAC Address Entry 1 5 Setting the Aging Time of MAC Address Entries 1 6 Setting the Maximum Number of MAC Addresses a...

Страница 182: ...MAC address table entries z Unicast forwarding If the destination MAC address carried in the packet is included in a MAC address table entry the switch forwards the packet through the forwarding egre...

Страница 183: ...1 to ensure that User B can receive the packet Figure 1 3 MAC address learning diagram 2 3 Because the switch broadcasts the packet both User B and User C can receive the packet However User C is not...

Страница 184: ...tances for example User B is unreachable or User B receives the packet but does not respond to it the switch cannot learn the MAC address of User B Hence the switch still broadcasts the packets destin...

Страница 185: ...nfigured manually A switch discards the packets destined for or originated from the MAC addresses contained in blackhole MAC address entries Table 1 1 lists the different types of MAC address entries...

Страница 186: ...e argument must belong to the VLAN specified by the vlan argument in the command Otherwise the entry will not be added z If the VLAN specified by the vlan argument is a dynamic VLAN after a static MAC...

Страница 187: ...tion applies to all ports but only takes effect on dynamic MAC addresses that are learnt or configured to age Setting the Maximum Number of MAC Addresses a Port Can Learn The MAC address learning mech...

Страница 188: ...in any VLAN z If the VLAN is configured as a remote probe VLAN used by port mirroring you can not disable MAC address learning of this VLAN Similarly after you disable MAC address learning this VLAN c...

Страница 189: ...net 1 0 2 belongs to VLAN 1 Configuration procedure Enter system view Sysname system view Sysname Add a MAC address with the VLAN ports and states specified Sysname mac address static 000f e20f dc71 i...

Страница 190: ...g the Timeout Time Factor 1 25 Configuring the Maximum Transmitting Rate on the Current Port 1 25 Configuring the Current Port as an Edge Port 1 26 Setting the Link Type of a Port to P2P 1 27 Enabling...

Страница 191: ...l 1 44 Introduction 1 44 Configuring VLAN VPN tunnel 1 44 MSTP Maintenance Configuration 1 45 Introduction 1 45 Enabling Log Trap Output for Ports of MSTP Instance 1 45 Configuration Example 1 45 Enab...

Страница 192: ...RSTP and Multiple Spanning Tree Protocol MSTP This chapter describes the characteristics of STP RSTP and MSTP and the relationship among them Spanning Tree Protocol Overview Why STP Spanning tree prot...

Страница 193: ...he port with the lowest path cost to the root bridge The root port is used for communicating with the root bridge A non root bridge device has one and only one root port The root bridge has no root po...

Страница 194: ...ls see Configuring the Bridge Priority of the Current Switch 5 Path cost STP uses path costs to indicate the quality of links A small path cost indicates a higher link quality The path cost of a port...

Страница 195: ...iority plus MAC address z Designated port ID designated port priority plus port number z Message age lifetime for the configuration BPDUs to be propagated within the network z Max age lifetime for the...

Страница 196: ...ared for their root path costs If the root path cost in a configuration BPDU plus the path cost corresponding to this port is S the configuration BPDU with the smallest S value has the highest priorit...

Страница 197: ...figuration BPDU which will be sent out periodically z If the configuration BPDU on the port is superior the device stops updating the configuration BPDUs of the port and blocks the port so that the po...

Страница 198: ...e configuration BPDU of each port and starts sending out configuration BPDUs periodically AP1 0 0 0 AP1 AP2 0 0 0 AP2 z Port BP1 receives the configuration BPDU of Device A 0 0 0 AP1 Device B finds th...

Страница 199: ...ort CP2 receives the updated configuration BPDU of Device B 0 5 1 BP2 Because the received configuration BPDU is superior to its old one Device C launches a BPDU update process z At the same time port...

Страница 200: ...ty the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout In this case the device generates configuration BPDUs with...

Страница 201: ...gnated port can transit fast under the following conditions the designated port is an edge port or a port connected with a point to point link If the designated port is an edge port it can enter the f...

Страница 202: ...mapped to MSTI 2 Other VLANs mapped to CIST BPDU BPDU A D C B Region B0 VLAN 1 mapped to MSTI 1 VLAN 2 mapped to MSTI 2 Other VLANs mapped to CIST Region C0 VLAN 1 mapped to MSTI 1 VLAN 2 and 3 mapped...

Страница 203: ...ing tree generated by STP or RSTP running on the switches For example the red lines in Figure 1 4 represent the CST 6 CIST A common and internal spanning tree CIST is the spanning tree in a switched n...

Страница 204: ...of the two ports to eliminate the loop that occurs The blocked port is the backup port In Figure 1 5 switch A switch B switch C and switch D form an MST region Port 1 and port 2 on switch A connect u...

Страница 205: ...ame time MSTP regards each MST region as a switch to calculate the CSTs of the network The CSTs together with the ISTs form the CIST of the network 2 Calculate an MSTI Within an MST region MSTP genera...

Страница 206: ...nfigure MSTP Task Remarks Enabling MSTP Required To prevent network topology jitter caused by other related configurations you are recommended to enable MSTP after other related configurations are per...

Страница 207: ...nsmitting Rate on the Current Port Optional The default value is recommended Configuring the Current Port as an Edge Port Optional Configuring the Path Cost for a Port Optional Configuring Port Priori...

Страница 208: ...onfiguration Required Display the configuration of the current MST region check region configuration Optional Display the currently valid configuration of the MST region display stp region configurati...

Страница 209: ...Sysname mst region instance 2 vlan 20 to 30 Sysname mst region revision level 1 Sysname mst region active region configuration Verify the above configuration Sysname mst region check region configurat...

Страница 210: ...o new root bridge is configured If you configure multiple secondary root bridges for an MSTI the one with the smallest MAC address replaces the root bridge when the latter fails You can specify the ne...

Страница 211: ...le switches have the same bridge priority the one with the smallest MAC address becomes the root bridge Configuration example Set the bridge priority of the current switch to 4 096 in MSTI 1 Sysname s...

Страница 212: ...me system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 stp compliance dot1s Restore the default mode for GigabitEthernet 1 0 1 to recognize send MSTP packets Sysname Gigab...

Страница 213: ...chanism disables the switches that are beyond the maximum hop count from participating in spanning tree calculation and thus limits the size of an MST region With such a mechanism the maximum hop coun...

Страница 214: ...re the network diameter of a switched network an MSTP enabled switch adjusts its hello time forward delay and max age settings accordingly to better values The network diameter setting only applies to...

Страница 215: ...As for the max age parameter if it is too small network congestion may be falsely regarded as link failures which results in frequent spanning tree recalculation If it is too large link problems may...

Страница 216: ...tch stp timer factor number Required The timeout time factor defaults to 3 For a steady network the timeout time can be five to seven times of the hello time Configuration example Configure the timeou...

Страница 217: ...rnet 1 0 1 Sysname GigabitEthernet1 0 1 stp transmit limit 15 Configuring the Current Port as an Edge Port Edge ports are ports that neither directly connects to other switches nor indirectly connects...

Страница 218: ...le 2 Configure GigabitEthernet 1 0 1 as an edge port in Ethernet port view Sysname system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 stp edged port enable Setting the Li...

Страница 219: ...ure the link of the port as a point to point link After you configure the link of a port as a point to point link the configuration applies to all the MSTIs the port belongs to If the actual physical...

Страница 220: ...disable Optional By default MSTP is enabled on all ports after you enable MSTP in system view To enable a switch to operate more flexibly you can disable MSTP on specific ports As MSTP disabled ports...

Страница 221: ...for calculating path costs of ports Currently a switch can calculate the path costs of ports based on one of the following standards z dot1d 1998 Adopts the IEEE 802 1D 1998 standard to calculate the...

Страница 222: ...02 1T standard does The following formula is used to calculate the path cost of an aggregated link Path cost 200 000 000 link transmission rate Where link transmission rate is the sum of the rates of...

Страница 223: ...Sysname stp pathcost standard dot1d 1998 2 Perform this configuration in Ethernet port view Sysname system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 undo stp instance 1...

Страница 224: ...hernet 1 0 1 in MSTI 1 to be 16 1 Perform this configuration in system view Sysname system view Sysname stp interface GigabitEthernet 1 0 1 instance 1 port priority 16 2 Perform this configuration in...

Страница 225: ...ed Configuration Example Perform the mCheck operation on GigabitEthernet 1 0 1 1 Perform this configuration in system view Sysname system view Sysname stp interface GigabitEthernet 1 0 1 mcheck 2 Perf...

Страница 226: ...PDU guard function Sysname system view Sysname stp bpdu protection Configuring Root Guard A root bridge and its secondary root bridges must reside in the same region The root bridge of the CIST and it...

Страница 227: ...view To do Use the command Remarks Enter system view system view Enter Ethernet port view Interface interface type interface number Enable the root guard function on the current port stp root protect...

Страница 228: ...the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enable the loop guard function on the current port stp loop protection Required Th...

Страница 229: ...ew system view Enable the TC BPDU attack guard function stp tc protection enable Required The TC BPDU attack guard function is disabled by default Set the maximum times that a switch can remove the MA...

Страница 230: ...onfiguration ID contains information such as region ID and configuration digest As some other manufacturers switches adopt proprietary spanning tree protocols they cannot communicate with the other sw...

Страница 231: ...operate normally Configuration procedure Follow these steps to configure digest snooping To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type...

Страница 232: ...tree protocols in the same MST region z When the digest snooping feature is enabled globally the VLAN to instance mapping table cannot be modified z The digest snooping feature is not applicable to b...

Страница 233: ...pstream switch As a result the designated port of the upstream switch fails to transit rapidly and can only turn to the forwarding state after a period twice the forward delay Some other manufacturers...

Страница 234: ...figuration procedure 1 Configure the rapid transition feature in system view Follow these steps to configure the rapid transition feature in system view To do Use the command Remarks Enter system view...

Страница 235: ...e service provider network and the lower part comprises the customer networks The service provider network comprises packet input output devices and the customer network has networks A and B On the se...

Страница 236: ...MSTP enabled there may be many MSTP instances and so the status of a port may change frequently In this case maintenance personnel may expect that log trap information is output to the log host when...

Страница 237: ...tch to send trap messages conforming to 802 1d standard to the network management device when the switch becomes the root bridge of instance 1 Sysname system view Sysname stp instance 1 dot1d trap new...

Страница 238: ...yer Switch A and Switch B are configured as the root bridges of MSTI 1 and MSTI 3 respectively Switch C is configured as the root bridge of MSTI 4 Network diagram Figure 1 10 Network diagram for MSTP...

Страница 239: ...er MST region view Sysname system view Sysname stp region configuration Configure the MST region Sysname mst region region name example Sysname mst region instance 1 vlan 10 Sysname mst region instanc...

Страница 240: ...between the customer networks and the service provider network Network diagram Figure 1 11 Network diagram for VLAN VPN tunnel configuration Eth 1 0 1 Switch A Switch D Switch C Switch B Eth 1 0 1 GE...

Страница 241: ...Ns Sysname GigabitEthernet1 0 2 port trunk permit vlan all 4 Configure Switch D Enable MSTP Sysname system view Sysname stp enable Enable the VLAN VPN tunnel function Sysname vlan vpn tunnel Add Gigab...

Страница 242: ...ered Authentication 1 19 Configuring Guest VLAN 1 19 Configuring 802 1x Re Authentication 1 20 Configuring the 802 1x Re Authentication Timer 1 20 Displaying and Maintaining 802 1x Configuration 1 21...

Страница 243: ...ii Configuring the System Guard Feature 4 1 Configuring the System Guard Feature 4 1 Displaying and Maintaining System Guard 4 2...

Страница 244: ...ort based network access control protocol It authenticates and controls devices requesting for access in terms of the ports of LAN access devices With the 802 1x protocol employed a user side device c...

Страница 245: ...thorization and Accounting AAA services to users It also stores user information such as user name password the VLAN a user belongs to priority and the Access Control Lists ACLs applied The four basic...

Страница 246: ...goes offline the others are denied as well z MAC based authentication All supplicant systems connected to a port have to be authenticated individually in order to access the network And when a supplic...

Страница 247: ...ket is an EAPoL start packet which initiates the authentication 02 Indicates that the packet is an EAPoL logoff packet which sends logging off requests 03 Indicates that the packet is an EAPoL key pac...

Страница 248: ...ure 1 5 The format of the Data field of a Request packet or a Response packet z The Type field indicates the EAP authentication type A value of 1 indicates Identity and that the packet is used to quer...

Страница 249: ...with a value of 79 and the Message authenticator field with a value of 80 Four authentication ways namely EAP MD5 EAP TLS transport layer security EAP TTLS tunneled transport layer security and Prote...

Страница 250: ...process z Upon receiving the authentication request packet the switch sends an EAP request identity packet to ask the 802 1x client for the user name z The 802 1x client responds by sending an EAP re...

Страница 251: ...d to rejected In EAP relay mode packets are not modified during transmission Therefore if one of the four ways are used that is PEAP EAP TLS EAP TTLS or EAP MD5 to authenticate ensure that the authent...

Страница 252: ...Used in 802 1x In 802 1 x authentication the following timers are used to ensure that the supplicant system the switch and the RADIUS server interact in an orderly way z Handshake timer handshake peri...

Страница 253: ...rom the supplicant system when this timer times out The second case is when the switch authenticates the 802 1x client who cannot request for authentication actively The switch sends multicast request...

Страница 254: ...is configured to disable use of multiple network adapters proxies or IE proxies it prompts the 802 1x client to disable use of multiple network adapters proxies or IE proxies through messages after t...

Страница 255: ...on Refer to AAA Operation for detailed information about the dynamic VLAN delivery function Enabling 802 1x re authentication 802 1x re authentication is timer triggered or packet triggered It re auth...

Страница 256: ...switch re authenticates users periodically 802 1x re authentication will fail if a CAMS server is used and configured to perform authentication but not accounting This is because a CAMS server establ...

Страница 257: ...S server and perform RADIUS client related configuration on the switches z You can also specify to adopt the RADIUS authentication scheme with a local authentication scheme as a backup In this case th...

Страница 258: ...r dot1x port method macbased portbased Set port access method for specified ports In port view quit Optional The default port access method is MAC address based that is the macbased keyword is used by...

Страница 259: ...shaking periods To prevent users being falsely considered offline you need to disable the online user handshaking function in this case z The handshake packet protection function requires the cooperat...

Страница 260: ...e interface list argument the command applies to all ports You can also use this command in port view In this case this command applies to the current port only and the interface list argument is not...

Страница 261: ...line user handshaking function first z The configuration listed in the above table takes effect only when it is performed on CAMS as well as on the switch In addition the client version checking funct...

Страница 262: ...ated when they apply for dynamic IP addresses through DHCP Follow these steps to enable DHCP triggered authentication To do Use the command Remarks Enter system view system view Enable DHCP triggered...

Страница 263: ...hen re authenticating a user a switch goes through the complete authentication process It transmits the username and password of the user to the server The server may authenticate the username and pas...

