manualshive.com logo in svg

H3C S5120-EI Series, Руководство по эксплуатации

Поделиться
Скачать
H3C S5120-EI Series Скачать руководство пользователя страница 900

 

8-6 

Controlling Web Users by Source IP Addresses 

The S5120-EI series Ethernet switches support Web-based remote management, which allows Web 
users to access the switches using the HTTP protocol. By referencing access control lists (ACLs), you 
can control the access of Web users to the switches.  

Prerequisites 

The control policies to be implemented on Web users are decided, including the source IP addresses to 

be controlled and the control action, that is, whether to allow or deny the access.  

Controlling Web Users by Source IP Addresses 

This feature is achieved through the configuration of basic ACLs, the numbers of which are in the range 
2000 to 2999. For the definition of ACLs, see 

ACL Configuration

 in the 

Security Volume

.  

Follow these steps to configure controlling Web users by source IP addresses: 

To do… 

Use the command… 

Remarks 

Enter system view 

system-view

 

— 

Create a basic ACL or enter 

basic ACL view 

acl 

ipv6 

number

 

acl-number 

match-order

 { 

config

 | 

auto

 } ] 

Required 
The 

config

 keyword is 

specified by default. 

Define rules for the ACL 

rule

 [ 

rule-id

 ] { 

permit

 | 

deny

 } [ 

source 

{

 sour-addr sour-wildcard

 | 

any

 } | 

time-range

 

time-name 

fragment

 | 

logging

 ]* 

Required 

Quit to system view

 

quit 

— 

Reference the ACL to control 

Web users 

ip http acl

 

acl-number

 

Required 

 

Forcing Online Web Users Offline 

The network administrators can run a command to force online Web users offline.  
Perform the following operation to force online Web users offline: 

To do… 

Use the command… 

Remarks 

Force online Web users offline 

free web-users 

all

 | 

user-id user-id

 | 

user-name user-name

 } 

Required 
Use this command in 

user view 

 

Configuration Example 

Network requirements 

Configure a basic ACL to allow only Web users using IP address 10.110.100.52 to access the switch.  

Содержание S5120-EI Series

Страница 1: ...H3C S5120 EI Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co Ltd Manual Version 6W101 20100305 Product Version Release 2202...

Страница 2: ...ecPoint SecEngine SecPath Comware Secware Storware NQA VVG V2 G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be me...

Страница 3: ...g IPv6 Static Routing Mulitcast Overview IGMP Snooping Multicast VLAN MLD Snooping 04 IP Multicast Volume IPv6 Multicast VLAN 05 QoS Volume QoS User Profile AAA 802 1X HABP MAC Authentication Port Sec...

Страница 4: ...brackets and separated by vertical bars Many or none can be selected 1 n The argument s before the ampersand sign can be entered 1 to n times A line starting with the sign is comments GUI conventions...

Страница 5: ...released with the software version Technical Support customer_service h3c com http www h3c com At http www h3cnetworks com Documentation 1 Select Drivers Downloads in the Support area 2 Select Docume...

Страница 6: ...benefits you must first register your product at http www h3cnetworks com Warranty and other service benefits start from the date of purchase so it is important to register your product quickly to en...

Страница 7: ...Documentation and Software 2 1 Manual List 2 1 Software Version 2 1 3 Product Features 3 1 Introduction to Product 3 1 Feature Lists 3 1 4 Features 4 1 Access Volume 4 1 IP Services Volume 4 3 IP Rou...

Страница 8: ...The documentations are available in one of the following ways z H3C website z Software release notes H3C Website You can access the most up to date H3C product documentation on the World Wide Web at...

Страница 9: ...es Ethernet Switches Command Manual Release 2202 are for the software version Release 2202P06 and Release 2202P19 of the S5120 EI series switches The supported features are different between these sof...

Страница 10: ...ageability Feature Lists The S5120 EI series support abundant features and the related documents are divided into the volumes as listed in Table 3 1 Table 3 1 Feature list Volume Features Ethernet Por...

Страница 11: ...System Configuration Device Management File System Management HTTP SNMP RMON MAC Address Table System Maintaining and Debugging Information Center PoE Hotfix NQA NTP Cluster Management IRF 08 System...

Страница 12: ...nabling Loopback Detection on an Ethernet Interface z Configuring the MDI Mode for an Ethernet Interface z Testing the Cable on an Ethernet Interface z Configuring the Storm Constrain Function on an E...

Страница 13: ...N space by allowing Ethernet frames to travel across the service provider network with double VLAN tags This document describes z Introduction to QinQ z Configuring basic QinQ z Configuring Selective...

Страница 14: ...Name System DNS is a distributed database which provides the translation between domain name and the IP address This document describes z Configuring the DNS Client z Configuring the DNS Proxy IP Per...

Страница 15: ...th for important network applications This document describes z Static route configuration z Detecting Reachability of the Static Route s Nexthop IPv6 Static Routing Static routes are special routes t...

Страница 16: ...ongestion management z Traffic mirroring configuration User Profile User profile provides a configuration template to save predefined configurations This document describes z Creating a User Profile z...

Страница 17: ...al packets from traveling through thus improving the network security This document describes z Configuring a Static Binding Entry z Configuring Dynamic Binding Function SSH2 0 SSH ensures secure logi...

Страница 18: ...ation function used to enable a device to be aware of the up down state change of the ports on an indirectly connected link This document describes z Monitor Link Overview z Configuring Monitor Link R...

Страница 19: ...through the track module This document describes z Track Overview z Configuring Collaboration Between the Track Module and the Detection Modules z Configuring Collaboration Between the Track Module an...

Страница 20: ...ng web page information across the Internet This document describes z HTTP Configuration z HTTPS Configuration SNMP Simple network management protocol SNMP offers a framework to monitor network device...

Страница 21: ...re z Configuring a PD Disconnection Detection Mode z Enabling the PSE to detect nonstandard PDs Hotfix Hotfix is a fast cost effective method to fix software defects of the device without interrupting...

Страница 22: ...ions IRF Intelligent Resilient Framework IRF allows you to build an IRF namely a united device by interconnecting multiple devices through IRF ports You can manage all the devices in the IRF by managi...

Страница 23: ...Application Layer Gateway AM accounting management ANSI American National Standard Institute AP Access Point ARP Address Resolution Protocol AS Autonomous System ASBR Autonomous System Border Router...

Страница 24: ...and Telegraph Consultative Committee CE Customer Edge CFD Connectivity Fault Detection CFM Configuration File Management CHAP Challenge Handshake Authentication Protocol CIDR Classless Inter Domain R...

Страница 25: ...oint Priority DSP Digital Signal Processor DTE Data Terminal Equipment DU Downstream Unsolicited D V Distance Vector Routing Algorithm DVMRP Distance Vector Multicast Routing Protocol DWDM Dense Wavel...

Страница 26: ...ernet GR Graceful Restart GRE Generic Routing Encapsulation GTS Generic Traffic Shaping GVRP GARP VLAN Registration Protocol H Return HA High Availability HABP HW Authentication Bypass Protocol HDLC H...

Страница 27: ...on IPSec IP Security IPTN IP Phone Telephony Network IPv6 Internet protocol version 6 IPX Internet Packet Exchange IRF Intelligent Resilient Framework IS Intermediate System ISATAP Intra Site Automati...

Страница 28: ...ate LRTT Loop Round Trip Time LSA Link State Advertisement LSAck Link State Acknowledgment LSDB Link State Database LSP Label Switch Path LSPAGENT Label Switched Path AGENT LSPDU Link State Protocol D...

Страница 29: ...on Overhead MSTI Multi Spanning Tree Instance MSTP Multiple Spanning Tree Protocol MT Multicast Tunnel MTBF Mean Time Between Failure MTI Multicast Tunnel Interface MTU Maximum Transmission Unit MVRF...

Страница 30: ...OC 3 OC 3 OID Object Identifier OL Optical Line OSI Open Systems Interconnection OSPF Open Shortest Path First P Return P2MP Point to MultiPoint P2P Point To Point PAP Password Authentication Protocol...

Страница 31: ...Virtual Channel PW Pseudo wires Q Return QACL QoS ACL QinQ 802 1Q in 802 1Q QoS Quality of Service QQIC Querier s Query Interval Code QRV Querier s Robustness Variable R Return RA Registration Author...

Страница 32: ...hoke Fairness Frame SD Signal Degrade SDH Synchronous Digital Hierarchy SETS Synchronous Equipment Timing Source SF Sampling Frequency SFM Source Filtered Multicast SFTP Secure FTP Share MDT Share Mul...

Страница 33: ...Distribution Tree T Return TA Terminal Adapter TACACS Terminal Access Controller Access Control System TDM Time Division Multiplexing TCP Transmission Control Protocol TE Traffic Engineering TEDB TE D...

Страница 34: ...rk VPI Virtual Path Identifier VPLS Virtual Private Local Switch VPN Virtual Private Network VRID Virtual Router ID VRRP Virtual Router Redundancy Protocol VSI Virtual Switch Interface VT Virtual Trib...

Страница 35: ...tatistics z Enabling Forwarding of Jumbo Frames z Enabling Loopback Detection on an Ethernet Interface z Configuring the MDI Mode for an Ethernet Interface z Testing the Cable on an Ethernet Interface...

Страница 36: ...te user vlan configuration z Introduction and Configuration of Voice VLAN GVRP GVRP is a GARP application This document describes z GARP overview z GVRP configuration z GARP Timers configuration QinQ...

Страница 37: ...rk monitoring and troubleshooting Traffic mirroring is implemented by a QoS policy which defines certain match criteria to match the packets to be mirrored and defines the action of mirroring such pac...

Страница 38: ...Change on an Ethernet Port 1 4 Configuring Loopback Testing on an Ethernet Port 1 5 Configuring a Port Group 1 5 Configuring Storm Suppression 1 6 Setting the Interval for Collecting Ethernet Port St...

Страница 39: ...tallation Manual Combo Port Configuration Introduction to Combo port A Combo port can operate as either an optical port or an electrical port Inside the device there is only one forwarding port For a...

Страница 40: ...net port you can specify the transmission rate by its auto negotiation capacity For details refer to Configuring an Auto negotiation Transmission Rate Follow these steps to configure an Ethernet port...

Страница 41: ...on rate of GigabitEthernet 1 0 4 which provides access to the external network for the server group is 1000 Mbps too If you do not specify an auto negotiation range on the device the transmission rate...

Страница 42: ...system view Enter Ethernet port view interface interface type interface number Enable flow control flow control Required Disabled by default Configuring the Suppression Time of Physical Link State Ch...

Страница 43: ...y the former is available on it if the port is shut down port state shown as ADM or Administratively DOWN both are unavailable z The speed duplex mdi and shutdown commands are not applicable during lo...

Страница 44: ...hese steps to set storm suppression ratios for one or multiple Ethernet ports To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface nu...

Страница 45: ...Such frames called jumbo frames will be dropped With forwarding of jumbo frames enabled the system does not drop all the jumbo frames Instead it continues to process jumbo frames with a size greater...

Страница 46: ...ese steps to configure loopback detection To do Use the command Remarks Enter system view system view Enable global loopback detection loopback detection enable Required Disabled by default Configure...

Страница 47: ...6 are used for transmitting signals To enable normal communication you should connect the local transmit pins to the remote receive pins Therefore you should configure the MDI mode depending on the ca...

Страница 48: ...to control a specific type of traffic As the function and the storm constrain function are mutually exclusive do not enable them at the same time on an Ethernet port For example with broadcast storm...

Страница 49: ...own below the lower threshold from a point higher than the upper threshold storm constrain enable log Optional By default the system sends log when the traffic detected exceeds the upper threshold or...

Страница 50: ...rface type interface number Available in user view Clear the statistics of discarded packets on a port reset packet drop interface interface type interface number Available in user view Display the Co...

Страница 51: ...ic Aggregation Group 1 9 Configuring an Aggregate Interface 1 10 Configuring the Description of an Aggregate Interface 1 11 Enabling Link State Trapping for an Aggregate Interface 1 11 Shutting Down a...

Страница 52: ...links can dynamically back up one another As shown in Figure 1 1 Device A and Device B are connected with three physical Ethernet links These physical Ethernet links are aggregated into an aggregate...

Страница 53: ...Any change to this information triggers a recalculation of this operational key In an aggregation group all selected member ports are assigned the same operational key Configuration classes Every con...

Страница 54: ...gation Control Protocol LACP enables dynamic aggregation of physical links It uses link aggregation control protocol data units LACPDUs for exchanging aggregation information between LACP enabled devi...

Страница 55: ...ink aggregation group service traffic will need to be redistributed among all the new member ports of the link aggregation group The Marker protocol can be employed to quickly redistribute service tra...

Страница 56: ...send LACPDUs z An unselected port can receive and send LACPDUs only if it is up and have the same class two configurations as the aggregate interface Aggregating Links in Static Mode LACP is disabled...

Страница 57: ...been reached will not be placed in the selected state even if it should be in normal cases This is to prevent the ongoing traffic on the current selected ports from being interrupted You should avoid...

Страница 58: ...he lowest port ID is selected as the reference port Setting the aggregation state of each member port After the reference port is selected the system with the lower system ID sets the state of each me...

Страница 59: ...carried in packets Ethernet Link Aggregation Configuration Task List Complete the following tasks to configure Ethernet link aggregation Task Remarks Configuring a Static Aggregation Group Configuring...

Страница 60: ...essful static aggregation ensure that the ports at both ends of each link are in the same aggregation state Follow these steps to configure a static aggregation group To do Use the command Remarks Ent...

Страница 61: ...ggregation group numbered the same Configure the aggregation group to work in dynamic aggregation mode link aggregation mode dynamic Required By default an aggregation group works in static aggregatio...

Страница 62: ...uration in the System Volume Follow these steps to enable link state trapping on an aggregate interface To do Use the command Remarks Enter system view system view Enable the trap function globally sn...

Страница 63: ...al or group specific load sharing criteria A link aggregation group preferentially uses the group specific load sharing criteria If no group specific load sharing criteria is available it uses the glo...

Страница 64: ...load sharing criteria for a link aggregation group To do Use the command Remarks Enter system view system view Enter aggregate interface view interface bridge aggregation interface number Configure th...

Страница 65: ...t counters interface bridge aggregation interface number Available in user view Ethernet Link Aggregation Configuration Examples In an aggregation group only ports that have the same port attributes a...

Страница 66: ...ggregation1 quit Assign ports GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to link aggregation group 1 DeviceA interface gigabitethernet 1 0 1 DeviceA gigabitethernet1 0 1 port link aggregation...

Страница 67: ...egation RAGG Route Aggregation Aggregation Mode S Static D Dynamic Loadsharing Type Shar Loadsharing NonS Non Loadsharing Actor System ID 0x8000 000f e2ff 0001 AGG AGG Partner ID Select Unselect Share...

Страница 68: ...AN 20 and assign port GigabitEthernet1 0 5 to VLAN 20 DeviceA vlan 20 DeviceA vlan20 port gigabitEthernet 1 0 5 DeviceA vlan20 quit Create Layer 2 aggregate interface 1 and configure the link aggregat...

Страница 69: ...ure Device A 3 Verify the configurations Display the summary information about all aggregation groups on Device A DeviceA display link aggregation summary Aggregation Interface Type BAGG Bridge Aggreg...

Страница 70: ...traffic to be load shared across aggregation group member ports Figure 1 6 Network diagram for aggregation load sharing configuration Configuration procedure 1 Configure Device A Create VLAN 10 and a...

