H3C S3100 Series Скачать руководство пользователя страница 966

Страница: 966 / 1057

Follow these steps to configure 802.1x-based ARP/IP attack defense:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enable using IP-MAC bindings of
authenticated 802.1x clients for ARP
attack detection

ip source static import
dot1x

Required

Disabled by default.

Enter Ethernet port view

interface interface-type
interface-number

—

Enable IP filtering based on IP-MAC
bindings of authenticated 802.1x
clients

ip check dot1x enable

Required

Disabled by default.

The IP-MAC bindings of authenticated 802.1x clients are used together with DHCP snooping

entries and static bindings for ARP attack detection.

IP filtering based on IP-MAC bindings of authenticated 802.1x clients is mutually exclusive with IP

filtering based on DHCP snooping entries.

IP filtering based on IP-MAC bindings of authenticated 802.1x clients does not support link

aggregation.

To implement IP filtering based on IP-MAC bindings of authenticated 802.1x clients, the device

assigns an ACL to each of such bindings. If an ACL fails to be assigned to a binding, the

corresponding authenticated 802.1x client is forced to go offline.

IP filtering based on IP-MAC bindings of authenticated 802.1x clients requires 802.1x clients to

provide IP addresses; otherwise, the IP addresses of 802.1x clients cannot be obtained. To ensure

IP addresses of DHCP clients can be updated for corresponding IP-MAC entries, you are

recommended to enable 802.1x authentication handshake function; otherwise, you need to disable

802.1x authentication triggered by DHCP, ensuring normal receiving and forwarding of multicast

authentication packets.

Configuring ARP Source MAC Address Consistency Check

Introduction

An attacker may use the IP or MAC address of another host as the sender IP or MAC address of ARP

packets. These ARP packets can cause other network devices to update the corresponding ARP

entries incorrectly, thus interrupting network traffic.

To prevent such attacks, you can configure ARP source MAC address consistency check on S3100-EI

series Ethernet switches (operating as gateways). With this function, the device can verify whether an

ARP packet is valid by checking the sender MAC address of the ARP packet against the source MAC

address in the Ethernet header.

If they are consistent, the packet passes the check and the switch learns the ARP entry.

Содержание S3100 Series

Страница 1: ...H3C S3100 Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co Ltd http www h3c com Document Version 20100908 C 1 00 Product Version Release 22XX Series...

Страница 2: ...re Secware Storware NQA VVG V2 G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the...

Страница 3: ...Network administrators working with the S3100 series Organization H3C S3100 Series Ethernet Switches Operation Manual Release 22XX Series is organized as follows Part Features 01 CLI Operation z Intro...

Страница 4: ...ggregation control protocol LACP z Manual aggregation z Static aggregation 11 Port Isolation Operation Port isolation group 12 Port Security Port Binding Operation z Configuring port security z Config...

Страница 5: ...onfiguring an Auth Fail VLAN for web authentication z Configuring a web authentication free user z Configuring HTTPS access for web authentication z Customizing web authentication pages z Configuring...

Страница 6: ...eduled task configuration 36 VLAN VPN Operation z VLAN VPN QinQ z Configuring TPID value applicable only to the S3100 EI series z Configuring BPDU tunnels applicable only to the S3100 EI series z Sele...

Страница 7: ...eration Applicable only to the S3100 EI series z Configuring basic CFD settings z Configuring CC on MEPs z Configuring LB on MEPs z Configuring LT on MEPs Software Version H3C S3100 Series Ethernet Sw...

Страница 8: ...D configuration applicable only to the S3100 EI series 48 CFD Operation MAC based VLAN configuration applicable only to the S3100 EI series 04 VLAN Operation Configuring QoS priority settings for voic...

Страница 9: ...tory keep time history record enable hwping agent clear hwping agent max requests sendpacket passroute statistics statistics keep time test time begin and ttl 38 HWPing Operation ND snooping function...

Страница 10: ...ntax choices separated by vertical bars from which you may select multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A...

Страница 11: ...ation procedures Command references Provide a quick reference to all available commands Software configuration H3C Low End Ethernet Switches Configuration Example H3C Low End Ethernet Switches Configu...

Страница 12: ...10 You can e mail your comments about product documentation to info h3c com We appreciate your comments...

Страница 13: ...he CLI 1 1 Command Hierarchy 1 1 Command Level and User Privilege Level 1 1 Modifying the Command Level 1 2 Switching User Level 1 3 CLI Views 1 7 CLI Features 1 12 Online Help 1 12 Terminal Display 1...

Страница 14: ...execute a command by entering partially spelled command keywords as long as the keywords entered can be uniquely identified by the system Command Hierarchy Command Level and User Privilege Level To re...

Страница 15: ...Console port is a level 3 user and can use commands of level 0 through level 3 while Telnet users are level 0 users and can only use commands of level 0 You can use the user privilege level command t...

Страница 16: ...0 view shell tftp 192 168 0 1 get bootrom btm After the above configuration general Telnet users can use the tftp get command to download file bootrom btm and other files from TFTP server 192 168 0 1...

Страница 17: ...ication mode and HWTACACS authentication mode are available at the same time to provide authentication redundancy The configuration of authentication mode for user level switching is performed by Leve...

Страница 18: ...ure super password authentication for user level switching which can only be performed by level 3 users administrators Follow these steps to set a password for use level switching Operation Command Re...

Страница 19: ...vel super level Required Execute this command in user view z If no user level is specified in the super password command or the super command level 3 is used by default z For security purpose the pass...

Страница 20: ...configuration procedures Enable HWTACACS authentication for VTY 0 user level switching Sysname system view Sysname user interface vty 0 Sysname ui vty0 super authentication mode scheme Sysname ui vty0...

Страница 21: ...mand in system view Aux1 0 0 port the console port view The S3100 series do not support configuration on port Aux1 0 0 Sysname Aux1 0 0 Execute the interface aux 1 0 0 command in system view VLAN view...

Страница 22: ...Sysname rsa ke y code Public key editing view Edit the RSA or DSA public key for SSH users Sysname peer k ey code Execute the public key code begin command in public key view Execute the public key c...

Страница 23: ...ing view Configure HWPing parameters Sysname hwpin g a123 a123 Execute the hwping command in system view HWTACA CS view Configure HWTACACS parameters Sysname hwtac acs a123 Execute the hwtacacs scheme...

Страница 24: ...licy policy1 Execute the ssl client policy command in system view DHCP address pool view Configure DHCP address pool parameters Supported by only S3100 EI series switches Sysname dhcp p ool test Execu...

Страница 25: ...debugging functions delete Delete a file dir List files on a file system display Display current system information Other information is omitted 2 Enter a command a space and a question mark If the qu...

Страница 26: ...e screen is full When display output pauses you can perform the following operations as needed see Table 1 3 Table 1 2 Display related operations Operation Function Press Ctrl C Stop the display outpu...

Страница 27: ...rror messages Error message Description The command does not exist The keyword does not exist The parameter type is wrong Unrecognized command The parameter value is out of range Incomplete command Th...

Страница 28: ...online help That is when you input an incomplete keyword and press Tab if the input parameter uniquely identifies a complete keyword the system substitutes the complete keyword for the input parameter...

Страница 29: ...ord 2 8 Configuration Procedure 2 8 Configuration Example 2 9 Console Port Login Configuration with Authentication Mode Being Scheme 2 10 Configuration Procedure 2 10 Configuration Example 2 12 3 Logg...

Страница 30: ...g NMS 6 1 7 User Control 7 1 Introduction 7 1 Controlling Telnet Users 7 1 Prerequisites 7 1 Controlling Telnet Users by Source IP Addresses 7 1 Controlling Telnet Users by Source and Destination IP A...

Страница 31: ...rough this port S3100 series Ethernet switches support two types of user interfaces AUX and VTY z AUX user interface A view when you log in through the AUX port AUX port is a line device port z Virtua...

Страница 32: ...xecute this command in user view Free a user interface free user interface type number Optional Execute this command in user view Enter system view system view Set the banner header incoming legal log...

Страница 33: ...9 600 bps Flow control None Check mode Parity None Stop bits 1 Data bits 8 To log into a switch through the Console port make sure the settings of both the Console port and the user terminal are the s...

Страница 34: ...onsole port of the switch are configured as those listed in Table 2 1 On the Windows 2003 Server operating system you need to add the HyperTerminal program first and then log in to and manage the devi...

Страница 35: ...uch as H3C appears after you press the Enter key as shown in Figure 2 5 Figure 2 5 HyperTerminal CLI 4 You can then configure the switch or check the information about the switch by executing the corr...

Страница 36: ...le in all user interfaces Set the maximum number of lines the screen can contain Optional By default the screen can contain up to 24 lines Set history command buffer size Optional By default the histo...

Страница 37: ...e Configure user name and password Configure user names and passwords for local RADIUS users Required z The user name and password of a local user are configured on the switch z The user name and pass...

Страница 38: ...UX user interface and commands of level 0 are available to users logging into the VTY user interface Enable terminal services shell Optional By default terminal services are available in all user inte...

Страница 39: ...Network diagram for AUX user interface configuration with the authentication mode being none Configuration procedure Enter system view Sysname system view Enter AUX user interface view Sysname user in...

Страница 40: ...Console port is 9 600 bps Set the check mode parity even none odd Optional By default the check mode of a Console port is set to none that is no check bit Set the stop bits stopbits 1 1 5 2 Optional...

Страница 41: ...igurations for users logging in through the Console port AUX user interface z Authenticate the users using passwords z Set the local password to 123456 in plain text z The commands of level 2 are avai...

Страница 42: ...ode being scheme Operation Command Description Enter system view system view Enter the default ISP domain view domain domain name Specify the AAA scheme to be applied to the domain scheme local none r...

Страница 43: ...ser interface Make terminal services available to the user interface shell Optional By default terminal services are available in all user interfaces Set the maximum number of lines the screen can con...

Страница 44: ...20 commands z The timeout time of the AUX user interface is 6 minutes Network diagram Figure 2 8 Network diagram for AUX user interface configuration with the authentication mode being scheme Configur...

Страница 45: ...y command buffer can store to 20 Sysname ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 minutes Sysname ui aux0 idle timeout 6 After the above configuration yo...

Страница 46: ...itch Item Requirement The IP address is configured for the VLAN of the switch and the route between the switch and the Telnet terminal is reachable Refer to the IP Address Configuration IP Performance...

Страница 47: ...t time of a user interface Optional The default timeout time is 10 minutes Telnet Configurations for Different Authentication Modes Table 3 3 lists Telnet configurations for different authentication m...

Страница 48: ...3 and TCP 22 port will be enabled Telnet Configuration with Authentication Mode Being None Configuration Procedure Table 3 4 Telnet configuration with the authentication mode being none Operation Comm...

Страница 49: ...erface is terminated if no operation is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function Note that if you configure not to authe...

Страница 50: ...system view system view Enter one or more VTY user interface views user interface vty first number last number Configure to authenticate users logging into VTY user interfaces using the local passwor...

Страница 51: ...tes You can use the idle timeout 0 command to disable the timeout function When the authentication mode is password the command level available to users logging into the user interface is determined b...

Страница 52: ...tion Command Description Enter system view system view Enter the default ISP domain view domain domain name Configure the AAA scheme to be applied to the domain scheme local none radius scheme radius...

Страница 53: ...e shell Optional Terminal services are available in all use interfaces by default Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can...

Страница 54: ...ivilege level level command is not executed and the service type command specifies the available command level Level 0 The user privilege level level command is executed and the service type command d...

Страница 55: ...up to 20 commands z The timeout time of VTY 0 is 6 minutes Network diagram Figure 3 3 Network diagram for Telnet configuration with the authentication mode being scheme Configuration procedure Enter s...

Страница 56: ...establishing connection to a Console port z Launch a terminal emulation utility such as Terminal in Windows 3 X or HyperTerminal in Windows 95 Windows 98 Windows NT Windows 2000 Windows XP on the PC...

Страница 57: ...your PC with the IP address of VLAN interface 1 of the switch as the parameter as shown in Figure 3 7 Figure 3 7 Launch Telnet 5 If the password authentication mode is specified enter the password whe...

Страница 58: ...3 8 Network diagram for Telnetting to another switch from the current switch 2 Perform Telnet related configuration on the switch operating as the Telnet server Refer to section Telnet Configuration...

Страница 59: ...em is properly connected to PSTN Administrator side The telephone number of the switch side is available The modem is connected to the Console port of the switch properly The modem is properly configu...

Страница 60: ...n the authentication mode is none Refer to section Console Port Login Configuration with Authentication Mode Being None Configuration on switch when the authentication mode is password Refer to sectio...

Страница 61: ...omote end 82882285 Modem Modem 4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch as shown in Figure 4 2 through Figure 4 4...

Страница 62: ...such as Sysname appears You can then configure or manage the switch You can also enter the character at anytime for help Refer to the related parts in this manual for information about the configurat...

Страница 63: ...ss Configuration IP Performance Configuration and Routing Protocol parts for related information Switch The user name and password for logging into the Web based network management system are configur...

Страница 64: ...gin Banner Configuration Procedure If a login banner is configured with the header command when a user logs in through Web the banner page is displayed before the user login authentication page The co...

Страница 65: ...tween the user terminal the PC and the switch After the above mentioned configuration if you enter the IP address of the switch in the address bar of the browser running on the user terminal and press...

Страница 66: ...http shutdown Required To improve security and prevent attack to the unused Sockets TCP 80 port which is for HTTP service is enabled disabled after the corresponding configuration z Enabling the Web s...

Страница 67: ...witch Table 6 1 Requirements for logging into a switch through an NMS Item Requirement The IP address of the VLAN interface of the switch is configured The route between the NMS and the switch is reac...

Страница 68: ...lling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through basic ACL Section Controlling Network Management Users by Source IP Addresses By source IP addresses Through basic ACL Se...

Страница 69: ...d ACLs which are numbered from 3000 to 3999 Table 7 3 Control Telnet users by source and destination IP addresses Operation Command Description Enter system view system view Create an advanced ACL or...

Страница 70: ...y specified source MAC addresses acl acl number inbound Required By default no ACL is applied for Telnet users Configuration Example Network requirements Only the Telnet users sourced from the IP addr...

Страница 71: ...umber command the config keyword is specified by default Define rules for the ACL rule rule id deny permit rule string Required Quit to system view quit Apply the ACL while configuring the SNMP commun...

Страница 72: ...a acl 2000 Controlling Web Users by Source IP Address You can manage an S3100 Ethernet switch remotely through Web Web users can access a switch through HTTP connections You need to perform the follow...

Страница 73: ...b user by force Operation Command Description Disconnect a Web user by force free web users all user id user id user name user name Required Execute this command in user view Configuration Example Net...

Страница 74: ...7 7 Sysname ip http acl 2030...

Страница 75: ...t 1 1 Introduction to Configuration File 1 1 Management of Configuration File 1 2 Saving the Current Configuration 1 2 Erasing the Startup Configuration File 1 3 Specifying a Configuration File for Ne...

Страница 76: ...rface configuration section physical port configuration section routing protocol configuration section user interface configuration and so on z End with a return The operating interface provided by th...

Страница 77: ...these tasks to configure configuration file management Task Remarks Saving the Current Configuration Optional Erasing the Startup Configuration File Optional Specifying a Configuration File for Next...

Страница 78: ...execution of this command If the filename you entered is different from that existing in the system this command will erase its backup attribute to allow only one backup attribute configuration file i...

Страница 79: ...n specify a configuration file to be used for the next startup and configure the main backup attribute for the configuration file Assign main attribute to the startup configuration file z If you save...

Страница 80: ...y saved configuration unit unit id by linenum Display the configuration file used for this and next startup display startup unit unit id Display the current VLAN configuration of the device display cu...

Страница 81: ...ion of Protocol Based VLAN 1 9 2 VLAN Configuration 2 1 VLAN Configuration 2 1 VLAN Configuration Task List 2 1 Basic VLAN Configuration 2 1 Basic VLAN Interface Configuration 2 2 Displaying VLAN Conf...

Страница 82: ...ii Associating a Port with a Protocol Based VLAN 2 10 Displaying Protocol Based VLAN Configuration 2 10 Protocol Based VLAN Configuration Example 2 11...

Страница 83: ...quantity of broadcast packets or unknown unicast packets may exist in a network wasting network resources z A host in the network receives a lot of packets whose destination is not the host itself cau...

Страница 84: ...ion between VLANs routers or Layer 3 switches are required z Flexible virtual workgroup creation As users from the same workgroup can be assigned to the same VLAN regardless of their physical location...

Страница 85: ...orted by Ethernet The VLAN tag fields are also added to frames encapsulated in these formats for VLAN identification Refer to section Encapsulation Format of Ethernet Data for 802 2 802 3 encapsulatio...

Страница 86: ...used to do Layer 3 forwarding The S3100 series Ethernet switches support VLAN interfaces configuration to forward packets in Layer 3 VLAN interface is a virtual interface in Layer 3 mode used to real...

Страница 87: ...n carry multiple VLANs to receive and send traffic for them Except traffic of the default VLAN traffic passes through a trunk port will be VLAN tagged Usually ports connecting network devices are conf...

Страница 88: ...its default VLAN tag the packet with the default VLAN tag and then forward the packet z If the port has not been added to its default VLAN discard the packet z If the VLAN ID is one of the VLAN IDs a...

Страница 89: ...esponding VLAN or drops the frame if it is not In this case port based VLAN applied Approaches to creating MAC address to VLAN mappings In addition to creating MAC address to VLAN mappings at the CLI...

Страница 90: ...d maintenance Encapsulation Format of Ethernet Data This section introduces the common encapsulation formats of Ethernet data for you to understand the procedure for the switch to identify the packet...

Страница 91: ...g the packet with the protocol template The protocol template is the standard to determine the protocol to which a packet belongs Protocol templates include standard templates and user defined templat...

Страница 92: ...tion Optional Basic VLAN Configuration Follow these steps to perform basic VLAN configuration To do Use the command Remarks Enter system view system view Create multiple VLANs in batch vlan vlan id1 t...

Страница 93: ...an id Required By default there is no VLAN interface on a switch Specify the description string for the current VLAN interface description text Optional By default the description string of a VLAN int...

Страница 94: ...n the VLAN z The operation of enabling disabling a VLAN s VLAN interface does not influence the physical status of the Ethernet ports belonging to this VLAN z For the S3100 SI series switch create the...

Страница 95: ...rt to a specified VLAN port access vlan vlan id Optional By default all Access ports belong to VLAN 1 To add an Access port to a VLAN make sure the VLAN already exists Configuring a Hybrid Port Based...

Страница 96: ...rnet port view interface interface type interface number Configure the port link type as Trunk port link type trunk Required Allow the specified VLANs to pass through the current Trunk port port trunk...

Страница 97: ...reate VLAN 101 specify its descriptive string as DMZ and add Ethernet1 0 1 to VLAN 101 SwitchA system view SwitchA vlan 101 SwitchA vlan101 description DMZ SwitchA vlan101 port Ethernet 1 0 1 SwitchA...

Страница 98: ...ubleshooting Ethernet Port Configuration Symptom Fail to configure the default VLAN ID of an Ethernet port Solution Take the following steps z Use the display interface or display port command to chec...

Страница 99: ...rt Configure the link type of the port s as hybrid port link type hybrid Required Configure the current hybrid port s to permit packets of specific MAC based VLANs to pass through port hybrid vlan vla...

Страница 100: ...procedure Follow these steps to configure the protocol template for a VLAN To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the protocol template for...

Страница 101: ...essing packets of the same protocol type in different ways the switch will prompt that you cannot set the etype id argument for Ethernet II packets to 0x0800 0x8137 or 0x809B Associating a Port with a...

Страница 102: ...200 using AppleTalk network through Ethernet 1 0 12 z Configure the switch to automatically assign the IP and AppleTalk packets to proper VLANs for transmission so as to ensure the normal communicatio...

Страница 103: ...link type hybrid Switch Ethernet1 0 10 port hybrid vlan 100 200 untagged Associate Ethernet 1 0 10 with protocol template 0 and 1 of VLAN 100 and protocol template 0 of VLAN 200 Switch Ethernet1 0 10...

Страница 104: ...n 1 1 Introduction to Static Route 1 1 Static Route 1 1 Default Route 1 1 Static Route Configuration 1 2 Configuration Prerequisites 1 2 Configuring a Static Route 1 2 Displaying and Maintaining Stati...

Страница 105: ...his destination will be forwarded to the next hop It is the most common type of static routes z Unreachable route route with the reject attribute If a static route to a destination has the reject attr...

Страница 106: ...mask to 0 0 0 0 z Avoid configuring the next hop address of a static route to the address of an interface on the local switch z Different preferences can be configured to implement flexible route man...

Страница 107: ...cs protocol all protocol Use the reset command in user view Delete all static routes delete static routes all Use the delete command in system view Troubleshooting a Static Route Symptom Both the phys...

Страница 108: ...rface 1 4 Displaying IP Addressing Configuration 1 4 IP Address Configuration Examples 1 5 IP Address Configuration Example I 1 5 2 IP Performance Configuration 2 1 IP Performance Overview 2 1 Introdu...

Страница 109: ...ddresses are divided into five classes as shown in the following figure in which the blue parts represent the address class Figure 1 1 IP address classes Table 1 1 describes the address ranges of thes...

Страница 110: ...responding bits in an IP address In a subnet mask the part containing consecutive ones identifies the combination of net ID and subnet ID whereas the part containing consecutive zeros identifies the h...

Страница 111: ...IP address obtained from BOOTP will overwrite the old one manually assigned z This chapter only covers how to assign an IP address manually For the other two approaches to IP address assignment refer...

Страница 112: ...with the management vlan vlan id command Otherwise the configuration fails Refer to the Cluster Operation Manual for detailed introduction to the cluster z Refer to the VLAN module for detailed intro...

Страница 113: ...amples IP Address Configuration Example I Network requirement Assign IP address 129 2 2 1 with mask 255 255 255 0 to VLAN interface 1 of the switch Network diagram Figure 1 3 Network diagram for IP ad...

Страница 114: ...able are the same Configuring IP Performance Introduction to IP Performance Configuration Tasks Table 2 1 Introduction to IP performance configuration tasks Configuration task Description Configuring...

Страница 115: ...nd management it still has the following disadvantages z Sending a lot of ICMP packets will increase network traffic z If receiving a lot of malicious packets that cause it to send ICMP error packets...

Страница 116: ...orwarding information base FIB entries display fib Display the FIB entries matching the destination IP address display fib ip address1 mask1 mask length1 ip address2 mask2 mask length2 longer longer D...

Страница 117: ...AN 1 6 Voice VLAN Configuration 1 7 Configuration Prerequisites 1 7 Configuring QoS Priority Settings for Voice Traffic on an Interface 1 7 Configuring the Voice VLAN to Operate in Automatic Voice VLA...

Страница 118: ...convert analog voice signals into digital signals to enable them to be transmitted in IP based networks Used in conjunction with other voice devices IP phones can offer large capacity and low cost voi...

Страница 119: ...responds as follows z If DHCP Server 1 does not support Option 184 it returns the IP address assigned to the IP phone but ignores the other four special requests in the Option 184 field Without infor...

Страница 120: ...t switches determine whether a received packet is a voice packet by checking its source MAC address against an organizationally unique identifier OUI list If a match is found the packet is considered...

Страница 121: ...LAN assignment automatic mode ports can not be added to or removed from a voice VLAN manually z Manual voice VLAN assignment mode In this mode you need to add a port to a voice VLAN or remove a port f...

Страница 122: ...supported Trunk Supported Make sure the default VLAN of the port exists and is not a voice VLAN and the access port permits the traffic of the default VLAN and the voice VLAN Tagged voice traffic Hyb...

Страница 123: ...wards all voice VLAN tagged traffic without matching the source MAC address of each received packet against its OUI list For a port in the manual mode with the default VLAN as the voice VLAN any untag...

Страница 124: ...ferentiated Services Code Point DSCP values for voice traffic Voice traffic carries its own QoS priority settings You can configure the device either to modify or not to modify the QoS priority settin...

Страница 125: ...net port view interface interface type interface number Required Enable the voice VLAN function on a port voice vlan enable Required By default voice VLAN is disabled Enable the voice VLAN legacy func...

Страница 126: ...oui mask description text Optional Without this address the default OUI address is used Enable the voice VLAN security mode voice vlan security enable Optional By default the voice VLAN security mode...

Страница 127: ...ice vlan error info command to locate such ports z When a voice VLAN operates in security mode the device in it permits only the packets whose source addresses are the identified voice OUI addresses P...

Страница 128: ...or exit the voice VLAN automatically and voice traffic to be transmitted within the voice VLAN z Create VLAN 2 and configure it as the voice VLAN with the aging timer being 100 minutes z The IP phone...