Страница 264: ...stics interface interface list Available in user view Configuration Example 802 1x Configuration Example Network requirements z Authenticate users on all ports to control their accesses to the Interne...

Страница 265: ...guration procedure Following configuration covers the major AAA RADIUS configuration commands Refer to AAA Operation for the information about these commands Configuration on the client and the RADIUS...

Страница 266: ...s1 timer realtime accounting 15 Configure to send the user name to the RADIUS server with the domain name truncated Sysname radius radius1 user name format without domain Sysname radius radius1 quit C...

Страница 267: ...Defense EAD solution can improve the overall defense power of a network In real applications however deploying EAD clients proves to be time consuming and inconvenient To address the issue the H3C S5...

Страница 268: ...deployment feature takes effect only when the access control mode of an 802 1x enabled port is set to auto Configuring Quick EAD Deployment Configuration Prerequisites z Enable 802 1x on the switch z...

Страница 269: ...e effect if you enable port security Setting the ACL timeout period The quick EAD deployment function depends on ACLs in restricting access of users failing authentication Each online user that has no...

Страница 270: ...t Configuration Example Network requirements A user connects to the switch directly The switch connects to the Web server and the Internet The user will be redirected to the Web server to download the...

Страница 271: ...decimal notation the user may not be redirected This is related with the operating system used on the PC In this case the PC considers the IP address string a name and tries to resolve the name If the...

Страница 272: ...anagement devices can obtain the MAC addresses of the attached switches and thus the management of the attached switches is feasible HABP is built on the client server model Typically the HABP server...

Страница 273: ...ttached to HABP servers After you enable HABP for a switch the switch operates as an HABP client by default So you only need to enable HABP on a switch to make it an HABP client Follow these steps to...

Страница 274: ...t filtering rules according the characteristics of the attack source Thus system guard is implemented Configuring the System Guard Feature Through the following configuration you can enable the system...

Страница 275: ...ny view to display the running status of the system guard feature and to verify the configuration Table 4 2 Display and maintain system guard Operation Command Display the record of detected attacks d...

Страница 276: ...umber of RADIUS Request Transmission Attempts 2 14 Configuring the Type of RADIUS Servers to be Supported 2 15 Configuring the Status of RADIUS Servers 2 15 Configuring the Attributes of Data to be Se...

Страница 277: ...Users 2 28 HWTACACS Authentication and Authorization of Telnet Users 2 30 Troubleshooting AAA 2 31 Troubleshooting RADIUS Configuration 2 31 Troubleshooting HWTACACS Configuration 2 31 3 EAD Configura...

Страница 278: ...ated on this device instead of on a remote device Local authentication is fast and requires lower operational cost but has the deficiency that information storage capacity is limited by device hardwar...

Страница 279: ...ervice for AAA is RADIUS What is RADIUS Remote Authentication Dial in User Service RADIUS is a distributed service based on client server structure It can prevent unauthorized access to your network a...

Страница 280: ...RADIUS client a switch for example and a RADIUS server are verified through a shared key This enhances the security The RADIUS protocol combines the authentication and authorization processes together...

Страница 281: ...accounting response Accounting Response 9 The access to network resources is ended RADIUS message format RADIUS messages are transported over UDP which does not guarantee reliable delivery of message...

Страница 282: ...Identifier Length Authenticator and Attributes fields The bytes beyond the length are regarded as padding and are ignored upon reception If a received message is shorter than what the Length field in...

Страница 283: ...0 CHAP Challenge 20 Callback ID 61 NAS Port Type 21 unassigned 62 Port Limit 22 Framed Route 63 Login LAT Port The RADIUS protocol has good scalability Attribute 26 Vender Specific defined in this pro...

Страница 284: ...ation from authorization For example you can use one TACACS server for authentication and another TACACS server for authorization Combines authentication and authorization Is more suitable for securit...

Страница 285: ...client sends an authentication continuance message carrying the username 4 The TACACS server returns an authentication response asking for the password Upon receiving the response the TACACS client r...

Страница 286: ...ends an accounting start request to the TACACS server 11 The TACACS server returns an accounting response indicating that it has received the accounting start request 12 The user logs out the TACACS c...

Страница 287: ...tes Required Configuring a combined AAA scheme Required None authentication Local authentication RADIUS authentication Configuring an AAA Scheme for an ISP Domain HWTACACS authentication z Use one of...

Страница 288: ...e the form of the delimiter between the username and the ISP domain name domain delimiter at dot Optional By default the delimiter between the username and the ISP domain name is Create an ISP domain...

Страница 289: ...n any z If the system does not find any available accounting server or fails to communicate with any accounting server when it performs accounting for a user it does not disconnect the user as long as...

Страница 290: ...case no TACACS server is available That is if the communication between the switch and a TACACS server is normal the local scheme is not used if the TACACS server is not reachable or there is a key e...

Страница 291: ...configuration for a domain When the scheme radius scheme or scheme local command is executed and the authentication command is not executed the authorization information returned from the RADIUS or lo...

Страница 292: ...the switch If it finds a match it adds the port to the corresponding VLAN Otherwise the VLAN assignment fails and the user fails the authentication In actual applications to use this feature together...

Страница 293: ...for the local user password simple cipher password Required Set the status of the local user state active block Optional By default the user is in active state that is the user is allowed to request n...

Страница 294: ...the MAC address authentication can be assigned with an authorized VLAN The switch will not assign authorized VLANs for subsequent users passing MAC address authentication In this case you are recommen...

Страница 295: ...ient Enabling the User Re Authentication at Restart Function Optional Configuring the RADIUS server Refer to the configuration of the RADIUS Server Complete the following tasks to configure RADIUS the...

Страница 296: ...d configure at least one authentication authorization server and one accounting server and you should keep the RADIUS server port settings on the switch consistent with those on the RADIUS servers Act...

Страница 297: ...tion response sent from the RADIUS server to the RADIUS client carries authorization information Therefore you need not and cannot specify a separate RADIUS authorization server z In an actual network...

Страница 298: ...to configure the RADIUS authorization attribute ignoring function To do Use the command Remarks Enter system view system view Create a RADIUS scheme and enter its view radius scheme radius scheme nam...

Страница 299: ...al By default the maximum allowed number of continuous real time accounting failures is five If five continuous failures occur the switch cuts down the user connection z In an actual network environme...

Страница 300: ...authorization shared key and the accounting shared key you set on the switch must be respectively consistent with the shared key on the authentication authorization server and the shared key on the a...

Страница 301: ...cheme Configuring the Status of RADIUS Servers For the primary and secondary servers authentication authorization servers or accounting servers in a RADIUS scheme When the switch fails to communicate...

Страница 302: ...onfigure the attributes of data to be sent to RADIUS servers To do Use the command Remarks Enter system view system view Create a RADIUS scheme and enter its view radius scheme radius scheme name Requ...

Страница 303: ...z In the default RADIUS scheme system ISP domain names are removed from usernames by default z The purpose of setting the MAC address format of the Calling Station Id Type 31 field in RADIUS packets...

Страница 304: ...servers and the corresponding timer in the switch system is called the response timeout timer of RADIUS servers If the switch gets no answer within the response timeout time it needs to retransmit th...

Страница 305: ...Enter system view system view Enable the sending of trap message when a RADIUS server is down radius trap authentication server down accounting server down Optional By default the switch does not sen...

Страница 306: ...date message 4 Once the switch receives the response from the CAMS it stops sending Accounting On messages 5 If the switch does not receive any response from the CAMS after it has tried the configured...

Страница 307: ...TACACS protocol configuration is performed on a scheme basis Therefore you must create a HWTACACS scheme and enter HWTACACS view before performing other configuration tasks Follow these steps to creat...

Страница 308: ...remove an authentication server setting only when there is no active TCP connection that is sending authentication messages to the server Configuring TACACS Authorization Servers Follow these steps to...

Страница 309: ...d port number of the secondary TACACS accounting server secondary accounting ip address port Required By default the IP address of the secondary accounting server is 0 0 0 0 and the port number is 0 E...

Страница 310: ...Follow these steps to configure the attributes for data to be sent to TACACS servers To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter its view hwtacacs s...

Страница 311: ...tional By default the response timeout time is five seconds Set the time that the switch must wait before it can restore the status of the primary server to active timer quiet minutes Optional By defa...

Страница 312: ...command Remarks Display RADIUS message statistics about local RADIUS server display local server statistics Display configuration information about one specific or all RADIUS schemes display radius sc...

Страница 313: ...entication Network requirements In the network environment shown in Figure 2 2 you are required to configure the switch so that the Telnet users logging into the switch are authenticated by the RADIUS...

Страница 314: ...gure a RADIUS scheme Sysname radius scheme cams Sysname radius cams accounting optional Sysname radius cams primary authentication 10 110 91 164 1812 Sysname radius cams key authentication aabbcc Sysn...

Страница 315: ...AA authentication for Telnet users Sysname user interface vty 0 4 Sysname ui vty0 4 authentication mode scheme Sysname ui vty0 4 quit Create and configure a local user named telnet Sysname local user...

Страница 316: ...authentication and authorization shared keys that are used to exchange messages with the TACACS server to aabbcc Configure the switch to strip domain names off usernames before sending usernames to t...

Страница 317: ...nging the RADIUS server from the switch Take measures to make the switch communicate with the RADIUS server normally Symptom 2 RADIUS packets cannot be sent to the RADIUS server Possible reasons and s...

Страница 318: ...es the validity of the session control packets it receives according to the source IP addresses of the packets It regards only those packets sourced from authentication or security policy server as va...

Страница 319: ...s of access users such as username user type and password For local authentication you need to configure these attributes on the switch for remote authentication you need to configure these attributes...

Страница 320: ...the switch to use port number 1812 to communicate with the server z Configure the authentication server type to extended z Configure the encryption password for exchanging messages between the switch...

Страница 321: ...ert Sysname radius cams server type extended Configure the IP address of the security policy server Sysname radius cams security policy server 10 110 91 166 Associate the domain with the RADIUS scheme...

Страница 322: ...1 2 Quiet MAC Address 1 2 Configuring Basic MAC Address Authentication Functions 1 2 MAC Address Authentication Enhanced Function Configuration 1 4 MAC Address Authentication Enhanced Function Config...

Страница 323: ...ode where user names and passwords are configured on a switch in advance In this case the user name the password and the limits on the total number of user names are the matching criterion for success...

Страница 324: ...of a user if the switch receives no response from the RADIUS server in this period it assumes that its connection to the RADIUS server has timed out and forbids the user from accessing the network Qui...

Страница 325: ...name Required The default ISP domain default domain is used by default Configure the MAC address authentication timers mac authentication timer offline detect offline detect value quiet quiet value s...

Страница 326: ...tions for a switch this switch can authenticate access users according to their MAC addresses or according to fixed user names and passwords The switch will not learn MAC addresses of the clients fail...

Страница 327: ...adds the port to the Guest VLAN Therefore the Guest VLAN can separate unauthenticated users on an access port When it comes to a trunk port or a hybrid port if a packet itself has a VLAN tag and be in...

Страница 328: ...cation cannot be enabled for a port configured with a Guest VLAN z The Guest VLAN function for MAC address authentication does not take effect when port security is enabled Configuring the Maximum Num...

Страница 329: ...ion interface interface list Available in any view Clear the statistics of global or on port MAC address authentication reset mac authentication statistics interface interface type interface number Av...

Страница 330: ...domain named aabbcc net Sysname domain aabbcc net New Domain added Specify to perform local authentication Sysname isp aabbcc net scheme local Sysname isp aabbcc net quit Specify aabbcc net as the IS...

Страница 331: ...4 IP Address Configuration Example I 1 4 IP Address Configuration Example II 1 5 2 IP Performance Optimization Configuration 2 1 IP Performance Overview 2 1 Introduction to IP Performance Configurati...

Страница 332: ...dress is used to identify a host An example is 01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four...

Страница 333: ...s 0 0 0 16 indicates the host with a host ID of 16 on the local network z IP address with an all zero host ID Identifies a network z IP address with an all one host ID Identifies a directed broadcast...

Страница 334: ...nd Standards z RFC 1366 Guidelines for Management of IP Address Space z RFC 1367 Schedule for IP Address Space Management Guidelines Configuring IP Addresses S5100 Series Ethernet Switches support ass...

Страница 335: ...eside on the same network segment A VLAN interface cannot be configured with a secondary IP address if the interface has been configured to obtain an IP address through BOOTP or DHCP z The S5100 EI se...

Страница 336: ...nected to a LAN comprising two segments 172 16 1 0 24 and 172 16 2 0 24 To enable the hosts on the two network segments to communicate with the external network through the switch and the hosts on the...

Страница 337: ...es 56 Sequence 5 ttl 255 time 26 ms 172 16 1 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 25 26 27 ms The output information shows the S5100 SI...

Страница 338: ...forwarding information base FIB FIB is used to store the forwarding information of the switch and guide Layer 3 packet forwarding You can know the forwarding information of the switch by viewing the...

Страница 339: ...es ICMP packets are usually sent by the network or transport layer protocols to notify corresponding devices so as to facilitate management Advantages of sending ICMP error packets ICMP redirect packe...

Страница 340: ...antages z Sending a lot of ICMP packets will increase network traffic z If a device receives a lot of malicious packets that cause it to send ICMP error packets its performance will be reduced z As th...

Страница 341: ...ength1 ip_address2 mask2 mask length2 longer longer Display the FIB entries permitted by a specific ACL display fib acl number Display the FIB entries in the buffer which begin with include or exclude...

Страница 342: ...Agent Configuration 1 7 DHCP Relay Agent Configuration Example 1 7 Troubleshooting DHCP Relay Agent Configuration 1 8 3 DHCP Snooping Configuration 3 1 DHCP Snooping Overview 3 1 Introduction to DHCP...

Страница 343: ...iguration Protocol DHCP is developed to solve these issues DHCP adopts a client server model where the DHCP clients send requests to DHCP servers for configuration parameters and the DHCP servers retu...

Страница 344: ...R packet that first arrives and then broadcasts a DHCP REQUEST packet containing the assigned IP address carried in the DHCP OFFER packet 4 Acknowledge In this phase the DHCP servers acknowledge the I...

Страница 345: ...P packets The following figure describes the packet format the number in the brackets indicates the field length in bytes Figure 1 2 DHCP packet format The fields are described as follows z op Operati...

Страница 346: ...including packet type valid lease time IP address of a DNS server and IP address of the WINS server Protocol Specification Protocol specifications related to DHCP include z RFC2131 Dynamic Host Config...

Страница 347: ...to DHCP Relay Agent Usage of DHCP Relay Agent Since the packets are broadcasted in the process of obtaining IP addresses DHCP is only applicable to the situation that DHCP clients and DHCP servers ar...

Страница 348: ...option in the DHCP message It records the location information of the DHCP client With this option the administrator can locate the DHCP client to further implement security control and accounting Th...