Страница 71: ...r the link aggregation group as the destination MAC addresses of packets DeviceA interface bridge aggregation 2 DeviceA Bridge Aggregation2 link aggregation load sharing mode destination mac DeviceA B...

Страница 72: ...elect Unselect Share Interface Mode Ports Ports Type BAGG1 S none 2 0 Shar BAGG2 S none 2 0 Shar The output above shows that link aggregation groups 1 and 2 are both load sharing capable Layer 2 stati...

Страница 73: ...olation Configuration 1 1 Introduction to Port Isolation 1 1 Configuring the Isolation Group 1 1 Assigning a Port to the Isolation Group 1 1 Displaying and Maintaining Isolation Groups 1 2 Port Isolat...

Страница 74: ...d between a port inside an isolation group and a port outside the isolation group but not between ports inside the isolation group Configuring the Isolation Group Assigning a Port to the Isolation Gro...

Страница 75: ...hat Host A Host B and Host C cannot communicate with one another at Layer 2 but can access the Internet Figure 1 1 Networking diagram for port isolation configuration Configuration procedure Add ports...

Страница 76: ...1 3 Uplink port support NO Group ID 1 Group members GigabitEthernet1 0 1 GigabitEthernet1 0 2 GigabitEthernet1 0 3...

Страница 77: ...of a Device 1 19 Configuring the Maximum Hops of an MST Region 1 20 Configuring the Network Diameter of a Switched Network 1 20 Configuring Timers of MSTP 1 21 Configuring the Timeout Factor 1 22 Conf...

Страница 78: ...ops at the data link layer in a local area network LAN Devices running this protocol detect loops in the network by exchanging information with one another and eliminate loops by selectively blocking...

Страница 79: ...port The root bridge has no root port Designated bridge and designated port The following table describes designated bridges and designated ports Table 1 1 Description of designated bridges and design...

Страница 80: ...spanning tree calculation Important fields in a configuration BPDU include z Root bridge ID consisting of the priority and MAC address of the root bridge z Root path cost the cost of the path to the...

Страница 81: ...iority than that of the configuration BPDU generated by the port the device discards the received configuration BPDU and does not process the configuration BPDU of this port z If the received configur...

Страница 82: ...device z The designated port ID is replaced with the ID of this port 3 The device compares the calculated configuration BPDU with the configuration BPDU on the port of which the port role is to be def...

Страница 83: ...port after comparison Device A z Port AP1 receives the configuration BPDU of Device B 1 0 1 BP1 Device A finds that the configuration BPDU of the local port 0 0 0 AP1 is superior to the received confi...

Страница 84: ...ort BP1 0 0 0 AP1 Designated port BP2 0 5 1 BP2 z Port CP1 receives the configuration BPDU of Device A 0 0 0 AP2 Device C finds that the received configuration BPDU is superior to the configuration BP...

Страница 85: ...ning tree with Device A as the root bridge is established as shown in Figure 1 3 Figure 1 3 The final calculated spanning tree AP1 AP2 Device A With priority 0 Device B With priority 1 Device C With p...

Страница 86: ...e transition in STP the newly elected root ports or designated ports require twice the forward delay time before transiting to the forwarding state to ensure that the new configuration BPDU has propag...

Страница 87: ...gs of STP and RSTP In addition to the support for rapid network convergence it allows data flows of different VLANs to be forwarded along separate paths thus providing a better load sharing mechanism...

Страница 88: ...tree region MST region consists of multiple devices in a switched network and the network segments among them These devices have the following characteristics z All are MSTP enabled z They have the sa...

Страница 89: ...constitute the CIST of the entire network MSTI Multiple spanning trees can be generated in an MST region through MSTP one spanning tree being independent of another Each spanning tree is referred to a...

Страница 90: ...ate port The standby port for a root port or master port When the root port or master port is blocked the alternate port becomes the new root port or master port z Backup port The backup port of a des...

Страница 91: ...are calculated each being called an MSTI Among these MSTIs MSTI 0 is the IST while all the others are MSTIs Similar to STP MSTP uses configuration BPDUs to calculate spanning trees The only difference...

Страница 92: ...List Before configuring MSTP you need to know the role of each device in each MSTI root bridge or leave node In each MSTI one and only one device acts as the root bridge while all others as leaf nodes...

Страница 93: ...nce mapping table For the detailed information of GVRP refer to GVRP Configuration of the Access Volume z MSTP is mutually exclusive with any of the following functions on a port service loopback RRPP...

Страница 94: ...rations of currently activated MST regions display stp region configuration The display command can be executed in any view z Two or more MSTP enabled devices belong to the same MST region only if the...

Страница 95: ...r if you specify a new primary root bridge for the instance then the secondary root bridge will not become the root bridge If you have specified multiple secondary root bridges for an instance when th...

Страница 96: ...e device send out MSTP BPDUs If the device detects that it is connected with a legacy STP device the port connecting with the legacy STP device will automatically migrate to STP compatible mode Make t...

Страница 97: ...panning tree calculation and thereby the size of the MST region is confined Make this configuration on the root bridge only All the devices other than the root bridge in the MST region use the maximum...

Страница 98: ...the peer occur in a synchronized manner z Hello time is the time interval at which a device sends configuration BPDUs to the surrounding devices to ensure that the paths are fault free If a device fa...

Страница 99: ...l to timely launch spanning tree calculations thus reducing the auto sensing capability of the network We recommend that you use the default setting The settings of hello time forward delay and max ag...

Страница 100: ...mit Required 10 by default The higher the maximum port rate is the more BPDUs will be sent within each hello time and the more system resources will be used By setting an appropriate maximum port rate...

Страница 101: ...costs in different MSTIs Setting appropriate path costs allows VLAN traffic flows to be forwarded along different physical links thus achieving VLAN based load balancing The device can automatically...

Страница 102: ...66 500 2 1 1 1 When calculating path cost for an aggregate interface 802 1d 1998 does not take into account the number of member ports in its aggregation group as 802 1t does The calculation formula o...

Страница 103: ...elected as the root port of a device If all other conditions are the same the port with the highest priority will be elected as the root port On an MSTP enabled device a port can have different priori...

Страница 104: ...ew system view Enter Ethernet interface view or Layer 2 aggregate interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manu...

Страница 105: ...cy Required auto by default z MSTP provides the MSTP packet format incompatibility guard function In MSTP mode if a port is configured to recognize send MSTP packets in a mode other than auto and rece...

Страница 106: ...port group manual port group name Required Use either command Enable the MSTP feature for the ports stp enable Optional By default MSTP is enabled for all ports after it is enabled for the device glo...

Страница 107: ...RSTP or MSTP mode Configuring Digest Snooping As defined in IEEE 802 1s interconnected devices are in the same region only when the MST region related configurations domain name revision level VLAN to...

Страница 108: ...led by default z With the Digest Snooping feature enabled comparison of configuration digest is not needed for in the same region check so the VLAN to instance mappings must be the same on associated...

Страница 109: ...oping on Device B DeviceB system view DeviceB interface gigabitethernet 1 0 1 DeviceB GigabitEthernet1 0 1 stp config digest snooping DeviceB GigabitEthernet1 0 1 quit DeviceB stp config digest snoopi...

Страница 110: ...P and does not work in RSTP mode the root port on the downstream device receives no agreement packet from the upstream device and thus sends no agreement packets to the upstream device As a result the...

Страница 111: ...eam device Figure 1 9 No Agreement Check configuration 2 Configuration procedure Enable No Agreement Check on GigabitEthernet 1 0 1 of Device A DeviceA system view DeviceA interface gigabitethernet 1...

Страница 112: ...dary root bridge are generally put in a high bandwidth core region during network design However due to possible configuration errors or malicious attacks in the network the legal root bridge may rece...

Страница 113: ...orwarding state resulting in loops in the switched network The loop guard function can suppress the occurrence of such loops If a loop guard enabled port fails to receive BPDUs from the upstream devic...

Страница 114: ...forwarding address entry flushes that the device can perform within a specific time period after it receives the first TC BPDU stp tc protection threshold number Optional 6 by default We recommend tha...

Страница 115: ...ace list slot slot number brief Available in any view View the MST region configuration information that has taken effect display stp region configuration Available in any view View the root bridge in...

Страница 116: ...MSTI 1 MSTI 3 and MSTI 4 respectively and configure the revision level of the MST region as 0 DeviceA system view DeviceA stp region configuration DeviceA mst region region name example DeviceA mst re...

Страница 117: ...w DeviceC stp region configuration DeviceC mst region region name example DeviceC mst region instance 1 vlan 10 DeviceC mst region instance 3 vlan 30 DeviceC mst region instance 4 vlan 40 DeviceC mst...

Страница 118: ...TID Port Role STP State Protection 0 GigabitEthernet1 0 1 DESI FORWARDING NONE 0 GigabitEthernet1 0 2 DESI FORWARDING NONE 0 GigabitEthernet1 0 3 DESI FORWARDING NONE 1 GigabitEthernet1 0 2 DESI FORWA...

Страница 119: ...0 2 ALTE DISCARDING NONE 4 GigabitEthernet1 0 3 ROOT FORWARDING NONE Based on the above information you can draw the MSTI corresponding to each VLAN as shown in Figure 1 11 Figure 1 11 MSTIs correspon...

Страница 120: ...8 Enabling LLDP Polling 1 8 Configuring the TLVs to Be Advertised 1 8 Configuring the Management Address and Its Encoding Format 1 9 Setting Other LLDP Parameters 1 9 Setting an Encapsulation Format f...

Страница 121: ...in IEEE 802 1AB The protocol operates on the data link layer to exchange device information between directly connected devices With LLDP a device sends local device information including its major fun...

Страница 122: ...ng bridge is used Type The Ethernet type for the upper layer protocol It is 0x88CC for LLDP Data LLDP data unit LLDPDU FCS Frame check sequence a 32 bit CRC value used to determine the validity of the...

Страница 123: ...nformation field in octets and the value field contains the information itself LLDPDU TLVs fall into these categories basic management TLVs organizationally IEEE 802 1 and IEEE 802 3 specific TLVs and...

Страница 124: ...ently H3C devices support receiving but not sending protocol identity TLVs 3 IEEE 802 3 organizationally specific TLVs Table 1 5 IEEE 802 3 organizationally specific TLVs Type Description MAC PHY Conf...

Страница 125: ...The typical case is that the user specifies the asset ID for the endpoint to facilitate directory management and asset tracking Location Identification Allows a network device to advertise the appropr...

Страница 126: ...LLDP frames An LLDP enabled port operating in TxRx mode or Rx mode checks the TLVs carried in every LLDP frame it receives for validity violation If valid the information is saved and an aging timer...

Страница 127: ...ort group manual port group name Required Use either command Enable LLDP lldp enable Optional By default LLDP is enabled on a port Setting LLDP Operating Mode LLDP can operate in one of the following...

Страница 128: ...ce view or port group view Enter port group view port group manual port group name Required Use either command Enable LLDP polling and set the polling interval lldp check change interval interval Requ...

Страница 129: ...s tlv ip address Optional By default the management address is sent through LLDPDUs and the management address is the main IP address of the lowest ID VLAN carried on the interface If the VLAN is not...

Страница 130: ...ming LLDP frame only when it is Ethernet II encapsulated z With SNAP encapsulation configured an LLDP port sends LLDPDUs in SNAP frames and processes an incoming LLDP frame only when it is SNAP encaps...

Страница 131: ...the voice VLAN configuration TLV for the IP phones to configure the voice VLAN automatically Thus the voice traffic is confined in the configured voice VLAN to be differentiated from other types of t...

Страница 132: ...ing LLDP Trapping LLDP trapping is used to notify the network management system NMS of events such as new neighboring devices detected and link malfunctions To prevent excessive LLDP traps from being...

Страница 133: ...ailable in any view Display types of advertisable optional LLDP TLVs display lldp tlv config interface interface type interface number Available in any view LLDP Configuration Examples Basic LLDP Conf...

Страница 134: ...ernet1 0 1 lldp enable SwitchB GigabitEthernet1 0 1 lldp admin status tx SwitchB GigabitEthernet1 0 1 quit 3 Verify the configuration Display the global LLDP status and port LLDP status on Switch A Sw...

Страница 135: ...A display lldp status Global status of LLDP Enable The current number of LLDP neighbors 1 The current number of CDP neighbors 0 LLDP neighbor information last changed time 0 days 0 hours 5 minutes 20...

Страница 136: ...view SwitchA vlan 2 SwitchA vlan2 quit Set the link type of GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 to trunk and enable voice VLAN on them SwitchA interface gigabitethernet 1 0 1 SwitchA Gigab...

Страница 137: ...e neighbor information on Switch A SwitchA display lldp neighbor information CDP neighbor information of port 1 GigabitEthernet1 0 1 CDP neighbor index 1 Chassis ID SEP00141CBCDBFE Port ID Port 1 Sofr...

Страница 138: ...13 IP Subnet Based VLAN Configuration 1 15 Introduction 1 15 Configuring an IP Subnet Based VLAN 1 15 Displaying and Maintaining VLAN 1 16 VLAN Configuration Example 1 16 2 Isolate User VLAN Configur...

Страница 139: ...ii...

Страница 140: ...and excessive broadcasts cannot be avoided on an Ethernet To address the issue virtual LAN VLAN was introduced The idea is to break a LAN down into separate VLANs that is Layer 2 broadcast domains whe...

Страница 141: ...802 1Q inserts a four byte VLAN tag after the DA SA field as shown in Figure 1 3 Figure 1 3 The position and format of VLAN tag A VLAN tag comprises four fields tag protocol identifier TPID priority...

Страница 142: ...t the same time When determining to which VLAN a packet passing through the port should be assigned the device looks up the VLANs in the default order of MAC based VLANs IP based VLANs protocol based...

Страница 143: ...n create one VLAN interface You can assign the VLAN interface an IP address and specify it as the gateway of the VLAN to forward traffic destined for an IP network segment different from that of the V...

Страница 144: ...multiple VLANs to receive and send traffic for them Except traffic of the default VLAN traffic sent through a trunk port will be VLAN tagged Usually ports connecting network devices are configured as...

Страница 145: ...or a hybrid or trunk port but not for an access port Therefore after you remove the VLAN that an access port resides in with the undo vlan command the default VLAN of the port changes to VLAN 1 The re...

Страница 146: ...rame if its VLAN is not carried on the port Send the frame if its VLAN is carried on the port The frame is sent with the VLAN tag removed or intact depending on your configuration with the port hybrid...

Страница 147: ...nfigure the link type of the port or ports as access port link type access Optional The link type of a port is access by default Assign the current access port s to a VLAN port access vlan vlan id Opt...

Страница 148: ...fault VLAN by default z To change the link type of a port from trunk to hybrid or vice versa you must set the link type to access first z After you use the port link type access hybrid trunk command t...

Страница 149: ...port port hybrid pvid vlan vlan id Optional VLAN 1 is the default by default z To change the link type of a port from trunk to hybrid or vice versa you must set the link type to access first z Before...

Страница 150: ...ANs to make the forwarding decision z When receiving a tagged frame the receiving port forwards the frame if it is assigned to the corresponding VLAN or drops the frame if it is not In this case port...

Страница 151: ...oS Commands in the QoS Volume Follow these steps to configure a MAC based VLAN To do Use the command Remarks Enter system view system view Associate MAC addresses with a VLAN mac vlan mac address mac...

Страница 152: ...late the packet will be tagged with the default VLAN ID of the port The port processes a tagged packet as it processes tagged packets of a port based VLAN z If the port permits the VLAN ID of the pack...