Страница 129: ...6 DeviceA Ethernet1 0 1 port hybrid vlan 6 tagged Enable the voice VLAN function on Ethernet 1 0 1 DeviceA Ethernet1 0 1 voice vlan enable Voice VLAN Configuration Example Manual Voice VLAN Assignment...

Страница 130: ...ult VLAN of Ethernet 1 0 1 and add the voice VLAN to the list of untagged VLANs whose traffic is permitted by the port DeviceA Ethernet1 0 1 port hybrid pvid vlan 2 DeviceA Ethernet1 0 1 port hybrid v...

Страница 131: ...GVRP 1 4 Protocol Specifications 1 4 GVRP Configuration 1 4 GVRP Configuration Tasks 1 4 Enabling GVRP 1 4 Configuring GVRP Timers 1 5 Configuring GVRP Port Registration Mode 1 6 Displaying and Maint...

Страница 132: ...through the messages exchanged between them The messages performing important functions for GARP fall into three types Join Leave and LeaveAll z When a GARP entity wants its attribute information to b...

Страница 133: ...ute information on this entity After that the entity restarts the LeaveAll timer to begin a new cycle z The settings of GARP timers apply to all GARP applications such as GVRP on a LAN z Unlike other...

Страница 134: ...s Attribute Each general attribute consists of three parts Attribute Length Attribute Event and Attribute Value Each LeaveAll attribute consists of two parts Attribute Length and LeaveAll Event Attrib...

Страница 135: ...hree port registration modes Normal Fixed and Forbidden as described in the following z Normal A port in this mode can dynamically register deregister VLANs and propagate dynamic static VLAN informati...

Страница 136: ...view system view Configure the LeaveAll timer garp timer leaveall timer value Optional By default the LeaveAll timer is set to 1 000 centiseconds Enter Ethernet port view interface interface type inte...

Страница 137: ...All timer You can change the threshold by changing the timeout time of the LeaveAll timer LeaveAll This lower threshold is greater than the timeout time of the Leave timer You can change threshold by...

Страница 138: ...RP registration modes of specific Ethernet ports you can enable the corresponding VLANs in the switched network to communicate with each other Network diagram Figure 1 2 Network diagram for GVRP confi...

Страница 139: ...ate VLAN 5 SwitchC vlan 5 SwitchC vlan5 quit 4 Configure Switch D Enable GVRP on Switch D which is similar to that of Switch A and is thus omitted Create VLAN 8 SwitchD vlan 8 SwitchD vlan8 quit 5 Con...

Страница 140: ...8 Display the VLAN information dynamically registered on Switch E SwitchE Ethernet1 0 1 display vlan dynamic No dynamic vlans exist 8 Configure Ethernet1 0 1 on Switch E to operate in forbidden GVRP...

Страница 141: ...Ports 1 4 Configure loopback detection for Ethernet port s 1 4 Enabling Loopback Test 1 6 Configuring a Port Group 1 7 Enabling the System to Test Connected Cable 1 8 Configuring the Interval to Perfo...

Страница 142: ...sabled Configuring Combo port state Follow these steps to configure the state of a Combo port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface t...

Страница 143: ...Series switches support this feature jumboframe enable Optional By default the maximum frame size allowed on an Ethernet port is 2048 bytes Configuring Port Auto Negotiation Speed You can configure a...

Страница 144: ...sion ratio pps max pps Optional By default the switch does not suppress broadcast traffic Enter Ethernet port view interface interface type interface number Limit broadcast traffic received on the cur...

Страница 145: ...ic ports copy configuration source interface type interface number aggregation group source agg id destination interface list aggregation group destination agg id aggregation group destination agg id...

Страница 146: ...own function is enabled on the port the system will shut down the port and send log and trap messages to the terminal After the loop is removed you need to use the undo shutdown command to bring up th...

Страница 147: ...f the device boots with null configuration this function is disabled Configure the system to run loopback detection on all VLANs of the current trunk or hybrid port loopback detection per vlan enable...

Страница 148: ...ng prompts will be given when you perform loopback test on them Configuring a Port Group To make the configuration task easier for users certain devices allow users to configure on a single port as we...

Страница 149: ...n you can set the interval to perform statistical analysis on the traffic of a port When you use the display interface interface type interface number command to display the information of a port the...

Страница 150: ...log information output is enabled Configuration example By default a port is allowed to output the Up Down log information Execute the shutdown command or the undo shutdown command on Ethernet 1 0 1...

Страница 151: ...rain control block shutdown Optional By default no action is taken when a type of traffic reaches the upper threshold Enable log trap information to be output when a type of traffic received on the po...

Страница 152: ...rks Enter system view system view Enter Ethernet interface view interface interface type interface number Set the port state change delay link delay delay time Required Defaults to 0 which indicates t...

Страница 153: ...t id interface Display the storm control configurations display storm constrain interface interface type interface number begin exclude include regular expression Display the information about the por...

Страница 154: ...LAN 6 through VLAN 50 and VLAN 100 to pass Ethernet1 0 1 Sysname Ethernet1 0 1 port trunk permit vlan 2 6 to 50 100 Configure the default VLAN ID of Ethernet1 0 1 to 100 Sysname Ethernet1 0 1 port tru...

Страница 155: ...Aggregation Group 1 3 Dynamic LACP Aggregation Group 1 4 Aggregation Group Categories 1 5 Link Aggregation Configuration 1 6 Configuring a Manual Aggregation Group 1 6 Configuring a Static LACP Aggreg...

Страница 156: ...asic fields in LACPDUs which cover information including system LACP priority system MAC address port LACP priority port number and operational key With LACP enabled on a port LACP sends the above inf...

Страница 157: ...include z STP configuration including STP status enabled or disabled link attribute point to point or not STP priority STP path cost STP packet format loop guard status root guard status edge port or...

Страница 158: ...for manual aggregation Generally there is no limit on the rate and duplex mode of the ports also including initially down port you want to add to a manual aggregation group Static LACP Aggregation Gr...

Страница 159: ...egation group A port in a dynamic aggregation group can be in one of the two states selected and unselected z Both the selected and the unselected ports can receive transmit LACP protocol packets z Th...

Страница 160: ...regation resources to the aggregation groups with higher priorities When load sharing aggregation resources are used up by existing aggregation groups newly created aggregation groups will be non load...

Страница 161: ...n group z The port with Voice VLAN enabled cannot be added to an aggregation group z Do not add ports with IP filtering enabled to an aggregation group z Do not add ports with ARP intrusion detection...

Страница 162: ...to form one or multiple dynamic aggregation groups For a static aggregation group a port can only be manually added removed to from the static aggregation group When you add an LACP enabled port to a...

Страница 163: ...Command Remarks Enter system view system view Configure the system priority lacp system priority system priority Optional By default the system priority is 32 768 Enter Ethernet port view interface i...

Страница 164: ...and Remarks Display summary information of all aggregation groups display link aggregation summary Display detailed information of a specific aggregation group or all aggregation groups display link a...

Страница 165: ...ysname Ethernet1 0 1 quit Sysname interface Ethernet1 0 2 Sysname Ethernet1 0 2 port link aggregation group 1 Sysname Ethernet1 0 2 quit Sysname interface Ethernet1 0 3 Sysname Ethernet1 0 3 port link...

Страница 166: ...le Sysname Ethernet1 0 1 quit Sysname interface Ethernet1 0 2 Sysname Ethernet1 0 2 lacp enable Sysname Ethernet1 0 2 quit Sysname interface Ethernet1 0 3 Sysname Ethernet1 0 3 lacp enable The three L...

Страница 167: ...i Table of Contents 1 Port Isolation Configuration 1 1 Port Isolation Overview 1 1 Port Isolation Configuration 1 1 Displaying Port Isolation Configuration 1 2 Port Isolation Configuration Example 1 2...

Страница 168: ...net switch The number of Ethernet ports in an isolation group is not limited An isolation group only isolates the member ports in it Port Isolation Configuration You can perform the following operatio...

Страница 169: ...group causes all the ports in the aggregation group being added to the isolation group Displaying Port Isolation Configuration After the above configuration you can execute the display command in any...

Страница 170: ...me interface ethernet1 0 2 Sysname Ethernet1 0 2 port isolate Sysname Ethernet1 0 2 quit Sysname interface ethernet1 0 3 Sysname Ethernet1 0 3 port isolate Sysname Ethernet1 0 3 quit Sysname interface...

Страница 171: ...N for a Port in macAddressOrUserLoginSecure mode 1 8 Ignoring the Authorization Information from the RADIUS Server 1 9 Configuring Security MAC Addresses 1 10 Displaying and Maintaining Port Security...

Страница 172: ...kes pre defined actions automatically This reduces your maintenance workload and greatly enhances system security and manageability Port Security Features The following port security features are prov...

Страница 173: ...r configured with the port security max mac count command After the port security mode is changed to the secure mode only those packets whose source MAC addresses are security MAC addresses learned ca...

Страница 174: ...s the existing dynamic authenticated MAC address entries on the port macAddressWithRa dius In this mode MAC address based authentication is performed for access users macAddressOrUser LoginSecure In t...

Страница 175: ...rLoginSecure or macAddressElseUserLoginSecureExt security mode the MAC address of a user failing MAC authentication is set as a quiet MAC address If the user initiates 802 1x authentication during the...

Страница 176: ...ut 802 1x configuration refer to the sections covering 802 1x and System Guard z For details about MAC authentication configuration refer to the sections covering MAC authentication configuration Sett...

Страница 177: ...ac authentication mac else userlogin secure mac else userlogin secure e xt secure userlogin userlogin secure userlogin secure ext userlogin secure or mac userlogin secure or mac ext userlogin withoui...

Страница 178: ...all frames are allowed to be sent Configuring intrusion protection Follow these steps to configure the intrusion protection feature To do Use the command Remarks Enter system view system view Enter E...

Страница 179: ...ervices only one user at a time 1 When the first user of the port initiates 802 1x or MAC address authentication z If the user fails the authentication the port is added to the guest VLAN and all the...

Страница 180: ...authentication does not have any client software and therefore no such messages will be displayed z To change the security mode from macAddressOrUserLoginSecure mode of a port that is assigned to a g...

Страница 181: ...the maximum number the port will learn new MAC addresses and turn them to security MAC addresses z If the amount of security MAC addresses reaches the maximum number the port will not be able to lear...

Страница 182: ...rity MAC address entries port security timer autolearn age Required Aging of MAC address entries is disabled by default Enter Ethernet port view interface interface type interface number Set the maxim...

Страница 183: ...stops learning MAC addresses If any frame with an unknown MAC address arrives intrusion protection is triggered and the port will be disabled and stay silent for 30 seconds Network diagram Figure 1 1...

Страница 184: ...the Internet This port is assigned to VLAN 1 Normally the port Ethernet 1 0 2 is also assigned to VLAN z VLAN 10 is intended to be a guest VLAN It contains an update server for users to download and...

Страница 185: ...ain for MAC address authentication Switch mac authentication domain system Enable port security Switch port security enable Specify the switch to trigger MAC address authentication at an interval of 6...

Страница 186: ...provides the following binding policies z Port IP binding binds a port to an IP address On the bound port the switch forwards only the packets sourced from the bound IP address z Port MAC binding bind...

Страница 187: ...at a time z A MAC address can be bound to only one port at a time z For the same port port IP MAC binding is mutually exclusive with port IP binding Displaying and Maintaining Port Binding Configurati...

Страница 188: ...B Eth1 0 1 Switch A Switch B Configuration procedure Configure Switch A as follows Enter system view SwitchA system view Enter Ethernet 1 0 1 port view SwitchA interface Ethernet 1 0 1 Bind the MAC ad...

Страница 189: ...DLDP Status 1 4 DLDP Timers 1 5 DLDP Operating Mode 1 6 DLDP Implementation 1 7 DLDP Neighbor State 1 8 Link Auto recovery Mechanism 1 9 DLDP Configuration 1 9 Performing Basic DLDP Configuration 1 9...

Страница 190: ...ed for sending from A to B the other sending from B to A it is a bidirectional link two way link If one of these fibers gets broken this is a unidirectional link one way link When a unidirectional lin...

Страница 191: ...ally or prompts you to disable it manually according to the configurations to avoid network problems A copper twisted pair cable such as a Category 5e twisted pair cable contains eight wires Some of t...

Страница 192: ...hereafter Advertisement packet with the flush flag set to 1 A flush packet carries only the local port information instead of the neighbor information and is used to trigger neighbors to remove the i...

Страница 193: ...nk recovers to implement the port auto recovery mechanism Recover probe packets carry only the local port information instead of the neighbor information They request for recover echo packets as the r...

Страница 194: ...s you to disable the port manually At the same time DLDP deletes the neighbor entry Entry aging timer When a new neighbor joins a neighbor entry is created and the corresponding entry aging timer is e...

Страница 195: ...ice sends up to eight Probe packets at a frequency of one packet per second to test the neighbor If no Echo packet is received from the neighbor when the Echo timer expires the device transits to the...

Страница 196: ...enabled link is up DLDP sends DLDP packets to the peer device and analyzes processes the DLDP packets received from the peer device DLDP packets sent in different DLDP states are of different types Ta...

Страница 197: ...Yes If all neighbors are in the bidirectional link state DLDP switches from the probe state to the advertisement state and sets the echo waiting timer to 0 3 If no echo packet is received from the nei...

Страница 198: ...ket is consistent with that of the local port If yes the link between the local port and the neighbor is considered to be recovered to bidirectional the port changes from the disable state to the acti...

Страница 199: ...Normally the interval is shorter than one third of the STP convergence time which is generally 30 seconds z DLDP does not process any link aggregation control protocol LACP event and treats each link...

Страница 200: ...s Display the DLDP configuration of a unit or a port display dldp unit id interface type interface number Available in any view DLDP Configuration Example Network requirements As shown in Figure 1 4 z...

Страница 201: ...abitEthernet1 1 1 speed 1000 SwitchA GigabitEthernet1 1 1 quit SwitchA interface gigabitethernet 1 1 2 SwitchA GigabitEthernet1 1 2 duplex full SwitchA GigabitEthernet1 1 2 speed 1000 SwitchA GigabitE...

Страница 202: ...he device operates in the normal DLDP mode the end that receives optical signals is in the advertisement state the other end is in the inactive state z If the device operates in the enhance DLDP mode...

Страница 203: ...guration Task List 1 6 Configuring a MAC Address Entry 1 7 Setting the MAC Address Aging Timer 1 8 Setting the Maximum Number of MAC Addresses a Port Can Learn 1 8 Disabling MAC Address learning for a...

Страница 204: ...dress table recording the MAC address to forwarding port association Each entry in a MAC address table contains the following fields z Destination MAC address z ID of the VLAN which a port belongs to...

Страница 205: ...he packet that is the address MAC A of User A to the MAC address table of the switch forming an entry shown in Figure 1 2 Figure 1 1 MAC address learning diagram 1 Figure 1 2 MAC address table entry o...

Страница 206: ...gure 1 5 When forwarding the response packet from User B to User A the switch sends the response to User A through Ethernet 1 0 1 technically called unicast because MAC A is already in the MAC address...

Страница 207: ...duce broadcast packets and are suitable for networks where network devices seldom change z Dynamic MAC address entry This type of MAC address entries age out after the configured aging time They are g...

Страница 208: ...enter the switch through the marked VLAN the switch however cannot find the MAC addresses of the response packets in the MAC address table of the marked VLAN and have to broadcast the packets in the V...

Страница 209: ...the MAC address entries of the marked VLAN can be copied to the MAC address table of the original VLAN When a response packet arrives at the downstream port the switch determines the outbound port fo...

Страница 210: ...ace type interface number vlan vlan id Required z When you add a MAC address entry the port specified by the interface argument must belong to the VLAN specified by the vlan argument in the command Ot...

Страница 211: ...seconds The capacity of the MAC address table on a switch is limited After the limit is reached the switch will forward the frames received with unknown source MAC addresses without learning MAC addr...

Страница 212: ...number of the MAC addresses a port can learn is not limited If you have configured the maximum number of MAC addresses that a port can learn you cannot enable the MAC address authentication or port s...

Страница 213: ...f the MAC address table To avoid the problem you are allowed to assign MAC addresses to the Ethernet ports on an S3100 series switch The idea is to assign a MAC address called the start port MAC addre...

Страница 214: ...N If the configuration needs to be modified you need to remove the existing configuration first z With the MAC address replication feature disabled all the MAC address entries that the destination VLA...

Страница 215: ...hernet 1 0 2 vlan 1 Add a black hole MAC address 000f e235 abcd with the VLAN and ports specified Sysname mac address blackhole 000f e235 abcd interface Ethernet 1 0 2 vlan 1 Display information about...

Страница 216: ...it to VLAN 3 and VLAN 4 SwitchA interface Ethernet 1 0 2 SwitchA Ethernet1 0 2 port link type trunk SwitchA Ethernet1 0 2 port trunk permit vlan 3 4 Please wait Done SwitchA Ethernet1 0 2 quit Create...

Страница 217: ...1 quit Configure VLAN marking on Ethernet 1 0 2 to replace the VLAN tag of packets that matches ACL 3001 with VLAN tag 3 SwitchA interface Ethernet 1 0 2 SwitchA Ethernet1 0 2 traffic remark vlanid in...

Страница 218: ...g the Timeout Time Factor 1 25 Configuring the Maximum Transmitting Rate on the Current Port 1 25 Configuring the Current Port as an Edge Port 1 26 Setting the Link Type of a Port to P2P 1 27 Enabling...

Страница 219: ...l 1 44 Introduction 1 44 Configuring VLAN VPN tunnel 1 45 MSTP Maintenance Configuration 1 45 Introduction 1 45 Enabling Log Trap Output for Ports of MSTP Instance 1 45 Configuration Example 1 46 Enab...

Страница 220: ...RSTP and Multiple Spanning Tree Protocol MSTP This chapter describes the characteristics of STP RSTP and MSTP and the relationship among them Spanning Tree Protocol Overview Why STP Spanning tree prot...

Страница 221: ...he port with the lowest path cost to the root bridge The root port is used for communicating with the root bridge A non root bridge device has one and only one root port The root bridge has no root po...

Страница 222: ...ls see Configuring the Bridge Priority of the Current Switch 5 Path cost STP uses path costs to indicate the quality of links A small path cost indicates a higher link quality The path cost of a port...

Страница 223: ...iority plus MAC address z Designated port ID designated port priority plus port number z Message age lifetime for the configuration BPDUs to be propagated within the network z Max age lifetime for the...

Страница 224: ...h cost the following fields are compared sequentially designated bridge IDs designated port IDs and then the IDs of the ports on which the configuration BPDUs are received The smaller these values the...

Страница 225: ...root port and designated ports forward traffic while other ports are all in the blocked state they only receive STP packets but do not forward user traffic Once the root bridge the root port on each...

Страница 226: ...on BPDUs periodically AP1 0 0 0 AP1 AP2 0 0 0 AP2 z Port BP1 receives the configuration BPDU of Device A 0 0 0 AP1 Device B finds that the received configuration BPDU is superior to the configuration...

Страница 227: ...e process z At the same time port CP1 receives configuration BPDUs periodically from Device A Device C does not launch an update process after comparison CP1 0 0 0 AP2 CP2 0 5 1 BP2 Device C z By comp...

Страница 228: ...ty the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout In this case the device generates configuration BPDUs with...

Страница 229: ...gnated port can transit fast under the following conditions the designated port is an edge port or a port connected with a point to point link If the designated port is an edge port it can enter the f...

Страница 230: ...mapped to MSTI 2 Other VLANs mapped to CIST BPDU BPDU A D C B Region B0 VLAN 1 mapped to MSTI 1 VLAN 2 mapped to MSTI 2 Other VLANs mapped to CIST Region C0 VLAN 1 mapped to MSTI 1 VLAN 2 and 3 mapped...

Страница 231: ...ing tree generated by STP or RSTP running on the switches For example the red lines in Figure 1 4 represent the CST 7 CIST A common and internal spanning tree CIST is the spanning tree in a switched n...

Страница 232: ...of the two ports to eliminate the loop that occurs The blocked port is the backup port In Figure 1 5 switch A switch B switch C and switch D form an MST region Port 1 and port 2 on switch A connect u...

Страница 233: ...STP regards each MST region as a switch to calculate the CSTs of the network The CSTs together with the ISTs form the CIST of the network 2 Calculate an MSTI Within an MST region MSTP generates differ...

Страница 234: ...figure MSTP Task Remarks Enabling MSTP Required To prevent network topology jitter caused by other related configurations you are recommended to enable MSTP after other related configurations are perf...

Страница 235: ...nsmitting Rate on the Current Port Optional The default value is recommended Configuring the Current Port as an Edge Port Optional Configuring the Path Cost for a Port Optional Configuring Port Priori...

Страница 236: ...onfiguration Required Display the configuration of the current MST region check region configuration Optional Display the currently valid configuration of the MST region display stp region configurati...

Страница 237: ...Sysname mst region instance 2 vlan 20 to 30 Sysname mst region revision level 1 Sysname mst region active region configuration Verify the above configuration Sysname mst region check region configurat...

Страница 238: ...o new root bridge is configured If you configure multiple secondary root bridges for an MSTI the one with the smallest MAC address replaces the root bridge when the latter fails You can specify the ne...

Страница 239: ...switch cannot be configured any more z During the selection of the root bridge if multiple switches have the same bridge priority the one with the smallest MAC address becomes the root bridge Configur...

Страница 240: ...to the format of the packets received Follow these steps to configure how a port recognizes and sends MSTP packets in Ethernet port view To do Use the command Remarks Enter system view system view En...

Страница 241: ...e Maximum Hop Count of an MST Region The maximum hop count configured on the region root is also the maximum hops of the MST region The value of the maximum hop count limits the size of the MST region...

Страница 242: ...witches Configuration procedure Follow these steps to configure the network diameter of the switched network To do Use the command Remarks Enter system view system view Configure the network diameter...

Страница 243: ...ed to the network The default value is recommended z An adequate hello time parameter enables a switch to detect link failures in time without occupying too many network resources And a too small hell...

Страница 244: ...me factor to a larger number to avoid such cases Normally the timeout time can be four or more times of the hello time For a steady network the timeout time can be five to seven times of the hello tim...

Страница 245: ...many network resources The default value is recommended Configuration example Set the maximum transmitting rate of Ethernet 1 0 1 to 15 1 Configure the maximum transmitting rate in system view Sysnam...

Страница 246: ...re recommended to configure the Ethernet ports connected directly to terminals as edge ports and enable the BPDU guard function at the same time This not only enables these ports to turn to the forwar...

Страница 247: ...point link stp point to point force true force false auto Required The auto keyword is adopted by default z If you configure the link connected to a port in an aggregation group as a point to point li...

Страница 248: ...m view Enable MSTP stp enable Required MSTP is disabled by default Enter Ethernet port view interface interface type interface number Disable MSTP on the port stp disable Optional By default MSTP is e...

Страница 249: ...long different physical links by configuring appropriate path costs on ports so that VLAN based load balancing can be implemented Path cost of a port can be determined by the switch or through manual...

Страница 250: ...00 2 1 1 1 Normally the path cost of a port operating in full duplex mode is slightly less than that of the port operating in half duplex mode When calculating the path cost of an aggregated link the...

Страница 251: ...Sysname Ethernet1 0 1 stp instance 1 cost 2000 Configuration example B Configure the path cost of Ethernet 1 0 1 in MSTI 1 to be calculated by the MSTP enabled switch according to the IEEE 802 1D 1998...

Страница 252: ...change the role of the port and put the port into state transition A smaller port priority value indicates a higher possibility for the port to become the root port If all the ports of a switch have t...

Страница 253: ...on the switch Configuration Procedure You can perform the mCheck operation in the following two ways Perform the mCheck operation in system view Follow these steps to perform the mCheck operation in s...

Страница 254: ...users can attack a network by sending configuration BPDUs deliberately to edge ports to cause network jitter You can prevent this type of attacks by utilizing the BPDU guard function With this functio...

Страница 255: ...It resumes the normal state if it does not receive any configuration BPDUs with higher priorities for a specified period z You are recommended to enable root guard on the designated ports of a root b...

Страница 256: ...oops in the network The loop guard function suppresses loops With this function enabled if link congestions or unidirectional link failures occur both the root port and the blocked ports become design...

Страница 257: ...n threshold command to set the maximum times for a switch to remove the MAC address table and ARP entries in a specific period When the number of the TC BPDUs received within a period is less than the...

Страница 258: ...opping enabled a port will not receive or forward any BPDUs In this way switches are protected against forged BPDU attacks thus ensuring correct STP calculation z You can enable BPDU dropping on ports...

Страница 259: ...est snooping on the port Then the S3100 Ethernet switch regards another manufacturer s switch as in the same region it records the configuration digests carried in the BPDUs received from another manu...

Страница 260: ...sion level and VLAN to instance mapping z The digest snooping feature must be enabled on all the switch ports that connect to another manufacturer s switches adopting proprietary spanning tree protoco...