Страница 349: ...the packet with its own or leaves the original Option 82 unchanged in the packet and forwards the packet if not discarded to the DHCP server z If the request packet does not contain Option 82 the DHCP...

Страница 350: ...DHCP server group z You can configure up to eight DHCP server IP addresses in a DHCP server group z You can map multiple VLAN interfaces to one DHCP server group But one VLAN interface can be mapped...

Страница 351: ...re used z Before executing the address check enable command on the interface connected to the DHCP server you need to configure the static binding of the IP address to the MAC address of the DHCP serv...

Страница 352: ...ling Option 82 support on a DHCP relay agent Follow these steps to enable Option 82 support on a DHCP relay agent To do Use the command Remarks Enter system view system view Enable Option 82 support o...

Страница 353: ...ay Agent Configuration Example Network requirements VLAN interface 1 on the DHCP relay agent Switch A connects to the network where DHCP clients reside The IP address of VLAN interface 1 is 10 10 1 1...

Страница 354: ...d checking the information about debugging and interface state You can display the information by executing the corresponding display command Solution z Check if an address pool that is on the same ne...

Страница 355: ...yer z Layer 2 switches can track DHCP clients IP addresses through the DHCP snooping function at the data link layer When an unauthorized DHCP server exists in the network a DHCP client may obtains an...

Страница 356: ...ess and other parameters for the clients Option 82 involves at most 255 sub options If Option 82 is defined at least one sub option must be defined Currently the DHCP relay agent supports two sub opti...

Страница 357: ...82 in the standard format Refer to Figure 3 4 and Figure 3 5 for the standard format of the sub options with the default padding contents In the standard format the Circuit ID or Remote ID sub option...

Страница 358: ...forward the packet For details see Table 3 2 Table 3 2 Ways of handling a DHCP packet without Option 82 Sub option configuration The DHCP Snooping device will Neither of the two sub options is config...

Страница 359: ...d MAC address of the client cannot be recorded in the DHCP snooping table Consequently this client cannot pass the IP filtering of the DHCP snooping table thus it cannot access external networks To so...

Страница 360: ...not recommended to configure both the DHCP snooping and selective Q in Q function on the switch which may result in the DHCP snooping to function abnormally Configuring DHCP Snooping to Support Option...

Страница 361: ...e Enter Ethernet port view interface interface type interface number Configure a handling policy for requests that contain Option 82 received on the specified interface dhcp snooping information strat...

Страница 362: ...circuit ID sub option contains the VLAN ID and port index related to the port that receives DHCP request packets from DHCP clients z If you have configured a circuit ID with the vlan vlan id argument...

Страница 363: ...t z If you configure a remote ID sub option in both system view and on a port the remote ID sub option configured on the port applies when the port receives a packet and the global remote ID applies t...

Страница 364: ...om this IP address cannot pass the IP filtering z A static entry has a higher priority than the dynamic DHCP snooping entry that has the same IP address as the static one That is if the static entry i...

Страница 365: ...ID field in Option 82 to the system name of the switch Set the circuit ID sub option to abcd in DHCP packets from VLAN 1 on GigabitEthernet 1 0 3 Network diagram Figure 3 6 Network diagram for DHCP s...

Страница 366: ...the switch and specify GigabitEthernet 1 0 1 as the DHCP snooping trusted port z Enable IP filtering on GigabitEthernet 1 0 2 GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 to prevent attacks to the...

Страница 367: ...0 2 quit Switch interface GigabitEthernet1 0 3 Switch GigabitEthernet1 0 3 ip check source ip address mac address Switch GigabitEthernet1 0 3 quit Switch interface GigabitEthernet1 0 4 Switch Gigabit...

Страница 368: ...Before using BOOTP an administrator needs to configure a BOOTP parameter file for each BOOTP client on the BOOTP server The parameter file contains information such as MAC address and IP address of a...

Страница 369: ...hop being the gateway assigned by the DHCP server To view detailed information about the default route run the display ip routing table command on the switch To improve security and avoid malicious a...

Страница 370: ...dynamically obtain an IP address by using DHCP SwitchA system view SwitchA interface Vlan interface 1 SwitchA Vlan interface1 ip address dhcp alloc BOOTP Client Configuration Example Network requireme...

Страница 371: ...igning an ACL Globally 1 9 Assigning an ACL to a VLAN 1 9 Assigning an ACL to a Port Group 1 10 Assigning an ACL to a Port 1 11 Displaying ACL Configuration 1 12 Example for Upper layer Software Refer...

Страница 372: ...d destination IP addresses type of the protocols carried by IP protocol specific features and so on z Layer 2 ACL Rules are created based on the Layer 2 information such as source and destination MAC...

Страница 373: ...h priority z If the types of parameter are the same for multiple rules then the sum of parameters weighting values of a rule determines its priority The smaller the sum the higher the match priority W...

Страница 374: ...lease 2201 or earlier do not support Layer 2 ACL configuration z ACLs defined on S5100 SI series switches running Release 2201 or earlier can only be referenced by upper layer software they cannot be...

Страница 375: ...ge the time range is active only when the periodic time range and the absolute time range are both matched Assume that a time range contains an absolute time section ranging from 00 00 January 1 2004...

Страница 376: ...emains With the auto match order specified for the basic ACL you cannot modify any existent rule otherwise the system prompts error information z If you do not specify the rule id argument when creati...

Страница 377: ...arried by IP and protocol specific features are determined Configuration Procedure Table 1 3 Define an advanced ACL rule Operation Command Description Enter system view system view Create an advanced...

Страница 378: ...tcp source 129 9 0 0 0 0 255 255 destination 202 38 160 0 0 0 0 255 destination port eq www Configuring Layer 2 ACL Layer 2 ACLs filter packets according to their Layer 2 information such as the sour...

Страница 379: ...ss 0011 4301 991e and with their 802 1p priority being 3 Sysname system view Sysname acl number 4000 Sysname acl ethernetframe 4000 rule deny cos 3 source 000d 88f5 97ed ffff ffff ffff dest 0011 4301...

Страница 380: ...Assigning an ACL Globally Configuration prerequisites Before applying ACL rules to a VLAN you need to define the related ACLs For information about defining an ACL refer to section Configuring Basic A...

Страница 381: ...packets of VLAN 10 on all the ports Sysname system view Sysname packet filter vlan 10 inbound ip group 2000 Assigning an ACL to a Port Group Configuration prerequisites Before applying ACL rules to a...

Страница 382: ...define the related ACLs For information about defining an ACL refer to section Configuring Basic ACL section Configuring Advanced ACL section Configuring Layer 2 ACL Configuration procedure Table 1 8...

Страница 383: ...ormation about remaining ACL resources supported on S5100 EI series only display acl remaining entry In any view Example for Upper layer Software Referencing ACLs Example for Controlling Telnet Login...

Страница 384: ...Sysname acl number 2001 Sysname acl basic 2001 rule 1 permit source 10 110 100 46 0 Sysname acl basic 2001 quit Reference ACL 2001 to control users logging in to the Web server Sysname ip http acl 20...

Страница 385: ...ch The IP address of the wage query server is 192 168 1 2 The R D department is connected to GigabitEthernet 1 0 1 of the switch Apply an ACL to deny requests from the R D department and destined for...

Страница 386: ...MAC address of 0011 0011 0011 and the destination MAC address of 0011 0011 0012 Sysname acl number 4000 Sysname acl ethernetframe 4000 rule 1 deny source 0011 0011 0011 ffff ffff ffff dest 0011 0011 0...

Страница 387: ...me range that is active from 8 00 to 18 00 in working days Sysname system view Sysname time range test 8 00 to 18 00 working day Define an ACL to deny packets destined for the database server Sysname...

Страница 388: ...8 QoS Configuration 1 18 QoS Configuration Task List 1 18 Configuring Priority Trust Mode 1 19 Configuring Priority Mapping 1 20 Setting the Priority of Protocol Packets 1 24 Configuring Priority Mark...

Страница 389: ...to QoS Profile 2 1 QoS Profile Application Mode 2 1 QoS Profile Configuration 2 2 Configuring a QoS Profile 2 2 Applying a QoS Profile 2 3 Displaying and Maintaining QoS Profile Configuration 2 4 Con...

Страница 390: ...process Traditional Packet Forwarding Services On traditional IP networks devices treat all packets equally and handle them using the first in first out FIFO policy All packets share the resources of...

Страница 391: ...ecedence of packets To meet these requirements networks must provide more improved services Major Traffic Control Technologies Figure 1 1 End to end QoS model As shown in Figure 1 1 traffic classifica...

Страница 392: ...ng traffic based on ACLs The S5100 series support the following types of ACLs z Basic ACLs z Advanced ACLs z Layer 2 ACLs not available on Release2201 or any earlier releases of the SS5100 SI z For in...

Страница 393: ...ffic here refers to service traffic that is all the packets passing by the switch Traffic classification identifies packets conforming to certain characteristics according to certain criteria It is th...

Страница 394: ...ority 2 010 immediate 3 011 flash 4 100 flash override 5 101 critical 6 110 internet 7 111 network In a Diff Serv network traffic is grouped into the following four classes and packets are processed a...

Страница 395: ...cription 46 101110 ef 10 001010 af11 12 001100 af12 14 001110 af13 18 010010 af21 20 010100 af22 22 010110 af23 26 011010 af31 28 011100 af32 30 011110 af33 34 100010 af41 36 100100 af42 38 100110 af4...

Страница 396: ...1 0 0 0 0 0 0 0 Priority VLAN ID TPID Tag protocol identifier TCI Tag control information Byte 1 Byte 2 0 Byte 3 Byte 4 CFI 7 5 4 3 2 1 0 7 5 4 3 2 1 0 6 6 7 5 4 3 2 1 0 7 5 4 3 2 1 0 6 6 In Figure 1...

Страница 397: ...red such as 802 1p precedence DSCP values local precedence and drop precedence The S5100 SI series switches do not support marking drop precedence for packets 1 For an 802 1q untagged packet When a pa...

Страница 398: ...can be 802 1p precedence or DSCP precedence Table 1 5 describes how your switch handles a packet received on the port Table 1 5 Actions performed when packet priority is trusted Trusted priority type...

Страница 399: ...nce values corresponding to the new DSCP val ue in the DSCP precedence to other precedence mapping table and then deliver the packet with the target 802 1p pr ecedence value after mapping in place of...

Страница 400: ...e Target drop precedence value Target 802 1p precedence value 0 to 7 0 1 1 8 to 15 1 1 2 16 to 23 2 1 0 24 to 31 3 1 3 32 to 39 4 0 4 40 to 47 5 0 5 48 to 55 6 0 6 56 to 63 7 0 7 Table 1 9 The default...

Страница 401: ...he output queue corresponding to the local precedence value z If DSCP marking is configured the traffic will be marked with the new DSCP value Traffic Policing and Traffic Shaping If user traffic is n...

Страница 402: ...and is called conforming traffic otherwise the traffic does not conform to the specification and is called exceeding traffic A token bucket uses the following parameters z Average rate The rate at wh...

Страница 403: ...z Dropping the nonconforming packets z Forwarding the conforming packets or nonconforming packets z Marking the conforming packets or nonconforming packets with 802 1p precedence and then forwarding...

Страница 404: ...e they will be dropped Compared to traffic policing line rate applies to all the packets passing a port It is a simpler solution if you want to limit the rate of all the packets passing a port Traffic...

Страница 405: ...schedules the eight queues strictly in the descending order of priority It sends packets in the queue with the highest priority first When the queue with the highest priority is empty it sends packet...

Страница 406: ...ing that the packets in low priority queues may failed to be served for a long time Another advantage of WRR queuing is that though the queues are scheduled in order the service time for each queue is...

Страница 407: ...he packets you are interested in Burst The burst function improves packet buffering and forwarding performance in the following scenarios z Dense broadcast or multicast traffic and massive burst traff...

Страница 408: ...t available priority trust modes Configuration prerequisites z The priority trust mode to be used has been determined z The port where priority trust mode is to be configured has been determined z The...

Страница 409: ...ted Configuration examples Configure trusting port priority on GigabitEthernet 1 0 1 and set the priority of GigabitEthernet 1 0 1 to 7 Sysname system view Sysname interface GigabitEthernet1 0 1 Sysna...

Страница 410: ...cos3 map local prec cos4 map local prec cos5 map local prec cos6 map local prec cos7 map local prec Required Configure the CoS precedence to dro p precedence mapping table qos cos drop precedence map...

Страница 411: ...ec edence mapping table qos dscp dscp map dscp list dscp value Required Configuration examples Configure the CoS precedence to local precedence mapping table for an S5100 EI series switch as follows 0...

Страница 412: ...9 7 Sysname qos dscp local precedence map 40 41 42 43 44 45 46 47 0 Sysname qos dscp local precedence map 48 49 50 51 52 53 54 55 5 Sysname qos dscp local precedence map 56 57 58 59 60 61 62 63 6 Sysn...

Страница 413: ...col Packets Refer to Protocol Priority for information about priority of protocol packets Configuration prerequisites z The protocol type has been determined z The priority type IP or DSCP and priorit...

Страница 414: ...y protocol priority Protocol icmp IP Precedence flash 3 Configuring Priority Marking Refer to Priority Marking for information about marking packet priorities This feature is available only on the H3C...

Страница 415: ...r the incoming packets matching the specific ACL rules in a VLAN To do Use the command Remarks Enter system view system view Mark a priority for the incoming packets matching the specific ACL rules in...

Страница 416: ...ork segment 10 1 1 0 24 with DSCP value 56 assuming that GigabitEthernet 1 0 1 carries VLAN 2 and is connected to network segment 10 1 1 0 24 1 Method I configure priority marking for port GigabitEthe...

Страница 417: ...he specific ACL rules globally To do Use the command Remarks Enter system view system view Configure traffic policing traffic limit inbound acl rule target rate conform con action exceed exceed action...

Страница 418: ...erface number Configure traffic policing traffic limit inbound acl rule target rate conform con action exceed exceed action meter statistic Required Disabled by default Clear traffic policing statisti...

Страница 419: ...an 2 inbound ip group 2000 128 exceed remark dscp 56 Configuring Traffic Shaping Refer to Traffic Policing and Traffic Shaping for information about traffic shaping This feature is available only on t...

Страница 420: ...aximum traffic rate being 640 kbps and the burst size being 16 kbytes Sysname system view Sysname interface GigabitEthernet1 0 1 Sysname GigabitEthernet1 0 1 traffic shape 640 16 Configuring Line Rate...

Страница 421: ...used for traffic classification have been defined Refer to the ACL module of this manual for information about defining ACL rules z The port that the ACL matching packets are to be redirected to has...

Страница 422: ...ing for the incoming packets on a port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure traffic redirecting traf...

Страница 423: ...ng for VLAN 2 Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1 0 0 0 0 255 Sysname acl basic 2000 quit Sysname traffic redirect vlan 2 inbound ip group 2000...

Страница 424: ...stem view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1 0 0 0 0 255 Sysname acl basic 2000 quit Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 traffic...