Страница 153: ...nfiguring the user defined template for llc encapsulation Otherwise the encapsulation format of the matching packets will be the same as that of the ipx llc or ipx raw packets respectively z When you...

Страница 154: ...be a multicast network segment or a multicast address Return to system view quit Enter Ethernet interface view interface interface type interface number Enter Layer 2 aggregate interface view interfac...

Страница 155: ...ess mac address mask mac mask static vlan vlan id Available in any view Display all interfaces with MAC based VLAN enabled display mac vlan interface Available in any view Display protocol information...

Страница 156: ...ult the packets of VLAN 1 are permitted to pass through on all the ports DeviceA GigabitEthernet1 0 1 undo port trunk permit vlan 1 Configure GigabitEthernet 1 0 1 to permit packets from VLAN 2 VLAN 6...

Страница 157: ...seconds output 0 packets sec 0 bytes sec Input total 0 packets 0 bytes 0 unicasts 0 broadcasts 0 multicasts Input normal 0 packets bytes 0 unicasts 0 broadcasts 0 multicasts Input 0 input errors 0 run...

Страница 158: ...of only the isolate user VLAN but not the secondary VLANs network configuration is simplified and VLAN resources are saved z You can isolate the Layer 2 traffic of different users by assigning the por...

Страница 159: ...least one port takes the isolate user VLAN as its default VLAN Hybrid port Refer to Assigning a Hybrid Port to a VLAN Use either approach Return to system view quit Create secondary VLANs vlan vlan id...

Страница 160: ...to VLAN 3 z Configure VLAN 6 on Device C as an isolate user VLAN assign the uplink port GigabitEthernet 1 0 5 to VLAN 6 and associate VLAN 6 with secondary VLANs VLAN 3 and VLAN 4 Assign GigabitEther...

Страница 161: ...n4 port gigabitethernet 1 0 4 Associate the isolate user VLAN with the secondary VLANs DeviceC vlan4 quit DeviceC isolate user vlan 6 secondary 3 to 4 Verification Display the isolate user VLAN config...

Страница 162: ...gigabitethernet 1 0 5 VLAN ID 3 VLAN Type static Isolate user VLAN type secondary Route Interface not configured Description VLAN 0003 Name VLAN 0003 Tagged Ports none Untagged Ports gigabitethernet 1...

Страница 163: ...ice QoS parameters for the voice traffic thus improving transmission priority and ensuring voice quality Common voice devices include IP phones and integrated access devices IADs Only IP phones are us...

Страница 164: ...nfigure voice VLAN aging time on the device The system will remove a port from the voice VLAN if no packet is received from the port during the aging time Assigning removing ports to from a voice VLAN...

Страница 165: ...Automatic Access Manual No Automatic Configure the default VLAN of the port which cannot be the voice VLAN and assign the port to its default VLAN Trunk Manual Yes Make all the configurations required...

Страница 166: ...If an IP phone sends untagged voice traffic to realize the voice VLAN feature you must configure the default VLAN of the connecting port as the voice VLAN In this case 802 1X authentication function...

Страница 167: ...o pass through Configuring a Voice VLAN Configuration Prerequisites 1 Create a VLAN Before configuring a VLAN as a voice VLAN create the VLAN first 2 Configure the voice VLAN assignment mode For detai...

Страница 168: ...in automatic mode on a hybrid port can process only tagged voice traffic Therefore do not configure a VLAN as both a protocol based VLAN and a voice VLAN For more information refer to Protocol Based...

Страница 169: ...figured with only one voice VLAN and this voice VLAN must be a static VLAN that already exists on the device z Voice VLAN is mutually exclusive with Link Aggregation Control Protocol LACP on a port z...

Страница 170: ...at the same time to ensure the quality of voice packets and effective bandwidth use configure voice VLANs to work in security mode that is configure the voice VLANs to transmit only voice packets Opt...

Страница 171: ...000 Philips NEC phone 00e0 7500 0000 ffff ff00 0000 Polycom phone 00e0 bb00 0000 ffff ff00 0000 3com phone Display the current states of voice VLANs DeviceA display voice vlan state Maximum of Voice V...

Страница 172: ...1 0 1 as a hybrid port DeviceA GigabitEthernet1 0 1 port link type hybrid Configure the voice VLAN VLAN 2 as the default VLAN of GigabitEthernet 1 0 1 and configure GigabitEthernet 1 0 1 to permit the...

Страница 173: ...b00 0000 ffff ff00 0000 3com phone Display the current voice VLAN state DeviceA display voice vlan state Maximum of Voice VLANs 8 Current Voice VLANs 1 Voice VLAN security mode Security Voice VLAN agi...

Страница 174: ...rotocols and Standards 1 4 GVRP Configuration Task List 1 4 Configuring GVRP Functions 1 4 Configuring GARP Timers 1 5 Displaying and Maintaining GVRP 1 6 GVRP Configuration Examples 1 7 GVRP Configur...

Страница 175: ...t is regarded as a GARP participant GARP messages and timers 1 GARP messages A GARP application entity exchanges information with other GARP application entities by z Sending Join messages to register...

Страница 176: ...imer starts again z The settings of GARP timers apply to all GARP applications such as GVRP on a LAN z On a GARP enabled network a device may send LeaveAll messages at the interval set by its LeaveAll...

Страница 177: ...te Consists of an Attribute Length an Attribute Event and an Attribute Value Attribute Length Number of octets occupied by an attribute inclusive of the attribute length field 2 to 255 in bytes Attrib...

Страница 178: ...namically register and deregister VLANs and to propagate VLAN information except information about VLAN 1 A trunk port with forbidden registration type thus allows only VLAN 1 to pass through even tho...

Страница 179: ...remote probe VLAN to unexpected ports resulting in undesired duplicates to be received by the monitor port For more information about port mirroring refer to Port Mirroring Configuration in the Access...

Страница 180: ...r a timer you may change the value range by tuning the value of another related timer z If you want to restore the default settings of the timers restore the Hold timer first and then the Join Leave a...

Страница 181: ...nfiguration Examples GVRP Configuration Example I Network requirements Configure GVRP for dynamic VLAN information registration and update among devices adopting the normal registration mode on ports...

Страница 182: ...c Now the following dynamic VLAN exist s 2 GVRP Configuration Example II Network requirements Configure GVRP for dynamic VLAN information registration and update among devices Specify fixed GVRP regis...

Страница 183: ...a static VLAN Sysname vlan 3 3 Verify the configuration Display dynamic VLAN information on Device A DeviceA display vlan dynamic No dynamic vlans exist Display dynamic VLAN information on Device B De...

Страница 184: ...P globally DeviceB system view DeviceB gvrp Configure port GigabitEthernet 1 0 1 as a trunk port allowing all VLANs to pass through DeviceB interface gigabitethernet 1 0 1 DeviceB GigabitEthernet1 0 1...

Страница 185: ...he TPID in a VLAN Tag 1 3 Protocols and Standards 1 4 QinQ Configuration Task List 1 5 Configuring Basic QinQ 1 5 Enabling Basic QinQ 1 5 Configuring Selective QinQ 1 5 Configuring an Outer VLAN Taggi...

Страница 186: ...ivate networks so that the Ethernet frames will travel across the service provider network public network with double VLAN tags QinQ enables a service provider to use a single SVLAN to serve customers...

Страница 187: ...e SVLAN allocated by the service provider for customer network A is SVLAN 3 and that for customer network B is SVLAN 4 When a tagged Ethernet frame of customer network A enters the service provider ne...

Страница 188: ...t the port tags it with the port s default VLAN tag regardless of whether the frame is tagged or untagged If the received frame is already tagged it becomes a double tagged frame if it is untagged it...

Страница 189: ...compatibility with these systems you can modify the TPID value so that the QinQ frames when sent to the public network carry the TPID value identical to the value of a particular vendor to allow inte...

Страница 190: ...ng Basic QinQ Enabling Basic QinQ Follow these steps to enable basic QinQ To do Use the command Remarks Enter system view system view Enter Ethernet or Layer 2 aggregate interface view interface inter...

Страница 191: ...must delete the old outer VLAN tag configuration and configure a new outer VLAN tag Configuring the TPID Value in VLAN Tags You can configure the TPID value in VLAN tags in system view where the confi...

Страница 192: ...igured to allow QinQ packets to pass through 1 Configuration on Provider A z Configure GigabitEthernet 1 0 1 Configure VLAN 10 as the default VLAN of GigabitEthernet 1 0 1 ProviderA system view Provid...

Страница 193: ...ure GigabitEthernet 1 0 2 Configure GigabitEthernet 1 0 2 as a hybrid port and configure VLAN 10 as the default VLAN of the port ProviderB interface gigabitethernet 1 0 2 ProviderB GigabitEthernet1 0...

Страница 194: ...across SVLAN 2000 Figure 1 5 Network diagram for comprehensive selective QinQ configuration GE1 0 1 GE1 0 2 GE1 0 3 GE1 0 1 GE1 0 2 Customer A VLAN 10 20 Customer C VLAN 20 Provider B Provider A VLAN...

Страница 195: ...itEthernet1 0 2 quit z Configure GigabitEthernet 1 0 3 Configure GigabitEthernet 1 0 3 as a trunk port to permit frames of VLAN 1000 and VLAN 2000 to pass through ProviderA interface gigabitethernet 1...

Страница 196: ...A GigabitEthernet1 0 3 quit ProviderA qinq ethernet type 8200 3 Configuration on third party devices Configure the third party devices between Provider A and Provider B as follows configure the port c...

Страница 197: ...ling Implementation 1 2 Configuring BPDU Tunneling 1 4 Configuration Prerequisites 1 4 Enabling BPDU Tunneling 1 4 Configuring Destination Multicast MAC Address for BPDUs 1 5 BPDU Tunneling Configurat...

Страница 198: ...ich belong to VLAN 100 User A s network is divided into network 1 and network 2 which are connected by the service provider network When Layer 2 protocol packets cannot be transparently transmitted in...

Страница 199: ...Tunneling Implementation The BPDU tunneling implementations for different protocols are all similar This section describes how BPDU tunneling is implemented by taking the Spanning Tree Protocol STP a...

Страница 200: ...e edge devices PE 1 and PE 2 in the service provider network allows BPDUs of the customer network to be transparently transmitted in the service provider network thus ensuring consistent spanning tree...

Страница 201: ...on a port disable the protocol on the port first Because PVST is a special STP protocol before enabling BPDU tunneling for PVST on a port you must also disable STP and then enable BPDU tunneling for S...

Страница 202: ...steps to configure destination multicast MAC address for BPDUs To do Use the command Remarks Enter system view system view Configure the destination multicast MAC address for BPDUs bpdu tunnel tunnel...

Страница 203: ...lan2 quit PE1 interface gigabitethernet 1 0 1 PE1 GigabitEthernet1 0 1 port access vlan 2 Disable STP on GigabitEthernet 1 0 1 and then enable BPDU tunneling for STP on it PE1 GigabitEthernet1 0 1 und...

Страница 204: ...4 Network diagram for configuring BPDU tunneling for PVST Configuration procedure 1 Configuration on PE 1 Configure the destination multicast MAC address for BPDUs as 0x0100 0CCD CDD0 PE1 system view...

Страница 205: ...unk PE2 GigabitEthernet1 0 2 port trunk permit vlan all Disable STP on GigabitEthernet 1 0 2 and then enable BPDU tunneling for STP and PVST on it PE2 GigabitEthernet1 0 2 undo stp enable PE2 GigabitE...

Страница 206: ...on the Destination Device 1 6 Displaying and Maintaining Port Mirroring 1 7 Port Mirroring Configuration Examples 1 7 Local Port Mirroring Configuration Example 1 7 Remote Port Mirroring Configuration...

Страница 207: ...e mirroring port or ports and the monitor port can be located on the same device or different devices Currently remote port mirroring can be implemented only at Layer 2 As a monitor port can monitor m...

Страница 208: ...urce device is the device where the mirroring ports are located On it you must create a remote source mirroring group to hold the mirroring ports The source device copies the packets passing through t...

Страница 209: ...ing local port mirroring is to configure local mirroring groups A local mirroring group comprises one or multiple mirroring ports and one monitor port These ports must not have been assigned to any ot...

Страница 210: ...s enabled GVRP may register the remote probe VLAN to unexpected ports resulting in undesired duplicates For information on GVRP refer to GVRP Configuration in the Access Volume Configuration Prerequis...

Страница 211: ...tor egress monitor egress port id interface interface type interface number mirroring group groupid monitor egress Configure the egress port In interface view quit Required Use either approach Configu...

Страница 212: ...d remote destination Required Configure the remote probe VLAN mirroring group groupid remote probe vlan rprobe vlan id Required In system view mirroring group groupid monitor port monitor port id inte...

Страница 213: ...uration Examples Local Port Mirroring Configuration Example Network requirements The departments of a company connect to each other through Ethernet switches z Research and Development R D department...

Страница 214: ...the port mirroring groups SwitchC display mirroring group all mirroring group 1 type local status active mirroring port GigabitEthernet1 0 1 both GigabitEthernet1 0 2 both monitor port GigabitEtherne...

Страница 215: ...nation mirroring group on Switch C Configure VLAN 2 as the remote port mirroring VLAN and port GigabitEthernet 1 0 2 to which the data monitoring device is connected as the destination port Figure 1 4...

Страница 216: ...port GigabitEthernet 1 0 1 as a trunk port and configure the port to permit the packets of VLAN 2 SwitchC system view SwitchC interface GigabitEthernet 1 0 1 SwitchC GigabitEthernet1 0 1 port link typ...

Страница 217: ...ng traffic to the CPU copies the matching packets on an interface to a CPU the CPU of the device where the traffic mirroring enabled interface resides Configuring Traffic Mirroring To configure traffi...

Страница 218: ...ffic to the CPU Follow these steps to mirror traffic to the CPU To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and...

Страница 219: ...face interface type interface number Enter interface view or port group view Enter port group view port group manual port group name Use either command Settings in interface view take effect on the cu...

Страница 220: ...Mirroring To do Use the command Remarks Display traffic behavior configuration information display traffic behavior user defined behavior name Available in any view Display QoS policy configuration i...

Страница 221: ...l 2000 Sysname classifier 1 quit Create behavior 1 and configure the action of mirroring traffic to GigabitEthernet1 0 2 in the traffic behavior Sysname traffic behavior 1 Sysname behavior 1 mirror to...

Страница 222: ...on a client server model in which the client sends a configuration request and then the server returns a reply to send configuration parameters such as an IP address to the client This document descr...

Страница 223: ...sic IPv6 functions configuration z IPv6 NDP configuration z PMTU discovery configuration z IPv6 TCP properties configuration z ICMPv6 packet sending configuration z IPv6 DNS Client configuration Dual...

Страница 224: ...Addressing Overview 1 1 IP Address Classes 1 1 Special IP Addresses 1 2 Subnetting and Masking 1 2 Configuring IP Addresses 1 3 Assigning an IP Address to an Interface 1 3 IP Addressing Configuration...

Страница 225: ...xample is 01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1...

Страница 226: ...es the host with a host ID of 16 on the local network z IP address with an all zero host ID Identifies a network z IP address with an all one host ID Identifies a directed broadcast address For exampl...

Страница 227: ...IP address to the VLAN interface you may configure the VLAN interface to obtain one through BOOTP or DHCP as alternatives If you change the way an interface obtains an IP address from manual assignmen...

Страница 228: ...ts on the two network segments to communicate with the external network through the switch and the hosts on the LAN can communicate with each other do the following z Assign two IP addresses to VLAN i...

Страница 229: ...es 56 Sequence 1 ttl 255 time 25 ms Reply from 172 16 2 2 bytes 56 Sequence 2 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 3 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 4...