Страница 261: ...ode the root port on the downstream switch receives no agreement packet from the upstream switch and thus sends no agreement packets to the upstream switch As a result the designated port of the upstr...

Страница 262: ...ort 2 is the root port Figure 1 8 Network diagram for rapid transition configuration Configuration procedure 1 Configure the rapid transition feature in system view Follow these steps to configure the...

Страница 263: ...ese customer networks and are independent of those of the service provider network As shown in Figure 1 9 the upper part is the service provider network and the lower part comprises the customer netwo...

Страница 264: ...e links between service provider networks are trunk links MSTP Maintenance Configuration Introduction In a large scale network with MSTP enabled there may be many MSTP instances and so the status of a...

Страница 265: ...figuration procedure Follow these steps to enable trap messages conforming to 802 1d standard To do Use the command Remarks Enter system view system view Enable trap messages conforming to 802 1d stan...

Страница 266: ...MSTI 4 and MSTI 0 respectively In this network Switch A and Switch B operate on the convergence layer Switch C and Switch D operate on the access layer VLAN 10 and VLAN 30 are limited in the converge...

Страница 267: ...vlan 30 Sysname mst region instance 4 vlan 40 Sysname mst region revision level 0 Activate the settings of the MST region manually Sysname mst region active region configuration Specify Switch B as t...

Страница 268: ...and Switch B in the network diagram z Switch C and Switch D are connected to each other through the configured trunk ports of the switches The VLAN VPN tunnel function is enabled in system view thus...

Страница 269: ...rt Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 port link type trunk Add the trunk port to all VLANs Sysname GigabitEthernet1 0 2 port trunk permit vlan all 4 Configure Switch...

Страница 270: ...1 51 Sysname GigabitEthernet1 0 1 port trunk permit vlan all...

Страница 271: ...IGMP Snooping Configuration 2 4 Enabling IGMP Snooping 2 4 Configuring the Version of IGMP Snooping 2 5 Configuring Timers 2 6 Configuring Fast Leave Processing 2 6 Configuring a Multicast Group Filte...

Страница 272: ...MLD Snooping Proxying 3 15 Configuration Prerequisites 3 15 Enabling MLD Snooping Proxying 3 15 Configuring a Source IPv6 Address for the MLD Messages Sent by the Proxy 3 16 Configuring an MLD Snoopi...

Страница 273: ...st User Control Policy Configuration Example 5 2 IPv6 Multicast Group Filter Configuration 5 5 IPv6 ACL Overview 5 5 IPv6 ACL Configuration 5 7 IPv6 Multicast Group Filter Configuration 5 10 IPv6 Mult...

Страница 274: ...ablishes a separate data transmission channel for each user requiring this information and sends a separate copy of the information to the user as shown in Figure 1 1 Figure 1 1 Information transmissi...

Страница 275: ...ization ratio of the network resources is very low and the bandwidth resources are greatly wasted Therefore broadcast is disadvantageous in transmitting data to specific users moreover broadcast occup...

Страница 276: ...of multicast over broadcast are as follows z A multicast data flow can be sent only to the receiver that requires the data z Multicast brings no waste of network resources and makes proper use of ban...

Страница 277: ...plications of Multicast Advantages of multicast Advantages of multicast include z Enhanced efficiency Multicast decreases network traffic and reduces server load and CPU load z Optimal performance Mul...

Страница 278: ...ddition the SSM model uses a multicast address range that is different from that of the ASM model and dedicated multicast forwarding paths are established between receivers and the specified multicast...

Страница 279: ...p of destination addresses called group address rather than one address All the receivers join a group Once they join the group the data sent to this group of addresses starts to be transported to the...

Страница 280: ...ated routers OSPF DR 224 0 0 7 Shared tree routers 224 0 0 8 Shared tree hosts 224 0 0 9 RIP 2 routers 224 0 0 11 Mobile agents 224 0 0 12 DHCP server relay agent 224 0 0 13 All protocol independent m...

Страница 281: ...address The P and T bits must also be set to 1 P z When set to 0 it indicates that this address is an IPv6 multicast address not based on a unicast prefix z When set to 1 it indicates that this addres...

Страница 282: ...e multicast IP address Figure 1 6 describes the mapping relationship Figure 1 6 Multicast address mapping XXXX X XXXX XXXX XXXX XXXX XXXX XXXX 1110 XXXX 0XXX XXXX XXXX XXXX XXXX XXXX 0000 0001 0000 00...

Страница 283: ...ction provides only general descriptions about applications and functions of the Layer 2 and Layer 3 multicast protocols in a network For details about part of these protocols refer to the related cha...

Страница 284: ...ol MSDP and Multicast Border Gateway Protocol MBGP MSDP is used to propagate multicast source information among different ASs while MBGP an extension of the Multi protocol Border Gateway Protocol MP B...

Страница 285: ...whether the packet will be forwarded or discarded The RPF check mechanism is the basis for most multicast routing protocols to implement multicast forwarding The RPF mechanism enables multicast devic...

Страница 286: ...is the RPF neighbor The router considers the path along which the packet from the RPF neighbor arrived on the RPF interface to be the shortest path that leads back to the source Assume that unicast r...

Страница 287: ...1 14 the interface on which the packet actually arrived The RPF check succeeds and the packet is forwarded...

Страница 288: ...en IGMP Snooping is not running on the switch multicast packets are broadcast to all devices at Layer 2 When IGMP Snooping is running on the switch multicast packets for known multicast groups are mul...

Страница 289: ...ssages and actions Table 2 1 Port aging timers in IGMP Snooping and related messages and actions Timer Description Message before expiry Action after expiry Router port aging timer For each router por...

Страница 290: ...y receive the message and this prevents the switch from knowing if members of that multicast group are still attached to these ports When receiving a leave message When an IGMPv1 host leaves a multica...

Страница 291: ...ts automatically If the multicast group does not exist the switch drops this IGMP leave message IGMP Snooping Configuration The following table lists all the IGMP Snooping configuration tasks Table 2...

Страница 292: ...gies IGMPv3 has found increasingly wide application In IGMPv3 a host can not only join a specific multicast group but also explicitly specify to receive or reject the information from a specific multi...

Страница 293: ...rt the switch directly removes that port from the forwarding table entry for the specific group If only one host is attached to a port enable fast leave processing to improve bandwidth management Enab...

Страница 294: ...ms available to different users In an actual application when a user requests a multicast program the user s host initiates an IGMP report Upon receiving this report message the switch checks the repo...

Страница 295: ...ion takes effect on all ports in the specified VLAN s z The configuration performed in Ethernet port view takes effect on the port no matter which VLAN it belongs to if no VLAN is specified if one or...

Страница 296: ...and therefore cannot send general queries by default By enabling IGMP Snooping querier on a Layer 2 switch in a VLAN where multicast traffic needs to be Layer 2 switched only and no multicast routers...

Страница 297: ...ommand Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the source IP address of IGMP general queries igmp snooping general query source ip current interface ip address Opt...

Страница 298: ...c Member Port for a Multicast Group If the host connected to a port is interested in the multicast data for a specific group you can configure that port as a static member port for that multicast grou...

Страница 299: ...N view Operation Command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure a specified port as a static router port multicast static router port interface type interface num...

Страница 300: ...by default z Before configuring a simulated host enable IGMP Snooping in VLAN view first z The port to be configured must belong to the specified VLAN otherwise the configuration does not take effect...

Страница 301: ...orresponding configurations on the Layer 3 switch Table 2 18 Configure multicast VLAN on the Layer 3 switch Operation Command Remarks Enter system view system view Create a multicast VLAN and enter VL...

Страница 302: ...port hybrid vlan vlan id list tagged untagged Required The multicast VLAN must be included and the port must be configured to forward tagged packets for the multicast VLAN z One port can belong to onl...

Страница 303: ...GMP snooping on Layer 2 switches z As shown in Figure 2 3 Router A connects to a multicast source Source through Ethernet1 0 2 and to Switch A through Ethernet1 0 1 z Run PIM DM and IGMP on Router A R...

Страница 304: ...thernet 1 0 4 SwitchA vlan100 igmp snooping enable SwitchA vlan100 quit 4 Verify the configuration View the detailed information of the multicast group in VLAN 100 on Switch A SwitchA display igmp sno...

Страница 305: ...10 includes Ethernet 1 0 10 Ethernet1 0 1 and Ethernet 1 0 2 Ethernet 1 0 10 is connected to Switch A VLAN 10 is a multicast VLAN Host A User 1 Host A is connected to Ethernet 1 0 1 on Switch B Host B...

Страница 306: ...Enable the IGMP Snooping feature on Switch B SwitchB system view SwitchB igmp snooping enable Configure VLAN 10 as the multicast VLAN and enable IGMP Snooping on it SwitchB vlan 10 SwitchB vlan10 serv...

Страница 307: ...ng is disabled check whether it is disabled globally or in the specific VLAN If it is disabled globally use the igmp snooping enable command in both system view and VLAN view to enable it both globall...

Страница 308: ...overy Snooping MLD snooping is an IPv6 multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups Introduction to MLD Snooping By analyzing received MLD...

Страница 309: ...r 2 It brings the following advantages z Reducing Layer 2 broadcast packets thus saving network bandwidth z Enhancing the security of multicast traffic z Facilitating the implementation of per host ac...

Страница 310: ...nd dynamic ports z On an MLD snooping enabled switch the ports that received MLD general queries with the source address other than 0 0 or IPv6 PIM hello messages are dynamic router ports Aging timers...

Страница 311: ...tion addressed to that IPv6 multicast group Upon receiving an MLD report the switch forwards it through all the router ports in the VLAN resolves the address of the reported IPv6 multicast group and p...

Страница 312: ...ed the MLD done message Upon receiving the MLD multicast address specific query the switch forwards it through all the router ports in the VLAN and all member ports for that IPv6 multicast group and p...

Страница 313: ...looks up the multicast forwarding table for the entry for the multicast group If the forwarding entry is found with the receiving port contained as a dynamic port in the outgoing port list the proxy...

Страница 314: ...Pv6 Address for the MLD Messages Sent by the Proxy Optional Configuring Dropping Unknown IPv6 Multicast Data Optional Configuring MLD Report Suppression Optional Configuring Maximum Multicast Groups t...

Страница 315: ...ing enable Required Disabled by default z MLD snooping must be enabled globally before it can be enabled in a VLAN z When you enable MLD snooping in a specified VLAN this function takes effect for por...

Страница 316: ...get manually removed Follow these steps to configure the maximum number of entries in the forwarding table To do Use the command Remarks Enter system view system view Enter MLD snooping view mld snoop...

Страница 317: ...al 260 seconds by default Configure dynamic member port aging time host aging time interval Optional 260 seconds by default Configuring aging timers for dynamic ports in a VLAN Follow these steps to c...

Страница 318: ...uter will deem that no member of this IPv6 multicast group exists on the network segment and therefore will remove the corresponding forwarding path To avoid this situation from happening you can enab...

Страница 319: ...usage However if fast leave processing is enabled on a port to which more than one host is attached when one host leaves a multicast group the other hosts attached to the port and interested in the sa...

Страница 320: ...ng MLD snooping querier on a Layer 2 switch in a VLAN where multicast traffic needs to be Layer 2 switched only and no Layer 3 multicast devices are present the Layer 2 switch will act as the MLD quer...

Страница 321: ...es globally Follow these steps to configure MLD queries and responses globally To do Use the command Remarks Enter system view system view Enter MLD snooping view mld snooping Configure the maximum re...

Страница 322: ...address of MLD query messages may affect MLD querier election within the segment Configuring MLD Snooping Proxying Configuration Prerequisites Before configuring MLD snooping proxying in a VLAN enabl...

Страница 323: ...Before configuring an MLD snooping policy complete the following tasks z Enable MLD snooping in the VLAN Before configuring an MLD snooping policy prepare the following data z The maximum number of IP...

Страница 324: ...s Enter system view system view Enter MLD snooping view mld snooping Enable MLD report suppression report aggregation Optional Enabled by default On an MLD snooping proxy MLD membership reports are su...

Страница 325: ...cal example is channel switching namely by joining the new multicast group a user automatically switches from the current IPv6 multicast group to the new one To address this situation you can enable t...

Страница 326: ...view system view Enter MLD Snooping view mld snooping Configure 802 1p precedence for MLD Messages dot1p priority priority number Required The default 802 1p precedence for MLD messages is 0 Configuri...

Страница 327: ...gh Ethernet 1 0 2 and to Switch A through Ethernet 1 0 1 Router A is the MLD querier on the subnet z MLDv1 is required on Router A MLD snooping version 1 is required on Switch A and Router A will act...

Страница 328: ...lan 100 SwitchA vlan100 port ethernet 1 0 1 to ethernet 1 0 4 SwitchA vlan100 mld snooping enable SwitchA vlan100 mld snooping drop unknown SwitchA vlan100 quit Configure an IPv6 multicast group filte...

Страница 329: ...h Ethernet 1 0 1 z MLDv1 is to run on Router A and MLDv1 Snooping is to run on Switch A Switch B and Switch C with Router A acting as the MLD querier z Host A and host C are permanent receivers of IPv...

Страница 330: ...witch B Eth1 0 1 E t h 1 0 2 E t h 1 0 3 E t h 1 0 1 Eth1 0 2 E t h 1 0 1 Eth1 0 2 Host C Host B Host A Receiver Receiver E t h 1 0 3 E t h 1 0 4 Eth1 0 5 Configuration procedure 1 Enable IPv6 forward...

Страница 331: ...100 port ethernet 1 0 1 ethernet 1 0 2 SwitchB vlan100 mld snooping enable SwitchB vlan100 quit 5 Configure Switch C Enable MLD snooping globally SwitchC system view SwitchC mld snooping SwitchC mld s...

Страница 332: ...shown above Ethernet 1 0 3 of Switch A has become a static router port Display the detailed MLD snooping multicast group information in VLAN 100 on Switch C SwitchC display mld snooping group vlan 100...

Страница 333: ...multicast sources is chosen as the MLD snooping querier z To prevent flooding of unknown multicast traffic within the VLAN it is required to configure all the switches to drop unknown multicast data...

Страница 334: ...s information of these MLD messages received Display the MLD message statistics on Switch B SwitchB vlan100 display mld snooping statistics Received MLD general queries 3 Received MLDv1 specific queri...

Страница 335: ...port Ethernet 1 0 1 RouterA system view RouterA multicast ipv6 routing enable RouterA interface ethernet 1 0 1 RouterA Ethernet1 1 mld enable RouterA Ethernet1 1 pim ipv6 dm RouterA Ethernet1 1 quit...

Страница 336: ...roup address FF1E 101 FF1E 101 Host port s total 2 port Eth1 0 3 D Eth1 0 4 D MAC group s MAC group address 3333 0000 0101 Host port s total 2 port Eth1 0 3 Eth1 0 4 Display information about MLD mult...

Страница 337: ...0 4 Troubleshooting MLD Snooping Switch Fails in Layer 2 Multicast Forwarding Symptom A switch fails to implement Layer 2 multicast forwarding Analysis MLD snooping is not enabled Solution 1 Enter the...

Страница 338: ...Ns require IPv6 multicast programs on demand service the Layer 3 device Router A needs to forward a separate copy of the multicast traffic in each user VLAN to the Layer 2 device Switch A This results...

Страница 339: ...D Snooping can uniformly manage the router ports and member ports in the IPv6 multicast VLAN When forwarding multicast data to Switch A Router A needs to send only one copy of multicast traffic to Swi...

Страница 340: ...he IPv6 multicast VLAN to pass and untag the packets Thus upon receiving multicast packets tagged with the IPv6 multicast VLAN ID from the upstream device the Layer 2 device untags the multicast packe...

Страница 341: ...Required By default an IPv6 multicast VLAN has no ports Configure IPv6 multicast VLAN ports in terface view Follow these steps to configure IPv6 multicast VLAN ports in interface view To do Use this c...

Страница 342: ...e so that Router A just sends IPv6 multicast data to Switch A through the IPv6 multicast VLAN and Switch A forward the IPv6 multicast data to the receivers that belong to different user VLANs Figure 4...

Страница 343: ...LAN 2 to pass and untag the packets when forwarding them SwitchA interface ethernet 1 0 2 SwitchA Ethernet1 0 2 port link type hybrid SwitchA Ethernet1 0 2 port hybrid pvid vlan 2 SwitchA Ethernet1 0...

Страница 344: ...VLAN Vlan id 10 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port Eth1 0 1 D IP group s the following ip group s match to one mac group IP group address FF1E 101 FF...

Страница 345: ...configured policies If a match is found the host is allowed to join the multicast group otherwise the join report is dropped by the access switch z Upon receiving an IGMP leave message from a host the...

Страница 346: ...ation z A multicast user control policy is functionally similar to a multicast group filter A difference lies in that a control policy can control both multicast joining and leaving of users based on...

Страница 347: ...ugh Ethernet 1 0 3 to the four VLANs respectively SwitchA system view SwitchA vlan 101 SwitchA vlan101 port ethernet 1 0 1 SwitchA vlan101 quit SwitchA vlan 102 SwitchA vlan102 port ethernet 1 0 2 Swi...

Страница 348: ...radius scheme1 primary accounting 2 1 1 1 SwitchB radius scheme1 key accounting 321123 SwitchB radius scheme1 user name format without domain SwitchB radius scheme1 quit Create an ISP domain domain1...

Страница 349: ...ilter Configuration IPv6 ACL Overview IPv6 ACL Classification IPv6 ACLs identified by ACL numbers fall into two categories as shown in Table 5 1 Table 5 1 IPv6 ACL categories Category ACL number Match...

Страница 350: ...ocol range A rule configured with a specific protocol is prior to a rule with the protocol type set to IP IP means any protocol carried over IP 2 Source IPv6 address prefix A rule configured with a lo...

Страница 351: ...They are numbered in the range 2000 to 2999 z Configuration Prerequisites If you want to reference a time range in a rule define it with the time range command first z Configuration Procedure Follow...

Страница 352: ...CMP message code Advanced IPv6 ACLs are numbered in the range 3000 to 3999 Compared with basic IPv6 ACLs they allow of more flexible and accurate filtering z Configuration Prerequisites If you want to...

Страница 353: ...among the existing rules in the depth first order Note that the IDs of the rules still remain the same z You can modify the rule order of an IPv6 ACL with the acl ipv6 number acl6 number name acl6 nam...

Страница 354: ...nst the configured ACL rule If the port on which the report was received can join this IPv6 multicast group the switch adds an entry for this port in the MLD snooping forwarding table otherwise the sw...

Страница 355: ...oup otherwise the join report is dropped by the access switch z Upon receiving a done message from a host the access switch matches the IPv6 multicast group and source addresses against the policies I...

Страница 356: ...iguration Example Network requirements z As shown in Figure 5 2 Switch A is a Layer 3 switch It connects to IPv6 multicast Source 1 through VLAN interface 101 It connects to the RADIUS server through...

Страница 357: ...oping quit Create VLAN 103 assign Ethernet 1 0 1 through Ethernet 1 0 3 to this VLAN and enable MLD snooping in this VLAN SwitchB vlan 103 SwitchB vlan103 port ethernet 1 0 1 to ethernet 1 0 3 SwitchB...

Страница 358: ...IUS server On the RADIUS server configure the parameters related to Switch B For details refer to the configuration manual of the RADIUS server 5 Verify the configuration After the configurations the...

Страница 359: ...5 15 MAC group address 3333 0000 0101 Host port s total 1 port Eth1 0 3 As shown above Ethernet 1 0 3 on Switch B has joined FF1E 101 but not FF1E 102...

Страница 360: ...t servers on the network This affects the use of network bandwidth and transmission of multicast data of authorized users by taking network resources You can configure multicast source port suppressio...

Страница 361: ...ually Generally when receiving a multicast packet for a multicast group not yet registered on the switch the switch will flood the packet within the VLAN to which the port belongs You can configure a...

Страница 362: ...tered on the local switch the packet will be flooded in the VLAN When the function of dropping unknown multicast packets is enabled the switch will drop any multicast packets whose multicast address i...

Страница 363: ...information about multicast source port suppression display multicast source deny interface interface type interface number Display the created multicast MAC table entries display mac address multicas...

Страница 364: ...n 1 20 Enabling the Unicast Trigger Function for 802 1X Authentication 1 20 Configuring Guest VLAN 1 21 Configuring Auth Fail VLAN for 802 1X Authentication 1 21 Configuring 802 1x Re Authentication 1...

Страница 365: ...ard Feature 4 1 Displaying and Maintaining System Guard 4 2 5 System Guard Configuration For S3100 SI 5 1 System Guard Overview 5 1 System Guard Configuration 5 1 Enabling the System Guard function 5...

Страница 366: ...Figure 1 1 Architecture of 802 1x authentication z The supplicant system is an entity residing at one end of a LAN segment and is authenticated by the authenticator system at the other end of the LAN...

Страница 367: ...m can send and receive authentication requests z The controlled port can be used to pass service packets when it is in authorized state It is blocked when not in authorized state In this case no packe...

Страница 368: ...defined in 802 1x To enable EAP protocol packets to be transmitted between supplicant systems and authenticator systems through LANs EAP protocol packets are encapsulated in EAPoL format The followin...

Страница 369: ...he Code Identifier Length and Data fields z The Data field carries the EAP packet whose format differs with the Code field A Success or Failure packet does not contain the Data field so the Length fie...

Страница 370: ...rt the two newly added fields the EAP message field with a value of 79 and the Message authenticator field with a value of 80 Four authentication ways namely EAP MD5 EAP TLS transport layer security E...

Страница 371: ...process z Upon receiving the authentication request packet the switch sends an EAP request identity packet to ask the 802 1x client for the user name z The 802 1x client responds by sending an EAP re...

Страница 372: ...d to rejected In EAP relay mode packets are not modified during transmission Therefore if one of the four ways are used that is PEAP EAP TLS EAP TTLS or EAP MD5 to authenticate ensure that the authent...

Страница 373: ...act in an orderly way z Handshake timer handshake period This timer sets the handshake period and is triggered after a supplicant system passes the authentication It sets the interval for a switch to...

Страница 374: ...ersion period and is triggered after a switch sends a version request packet The switch sends another version request packet if it does receive version response packets from the supplicant system when...

Страница 375: ...ion and validity of an 802 1x client to prevent unauthorized users or users with earlier versions of 802 1x client from logging in This function makes the switch to send version requesting packets aga...

Страница 376: ...the device will keep the user in the guest VLAN If a user of a port in the guest VLAN initiates authentication and passes the authentication the device will add the user to the assigned VLAN or return...

Страница 377: ...mong the S3100 series Ethernet switches only the S3100 EI series supports the Auth Fail VLAN function Enabling 802 1x re authentication 802 1x re authentication is timer triggered or packet triggered...

Страница 378: ...henticates users periodically 802 1x re authentication will fail if a CAMS server is used and configured to perform authentication but not accounting This is because a CAMS server establishes a user s...

Страница 379: ...er to the AAA Operation Manual for detailed information about AAA scheme configuration Basic 802 1x Configuration Configuration Prerequisites z Configure ISP domain and the AAA scheme to be adopted Yo...

Страница 380: ...is the macbased keyword is used by default Set authentication method for 802 1x users dot1x authentication method chap pap eap Optional By default a switch performs CHAP authentication in EAP termina...

Страница 381: ...on switches cannot receive handshaking acknowledgement packets from them in handshaking periods To prevent users being falsely considered offline you need to disable the online user handshaking functi...

Страница 382: ...dvanced 802 1x configurations as listed below are all optional z Specifying a Mandatory Authentication Domain for a Port z Configuration concerning CAMS including multiple network adapters detecting p...

Страница 383: ...n Default domain Not configured Default domain X Default domain user name format without domain user name format with domain Z X Z Z X Z user name format without domain Note that z You can view userna...

Страница 384: ...the proxy detecting function you need to enable the online user handshaking function first z The configuration listed in Table 1 4 takes effect only when it is performed on CAMS as well as on the swi...

Страница 385: ...DHCP on access users and users are authenticated when they apply for dynamic IP addresses through DHCP Table 1 6 Enable DHCP triggered authentication Operation Command Remarks Enter system view syste...

Страница 386: ...C EPON EI Series Ethernet Switches Configuring Auth Fail VLAN for 802 1X Authentication Configuration prerequisites z Enable 802 1X authentication z Create the VLAN to be specified as the Auth Fail VL...

Страница 387: ...ation on port s In port view dot1x re authenticate Required By default 802 1x re authentication is disabled on a port z To enable 802 1x re authentication on a port you must first enable 802 1x global...

Страница 388: ...he 802 1x related configuration by executing the display command in any view You can clear 802 1x related statistics information by executing the reset command in user view Table 1 12 Display and debu...

Страница 389: ...name is sent to the RADIUS servers with the domain name truncated z The user name and password for local 802 1x authentication are localuser and localpass in plain text respectively The idle disconnec...