Страница 425: ...lgorithm For example you can assign queues 0 through 3 to group 1 and queues 4 through 7 to group 2 The queues in group 2 are scheduled preferentially using WRR The queues in group 1 are scheduled usi...

Страница 426: ...ounting This feature is available only on the H3C S5100 EI series switches Configuration prerequisites The ACL rules for traffic classification have been defined Refer to the ACL module of this manual...

Страница 427: ...nting for a port group Follow these steps to collect clear statistics about incoming ACL matching packets in a port group To do Use the command Remarks Enter system view system view Enter port group v...

Страница 428: ...configure traffic accounting for port GigabitEthernet 1 0 1 Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1 0 0 0 0 255 Sysname acl basic 2000 quit Sysname...

Страница 429: ...c classification have been defined Refer to the ACL module of this manual for information about defining ACL rules z The mirroring ports and mirroring direction have been determined z The monitor port...

Страница 430: ...d acl rule monitor interface Required 3 Configuring traffic mirroring for a port group Follow these steps to configure traffic mirroring for a port group To do Use the command Remarks Enter system vie...

Страница 431: ...rt GigabitEthernet 1 0 4 assume that GigabitEthernet 1 0 1 is connected to network segment 10 1 1 0 24 and carries VLAN 2 1 Method I configure traffic mirroring for port GigabitEthernet 1 0 1 Sysname...

Страница 432: ...in any view Display the DSCP precedence to local precedence mapping display qos dscp local precedence m ap Available in any view Display queue scheduling configuration display queue scheduler Availabl...

Страница 433: ...fic policing priority marking traffic redirecting or traffic accounting display qos global all mirrored to traffic limit traffic priority traffic redirect traffic statistic Available in any view Displ...

Страница 434: ...from network segment 192 168 1 0 24 Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 192 168 1 0 0 0 0 255 Sysname acl basic 2000 quit Create ACL 2001 and enter b...

Страница 435: ...y and assign the three traffic flows to different queues for scheduling Figure 1 11 Network diagram for priority marking and queue scheduling configuration PC 3 PC 2 PC 1 Switch GE1 0 1 Server 1 192 1...

Страница 436: ...and Switch B Configure VLAN mappings on the switches to enable the hosts on the two customer networks to communicate through public network VLANs z Switch A provides network access for terminal device...

Страница 437: ...chA vlan500 quit SwitchA vlan 600 SwitchA vlan600 quit Configure GigabitEthernet 1 0 11 of Switch A as a trunk port and configure its default VLAN as VLAN 100 Assign GigabitEthernet 1 0 11 to VLAN 100...

Страница 438: ...netframe 4000 rule permit source 100 SwitchA quit SwitchA acl number 4001 SwitchA acl ethernetframe 4001 rule permit source 200 SwitchA quit SwitchA acl number 4002 SwitchA acl ethernetframe 4002 rule...

Страница 439: ...8 1 0 25 and access the Internet through the switch z The R D department is connected to GigabitEthernet 1 0 2 of the switch The hosts of the R D department are on network segment 192 168 2 0 25 and a...

Страница 440: ...ch interface GigabitEthernet 1 0 1 Switch GigabitEthernet1 0 1 mirrored to inbound ip group 2000 monitor interface Switch GigabitEthernet1 0 1 quit Switch interface GigabitEthernet 1 0 3 Switch Gigabi...

Страница 441: ...QoS profile to the port to maintain the same QoS configuration performed for the host Currently a QoS profile can contain configurations concerning packet filtering traffic policing and priority marki...

Страница 442: ...oS profile contains source address information source MAC address information source IP address information or both Manual application mode You can use the apply command to manually apply a QoS profil...

Страница 443: ...on traffic priority inbound acl rule dscp dscp value cos cos value Optional Applying a QoS Profile You can enable a QoS profile to be dynamically applied or apply it manually Configuration prerequisit...

Страница 444: ...w these steps to apply a QoS profile manually To do Use the command Remarks Enter system view system view In system view apply qos profile profile name interface interface list Enter Ethernet port vie...

Страница 445: ...er Switch Network AAA Server GE1 0 1 Configuration procedure 1 Configuration on the AAA server Configure the user authentication information and the user name to QoS profile mapping Refer to the user...

Страница 446: ...to permit IP packets destined for any IP address Sysname acl number 3000 Sysname acl adv 3000 rule 1 permit ip destination any Sysname acl adv 3000 quit Define a QoS profile example to limit the rate...

Страница 447: ...1 4 Traffic Mirroring 1 4 Mirroring Configuration 1 4 Configuring Local Port Mirroring 1 4 Configuring Remote Port Mirroring 1 5 Configuring MAC Based Mirroring 1 8 Configuring VLAN Based Mirroring 1...

Страница 448: ...ring device for network monitoring and diagnosis The port where packets are duplicated is called the source mirroring port or monitored port and the port to which duplicated packets are sent is called...

Страница 449: ...ementation of remote port mirroring Figure 1 2 Remote port mirroring application The switches involved in remote port mirroring function as follows z Source switch The source switch is the device wher...

Страница 450: ...eceives remote mirrored packets Destination switch Destination port Receives packets forwarded from the trunk port and transmits the packets to the data detection device z Do not configure a default V...

Страница 451: ...l inbound outbound traffic passing through a port is monitored traffic mirroring provides a finer monitoring granularity For detailed configuration about traffic mirroring refer to QoS QoS Profile Ope...

Страница 452: ...group group id monitor port monitor port id interface interface type interface number Configure the destination port for the port mirroring group In port view mirroring group group id monitor port Us...

Страница 453: ...t type is Access Configure the trunk port to permit packets from the remote probe VLAN port trunk permit vlan remote probe vlan id Required Return to system view quit Create a remote source mirroring...

Страница 454: ...te probe VLAN 2 Configuration procedure Table 1 4 Follow these steps to perform configurations on the intermediate switch To do Use the command Remarks Enter system view system view Create a VLAN and...

Страница 455: ...Return to system view quit Create a remote destination mirroring group mirroring group group id remote destination Required Configure the destination port for the remote destination mirroring group m...

Страница 456: ...g MAC Based Mirroring mirroring group group id mirroring mac mac vlan vlan id Required Configure the destination port for the mirroring group mirroring group group id monitor port monitor port id Requ...

Страница 457: ...ired Configure the destination port for the mirroring group mirroring group group id monitor port monitor port id Required Note that you need not configure the destination port on the source switch wh...

Страница 458: ...m the R D department and the marketing department through the data detection device Use the local port mirroring function to meet the requirement Perform the following configurations on Switch C z Con...

Страница 459: ...2 of Switch B connects to GigabitEthernet 1 0 1 of Switch C z The data detection device is connected to GigabitEthernet 1 0 2 of Switch C The administrator wants to monitor the packets sent from Depa...

Страница 460: ...ame mirroring group 1 mirroring port GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 inbound Sysname mirroring group 1 reflector port GigabitEthernet 1 0 4 Sysname mirroring group 1 remote probe vlan 10 C...

Страница 461: ...ype trunk Sysname GigabitEthernet1 0 2 port trunk permit vlan 10 3 Configure the destination switch Switch C Create remote destination mirroring group 1 Sysname system view Sysname mirroring group 1 r...

Страница 462: ...type remote destination status active monitor port GigabitEthernet1 0 2 remote probe vlan 10 After the configurations you can monitor all packets sent from Department 1 and 2 on the data detection de...

Страница 463: ...oduction to ARP Attack Detection 1 4 Introduction to Gratuitous ARP 1 5 Configuring ARP 1 5 Configuring ARP Basic Functions 1 5 Configuring ARP Attack Detection 1 6 Configuring Gratuitous ARP 1 7 Disp...

Страница 464: ...device must know the data link layer address MAC address for example of the destination host or the next hop To this end the IP address must be resolved into the corresponding data link layer address...

Страница 465: ...ble 1 2 for the information about the field values Protocol type Type of protocol address to be mapped 0x0800 indicates an IP address Length of hardware address Hardware address length in bytes Length...

Страница 466: ...me The aging period is set by the ARP aging timer ARP Process Figure 1 2 ARP process Suppose that Host A and Host B are on the same subnet and that Host A sends a message to Host B The resolution proc...

Страница 467: ...ost A and Host C respectively causing the two hosts to update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B Then the traffic between Host A an...

Страница 468: ...itous packet conflict with those of its own it returns an ARP response to the sending device to notify of the IP address conflict By sending gratuitous ARP packets a network device can z Determine whe...

Страница 469: ...ac address mac address Enable DHCP snooping dhcp snooping Required Use at least one of the commands By default no IP static binding is created and the DHCP snooping function is disabled Enter Ethernet...

Страница 470: ...s the ARP attack detection based on the IP to MAC bindings Configuring Gratuitous ARP Follow these steps to configure gratuitous ARP To do Use the command Remarks Enter system view system view Enable...

Страница 471: ...MAC address being 000f e201 0000 and the outbound port being GigabitEthernet 1 0 10 of VLAN 1 Configuration procedure Sysname system view Sysname undo arp check enable Sysname arp timer aging 10 Sysna...

Страница 472: ...hcp snooping Specify GigabitEthernet 1 0 1 as the DHCP snooping trusted port and the ARP trusted port SwitchA interface GigabitEthernet1 0 1 SwitchA GigabitEthernet1 0 1 dhcp snooping trust SwitchA Gi...

Страница 473: ...Example 1 4 2 Cluster 2 1 Cluster Overview 2 1 Introduction to HGMP 2 1 Roles in a Cluster 2 2 How a Cluster Works 2 3 Cluster Configuration Tasks 2 8 Configuring the Management Device 2 9 Configuring...

Страница 474: ...becomes the main switch of the stack You can perform the following operations on a main switch z Configuring an IP address pool for the stack z Creating the stack z Switching to slave switch view Befo...

Страница 475: ...tion Command Description Enter system view system view Configure an IP address pool for a stack stacking ip pool from ip address ip address number ip mask Required from ip address Start address of the...

Страница 476: ...EI switch stack and cluster must share the same management VLAN if you want to configure stack within a cluster Switching to Slave Switch View After creating a stack you can switch to slave switch vi...

Страница 477: ...d status of the main switch slave switches Display the stack status information on a slave switch display stacking Optional The display command can be executed in any view The displayed information in...

Страница 478: ..._0 Sysname display stacking members Member number 0 Name stack_0 Sysname Device S5100EI MAC Address 000f e20f c43a Member status Admin IP 129 10 1 15 16 Member number 1 Name stack_1 Sysname Device S51...

Страница 479: ...6 Switch back to Switch A stack_1 Sysname quit stack_0 Sysname Switch to Switch C a slave switch stack_0 Sysname stacking 2 stack_2 Sysname Switch back to Switch A stack_2 Sysname quit stack_0 Sysnam...

Страница 480: ...e and multiple member devices To manage the devices in a cluster you need only to configure an external IP address for the management switch Cluster management enables you to configure and manage remo...

Страница 481: ...guration Function Management device Configured with a external IP address z Provides an interface for managing all the switches in a cluster z Manages member devices through command redirection that i...

Страница 482: ...not want the candidate switches to be added to a cluster automatically you can set the topology collection interval to 0 by using the ntdp timer command In this case the switch does not collect networ...

Страница 483: ...within the specified hop count so as to provide the information of which devices can be added to a cluster Based on the neighbor information stored in the neighbor table maintained by NDP NTDP on the...

Страница 484: ...ce Note the following when creating a cluster z You need to designate a management device for the cluster The management device of a cluster is the portal of the cluster That is any operations from ou...

Страница 485: ...ackets exchanged keep the states of the member devices to be Active and are not responded z If the management device does not receive a handshake packet from a member device after a period three times...

Страница 486: ...necting to the management device the candidate device cannot be added to the cluster In this case you can enable the packets of the management VLAN to be permitted on the port through the management V...

Страница 487: ...d on the MAC address and VLAN ID and then forward the packet to its downstream switch If within the specified hops a switch with the specified destination MAC address is found this switch sends a resp...

Страница 488: ...against opened socket and enhance switch security the S5100 series Ethernet switches provide the following functions so that a cluster socket is opened only when it is needed z Opening UDP port 40000...

Страница 489: ...he interval to send NDP packets ndp timer hello seconds Optional By default the interval to send NDP packets is 60 seconds Enabling NTDP globally and on a specific port Table 2 6 Enable NTDP globally...

Страница 490: ...ction Operation Command Description Enter system view system view Enable the cluster function globally cluster enable Required By default the cluster function is enabled Configuring cluster parameters...

Страница 491: ...h a cluster in automatic mode Table 2 10 Establish a cluster in automatic mode Operation Command Description Enter system view system view Enter cluster view cluster Configure the IP address range for...

Страница 492: ...ster This feature is only applicable to S5100 EI series switches 1 Configuration prerequisites z The cluster switches are properly connected z The shared servers are properly connected to the manageme...

Страница 493: ...uster the candidate devices change to member devices and their UDP port 40000 is opened at the same time z When you execute the administrator address command on a device the device s UDP port 40000 is...

Страница 494: ...ember device Table 2 17 Access the shared FTP TFTP server from a member device Operation Command Description Access the shared FTP server of the cluster ftp cluster Optional Download a file from the s...

Страница 495: ...logy management function After the cluster topology becomes stable you can use the topology management commands on the cluster administrative device to save the topology of the current cluster as the...

Страница 496: ...e Perform the following configuration on the management device Table 2 20 Configure cluster topology management function Operation Command Description Enter system view system view Enter cluster view...

Страница 497: ...ion about the devices in the cluster blacklist display cluster black list Optional This command can be executed in any view Configuring the Cluster Synchronization Function After a cluster is establis...

Страница 498: ...e groupname authentication mode md5 sha authpassstring privacy mode des56 privpassstring Required Not configured by default Create or update the public MIB view information for the cluster cluster snm...

Страница 499: ...ynchronize the command Create a MIB view mib_a which includes all objects of the subtree org test_0 Sysname cluster cluster snmp agent mib view included mib_a org Member 2 succeeded in the mib view co...

Страница 500: ...a public local user for the cluster on the management device and the username and password will be synchronized to the member devices of the cluster which is equal to creating this local user on all m...

Страница 501: ...ation Table 2 22 Display and maintain cluster configuration Operation Command Description Display all NDP configuration and running information including the interval to send NDP packets the holdtime...

Страница 502: ...net 1 0 1 z GigabitEthernet 1 0 1 belongs to VLAN 2 whose interface IP address is 163 172 55 1 z All the devices in the cluster share the same FTP server and TFTP server z The FTP server and TFTP serv...

Страница 503: ...net 1 0 1 Sysname GigabitEthernet1 0 1 undo ntdp enable Sysname GigabitEthernet1 0 1 quit Enable NDP globally and on GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 Sysname system view Sysname ndp ena...

Страница 504: ...r 17 mac address 000f e20f 0012 Set the holdtime of member device information to 100 seconds aaa_0 Sysname cluster holdtime 100 Set the interval to send handshake packets to 10 seconds aaa_0 Sysname c...