Страница 230: ...5 Configuring ARP Quick Notify 1 5 ARP Configuration Example 1 6 Configuring Gratuitous ARP 1 7 Introduction to Gratuitous ARP 1 7 Configuring Gratuitous ARP 1 7 Displaying and Maintaining ARP 1 7 2...

Страница 231: ...Address Resolution Protocol ARP is used to resolve an IP address into an Ethernet MAC address or physical address In a LAN when a host or other network device is to send data to another host or devic...

Страница 232: ...Target protocol address This field specifies the protocol address of the device the message is being sent to ARP Address Resolution Process Suppose that Host A and Host B are on the same subnet and Ho...

Страница 233: ...reated and maintained by ARP It can get aged be updated by a new ARP packet or be overwritten by a static ARP entry When the aging timer expires or the interface goes down the corresponding dynamic AR...

Страница 234: ...if non permanent and resolved will become unresolved Follow these steps to configure a static ARP entry To do Use the command Remarks Enter system view system view Configure a permanent static ARP en...

Страница 235: ...20 minutes by default Enabling the ARP Entry Check The ARP entry check function disables the device from learning multicast MAC addresses With the ARP entry check enabled the device cannot learn any...

Страница 236: ...abled by default You are recommended to enable ARP quick notify in WLANs only ARP Configuration Example Network requirements z Enable the ARP entry check z Set the aging time for dynamic ARP entries t...

Страница 237: ...ing a gratuitous ARP packet adds the information carried in the packet to its own dynamic ARP table if it finds no corresponding ARP entry for the ARP packet in the cache Configuring Gratuitous ARP Fo...

Страница 238: ...ARP entries from the ARP table For distributed devices reset arp all dynamic static slot slot number interface interface type interface number Available in user view Clearing ARP entries from the ARP...

Страница 239: ...ork Proxy ARP involves common proxy ARP and local proxy ARP which are described in the following sections The term proxy ARP in the following sections of this chapter refers to common proxy ARP unless...

Страница 240: ...n the two hosts Figure 2 2 Application environment of local proxy ARP VLAN 2 Vlan int2 192 168 10 100 16 Switch B GE1 0 3 GE1 0 1 GE1 0 2 Host A 192 168 10 99 16 Host B 192 168 10 200 16 VLAN 2 port i...

Страница 241: ...Proxy ARP Configuration Examples Proxy ARP Configuration Example Network requirements Host A and Host D have the same IP prefix and mask Host A belongs to VLAN 1 Host D belongs to VLAN 2 Configure pr...

Страница 242: ...d Host B Figure 2 4 Network diagram for local proxy ARP between isolated ports Switch A Switch B GE1 0 2 GE1 0 3 GE1 0 1 Host A 192 168 10 99 24 Host B 192 168 10 200 24 GE1 0 2 VLAN 2 Vlan int2 192 1...

Страница 243: ...ser vlan which includes uplink port GigabitEthernet 1 0 1 and two secondary VLANs VLAN 2 and VLAN 3 GigabitEthernet 1 0 2 belongs to VLAN 2 and GigabitEthernet 1 0 3 belongs to VLAN 3 z Configure loca...

Страница 244: ...d GigabitEthernet 1 0 1 to it SwitchA system view SwitchA vlan 5 SwitchA vlan5 port gigabitethernet 1 0 1 SwitchA vlan5 interface vlan interface 5 SwitchA Vlan interface5 ip address 192 168 10 100 255...

Страница 245: ...2 4 Configuring the DHCP Relay Agent Security Functions 2 5 Configuring the DHCP Relay Agent to Send a DHCP Release Request 2 7 Configuring the DHCP Relay Agent to Support Option 82 2 7 Displaying an...

Страница 246: ...4 7 DHCP Snooping Option 82 Support Configuration Example 4 8 5 BOOTP Client Configuration 5 1 Introduction to BOOTP Client 5 1 BOOTP Application 5 1 Obtaining an IP Address Dynamically 5 2 Protocols...

Страница 247: ...mplexity of networks result in scarce IP addresses assignable to hosts Meanwhile as many people need to take their laptops across networks the IP addresses need to be changed accordingly Therefore rel...

Страница 248: ...Dynamic IP address allocation process As shown in Figure 1 2 a DHCP client obtains an IP address from a DHCP server via four steps 1 The client broadcasts a DHCP DISCOVER message to locate a DHCP serv...

Страница 249: ...ast to extend the lease duration Upon availability of the IP address the DHCP server returns a DHCP ACK unicast confirming that the client s lease duration has been extended or a DHCP NAK unicast deny...

Страница 250: ...rmat as the Bootstrap Protocol BOOTP message for compatibility but differs from it in the option field which identifies new features for DHCP DHCP uses the option field in DHCP messages to carry contr...

Страница 251: ...guration Server ACS parameters including the ACS URL username and password z Service provider identifier acquired by the customer premises equipment CPE from the DHCP server and sent to the ACS for se...

Страница 252: ...te the DHCP client to further implement security control and accounting The Option 82 supporting server can also use such information to define individual assignment policies of IP address and other p...

Страница 253: ...interface that received the client s request Its format is shown in Figure 1 10 Figure 1 10 Sub option 1 in verbose padding format In Figure 1 10 except that the VLAN ID field has a fixed length of 2...

Страница 254: ...r not z Sub option 4 Failover route that specifies the destination IP address and the called number SIP users use such IP addresses and numbers to communicate with each other that a SIP user uses to r...

Страница 255: ...ported only on VLAN interfaces Introduction to DHCP Relay Agent Application Environment Since DHCP clients request IP addresses via broadcast messages the DHCP server and clients must be on the same s...

Страница 256: ...P address and forwards the message to the designated DHCP server in unicast mode 2 Based on the giaddr field the DHCP server returns an IP address and other configuration parameters to the relay agent...

Страница 257: ...Option 82 padded in normal format verbose Forward the message after adding the Option 82 padded in verbose format no Option 82 user defined Forward the message after adding the user defined Option 82...

Страница 258: ...an IP address via the DHCP relay agent the address pool of the subnet to which the IP address of the DHCP relay agent belongs must be configured on the DHCP server Otherwise the DHCP client cannot obt...

Страница 259: ...ance of invalid IP address configuration you can configure the DHCP relay agent to check whether a requesting client s IP and MAC addresses match a binding dynamic or static on the DHCP relay agent Wi...

Страница 260: ...y send a DHCP REQUEST message to the DHCP server z If the server returns a DHCP ACK message or does not return any message within a specified interval which means the IP address is assignable now the...

Страница 261: ...After you configure this task the DHCP relay agent actively sends a DHCP RELEASE request that contains the client s IP address to be released Upon receiving the DHCP RELEASE request the DHCP server th...

Страница 262: ...on user defined Option 82 Configure the code type for the remote ID sub option dhcp relay information remote id format type ascii hex Optional By default the code type is hex This code type configurat...

Страница 263: ...ings display dhcp relay security tracker Display information about the configuration of a specified or all DHCP server groups display dhcp relay server group group id all Display packet statistics on...

Страница 264: ...requirements z As shown in Figure 2 3 Enable Option 82 on the DHCP relay agent Switch A z Configure the handling strategy for DHCP requests containing Option 82 as replace z Configure the padding cont...

Страница 265: ...DHCP Relay Agent Configuration Symptom DHCP clients cannot obtain any configuration parameters via the DHCP relay agent Analysis Some problems may occur with the DHCP relay agent or server configurat...

Страница 266: ...recommended to enable both the DHCP client and the DHCP snooping on the same device Otherwise DHCP snooping entries may fail to be generated or the DHCP client may fail to obtain an IP address Introd...

Страница 267: ...UP again by first executing the shutdown command and then the undo shutdown command or the DHCP client is enabled on the interface by executing the undo ip address dhcp alloc and ip address dhcp allo...

Страница 268: ...3 3 SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address dhcp alloc...

Страница 269: ...e following 1 Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers 2 Recording IP to MAC mappings of DHCP clients Ensuring DHCP clients to obtain IP addresses from authorized DHCP...

Страница 270: ...ng through For details refer to IP Source Guard Configuration in the Security Volume Application Environment of Trusted Ports Configuring a trusted port connected to a DHCP server Figure 4 1 Configure...

Страница 271: ...Option 82 records the location information of the DHCP client The administrator can locate the DHCP client to further implement security control and accounting For more information refer to Relay agen...

Страница 272: ...the message after adding the Option 82 padded in normal format verbose Forward the message after adding the Option 82 padded in verbose format no Option 82 user defined Forward the message after addi...

Страница 273: ...ed Layer 2 Ethernet interface to an aggregation group z Configuring both the DHCP snooping and QinQ function on the switch is not recommended because it may result in malfunctioning of DHCP snooping C...

Страница 274: ...ooping information vlan vlan id circuit id string circuit id Optional By default the padding content depends on the padding format of Option 82 Configure user defined Option 82 Configure the padding c...

Страница 275: ...cket statistics slot slot number Available in user view DHCP Snooping Configuration Examples DHCP Snooping Configuration Example Network requirements z As shown in Figure 4 3 Switch B is connected to...

Страница 276: ...ernet 1 0 1 as trusted SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 dhcp snooping trust SwitchB GigabitEthernet1 0 1 quit Configure GigabitEthernet 1 0 2 to support Option 82 S...

Страница 277: ...Introduction to BOOTP Client This section covers these topics z BOOTP Application z Obtaining an IP Address Dynamically z Protocols and Standards BOOTP Application After you specify an interface of a...

Страница 278: ...the BOOTP client The BOOTP server then returns a BOOTP response to the BOOTP client 3 The BOOTP client obtains the IP address from the received response Protocols and Standards Some protocols and stan...

Страница 279: ...the LAN VLAN interface 1 obtains an IP address from the DHCP server by using BOOTP Figure 5 1 Network diagram for BOOTP WINS server 10 1 1 4 25 Client Switch B Client DNS server 10 1 1 2 25 DHCP serv...

Страница 280: ...onfiguring Static Domain Name Resolution 1 4 Configuring Dynamic Domain Name Resolution 1 4 Configuring the DNS Proxy 1 5 Displaying and Maintaining DNS 1 5 DNS Configuration Examples 1 5 Static Domai...

Страница 281: ...checks the local static name resolution table for an IP address If no IP address is available it contacts the DNS server for dynamic name resolution which takes more time than static name resolution T...

Страница 282: ...s valid and the DNS client gets the aging information from DNS messages DNS suffixes The DNS client normally holds a list of suffixes which can be defined by users It is used when the name to be resol...

Страница 283: ...tion on the DNS proxy instead of on each DNS client Figure 1 2 DNS proxy networking application Operation of a DNS proxy 1 A DNS client considers the DNS proxy as the DNS server and sends a DNS reques...

Страница 284: ...us one if there is any You may create up to 50 static mappings between domain names and IP addresses Configuring Dynamic Domain Name Resolution Follow these steps to configure dynamic domain name reso...

Страница 285: ...able in any view Clear the information of the dynamic domain name cache reset dns dynamic host Available in user view DNS Configuration Examples Static Domain Name Resolution Configuration Example Net...

Страница 286: ...is com The mapping between domain name Host and IP address 3 1 1 1 16 is stored in the com domain z Switch serves as a DNS client and uses the dynamic domain name resolution and the suffix to access...

Страница 287: ...uctions to create a new zone named com Figure 1 5 Create a zone Create a mapping between the host name and IP address Figure 1 6 Add a host In Figure 1 6 right click zone com and then select New Host...

Страница 288: ...st is normal and that the corresponding destination IP address is 3 1 1 1 Sysname ping host Trying DNS resolve press CTRL_C to break Trying DNS server 2 1 1 2 PING host com 3 1 1 1 56 data bytes press...

Страница 289: ...r and the host are reachable to each other and the IP addresses of the interfaces are configured as shown in Figure 1 8 1 Configure the DNS server This configuration may vary with different DNS server...

Страница 290: ...ttl 126 time 1 ms Reply from 3 1 1 1 bytes 56 Sequence 5 ttl 126 time 1 ms host com ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 1 3 ms Trouble...

Страница 291: ...Directly Connected Network 1 1 Enabling Reception of Directed Broadcasts to a Directly Connected Network 1 1 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network 1 2 Configurati...

Страница 292: ...pecific network In the destination IP address of a directed broadcast the network ID is a network ID identifies the target network and the host ID is all one If a device is allowed to forward directed...

Страница 293: ...and executed last time does not include the acl acl number the ACL configured previously will be removed Configuration Example Network requirements As shown in Figure 1 1 the host s interface and VLAN...

Страница 294: ...configured include z synwait timer When sending a SYN packet TCP starts the synwait timer If no response packet is received within the synwait timer interval the TCP connection cannot be created z fin...

Страница 295: ...o find out the best route 2 Sending ICMP timeout packets If the device received an IP packet with a timeout error it drops the packet and sends an ICMP timeout packet to the source The device will sen...

Страница 296: ...it to send ICMP error packets its performance will be reduced z As the redirection function increases the routing table size of a host the host s performance will be reduced if its routing table becom...

Страница 297: ...Display socket information display ip socket socktype sock type task id socket id slot slot number Display FIB information display fib begin include exclude regular expression acl acl number ip prefix...

Страница 298: ...ntents 1 UDP Helper Configuration 1 1 Introduction to UDP Helper 1 1 Configuring UDP Helper 1 1 Displaying and Maintaining UDP Helper 1 2 UDP Helper Configuration Examples 1 2 UDP Helper Configuration...

Страница 299: ...relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified destination server With UDP Helper enabled the device decides whether to forward a received UDP br...

Страница 300: ...ion of all UDP ports is removed if you disable UDP Helper z You can configure up to 256 UDP port numbers to enable the forwarding of packets with these UDP port numbers z You can configure up to 20 de...

Страница 301: ...0 16 is available Enable UDP Helper SwitchA system view SwitchA udp helper enable Enable the forwarding broadcast packets with the UDP destination port 55 SwitchA udp helper port 55 Specify the destin...

Страница 302: ...to RA Messages 1 12 Configuring the Maximum Number of Attempts to Send an NS Message for DAD 1 15 Configuring PMTU Discovery 1 15 Configuring a Static PMTU for a Specified IPv6 Address 1 15 Configurin...

Страница 303: ...w Internet Protocol Version 6 IPv6 also called IP next generation IPng was designed by the Internet Engineering Task Force IETF as the successor to Internet Protocol Version 4 IPv4 The significant dif...

Страница 304: ...ateful and stateless address configuration z Stateful address configuration means that a host acquires an IPv6 address and related information from a server for example a DHCP server z Stateless addre...

Страница 305: ...an be represented in a shorter format as 2001 0 130F 0 0 9C0 876A 130B z If an IPv6 address contains two or more consecutive groups of zeros they can be replaced by a double colon For example the abov...

Страница 306: ...ddresses including aggregatable global unicast address link local address and site local address z The aggregatable global unicast addresses equivalent to public IPv4 addresses are provided for networ...

Страница 307: ...0 0 1 FF is permanent and consists of 104 bits and XX XXXX is the last 24 bits of an IPv6 unicast or anycast address Interface identifier in IEEE EUI 64 format An interface identifier is used to iden...

Страница 308: ...ed to respond to an RS message Router advertisement RA message 134 With the RA message suppression disabled the router regularly sends an RA message containing information such as prefix information o...

Страница 309: ...on The DAD procedure is as follows 1 Node A sends an NS message whose source address is the unassigned address and destination address is the corresponding solicited node multicast address of the IPv6...