Страница 390: ...5 Set the timer for the switch to send real time accounting packets to the RADIUS servers Sysname radius radius1 timer realtime accounting 15 Configure to send the user name to the RADIUS server with...

Страница 391: ...to provide authentication authorization and accounting services Specify aabbcc as the shared key for Switch to exchange packets with the RADIUS server z Configure hello as both the username and passw...

Страница 392: ...bcc Switch radius radius1 key accounting aabbcc Switch radius radius1 server type extended Switch radius radius1 user name format with domain Switch radius radius1 quit Specify aabbcc as the mandatory...

Страница 393: ...s and HTTP redirection Restricted access Before passing 802 1x authentication a user is restricted through ACLs to a specific range of IP addresses or a specific server Services like EAD client upgrad...

Страница 394: ...ck EAD deployment disabled users cannot access the DHCP server if they fail 802 1x authentication With quick EAD deployment enabled users can obtain IP addresses dynamically before passing authenticat...

Страница 395: ...g and Maintaining Quick EAD Deployment After performing the above configurations you can display and verify the quick EAD deployment related configuration by executing the display command in any view...

Страница 396: ...s PC is configured as the IP address of the connected VLAN interface on the switch Configure the URL for HTTP redirection Sysname system view Sysname dot1x url http 192 168 0 111 Configure a free IP...

Страница 397: ...otted decimal notation As a result the PC cannot receive any ARP response and therefore cannot be redirected To solve this problem the user needs to enter an IP address that is not in the free IP rang...

Страница 398: ...o the HABP request packets and forward the HABP request packets to lower level switches HABP servers usually reside on management devices and HABP clients usually on attached switches For ease of swit...

Страница 399: ...habp enable Optional HABP is enabled by default And a switch operates as an HABP client after you enable HABP for it Displaying HABP After performing the above configuration you can display and verif...

Страница 400: ...o know the characteristics of the attack source and then you can adopt different filtering rules according the characteristics of the attack source Thus system guard is implemented Configuring the Sys...

Страница 401: ...minutes Displaying and Maintaining System Guard After the above configuration execute the display command in any view to display the running status of the system guard feature and to verify the confi...

Страница 402: ...nfiguration includes z Enabling the system guard function z Configuring system guard related parameters z Specifying system guard enabled ports Enabling the System Guard function Table 5 1 lists the o...

Страница 403: ...rt if the number of packets the port received and sent to the CPU in a specified interval exceeds the specified threshold the system considers that the port is under attack and begins to limit the pac...

Страница 404: ...figuring RADIUS Accounting Servers 2 16 Configuring Shared Keys for RADIUS Messages 2 17 Configuring the Maximum Number of RADIUS Request Transmission Attempts 2 18 Configuring the Type of RADIUS Serv...

Страница 405: ...Telnet Users 2 33 HWTACACS Authentication and Authorization of Telnet Users 2 35 Troubleshooting AAA 2 36 Troubleshooting RADIUS Configuration 2 36 Troubleshooting HWTACACS Configuration 2 36 3 EAD Co...

Страница 406: ...ated on this device instead of on a remote device Local authentication is fast and requires lower operational cost but has the deficiency that information storage capacity is limited by device hardwar...

Страница 407: ...eme and so on for each ISP domain independently in ISP domain view Authentication authorization and accounting of a user depends on the AAA methods configured for the domain that the user belongs to T...

Страница 408: ...g as a RADIUS client passes user information to a specified RADIUS server and takes appropriate action such as establishing terminating user connection depending on the responses returned from the ser...

Страница 409: ...ient an authentication response Access Accept which contains the user s authorization information If the authentication fails the server returns an Access Reject response 4 The RADIUS client accepts o...

Страница 410: ...4 Accounting Request Direction client server The client transmits this message to the server to request the server to start or end the accounting whether to start or to end the accounting is determine...

Страница 411: ...ength fields Table 1 2 RADIUS attributes Type field value Attribute type Type field value Attribute type 1 User Name 23 Framed IPX Network 2 User Password 24 State 3 CHAP Password 25 Class 4 NAS IP Ad...

Страница 412: ...liable transmission and encryption and therefore is more suitable for security control Table 1 3 lists the primary differences between HWTACACS and RADIUS Table 1 3 Differences between HWTACACS and RA...

Страница 413: ...ange procedure in HWTACACS The following text takes telnet user as an example to describe how HWTACACS implements authentication authorization and accounting for a user Figure 1 7 illustrates the basi...

Страница 414: ...message carrying the password to the TACACS server 6 The TACACS server returns an authentication response indicating that the user has passed the authentication 7 The TACACS client sends a user author...

Страница 415: ...onfigure RADIUS or HWATACACS before performing RADIUS or HWTACACS authentication Configuring Dynamic VLAN Assignment Optional Configuring the Attributes of a Local User Optional AAA configuration Cutt...

Страница 416: ...twork service Set the maximum number of access users that the ISP domain can accommodate access limit disable enable max user number Optional By default there is no limit on the number of access users...

Страница 417: ...ser information security With the cooperation of other networking devices such as switches in a network a CAMS server can implement the AAA functions and right management Configuring an AAA Scheme for...

Страница 418: ...local hwtacacs scheme hwtacacs scheme name local Required By default an ISP domain uses the local AAA scheme Specify an AAA scheme for LAN users scheme lan access local none radius scheme radius sche...

Страница 419: ...the FTP service you should not configure the none scheme z If scheme switching occurs during authentication local authorization and accounting will be performed If no scheme switching occurs during a...

Страница 420: ...cal and none authentication methods do not require any scheme 2 Determine the access mode or service type to be configured With AAA you can configure an authentication method specifically for each acc...

Страница 421: ...hing processes do not affect each other For example if scheme switching occurs during authentication the primary HWTACACS authorization scheme is still used though the authorization hwtacacs scheme hw...

Страница 422: ...AN z String If the RADIUS authentication server assigns string type of VLAN IDs you can set the VLAN assignment mode to string on the switch Then upon receiving a string ID assigned by the RADIUS auth...

Страница 423: ...ss local authentication you should add an entry in the local user database on the switch for the user Table 2 7 Configure the attributes of a local user Operation Command Remarks Enter system view sys...

Страница 424: ...is determined by the privilege level of the user For SSH users using RSA shared key for authentication the commands they can access are determined by the levels set on their user interfaces z If the c...

Страница 425: ...mission Attempts Optional Configuring the Type of RADIUS Servers to be Supported Optional Configuring the Status of RADIUS Servers Optional Configuring the Attributes of Data to be Sent to RADIUS Serv...

Страница 426: ...horization and accounting And for each type of server you can configure two servers in a RADIUS scheme primary server and secondary server A RADIUS scheme has some parameters such as IP addresses of t...

Страница 427: ...eme and enter its view radius scheme radius scheme name Required By default a RADIUS scheme named system has already been created in the system Set the IP address and port number of the primary RADIUS...

Страница 428: ...timeout Some users may need the attributes but some users may not Such conflict occurs if the RADIUS server does not support user based attribute assignment or it performs uniformed user management Th...

Страница 429: ...sending mode of accounting start requests Operation Command Remarks Enter system view system view Create a RADIUS scheme and enter its view radius scheme radius scheme name Configure the sending mode...

Страница 430: ...erver secondary accounting ip address ipv6 ipv6 address port number key string Optional By default the IP address and UDP port number of the secondary accounting server are 0 0 0 0 and 1813 for a newl...

Страница 431: ...maximum number the switch cuts down the user connection z The IP address and port number of the primary accounting server of the default RADIUS scheme system are 127 0 0 1 and 1646 respectively z Cur...

Страница 432: ...request fails Table 2 16 Configure the maximum transmission attempts of a RADIUS request Operation Command Remarks Enter system view system view Create a RADIUS scheme and enter its view radius scheme...

Страница 433: ...the primary server instead of communicating with the secondary server and at the same time restores the status of the primary server to active while keeping the status of the secondary server unchange...

Страница 434: ...lows to RADIUS servers data flow format data byte giga byte kilo byte mega byte packet giga packet kilo packet mega packet one packet Optional By default in a RADIUS scheme the data unit and packet un...

Страница 435: ...MAC address format of the Calling Station Id Type 31 field in RADIUS packets is to improve the switch s compatibility with different RADIUS servers This setting is necessary when the format of Calling...

Страница 436: ...server The maximum time that the switch can wait for the response is called the response timeout time of RADIUS servers and the corresponding timer in the switch system is called the response timeout...

Страница 437: ...ional By default the real time accounting interval is 12 minutes Enabling Sending Trap Message when a RADIUS Server Goes Down Table 2 22 Specify to send trap message when a RADIUS server goes down Ope...

Страница 438: ...ing to the information NAS ID NAS IP address and session ID contained in the message and ends the accounting for the users depending on the last accounting update message 4 Once the switch receives th...

Страница 439: ...e The HWTACACS protocol configuration is performed on a scheme basis Therefore you must create an HWTACACS scheme and enter HWTACACS view before performing other configuration tasks Table 2 25 Create...

Страница 440: ...nfiguring TACACS Authorization Servers Table 2 27 Configure TACACS authorization servers Operation Command Remarks Enter system view system view Create an HWTACACS scheme and enter its view hwtacacs s...

Страница 441: ...onal By default the stop accounting messages retransmission function is enabled and the system can transmit a buffered stop accounting request for 100 times z You are not allowed to configure the same...

Страница 442: ...e user names sent from the switch to TACACS server carry ISP domain names data flow format data byte giga byte kilo byte mega byte Set the units of data flows to TACACS servers data flow format packet...

Страница 443: ...nting interval is 12 minutes z To control the interval at which users are charge in real time you can set the real time accounting interval After the setting the switch periodically sends online users...

Страница 444: ...ics display radius statistics Display buffered non response stop accounting requests display stop accounting buffer radius scheme radius scheme name session id session id time range start time stop ti...

Страница 445: ...rs The IP address of the server is 10 110 91 164 z Set the shared keys for authentication authorization and accounting packets exchanged with the RADIUS server to aabbcc Configure the switch to remove...

Страница 446: ...witch Ethernet1 0 1 dot1x Remote RADIUS Authentication of Telnet SSH Users The configuration procedure for remote authentication of SSH users by RADIUS server is similar to that for Telnet users The f...

Страница 447: ...name domain cams Sysname isp cams access limit enable 10 Sysname isp cams quit Configure a RADIUS scheme Sysname radius scheme cams Sysname radius cams accounting optional Sysname radius cams primary...

Страница 448: ...uthentication for Telnet users Sysname user interface vty 0 4 Sysname ui vty0 4 authentication mode scheme Sysname ui vty0 4 quit Create and configure a local user named telnet Sysname local user teln...

Страница 449: ...set both authentication and authorization shared keys that are used to exchange messages with the TACACS server to aabbcc Configure the switch to strip domain names off user names before sending user...

Страница 450: ...from the switch Take measures to make the switch communicate with the RADIUS server normally Symptom 2 RADIUS packets cannot be sent to the RADIUS server Possible reasons and solutions z The communica...

Страница 451: ...es the validity of the session control packets it receives according to the source IP addresses of the packets It regards only those packets sourced from authentication or security policy server as va...

Страница 452: ...ration includes z Configuring the attributes of access users such as user name user type and password For local authentication you need to configure these attributes on the switch for remote authentic...

Страница 453: ...tication server type to extended z Configure the encryption password for exchanging messages between the switch and RADIUS server to expert z Configure the IP address 10 110 91 166 of the security pol...

Страница 454: ...ams server type extended Configure the IP address of the security policy server Sysname radius cams security policy server 10 110 91 166 Associate the domain with the RADIUS scheme Sysname radius cams...

Страница 455: ...iguring Basic MAC Authentication Functions 1 2 MAC Address Authentication Enhanced Function Configuration 1 4 MAC Address Authentication Enhanced Function Configuration Tasks 1 4 Configuring a Guest V...

Страница 456: ...en authentications are performed on a RADIUS server the switch serves as a RADIUS client and completes MAC authentication in combination of the RADIUS server z In MAC address mode the switch sends the...

Страница 457: ...ply by the switch until the quiet timer expires This prevents an invalid user from being authenticated repeatedly in a short time z If the quiet MAC is the same as the static MAC configured or an auth...

Страница 458: ...ace number Set the offline detect timer for MAC authentication on the Ethernet port view mac authentication timer offline detect offline detect value Optional 300 seconds for offline detect timer by d...

Страница 459: ...ction for MAC authentication After completing configuration tasks in Configuring Basic MAC Authentication Functions for a switch this switch can authenticate access users according to their MAC addres...

Страница 460: ...ort even if users fail to pass authentication Table 1 3 Configure a guest VLAN or Auth Fail VLAN Operation Command Description Enter system view system view Enter Ethernet port view interface interfac...

Страница 461: ...onfigure a new guest VLAN for this port z 802 1x authentication cannot be enabled for a port configured with a MAC authentication guest VLAN Configuring the Maximum Number of MAC Address Authenticatio...

Страница 462: ...uiet no matter whether the authentication is failed Table 1 5 Configure the quiet MAC function on a port Operation Command Description Enter system view system view Enter Ethernet port view interface...

Страница 463: ...uiring hyphened lowercase MAC addresses as the usernames and passwords Sysname mac authentication authmode usernameasmacaddress usernameformat with hyphen lowercase Add a local user z Specify the user...

Страница 464: ...9 After doing so your MAC authentication configuration will take effect immediately Only users with the MAC address of 00 0d 88 f6 44 c1 are allowed to access the Internet through port Ethernet 1 0 2...

Страница 465: ...e 1 4 Configuring a Web Authentication Free User 1 4 Configuring HTTPS Access for Web Authentication 1 4 Configuration Prerequisites 1 5 Configuration Procedure 1 5 Customizing Web Authentication Page...

Страница 466: ...nfiguration Example Currently only the S3100 EI series support Web authentication Introduction to Web Authentication Web authentication is a port based authentication method that is used to control th...

Страница 467: ...sabled globally by default interface interface type interface number web authentication select method shared designated extended Enable Web authentication on a port quit Required Disabled on port by d...

Страница 468: ...orced to get offline z You can use the web authentication select method extended command to enable Web authentication on a hybrid port Configuring an Auth Fail VLAN for Web Authentication In some case...

Страница 469: ...the MAFV for 802 1X authentication on a port has been assigned to a user the MAFV for Web authentication will not take effect for the user Configuring a Web Authentication Free User Follow these steps...

Страница 470: ...r policy policy name Required HTTP is used by default z You must configure this command before enabling Web authentication That is after enabling Web authentication you cannot change the access protoc...

Страница 471: ...Web authentication page file the device will display the loaded Web authentication pages The customized information configured in section Customizing Page Elements for the default authentication page...

Страница 472: ...requests are used when users submit username and password pairs log on the system and log off the system Rules on Post request attributes 1 Observe the following requirements when editing a form of a...

Страница 473: ...ing Web Authentication Transition A WLAN client is connected to a switch through a wireless access point AP It may move between the ports of the switch when it for example roams between different APs...

Страница 474: ...Web Proxy Auto Discovery WPAD rather than configured manually you need to perform the following configuration in addition to the port configuration z If DNS and WINS servers are providing services in...

Страница 475: ...ain an IP address through the DHCP server Set the IP address and port number of the Web authentication server Sysname system view Sysname web authentication web server ip 10 10 10 10 port 8080 Configu...

Страница 476: ...me radius scheme radius1 Enable Web authentication globally It is recommended to take this step as the last step so as to avoid the case that a valid user cannot access the network due to that some ot...

Страница 477: ...le Authentication Overview 1 1 Background 1 1 Triple Authentication Mechanism 1 1 Extended Functions 1 2 Triple Authentication Configuration 1 3 Triple Authentication Configuration Example 1 3 Network...

Страница 478: ...which connects to the terminals needs to support all the three types of authentication and allow a terminal to access the network after passing a type of authentication Figure 1 1 Triple authenticati...

Страница 479: ...ing online To make the client free from authentication you can execute the web authentication free user command or configure an ACL rule to permit packets sourced from the client to pass Extended Func...

Страница 480: ...he three authentication methods 802 1X authentication Web authentication and MAC authentication can access the IP network More specifically z The terminals request IP addresses through DHCP They use I...

Страница 481: ...to specific VLANs omitted Enable DHCP Switch system view Switch dhcp enable Exclude the gateway IP addresses from assignment Switch dhcp server forbidden ip 192 168 1 1 Switch dhcp server forbidden i...

Страница 482: ...Switch radius rs1 key accounting radius Specify usernames sent to the RADIUS server to carry no domain names Switch radius rs1 user name format without domain Switch radius rs1 quit 3 Configure an IS...

Страница 483: ...ernet1 0 1 quit 6 Configure 802 1X authentication Enable 802 1X authentication globally Switch dot1x Enable 802 1X authentication MAC based access control required on Ethernet 1 0 1 and specify VLAN 2...

Страница 484: ...Rate Limit 1 5 Introduction to Gratuitous ARP 1 5 ARP Configuration 1 5 Configuring ARP Basic Functions 1 5 Configuring ARP Attack Detection 1 6 Configuring the ARP Packet Rate Limit Function 1 7 Gra...

Страница 485: ...quest messages and ARP reply messages Figure 1 1 illustrates the format of these two types of ARP messages z As for an ARP request all the fields except the hardware address of the receiver field are...

Страница 486: ...sender Hardware address of the receiver z For an ARP request packet this field is null z For an ARP reply packet this field carries the hardware address of the receiver IP address of the receiver IP a...

Страница 487: ...IP address and source MAC address are respectively the IP address and MAC address of Host A and the destination IP address and MAC address are respectively the IP address of Host B and an all zero MAC...

Страница 488: ...switches support the ARP attack detection function All ARP both request and response packets passing through the switch are redirected to the CPU which checks the validity of all the ARP packets by u...

Страница 489: ...port will revert to the Up state after a configured period of time Introduction to Gratuitous ARP The following are the characteristics of gratuitous ARP packets z Both source and destination IP addre...

Страница 490: ...ument must be the ID of an existing VLAN and the port identified by the interface type and interface number arguments must belong to the VLAN z Currently static ARP entries cannot be configured on the...

Страница 491: ...discussing DHCP in this manual z Generally the uplink port of a switch is configured as a trusted port z Before enabling ARP restricted forwarding make sure you enable ARP attack detection and configu...

Страница 492: ...t the port state auto recovery function is disabled Configure the port state auto recovery interval arp protective down recover interval interval Optional By default when the port state auto recovery...

Страница 493: ...he ARP mapping entries related to a specified string in a specified way display arp dynamic static begin include exclude regular expression Display the number of the ARP entries of a specified type di...

Страница 494: ...ooping on Switch A and specify Ethernet1 0 1 as the DHCP snooping trusted port z Enable ARP attack detection in VLAN 1 to prevent ARP man in the middle attacks and specify Ethernet1 0 1 as the ARP tru...

Страница 495: ...A Ethernet1 0 2 arp rate limit enable SwitchA Ethernet1 0 2 arp rate limit 20 SwitchA Ethernet1 0 2 quit Enable the ARP packet rate limit function on Ethernet1 0 3 and set the maximum ARP packet rate...

Страница 496: ...WINS Servers for the DHCP Client 2 9 Configuring Gateways for the DHCP Client 2 10 Configuring BIMS Server Information for the DHCP Client 2 10 Configuring Option 184 Parameters for the Client with V...

Страница 497: ...iguring DHCP Snooping Trusted Untrusted Ports 3 6 Configuring Unauthorized DHCP Server Detection 3 7 Configuring DHCP Snooping to Support Option 82 3 7 Configuring IP Filtering 3 11 Displaying DHCP Sn...

Страница 498: ...t dynamic allocation of network resources A typical DHCP application includes one DHCP server and multiple clients such as PCs and laptops as shown in Figure 1 1 Figure 1 1 Typical DHCP application DH...

Страница 499: ...the assignment of the IP address to the client When the client receives the DHCP ACK packet it broadcasts an ARP packet with the assigned IP address as the destination address to detect the assigned...

Страница 500: ...gents which a DHCP packet passes For each DHCP relay agent that the DHCP request packet passes the field value increases by 1 z xid Random number that the client selects when it initiates a request Th...

Страница 501: ...ications related to DHCP include z RFC2131 Dynamic Host Configuration Protocol z RFC2132 DHCP Options and BOOTP Vendor Extensions z RFC1542 Clarifications and Extensions for the Bootstrap Protocol z R...

Страница 502: ...LAN interfaces Introduction to DHCP Server Usage of DHCP Server Generally DHCP servers are used in the following networks to assign IP addresses z Large sized networks where manual configuration metho...

Страница 503: ...rations in turn can be inherited by their client address So for the parameters that are common to the whole network segment or some subnets such as domain name you just need to configure them on the n...

Страница 504: ...ent DHCP IP Address Preferences A DHCP server assigns IP addresses in interface address pools or global address pools to DHCP clients in the following sequence 1 IP addresses that are statically bound...

Страница 505: ...rt 67 and UDP port 68 ports will be disabled Configuring the Global Address Pool Based DHCP Server Configuration Task List Complete the following tasks to configure the global address pool based DHCP...

Страница 506: ...ddress pool mode Creating a DHCP Global Address Pool Follow these steps to create a DHCP address pool To do Use the command Remarks Enter system view system view Create a DHCP global address pool and...

Страница 507: ...ound static bind mac address mac address Bind an IP address to the MAC address of a DHCP client or a client ID statically Configure the client ID to which the IP address is to be statically bound stat...

Страница 508: ...DHCP server automatically excludes IP addresses used by the gateway FTP server and so forth specified with the dhcp server forbidden ip command from dynamic allocation The lease time can differ with a...

Страница 509: ...bout DNS refer to DNS Operation in this manual Follow these steps to configure a domain name suffix for the DHCP client To do Use the command Remarks Enter system view system view Enter DHCP address p...

Страница 510: ...WINS servers The character p stands for peer to peer The source node sends the unicast packet to the WINS server After receiving the unicast packet the WINS server returns the IP address corresponding...

Страница 511: ...efore the DHCP server needs to offer DHCP clients the BIMS server IP address port number shared key from the DHCP address pool Follow these steps to configure BIMS server information for the DHCP clie...

Страница 512: ...option is defined Voice VLAN Configuration sub option 3 The voice VLAN configuration sub option carries the ID of the voice VLAN and the flag indicating whether the voice VLAN identification function...

Страница 513: ...onse packet to be sent to the DHCP client Only when the DHCP client specifies in Option 55 of the request packet that it requires Option 184 does the DHCP server add Option 184 in the response packet...

Страница 514: ...meet customers requirements for example you cannot use the dns list command to configure more than eight DNS server addresses you can configure a self defined option for extension Follow these steps t...

Страница 515: ...n IP addresses from the same network segment the number of DHCP clients cannot exceed the number of the IP addresses assignable in the VLAN interface address pool Configuration Task List An interface...

Страница 516: ...dress of the interface Enabling the Interface Address Pool Mode on Interface s If the DHCP server works in the interface address pool mode it picks IP addresses from the interface address pools and as...

Страница 517: ...ly allocated to DHCP clients Configuring the static IP address allocation mode Some DHCP clients such as WWW servers need fixed IP addresses This is achieved by binding IP addresses to the MAC address...

Страница 518: ...ly assigned is unnecessary To avoid address conflicts the DHCP server automatically excludes IP addresses used by the gateway FTP server and so forth specified with the dhcp server forbidden ip comman...

Страница 519: ...DHCP server The DHCP server provides the domain name suffix together with an IP address for a requesting DHCP client Follow these steps to configure a domain name suffix for the client To do Use the...

Страница 520: ...cast The source node obtains the IP address of the destination node by sending the broadcast packet containing the host name of the destination node After receiving the broadcast packet the destinatio...

Страница 521: ...address Configuring BIMS Server Information for the DHCP Client A DHCP client performs regular software update and backup using configuration files obtained from a BIMS server Therefore the DHCP serv...

Страница 522: ...lling processor dhcp server voice config ncp ip ip address all interface interface type interface number to interface type interface number Required Not specified by default Specify the backup network...

Страница 523: ...nterface number all Required By default no customized option is configured Be cautious when configuring self defined DHCP options because such configuration may affect the DHCP operation process Confi...

Страница 524: ...e IP address to the requesting client The DHCP client probes the IP address by sending gratuitous ARP packets Follow these steps to configure IP address detecting To do Use the command Remarks Enter s...

Страница 525: ...hree packets bring no response from the RADIUS server the DHCP server does not send Accounting START packets any more DHCP Accounting Configuration Prerequisites Before configuring DHCP accounting mak...

Страница 526: ...ip Display information about address binding display dhcp server ip in use ip ip address pool pool name interface interface type interface number all Display the statistics on a DHCP server display dh...