Страница 505: ...e operations refer to the preceding description in this chapter z After the above configuration you can receive logs and SNMP trap messages of all cluster members on the NMS Enhanced Cluster Feature C...

Страница 506: ...me cluster Add the MAC address 0001 2034 a0e5 to the cluster blacklist aaa_0 Sysname cluster black list add mac 0001 2034 a0e5 Backup the current topology aaa_0 Sysname cluster topology accept all sav...

Страница 507: ...1 Configuring Basic Trap Functions 1 4 1 3 2 Configuring Extended Trap Function 1 5 1 4 Enabling Logging for Network Management 1 5 1 5 Displaying SNMP 1 6 1 6 SNMP Configuration Example 1 6 1 6 1 SNM...

Страница 508: ...network management station NMS and agent z An NMS can be a workstation running client program At present the commonly used network management platforms include QuidView Sun NetManager IBM NetView and...

Страница 509: ...arting from the root 1 1 Architecture of the MIB tree 1 1 2 1 2 1 2 5 6 B A MIB describes the hierarchical architecture of the tree and it is the set defined by the standard variables of the monitored...

Страница 510: ...name for SNMPv1 and SNMPv2c z You can choose either of them as needed Set the maximum size of an SNMP packet for SNMP agent to receive or send snmp agent packet max size byte count Optional 1 500 byt...

Страница 511: ...formation Create or update the view information snmp agent mib view included excluded view name oid tree mask mask value Optional By default the view name is ViewDefault and OID is 1 Note An S5100 SI...

Страница 512: ...ize Optional The default is 100 Set the aging time for traps snmp agent trap life seconds Optional 120 seconds by default 1 3 2 Configuring Extended Trap Function The extended trap function refers to...

Страница 513: ...e current device display snmp agent local engineid remote engineid Display group information about the device display snmp agent group group name Display SNMP user information display snmp agent usm u...

Страница 514: ...Sysname snmp agent usm user v3 managev3user managev3group authentication mode md5 passmd5 privacy mode aes128 cfb128cfb128 Set the VLAN interface 2 as the interface used by NMS Add port GigabitEtherne...

Страница 515: ...r each security level you need to set authorization mode authorization password encryption mode encryption password and so on In addition you need to set timeout time and maximum retry times You can q...

Страница 516: ...more effectively and actively thus providing a satisfactory means of monitoring remote subnets z With RMON implemented the communication traffic between NMS and SNMP agents can be reduced thus facili...

Страница 517: ...efined in event groups With an alarm entry defined in an alarm group a network device performs the following operations accordingly z Sampling the defined alarm variables periodically z Comparing the...

Страница 518: ...o Use the command Remarks Enter system view system view Add an event entry rmon event event entry description string log trap trap community log trap log trapcommunity none owner text Optional Add an...

Страница 519: ...arm prialarm entry number Display RMON events display rmon event event entry Display RMON event logs display rmon eventlog event entry Available in any view 2 4 RMON Configuration Example 1 Network re...

Страница 520: ...ween samples reaches the rising threshold of 50 event 1 is triggered when the change ratio drops under the falling threshold event 2 is triggered Sysname rmon prialarm 2 1 3 6 1 2 1 16 1 1 1 9 1 1 3 6...

Страница 521: ...ng the Version of IGMP Snooping 2 5 Configuring Timers 2 6 Configuring Fast Leave Processing 2 6 Configuring a Multicast Group Filter 2 7 Configuring the Maximum Number of Multicast Groups on a Port 2...

Страница 522: ...ii...

Страница 523: ...Information Transmission in the Unicast Mode In unicast the system establishes a separate data transmission channel for each user requiring this information and sends a separate copy of the informati...

Страница 524: ...ion transmitted to users is significantly different in other cases this is an inefficient use of the network and when there is limited bandwidth bottlenecks can develop in information transmission In...

Страница 525: ...ot add to the network burden remarkably The advantages of multicast over broadcast are as follows z A multicast data flow can be sent only to the receiver that requires the data z Multicast brings no...

Страница 526: ...RPT or a multicast packet that any multicast source sends to multicast group G Here represents any multicast source while G represents a specific multicast group z S G Indicates a shortest path tree S...

Страница 527: ...all valid they are filtered SSM model In the practical life users may be interested in the multicast data from only certain multicast sources The SSM model provides a transmission service that allows...

Страница 528: ...ty IANA categorizes IP addresses into five classes A B C D and E Unicast packets use IP addresses of Class A B and C based on network scales Class D IP addresses are used as destination addresses of m...

Страница 529: ...re reserved for network protocols on local networks The following table lists commonly used reserved IP multicast addresses Table 1 3 Reserved IP multicast addresses Class D address range Description...

Страница 530: ...k a multicast MAC address is used as the destination address because the destination is a group with an uncertain number of members As stipulated by IANA the high order 24 bits of a multicast MAC addr...

Страница 531: ...st routing protocols 0 describes where these multicast protocols are in a network Figure 1 5 Positions of Layer 3 multicast protocols AS 1 AS 2 Source Receiver Receiver Receiver PIM PIM MSDP IGMP IGMP...

Страница 532: ...Layer 2 multicast protocols 1 IGMP Snooping Running on Layer 2 devices Internet Group Management Protocol Snooping IGMP Snooping are multicast constraining mechanisms that manage and control multicas...

Страница 533: ...s subject to an RPF check z If the result of the RPF check shows that the RPF interface is the incoming interface of the existing S G entry this means that the S G entry is correct but the packet arri...

Страница 534: ...multicast packet from Source arrives to VLAN interface 1 of Switch C and the corresponding forwarding entry does not exist in the multicast forwarding table of Switch C Switch C performs an RPF check...

Страница 535: ...on these mappings As shown in Figure 2 1 when IGMP Snooping is not running on the switch multicast packets are broadcast to all devices at Layer 2 When IGMP Snooping is running on the switch multicast...

Страница 536: ...ernet 1 0 2 of Switch B are member ports The switch records all member ports on the local device in the IGMP Snooping forwarding table Port aging timers in IGMP Snooping and related messages and actio...

Страница 537: ...rding table the switch resets the member port aging timer of the port z If the port is not in the forwarding table the switch installs an entry for this port in the forwarding table and starts the mem...

Страница 538: ...this means that no members of that multicast group still exist under the port the switch deletes the forwarding entry corresponding to the port from the forwarding table when the aging timer expires...

Страница 539: ...MP queries are likely to fail to pass the VLAN You can solve this problem by configuring VLAN tags for queries For details see 0 Configuring a VLAN Tag for Query Messages Configuring the Version of IG...

Страница 540: ...mer of the multicast member port igmp snooping host aging time seconds Optional By default the aging time of multicast member ports is 260 seconds Configuring Fast Leave Processing With fast leave pro...

Страница 541: ...a Multicast Group Filter On an IGMP Snooping enabled switch the configuration of a multicast group allows the service provider to define restrictions on multicast programs available to different user...

Страница 542: ...med in system view takes effect on all ports of the switch if no VLAN is specified if one or more VLANs are specified the configuration takes effect on all ports in the specified VLAN s z The configur...

Страница 543: ...not support IGMP and therefore cannot send general queries by default By enabling IGMP Snooping on a Layer 2 switch in a VLAN where multicast traffic needs to be Layer 2 switched only and no multicast...

Страница 544: ...Required By default unknown multicast flooding suppression If the function of dropping unknown multicast packets is enabled you cannot enable unknown multicast flooding suppression Configuring Static...

Страница 545: ...st static router port vlan vlan id Required By default no static router port is configured In VLAN view Table 2 16 Configure a static router port in VLAN view Operation Command Remarks Enter system vi...

Страница 546: ...imulated multicast group member igmp host join group address source ip source address vlan vlan id Optional Simulated joining is disabled by default z Before configuring a simulated host enable IGMP S...

Страница 547: ...ifferent VLANs to share the same multicast VLAN This saves bandwidth because multicast streams are transmitted only within the multicast VLAN In addition because the multicast VLAN is isolated from us...

Страница 548: ...to system view quit Enter Ethernet port view for the Layer 3 switch interface interface type interface number Define the port as a trunk or hybrid port port link type trunk hybrid Required port hybri...

Страница 549: ...the reset command in user view to clear the statistics information about IGMP Snooping Table 2 21 Display and maintain IGMP Snooping Operation Command Remarks Display the current IGMP Snooping config...

Страница 550: ...1 RouterA system view RouterA multicast routing enable RouterA interface GigabitEthernet 1 0 1 RouterA GigabitEthernet1 0 1 igmp enable RouterA GigabitEthernet1 0 1 quit RouterA interface GigabitEthe...

Страница 551: ...Ethernet1 0 4 This means that Host A and Host B have joined the multicast group 224 1 1 1 Configuring Multicast VLAN Network requirements As shown in Figure 2 4 Workstation is a multicast source Switc...

Страница 552: ...you need to configure the ports that connect Switch A and Switch B to each other as hybrid ports The following text describes the configuration details You can also configure these ports as trunk por...

Страница 553: ...lan10 quit Define GigabitEthernet 1 0 10 as a hybrid port add the port to VLAN 2 VLAN 3 and VLAN 10 and configure the port to forward tagged packets for VLAN 2 VLAN 3 and VLAN 10 SwitchB interface Gig...

Страница 554: ...disabled globally use the igmp snooping enable command in both system view and VLAN view to enable it both globally and on the corresponding VLAN at the same time If it is only disabled on the corres...

Страница 555: ...ort belongs You can configure a static multicast MAC address entry to avoid this Table 3 1 Configure a multicast MAC address entry in system view Operation Command Remarks Enter system view system vie...

Страница 556: ...ed on the local switch the packet will be flooded in the VLAN which the multicast packet belongs to When the function of dropping unknown multicast packets is enabled the switch will drop any multicas...

Страница 557: ...11 Configuration Procedure 1 11 Configuring NTP Authentication 1 11 Configuration Prerequisites 1 12 Configuration Procedure 1 12 Configuring Optional NTP Parameters 1 14 Configuring an Interface on...

Страница 558: ...hronize or be synchronized by other systems by exchanging NTP messages Applications of NTP As setting the system time manually in a network with many devices leads to a lot of workload and cannot ensu...

Страница 559: ...e set as a reference clock It can serve as a reference clock source to synchronize the clock of other devices only after it is synchronized Implementation Principle of NTP Figure 1 1 shows the impleme...

Страница 560: ...essage arrives at Device B Device B inserts its own timestamp 11 00 01 am T2 into the packet z When the NTP message leaves Device B Device B inserts its own timestamp 11 00 02 am T3 into the packet z...

Страница 561: ...ssive peer Clock synchronization request packet Synchronize Network Active peer Works in passive peer mode automatically In peer mode both sides can be synchronized to each other Response packet In th...

Страница 562: ...server while the local switch serves as the client Symmetric peer mode Configure the local S5100 SI EI switch to work in NTP symmetric peer mode In this mode the remote server serves as the symmetric...

Страница 563: ...only after the local clock of the H3C S5100 SI EI Ethernet switch has been synchronized z When symmetric peer mode is configured on two Ethernet switches to synchronize the clock of the two switches...

Страница 564: ...default the switch is not configured to work in the NTP client mode z The remote server specified by remote ip or server name serves as the NTP server and the local switch serves as the NTP client Th...

Страница 565: ...he NTP message will be configured as the IP address of the specified interface z Typically the clock of at least one of the symmetric active and symmetric passive peers should be synchronized first ot...

Страница 566: ...ew interface Vlan interface vlan id Configure the switch to work in the NTP broadcast client mode ntp service broadcast client Required Not configured by default Configuring NTP Multicast Mode For swi...

Страница 567: ...ss Required Not configured by default Configuring Access Control Right With the following command you can configure the NTP service access control right to the local switch for a peer device There are...

Страница 568: ...server synchronization query acl number Optional peer by default The access control right mechanism provides only a minimum degree of security protection for the local switch A more secure method is...

Страница 569: ...y on the broadcast multicast server with the corresponding NTP broadcast multicast client Otherwise NTP authentication cannot be enabled normally z Configurations on the server and the client must be...

Страница 570: ...cation key is configured Configure the specified key as a trusted key ntp service reliable authentication keyid key id Required By default no trusted authentication key is configured Enter VLAN interf...

Страница 571: ...bling an Interface from Receiving NTP Messages Optional Configuring an Interface on the Local Switch to Send NTP Messages Follow these steps to configure an interface on the local switch to send NTP m...

Страница 572: ...he maximum number of dynamic sessions that can be established on the local switch ntp service max dynamic sessions number Required By default up to 100 dynamic sessions can be established locally Disa...

Страница 573: ...efore synchronization DeviceB display ntp service status Clock status unsynchronized Clock stratum 16 Reference clock ID none Nominal frequency 60 0002 Hz Actual frequency 60 0002 Hz Clock precision 2...

Страница 574: ...ed 4 candidate 5 configured Total associations 1 Configuring NTP Symmetric Peer Mode Network requirements z The local clock of Device A is set as the NTP master clock with the clock stratum level of 2...

Страница 575: ...t information indicates that the clock of Device C is synchronized to that of Device B and the stratum level of its local clock is 2 one level lower than Device B View the information about the NTP se...

Страница 576: ...nt DeviceA interface Vlan interface 2 DeviceA Vlan interface2 ntp service broadcast client After the above configurations Device A and Device D will listen to broadcast messages through their own VLAN...

Страница 577: ...tions 1 Configuring NTP Multicast Mode Network requirements z The local clock of Device C is set as the NTP master clock with a clock stratum level of 2 Configure Device C to work in the NTP multicast...

Страница 578: ...minal frequency 60 0002 Hz Actual frequency 60 0002 Hz Clock precision 2 18 Clock offset 198 7425 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 U...

Страница 579: ...s Device B is ready to synchronize with Device A Because the NTP authentication function is not enabled on Device A the clock of Device B will fail to be synchronized to that of Device A 2 To synchron...

Страница 580: ...vice A with a clock stratum level of 3 one stratum level lower than that Device A View the information about NTP sessions of Device B you can see that a connection is established between Device B and...

Страница 581: ...blic Key to a File 1 13 Configuring the SSH Client 1 14 SSH Client Configuration Task List 1 14 Configuring an SSH Client that Runs SSH Client Software 1 14 Configuring an SSH Client Assumed by an SSH...

Страница 582: ...SSH can also provide data compression to increase transmission speed take the place of Telnet and provide a secure channel for transfers using File Transfer Protocol FTP SSH adopts the client server...

Страница 583: ...nature is correct this means that the data originates from user 1 Both Revest Shamir Adleman Algorithm RSA and Digital Signature Algorithm DSA are asymmetric key algorithms RSA is used for data encryp...

Страница 584: ...use The server compares the version carried in the packet with that of its own to determine whether it can cooperate with the client z If the negotiation is successful the server and the client go on...

Страница 585: ...the public key is invalid the authentication fails otherwise the server generates a digital signature to authenticate the client and then sends back a message to inform the success or failure of the...