Страница 310: ...he source host so that the host can select a better next hop to forward packets similar to the ICMP redirection function in IPv4 The gateway sends an IPv6 ICMP redirect message when the following cond...

Страница 311: ...resses but also AAAA records IPv6 addresses The DNS server can convert domain names into IPv4 addresses or IPv6 addresses In this way the DNS server implements the functions of both IPv6 DNS and IPv4...

Страница 312: ...Pv6 site local addresses or aggregatable global unicast addresses are configured manually IPv6 link local addresses can be configured in either of the following ways z Automatic generation The device...

Страница 313: ...t adopt manual assignment and then automatic generation the automatically generated link local address will not take effect and the link local address of an interface is still the manually assigned on...

Страница 314: ...cquire the link layer address of a neighbor node through NS and NA messages and add it into the neighbor table Too large a neighbor table may reduce the forwarding performance of the device You can re...

Страница 315: ...hosts use the stateless autoconfiguration to acquire information other than IPv6 addresses Router lifetime This field is used to set the lifetime of the router that sends RA messages to serve as the d...

Страница 316: ...s is used as the prefix information Set the M flag bit to 1 ipv6 nd autoconfig managed address flag Optional By default the M flag bit is set to 0 that is hosts acquire IPv6 addresses through stateles...

Страница 317: ...uring a Static PMTU for a Specified IPv6 Address You can configure a static PMTU for a specified destination IPv6 address When a source host sends a packet through an interface it compares the interfa...

Страница 318: ...et the finwait timer tcp ipv6 timer fin timeout wait time Optional 675 seconds by default Set the synwait timer tcp ipv6 timer syn timeout wait time Optional 75 seconds by default Set the size of the...

Страница 319: ...system view system view Enable sending of multicast echo replies ipv6 icmpv6 multicast echo reply enable Not enabled by default Enabling Sending of ICMPv6 Time Exceeded Packets A device sends an ICMPv...

Страница 320: ...r for resolution The system can support at most six DNS servers You can configure a DNS suffix so that you only need to enter part of a domain name and the system can automatically add the preset suff...

Страница 321: ...ce type interface number vlan vlan id count Display the PMTU information of an IPv6 address display ipv6 pathmtu ipv6 address all dynamic static Display socket information display ipv6 socket socktype...

Страница 322: ...nterface 2 on Switch B is 3001 2 64 and a route to Host is available z IPv6 is enabled for Host to automatically get an IPv6 address through IPv6 NDP and a route to Switch B is available Figure 1 6 Ne...

Страница 323: ...7d14 1 GE1 0 2 STALE D 1238 2001 15B E0EA 3524 E791 0015 e9a6 7d14 1 GE1 0 2 STALE D 1248 The above information shows that the IPv6 aggregatable global unicast address that Host obtained is 2001 15B...

Страница 324: ...address is FE80 20F E2FF FE00 1C0 Global unicast address es 2001 1 subnet is 2001 64 Joined group address es FF02 1 FF00 0 FF02 1 FF00 1 FF02 1 FF00 1C0 FF02 2 FF02 1 MTU is 1500 bytes ND DAD is enab...

Страница 325: ...rbose Vlan interface2 current state UP Line protocol current state UP IPv6 is enabled link local address is FE80 20F E2FF FE00 1234 Global unicast address es 3001 2 subnet is 3001 64 Joined group addr...

Страница 326: ...ress SwitchB Vlan interface2 ping ipv6 c 1 3001 1 PING 3001 1 56 data bytes press CTRL_C to break Reply from 3001 1 bytes 56 Sequence 1 hop limit 64 time 2 ms 3001 1 ping statistics 1 packet s transmi...

Страница 327: ...mand in any view or the display this command in system view to verify that IPv6 is enabled z Use the display ipv6 interface command in any view to verify that the IPv6 address of the interface is corr...

Страница 328: ...i Table of Contents 1 Dual Stack Configuration 1 1 Dual Stack Overview 1 1 Configuring Dual Stack 1 1...

Страница 329: ...be selected at the transport layer while IPv6 stack is preferred at the network layer Figure 1 1 illustrates the IPv4 IPv6 dual stack in relation to the IPv4 stack Figure 1 1 IPv4 IPv6 dual stack in r...

Страница 330: ...n interface Automatically create an IPv6 link local address ipv6 address auto link local Configure an IPv6 address on the interface Configure an IPv6 link local address Manually specify an IPv6 link l...

Страница 331: ...Overview 1 1 Introduction to sFlow 1 1 Operation of sFlow 1 1 Configuring sFlow 1 2 Displaying and Maintaining sFlow 1 2 sFlow Configuration Example 1 3 Troubleshooting sFlow Configuration 1 4 The Rem...

Страница 332: ...he sFlow packets and displays the results sFlow has the following two sampling mechanisms z Packet based sampling An sFlow enabled port samples one packet out of a configurable number of packets passi...

Страница 333: ...cts the statistics of sFlow enabled ports sflow interval interval time Optional 20 seconds by default Enter Ethernet port view interface interface type interface number Enable sFlow in the inbound or...

Страница 334: ...e results Network diagram Figure 1 1 Network diagram for sFlow configuration Configuration procedure Configure an IP address for the sFlow agent Switch system view Switch sflow agent ip 3 3 3 1 Specif...

Страница 335: ...f the sFlow collector specified on the sFlow agent is different from that of the remote sFlow collector z No IP address is configured for the Layer 3 interface on the device or the IP address is confi...

Страница 336: ...gured by the administrator The proper configuration and usage of static routes can improve network performance and ensure bandwidth for important network applications This document describes z Static...

Страница 337: ...Routing Overview 1 1 Routing 1 1 Routing Table and FIB Table 1 1 Routing Protocol Overview 1 3 Static Routing and Dynamic Routing 1 3 Routing Protocols and Routing Priority 1 3 Displaying and Maintai...

Страница 338: ...ting route selection and forwarding information bases FIBs play a key role in packet forwarding Each router maintains a routing table and each entry in the table specifies which physical interface a p...

Страница 339: ...ork mask is made of a certain number of consecutive 1s It can be expressed in dotted decimal format or by the number of the 1s z Outbound interface Specifies the interface through which the IP packets...

Страница 340: ...ork topology changes it cannot adjust to network changes by itself Dynamic routing is based on dynamic routing protocols which can detect network topology changes and recalculate the routes accordingl...

Страница 341: ...range display ip routing table ip address1 mask length mask ip address2 mask length mask verbose Available in any view Display routes of a routing protocol display ip routing table protocol protocol...

Страница 342: ...for an IPv6 address range display ipv6 routing table ipv6 address1 prefix length1 ipv6 address2 prefix length2 verbose Available in any view Clear specified IPv6 routing table statistics reset ipv6 ro...

Страница 343: ...c Routing 1 2 Configuring a Static Route 1 2 Configuration Prerequisites 1 2 Configuration Procedure 1 2 Detecting Reachability of the Static Route s Nexthop 1 3 Detecting Nexthop Reachability Through...

Страница 344: ...case the network administrator has to modify the static routes manually Default Route If the destination address of a packet fails to match any entry in the routing table the packet will be discarded...

Страница 345: ...s is specified The next hop address can not be a local interface IP address otherwise the route configuration will not take effect 3 Other attributes You can configure different preferences for differ...

Страница 346: ...Through Track If you specify the nexthop but not outgoing interface when configuring a static route you can associate the static route with a track entry to check the static route validity z When the...

Страница 347: ...information display current configuration Display the brief information of the IP routing table display ip routing table Display the detailed information of the IP routing table display ip routing tab...

Страница 348: ...guration Display the IP routing table of Switch A SwitchA display ip routing table Routing Tables Public Destinations 7 Routes 7 Destination Mask Proto Pre Cost NextHop Interface 0 0 0 0 0 Static 60 0...

Страница 349: ...Reply from 1 1 2 2 bytes 32 time 1ms TTL 255 Reply from 1 1 2 2 bytes 32 time 1ms TTL 255 Reply from 1 1 2 2 bytes 32 time 1ms TTL 255 Reply from 1 1 2 2 bytes 32 time 1ms TTL 255 Ping statistics for...

Страница 350: ...Static Routing 1 1 Features of IPv6 Static Routes 1 1 Default IPv6 Route 1 1 Configuring an IPv6 Static Route 1 1 Configuration prerequisites 1 1 Configuring an IPv6 Static Route 1 2 Displaying and M...

Страница 351: ...n unavailable routes requiring the network administrator to manually configure and modify the static routes Features of IPv6 Static Routes Similar to IPv4 static routes IPv6 static routes work well in...

Страница 352: ...marks Display IPv6 static route information display ipv6 routing table protocol static inactive verbose Available in any view Remove all IPv6 static routes delete ipv6 static routes all Available in s...

Страница 353: ...C SwitchC system view SwitchC ipv6 route static 0 5 2 3 Configure the IPv6 addresses of hosts and gateways Configure the IPv6 addresses of all the hosts based upon the network diagram configure the de...

Страница 354: ...chA ping ipv6 3 1 PING 3 1 56 data bytes press CTRL_C to break Reply from 3 1 bytes 56 Sequence 1 hop limit 254 time 63 ms Reply from 3 1 bytes 56 Sequence 2 hop limit 254 time 62 ms Reply from 3 1 by...

Страница 355: ...used for multicast group management and control This document describes z Configuring Basic Functions of IGMP Snooping z Configuring IGMP Snooping Port Functions z Configuring IGMP Snooping Querier z...

Страница 356: ...f Information Transmission Techniques 1 1 Features of Multicast 1 4 Common Notations in Multicast 1 5 Advantages and Applications of Multicast 1 5 Multicast Models 1 5 Multicast Architecture 1 6 Multi...

Страница 357: ...ltipoint data transmission over a network multicast greatly saves network bandwidth and reduces network load With the multicast technology a network operator can easily provide new value added service...

Страница 358: ...over the network is proportional to the number of hosts that need the information If a large number of users need the information the information source needs to send a copy of the same information t...

Страница 359: ...ficant waste of network resources Multicast As discussed above unicast and broadcast techniques are unable to provide point to multipoint data transmissions with the minimum network consumption Multic...

Страница 360: ...f Multicast Multicast has the following features z A multicast group is a multicast receiver set identified by an IP multicast address Hosts join a multicast group to become members of the multicast g...

Страница 361: ...G represents a specific multicast group z S G Indicates a shortest path tree SPT or a multicast packet that multicast source S sends to multicast group G Here S represents a specific multicast source...

Страница 362: ...locations of the multicast sources by some other means In addition the SSM model uses a multicast address range that is different from that of the ASM SFM model and dedicated multicast forwarding path...

Страница 363: ...TTL value in the IP header 224 0 1 0 to 238 255 255 255 Globally scoped group addresses This block includes two types of designated group addresses z 232 0 0 0 8 SSM group addresses and z 233 0 0 0 8...

Страница 364: ...ticast address are as follows z 0xFF The most significant 8 bits are 11111111 indicating that this address is an IPv6 multicast address Figure 1 5 Format of the Flags field z Flags Referring to Figure...

Страница 365: ...al scope E Global scope z Group ID 112 bits IPv6 multicast group identifier that uniquely identifies an IPv6 multicast group in the scope defined by the Scope field Ethernet multicast MAC addresses Wh...

Страница 366: ...ame MAC address Therefore in Layer 2 multicast forwarding a device may receive some multicast data addressed for other IPv4 multicast groups and such redundant data needs to be filtered by the upper l...

Страница 367: ...a network Layer 3 multicast protocols Layer 3 multicast protocols include multicast group management protocols and multicast routing protocols Figure 1 8 describes where these multicast protocols are...

Страница 368: ...icast information transport Layer 2 multicast protocols Layer 2 multicast protocols include IGMP Snooping MLD Snooping and multicast VLAN IPv6 multicast VLAN Figure 1 9 shows where these protocols are...

Страница 369: ...ulticast model is more complex in the following aspects z To ensure multicast packet transmission in the network unicast routing tables or multicast routing tables for example the MBGP routing table s...

Страница 370: ...11 Enabling IGMP Snooping Querier 1 11 Configuring IGMP Queries and Responses 1 12 Configuring Source IP Address of IGMP Queries 1 13 Configuring an IGMP Snooping Policy 1 13 Configuration Prerequisi...

Страница 371: ...and multicast MAC addresses and forwards multicast data based on these mappings As shown in Figure 1 1 when IGMP Snooping is not running on the switch multicast packets are broadcast to all devices at...

Страница 372: ...e DR or IGMP querier In the figure GigabitEthernet 1 0 1 of Switch A and GigabitEthernet 1 0 1 of Switch B are router ports The switch registers all its local router ports in its router port list z Me...

Страница 373: ...age out How IGMP Snooping Works A switch running IGMP Snooping performs different actions when it receives different IGMP messages as follows The description about adding or deleting a port in this s...

Страница 374: ...tening to the reported multicast address will suppress their own reports upon receiving this report and this will prevent the switch from knowing whether the reported multicast group still has active...

Страница 375: ...st of the forwarding table entry for that multicast group when the aging timer expires Protocols and Standards IGMP Snooping is documented in z RFC 4541 Considerations for Internet Group Management Pr...

Страница 376: ...ate port view or port group view z For IGMP Snooping configurations made on a Layer 2 aggregate port do not interfere with configurations made on its member ports nor do they take part in aggregation...

Страница 377: ...e version of IGMP Snooping igmp snooping version version number Optional Version 2 by default If you switch IGMP Snooping from version 3 to version 2 the system will clear all IGMP Snooping forwarding...

Страница 378: ...ging time interval Optional 105 seconds by default Configure dynamic member port aging time host aging time interval Optional 260 seconds by default Configuring aging timers for dynamic ports in a VLA...

Страница 379: ...ber ports and static router ports never age out To remove such a port you need to use the corresponding undo command Configuring Simulated Joining Generally a host running IGMP responds to IGMP querie...

Страница 380: ...n IGMP leave message on a port the switch immediately removes that port from the outgoing port list of the forwarding table entry for the indicated group Then when receiving IGMP group specific querie...

Страница 381: ...rce address of IGMP group specific queries Enabling IGMP Snooping Querier In an IP multicast network running IGMP a multicast router or Layer 3 multicast switch is responsible for sending IGMP general...

Страница 382: ...by reports simultaneously sent by a large number of hosts when the corresponding timers expire simultaneously z For IGMP general queries you can configure the maximum response time to fill their Max...

Страница 383: ...nd cause multicast traffic forwarding failure in the end When a Layer 2 device acts as an IGMP Snooping querier to avoid the aforesaid problem you are commended to configure a non all zero IP address...

Страница 384: ...re a multicast group filter globally To do Use the command Remarks Enter system view system view Enter IGMP Snooping view igmp snooping Configure a multicast group filter group policy acl number vlan...

Страница 385: ...se either approach Enable multicast source port filtering igmp snooping source deny Required Disabled by default S5120 EI series switches when enabled to filter IPv4 multicast data based on the source...

Страница 386: ...d over the network Follow these steps to configure IGMP report suppression To do Use the command Remarks Enter system view system view Enter IGMP Snooping view igmp snooping Enable IGMP report suppres...

Страница 387: ...dition in some specific applications a multicast group newly joined on the switch needs to replace an existing multicast group automatically A typical example is channel switching namely by joining a...

Страница 388: ...icast group replacement functionality will not take effect Displaying and Maintaining IGMP Snooping To do Use the command Remarks View IGMP Snooping multicast group information display igmp snooping g...

Страница 389: ...can be forwarded through GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 of Switch A even if Host A and Host B accidentally temporarily stop receiving multicast data Network diagram Figure 1 3 Networ...