Страница 527: ...guration Example Network requirements z The DHCP server Switch A assigns IP address to clients in subnet 10 1 1 0 24 which is subnetted into 10 1 1 0 25 and 10 1 1 128 25 z The IP addresses of VLAN in...

Страница 528: ...0 24 and the attributes will be based on the configuration of the parent address pool For this example the number of clients applying for IP addresses from VLAN interface 1 is recommended to be less...

Страница 529: ...pool 1 nbns list 10 1 1 4 SwitchA dhcp pool 1 quit Configure DHCP address pool 2 including address range gateway and lease time SwitchA dhcp server ip pool 2 SwitchA dhcp pool 2 network 10 1 1 128 mas...

Страница 530: ...face2 ip address 10 1 1 1 255 255 255 0 Sysname Vlan interface2 quit Configure VLAN interface 2 to operate in the DHCP server mode Sysname dhcp select global interface vlan interface 2 Enter DHCP addr...

Страница 531: ...Sysname interface ethernet 1 0 1 Sysname Ethernet1 0 1 port access vlan 2 Sysname Ethernet1 0 1 quit Enter Ethernet 1 0 2 port view and add the port to VLAN 3 Sysname interface ethernet 1 0 2 Sysname...

Страница 532: ...nt from the network and then check whether there is a host using the conflicting IP address by performing ping operation on another host on the network with the conflicting IP address as the destinati...

Страница 533: ...ernet switch Figure 3 1 Typical network diagram for DHCP snooping application On S3100 SI series Ethernet switches DHCP snooping listens the DHCP REQUEST packets to retrieve the IP addresses the DHCP...

Страница 534: ...ap and administratively shuts down the port as configured The port that is shut down administratively is in the closed state and cannot receive or forward packets however using the display current con...

Страница 535: ...with the default padding contents That is the circuit ID or remote ID sub option defines the type and length of a circuit ID or remote ID The remote ID type field and circuit ID type field are determi...

Страница 536: ...the circuit ID sub option of the original Option 82 with the configured circuit ID sub option in ASCII format Replace Remote ID sub option is configured Forward the packet after replacing the remote I...

Страница 537: ...snooping enabled device and the number of the VLAN to which the port belongs to These records are saved as entries in the DHCP snooping table IP static binding table The DHCP snooping table only recor...

Страница 538: ...Description Enter system view system view Enter Ethernet port view interface interface type interface number Specify the current port as a trusted port dhcp snooping trust Required By default after DH...

Страница 539: ...e dhcp snooping server guard source mac mac address Optional By default the source MAC address of DHCP DISCOVER messages is the bridge MAC address of the switch Display information about unauthorized...

Страница 540: ...e steps to enable DHCP snooping Option 82 support Operation Command Description Enter system view system view Enable DHCP snooping Option 82 support dhcp snooping information enable Required By defaul...

Страница 541: ...hex ascii Optional By default the format is hex The dhcp snooping information format command applies only to the default content of the Option 82 field If you have configured the circuit ID or remote...

Страница 542: ...sysname of the device or any customized character string in the ASCII format z In Ethernet port view the remote ID takes effect only on the current interface You can configure Option 82 as any customi...

Страница 543: ...rt z The remote ID configured on a port will not be synchronized in the case of port aggregation Configure the padding format for Option 82 Follow these steps to configure the padding format for Optio...

Страница 544: ...static entry z The VLAN ID of the IP static binding configured on a port is the default VLAN ID of the port Displaying DHCP Snooping Configuration After the above configurations you can verify the co...

Страница 545: ...he switch Set the circuit ID sub option to abcd in DHCP packets from VLAN 1 on Ethernet 1 0 3 Network diagram Figure 3 8 Network diagram for DHCP snooping Option 82 support configuration Eth1 0 2 Clie...

Страница 546: ...down administratively z To prevent attackers from filtering the detecting DHCP DISCOVER packets specify the source MAC address for such packets as 000f e200 1111 different from the bridge MAC address...

Страница 547: ...hernet1 0 3 and Ethernet1 0 4 is connected to DHCP Client B and Client C z Enable DHCP snooping on the switch and specify Ethernet1 0 1 as the DHCP snooping trusted port z Enable IP filtering on Ether...

Страница 548: ...rce ip address mac address Switch Ethernet1 0 2 quit Switch interface Ethernet1 0 3 Switch Ethernet1 0 3 ip check source ip address mac address Switch Ethernet1 0 3 quit Switch interface Ethernet1 0 4...

Страница 549: ...limit refer to ARP Operation in this manual The following describes only the DHCP packet rate limit function After DHCP packet rate limit is enabled on an Ethernet port the switch counts the number o...

Страница 550: ...the port state auto recovery interval dhcp protective down recover interval interval Optional The port state auto recovery interval is 300 seconds z Enable the port state auto recovery function before...

Страница 551: ...Switch interface Ethernet1 0 1 Switch Ethernet1 0 1 dhcp snooping trust Switch Ethernet1 0 1 quit Enable auto recovery Switch dhcp protective down recover enable Set the port state auto recovery inter...

Страница 552: ...nfiguration Application Background With the automatic configuration feature a device upon startup without any configuration file can automatically obtain a configuration file from a remote server for...

Страница 553: ...The Option 55 in the request specifies the information the device needs such as a configuration file name and a TFTP server address 3 From the reply returned by the DHCP server the switch obtains its...

Страница 554: ...e automatic configuration terminates During this period the command line input is disabled in case of deletion of commands mistakenly After the automatic configuration terminates the command line inpu...

Страница 555: ...ient can obtain an address lease for no more than 24 days even though the DHCP server offers a longer lease period z An S3100 Ethernet switch functioning as a DHCP client supports default route creati...

Страница 556: ...lient Configure VLAN interface 1 to dynamically obtain an IP address by using DHCP SwitchA system view SwitchA interface Vlan interface 1 SwitchA Vlan interface1 ip address dhcp alloc Displaying DHCP...

Страница 557: ...n ACL Globally 1 12 Assigning an ACL to a VLAN 1 12 Assigning an ACL to a Port Group 1 13 Assigning an ACL to a Port 1 13 Displaying ACL Configuration 1 14 Example for Upper Layer Software Referencing...

Страница 558: ...ed ACL Rules are created based on the Layer 3 and Layer 4 information such as the source and destination IP addresses type of the protocols carried by IP protocol specific features and so on z Layer 2...

Страница 559: ...r comparison in the above order the weighting principles will be used in deciding their priority order Each parameter is given a fixed weighting value This weighting value and the value of the paramet...

Страница 560: ...ACL is referenced by upper layer software to control Telnet SNMP and Web login users the switch will deny packets if the packets do not match the ACL Types of ACLs Supported by S3100 Series Ethernet S...

Страница 561: ...active only when the system time is within the defined absolute time section If multiple absolute time sections are defined in a time range the time range is active only when the system time is within...

Страница 562: ...l number acl number match order auto config Required config by default Define an ACL rule rule rule id deny permit rule string Required For information about rule string refer to ACL Command Configure...

Страница 563: ...and processing of three packet priority levels type of service ToS priority IP priority and differentiated services codepoint DSCP priority Using advanced ACLs you can define classification rules tha...

Страница 564: ...the existent ones by depth first principle but the numbers of the existent rules are unaltered Configuration example Configure ACL 3000 to permit the TCP packets sourced from the network 129 9 0 0 16...

Страница 565: ...you need to specify a number for the rule z The content of a modified or created rule cannot be identical with that of any existing rule of the ACL otherwise the rule modification or creation will fai...

Страница 566: ...system If you want to configure a new one you need to remove the existing one first z To specify the src port dest port icmpv6 type or icmpv6 code keyword in the command you need to specify the ip pro...

Страница 567: ...c port or dest port keyword in the command you need to specify the ip protocol rule string rule mask combination as TCP or UDP that is 0x06 or 0x11 To specify the icmpv6 type or icmpv6 code keyword yo...

Страница 568: ...ment the following four ways are available z Assigning ACLs globally for filtering the inbound packets on all the ports z Assigning ACLs to a VLAN for filtering the inbound packets on all the ports an...

Страница 569: ...inbound packets on all the ports Sysname system view Sysname packet filter inbound ip group 2000 Assigning an ACL to a VLAN Configuration prerequisites Before applying ACL rules to a VLAN you need to...

Страница 570: ...port group view port group group id Apply an ACL to the port group packet filter inbound acl rule Required For description on the acl rule argument refer to ACL Command After an ACL is assigned to a p...

Страница 571: ...inbound ip group 2000 Displaying ACL Configuration After the above configuration you can execute the display commands in any view to view the ACL running information and verify the configuration Table...

Страница 572: ...CL 2000 Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule 1 permit source 10 110 100 52 0 Sysname acl basic 2000 quit Reference ACL 2000 on VTY user interface to control Telnet l...

Страница 573: ...ACL on Ethernet 1 0 1 to deny packets with the source IP address of 10 1 1 1 from 8 00 to 18 00 everyday Network diagram Figure 1 3 Network diagram for basic ACL configuration Configuration procedure...

Страница 574: ...e from 8 00 to 18 00 everyday Sysname system view Sysname time range test 8 00 to 18 00 working day Define ACL 3000 to filter packets destined for wage query server Sysname acl number 3000 Sysname acl...

Страница 575: ...0011 ffff ffff ffff dest 0011 0011 0012 ffff ffff ffff time range test Sysname acl ethernetframe 4000 quit Apply ACL 4000 on Ethernet 1 0 1 Sysname interface Ethernet1 0 1 Sysname Ethernet1 0 1 packe...

Страница 576: ...Ethernet1 0 1 packet filter inbound user group 5000 Example for Applying an ACL to a Port Group Network requirements PC 1 PC 2 and PC 3 connect to the switch through Ethernet 1 0 1 Ethernet 1 0 2 and...

Страница 577: ...stination 192 168 1 2 0 time range test Sysname acl adv 3000 quit Create port group 1 and add Ethernet 1 0 1 Ethernet 1 0 2 and Ethernet 1 0 3 in the port group 1 Sysname port group 1 Sysname port gro...

Страница 578: ...S Configuration 1 13 Configuring Priority Trust Mode 1 13 Configuring Priority Mapping 1 15 Marking Packet Priority 1 17 Configuring Traffic Policing 1 19 Configuring Traffic Shaping 1 21 Configuring...

Страница 579: ...ii Configuration Example 2 4 QoS Profile Configuration Example 2 4...

Страница 580: ...only suitable for applications insensitive to bandwidth and delay such as WWW file transfer and E mail New Applications and New Requirements With the expansion of computer network more and more networ...

Страница 581: ...s resource competition during network congestion Generally it puts packets into queues first and then schedules the packets with a certain algorithm Congestion management is usually applied in the out...

Страница 582: ...information about line rate refer to Port Rate Limiting z For information about the burst function refer to Burst Congestion management SP applicable only to the S3100 EI series WRR and HQ WRR queue s...

Страница 583: ...00 Routine 1 001 priority 2 010 immediate 3 011 flash 4 100 flash override 5 101 critical 6 110 internet 7 111 network In a network providing differentiated services traffics are grouped into the foll...

Страница 584: ...011010 af31 28 011100 af32 30 011110 af33 34 100010 af41 36 100100 af42 38 100110 af43 8 001000 cs1 16 010000 cs2 24 011000 cs3 32 100000 cs4 40 101000 cs5 48 110000 cs6 56 111000 cs7 0 000000 be def...

Страница 585: ...in the 802 1p specifications 3 Local precedence Local precedence is a locally significant precedence that the device assigns to a packet A local precedence value corresponds to one of the eight hardwa...

Страница 586: ...packet priority types Trusted priority type Description 802 1p priority The switch searches for the local precedence corresponding to the 802 1p priority of the packet in the 802 1p to local precedenc...

Страница 587: ...d for traffic classification z If 802 1p priority marking is configured the traffic will be mapped to the local precedence corresponding to the re marked 802 1p priority and assigned to the output que...

Страница 588: ...affic with the token bucket When token bucket is used for traffic evaluation the number of the tokens in the token bucket determines the amount of the packets that can be forwarded If the number of to...

Страница 589: ...shaping is a measure to regulate the output rate of traffic actively Its typical application is to control local traffic output based on the traffic policing indexes of downstream network nodes The m...

Страница 590: ...ecting you can change the way in which a packet is forwarded to achieve specific purposes VLAN Marking VLAN marking allows you to replace the VLAN ID carried in the traffic matching a certain ACL rule...

Страница 591: ...ndicates the proportion of obtaining resources On a 100 M port configure the weight value of WRR queue scheduling algorithm to 5 3 1 and 1 corresponding to w3 w2 w1 and w0 in order In this way the que...

Страница 592: ...tion about mirroring refer to the Mirroring module of this manual QoS Configuration Table 1 9 QoS configuration tasks Task Remarks Configuring Priority Trust Mode Optional Configuring Priority Mapping...

Страница 593: ...y Exit to system view quit Configure to trust packet priority priority trust Required By default the S3100 series switches trust port priority z If you configure to trust packet priority without speci...

Страница 594: ...Sysname priority trust dscp Configure an S3100 EI switch to trust the DSCP precedence of the received packets Sysname system view Sysname priority trust Sysname priority trust dscp Configure to trust...

Страница 595: ...le 1 13 Configure IP precedence to local precedence mapping table Operation Command Description Enter system view system view Configure IP precedence to local pre cedence mapping table qos ip preceden...

Страница 596: ...SCP precedence of the packets Configuration prerequisites The following items are defined or determined before the configuration z The ACL rules used for traffic classification are specified Refer to...

Страница 597: ...ckets passing a port and matching specific ACL rules Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Mark the priorities...

Страница 598: ...packets matching specific ACL rules or for the packets that match specific ACL rules and are of a VLAN of a port group or pass a port Table 1 18 Configure traffic policing for all the packets matching...

Страница 599: ...g traffic limit inbound acl rule target rate burst bucket burst bucket size conform con action exceed exceed action meter statistic Required By default traffic policing is disabled Clear the traffic p...

Страница 600: ...Enter Ethernet port view interface interface type interface number Configure traffic shaping traffic shape queue queue id max rate burst size Required Traffic shaping is not enabled by default Config...

Страница 601: ...ecting Only H3C S3100 EI series switches support this configuration Refer to section Traffic Redirecting for information about traffic redirecting Configuration prerequisites z The ACL rules used for...

Страница 602: ...ure traffic redirecting traffic redirect inbound acl rule cpu interface interface type interface number Required z The traffic redirecting function configured on a VLAN is only applicable to packets t...

Страница 603: ...28 Configure VLAN marking Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Configure VLAN marking to change the VLAN ID c...

Страница 604: ...ion Configuration procedure Sysname system view Sysname queue scheduler wrr 12 8 4 1 Sysname display queue scheduler Queue scheduling mode weighted round robin weight of queue 0 12 weight of queue 1 8...

Страница 605: ...ble 1 32 Generate traffic statistics on packets that are of a port group and match specific ACL rules Operation Command Description Enter system view system view Enter port group view port group group...

Страница 606: ...ame acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1 1 0 0 0 255 Sysname acl basic 2000 quit Sysname traffic statistic vlan 2 inbound ip group 2000 Sysname reset traffic statistic vlan...

Страница 607: ...r system view system view Enter Ethernet port view of the destination port interface interface type interface number Define the current port as the destination port monitor port Required Exit current...

Страница 608: ...t interface interface type interface number Define the current port as the destination port monitor port Required Exit current view quit Enter Ethernet port view of traffic mirroring configuration int...

Страница 609: ...ationship display qos dscp local precedence map Display the IP precedence to local precedence mapping relationship display qos ip precedence local precedence m ap Display queue scheduling algorithm an...

Страница 610: ...ct traffic statistic Display the configuration of traffic mirroring traffic policing priority marking traffic redirecting or traffic accounting performed for packets of a port group display qos port g...

Страница 611: ...basic ACL view to classify packets sourced from the 192 168 2 0 24 network segment Sysname acl number 2001 Sysname acl basic 2001 rule permit source 192 168 2 0 0 0 0 255 Sysname acl basic 2001 quit 2...

Страница 612: ...ion Mode Dynamic application mode A QoS profile can be applied dynamically to a user or a group of users passing 802 1x authentication To apply QoS profiles dynamically a user name to QoS profile mapp...

Страница 613: ...isites z The ACL rules used for traffic classification are defined Refer to the ACL module of this manual for information about defining ACL rules z The type and number of actions in the QoS profile a...

Страница 614: ...ce type interface number Configure the mode to apply a QoS profile as port based qos profile port based Specify the mode to apply a QoS profile Configure the mode to apply a QoS profile as user based...

Страница 615: ...s and control their access to network resources A user name is someone and the authentication password is hello It is connected to Ethernet 1 0 1 of the switch and belongs to the test net domain It is...

Страница 616: ...domain Sysname radius radius1 quit Create the user domain test net and specify radius1 as your RADIUS server group Sysname domain test net Sysname isp test net radius scheme radius1 Sysname isp test...

Страница 617: ...1 1 Remote Port Mirroring 1 1 Mirroring Configuration 1 3 Configuring Local Port Mirroring 1 3 Configuring Remote Port Mirroring 1 4 Displaying Port Mirroring 1 7 Mirroring Configuration Example 1 7 L...

Страница 618: ...device copies the packets of the source port to the reflector port which then broadcasts the packets in the remote probe VLAN After the remote device receives the packets it compares the VLAN ID of th...

Страница 619: ...to the next intermediate switch or the destination switch through the remote probe VLAN No intermediate switch is present if the source and destination switches directly connect to each other z Desti...

Страница 620: ...be VLAN run other protocol packets or carry other service packets on the remote prove VLAN and do not use the remote prove VLAN as the voice VLAN and protocol VLAN otherwise remote port mirroring may...

Страница 621: ...fect When configuring local port mirroring note that z You need to configure the source and destination ports for the local port mirroring to take effect z The destination port cannot be a member port...

Страница 622: ...ies do not support the both keyword in the source port configuration for a remote source mirroring group z All ports of a remote source mirroring group are on the same device Each remote source mirror...

Страница 623: ...mit packets from the remote probe VLAN port trunk permit vlan remote probe vlan id Required Configuration on a switch acting as a destination switch 1 Configuration prerequisites z The destination por...

Страница 624: ...roring VLAN is removed Displaying Port Mirroring After the above configurations you can execute the display commands in any view to view the mirroring running information so as to verify your configur...

Страница 625: ...oring group 1 Sysname display mirroring group 1 mirroring group 1 type local status active mirroring port Ethernet1 0 1 both Ethernet1 0 2 both monitor port Ethernet1 0 3 After the configurations you...

Страница 626: ...A Ethernet 1 0 1 and Ethernet 1 0 2 of Switch B and Ethernet 1 0 1 of Switch C as trunk ports allowing packets of VLAN 10 to pass z On Switch C create a remote destination mirroring group configure V...

Страница 627: ...nterface Ethernet 1 0 1 Sysname Ethernet1 0 1 port link type trunk Sysname Ethernet1 0 1 port trunk permit vlan 10 Sysname Ethernet1 0 1 quit Configure Ethernet 1 0 2 as the trunk port allowing packet...

Страница 628: ...nformation about remote destination mirroring group 1 Sysname display mirroring group 1 mirroring group 1 type remote destination status active monitor port Ethernet1 0 2 remote probe vlan 10 After th...

Страница 629: ...ck Configuration Example 1 5 2 Cluster 2 1 Cluster Overview 2 1 Introduction to HGMP 2 1 Roles in a Cluster 2 2 How a Cluster Works 2 3 Cluster Configuration Tasks 2 8 Configuring the Management Devic...

Страница 630: ...form the following operations on a main switch z Configuring an IP address pool for the stack z Creating the stack z Switching to slave switch view Before creating a stack you need to configure an IP...

Страница 631: ...ack Operation Command Description Enter system view system view Configure an IP address pool for a stack stacking ip pool from ip address ip address number ip mask Required from ip address Start addre...

Страница 632: ...its IP address z Since both stack and cluster use the management VLAN and only one VLAN interface is available on the S3100 switch stack and cluster must share the same management VLAN if you want to...

Страница 633: ...ble the stack port function on the stack port stack port enable Disable the stack port function on the stack port undo stack port enable Use either approach Enabled by default After a switch joins in...

Страница 634: ...Switch A Switch B and Switch C with each other through their stack ports to form a stack in which Switch A acts as the main switch while Switch B and Switch C act as slave switches z Configure Switch...

Страница 635: ...0 1 16 16 Member number 2 Name stack_2 Sysname Device S3100 EI MAC Address 000f e200 3135 Member status Up IP 129 10 1 17 16 Switch to Switch B a slave switch stack_0 Sysname stacking 1 stack_1 Sysnam...

Страница 636: ...e and multiple member devices To manage the devices in a cluster you need only to configure an external IP address for the management switch Cluster management enables you to configure and manage remo...

Страница 637: ...guration Function Management device Configured with a external IP address z Provides an interface for managing all the switches in a cluster z Manages member devices through command redirection that i...

Страница 638: ...not want the candidate switches to be added to a cluster automatically you can set the topology collection interval to 0 by using the ntdp timer command In this case the switch does not collect networ...

Страница 639: ...within the specified hop count so as to provide the information of which devices can be added to a cluster Based on the neighbor information stored in the neighbor table maintained by NDP NTDP on the...

Страница 640: ...ce Note the following when creating a cluster z You need to designate a management device for the cluster The management device of a cluster is the portal of the cluster That is any operations from ou...

Страница 641: ...ackets exchanged keep the states of the member devices to be Active and are not responded z If the management device does not receive a handshake packet from a member device after a period three times...

Страница 642: ...ice the candidate device cannot be added to the cluster In this case you can enable the packets of the management VLAN to be permitted on the port through the management VLAN auto negotiation function...

Страница 643: ...he MAC address and VLAN ID and then forward the packet to its downstream switch If within the specified hops a switch with the specified destination MAC address is found this switch sends a response t...

Страница 644: ...s provide the following functions so that a cluster socket is opened only when it is needed z Opening UDP port 40000 used for cluster only when the cluster function is implemented z Closing UDP port 4...

Страница 645: ...ng NTDP globally and on a specific port Follow these steps to enable NTDP globally and on a specific port Operation Command Description Enter system view system view Enable NTDP globally ntdp enable R...

Страница 646: ...uster function is enabled Configuring cluster parameters The establishment of a cluster and the related configuration can be accomplished in manual mode or automatic mode as described below 1 Establis...

Страница 647: ...h Required Start automatic cluster establishment auto build recover Required Follow prompts to establish a cluster z After a cluster is built automatically ACL 3998 and ACL 3999 will automatically gen...

Страница 648: ...configured Configure a shared SNMP host for the cluster snmp host ip address Optional By default no shared SNMP host is configured Configuring Member Devices Member device configuration tasks Complete...

Страница 649: ...evice s UDP port 40000 is opened at the same time z When you execute the delete member command on the management device to remove a member device from a cluster the member device s UDP port 40000 is c...

Страница 650: ...s to access the shared FTP TFTP server from a member device Operation Command Description Access the shared FTP server of the cluster ftp cluster Optional Download a file from the shared TFTP server o...

Страница 651: ...n id by ip ip address nondp Optional These commands can be executed in any view Configuring the Enhanced Cluster Features Enhanced cluster feature overview 1 Cluster topology management function After...

Страница 652: ...uster device blacklist Required Configure cluster topology management function 1 Configuration prerequisites Before configuring the cluster topology management function make sure that z The basic clus...

Страница 653: ...Operation Command Description Enter system view system view Enter cluster view cluster Add the MAC address of a specified device to the cluster blacklist black list add mac mac address Optional By def...

Страница 654: ...ement device 2 Configuration procedure Perform the following operations on the management device to synchronize SNMP configurations To do Use the command Remarks Enter system view system view Enter cl...

Страница 655: ...allowing read only access right using this community name test_0 Sysname cluster cluster snmp agent community read read_a Member 2 succeeded in the read community configuration Member 1 succeeded in...

Страница 656: ...mib view included mib_a org snmp agent usm user v3 user_a group_a undo snmp agent trap enable standard z Configuration file content on a member device only the SNMP related information is displayed te...

Страница 657: ...ations cannot be synchronized to the devices that are on the cluster blacklist z If a member device leaves the cluster the public local user configurations will not be removed Displaying and Maintaini...

Страница 658: ...erves as the management device z The rest are member devices Serving as the management device the S3100 switch manages the two member devices The configuration for the cluster is as follows z The two...

Страница 659: ...sname system view Sysname ndp enable Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 ndp enable Sysname Ethernet1 0 1 quit Enable NTDP globally and on Ethernet1 0 1 Sysname ntdp enable Sysname...

Страница 660: ...t the interval to collect topology information to 3 minutes Sysname ntdp timer 3 Enable the cluster function Sysname cluster enable Enter cluster view Sysname cluster Sysname cluster Configure a priva...

Страница 661: ...itch to member number mac address H H H command on the management device to switch to member device view to maintain and manage a member device After that you can execute the cluster switch to adminis...