Страница 586: ...functions Configuring the SSH Server Configuring an SSH Client that Runs SSH Client Software An H3C switch Another H3C switch Configuring the SSH Server Configuring an SSH Client Assumed by an SSH2 Ca...

Страница 587: ...d when the authentication mode is publickey Assigning a Public Key to an SSH User z Not necessary when the authentication mode is password z Required when the authentication mode is publickey Data exc...

Страница 588: ...server provides a number of management functions to prevent illegal operations such as malicious password guess guaranteeing the security of SSH connections You can specify the IP address or the inter...

Страница 589: ...be compatible with SSH1 clients ssh server compatible ssh1x enable Optional By default the SSH server is compatible with SSH1 clients Configuring Key Pairs The SSH server s key pairs are for generati...

Страница 590: ...estroy rsa Destroy key pair s Destroy the DSA key pair public key local destroy dsa Optional Creating an SSH User and Specifying an Authentication Type This task is to create an SSH user and specify a...

Страница 591: ...fore logging in In this mode you do not need to create a key pair on each client You can configure the clients to use the same key pair that is created on one client for publickey authentication With...

Страница 592: ...enjoy this level z Under the password or password publickey authentication mode the level of commands available to a logged in SSH user is determined by the AAA scheme Meanwhile for different users th...

Страница 593: ...e the public key of a client manually To do Use the command Remarks Enter system view system view Enter public key view public key peer keyname Required Enter public key edit view public key code begi...

Страница 594: ...blic Key of a Client on the Server or Configuring whether first time authentication is supported an SSH client s or an SSH server s host public key can be imported from a public key file This task all...

Страница 595: ...lient software For a client assumed by an SSH2 capable switch The authentication mode is password Configuring an SSH Client that Runs SSH Client Software Configuring an SSH Client Assumed by an SSH2 C...

Страница 596: ...select SSH z Selecting the SSH version Since the device supports SSH2 0 now select 2 0 or lower for the client z Specifying the private key file On the server if public key authentication is enabled...

Страница 597: ...bar in the blue box of shown in Figure 1 4 Otherwise the process bar stops moving and the key pair generating process is stopped Figure 1 4 Generate the client keys 2 After the key pair is generated...

Страница 598: ...you whether to save the private key without any precaution Click Yes and enter the name of the file for saving the private key private in this case to save the private key Figure 1 6 Generate the clie...

Страница 599: ...1 18 Figure 1 7 Generate the client keys 5 Specifying the IP address of the Server Launch PuTTY exe The following window appears Figure 1 8 SSH client configuration interface 1...

Страница 600: ...9 appears Figure 1 9 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version Some SSH client software for example Tectia client software supports the D...

Страница 601: ...nd click Open If the connection is normal a user will be prompted for a username Once passing the authentication the user can log in to the server Configuring an SSH Client Assumed by an SSH2 Capable...

Страница 602: ...disabled an SSH client that is not configured with the server host public key will be denied of access to the server To access the server a user must configure in advance the server host public key l...

Страница 603: ...ource ip ip address Optional By default no source IP address is configured Specify a source interface for the SSH client ssh2 source interface interface type interface number Optional By default no so...

Страница 604: ...the IP address of the source interface specified for the SSH server display ssh server source ip Display the mappings between host public keys and SSH servers saved on a client display ssh server info...

Страница 605: ...its authentication type ssh user username authentication type rsa ssh user username authentication type publickey z After RSA key pairs are generated the display rsa local key pair public command dis...

Страница 606: ...n mode for the user interfaces to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH Switch ui vty0 4 protocol inbound ssh Switch u...

Страница 607: ...as an example 1 Run PuTTY exe to enter the following configuration interface Figure 1 12 SSH client configuration interface 1 In the Host Name or IP address text box enter the IP address of the SSH se...

Страница 608: ...cation succeeds you will log in to the server When Switch Acts as Server for Password and RADIUS Authentication Network requirements As shown in Figure 1 14 an SSH connection is required between the h...

Страница 609: ...the navigation tree In the System Configuration page click Modify of the Access Device item and then click Add to enter the Add Access Device page and perform the following configurations z Specify th...

Страница 610: ...fy the password z Select SSH as the service type z Specify the IP address range of the hosts to be managed z Add an account for device management 1 Configure the SSH server Create a VLAN interface on...

Страница 611: ...key authentication expert Switch radius rad server type extended Switch radius rad user name format without domain Switch radius rad quit Apply the scheme to the ISP domain Switch domain bbb Switch is...

Страница 612: ...he category on the left pane of the window select Connection SSH The window as shown in Figure 1 16 appears Figure 1 16 SSH client configuration interface 2 Under Protocol options select 2 from Prefer...

Страница 613: ...with the switch z The switch cooperates with an HWTACACS server to authenticate SSH users Network diagram Figure 1 17 Switch acts as server for password and HWTACACS authentication Configuration proc...

Страница 614: ...domain bbb Switch isp bbb scheme hwtacacs scheme hwtac Switch isp bbb quit Configure an SSH user specifying the switch to perform password authentication for the user Switch ssh user client001 authent...

Страница 615: ...ill log in to the server The level of commands that you can access after login is authorized by the HWTACACS server For authorization configuration of the HWTACACS server refer to relevant HWTACACS se...

Страница 616: ...irs Switch public key local create rsa Switch public key local create dsa Set the authentication mode for the user interfaces to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication mode...

Страница 617: ...Switch001 z Configure the SSH client taking PuTTY version 0 58 as an example Generate an RSA key pair 1 Run PuTTYGen exe choose SSH2 RSA and click Generate Figure 1 21 Generate a client key pair 1 Wh...

Страница 618: ...re 1 22 Generate a client key pair 2 After the key pair is generated click Save public key and enter the name of the file for saving the public key public in this case Figure 1 23 Generate a client ke...

Страница 619: ...is generated you need to upload the pubic key file to the server through FTP or TFTP and complete the server end configuration before you continue to configure the client Establish a connection with...

Страница 620: ...26 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version 4 Select Connection SSH Auth The following window appears Figure 1 27 SSH client configurati...

Страница 621: ...Configure Switch B Create a VLAN interface on the switch and assign an IP address which the SSH client will use as the destination for SSH connection SwitchB system view SwitchB interface vlan interfa...

Страница 622: ...SwitchA ssh2 10 165 87 136 Username client001 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 The Server is not authenticated Do you continue to access it Y N y Do you want to s...

Страница 623: ...itchB public key local create rsa SwitchB public key local create dsa Set the authentication mode for the user interfaces to AAA SwitchB user interface vty 0 4 SwitchB ui vty0 4 authentication mode sc...

Страница 624: ...ate dsa Export the generated DSA key pair to a file named Switch001 SwitchA public key local export dsa ssh2 Switch001 After the key pair is generated you need to upload the pubic key file to the serv...

Страница 625: ...the destination of the client SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Generating the RSA and...

Страница 626: ...generate a DSA key pair on the server and save the key pair in a file named Switch002 and then upload the file to the SSH client through FTP or TFTP z Configure Switch A Create a VLAN interface on the...

Страница 627: ...ch002 SwitchA public key peer Switch002 import sshkey Switch002 Specify the host public key pair name of the server SwitchA ssh client 10 165 87 136 assign publickey Switch002 Establish the SSH connec...

Страница 628: ...tion to File System 1 1 File System Configuration Tasks 1 1 Directory Operations 1 1 File Operations 1 2 Flash Memory Operations 1 3 Prompt Mode Configuration 1 3 File System Configuration Example 1 4...

Страница 629: ...e path and file name in one of the following ways z In universal resource locator URL format and starting with unit1 flash or flash This method is used to specify a file in the current Flash memory Fo...

Страница 630: ...that the execute command should be executed in system view Table 1 3 File operations To do Use the command Remarks Delete a file delete unreserved file url delete running files standby files unreserv...

Страница 631: ...the switch adopts the null configuration when it starts up next time Flash Memory Operations Perform the following Flash memory operations using commands listed in Table 1 4 Perform the following con...

Страница 632: ...drw Apr 04 2000 23 04 21 test 7239 KB total 3585 KB free with main attribute b with backup attribute b with both main and backup attribute Copy the file flash config cfg to flash test with 1 cfg as th...

Страница 633: ...main backup and none as described in Table 1 6 Table 1 6 Descriptions on file attributes Attribute name Description Feature Identifier main Identifies main startup files The main startup file is prefe...

Страница 634: ...e Perform the configuration listed in Table 1 7 in user view The display commands can be executed in any view Table 1 7 Configure file attributes To do Use the command Remarks Configure the app file w...

Страница 635: ...the Boot menu after restarting the switch or specify a new Web file by using the boot web package command Otherwise Web server cannot function normally z Currently a configuration file has the extensi...

Страница 636: ...mple A Switch Operating as an FTP Server 1 9 FTP Banner Display Configuration Example 1 11 FTP Configuration A Switch Operating as an FTP Client 1 12 SFTP Configuration 1 14 SFTP Configuration A Switc...

Страница 637: ...red through command lines and the most popular application is FTP At present although E mail and Web are the usual methods for file transmission FTP still has its strongholds As an application layer p...

Страница 638: ...ng a securer guarantee for data transmission In addition since the switch can be used as a client you can log in to remote devices to transfer files securely FTP Configuration Complete the following t...

Страница 639: ...et switch at a given time when the latter operates as an FTP server z Operating as an FTP server an H3C S5100 SI EI series Ethernet switch cannot receive a file whose size exceeds its storage space Th...

Страница 640: ...interface and source IP address for an FTP server To do Use the command Remarks Enter system view system view Specify the source interface for an FTP server ftp server source interface interface type...

Страница 641: ...t switch will disconnect the user after the data transmission is completed Configuring the banner for an FTP server Displaying a banner With a banner configured on the FTP server when you access the F...

Страница 642: ...Use the command Remarks Display the information about FTP server configurations on a switch display ftp server Display the source IP address set for an FTP server display ftp server source ip Display...

Страница 643: ...ectory cdup Get the local working path on the FTP client lcd Display the working directory on the FTP server pwd Create a directory on the remote FTP server mkdir pathname Remove a directory on the re...

Страница 644: ...nterface and source IP address for a switch acting as an FTP client so that it can connect to a remote FTP server Follow these steps to specify the source interface and source IP address for an FTP cl...

Страница 645: ...equirements A switch operates as an FTP server and a remote PC as an FTP client The application switch bin of the switch is stored on the PC Upload the application to the remote switch through FTP and...

Страница 646: ...s the Ethernet switch through FTP Input the username switch and password hello to log in and enter FTP view C ftp 1 1 1 1 Connected to 1 1 1 1 220 FTP service ready User 1 1 1 1 none switch 331 Passwo...

Страница 647: ...tart the switch Thus the switch application is upgraded Sysname boot boot loader switch bin Sysname reboot For information about the boot boot loader command and how to specify the startup file for a...

Страница 648: ...1 1 220 login banner appears 220 FTP service ready User 1 1 1 1 none switch 331 Password required for switch Password 230 shell banner appears 230 User logged in ftp FTP Configuration A Switch Operati...

Страница 649: ...you need to delete files not in use from the Flash memory to make room for the file and then upload the file again The files in use cannot be deleted If you have to delete the files in use to make roo...

Страница 650: ...emarks Enabling an SFTP server Required Configuring connection idle time Optional SFTP Configuration A Switch Operating as an SFTP Server Supported SFTP client software Basic configurations on an SFTP...

Страница 651: ...client software see the corresponding configuration manual z Currently an H3C S5100 SI EI series Ethernet switch operating as an SFTP server supports the connection of only one SFTP user When multiple...

Страница 652: ...ile remove remote file Optional Both commands have the same effect dir a l remote path Query a specified file on the SFTP server ls a l remote path Optional If no file name is provided all the files i...

Страница 653: ...emarks Enter system view system view Specify an interface as the source interface of the specified SFTP client sftp source interface interface type interface number Specify an IP address as the source...

Страница 654: ...ication timeout time retry number and update time of the server key adopt the default values Sysname ssh user client001 authentication type password Specify the service type as SFTP Sysname ssh user c...

Страница 655: ...1 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub Received status End of file Received status Su...

Страница 656: ...lly ended Upload file pu to the server and rename it as puk and then verify the result sftp client put pu puk This operation may take a long time please wait Local file pu Remote file puk Received sta...

Страница 657: ...kets from the TFTP server An H3C S5100 SI EI series Ethernet switch can act as a TFTP client only When you download a file that is larger than the free space of the switch s flash memory z If the TFTP...

Страница 658: ...d by the specified TFTP client to access a TFTP server tftp server acl acl number Optional Not specified by default Specifying the source interface or source IP address for an FTP client You can speci...

Страница 659: ...e source IP address is different from the fixed one the former will be used for the connection this time z You may specify only one source interface or source IP address for the TFTP client at one tim...

Страница 660: ...e on the switch to be 1 1 1 1 and ensure that the port through which the switch connects with the PC belongs to this VLAN This example assumes that the port belongs to VLAN 1 Sysname interface Vlan in...

Страница 661: ...stem Information to the Console 1 8 Setting to Output System Information to a Monitor Terminal 1 10 Setting to Output System Information to a Log Host 1 11 Setting to Output System Information to the...

Страница 662: ...gnosing network problems The information center of the system has the following features Classification of system information The system is available with three types of information z Log information...

Страница 663: ...output directions Information channel number Default channel name Default output direction 0 console Console Receives log trap and debugging information 1 monitor Monitor terminal Receives log trap a...

Страница 664: ...module HA High availability module HABP Huawei authentication bypass protocol module HTTPD HTTP server module HWCM Huawei Configuration Management private MIB module IFNET Interface management module...

Страница 665: ...ns z If the output destination is console monitor terminal logbuffer trapbuffer or SNMP the system information is in the following format timestamp sysname module level digest unitid content Note z Th...

Страница 666: ...to allow users to check and identify system events Note that there is a space between the timestamp and sysname host name fields The time stamp has the following two formats 1 Without the universal ti...

Страница 667: ...en the sysname and module fields This field is a preamble used to identify a vendor It is displayed only when the output destination is log host nn This field is a version identifier of syslog It is d...

Страница 668: ...on to the Trap Buffer Optional Setting to Output System Information to the Log Buffer Optional Setting to Output System Information to the SNMP NMS Optional Configuring Synchronous Information Output...

Страница 669: ...s to configure to display time stamp with the UTC time zone To do Use the command Remarks Set the time zone for the system clock timezone zone name add minus time Required By default UTC time zone is...

Страница 670: ...when configuring the system information output rules and use the debugging command to enable debugging for the corresponding modules Table 1 4 Default output rules for different output directions LOG...

Страница 671: ...nd Setting to Output System Information to a Monitor Terminal System information can also be output to a monitor terminal which is a user terminal that has login connections through the AUX VTY or TTY...

Страница 672: ...tput system information to a monitor terminal you need to enable the associated display function in order to display the output information on the monitor terminal Follow these steps to enable the dis...