Страница 390: ...chA acl basic 2001 quit SwitchA igmp snooping SwitchA igmp snooping group policy 2001 vlan 100 SwitchA igmp snooping quit Configure GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 as simulated hosts f...

Страница 391: ...itEthernet 1 0 5 on Switch C are required to be configured as static member ports for multicast group 224 1 1 1 to enhance the reliability of multicast traffic transmission z Suppose STP runs on the n...

Страница 392: ...M DM on each interface and enable IGMP on GigabitEthernet 1 0 1 RouterA system view RouterA multicast routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 igmp enable Ro...

Страница 393: ...tEthernet 1 0 1 through GigabitEthernet 1 0 5 to this VLAN and enable IGMP Snooping in the VLAN SwitchC vlan 100 SwitchC vlan100 port gigabitethernet 1 0 1 to gigabitethernet 1 0 5 SwitchC vlan100 igm...

Страница 394: ...100 on Switch C SwitchC display igmp snooping group vlan 100 verbose Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real...

Страница 395: ...nown multicast data packets z Because a switch does not enlist a port that has heard an IGMP query with a source IP address of 0 0 0 0 default as a dynamic router port configure a non all zero IP addr...

Страница 396: ...mp snooping enable SwitchB vlan100 igmp snooping drop unknown SwitchB vlan100 quit Configurations on Switch C and Switch D are similar to the configuration on Switch B 3 Verify the configuration After...

Страница 397: ...to join specific multicast groups the hosts can still receive multicast data addressed to other multicast groups Analysis z The ACL rule is incorrectly configured z The multicast group policy is not...

Страница 398: ...Prerequisites 1 3 Configuring Sub VLAN Based Multicast VLAN 1 3 Configuring Port Based Multicast VLAN 1 4 Configuration Prerequisites 1 4 Configuring User Port Attributes 1 4 Configuring Multicast VLA...

Страница 399: ...ayer 2 device Switch A This results in not only waste of network bandwidth but also extra burden on the Layer 3 device Figure 1 1 Multicast transmission without multicast VLAN The multicast VLAN featu...

Страница 400: ...t A Host B and Host C are in three different user VLANs All the user ports ports with attached hosts on Switch A are hybrid ports On Switch A configure VLAN 10 as a multicast VLAN assign all the user...

Страница 401: ...n is given preference Configuring Sub VLAN Based Multicast VLAN Configuration Prerequisites Before configuring sub VLAN based multicast VLAN complete the following tasks z Create VLANs as required z E...

Страница 402: ...e port view are effective only for the current port configurations made in port group view are effective for all the ports in the current port group Configuration Prerequisites Before configuring port...

Страница 403: ...packets of VLAN 1 to pass For details about the port link type port hybrid pvid vlan and port hybrid vlan commands refer to VLAN Commands in the Access Volume Configuring Multicast VLAN Ports In this...

Страница 404: ...A port can belong to only one multicast VLAN Displaying and Maintaining Multicast VLAN To do Use the command Remarks Display information about a multicast VLAN display multicast vlan vlan id Availabl...

Страница 405: ...sses Configure an IP address and subnet mask for each interface as per Figure 1 4 The detailed configuration steps are omitted here 2 Configure Router A Enable IP multicast routing enable PIM DM on ea...

Страница 406: ...nfiguration Display information about the multicast VLAN SwitchA display multicast vlan Total 1 multicast vlan s Multicast vlan 10 subvlan list vlan 2 4 port list no port View the IGMP Snooping multic...

Страница 407: ...match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 1 port GE1 0 4 D MAC group s MAC group address 0100 5e01 0101 Host port s total 1 port GE1 0 4 Vlan id 10 Total 1...

Страница 408: ...port based multicast VLAN feature so that Router A just sends multicast data to Switch A through the multicast VLAN and Switch A forwards the multicast data to the receivers that belong to different...

Страница 409: ...1 0 2 to permit packets of VLAN 2 and VLAN 10 to pass and untag the packets when forwarding them SwitchA interface gigabitethernet 1 0 2 SwitchA GigabitEthernet1 0 2 port link type hybrid SwitchA Gig...

Страница 410: ...rt C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 10 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s matc...

Страница 411: ...iguration Prerequisites 1 11 Enabling MLD Snooping Querier 1 11 Configuring MLD Queries and Responses 1 12 Configuring Source IPv6 Addresses of MLD Queries 1 13 Configuring an MLD Snooping Policy 1 14...

Страница 412: ...een ports and multicast MAC addresses and forwards IPv6 multicast data based on these mappings As shown in Figure 1 1 when MLD Snooping is not running IPv6 multicast packets are broadcast to all devic...

Страница 413: ...s Router port Member port Ports involved in MLD Snooping as shown in Figure 1 2 are described as follows z Router port A router port is a port on the Ethernet switch that leads switch towards the Laye...

Страница 414: ...tialized to the dynamic router port aging time MLD general query of which the source address is not 0 0 or IPv6 PIM hello The switch removes this port from its router port list Dynamic member port agi...

Страница 415: ...d IPv6 multicast group the switch creates an entry adds the port as a dynamic member port to the outgoing port list and starts a member port aging timer for that port z If a forwarding table entry exi...

Страница 416: ...the port suppose it is a dynamic member port before its aging timer expires this means that some host attached to the port is receiving or expecting to receive IPv6 multicast data for that IPv6 multi...

Страница 417: ...up view are effective only for all the ports in the current port group For a given port a configuration made in MLD Snooping view is effective only if the same configuration is not made in Ethernet po...

Страница 418: ...MLDv1 and MLDv2 messages Follow these steps to configure the version of MLD Snooping To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the version of M...

Страница 419: ...ure aging timers for dynamic ports globally To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Configure dynamic router port aging time router aging time...

Страница 420: ...mber ports and static router ports never age out To remove such a port you need to use the corresponding undo command Configuring Simulated Joining Generally a host running MLD responds to MLD queries...

Страница 421: ...er port Configuring Fast Leave Processing The fast leave processing feature allows the switch to process MLD done messages in a fast way With the fast leave processing feature enabled when receiving a...

Страница 422: ...ng querier prepare the following data z MLD general query interval z MLD last member query interval z Maximum response time for MLD general queries z Source IPv6 address of MLD general queries and z S...

Страница 423: ...n to 0 the host sends an MLD report to the corresponding IPv6 multicast group An appropriate setting of the maximum response time for MLD queries allows hosts to respond to queries quickly and avoids...

Страница 424: ...e time for MLD general queries otherwise undesired deletion of IPv6 multicast members may occur Configuring Source IPv6 Addresses of MLD Queries This configuration allows you to change the source IPv6...

Страница 425: ...entry for this port in the MLD Snooping forwarding table otherwise the switch drops this report message Any IPv6 multicast data that fails the ACL check will not be sent to this port In this way the s...

Страница 426: ...rt filtering globally Follow these steps to configure IPv6 multicast source port filtering To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Enable IPv6...

Страница 427: ...ort suppression To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Enable MLD report suppression report aggregation Optional Enabled by default Configurin...

Страница 428: ...in some specific applications an IPv6 multicast group newly joined on the switch needs to replace an existing IPv6 multicast group automatically A typical example is channel switching namely by joinin...

Страница 429: ...ulticast group replacement Otherwise the IPv6 multicast group replacement functionality will not take effect Displaying and Maintaining MLD Snooping To do Use the command Remarks View MLD Snooping mul...

Страница 430: ...ven if Host A and Host B accidentally temporarily stop receiving IPv6 multicast data Network diagram Figure 1 3 Network diagram for IPv6 group policy simulated joining configuration Source Router A Sw...

Страница 431: ...group policy 2001 vlan 100 SwitchA mld snooping quit Configure GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 as simulated hosts for IPv6 multicast group FF1E 101 SwitchA interface gigabitethernet 1...

Страница 432: ...red to be configured as static member ports for multicast group 224 1 1 1 to enhance the reliability of multicast traffic transmission z Suppose STP runs on the network To avoid data loops the forward...

Страница 433: ...IM DM on each interface and enable MLD on GigabitEthernet 1 0 1 RouterA system view RouterA multicast ipv6 routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 mld enabl...

Страница 434: ...hernet 1 0 1 through GigabitEthernet 1 0 5 to this VLAN and enable MLD Snooping in the VLAN SwitchC vlan 100 SwitchC vlan100 port gigabitethernet 1 0 1 to gigabitethernet 1 0 5 SwitchC vlan100 mld sno...

Страница 435: ...0 on Switch C SwitchC display mld snooping group vlan 100 verbose Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real VL...

Страница 436: ...e MLD Snooping querier Network diagram Figure 1 5 Network diagram for MLD Snooping querier configuration Configuration procedure 1 Configure Switch A Enable IPv6 forwarding and enable MLD Snooping glo...

Страница 437: ...l queries 3 Received MLDv1 specific queries 0 Received MLDv1 reports 12 Received MLD dones 0 Sent MLDv1 specific queries 0 Received MLDv2 reports 0 Received MLDv2 reports with right and wrong records...

Страница 438: ...ured z The IPv6 multicast group policy is not correctly applied Solution 1 Use the display acl ipv6 command to check the configured IPv6 ACL rule Make sure that the IPv6 ACL rule conforms to the IPv6...

Страница 439: ...isites 1 3 Configuring Sub VLAN Based IPv6 Multicast VLAN 1 3 Configuring Port Based IPv6 Multicast VLAN 1 4 Configuration Prerequisites 1 4 Configuring User Port Attributes 1 4 Configuring IPv6 Multi...

Страница 440: ...to the Layer 2 device Switch A This results in not only waste of network bandwidth but also extra burden on the Layer 3 device Figure 1 1 Multicast transmission without IPv6 multicast VLAN The IPv6 mu...

Страница 441: ...in Figure 1 3 Host A Host B and Host C are in three different user VLANs All the user ports are hybrid ports On Switch A configure VLAN 10 as an IPv6 multicast VLAN assign all the user ports to this I...

Страница 442: ...cast VLAN on a device the port based IPv6 multicast VLAN configuration is given preference Configuring IPv6 Sub VLAN Based IPv6 Multicast VLAN Configuration Prerequisites Before configuring sub VLAN b...

Страница 443: ...effective only for the current port configurations made in Layer 2 aggregate port view are effective only for the current port configurations made in port group view are effective for all the ports i...

Страница 444: ...t hybrid pvid vlan and port hybrid vlan commands refer to VLAN Commands in the Access Volume Configuring IPv6 Multicast VLAN Ports In this approach you need to configure a VLAN as an IPv6 multicast VL...

Страница 445: ...elong to only one IPv6 multicast VLAN Displaying and Maintaining IPv6 Multicast VLAN To do Use the command Remarks Display information about an IPv6 multicast VLAN display multicast vlan ipv6 vlan id...

Страница 446: ...gure an IPv6 address and address prefix for each interface as per Figure 1 4 The detailed configuration steps are omitted here 2 Configure Router A Enable IPv6 multicast routing enable IPv6 PIM DM on...

Страница 447: ...display multicast vlan ipv6 Total 1 IPv6 multicast vlan s IPv6 Multicast vlan 10 subvlan list vlan 2 4 port list no port View the MLD Snooping IPv6 multicast group information on Switch A SwitchA disp...

Страница 448: ...otal 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s match to one mac group IP group address FF1E 101 FF1E 101 Host port s total 0 port MAC g...

Страница 449: ...2 GE1 0 2 GE1 0 3 GE1 0 4 Switch A MLD querier Router A GE1 0 1 1 2 64 GE1 0 2 2001 1 64 1 1 64 Receiver Host B VLAN 3 Receiver Host C VLAN 4 GE1 0 1 Configuration procedure 1 Enable IPv6 forwarding a...

Страница 450: ...witchA GigabitEthernet1 0 2 port hybrid vlan 10 untagged SwitchA GigabitEthernet1 0 2 quit The configuration for GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 is similar The detailed configuration s...

Страница 451: ...AC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s match to one mac group IP group address FF1E 101 FF1E 101 Host port s total 3 port GE1 0 2 D GE1 0 3 D GE1 0 4 D MAC...

Страница 452: ...ter and packet loss rate This document describes z QoS overview z QoS policy configuration z Priority mapping configuration z Traffic policing configuration z Traffic shaping configuration z Line rate...

Страница 453: ...ng Overview 3 1 Introduction to Priority Mapping 3 1 Priority Mapping Tables 3 1 Priority Trust Mode on a Port 3 2 Priority Mapping Procedure 3 2 Priority Mapping Configuration Tasks 3 3 Configuring P...

Страница 454: ...Traffic Filtering 6 1 Traffic Filtering Configuration Example 6 2 Traffic Filtering Configuration Example 6 2 7 Priority Marking Configuration 7 1 Priority Marking Overview 7 1 Configuring Priority M...

Страница 455: ...QoS techniques used most widely Using these techniques reasonably in the specific environments you can improve the QoS effectively Introduction to QoS Service Models This section covers three typical...

Страница 456: ...ositions of the QoS techniques in a network As shown in Figure 1 1 traffic classification traffic shaping traffic policing congestion management and congestion avoidance mainly implement the following...

Страница 457: ...estion avoidance monitors the usage status of network resources and is usually applied to the outgoing traffic of a port As congestion becomes worse it actively reduces the amount of traffic by droppi...

Страница 458: ...ring QoS policies A QoS policy defines what QoS actions to take on what class of traffic for purposes such as traffic shaping or traffic policing Before configuring a QoS policy be familiar with these...

Страница 459: ...r tcl name operator and or Required By default the relationship between match criteria is AND Configure match criteria if match match criteria Required match criteria Match criterion Table 2 1 shows t...

Страница 460: ...Specifies to match packets by DSCP precedence The dscp list argument is a list of DSCP values in the range of 0 to 63 ip precedence ip precedence list Specifies to match packets by IP precedence The i...

Страница 461: ...ria listed above ensure that the operator of the class is OR Defining a Traffic Behavior To define a traffic behavior you must first create it and then configure QoS actions such as priority marking a...

Страница 462: ...o check whether a QoS policy has been applied successfully use the display qos policy interface command z The switch may save the applications of some QoS policies that have failed to be applied due t...

Страница 463: ...n be applied To modify a QoS policy already applied in a certain direction remove the QoS policy application first Follow these steps to apply the QoS policy to online users To do Use the command Rema...

Страница 464: ...the QoS policy to a VLAN To do Use the command Remarks Enter system view system view Apply the QoS policy to VLANs qos vlan policy policy name vlan vlan id list inbound Required z QoS policies cannot...

Страница 465: ...avior user defined behavior name Available in any view Display information about a class display traffic classifier user defined classifier name Available in any view Display information about QoS pol...

Страница 466: ...ly scheduled z Drop precedence is used for making packet drop decisions Packets with the highest drop precedence are dropped preferentially When a packet enters the device from a port the device assig...

Страница 467: ...carried in packets There are three priority trust modes on H3C S5120 EI series switches z dot1p Uses the 802 1p priority carried in packets for priority mapping z dscp Uses the DSCP carried in packets...

Страница 468: ...port priority as the 802 1p priority for priority mapping Look up the dot1p dp and dot1p lp mapping tables Mark the packet with local precedence and drop precedence Port priority The priority mapping...

Страница 469: ...ing table display qos map table dot1p dp dot1p lp dscp dot1p dscp dp dscp dscp Optional Available in any view You cannot configure mapping any DSCP value to drop precedence 1 Configuring the Priority...

Страница 470: ...up name Use either command Settings in interface view take effect on the current interface settings in port group view take effect on all ports in the port group Configure the port priority qos priori...