Страница 662: ...onfiguration procedure Enter cluster view aaa_0 Sysname system view aaa_0 Sysname cluster Add the MAC address 0001 2034 a0e5 to the cluster blacklist aaa_0 Sysname cluster black list add mac 0001 2034...

Страница 663: ...the PoE Mode on a Port 1 4 Configuring the PD Compatibility Detection Function 1 5 Configuring PoE Over Temperature Protection on the Switch 1 5 Upgrading the PSE Processing Software Online 1 6 Displa...

Страница 664: ...hree components power sourcing equipment PSE PD and power interface PI z PSE PSE is comprised of the power and the PSE functional module It can implement PD detection PD power information collection P...

Страница 665: ...es over temperature protection mechanism Using this mechanism the switch disables the PoE feature on all ports when its internal temperature exceeds 65 C 149 F for self protection and restores the PoE...

Страница 666: ...ort is enabled by the default configuration file config def when the device is delivered z If you delete the default configuration file without specifying another one the PoE function on a port will b...

Страница 667: ...example Port A has the priority critical When the switch PoE is close to its full load and a new PD is now added to port A the switch just gives a prompt that a new PD is added and will not supply pow...

Страница 668: ...perature Protection on the Switch If this function is enabled the switch disables the PoE feature on all ports when its internal temperature exceeds 65 C 149 F for self protection and restores the PoE...

Страница 669: ...software z Generally the refresh update mode is used to upgrade the PSE processing software z When the online upgrading procedure is interrupted for some unexpected reason for example the device resta...

Страница 670: ...8 port even when Switch A is under full load Networking diagram Figure 1 1 Network diagram for PoE Switch A Network Eth1 0 2 Eth1 0 1 Eth1 0 8 Switch B AP AP Configuration procedure Upgrade the PSE p...

Страница 671: ...hernet1 0 8 quit Set the PoE management mode on the switch to auto it is the default mode so this step can be omitted SwitchA poe power management auto Enable the PD compatibility detect of the switch...

Страница 672: ...enabled port the PoE configurations in the PoE profile will be enabled on the port PoE Profile Configuration Configuring PoE Profile Table 2 1 Configure PoE profile Operation Command Description Ente...

Страница 673: ...ed for query it is displayed that the PoE profile is applied properly to the port z If one or more features in the PoE profile are not applied properly on a port the switch will prompt explicitly whic...

Страница 674: ...A z Apply PoE profile 1 for Ethernet 1 0 1 through Ethernet 1 0 5 z Apply PoE profile 2 for Ethernet 1 0 6 through Ethernet 1 0 10 Network diagram Figure 2 1 PoE profile application Network IP Phone...

Страница 675: ...signal SwitchA poe profile Profile2 poe priority high SwitchA poe profile Profile2 poe max power 15400 SwitchA poe profile Profile2 quit Display detailed configuration information for Profile2 Switch...

Страница 676: ...arameters 1 5 Configuring Basic Trap 1 5 Configuring Extended Trap 1 6 Enabling Logging for Network Management 1 6 Displaying SNMP 1 6 SNMP Configuration Examples 1 7 SNMP Configuration Examples 1 7 2...

Страница 677: ...ject MIB Management Information Base according to the message types generates the corresponding Response packets and returns them to the NMS When a network device operates improperly or changes to oth...

Страница 678: ...bles of the monitored network devices In the above figure the managed object B can be uniquely identified by a string of numbers 1 2 1 1 The number string is the object identifier OID of the managed o...

Страница 679: ...y name snmp agent community read write community name acl acl number mib view view name Set an SNMP group snmp agent group v1 v2c group name read view read view write view write view notify view notif...

Страница 680: ...tify view acl acl number Required Encrypt a plain text password to generate a cipher text one snmp agent calculate password plain password mode md5 sha local engineid specified engineid engineid Optio...

Страница 681: ...er system view system view Enable the switch to send Trap messages to NMS snmp agent trap enable configuration flash standard authentication coldstart linkdown linkup warmstart system Enter port view...

Страница 682: ...Command Description Enter system view system view Configure extended Trap snmp agent trap ifmib link extended Optional By default the linkUp linkDown Trap message adopts the standard format defined in...

Страница 683: ...read write Display the currently configured MIB view display snmp agent mib view exclude include viewname view name Available in any view SNMP Configuration Examples SNMP Configuration Examples Netwo...

Страница 684: ...rface Vlan interface 2 Sysname Vlan interface2 ip address 10 10 10 2 255 255 255 0 Sysname Vlan interface2 quit Enable the SNMP agent to send Trap messages to the NMS whose IP address is 10 10 10 1 Th...

Страница 685: ...1 9 Authentication related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully...

Страница 686: ...large scale internetworks Working Mechanism of RMON RMON allows multiple monitors It can collect data in the following two ways z Using the dedicated RMON probes When an RMON system operates in this...

Страница 687: ...larm entry you can perform operations on the samples of alarm variables and then compare the operation results with the thresholds thus implement more flexible alarm functions With an extended alarm e...

Страница 688: ...ld threshold value2 event entry2 owner text Optional Before adding an alarm entry you need to use the rmon event command to define the event to be referenced by the alarm entry Add an extended alarm e...

Страница 689: ...in any view RMON Configuration Examples Network requirements z The switch to be tested is connected to a remote NMS through the Internet Ensure that the SNMP agents are correctly configured before per...

Страница 690: ...rops under the falling threshold event 2 is triggered Sysname rmon prialarm 2 1 3 6 1 2 1 16 1 1 1 9 1 1 3 6 1 2 1 16 1 1 1 10 1 test 10 changeratio rising_threshold 50 1 falling_threshold 5 2 entryty...

Страница 691: ...10 Configuration Procedure 1 10 Configuring NTP Authentication 1 11 Configuration Prerequisites 1 11 Configuration Procedure 1 12 Configuring Optional NTP Parameters 1 13 Configuring an Interface on t...

Страница 692: ...f devices in a network with required accuracy by performing NTP configuration NTP is mainly applied to synchronizing the clocks of all devices in a network For example z In network management the anal...

Страница 693: ...ks they need to synchronize the clocks of each other through NTP To help you to understand the implementation principle we suppose that z Before the system clocks of Device A and Device B are synchron...

Страница 694: ...information to calculate the following two parameters z Delay for an NTP message to make a round trip between Device A and Device B Delay T4 T1 T3 T2 z Time offset of Device A relative to Device B Of...

Страница 695: ...cast mode Figure 1 5 Multicast mode Client Multicast clock synchronization packets periodically Network Server Initiates a client server mode request after receiving the first multicast packet Works i...

Страница 696: ...cast server mode In this mode the local switch sends multicast NTP messages through the VLAN interface configured on the switch z Configure the local S3100 Ethernet switch to work in NTP multicast cli...

Страница 697: ...er ntp service multicast client and ntp service multicast server commands enables the NTP feature and opens UDP port 123 at the same time z Execution of the undo form of one of the above six commands...

Страница 698: ...been synchronized If the clock of a server has a stratum level lower than or equal to that of a client s clock the client will not synchronize its clock to the server s z You can configure multiple se...

Страница 699: ...will not proceed z You can configure multiple symmetric passive peers for the local switch by repeating the ntp service unicast peer command The clock of the peer with the smallest stratum will be ch...

Страница 700: ...in the NTP multicast client mode will respond to the NTP messages so as to start the clock synchronization An H3C S3100 series Ethernet switch can work as a multicast server or a multicast client z Re...

Страница 701: ...device to perform control query z server Server right This level of right permits the peer device to perform synchronization and control query to the local switch but does not permit the local switch...

Страница 702: ...mmetric peer mode Configuration Prerequisites NTP authentication configuration involves z Configuring NTP authentication on the client z Configuring NTP authentication on the server Observe the follow...

Страница 703: ...ote ip server name authentication keyid key id Associate the specified key with the correspo nding NTP server Configure on the symmetric active peer in the symmetric peer mode ntp service unicast peer...

Страница 704: ...them after configuring the NTP mode The procedure for configuring NTP authentication on the server is the same as that on the client Besides the client and the server must be configured with the same...

Страница 705: ...server side and dynamic associations will be created at the client side Table 1 15 Configure the number of dynamic sessions allowed on the local switch Operation Command Description Enter system view...

Страница 706: ...iguration Configuration procedure Perform the following configurations on Device B View the NTP status of Device B before synchronization DeviceB display ntp service status Clock status unsynchronized...

Страница 707: ...1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 Configuring NTP Symmetric Peer Mode Network requirements z The local clock of Device A is set as the NTP master c...

Страница 708: ...output information indicates that the clock of Device C is synchronized to that of Device B and the stratum level of its local clock is 2 one level lower than Device B View the information about the N...

Страница 709: ...face2 ntp service broadcast client After the above configurations Device A and Device D will listen to broadcast messages through their own Vlan interface2 and Device C will send broadcast messages th...

Страница 710: ...ulticast server mode and advertise multicast NTP messages through Vlan interface2 z Device A and Device D are two S3100 Ethernet switches Configure Device A and Device D to work in the NTP multicast c...

Страница 711: ...3 32 022 UTC Apr 2 2007 BF422AE4 05AEA86C The output information indicates that Device D is synchronized to Device C with a clock stratum level of 3 one stratum level lower than that Device C View the...

Страница 712: ...ID being 42 and the key being aNiceKey DeviceA ntp service authentication keyid 42 authentication mode md5 aNiceKey Specify the key 42 as a trusted key DeviceA ntp service reliable authentication keyi...

Страница 713: ...1 22 Total associations 1...

Страница 714: ...0 Exporting the RSA or DSA Public Key 1 11 Configuring the SSH Client 1 12 SSH Client Configuration Task List 1 12 Configuring an SSH Client that Runs SSH Client Software 1 12 Configuring an SSH Clien...

Страница 715: ...SSH server In the former case the device establishes a remote SSH connection to an SSH server In the latter case the device provides connections to multiple clients Furthermore SSH can also provide d...

Страница 716: ...ey of user 1 If the signature is correct this means that the data originates from user 1 Both Revest Shamir Adleman Algorithm RSA and Digital Signature Algorithm DSA are asymmetric key algorithms RSA...

Страница 717: ...lgorithm negotiation packets to each other which contain public key algorithm lists supported by the server and the client encrypted algorithm list message authentication code MAC algorithm list and c...

Страница 718: ...an SSH_SMSG_FAILURE packet indicating that the processing fails or it cannot resolve the request The client sends a session request to the server which processes the request and establishes a session...

Страница 719: ...on the Server z Not necessary when the authentication mode is password z Required when the authentication mode is publickey Assigning a Public Key to an SSH User z Not necessary when the authenticati...

Страница 720: ...mmand is not available Similarly if the protocol inbound ssh command has been executed the authentication mode password and authentication mode none commands are not available Configuring the SSH Mana...

Страница 721: ...EI series support the ssh server compatible ssh1x enable command Generating Destroying Key Pairs This configuration task lets you generate or destroy a key pair You must generate an RSA and DSA key pa...

Страница 722: ...ir of more than 768 bits is recommended Creating an SSH User and Specifying an Authentication Type This task is to create an SSH user and specify an authentication type for it Specifying an authentica...

Страница 723: ...le to a logged in SSH user can be configured using the user privilege level command on the server and all the users with this authentication mode will enjoy this level z Under the password or password...

Страница 724: ...nually To do Use the command Remarks Enter system view system view Enter public key view public key peer keyname Required Enter public key edit view public key code begin Configure a public key for th...

Страница 725: ...c key on the screen in a specified format or export it to a specified file so that you can configure the key at a remote end when necessary Table 1 11 Follow these steps to export the RSA public key T...

Страница 726: ...Software Configuring an SSH Client Assumed by an SSH2 Capable Switch Whether first authentication is supported Configuring an SSH Client Assumed by an SSH2 Capable Switch Configuring an SSH Client tha...

Страница 727: ...ile corresponding to the public key must be specified on the client RSA key pairs and DSA key pairs are generated by a tool of the client software The following takes the client software of PuTTY Vers...

Страница 728: ...enerate the client keys 2 After the key pair is generated click Save public key and enter the name of the file for saving the public key public in this case to save the public key Figure 1 4 Generate...

Страница 729: ...e name of the file for saving the private key private in this case to save the private key Figure 1 5 Generate the client keys 4 To generate RSA public key in PKCS format run SSHKEY exe click Browse a...

Страница 730: ...ote that there must be a route available between the IP address of the server and the client Selecting a protocol for remote connection As shown in Figure 1 7 select SSH under Protocol Selecting an SS...

Страница 731: ...tion From the window shown in Figure 1 8 click Open If the connection is normal you will be prompted to enter the username and password Enter the username and password to establish an SSH connection T...

Страница 732: ...on z Not necessary when the authentication mode is password z Required when the authentication mode is publickey Configuring whether first time authentication is supported Optional Establishing the co...

Страница 733: ...nter system view system view Enable the device to support first time authentication ssh client first time enable Optional By default the client is enabled to run first time authentication Table 1 16 F...

Страница 734: ...correct private key Displaying and Maintaining SSH Configuration To do Use the command Remarks Display the public key part of the current switch s key pairs display public key local dsa rsa public Dis...

Страница 735: ...sign publickey keyname Create an SSH user and specify pubblickey authentication as its authentication type ssh user username authentication type rsa ssh user username authentication type publickey z A...

Страница 736: ...n mode for the user interfaces to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH Switch ui vty0 4 protocol inbound ssh Switch u...

Страница 737: ...as an example 1 Run PuTTY exe to enter the following configuration interface Figure 1 11 SSH client configuration interface In the Host Name or IP address text box enter the IP address of the SSH ser...

Страница 738: ...thentication succeeds you will log in to the server When Switch Acts as Server for Password and RADIUS Authentication Network requirements As shown in Figure 1 13 an SSH connection is required between...

Страница 739: ...ion from the navigation tree In the System Configuration window click Modify of the Access Device item and then click Add to enter the Add Access Device window and perform the following configurations...

Страница 740: ...and specify the password z Select SSH as the service type z Specify the IP address range of the hosts to be managed Figure 1 15 Add an account for device management 1 Configure the SSH server Create a...

Страница 741: ...key authentication expert Switch radius rad server type extended Switch radius rad user name format without domain Switch radius rad quit Apply the scheme to the ISP domain Switch domain bbb Switch is...

Страница 742: ...he category on the left pane of the window select Connection SSH The window as shown in Figure 1 17 appears Figure 1 17 SSH client configuration interface 2 Under Protocol options select 2 from Prefer...

Страница 743: ...with the switch z The switch cooperates with an HWTACACS server to authenticate SSH users Network diagram Figure 1 18 Switch acts as server for password and HWTACACS authentication Configuration proc...

Страница 744: ...domain bbb Switch isp bbb scheme hwtacacs scheme hwtac Switch isp bbb quit Configure an SSH user specifying the switch to perform password authentication for the user Switch ssh user client001 authent...

Страница 745: ...ill log in to the server The level of commands that you can access after login is authorized by the HWTACACS server For authorization configuration of the HWTACACS server refer to relevant HWTACACS se...

Страница 746: ...y pairs Switch public key local create rsa Switch public key local create dsa Set the authentication mode for the user interfaces to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication m...

Страница 747: ...Switch001 z Configure the SSH client taking PuTTY version 0 58 as an example Generate an RSA key pair 1 Run PuTTYGen exe choose SSH2 RSA and click Generate Figure 1 22 Generate a client key pair 1 Wh...

Страница 748: ...re 1 23 Generate a client key pair 2 After the key pair is generated click Save public key and enter the name of the file for saving the public key public in this case Figure 1 24 Generate a client ke...

Страница 749: ...is generated you need to upload the pubic key file to the server through FTP or TFTP and complete the server end configuration before you continue to configure the client Establish a connection with...

Страница 750: ...27 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version 4 Select Connection SSH Auth The following window appears Figure 1 28 SSH client configurati...

Страница 751: ...Configure Switch B Create a VLAN interface on the switch and assign an IP address which the SSH client will use as the destination for SSH connection SwitchB system view SwitchB interface vlan interfa...

Страница 752: ...SwitchA ssh2 10 165 87 136 Username client001 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 The Server is not authenticated Do you continue to access it Y N y Do you want to s...

Страница 753: ...itchB public key local create rsa SwitchB public key local create dsa Set the authentication mode for the user interfaces to AAA SwitchB user interface vty 0 4 SwitchB ui vty0 4 authentication mode sc...

Страница 754: ...ate dsa Export the generated DSA key pair to a file named Switch001 SwitchA public key local export dsa ssh2 Switch001 After the key pair is generated you need to upload the pubic key file to the serv...

Страница 755: ...the destination of the client SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Generating the RSA and...

Страница 756: ...generate a DSA key pair on the server and save the key pair in a file named Switch002 and then upload the file to the SSH client through FTP or TFTP z Configure Switch A Create a VLAN interface on the...

Страница 757: ...ch002 SwitchA public key peer Switch002 import sshkey Switch002 Specify the host public key pair name of the server SwitchA ssh client 10 165 87 136 assign publickey Switch002 Establish the SSH connec...

Страница 758: ...em 1 1 File System Configuration Tasks 1 1 Directory Operations 1 1 File Operations 1 2 Flash Memory Operations 1 3 Prompt Mode Configuration 1 3 File System Configuration Example 1 4 File Attribute C...

Страница 759: ...and file name in one of the following ways z In universal resource locator URL format and starting with unit1 flash or flash This method is used to specify a file in the current Flash memory For exam...

Страница 760: ...te command should be executed in system view Table 1 3 File operations To do Use the command Remarks Delete a file delete unreserved file url delete running files standby files unreserved Optional A d...

Страница 761: ...ash Memory Operations Perform the following Flash memory operations using commands listed in Table 1 4 Perform the following configuration in user view Table 1 4 Operations on the Flash memory To do U...

Страница 762: ...attribute Copy the file flash config cfg to flash test with 1 cfg as the name of the new file Sysname copy flash config cfg flash test 1 cfg Copy unit1 flash config cfg to unit1 flash test 1 cfg Y N y...

Страница 763: ...backup startup file is used after a switch fails to start up using the main startup file In the Flash memory there can be only one app file one configuration file and one Web file with the backup att...

Страница 764: ...e Management part in this manual Configuring File Attributes You can configure and view the main attribute or backup attribute of the startup file used for the next startup of a switch and change the...

Страница 765: ...the Boot menu after restarting the switch or specify a new Web file by using the boot web package command Otherwise Web server cannot function normally z Currently a configuration file has the extensi...

Страница 766: ...ample A Switch Operating as an FTP Server 1 6 FTP Banner Display Configuration Example 1 8 FTP Configuration A Switch Operating as an FTP Client 1 9 SFTP Configuration 1 11 SFTP Configuration A Switch...

Страница 767: ...1 Roles that an H3C S3100 series Ethernet switch acts as in FTP Item Description Remarks FTP server An Ethernet switch can operate as an FTP server to provide file transmission services for FTP client...

Страница 768: ...the service type to FTP To use FTP services a user must provide a user name and password for being authenticated by the FTP server Only users that pass the authentication have access to the FTP server...

Страница 769: ...P 21 is disabled when you shut down the FTP server Configuring connection idle time After the idle time is configured if the server does not receive service requests from a client within a specified t...

Страница 770: ...FTP server through FTP the configured banner is displayed on the FTP client Banner falls into the following two types z Login banner After the connection between an FTP client and an FTP server is es...

Страница 771: ...erver display ftp user Available in any view FTP Configuration A Switch Operating as an FTP Client Basic configurations on an FTP client By default a switch can operate as an FTP client In this case y...

Страница 772: ...le to the remote FTP server put localfile remotefile Rename a file on the remote server rename remote source remote dest Log in with the specified user name and password user username password Connect...

Страница 773: ...ation Configure the FTP user name as switch the password as hello and the service type as FTP Sysname Sysname system view Sysname ftp server enable Sysname local user switch Sysname luser switch passw...

Страница 774: ...If you have to delete the files in use to make room for the file to be uploaded you can only delete download them through the Boot ROM menu z H3C series switch is not shipped with FTP client applicat...

Страница 775: ...in banner appears Sysname header shell shell banner appears 2 Configure the PC FTP client Access the Ethernet switch through FTP Enter the user name switch and the password hello to log in to the swit...

Страница 776: ...og in to a switch through the Console port or by telnetting the switch See the Login module for detailed information If available space on the Flash memory of the switch is not enough to hold the file...

Страница 777: ...ing module of this manual SFTP Configuration Table 1 10 SFTP configuration tasks Item Configuration task Description Enabling an SFTP server Required Configuring connection idle time Optional SFTP Con...

Страница 778: ...nding configuration manual z Currently an H3C S3100 series Ethernet switch operating as an SFTP server supports the connection of only one SFTP user When multiple users attempt to log in to the SFTP s...

Страница 779: ...ile remove remote file Optional Both commands have the same effect dir a l remote path Query a specified file on the SFTP server ls a l remote path Optional If no file name is provided all the files i...

Страница 780: ...e 1 6 Network diagram for SFTP configuration Configuration procedure 1 Configure the SFTP server switch B Create key pairs Sysname system view Sysname public key local create rsa Sysname public key lo...

Страница 781: ...1 Input Username client001 Trying 192 168 0 1 Press CTRL K to abort Connected to 192 168 0 1 The Server is not authenticated Do you continue to access it Y N y Do you want to save the server s public...

Страница 782: ...Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02...

Страница 783: ...1 17 rwxrwxrwx 1 noone nogroup 283 Sep 02 06 36 puk Received status End of file Received status Success sftp client Exit SFTP sftp client quit Bye Sysname...

Страница 784: ...ads files from When you download a file that is larger than the free space of the switch s flash memory z If the TFTP server supports file size negotiation file size negotiation will be initiated betw...

Страница 785: ...by default Specify an ACL rule used by the specified TFTP client to access a TFTP server tftp server acl acl number Optional Not specified by default TFTP Configuration Example Network requirements A...

Страница 786: ...ch the switch connects with the PC belongs to this VLAN This example assumes that the port belongs to VLAN 1 Sysname interface Vlan interface 1 Sysname Vlan interface1 ip address 1 1 1 1 255 255 255 0...

Страница 787: ...Output System Information to the Console 1 8 Setting to Output System Information to a Monitor Terminal 1 9 Setting to Output System Information to a Log Host 1 11 Setting to Output System Information...

Страница 788: ...has a smaller severity level Table 1 1 Severity description Severity Severity value Description emergencies 1 The system is unavailable alerts 2 Information that demands prompt reaction critical 3 Cri...

Страница 789: ...ing information 4 logbuffer Log buffer Receives log information a buffer inside the device for recording information 5 snmpagent SNMP NMS Receives trap information 6 channel6 Not specified Receives lo...

Страница 790: ...nal line module MSTP Multiple spanning tree protocol module NAT Network address translation module NDP Neighbor discovery protocol module NTDP Network topology discovery protocol module NTP Network ti...

Страница 791: ...ination is loghost the switch and the log host use the syslog protocol The system information is in the following format according to RFC 3164 The BSD Syslog Protocol Int_16 timestamp sysname nnmodule...

Страница 792: ...terminal logbuffer trapbuffer and the SNMP is with a precision of milliseconds z yyyy is the year z GMT hh mm ss is the UTC time zone which represents the time difference with the Greenwich standard...

Страница 793: ...and content fields For system information destined to the log host z If the character string ends with l it indicates the log information z If the character string ends with t it indicates the trap in...

Страница 794: ...Required Disabled by default z If the system information is output before you input any information following the current command line prompt the system does not echo any command line prompt after the...

Страница 795: ...ystem information output to the console info center console channel channel number channel name Optional By default the switch uses information channel 0 to output log debugging trap information to th...

Страница 796: ...associated display function to display the output information on the console Table 1 9 Enable the system information display on the console Operation Command Description Enable the debugging log trap...

Страница 797: ...ple Telnet users or dumb terminal users they share some configuration parameters including module filter language and severity level threshold In this case change to any such parameter made by one use...

Страница 798: ...nformation to the log host the switch uses information channel 2 by default Configure the source interface through which log information is sent to the log host info center loghost source interface ty...

Страница 799: ...rap debugging boot date none Optional By default the time stamp format of the output trap information is date Setting to Output System Information to the Log Buffer Table 1 14 Set to output system inf...

Страница 800: ...o send information to a remote SNMP NMS properly related configurations are required on both the switch and the SNMP NMS Displaying and Maintaining Information Center After the above configurations yo...

Страница 801: ...Switch system view Switch info center enable Disable the function of outputting information to log host channels Switch undo info center source default channel loghost Configure the host whose IP add...

Страница 802: ...and the file etc syslog conf is modified execute the following command to send a HUP signal to the system daemon syslogd so that it can reread its configuration file etc syslog conf ps ae grep syslogd...