Страница 673: ...r channel name log trap debug level severity state state Optional Refer to Table 1 4 for the default output rules of system information Set the format of the time stamp to be sent to the log host info...

Страница 674: ...e size buffersize Optional By default the switch uses information channel 4 to output log information to the log buffer which can holds up to 512 items by default Configure the output rules of system...

Страница 675: ...ommand Remarks Display information on an information channel display channel channel number channel name Display the operation status of information center the configuration of information channels th...

Страница 676: ...e host whose IP address is 202 38 1 10 as the log host Permit ARP and IP modules to output information with severity level higher than informational to the log host Switch info center loghost 202 38 1...

Страница 677: ...the following command to send a HUP signal to the system daemon syslogd so that it can reread its configuration file etc syslog conf ps ae grep syslogd 147 kill HUP 147 After all the above operations...

Страница 678: ...nf z A note must start in a new line starting with a sign z In each pair a tab should be used as a separator instead of a space z No space is permitted at the end of the file name z The device name fa...

Страница 679: ...ing information to the console channels Switch undo info center source default channel console Enable log information output to the console Permit ARP and IP modules to output log information with sev...

Страница 680: ...C time Switch clock timezone z8 add 08 00 00 Set the time stamp format of the log information to be output to the log host to date Switch system view System View return to User View with Ctrl Z Switch...

Страница 681: ...g Disabling System Debugging 2 2 Displaying Debugging Status 2 3 Displaying Operating Information about Modules in System 2 3 3 Network Connectivity Test 3 1 Network Connectivity Test 3 1 ping 3 1 tra...

Страница 682: ...or information you are interested in z Introduction to Loading Approaches z Local Boot ROM and Software Loading z Remote Boot ROM and Software Loading Introduction to Loading Approaches You can load s...

Страница 683: ...tion date Apr 16 2007 11 29 53 CPU Clock Speed 200MHz BUS Clock Speed 33MHz Memory Size 64MB Mac Address 000fe2123456 Press Ctrl B to enter Boot Menu Press Ctrl B The system displays Password To enter...

Страница 684: ...negotiation characters to negotiate a packet checking method After the negotiation the sending program starts to transmit data packets When receiving a complete packet the receiving program checks the...

Страница 685: ...9600 bps as the download baudrate you need not modify the HyperTerminal s baudrate and therefore you can skip Step 4 and 5 below and proceed to Step 6 directly In this case the system will not display...

Страница 686: ...HyperTerminal to the switch as shown in Figure 1 3 Figure 1 3 Connect and disconnect buttons The new baudrate takes effect after you disconnect and reconnect the HyperTerminal program Step 6 Press En...

Страница 687: ...dialog box Step 8 Click Send The system displays the page as shown in Figure 1 5 Figure 1 5 Sending file page Step 9 After the sending process completes the system displays the following information L...

Страница 688: ...for loading the Boot ROM except that the system gives the prompt for host software loading instead of Boot ROM loading You can also use the xmodem get command to load host software through the Consol...

Страница 689: ...rTerminal program on the configuration PC Start the switch Then enter the BOOT Menu At the prompt Enter your choice 0 9 in the BOOT Menu press 6 or Ctrl U and then press Enter to enter the Boot ROM up...

Страница 690: ...xcept that the system gives the prompt for host software loading instead of Boot ROM loading When loading Boot ROM and host software using TFTP through BOOT menu you are recommended to use the PC dire...

Страница 691: ...the following FTP related parameters as required Load File name switch btm Switch IP address 10 1 1 2 Server IP address 10 1 1 1 FTP User Name Switch FTP User Password abc Step 5 Press Enter The syste...

Страница 692: ...M and host software remotely Remote Loading Using FTP Loading Procedure Using FTP Client 1 Loading the Boot ROM As shown in Figure 1 8 a PC is used as both the configuration device and the FTP server...

Страница 693: ...the boot boot loader command to select the host software used for next startup of the switch After the above operations the Boot ROM and host software loading is completed Pay attention to the follow...

Страница 694: ...with Ctrl Z Sysname interface Vlan interface 1 Sysname Vlan interface1 ip address 192 168 0 28 255 255 255 0 Step 3 Enable FTP service on the switch and configure the FTP user name to test and passwo...

Страница 695: ...ep 6 Enter ftp 192 168 0 28 and enter the user name test password pass as shown in 0 to log on to the FTP server Figure 1 12 Log on to the FTP server Step 7 Use the put command to upload the file swit...

Страница 696: ...hat the file to be downloaded is the host software file and that you need to use the boot boot loader command to select the host software used for the next startup of the switch z The steps listed abo...

Страница 697: ...name and time range of the summer time clock summer time zone_name one off repeating start time start date end time end date offset time Optional Execute this command in user view z When the system r...

Страница 698: ...ol the display of debugging information z Protocol debugging switch which controls protocol specific debugging information z Screen output switch which controls whether to display the debugging inform...

Страница 699: ...stem debugging Displaying Debugging Status To do Use the command Remarks Display all enabled debugging on the specified device display debugging unit unit id interface interface type interface number...

Страница 700: ...cket percentage and the minimum average and maximum values of response time tracert You can use the tracert command to trace the gateways that a packet passes from the source to the destination This c...

Страница 701: ...3 2...

Страница 702: ...iguration Device Management Configuration Task list Complete the following tasks to configure device management Task Remarks Rebooting the Ethernet Switch Optional Scheduling a Reboot on the Switch Op...

Страница 703: ...eriod schedule reboot regularity at hh mm period Optional The switch timer can be set to precision of one minute that is the switch will reboot within one minute after the specified reboot date and ti...

Страница 704: ...to upgrade the Boot ROM To do Use the command Remarks Upgrade the Boot ROM boot bootrom file url device name Required Identifying and Diagnosing Pluggable Transceivers Introduction to pluggable transc...

Страница 705: ...the field is H3C it is considered an H3C customized pluggable transceiver z Electrical label information is also called permanent configuration data or archive information which is written to the stor...

Страница 706: ...ce number module name Available in any view Remote Switch APP Upgrade Configuration Example Network requirements Telnet to the switch from a PC remotely and download applications from the FTP server t...

Страница 707: ...ation part of this manual for configuration commands and steps about telnet user 3 Execute the telnet command on the PC to log into the switch The following prompt appears Sysname If the Flash memory...

Страница 708: ...cify the downloaded program as the host software to be adopted when the switch starts next time Sysname boot boot loader switch bin The specified file will be booted next time on unit 1 Sysname displa...

Страница 709: ...iguration 1 4 VLAN VPN Configuration Example 1 4 Transmitting User Packets through a Tunnel in the Public Network by Using VLAN VPN 1 4 2 Selective QinQ Configuration 2 1 Selective QinQ Overview 2 1 S...

Страница 710: ...oviders backbone networks with both inner and outer VLAN tags In public networks packets of this type are transmitted by their outer VLAN tags that is the VLAN tags of public networks and the inner VL...

Страница 711: ...he Tag packet of an Ethernet frame defined by IEEE 802 1Q Figure 1 3 The structure of the Tag packet of an Ethernet frame 0 31 15 TPID Priority VLAN ID CFI By default S5100 SI EI series switches adopt...

Страница 712: ...tem view Enter Ethernet port view interface interface type interface number Enable the VLAN VPN feature on the port vlan vpn enable Required By default the VLAN VPN feature is disabled on a port TPID...

Страница 713: ...PN uplink port z A VLAN VPN uplink port does not remove the outer VLAN tags of packets to be sent through it so a VLAN VPN uplink port must be configured as a trunk port or hybrid port and configured...

Страница 714: ...ration Configuration procedure z Configure Switch A Enable the VLAN VPN feature on GigabitEthernet 1 0 11 of Switch A and tag the packets received on this port with the tag of VLAN 1040 as the outer V...

Страница 715: ...d to configure the two ports to remove the outer VLAN tags before transmitting packets of VLAN 1040 Refer to Port Basic Configuration in this manual for detailed configuration z Configure the devices...

Страница 716: ...the packet is forwarded which restores the packet to a packet tagged with only the private VLAN tag and enables it to be forwarded to its destination networks 5 It is the same case when a packet trave...

Страница 717: ...fferent outer VLAN tags to the packets with different inner VLAN tags The selective QinQ feature makes the service provider network structure more flexible You can classify the terminal users on the p...

Страница 718: ...etwork resources are well utilized and users of the same type are also isolated by their inner VLAN tags This helps to improve network security Inner to Outer Tag Priority Mapping As shown in Figure 1...

Страница 719: ...n vpn priority old priority remark new priority Required By default the inner to outer tag priority mapping feature is not enabled Selective QinQ Configuration Example Processing Private Network Packe...

Страница 720: ...GE1 0 5 For PC User VLAN100 108 For IP Phone VLAN200 230 SwitchA SwitchB GE1 0 11 GE1 0 12 GE1 0 13 Configuration procedure z Configure Switch A Create VLAN 1000 VLAN 1200 and VLAN 5 the default VLAN...

Страница 721: ...AN 1000 as the outer VLAN tag when they are forwarded to the public network by Switch A and packets of VLAN 200 through VLAN 230 that is packets of IP phone users are tagged with the tag of VLAN 1200...

Страница 722: ...to the clients in the same way you need to configure the selective QinQ feature on GigabitEthernet 1 0 12 and GigabitEthernet 1 0 13 The configuration on Switch B is similar to that on Switch A and is...

Страница 723: ...onfiguration 1 4 HWPing Server Configuration 1 4 HWPing Client Configuration 1 4 Displaying HWPing Configuration 1 15 HWPing Configuration Examples 1 15 ICMP Test 1 15 DHCP Test 1 17 FTP Test 1 18 HTT...

Страница 724: ...client and sometimes the corresponding HWPing servers as well to perform various HWPing tests All HWPing tests are initiated by a HWPing client and you can view the test results on the HWPing client...

Страница 725: ...test you must specify a destination IP address and the destination address must be the IP address of a TCP UDP UDP listening service configured on the HWPing server Destination port destination port F...

Страница 726: ...er in the test packets dns This parameter is used to specify a DNS domain name in a HWPing DNS test group dns server This parameter is used to set the DNS server IP address in a HWPing DNS test group...

Страница 727: ...WPing server configurations To do Use the command Remarks Enter system view system view Enable the HWPing server function hwping server enable Required Disabled by default Configure a UDP listening se...

Страница 728: ...probes per test count times Optional By default each test makes one probe Configure the packet size datasize size Optional By default the packet size is 56 bytes Configure the maximum number of histor...

Страница 729: ...50 Configure the probe timeout time timeout time Optional By default a probe times out in three seconds Start the test test enable Required Display test results display hwping results admin name opera...

Страница 730: ...l By default the type of FTP operation is get that is the FTP operation will get a file from the FTP server Configure an FTP login username username name Configure an FTP login password password passw...

Страница 731: ...y default each test makes one probe Configure the maximum number of history records that can be saved history records number Optional By default the maximum number is 50 Configure the automatic test i...

Страница 732: ...nation port is configured Configure the source IP address source ip ip address Optional By default no source IP address is configured Configure the source port source port port number Optional By defa...

Страница 733: ...tem view system view Enable the HWPing client function hwping agent enable Required By default the HWPing client function is disabled Create a HWPing test group and enter its view hwping administrator...

Страница 734: ...fault the HWPing client function is disabled Create a HWPing test group and enter its view hwping administrator name operation tag Required By default no test group is configured Configure the destina...

Страница 735: ...ault the maximum number is 50 Configure the type of service tos value Optional By default the service type is zero Start the test test enable Required Display test results display hwping results admin...

Страница 736: ...Configure the number of probes per test count times Optional By default one probe is made per test Configure the maximum number of history records that can be saved history records number Optional By...

Страница 737: ...utomatic test interval is zero seconds indicating no automatic test will be made Configure the probe timeout time timeout time Optional By default a probe times out in three seconds Configure the type...

Страница 738: ...fails Configure the number of consecutive unsuccessful HWPing probes before Trap output probe failtimes times Optional By default Trap messages are sent each time a probe fails Displaying HWPing Conf...

Страница 739: ...nistrator icmp history records 5 Display test results Sysname hwping administrator icmp display hwping results administrator icmp HWPing entry admin administrator tag icmp test result Destination ip a...

Страница 740: ...ing agent enable Create a HWPing test group setting the administrator name to administrator and test tag to DHCP Sysname Hwping administrator dhcp Configure the test type as dhcp Sysname hwping admini...

Страница 741: ...6 1020 1 0 2000 04 03 09 50 52 8 7 1018 1 0 2000 04 03 09 50 48 8 8 1020 1 0 2000 04 03 09 50 36 8 9 1020 1 0 2000 04 03 09 50 30 8 10 1028 1 0 2000 04 03 09 50 22 8 For detailed output description s...

Страница 742: ...address of the FTP server as 10 2 2 2 Sysname hwping administrator ftp destination ip 10 2 2 2 Configure the FTP login username Sysname hwping administrator ftp username admin Configure the FTP login...

Страница 743: ...rd Index Response Status LastRC Time 1 15822 1 0 2000 04 03 04 00 34 6 2 15772 1 0 2000 04 03 04 00 18 8 3 9945 1 0 2000 04 03 04 00 02 9 4 15891 1 0 2000 04 03 03 59 52 9 5 15772 1 0 2000 04 03 03 59...

Страница 744: ...2 Sysname hwping administrator http destination ip 10 2 2 2 Configure to make 10 probes per test Sysname hwping administrator http count 10 Set the probe timeout time to 30 seconds Sysname hwping adm...

Страница 745: ...000 04 02 15 15 52 5 2 9 1 0 2000 04 02 15 15 52 5 3 3 1 0 2000 04 02 15 15 52 5 4 3 1 0 2000 04 02 15 15 52 5 5 3 1 0 2000 04 02 15 15 52 5 6 2 1 0 2000 04 02 15 15 52 4 7 3 1 0 2000 04 02 15 15 52 4...

Страница 746: ...igure the IP address of the HWPing server as 10 2 2 2 Sysname hwping administrator Jitter destination ip 10 2 2 2 Configure the destination port on the HWPing server Sysname hwping administrator Jitte...

Страница 747: ...ve DS Square Sum 161 SD lost packets number 0 DS lost packet number 0 Unknown result lost packet number 0 Sysname hwping administrator Jitter display hwping history administrator Jitter HWPing entry a...

Страница 748: ...rence in this example This configuration may differ if the system uses any other version of SNMP For details see SNMP RMON Operation Manual z Configure HWPing Client Switch A Enable the HWPing client...

Страница 749: ...g history administrator snmp HWPing entry admin administrator tag snmp history record Index Response Status LastRC Time 1 10 1 0 2000 04 03 08 57 20 0 2 10 1 0 2000 04 03 08 57 20 0 3 10 1 0 2000 04 0...

Страница 750: ...onfigure to make 10 probes per test Sysname hwping administrator tcpprivate count 10 Set the probe timeout time to 5 seconds Sysname hwping administrator tcpprivate timeout 5 Start the test Sysname hw...