Страница 471: ...4 z The management department connects to GigabitEthernet 1 0 3 of Device which sets the 802 1p priority of traffic from the management department to 5 Configure port priority 802 1p to local priorit...

Страница 472: ...gabitethernet 1 0 2 Device GigabitEthernet1 0 2 qos priority 4 Device GigabitEthernet1 0 2 quit Set the port priority of GigabitEthernet 1 0 3 to 5 Device interface gigabitethernet 1 0 3 Device Gigabi...

Страница 473: ...vior admin quit Device qos policy admin Device qospolicy admin classifier http behavior admin Device qospolicy admin quit Device interface gigabitethernet 1 0 3 Device GigabitEthernet1 0 3 qos apply p...

Страница 474: ...hat it is under the specifications Generally token buckets are used to evaluate traffic specifications Traffic Evaluation and Token Buckets Token bucket features A token bucket is analogous to a conta...

Страница 475: ...bucket In each evaluation packets are measured against the buckets z If the C bucket has enough tokens packets are colored green z If the C bucket does not have enough tokens but the E bucket has eno...

Страница 476: ...cket these cached packets are sent at an even rate Traffic shaping may result in an additional delay while traffic policing does not Figure 4 2 Schematic diagram for GTS Token bucket Packets dropped P...

Страница 477: ...s are available in the token bucket if tokens are inadequate packets cannot be transmitted until the required number of tokens are generated in the token bucket Thus traffic rate is restricted to the...

Страница 478: ...on GigabitEthernet 1 0 1 to limit the rate of received HTTP traffic to 512 kbps and drop the exceeding traffic Enter system view Sysname system view Configure advanced ACL 3000 to match HTTP traffic...

Страница 479: ...Required Display interface GTS configuration information display qos gts interface interface type interface number Available in any view Configuration Example Configure GTS on GigabitEthernet1 0 1 sha...

Страница 480: ...bitethernet 1 0 1 Limit the outbound line rate of GigabitEthernet 1 0 1 to 512 kbps Sysname GigabitEthernet1 0 1 qos lr outbound cir 512 Displaying and Maintaining Traffic Policing GTS and Line Rate O...

Страница 481: ...o common cases Figure 5 1 Traffic congestion causes 100M 10M 100M 10M 50M 100M 100M 100M 100M 50M 10M 10M 1 2 Congestion may bring these negative results z Increased delay and jitter during packet tra...

Страница 482: ...ing As shown in Figure 5 2 SP queuing classifies eight queues on a port into eight classes numbered 7 to 0 in descending priority order SP queuing schedules the eight queues strictly according to the...

Страница 483: ...age of SP queuing that packets in low priority queues may fail to be served for a long time Another advantage of WRR queuing is that while the queues are scheduled in turn the service time for each qu...

Страница 484: ...port currently with the precedence being 0 1 2 3 and 4 and the minimum guaranteed bandwidth being 128 kbps 128 kbps 128 kbps 64 kbps and 64 kbps respectively z The assignable bandwidth 10 Mbps 128 kb...

Страница 485: ...e settings in port group view take effect on all ports in the port group Configure SP queuing qos sp Required By default all the ports adopt the WRR queue scheduling algorithm with the weight values a...

Страница 486: ...group with their weights being 1 2 4 6 8 10 12 and 14 2 Configuration procedure Enter system view Sysname system view Configure the WRR queues on port GigabitEthernet1 0 1 Sysname interface GigabitEth...

Страница 487: ...4 6 8 10 12 and 14 respectively z Set the minimum guaranteed bandwidth of queue 0 to 128 kbps 2 Configuration procedure Enter system view Sysname system view Configure WFQ queues on GigabitEthernet 1...

Страница 488: ...ssigned to queue 0 through queue 7 being 1 2 3 4 5 9 13 and 15 Configuration Example Network requirements z Configure to adopt SP WRR queue scheduling algorithm on GigabitEthernet1 0 1 z Configure que...

Страница 489: ...figuration information display qos wrr interface interface type interface number Display SP queue configuration information display qos sp interface interface type interface number Display WFQ queue c...

Страница 490: ...fic filtering Alternatively you can implement traffic filtering on a port by directly applying an ACL on the port For the configuration procedure refer to ACL Configuration in the Security Volume Conf...

Страница 491: ...behavior do not take effect Traffic Filtering Configuration Example Traffic Filtering Configuration Example Network requirements As shown in Figure 6 1 Host is connected to GigabitEthernet 1 0 1 of D...

Страница 492: ...r_1 quit Create a policy named policy and associate class classifier_1 with behavior behavior_1 in the policy DeviceA qos policy policy DeviceA qospolicy policy classifier classifier_1 behavior behavi...

Страница 493: ...hange its transmission priority in the network To configure priority marking you can associate a class with a behavior configured with the priority marking action to set the priority fields or flag bi...

Страница 494: ...QoS policy Globally Applying the QoS policy globally Display the priority marking configuration display traffic behavior user defined behavior name Optional Available in any view Priority Marking Conf...

Страница 495: ...destination IP address 192 168 0 3 Device acl number 3002 Device acl adv 3002 rule permit ip destination 192 168 0 3 0 Device acl adv 3002 quit Create a class named classifier_dbserver and reference A...

Страница 496: ...behavior_fserver Device behavior behavior_fserver remark local precedence 2 Device behavior behavior_fserver quit Create a policy named policy_server and associate classes with behaviors in the polic...

Страница 497: ...to only Layer 2 packets and the target interface should be a Layer 2 interface Configuring Traffic Redirecting Follow these steps to configure traffic redirecting To do Use the command Remarks Enter...

Страница 498: ...z Generally the action of redirecting traffic to the CPU and the action of redirecting traffic to an interface are mutually exclusive with each other in the same traffic behavior z You can use the dis...

Страница 499: ...ps to configure class based accounting To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure the match c...

Страница 500: ...IP address 1 1 1 1 DeviceA system view DeviceA acl number 2000 DeviceA acl basic 2000 rule permit source 1 1 1 1 0 DeviceA acl basic 2000 quit Create a class named classifier_1 and reference ACL 2000...

Страница 501: ...s to verify the configuration DeviceA display qos policy interface gigabitethernet 1 0 1 Interface GigabitEthernet1 0 1 Direction Inbound Policy policy Classifier classifier_1 Operator AND Rule s If m...

Страница 502: ...lass Based Weighted Fair Queuing CE Customer Edge CIR Committed Information Rate CQ Custom Queuing DAR Deeper Application Recognition DiffServ Differentiated Service DSCP Differentiated Services Codep...

Страница 503: ...Shaping VoIP Voice over IP VPN Virtual Private Network WFQ Weighted Fair Queuing WRED Weighted Random Early Detection Appendix B Default Priority Mapping Tables Uncolored Priority Mapping Tables For...

Страница 504: ...o 39 0 4 40 to 47 0 5 48 to 55 0 6 56 to 63 0 7 Appendix C Introduction to Packet Precedences IP Precedence and DSCP Values Figure 10 1 ToS and DS fields As shown in Figure 10 1 the ToS field of the I...

Страница 505: ...111 network Table 10 5 Description on DSCP values DSCP value decimal DSCP value binary Description 46 101110 ef 10 001010 af11 12 001100 af12 14 001110 af13 18 010010 af21 20 010100 af22 22 010110 af...

Страница 506: ...the 802 1Q tag header The Priority field in the 802 1Q tag header is called the 802 1p priority because its use is defined in IEEE 802 1p Table 10 6 presents the values for 802 1p priority Figure 10...

Страница 507: ...on 1 1 User Profile Overview 1 1 User Profile Configuration 1 1 User Profile Configuration Task List 1 1 Creating a User Profile 1 2 Applying a QoS Policy to User Profile 1 2 Enabling a User Profile 1...

Страница 508: ...access no users pass the authentication or users have logged out user profile does not take effect as it is a predefined configuration With user profile you can z Make use of system resources more gra...

Страница 509: ...e corresponding user profile view The configuration made in user profile view takes effect when the user profile is enabled and the corresponding users are online Refer to 802 1x Configuration in the...

Страница 510: ...being enabled Follow these steps to enable a user profile To do Use the command Remarks Enter system view system view Enable a user profile user profile profile name enable Required A user profile is...

Страница 511: ...simplified as 802 1X is a port based network access control protocol that is used as the standard for LAN user access authentication This document describes z 802 1X overview z 802 1X configuration z...

Страница 512: ...nt z Configuring an SFTP Server z Configuring an SFTP Client PKI The Public Key Infrastructure PKI is a hierarchical framework designed for providing information security through public key technologi...

Страница 513: ...omain 1 15 Configuring AAA Accounting Methods for an ISP Domain 1 17 Configuring Local User Attributes 1 18 Configuring User Group Attributes 1 21 Tearing down User Connections Forcibly 1 21 Displayin...

Страница 514: ...d to the Data Sent to HWTACACS Server 1 33 Setting Timers Regarding HWTACACS Servers 1 34 Displaying and Maintaining HWTACACS 1 35 AAA Configuration Examples 1 35 AAA for Telnet Users by a HWTACACS Se...

Страница 515: ...e network access server NAS and the server maintains user information centrally In an AAA network a NAS is a server for users but a client for the AAA servers as shown in Figure 1 1 Figure 1 1 AAA net...

Страница 516: ...s Currently the device supports using RADIUS HWTACACS for AAA and RADIUS is often used in practice Introduction to RADIUS Remote Authentication Dial In User Service RADIUS is a distributed information...

Страница 517: ...secure networks RADIUS encrypts passwords before transmitting them A RADIUS server supports multiple user authentication methods for example the Password Authentication Protocol PAP and Challenge Hand...

Страница 518: ...ADIUS client to tear down the connection and the RADIUS client sends a stop accounting request Accounting Request to the RADIUS server 8 The RADIUS server returns a stop accounting response Accounting...

Страница 519: ...the Code Identifier Length Authenticator and Attribute fields The value of the field is in the range 20 to 4096 Bytes beyond the length are considered the padding and are neglected upon reception If t...

Страница 520: ...unnel Password 23 Framed IPX Network 70 ARAP Password 24 State 71 ARAP Features 25 Class 72 ARAP Zone Access 26 Vendor Specific 73 ARAP Security 27 Session Timeout 74 ARAP Security Data 28 Idle Timeou...

Страница 521: ...g with RFC 1700 The vendor ID of H3C is 2011 z Vendor Type Indicates the type of the sub attribute z Vendor Length Indicates the length of the sub attribute z Vendor Data Indicates the contents of the...

Страница 522: ...s only the user password field in an authentication packet Protocol packets are complicated and authorization is independent of authentication Authentication and authorization can be deployed on diffe...

Страница 523: ...g request 19 Stop accounting response 10 Authentication continuance packet with the login password 1 A Telnet user sends an access request to the NAS 2 Upon receiving the request the HWTACACS client s...

Страница 524: ...o AAA RADIUS HWTACACS include z RFC 2865 Remote Authentication Dial In User Service RADIUS z RFC 2866 RADIUS Accounting z RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support z RFC 286...

Страница 525: ...figuring Local User Attributes Optional Configuring User Group Attributes Optional Tearing down User Connections Forcibly Optional Displaying and Maintaining AAA Optional RADIUS Configuration Task Lis...

Страница 526: ...ommand authorization service to enhance device security Allows the authorization server to check each command executed by the login user and only authorized commands can be successfully executed Confi...

Страница 527: ...enticate the user Configuring ISP Domain Attributes Follow these steps to configure ISP domain attributes To do Use the command Remarks Enter system view system view Create an ISP domain and enter ISP...

Страница 528: ...r extended RADIUS protocol in collaboration with systems like iMC to implement user authentication Remote authentication features centralized information management high capacity high reliability and...

Страница 529: ...P Domain In AAA authorization is a separate process at the same level as authentication and accounting Its responsibility is to send authorization requests to the specified authorization server and to...

Страница 530: ...AA authorization methods for an ISP domain To do Use the command Remarks Enter system view system view Create an ISP domain and enter ISP domain view domain isp name Required Specify the default autho...

Страница 531: ...guring AAA Accounting Methods for an ISP Domain In AAA accounting is a separate process at the same level as authentication and authorization Its responsibility is to send accounting start update end...

Страница 532: ...command configured a user to be disconnected can still use the network resources even when there is no available accounting server or communication with the current accounting server fails z The loca...

Страница 533: ...ll attributes of the group such as authorization attributes For details about local user group refer to Configuring User Group Attributes z Binding attributes Binding attributes including the ISDN cal...

Страница 534: ...d for a local user Set the expiration time of the user expiration date time Optional Not set by default Specify the user group for the local user group group name Optional By default a local user belo...

Страница 535: ...rol attributes and authorization attributes for a user group By default every newly added local user belongs to the user group of system and bears all attributes of the group User group system is auto...

Страница 536: ...onfiguring RADIUS The RADIUS protocol is configured on a per scheme basis After creating a RADIUS scheme you need to configure the IP addresses and UDP ports of the RADIUS servers for the scheme The s...

Страница 537: ...server by default z It is recommended to specify only the primary RADIUS authentication authorization server if backup is not required z If both the primary and secondary authentication authorization...

Страница 538: ...heme Besides because RADIUS uses different UDP ports to receive authentication authorization and accounting packets the port for authentication authorization must be different from that for accounting...

Страница 539: ...eives no response it considers that the authentication has failed Follow these steps to set the upper limit of RADIUS request retransmission attempts To do Use the command Remarks Enter system view sy...

Страница 540: ...he status of the primary server to active while keeping the status of the secondary server unchanged In the case of authentication authorization the device resumes the communication with the primary s...

Страница 541: ...the RADIUS server To do Use the command Remarks Enter system view system view Enable the RADIUS trap function radius trap accounting server down authentication server down Optional Disabled by defaul...

Страница 542: ...ing request it has to resend the request so that the user has more opportunity to obtain the RADIUS service The NAS uses the RADIUS server response timeout timer to control the transmission interval z...

Страница 543: ...smission attempts of RADIUS packets refer to the command retry in the command manual Specifying a Security Policy Server The core of the EAD solution is integration and cooperation and the security po...

Страница 544: ...cs slot slot number Available in any view Display information about buffered stop accounting requests that get no responses display stop accounting buffer radius scheme radius server name session id s...

Страница 545: ...WTACACS scheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default Specify the primary HWTACACS authentication server primary authentication ip address...

Страница 546: ...secondary authorization servers cannot be the same Otherwise the configuration fails z You can remove an authorization server only when no active TCP connection for sending authorization packets is us...

Страница 547: ...ackets Only when the same key is used can they properly receive the packets and make responses Follow these steps to set the shared key for HWTACACS packets To do Use the command Remarks Enter system...

Страница 548: ...e sending the username to the server z The nas ip command in HWTACACS scheme view is only for the current HWTACACS scheme while the hwtacacs nas ip command in system view is for all HWTACACS schemes H...

Страница 549: ...uffer hwtacacs scheme hwtacacs scheme name slot slot number Available in any view Clear HWTACACS statistics reset hwtacacs statistics accounting all authentication authorization slot slot number Avail...

Страница 550: ...10 1 1 1 49 Switch hwtacacs hwtac key authentication expert Switch hwtacacs hwtac key authorization expert Switch hwtacacs hwtac key accounting expert Switch hwtacacs hwtac user name format without d...

Страница 551: ...or packets exchanged with the RADIUS server to expert Configuration of separate AAA for other types of users is similar to that given in this example The only difference lies in the access type Figure...