Страница 803: ...d be used as a separator instead of a space z No space is permitted at the end of the file name z The device name facility and received log information severity specified in file etc syslog conf must...

Страница 804: ...with severity level higher than informational to the console Switch info center console channel console Switch info center source arp channel console log level informational debug state off trap state...

Страница 805: ...to be output to the log host to date Switch system view System View return to User View with Ctrl Z Switch info center timestamp loghost date Configure to add UTC time to the output information of th...

Страница 806: ...about Modules in System 2 3 Command Alias Configuration 2 1 Introduction 2 1 Configuring Command Alias 2 1 3 Network Connectivity Test 3 1 Network Connectivity Test 3 1 ping 3 1 tracert 3 1 4 Device M...

Страница 807: ...ii Configuring a Scheduled Task 5 1 Configuration Prerequisites 5 1 Configuring a Scheduled Task 5 1 Scheduled Task Configuration Example 5 2...

Страница 808: ...hrough Ethernet port z FTP through Ethernet port You can load software remotely by using z FTP z TFTP The Boot ROM software version should be compatible with the host software version when you load th...

Страница 809: ...tup mode after the information Press Ctrl B to enter BOOT Menu displays Otherwise the system starts to extract the program and if you want to enter the BOOT Menu at this time you will have to restart...

Страница 810: ...g program proceeds to send another packet If the check fails the receiving program sends negative acknowledgement characters and the sending program retransmits the packet Loading Boot ROM Follow thes...

Страница 811: ...ed to add the HyperTerminal program first and then log in to and manage the device as described in this document On the Windows 2008 Server Windows 7 Windows Vista or some other operating system you n...

Страница 812: ...HyperTerminal to the switch as shown in Figure 1 3 Figure 1 3 Connect and disconnect buttons The new baudrate takes effect after you disconnect and reconnect the HyperTerminal program Step 6 Press En...

Страница 813: ...dialog box Step 8 Click Send The system displays the page as shown in Figure 1 5 Figure 1 5 Sending file page Step 9 After the sending process completes the system displays the following information L...

Страница 814: ...for loading the Boot ROM except that the system gives the prompt for host software loading instead of Boot ROM loading You can also use the xmodem get command to load host software through the Consol...

Страница 815: ...rTerminal program on the configuration PC Start the switch Then enter the BOOT Menu At the prompt Enter your choice 0 9 in the BOOT Menu press 6 or Ctrl U and then press Enter to enter the Boot ROM up...

Страница 816: ...except that the system gives the prompt for host software loading instead of Boot ROM loading When loading Boot ROM and host software using TFTP through BOOT menu you are recommended to use the PC di...

Страница 817: ...P address 10 1 1 2 Server IP address 10 1 1 1 FTP User Name Switch FTP User Password abc Step 5 Press Enter The system displays the following information Are you sure to update your bootrom Yes or No...

Страница 818: ...n device and the FTP server You can telnet to the switch and then execute the FTP commands to download the Boot ROM program switch btm from the remote FTP server whose IP address is 10 1 1 1 to the sw...

Страница 819: ...The loading of Boot ROM and host software takes effect only after you restart the switch with the reboot command z If the space of the Flash memory is not enough you can delete the unused files in th...

Страница 820: ...able FTP service on the switch and configure the FTP user name to test and password to pass Sysname Vlan interface1 quit Sysname ftp server enable Sysname local user test New local user added Sysname...

Страница 821: ...Enter ftp 192 168 0 28 and enter the user name test password pass as shown in Figure 1 12 to log on to the FTP server Figure 1 12 Log on to the FTP server Step 7 Use the put command to upload the file...

Страница 822: ...t the file to be downloaded is the host software file and that you need to use the boot boot loader command to select the host software used for the next startup of the switch z The steps listed above...

Страница 823: ...1 16...

Страница 824: ...ime it automatically adds the specified offset to the current time so as to toggle the system time to the summer time z When the system reaches the specified end time it automatically subtracts the sp...

Страница 825: ...ontrol the display of debugging information z Protocol debugging switch which controls protocol specific debugging information z Screen output switch which controls whether to display the debugging in...

Страница 826: ...it unit id interface interface type interface number module name You can execute the display command in any view Displaying Operating Information about Modules in System When an Ethernet switch is in...

Страница 827: ...habits Configuring Command Alias Follow these steps to configure command aliases To do Use the command Remarks Enter system view system view Enable the command alias function command alias enable Req...

Страница 828: ...response time tracert You can use the tracert command to trace the gateways that a packet passes from the source to the destination This command is mainly used to check the network connectivity It ca...

Страница 829: ...onfiguring Real time Monitoring of the Running Status of the System Optional Specifying the APP to be Used at Reboot Optional Upgrading the Boot ROM Optional Identifying and Diagnosing Pluggable Trans...

Страница 830: ...boot date and time Configuring Real time Monitoring of the Running Status of the System This function enables you to dynamically record the system running status such as CPU thus facilitating analysis...

Страница 831: ...t or if the peer port is shut down the 1000 Mbps uplink port automatically enters the power save state so as to lower the power consumption of the switch Table 4 7 Follow these steps to enable auto po...

Страница 832: ...ation Command Description Display main parameters of the pluggable transceiver s display transceiver interface interface type interface number Available for all pluggable transceivers Display part of...

Страница 833: ...ment Operation Command Description Display the APP to be adopted at next startup display boot loader unit unit id Display the module type and operating status of each board display device manuinfo uni...

Страница 834: ...P configuration Switch PC Network 1 1 1 1 2 2 2 2 Configuration procedure 1 Configure the following FTP server related parameters on the PC an FTP user with the username as switch and password as hell...

Страница 835: ...om boot btm This will update BootRom file on unit 1 Continue Y N y Upgrading BOOTROM please wait Upgrade BOOTROM succeeded 9 Specify the downloaded program as the host software to be adopted when the...

Страница 836: ...commands in a scheduled task must be in the same view z You can specify up to ten commands in one scheduled task To execute more than ten commands you can specify multiple scheduled tasks Configuring...

Страница 837: ...b name Available in any view z You can specify only one view for each scheduled task z After a scheduled task is configured modification of the system time will affect the execution of the task Howeve...

Страница 838: ...ing at 18 00 week day Mon Tue Wed Thu Fri command shutdown Switch job pc3 Switch job pc3 view Ethernet1 0 3 Switch job pc3 time 1 repeating at 8 00 week day Mon Tue Wed Thu Fri command undo shutdown S...

Страница 839: ...e QinQ Configuration 2 1 Selective QinQ Overview 2 1 Selective QinQ Overview 2 1 Selective QinQ Configuration 2 2 Selective QinQ Configuration Task List 2 2 Configuring Global Tag Mapping Rules for Se...

Страница 840: ...rough the service providers backbone networks with both inner and outer VLAN tags In public networks packets of this type are transmitted by their outer VLAN tags that is the VLAN tags of public netwo...

Страница 841: ...the VLAN tag in an Ethernet frame 0 31 15 TPID Priority VLAN ID CFI An S3100 switch determines whether a received frame is VLAN tagged by comparing its own TPID with the TPID field in the received fra...

Страница 842: ...Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enable the VLAN VPN feature on the port vlan vpn enable Required By default the VLAN VPN featu...

Страница 843: ...twork by Using VLAN VPN Network requirements As shown in Figure 1 4 Switch A and Switch B are both S3100 series switches They connect the users to the servers through the public network z PC users and...

Страница 844: ...nable SwitchA Ethernet1 0 11 quit Set the global TPID value to 0x9200 for intercommunication with the devices in the public network and configure Ethernet 1 0 12 as a trunk port permitting packets of...

Страница 845: ...e basic principles are introduced here That is you need to configure the devices connecting to Ethernet 1 0 12 of Switch A and Ethernet 1 0 22 of Switch B to permit the corresponding ports to transmit...

Страница 846: ...e QinQ feature you can configure inner to outer VLAN tag mapping according to which you can add different outer VLAN tags to the packets with different inner VLAN tags The selective QinQ feature makes...

Страница 847: ...s in VLAN 201 to VLAN 300 and forward the packets to the VoIP device which is responsible for processing IP telephone services To guarantee the quality of voice packet transmission you can configure Q...

Страница 848: ...e Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Enable the selective QinQ feature vlan vpn selective enable Required By...

Страница 849: ...tive QinQ Network diagram Figure 2 2 Network diagram for selective QinQ configuration Public Network VLAN1000 VLAN1200 PC User VLAN100 108 IP Phone User VLAN200 230 Eth1 0 3 Eth1 0 5 For PC User VLAN1...

Страница 850: ...vlan vpn selective enable After the above configuration packets of VLAN 100 through VLAN 108 that is packets of PC users are tagged with the tag of VLAN 1000 as the outer VLAN tag when they are forwa...

Страница 851: ...onfiguration Switch B can forward packets of VLAN 1000 and VLAN 1200 to the corresponding servers through Ethernet 1 0 12 and Ethernet 1 0 13 respectively To make the packets from the servers be trans...

Страница 852: ...ets be transmitted across the provider s network without getting involved in the computation of the public network The BPDU Tunnel feature is designed to address the above requirements It enables some...

Страница 853: ...ts destination address is called a tunnel packet In the service provider network the tunnel packet can be forwarded as a normal data packet z Before the device in the service provider network forwards...

Страница 854: ...otocol NTDP neighbor topology discovery protocol cluster MRC cluster member remote control and HABP Huawei authentication bypass protocol z Proprietary protocols of other vendors including CDP CISCO d...

Страница 855: ...make sure that NDP and NTDP are not enabled on any port in an aggregation group before enabling the service provider network to use aggregation group to transmit HGMP packets through BPDU tunnels z Th...

Страница 856: ...e for STP BPDUs on Ethernet1 0 1 Sysname Ethernet1 0 1 bpdu tunnel stp Enable the VLAN VPN feature on Ethernet1 0 1 and use VLAN 100 to transmit user data packets through BPDU tunnels Sysname Ethernet...

Страница 857: ...ernet1 0 4 vlan vpn enable Configure the destination MAC address for the packets transmitted in the tunnel Sysname Ethernet1 0 4 quit Sysname bpdu tunnel tunnel dmac 010f e233 8b22 Configure Ethernet1...

Страница 858: ...Mapping Configuration Task List 1 4 Configuring a Global One to One VLAN Mapping Rule 1 4 Configuring a Port Level One to One VLAN Mapping Rule 1 5 Configuring Many to One VLAN Mapping 1 5 Configurin...

Страница 859: ...ts of the two VLAN mapping types Implementation and Application of One to one VLAN mapping One to one VLAN mapping maps traffic from one VLAN to another VLAN for transmission On an S3100 EI switch you...

Страница 860: ...VLAN mapping can map uplink traffic streams from multiple original VLANs to the same target VLAN and can correctly restore the original VLANs for downlink traffic streams z In the uplink direction yo...

Страница 861: ...y to one VLAN mapping network the DHCP server is usually deployed above the distribution layer To record the client information correctly the DHCP server must know the port through which a user is con...

Страница 862: ...u cannot enable one to one VLAN mapping on any other port z One to one VLAN mapping is mutually exclusive with VLAN ID marking z One to one VLAN mapping is mutually exclusive with IP filtering For mor...

Страница 863: ...to one VLAN mapping rule is configured and one to one VLAN mapping is disabled on all ports z In a one to one VLAN mapping rule one original VLAN can be mapped to only one target VLAN and vice versa...

Страница 864: ...inal VLAN information dhcp snooping information ignore vlanmapping Required By default this function is disabled and option 82 carries the target VLAN information Enter Ethernet port view of the downl...

Страница 865: ...ts from original VLANs from a user and forward the traffic from the target VLANs from the distribution switch Ethernet 1 0 1 should be a trunk or hybrid port Configure Ethernet 1 0 1 as a hybrid port...

Страница 866: ...ng vlan 3 remark 1003 SwitchA Ethernet1 0 1 quit Configure one to one VLAN mapping on port Ethernet 1 0 2 in the same way SwitchA interface Ethernet 1 0 12 SwitchA Ethernet1 0 12 vlan mapping vlan 1 r...

Страница 867: ...y to one VLAN mapping rule on Ethernet 1 0 1 to map original VLANs 1 through 3 to target VLAN 1001 Sysname Ethernet1 0 1 vlan mapping n to 1 vlan 1 remark 1001 Sysname Ethernet1 0 1 vlan mapping n to...

Страница 868: ...name dhcp snooping Sysname interface GigabitEthernet 1 1 1 Sysname GigabitEthernet1 1 1 dhcp snooping trust Sysname GigabitEthernet1 1 1 quit Configure DHCP snooping to support option 82 on Switch A S...

Страница 869: ...onfiguration 1 4 HWPing Server Configuration 1 4 HWPing Client Configuration 1 4 Displaying HWPing Configuration 1 20 HWPing Configuration Examples 1 20 ICMP Test 1 20 DHCP Test 1 21 FTP Test 1 23 HTT...

Страница 870: ...ient and sometimes the corresponding HWPing servers as well to perform various HWPing tests All HWPing tests are initiated by an HWPing client and you can view the test results on the HWPing client on...

Страница 871: ...jitter test you must specify a destination port number and the destination port number must be the port number of a TCP or UDP listening service configured on the HWPing server Source interface sourc...

Страница 872: ...ng discards some earliest records Automatic test interval frequency This parameter is used to set the interval at which the HWPing client periodically performs the same test automatically Probe timeou...

Страница 873: ...e same for HWPing test types that need to configure HWPing server Follow these steps to perform HWPing server configurations To do Use the command Remarks Enter system view system view Enable the HWPi...

Страница 874: ...re the number of probes per test count times Optional By default each test makes one probe Configure the packet size datasize size Optional By default the packet size is 56 bytes Configure a stuffing...

Страница 875: ...e times out in three seconds Configure the type of service ToS tos value Optional By default the service type is zero Start the test test enable Required Display test results display hwping results ad...

Страница 876: ...s Configure statistics interval and the maximum number of retained statistics information statistics interval interval max group number Optional By default statistics interval is 120 minutes and up to...

Страница 877: ...m number is 50 Enable history record history record enable Optional By default history record is not enabled Configure the retaining time of history record history keep time keep time Optional By defa...

Страница 878: ...isplay hwping results admin name operation tag Required You can execute the command in any view 4 Configuring HTTP test on HWPing client Follow these steps to configure HTTP test on HWPing client To d...

Страница 879: ...ned statistics information statistics interval interval max group number Optional By default statistics interval is 120 minutes and up to two pieces of statistics information can be retained Configure...

Страница 880: ...group and enter its view hwping administrator name operation tag Required By default no test group is configured Configure the test type test type jitter codec codec value Required By default the test...

Страница 881: ...tistics information statistics keep time keep time Optional By default the retaining time of statistics information is 120 minutes Configure test start time and lifetime test time begin hh mm ss yyyy...

Страница 882: ...no destination address is configured Configure the source IP address source ip ip address Optional By default no source IP address is configured Configure the source port source port port number Opti...

Страница 883: ...default a probe times out in three seconds Configure the type of service tos value Optional By default the service type is zero Start the test test enable Required Display test results display hwping...

Страница 884: ...tory records number Optional By default the maximum number is 50 Configure the retaining time of history record history keep time keep time Optional By default the retaining time of history record is...

Страница 885: ...rt destination port port number z Required in a Udpprivate test z A Udppublic test is a UDP connection test on port 7 Use the hwping server udpecho ip address 7 command on the server to configure the...

Страница 886: ...table bypass is disabled Configure the TTL ttl number Optional By default TTL is 20 The sendpacket passroute command voids the ttl command Configure the automatic test interval frequency interval Opt...

Страница 887: ...es and up to two pieces of statistics information can be retained Configure the retaining time of statistics information statistics keep time keep time Optional By default the retaining time of statis...

Страница 888: ...messages are generated regardless of whether the HWPing test succeeds or fails You can specify whether to output Trap messages by enabling disabling Trap sending Follow these steps to configure the H...

Страница 889: ...ystem view Sysname hwping agent enable Create an HWPing test group setting the administrator name to administrator and test tag to ICMP Sysname hwping administrator icmp Configure the test type as icm...

Страница 890: ...d manual DHCP Test Network requirements The HWPing client is an H3C S3100 series Ethernet switch while the DHCP server can be an H3C S5600 series Ethernet switch Perform an HWPing DHCP test between th...

Страница 891: ...al delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop op...

Страница 892: ...or and test tag to FTP Sysname hwping administrator ftp Configure the test type as ftp Sysname hwping administrator ftp test type ftp Configure the IP address of the FTP server as 10 2 2 2 Sysname hwp...

Страница 893: ...ry admin administrator tag ftp history record Index Response Status LastRC Time 1 15822 1 0 2000 04 03 04 00 34 6 2 15772 1 0 2000 04 03 04 00 18 8 3 9945 1 0 2000 04 03 04 00 02 9 4 15891 1 0 2000 04...

Страница 894: ...be timeout time to 30 seconds Sysname hwping administrator http timeout 30 Enable the saving of history records and set the maximum number of history records that can be saved to 10 Sysname hwping adm...

Страница 895: ...04 02 15 15 52 4 8 3 1 0 2000 04 02 15 15 52 4 9 2 1 0 2000 04 02 15 15 52 4 10 2 1 0 2000 04 02 15 15 52 4 For detailed output description see the corresponding command manual When you use H3C S3100...

Страница 896: ...ng administrator Jitter history record enable Sysname hwping administrator Jitter history records 10 Start the test Sysname hwping administrator Jitter test enable Display test results Sysname hwping...

Страница 897: ...5 8 263 1 0 2000 04 02 08 14 56 2 9 270 1 0 2000 04 02 08 14 56 0 10 275 1 0 2000 04 02 08 14 55 7 For detailed output description see the corresponding command manual SNMP Test Network requirements...

Страница 898: ...cords and set the maximum number of history records that can be saved to 10 Sysname hwping administrator snmp history record enable Sysname hwping administrator snmp history records 10 Start the test...

Страница 899: ...on Sysname system view Sysname hwping server enable Sysname hwping server tcpconnect 10 2 2 2 8000 z Configure HWPing Client Switch A Enable the HWPing client Sysname system view Sysname hwping agent...

Страница 900: ...HWPing entry admin administrator tag tcpprivate history record Index Response Status LastRC Time 1 4 1 0 2000 04 02 08 26 02 9 2 5 1 0 2000 04 02 08 26 02 8 3 4 1 0 2000 04 02 08 26 02 8 4 5 1 0 2000...

Страница 901: ...g administrator udpprivate history record enable Sysname hwping administrator udpprivate history records 10 Start the test Sysname hwping administrator udpprivate test enable Display test results Sysn...

Страница 902: ...Client Switch A Enable the HWPing client Sysname system view Sysname hwping agent enable Create an HWPing test group setting the administrator name to administrator and test tag to dns Sysname hwping...

Страница 903: ...Drop operation number 0 Other operation errors 0 Dns result DNS Resolve Current Time 10 DNS Resolve Min Time 6 DNS Resolve Times 10 DNS Resolve Max Time 10 DNS Resolve Timeout Times 0 DNS Resolve Fail...

Страница 904: ...18 Configuring the Hop Limit of ICMPv6 Reply Packets 1 18 Configuring ND Snooping 1 18 Configuring the ND Detection 1 19 Configuring DHCPv6 Snooping 1 20 Configuring IPv6 Filtering 1 21 Configuring I...

Страница 905: ...e significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits IPv6 Features Header format simplification IPv6 cuts down some IPv4 header fields or...

Страница 906: ...s Support for QoS The Flow Label field in the IPv6 header allows the device to label packets in a flow and provide special handling for these packets Enhanced neighbor discovery mechanism The IPv6 nei...

Страница 907: ...address An identifier for a single interface similar to an IPv4 unicast address A packet sent to a unicast address is delivered to the interface identified by that address z Multicast address An ident...

Страница 908: ...y node Before acquiring a valid IPv6 address a node may fill this address in the source address field of an IPv6 packet but may not use it as a destination IPv6 address Multicast address Multicast add...

Страница 909: ...ion Used to acquire the link layer address of a neighbor Used to verify whether the neighbor is reachable Neighbor solicitation NS message Used to perform a duplicate address detection Used to respond...

Страница 910: ...ess of node B The NS message contains the link layer address of node A 2 After receiving the NS message node B judges whether the destination address of the packet is the corresponding solicited node...

Страница 911: ...support ND snooping The ND snooping feature is used in Layer 2 switching networks It creates ND snooping entries using NS messages ND snooping entries are used to z Cooperate with the ND detection fun...

Страница 912: ...is received the device stops sending out DAD NS messages and updates the corresponding entry If no corresponding NA message is received within five seconds after the first DAD NS message is sent the d...

Страница 913: ...y intercept and modify the communication information Figure 1 5 ND attack diagram Switch Host A Host B IP_A MAC_A IP_B MAC_B IP_C MAC_C Host C Forged ND packets Forged ND packets A forged ND packet ha...

Страница 914: ...e static binding command For more information see Configuring IPv6 Filtering z The security entry of DHCPv6 snooping is generated automatically through DHCPv6 snooping itself For more information see...

Страница 915: ...igure 1 6 Configure trusted and untrusted ports Trusted DHCPv6 server DHCPv6 snooping Untrusted Untrusted Unauthorized DHCPv6 server DHCPv6 client DHCPv6 reply messages As shown in Figure 1 6 a DHCPv6...

Страница 916: ...about ND snooping refer to Introduction to ND Snooping Introduction to IPv6 DNS In the IPv6 network a domain name system DNS supporting IPv6 converts domain names into IPv6 addresses Different from a...

Страница 917: ...ute Optional Configuring IPv6 TCP Properties Optional Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time Optional Configuring the Hop Limit of ICMPv6 Reply Packets...

Страница 918: ...an IPv6 address ipv6 address ipv6 address prefix length ipv6 address prefix length Configure an IPv6 global unicast address or site local address Adopt the EUI 64 format to form an IPv6 address ipv6...

Страница 919: ...cal address because the system automatically generates one for the interface If no IPv6 site local address or global unicast address is configured the interface has no link local address Configuring I...

Страница 920: ...ge for duplicate address detection To do Use the command Remarks Enter system view system view Enter VLAN interface view interface interface type interface number Configure the attempts to send an NS...

Страница 921: ...et is sent the synwait timer is triggered If no response packet is received before the synwait timer expires the IPv6 TCP connection establishment fails z finwait timer When the IPv6 TCP connection st...

Страница 922: ...CMP error packets cannot be sent out until new tokens are put into the token bucket based on the specified update frequency Table 1 13 Configure the maximum number of IPv6 ICMP error packets sent with...

Страница 923: ...s a large number of ND snooping entries the system resources will be consumed To prevent such a problem you can configure the uplink port as an ND snooping uplink port Follow these steps to configure...

Страница 924: ...DHCPv6 snooping Follow these steps to configure DHCPv6 snooping To do Use the command Remarks Enter system view system view Enable DHCPv6 snooping dhcp snooping ipv6 enable Required Disabled by defau...

Страница 925: ...oping ipv6 information enable Required Not enabled by default Specify the DHCPv6 option supported by DHCPv6 snooping dhcp snooping ipv6 information option 18 37 Required Option 37 is specified by defa...

Страница 926: ...essage can be sent to the correct server for resolution The system can support at most six DNS servers You can configure a domain name suffix so that you only need to enter some fields of a domain nam...

Страница 927: ...tion related to a specified socket display ipv6 socket socktype socket type task id socket id Available in any view Display the statistics of IPv6 packets and IPv6 ICMP packets display ipv6 statistics...

Страница 928: ...g to VLAN 1 IPv6 addresses are configured for the interface Vlan interface1 on each switch to verify the connectivity between the two switches The global unicast address of Switch A is 3001 1 64 and t...

Страница 929: ...s FE80 2E0 FCFF FE00 2006 Global unicast address es 3001 2 subnet is 3001 64 Joined group address es FF02 1 FF00 2 FF02 1 FF00 2006 FF02 1 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1...

Страница 930: ...p limit 64 time 6 ms Reply from 3001 2 bytes 56 Sequence 3 hop limit 64 time 6 ms Reply from 3001 2 bytes 56 Sequence 4 hop limit 64 time 5 ms Reply from 3001 2 bytes 56 Sequence 5 hop limit 64 time 6...

Страница 931: ...user legality and to ensure the packets of legal users can be forwarded normally while those of illegal users are discarded Networking diagram Figure 1 10 Networking diagram for ND detection configur...

Страница 932: ...1 1 64 and the MAC address of Client B is 0001 0203 0406 z Enable DHCPv6 snooping on the switch B and specify Ethernet 1 0 1 as the DHCPv6 snooping trusted port z Enable IPv6 filtering on Ethernet 1 0...

Страница 933: ...et1 0 2 quit SwitchB interface Ethernet1 0 3 SwitchB Ethernet1 0 3 ipv6 check source ip address mac address SwitchB Ethernet1 0 3 quit SwitchB interface Ethernet1 0 4 SwitchB Ethernet1 0 4 ipv6 check...