Страница 751: ...n the two switches to test the RTT of UDP packets between this end HWPing client and the specified destination end HWPing server Network diagram Figure 1 9 Network diagram for the Udpprivate test Conf...

Страница 752: ...Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number 0 Other operation errors 0 Sysname hw...

Страница 753: ...2 2 Sysname hwping administrator dns dns server 10 2 2 2 Configure to resolve the domain name www test com Sysname hwping administrator dns dns resolve target www test com Configure to make 10 probes...

Страница 754: ...d Times 0 Sysname hwping administrator dns display hwping history administrator dns HWPing entry admin administrator tag dns history record Index Response Status LastRC Time 1 10 1 0 2006 11 28 11 50...

Страница 755: ...nfiguring Domain Name Resolution 1 2 Configuring Static Domain Name Resolution 1 2 Configuring Dynamic Domain Name Resolution 1 3 Displaying and Maintaining DNS 1 3 DNS Configuration Examples 1 4 Stat...

Страница 756: ...ase would increase efficiency Some frequently used addresses can be put in the static DNS database Currently S5100 SI EI series Ethernet switches support both static and dynamic DNS clients Static Dom...

Страница 757: ...by users It is used when the name to be resolved is not complete The resolver can supply the missing part automatic domain name addition For example a user can configure com as the suffix for aabbcc...

Страница 758: ...address is configured for the DNS server by default Configure DNS suffixes dns domain domain name Optional No DNS suffix is configured by default Note You may configure up to six DNS servers and ten...

Страница 759: ...name ping host com PING host com 10 1 1 2 56 data bytes press CTRL_C to break Reply from 10 1 1 2 bytes 56 Sequence 1 ttl 127 time 3 ms Reply from 10 1 1 2 bytes 56 Sequence 2 ttl 127 time 3 ms Reply...

Страница 760: ...ution Sysname system view Sysname dns resolve Configure the IP address 2 1 1 2 for the DNS server Sysname dns server 2 1 1 2 Configure com as the DNS suffix Sysname dns domain com Execute the ping hos...

Страница 761: ...at the specified domain name is in the cache z If there is no defined domain name check that dynamic domain name resolution is enabled and the DNS client can communicate with the DNS server z If the s...

Страница 762: ...aining Smart Link 1 6 Smart Link Configuration Example 1 6 Implementing Link Redundancy Backup 1 6 2 Monitor Link Configuration 2 1 Introduction to Monitor Link 2 1 Overview 2 1 How Monitor Link Works...

Страница 763: ...edundancy backup and fast convergence to meet the user demand Smart Link has the following features z Active standby backup for dual uplink networking z Simple configuration and operation Basic Concep...

Страница 764: ...nk group sends flush messages to notify other devices to refresh MAC address forwarding entries and ARP entries Control VLAN for sending flush messages This control VLAN sends flush messages When link...

Страница 765: ...their own MAC forwarding entries and ARP entries In this case all the uplink devices must be capable of identifying flush messages from the smart link group and refreshing MAC forwarding entries and A...

Страница 766: ...s of the smart link group To do Use the command Remarks Enter system view system view Create a smart link group and enter smart link group view smart link group group id Required Enable the function o...

Страница 767: ...witch E Follow these steps to enable the specified port to process flush messages received from the specified control VLAN To do Use the command Remarks Enter system view system view System view smart...

Страница 768: ...n the aggregation group automatically that is the other member ports in the aggregation group cannot process flush messages The function of processing flush messages must be manually configured for ea...

Страница 769: ...0 1 quit SwitchA interface GigabitEthernet 1 0 2 SwitchA GigabitEthernet1 0 2 stp disable Return to system view SwitchA GigabitEthernet1 0 2 quit Create smart link group 1 and enter the corresponding...

Страница 770: ...w Enable the function of processing flush messages received from VLAN 1 on GigabitEthernet 1 0 2 SwitchD smart link flush enable control vlan 1 port GigabitEthernet 1 0 2 4 Enable the function of proc...

Страница 771: ...nd one or multiple downlink ports When the link for the uplink port of a monitor link group fails all the downlink ports in the monitor link group are forced down When the link for the uplink port rec...

Страница 772: ...ally Actually however the traffic on Switch A cannot be up linked to Switch E through the link of GigabitEthernet 1 0 1 z If Switch C is configured with monitor link group and monitor link group detec...

Страница 773: ...e Uplink Port Required Configuring a Downlink Port Required Creating a Monitor Link Group Follow these steps to create a monitor link group To do Use the command Remarks Enter system view system view...

Страница 774: ...uit interface interface type interface number Configure a downlink port for the monitor link group Configure the specified Ethernet port as a downlink port of the monitor link group Ethernet port view...

Страница 775: ...server and Internet due to uplink link or port failure Network diagram Figure 2 3 Network diagram for Monitor Link configuration BLOCK Switch A Switch B GE1 0 1 GE1 0 2 Switch C Switch D Switch E GE1...

Страница 776: ...hC system view Create monitor link group 1 and enter monitor link group view SwitchC monitor link group 1 Configure GigabitEthernet 1 0 1 as the uplink port of the monitor link group and GigabitEthern...

Страница 777: ...6 ICMP Error Packets Sent within a Specified Time 1 13 Configuring the Hop Limit of ICMPv6 Reply Packets 1 14 Configuring IPv6 DNS 1 14 Displaying and Maintaining IPv6 1 15 IPv6 Configuration Example...

Страница 778: ...was designed by the Internet Engineering Task Force IETF as the successor to Internet Protocol Version 4 IPv4 The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address si...

Страница 779: ...ateful address configuration means that a host acquires an IPv6 address and related information from the server for example DHCP server z Stateless address configuration means that the host automatica...

Страница 780: ...esses zeros in IPv6 addresses can be handled as follows z Leading zeros in each group can be removed For example the above mentioned address can be represented in shorter format as 2001 0 130F 0 0 9C0...

Страница 781: ...dress 11111111 FF00 8 Anycast address Anycast addresses are taken from unicast address space and are not syntactically distinguishable from unicast addresses Unicast address There are several forms of...

Страница 782: ...etection Each IPv6 unicast or anycast address has one corresponding solicited node address The format of a solicited node multicast address is as follows FF02 0 0 0 0 1 FFXX XXXX Where FF02 0 0 0 0 1...

Страница 783: ...citation RS message After started a host sends a router solicitation message to request the router for an address prefix and other configuration information for the purpose of autoconfiguration Used t...

Страница 784: ...s of node A and returns an NA message containing the link layer address of node B in the unicast mode 3 Node A acquires the link layer address of node B from the NA message After that node A and node...

Страница 785: ...tion The function and implementation of these two types of domain name resolution are the same as those of an IPv4 DNS For details refer to DNS Operation in this manual Usually the DNS server connecti...

Страница 786: ...blic IPv6 network you need to assign an IPv6 global unicast address to it IPv6 site local addresses and global unicast addresses can be configured in either of the following ways z EUI 64 format When...

Страница 787: ...an IPv6 site local address or global unicast address is configured for an interface a link local address will be generated automatically The automatically generated link local address is the same as...

Страница 788: ...h NS and NA messages and add it to the neighbor table Too large a neighbor table may lead to the forwarding performance degradation of the device Therefore you can restrict the size of the neighbor ta...

Страница 789: ...er Specify the NS interval ipv6 nd ns retrans timer value Optional 1 000 milliseconds by default Configuring the neighbor reachable timeout time on an interface After a neighbor passed the reachabilit...

Страница 790: ...default Set the synwait timer of IPv6 TCP packets tcp ipv6 timer syn timeout wait time Optional 75 seconds by default Configure the size of IPv6 TCP receiving sending buffer tcp ipv6 window size Optio...

Страница 791: ...ctly use a host name when applying telnet applications and the system will resolve the host name into an IPv6 address Each host name can correspond to only one IPv6 address A newly configured IPv6 add...

Страница 792: ...is manual Displaying and Maintaining IPv6 To do Use the command Remarks Display DNS domain name suffix information display dns domain dynamic Display IPv6 dynamic domain name cache information display...

Страница 793: ...splay the statistics of IPv6 UDP packets display udp ipv6 statistics Clear IPv6 dynamic domain name cache information reset dns ipv6 dynamic host Clear IPv6 neighbor information reset ipv6 neighbors a...

Страница 794: ...2 ipv6 address auto link local Configure an EUI 64 address for the interface VLAN interface 2 SwitchA Vlan interface2 ipv6 address 2001 64 eui 64 Configure a global unicast address for the interface V...

Страница 795: ...F02 1 FF00 2 FF02 1 FF00 1 FF02 1 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless a...

Страница 796: ...ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 3 hop limit 255 time 60 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 4 hop limit 255 time 60 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Se...

Страница 797: ...1 20 0 00 packet loss round trip min avg max 50 60 70 ms...

Страница 798: ...ipv6 command is commonly used for testing the reachability of a host This command sends an ICMPv6 message to the destination host and records the time for the response message to be received For detai...

Страница 799: ...s the destination host As there is no application using the UDP port the destination returns a port unreachable ICMP error message z The source receives the port unreachable ICMP error message and und...

Страница 800: ...lient application of IPv6 to set up an IPv6 Telnet connection with Device A which serves as the Telnet server If Device A again connects to Device B through Telnet the Device A is the Telnet client an...

Страница 801: ...a LAN there is a Telnet server and a TFTP server for providing Telnet service and TFTP service to the switch respectively It is required that you telnet to the telnet server from SWA and download file...

Страница 802: ...3 1 SWA ipv6 route static 3001 64 3003 1 SWA quit Trace the IPv6 route from SWA to SWC SWA tracert ipv6 3002 1 traceroute to 3002 1 30 hops max 60 bytes packet 1 3003 1 30 ms 0 ms 0 ms 2 3002 1 10 ms...

Страница 803: ...t can be pinged through check whether the UDP port that was included in the tracert ipv6 command is used by an application on the host If yes you need to use the tracert ipv6 command with an unreachab...

Страница 804: ...ng the PoE Mode on a Port 1 5 Configuring the PD Compatibility Detection Function 1 5 Configuring PoE Over Temperature Protection on the Switch 1 6 Upgrading the PSE Processing Software Online 1 6 Dis...

Страница 805: ...ists of three components power sourcing equipment PSE PD and power interface PI z PSE PSE is comprised of the power and the PSE functional module It can implement PD detection PD power information col...

Страница 806: ...he display command z The switch provides two modes auto and manual to manage the power feeding to ports in the case of PSE power overload z The switch provides over temperature protection mechanism Wh...

Страница 807: ...Setting the Maximum Output Power on a Port Optional Setting PoE Management Mode and PoE Priority of a Port Optional Setting the PoE Mode on a Port Optional Configuring the PD Compatibility Detection...

Страница 808: ...oE priority settings S5100 SI EI series switches support two PoE management modes auto and manual The auto mode is adopted by default z auto When the switch is close to its full load in supplying powe...

Страница 809: ...upport the spare mode After the PoE feature is enabled on the port perform the following configuration to set the PoE mode on a port Table 1 7 Set the PoE mode on a port Operation Command Description...

Страница 810: ...escription Enter system view system view Upgrade the PSE processing software online poe update refresh full filename Required The specified PSE processing software is a file with the extension s19 z I...

Страница 811: ...5100 SI EI series Ethernet switch supporting PoE Switch B can be PoE powered z The GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 ports of Switch A are connected to Switch B and an AP respectively th...

Страница 812: ...2 poe enable SwitchA GigabitEthernet1 0 2 poe max power 2500 SwitchA GigabitEthernet1 0 2 quit Enable the PoE feature on GigabitEthernet 1 0 8 and set the PoE priority of GigabitEthernet 1 0 8 to crit...

Страница 813: ...figuration Configuring PoE Profile Table 2 1 Configure PoE profile Operation Command Description Enter system view system view Create a PoE profile and enter PoE profile view poe profile profilename R...

Страница 814: ...uration command can be used to query which PoE profile is applied to a port However the command cannot be used to query which PoE features in a PoE profiles are applied successfully Displaying PoE Pro...

Страница 815: ...1 PoE profile application Configuration procedure Create Profile1 and enter PoE profile view SwitchA system view SwitchA poe profile Profile1 In Profile1 add the PoE policy configuration applicable to...

Страница 816: ...le Profile2 poe max power 15400 SwitchA poe profile Profile2 quit Display detailed configuration information for Profile2 SwitchA display poe profile name Profile2 Poe profile Profile2 2 action poe en...

Страница 817: ...1 UDP Helper Configuration 1 1 Introduction to UDP Helper 1 1 Configuring UDP Helper 1 2 Displaying and Maintaining UDP Helper 1 3 UDP Helper Configuration Example 1 3 Cross Network Computer Search Th...

Страница 818: ...ay specified UDP packets In other words UDP Helper functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified destination server With UDP Help...

Страница 819: ...rface vlan id Specify the destination server to which the UDP packets are to be forwarded udp helper server ip address Required No destination server is specified by default z You need to enable UDP H...

Страница 820: ...h Switch A and are routable to each other It is required to configure UDP Helper on the switch so that PC A can find PC B through computer search Broadcasts with UDP port 137 are used for searching Ne...

Страница 821: ...agement Configuration 1 1 Access Management Overview 1 1 Configuring Access Management 1 2 Access Management Configuration Examples 1 2 Access Management Configuration Example 1 2 Combining Access Man...

Страница 822: ...he access management function aims to manage user access rights on access switches It enables you to manage the external network access rights of the hosts connected to ports of an access switch To im...

Страница 823: ...t be in the same network segment as the interface IP address of the VLAN which the port belongs to z If an access management address pool configured contains IP addresses that belong to the static ARP...

Страница 824: ...200 24 Sysname Vlan interface1 quit Configure the access management IP address pool on GigabitEthernet 1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 am ip pool 202 10 20 1...

Страница 825: ...on on Switch A For information about port isolation and the corresponding configuration refer to the Port Isolation Operation Enable access management Sysname system view Sysname am enable Set the IP...

Страница 826: ...bitEthernet 1 0 2 Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 am ip pool 202 10 20 25 26 202 10 20 55 11 Add GigabitEthernet 1 0 2 to the port isolation group Sysname GigabitE...

Страница 827: ...i Table of Contents 1 Acronyms 1 1...

Страница 828: ...Service D DHCP Dynamic Host Configuration Protocol DR Designated Router D V Distance Vector Routing Algorithm E EGP Exterior Gateway Protocol F FTP File Transfer Protocol G GARP Generic Attribute Reg...

Страница 829: ...ndent Multicast PIM DM Protocol Independent Multicast Dense Mode PIM SM Protocol Independent Multicast Sparse Mode PoE Power over Ethernet Q QoS Quality of Service R RIP Routing Information Protocol R...

Страница 830: ...1 3 V VLAN Virtual LAN VOD Video On Demand W WRR Weighted Round Robin X XID eXchange Identification XRN eXpandable Resilient Networking...

Отзывы:

Нет отзывов