Страница 934: ...ails about the ping command refer to System Maintenance and Debugging After you execute the ping ipv6 command you can press Ctrl C to terminate the ping operation Table 2 1 Ping IPv6 To do Use the com...

Страница 935: ...ICMP error message and understands that the packet has reached the destination and thus determines the route of the packet from source to destination Table 2 2 Traceroute IPv6 To do Use the command R...

Страница 936: ...Device A is the Telnet client and Device B is the Telnet server Figure 2 2 Provide Telnet services Configuration prerequisites Enable Telnet on the Telnet server and configure the authentication metho...

Страница 937: ...64 3001 3 64 Telnet_Server TFTP_Server Configuration procedure You need configure IPv6 address at the switch s and server s interfaces and ensure that the route between the switch and the server is a...

Страница 938: ...emote Destination Symptom Unable to ping a remote destination and return an error message Solution z Check that the IPv6 addresses are configured correctly z Use the display ipv6 interface command to...

Страница 939: ...ck it by running the dir command in user view z Check that the ACL configured for the TFTP server does not block the connection to the TFTP server Unable to Run Telnet Symptom Unable to login to Telne...

Страница 940: ...nfiguring Domain Name Resolution 1 2 Configuring Static Domain Name Resolution 1 2 Configuring Dynamic Domain Name Resolution 1 3 Displaying and Maintaining DNS 1 3 DNS Configuration Example 1 4 Stati...

Страница 941: ...tatic Domain Name Resolution The static domain name resolution means manually setting up mappings between domain names and IP addresses IP addresses of the corresponding domain names can be found in t...

Страница 942: ...is not complete The resolver can supply the missing part automatic domain name addition For example a user can configure com as the suffix for aabbcc com The user only needs to type aabbcc to get the...

Страница 943: ...ay configure up to six DNS servers and ten DNS suffixes Displaying and Maintaining DNS After the above configuration you can execute the display command and the nslookup type command in any view to di...

Страница 944: ...Sysname system view Sysname ip host host com 10 1 1 2 Execute the ping host com command to verify that the device can use static domain name resolution to get the IP address 10 1 1 2 corresponding to...

Страница 945: ...ations are done on the devices For the IP addresses of the interfaces see the figure above z There is a mapping between domain name host and IP address 3 1 1 1 16 on the DNS server z The DNS server wo...

Страница 946: ...abling the dynamic domain name resolution the user cannot get the correct IP address Solution z Use the display dns dynamic host command to check that the specified domain name is in the cache z If th...

Страница 947: ...nd Debugging Smart Link 1 6 Smart Link Configuration Example 1 7 Implementing Link Redundancy Backup 1 7 2 Monitor Link Configuration 2 1 Introduction to Monitor Link 2 1 How Monitor Link Works 2 2 Co...

Страница 948: ...emand Smart Link has the following features z Active standby backup for dual uplink networking z Simple configuration and operation Basic Concepts in Smart Link Smart Link group A Smart Link group con...

Страница 949: ...sends flush messages to notify other devices to refresh MAC address forwarding entries and ARP entries Control VLAN for sending flush messages This control VLAN sends flush messages When link switchi...

Страница 950: ...device to send flush messages to notify the other devices in the network to refresh their own MAC forwarding entries and ARP entries In this case all the uplink devices must be capable of identifying...

Страница 951: ...n group as a member of a Smart Link group Table 1 2 Configure Smart Link with ports as the members of the Smart Link group Operation Command Remarks Enter system view system view Create a Smart Link g...

Страница 952: ...n Ethernet 1 0 2 and Ethernet 1 0 3 of Switch C Ethernet 1 0 2 and Ethernet 1 0 3 of Switch D and Ethernet 11 0 1 and Ethernet 1 0 12 of Switch E Table 1 4 Enable the specified port to process flush m...

Страница 953: ...be synchronized to the other ports in the aggregation group automatically that is the other member ports in the aggregation group cannot process flush messages The function of processing flush messag...

Страница 954: ...0 2 PC Switch D Switch E Eth1 0 3 Eth1 0 2 Eth1 0 1 Configuration procedure 1 Configure a Smart Link group on Switch A and configure member ports for it Enable the function of sending flush messages i...

Страница 955: ...AN 1 on Ethernet 1 0 2 SwitchC smart link flush enable control vlan 1 port Ethernet 1 0 2 3 Enable the function of processing flush messages received from VLAN 1 on Switch D Enter system view SwitchD...

Страница 956: ...up fails all the downlink ports in the Monitor Link group are forced down When the link for the uplink port recovers all the downlink ports in the group are re enabled Figure 2 1 Network diagram for a...

Страница 957: ...configured with Smart Link group operates normally Actually however the traffic on Switch A cannot be up linked to Switch E through the link of Ethernet1 0 1 z If Switch C is configured with Monitor...

Страница 958: ...link Port Required Configuring a Downlink Port Required Creating a Monitor Link Group Table 2 2 Create a Monitor Link group Operation Command Remarks Enter system view system view Create a Monitor Lin...

Страница 959: ...specified Ethernet port as a downlink port of the Monitor Link group Ethernet port view port monitor link group group id downlink Required Use either approach z A Smart Link Monitor Link group with me...

Страница 960: ...o access the server and Internet due to uplink link or port failure Network diagram Figure 2 3 Network diagram for Monitor Link configuration BLOCK Switch A Switch B Eth1 0 1 Eth1 0 2 Switch C Switch...

Страница 961: ...C Enter system view SwitchC system view Create Monitor Link group 1 and enter Monitor Link group view SwitchC monitor link group 1 Configure Ethernet1 0 1 as the uplink port of the Monitor Link group...

Страница 962: ...ttack Defense Based on 802 1x 3 Overview 3 Configuring 802 1x Based ARP IP Attack Defense 3 Configuring ARP Source MAC Address Consistency Check 4 Introduction 4 Enabling ARP Source MAC Address Consis...

Страница 963: ...sent from the host to the gateway will be redirected to the fake MAC address and the client will be unable to access the external network Figure 1 1 Gateway spoofing attack To prevent gateway spoofing...

Страница 964: ...based on gateway s IP address or based on gateway s IP and MAC addresses but not both on an Ethernet port Configuring the Maximum Number of Dynamic ARP Entries a VLAN Interface Can Learn Introduction...

Страница 965: ...e feature of using IP to MAC bindings of authenticated 802 1x clients which obtain IP addresses through DHCP or manual assignment to implement ARP attack detection or IP filtering The feature avoids c...

Страница 966: ...authenticated 802 1x client is forced to go offline z IP filtering based on IP MAC bindings of authenticated 802 1x clients requires 802 1x clients to provide IP addresses otherwise the IP addresses...

Страница 967: ...192 168 100 1 24 and 000D 88F8 528C To prevent gateway spoofing attacks from Host A and Host B configure ARP packet filtering based on the gateway s IP and MAC addresses on Switch Network Diagram Figu...

Страница 968: ...nsistency check on Switch A to block ARP packets with the sender MAC address different from the source MAC address in the Ethernet header z Limit the number of dynamic ARP entries learned on VLAN inte...

Страница 969: ...4 Network diagram for 802 1x based ARP IP attack defense Configuration Procedures Enter system view Switch system view Enable 802 1x authentication globally Switch dot1x Enable ARP attack detection fo...

Страница 970: ...8 Switch interface ethernet1 0 1 Switch Ethernet1 0 1 dot1x Enable IP filtering based on IP MAC bindings of authenticated 802 1x clients Switch Ethernet1 0 1 ip check dot1x enable...

Страница 971: ...Re Initialization Delay 1 7 Enabling LLDP Polling 1 8 Configuring the TLVs to Be Advertised 1 8 Configuring the Management Address 1 8 Setting Other LLDP Parameters 1 9 Setting an Encapsulation Format...

Страница 972: ...DP in IEEE 802 1AB The protocol operates on the data link layer to exchange device information between directly connected devices With LLDP a device sends local device information including its major...

Страница 973: ...ng bridge is used Type The Ethernet type for the upper layer protocol It is 0x88CC for LLDP Data LLDP data unit LLDPDU FCS Frame check sequence a 32 bit CRC value used to determine the validity of the...

Страница 974: ...nformation field in octets and the value field contains the information itself LLDPDU TLVs fall into these categories basic management TLVs organizationally IEEE 802 1 and IEEE 802 3 specific TLVs and...

Страница 975: ...N name on the port Protocol Identity Protocols supported on the port Currently H3C devices support receiving but not sending protocol identity TLVs 3 IEEE 802 3 organizationally specific TLVs Table 1...

Страница 976: ...endpoint to advertise its vendor name Model Name Allows a MED endpoint to advertise its model name Asset ID Allows a MED endpoint to advertise its asset ID The typical case is that the user specifies...

Страница 977: ...it interval resumes Receiving LLDP frames An LLDP enabled port operating in TxRx mode or Rx mode checks the TLVs carried in every LLDP frame it receives for validity violation If valid the information...

Страница 978: ...only receives LLDP frames z Disable mode A port in this mode does not send or receive LLDP frames Follow these steps to set LLDP operating mode To do Use the command Remarks Enter system view system v...

Страница 979: ...ort description system capability system description system name dot1 tlv all port vlan id protocol vlan id vlan id vlan name vlan id dot3 tlv all link aggregation mac physic max frame size power med...

Страница 980: ...l device can be saved on a neighbor device by setting the TTL multiplier The TTL is expressed as follows TTL Min 65535 TTL multiplier LLDPDU transmit interval As the expression shows the TTL can be up...

Страница 981: ...ype interface number Required Set the encapsulation format for LLDPDUs to SNAP lldp encapsulation snap Required Ethernet II encapsulation format applies by default To restore the default use the undo...

Страница 982: ...patible LLDP to operate in TxRx mode Follow these steps to enable LLDP to be compatible with CDP To do Use the command Remarks Enter system view system view Enable CDP compatibility globally lldp comp...

Страница 983: ...the LLDP TLVs sent from neighboring devices display lldp neighbor information interface interface type interface number brief Available in any view Display LLDP statistics display lldp statistics glob...

Страница 984: ...2 lldp enable SwitchA Ethernet1 0 2 lldp admin status rx SwitchA Ethernet1 0 2 quit 2 Configure Switch B Enable LLDP globally SwitchB system view SwitchB lldp enable Enable LLDP on Ethernet1 0 1 you c...

Страница 985: ...ional TLV 0 Number of received unknown TLV 3 As the sample output shows Ethernet 1 0 1 of Switch A connects a MED device and Ethernet 1 0 2 of Switch A connects a non MED device Both ports operate in...

Страница 986: ...d unknown TLV 0 As shown in the sample output Ethernet 1 0 2 of Switch A does not connect any neighboring devices CDP Compatible LLDP Configuration Example Of the S3100 series only the S3100 EI series...

Страница 987: ...on Switch A Enable LLDP globally and enable LLDP to be compatible with CDP globally SwitchA lldp enable SwitchA lldp compliance cdp Enable LLDP you can skip this step because LLDP is enabled on ports...

Страница 988: ...G2 Platform Cisco IP Phone 7960 Duplex Full CDP neighbor information of port 2 Ethernet1 0 2 CDP neighbor index 2 Chassis ID SEP00141CBCDBFF Port ID Port 1 Sofrware version P0030301MFG2 Platform Cisco...

Страница 989: ...Certificate Request in Manual Mode 1 8 Retrieving a Certificate Manually 1 9 Configuring PKI Certificate Verification 1 10 Destroying a Local RSA Key Pair 1 11 Deleting a Certificate 1 11 Configuring...

Страница 990: ...tificate mechanism to solve this problem The digital certificate mechanism binds public keys to their owners helping distribute public keys in large networks securely With digital certificates the PKI...

Страница 991: ...lish multiple CRLs when the number of revoked certificates is so large that publishing them in a single CRL may degrade network performance and it uses CRL distribution points to indicate the URLs of...

Страница 992: ...f PKI The PKI technology can satisfy the security requirements of online transactions As an infrastructure PKI has a wide range of applications Here are some application examples VPN A virtual private...

Страница 993: ...ing a Certificate Request in Manual Mode Required Use either approach Retrieving a Certificate Manually Optional Configuring PKI Certificate Optional Destroying a Local RSA Key Pair Optional Deleting...

Страница 994: ...fqdn name str Optional No FQDN is specified by default Configure the IP address for the entity ip ip address Optional No IP address is specified by default Configure the locality of the entity locali...

Страница 995: ...icated protocol for an entity to communicate with a CA z Polling interval and count After an applicant makes a certificate request the CA may need a long period of time if it verifies the certificate...

Страница 996: ...nd optional when the certificate request mode is manual In the latter case if you do not configure this command the fingerprint of the root certificate must be verified manually No fingerprint is conf...

Страница 997: ...RSA key pair is an important step in certificate request The key pair includes a public key and a private key The private key is kept by the user while the public key is transferred to the CA along w...

Страница 998: ...send the file to the CA by an out of band means z Make sure the clocks of the entity and the CA are synchronous Otherwise the validity period of the certificate will be abnormal z The pki request cer...

Страница 999: ...CRL checking CRLs will be used in verification of a certificate Configuring CRL checking enabled PKI certificate verification Follow these steps to configure CRL checking enabled PKI certificate verif...

Страница 1000: ...CRL distribution point does not support domain name resolving Destroying a Local RSA Key Pair A certificate has a lifetime which is determined by the CA When the private key leaks or the certificate...

Страница 1001: ...me by default Return to system view quit Create a certificate attribute based access control policy and enter its view pki certificate access control policy policy name Required No access control poli...

Страница 1002: ...cate from a CA Running RSA Keon The CA server runs RSA Keon in this configuration example Network requirements z The device submits a local certificate request to the CA server z The device acquires t...

Страница 1003: ...ame Switch Switch pki entity aaa quit z Configure the PKI domain Create PKI domain torsa and enter its view Switch pki domain torsa Configure the name of the trusted CA as myca Switch pki domain torsa...

Страница 1004: ...ng CRL Please wait a while CRL retrieval success Request a local certificate manually Switch pki request certificate domain torsa challenge word Certificate is being requested please wait Certificate...

Страница 1005: ...65A0D3F C4047BC2 9C391FF0 7383C4DF 9A0CCFA9 231428AF 987B029C C857AD96 E4C92441 9382E798 8FCC1E4A 3E598D81 96476875 E2F86C33 75B51661 B6556C5E 8F546E97 5197734B C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C You...

Страница 1006: ...From the start menu select Control Panel Administrative Tools Internet Information Services IIS Manager and then select Web Sites from the navigation tree Right click on Default Web Site and select Pr...

Страница 1007: ...4DCE 439C 1C1F 83AB SHA1 fingerprint 97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4 Is the finger print correct Y N y Saving CA RA certificates chain please wait a moment CA certificates retrieval...

Страница 1008: ...4A663E75 F416B6F6 D41EE4FE X509v3 CRL Distribution Points URI http l00192b CertEnroll CA 20server crl URI file l00192b CertEnroll CA server crl Authority Information Access CA Issuers URI http l00192b...

Страница 1009: ...proper For example the network cable may be damaged or loose z No CA certificate has been retrieved z The current key pair has been bound to a certificate z No trusted CA is specified z The URL of th...

Страница 1010: ...ed z The LDAP server version is wrong Solution z Make sure that the network connection is physically proper z Retrieve a CA certificate z Specify the IP address of the LDAP server z Specify the CRL di...

Страница 1011: ...List 1 2 Configuring an SSL Server Policy 1 2 Configuration Prerequisites 1 3 Configuration Procedure 1 3 SSL Server Policy Configuration Example 1 4 Configuring an SSL Client Policy 1 6 Configuratio...

Страница 1012: ...and the client by using the digital signatures with the authentication of the client being optional The SSL server and client obtain certificates from a certificate authority CA through the Public Key...

Страница 1013: ...nd master secret z SSL change cipher spec protocol Used for notification between a client and the server that the subsequent packets are to be protected and transmitted based on the newly negotiated c...

Страница 1014: ...rver policy Specify the cipher suite s for the SSL server policy to support ciphersuite rsa_3des_ede_cbc_sha rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha Opt...

Страница 1015: ...0 or TLS 1 0 to communicate with the server SSL Server Policy Configuration Example Network requirements z The switch offers Web authentication to preform access authentication for clients z The clien...

Страница 1016: ...nt verify enable Switch ssl server policy myssl quit 3 Configure Web authentication Set the IP address and port number of the Web authentication server Switch system view Switch web authentication web...

Страница 1017: ...ing steps to access the Internet Step 1 Enter http 10 10 10 10 8080 in the address column of IE Step 2 Enter the correct user name and password and then click login The following page will be displaye...

Страница 1018: ...name all Available in any view Troubleshooting SSL SSL Handshake Failure Symptom As the SSL server the device fails to handshake with the SSL client Analysis SSL handshake failure may result from the...

Страница 1019: ...ot be trusted request and install a certificate for the client 2 You can use the display ssl server policy command to view the cipher suite used by the SSL server policy If the cipher suite used by th...

Страница 1020: ...1 1 Associating the HTTPS Service with an SSL Server Policy 1 2 Enabling the HTTPS Service 1 2 Associating the HTTPS Service with a Certificate Attribute Access Control Policy 1 3 Associating the HTTP...

Страница 1021: ...clients to access the device securely and prohibit the illegal clients z Encrypts the data exchanged between the HTTPS client and the device to ensure the data security and integrity thus realizing th...

Страница 1022: ...e through the Web function only when the HTTPS service is enabled Follow these steps to enable the HTTPS service To do Use the command Remarks Enter system view system view Enable the HTTPS service ip...

Страница 1023: ...access control policy z If the HTTPS service is associated with a certificate attribute access control policy the client verify enable command must be configured in the SSL server policy Otherwise the...

Страница 1024: ...ocedure Perform the following configurations on Device 1 Apply for a certificate for Device Configure a PKI entity Device system view Device pki entity en Device pki entity en common name http server1...

Страница 1025: ...licy myacp and create a control rule Device pki certificate access control policy myacp Device pki cert acp myacp rule 1 permit mygroup1 Device pki cert acp myacp quit 4 Reference an SSL server policy...

Страница 1026: ...Basic Ethernet OAM Functions 1 6 Configuring the Ethernet OAM Connection Detection Timers 1 6 Configuring Link Monitoring 1 7 Configuring Errored Symbol Event Detection 1 7 Configuring Errored Frame...

Страница 1027: ...s is why an effective management and maintenance mechanism for Ethernet has been absent all along hindering the usage of Ethernet in MANs and WANs Implementing Operation Administration and Maintenance...

Страница 1028: ...ed by bridges Ethernet OAMPDUs cannot be forwarded Source addr Source MAC address of the Ethernet OAMPDU It is the bridge MAC address of the sending side and is a unicast MAC address Type Type of the...

Страница 1029: ...interconnected OAM entities notify the peer of their OAM configuration information and the OAM capabilities of the local nodes by exchanging Information OAMPDUs and determine whether Ethernet OAM conn...

Страница 1030: ...k faults in various environments Ethernet OAM implements link monitoring through the exchange of Event Notification OAMPDUs Upon detecting a link error event listed in Table 1 4 the local OAM entity s...

Страница 1031: ...Table 1 5 Critical link error events Ethernet OAM link events Description Link Fault Peer link signal is lost Dying Gasp An unexpected fault such as power failure occurred Critical event An undetermi...

Страница 1032: ...erating mode oam mode active passive Optional The default is active Ethernet OAM mode Enable Ethernet OAM on the current port oam enable Required Ethernet OAM is disabled by default To change the Ethe...

Страница 1033: ...toring After Ethernet OAM connections are established the link monitoring periods and thresholds configured in this section take effect on all Ethernet ports automatically Configuring Errored Symbol E...

Страница 1034: ...riod period value Optional 1000 milliseconds by default Configure the errored frame period event triggering threshold oam errored frame period threshold threshold value Optional 1 by default Configuri...

Страница 1035: ...ilable only on full duplex links that support remote loopback at both ends z Ethernet OAM remote loopback needs the support of the peer hardware z Enabling Ethernet OAM remote loopback interrupts data...

Страница 1036: ...rror events reset oam interface interface type interface number Available in user view only Ethernet OAM Configuration Example Network requirements z Enable Ethernet OAM on Device A and Device B to au...

Страница 1037: ...tput information the detection period of errored frame events is 20 seconds the detection threshold is 10 seconds and all the other parameters use the default values You can use the display oam critic...

Страница 1038: ...1 12 The above information indicates that 35 errors occurred since Ethernet OAM is enabled on Device A 17 of which are caused by error frames The link is instable...

Страница 1039: ...CFD Settings 1 6 Enabling CFD 1 6 Configuring the CFD Protocol Version 1 6 Configuring Service Instances 1 6 Configuring MEPs 1 7 Configuring MIP Generation Rules 1 7 Configuring CFD Functions 1 9 Co...

Страница 1040: ...role The MD boundary is defined by some maintenance association end points MEPs configured on the ports An MD is identified by an MD name To accurately locate faults CFD introduces eight levels from...

Страница 1041: ...sociation end points MEPs and maintenance association intermediate points MIPs z MEP Each MEP is identified by an integer called a MEP ID The MEPs of an MD define the range and boundary of the MD The...

Страница 1042: ...an perform a function similar to ping and traceroute Like a MEP a MIP forwards packets at a higher level without any processing and only processes packet of its level or lower Figure 1 4 demonstrates...

Страница 1043: ...e z Continuity check CC z Loopback LB z Linktrace LT Continuity check Continuity check is responsible for checking the connectivity between MEPs Connectivity faults are usually caused by device faults...

Страница 1044: ...e following tasks z Grade the MDs in the entire network and define the boundary of each MD z Assign a name for each MD Make sure that the same MD has the same name on different devices z Define the MA...

Страница 1045: ...ame MD must use the same CFD protocol version otherwise they cannot exchange CFD protocol packets Follow these steps to configure the CFD protocol version To do Use the command Remarks Enter system vi...

Страница 1046: ...P Before creating MEPs configure the MEP list first An MEP list is a collection of local MEPs allowed to be configured in an MA and the remote MEPs to be monitored Follow these steps to configure a ME...

Страница 1047: ...steps to configure the rules for generating MIPs To do Use the command Remarks Enter system view system view Configure the rules for generating MIPs cfd mip rule explicit default service instance inst...

Страница 1048: ...y default The relationship between the interval field value in the CCM messages the interval between CCM messages and the timeout time of the remote MEP is illustrated in Table 1 1 Table 1 1 Relations...

Страница 1049: ...nd the TTL field in the LTMs set to the maximum value 255 will be sent out Based on the LTRs that echo back the fault source can be located Follow these steps to configure LT on MEPs To do Use the com...

Страница 1050: ...belong to VLAN 100 and the MAs in the two MDs all serve VLAN 100 z In MD_A there are three edge ports Ethernet 1 0 1 on Device A Ethernet 1 0 3 on Device D and Ethernet 1 0 4 on Device E configure in...

Страница 1051: ...cfd service instance 1 md MD_A ma MA_A Configure Device E as you configure Device A Create MD_A level 5 on Device B create MA_A which serves VLAN 100 in MD_A and then create service instance 1 for MD...

Страница 1052: ...fd meplist 1001 4002 5001 service instance 1 DeviceD cfd meplist 2001 4001 service instance 2 DeviceD interface ethernet 1 0 1 DeviceD Ethernet1 0 1 cfd mep 4001 service instance 2 outbound DeviceD Et...

Страница 1053: ...etects a link fault you can use the LB function to locate the fault For example Enable LB on Device A to check the status of the link between MEP 1001 and MEP 5001 in service instance 1 DeviceA cfd lo...

Страница 1054: ...i Table of Contents Appendix A Acronyms A 1...

Страница 1055: ...DHCP Dynamic Host Configuration Protocol DR Designated Router D V Distance Vector Routing Algorithm E EGP Exterior Gateway Protocol F FTP File Transfer Protocol G GARP Generic Attribute Registration P...

Страница 1056: ...AM Nonvolatile RAM O OSPF Open Shortest Path First P PIM Protocol Independent Multicast PIM DM Protocol Independent Multicast Dense Mode PIM SM Protocol Independent Multicast Sparse Mode PKI Public Ke...

Страница 1057: ...A 3 TTL Time To Live U UDP User Datagram Protocol V VLAN Virtual LAN VOD Video On Demand W WRR Weighted Round Robin X XID eXchange Identification XRN eXpandable Resilient Networking...

Результаты поиска

Содержание S3100 Series

Отзывы:

Похожие инструкции для S3100 Series

Бренды по названию

Популярные бренды

H3C S3100 Series, Руководство по эксплуатации

Результаты поиска

Содержание S3100 Series

Отзывы:

Похожие инструкции для S3100 Series

Бренды по названию

Популярные бренды