Страница 552: ...ccounting default radius scheme imc When telneting into the switch a user enters username telnet bbb for authentication using domain bbb AAA for SSH Users by a RADIUS Server Network requirements As sh...

Страница 553: ...ervice as the service type z Select H3C as the access device type z Select the access device from the device list or manually add the device with the IP address of 10 1 1 2 z Click OK to finish the op...

Страница 554: ...1 1 2 255 255 255 0 Switch Vlan interface3 quit Generate RSA and DSA key pairs and enable the SSH server Switch public key local create rsa Switch public key local create dsa Switch ssh server enable...

Страница 555: ...username is not in the format of userid isp name or no default ISP domain is specified for the NAS 3 The user is not configured on the RADIUS server 4 The password of the user is incorrect 5 The RADI...

Страница 556: ...thorized but accounting for the user is not normal Analysis 1 The accounting port number is not correct 2 Configuration of the authentication authorization server and the accounting server are not cor...

Страница 557: ...uring 802 1X for a Port 1 12 Configuring an 802 1X Guest VLAN 1 14 Displaying and Maintaining 802 1X 1 14 802 1X Configuration Example 1 15 Guest VLAN and VLAN Assignment Configuration Example 1 17 AC...

Страница 558: ...l mechanism As a port based access control protocol 802 1X authenticates devices connected to the 802 1X enabled LAN ports to control their access to the LAN The port security feature provides rich se...

Страница 559: ...n server z Between the client and the device EAP protocol packets are encapsulated using EAPOL to be transferred on the LAN z Between the device and the RADIUS server EAP protocol packets can be handl...

Страница 560: ...laces the port in the authorized state allowing users of the ports to access the network without authentication z unauthorized force Places the port in the unauthorized state denying any access reques...

Страница 561: ...alue of 0x02 Frame for logoff request present between a client and a device z Length Length of the data that is length of the Packet body field in bytes If the value of this field is 0 no subsequent d...

Страница 562: ...ed Figure 1 6 Encapsulation format of the Message Authenticator attribute 802 1X Authentication Triggering 802 1X authentication can be initiated by either a client or the device Unsolicited triggerin...

Страница 563: ...EAP relay mode EAPOL EAPOR EAPOL Start EAP Request Identity EAP Response Identity EAP Request MD5 challenge EAP Success EAP Response MD5 challenge RADIUS Access Request EAP Response Identity RADIUS Ac...

Страница 564: ...rated by itself If the two are identical the authentication server considers the user valid and sends to the device a RADIUS Access Accept packet 10 Upon receiving the RADIUS Access Accept packet the...

Страница 565: ...s section describes the timers used on an 802 1X device to guarantee that the client the device and the RADIUS server can interact with each other in a reasonable manner z Username request timeout tim...

Страница 566: ...entication server sends authorization information to the device If the authorization information contains VLAN authorization information the device adds the port connecting the client to the assigned...

Страница 567: ...device adds a PGV configured port into the guest VLAN according to the port s link type in the similar way as described in VLAN assignment If a user of a port in the guest VLAN initiates authenticatio...

Страница 568: ...rtificate authority that is the user domain names are the same This allows you to deploy 802 1X access policies flexibly Configuring 802 1X Configuration Prerequisites 802 1X provides a user identity...

Страница 569: ...ccess control mode port access method and the maximum number of users for a port in Ethernet interface view For detailed configuration refer to Configuring 802 1X for a Port The only difference betwee...

Страница 570: ...hentication dot1x re authenticate Required Disabled by default Specify the mandatory authentication domain for the port dot1x mandatory domain domain name Optional No mandatory authentication domain i...

Страница 571: ...e functions Configuration prerequisites z Create the VLAN to be specified as the guest VLAN z To configure a port based guest VLAN make sure that the port access control method is portbased and the 80...

Страница 572: ...uthentication accounting server and the latter as the secondary authentication accounting server z Set the shared key for the device to exchange packets with the authentication server as name and that...

Страница 573: ...ange packets with the authentication server Device radius radius1 key authentication name Specify the shared key for the device to exchange packets with the accounting server Device radius radius1 key...

Страница 574: ...rver which is in VLAN 10 is for client software download and upgrade z Port GigabitEthernet 1 0 3 of the device which is in VLAN 5 is for accessing the Internet As shown in Figure 1 11 z On port Gigab...

Страница 575: ...rocedure uses many AAA RADIUS commands For detailed configuration of these commands refer to AAA Configuration in the Security Volume z Configurations on the 802 1X client and RADIUS server are omitte...

Страница 576: ...use VLAN 10 as its guest VLAN Device dot1x guest vlan 10 interface GigabitEthernet 1 0 2 You can use the display current configuration or display interface GigabitEthernet 1 0 2 command to view your...

Страница 577: ...adius scheme 2000 Device isp 2000 authorization default radius scheme 2000 Device isp 2000 accounting default radius scheme 2000 Device isp 2000 quit Configure ACL 3000 to deny packets destined for 10...

Страница 578: ...1 21 C...

Страница 579: ...evice which tends to be time consuming and inefficient To address the issue quick EAD deployment was developed In conjunction with 802 1X it can have an access switch to force all attached devices to...

Страница 580: ...before passing 802 1X authentication Once a free IP is configured the fast deployment of EAD is enabled Follow these steps to configure a freely accessible network segment To do Use the command Remar...

Страница 581: ...tarted If the user neither downloads client software nor performs authentication before the timer expires the occupied ACL will be released so that other users can use it When there are a large number...

Страница 582: ...3 Enable 802 1X globally Device dot1x Enable 802 1X on the port Device interface GigabitEthernet 1 0 1 Device GigabitEthernet1 0 1 dot1x 3 Verify your configuration Use the ping command to ping an IP...

Страница 583: ...X The redirection function does redirect this kind of ARP request z The address is within the freely accessible network segment In this case the device regards that the user is trying to access a host...

Страница 584: ...Contents 1 HABP Configuration 1 1 Introduction to HABP 1 1 Configuring HABP 1 2 Configuring the HABP Server 1 2 Configuring an HABP Client 1 2 Displaying and Maintaining HABP 1 3 HABP Configuration E...

Страница 585: ...t supported which is typical of network devices the communication between them will fail because they cannot pass 802 1X authentication and their packets will be blocked on Switch A To allow the two s...

Страница 586: ...Client Configuring the HABP Server HABP server is usually configured on the authentication device enabled with 802 1X authentication or MAC address authentication The HABP server sends HABP requests t...

Страница 587: ...habp Available in any view Display HABP MAC address table entries display habp table Available in any view Display HABP packet statistics display habp traffic Available in any view HABP Configuration...

Страница 588: ...ent Configuration in the System Volume SwitchA habp server vlan 1 Set the interval to send HABP request packets to 50 seconds SwitchA habp timer 50 2 Configure Switch B and Switch C Configure Switch B...

Страница 589: ...Authentication 1 2 ACL Assigning 1 3 Configuring MAC Authentication 1 3 Configuration Prerequisites 1 3 Configuration Procedure 1 3 Configuring a Guest VLAN 1 4 Configuration Prerequisites 1 4 Configu...

Страница 590: ...and password z Fixed username where all users use the same preconfigured username and password for authentication regardless of the MAC addresses RADIUS Based MAC Authentication In RADIUS based MAC au...

Страница 591: ...n MAC address that has passed another type of authentication the quiet function does not take effect VLAN Assigning For separation of users from restricted network resources users and restricted resou...

Страница 592: ...ensure that z The type of username and password must be consistent with that used for MAC authentication z All the letters in the MAC address to be used as the username and password must be in lower c...

Страница 593: ...kes effect only after you enable MAC authentication globally z Enabling MAC authentication on a port is mutually exclusive with adding the port to an aggregation group z For details about the default...

Страница 594: ...in EAD fast deployment on a port For the free IP configuration refer to 802 1X Configuration in the Security Volume Displaying and Maintaining MAC Authentication To do Use the command Remarks Display...

Страница 595: ...entication timers Device mac authentication timer offline detect 180 Device mac authentication timer quiet 180 Specify the MAC authentication username format as MAC address that is using the MAC addre...

Страница 596: ...Configuration procedure It is required that the RADIUS server and the device are reachable to each other and the username and password are configured on the server 1 Configure MAC authentication on t...

Страница 597: ...er number is 1024 per slot Current user number amounts to 1 Current domain is 2000 Silent Mac User info MAC Addr From Port Port Index GigabitEthernet1 0 1 is link up MAC address authentication is enab...

Страница 598: ...abc Sysname radius 2000 key accounting abc Sysname radius 2000 user name format without domain Sysname radius 2000 quit Create an ISP domain and specify the AAA schemes Sysname domain 2000 Sysname isp...

Страница 599: ...thernet1 0 1 mac authentication After completing the above configurations you can use the ping command to verify whether the ACL 3000 assigned by the RADIUS server functions C ping 10 0 0 1 Pinging 10...

Страница 600: ...figuring Port Security Features 1 8 Configuring NTK 1 8 Configuring Intrusion Protection 1 9 Configuring Trapping 1 9 Configuring Secure MAC Addresses 1 10 Configuration Prerequisites 1 10 Configurati...

Страница 601: ...hose source MAC addresses cannot be learned by the device in a security mode are considered illegal the events that users do not pass 802 1X authentication or MAC authentication are considered illegal...

Страница 602: ...ecurity mode searches the MAC address table for the source MAC address If a match is found the port forwards the packet If no match is found the port learns the MAC address or performs authentication...

Страница 603: ...d A secure MAC addresses never ages out by default When the number of secure MAC addresses reaches the upper limit the port turns to secure mode In addition you can configure MAC addresses manually by...

Страница 604: ...port in this mode supports multiple 802 1X and MAC authentication users 3 macAddressElseUserLoginSecure This mode is the combination of the macAddressWithRadius and userLoginSecure modes with MAC auth...

Страница 605: ...that a user is in after failing authentication For a security mode that supports MAC authentication you can configure a MAC based guest VLAN MAC authentication MGV For details about MAC authenticatio...

Страница 606: ...For detailed MAC based authentication configuration refer to MAC Authentication Configuration in the Security Volume Setting the Maximum Number of Secure MAC Addresses With port security enabled more...

Страница 607: ...ort security mode of a port when any user is present on the port z Before configuring the port to operate in autoLearn mode set the maximum number of secure MAC addresses allowed on a port Configuring...

Страница 608: ...estination MAC addresses in outbound frames to allow frames to be forwarded to only devices passing authentication The NTK feature supports three modes z ntkonly Forwards only frames destined for auth...

Страница 609: ...disabled Return to system view quit Set the silence timeout during which a port remains disabled port security timer disableport time value Optional 20 seconds by default On a port operating in eithe...

Страница 610: ...view In system view port security mac address security mac address interface interface type interface number vlan vlan id interface interface type interface number Configure a secure MAC address In i...

Страница 611: ...rface type interface number vlan vlan id count Available in any view Port Security Configuration Examples Configuring the autoLearn Mode Network requirements Restrict port GigabitEthernet 1 0 1 of the...

Страница 612: ...n protection trap is enabled and the intrusion protection action is to disable the port DisablePortTemporarily for 30 seconds You can also use the above command repeatedly to track the number of MAC a...

Страница 613: ...h port GigabitEthernet 1 0 1 The switch authenticates the client by the RADIUS server If the authentication succeeds the client is authorized to access the Internet z RADIUS server 192 168 1 2 functio...

Страница 614: ...2 168 1 2 Switch radius radsun key authentication name Switch radius radsun key accounting money Switch radius radsun timer response timeout 5 Switch radius radsun retry 5 Switch radius radsun timer r...

Страница 615: ...erver Encryption Key name Acct Server Encryption Key money Interval for timeout second 5 Retransmission times for timeout 5 Interval for realtime accounting minute 15 Retransmission times of realtime...

Страница 616: ...timeout 30m The maximum 802 1X user resource number is 1024 per slot Total current used 802 1X resource number is 1 GigabitEthernet1 0 1 is link up 802 1X protocol is enabled Handshake is enabled The...

Страница 617: ...on the host and RADIUS servers are omitted 1 Configure the RADIUS protocol The required RADIUS authentication accounting configurations are the same as those in Configuring the userLoginWithOUI Mode 2...

Страница 618: ...me aaa Fixed password 123456 Offline detect period is 300s Quiet period is 60s Server response timeout value is 100s The max allowed user number is 1024 per slot Current user number amounts to 3 Curre...

Страница 619: ...POL LogOff Packets 2 EAP Response Identity Packets 80 EAP Response Challenge Packets 6 Error Packets 0 1 Authenticated user MAC address 0002 0000 0011 Controlled User s amount to 1 In addition as NTK...

Страница 620: ...ort security mac address security 1 1 2 vlan 1 Cannot Change Port Security Mode When a User Is Online Symptom Port security mode cannot be changed when an 802 1X authenticated or MAC authenticated use...

Страница 621: ...ing Dynamic Binding Function 1 2 Displaying and Maintaining IP Source Guard 1 3 IP Source Guard Configuration Examples 1 3 Static Binding Entry Configuration Example 1 3 Dynamic Binding Function Confi...

Страница 622: ...n a port it is effective only on the port IP source guard filters packets based on the following types of binding entries z IP port binding entry z MAC port binding entry z IP MAC port binding entry z...

Страница 623: ...After the dynamic binding function is enabled on a port IP source guard will obtain binding entries through cooperation with DHCP protocols z Cooperating with DHCP snooping IP source guard will automa...

Страница 624: ...ion Examples Static Binding Entry Configuration Example Network requirements As shown in Figure 1 1 Host A and Host B are connected to ports GigabitEthernet 1 0 2 and GigabitEthernet 1 0 1 of Switch B...

Страница 625: ...168 0 1 mac address 0001 0203 0406 SwitchB GigabitEthernet1 0 2 quit Configure port GigabitEthernet 1 0 1 of Switch B to allow only IP packets with the source MAC address of 00 01 02 03 04 07 and the...

Страница 626: ...r as a trusted port SwitchA interface gigabitethernet 1 0 2 SwitchA GigabitEthernet1 0 2 dhcp snooping trust SwitchA GigabitEthernet1 0 2 quit 2 Verify the configuration Display dynamic binding functi...

Страница 627: ...gured with dynamic binding function Troubleshooting IP Source Guard Failed to Configure Static Binding Entries and Dynamic Binding Function Symptom Configuring static binding entries and dynamic bindi...

Страница 628: ...and Maintaining SSH 1 11 SSH Server Configuration Examples 1 11 When Switch Acts as Server for Password Authentication 1 11 When Switch Acts as Server for Publickey Authentication 1 13 SSH Client Conf...

Страница 629: ...remote device acting as the SSH server Currently when acting as an SSH server the device supports two SSH versions SSH2 0 and SSH1 When acting as an SSH client the device supports SSH2 0 only Operati...

Страница 630: ...n fails 5 If the negotiation is successful the server and the client proceed with key and algorithm negotiation otherwise the server breaks the TCP connection All the packets involved in the above ste...

Страница 631: ...server sends a message to the client to inform the success or failure of the authentication Currently the device supports two publickey algorithms for digital signature RSA and DSA The following gives...

Страница 632: ...commands by saving the text as a configuration file uploading the configuration file to the server through SFTP and then using the configuration file to restart the server Configuring the Device as a...

Страница 633: ...length of the key modulus be at least 768 bits on the SSH server side z The public key local create dsa command generates only the host key pair SSH1 does not support the DSA algorithm z The length of...

Страница 634: ...o login you must configure the client s DSA or RSA host public key on the server and configure the client to use the corresponding private key To configure the public key of an SSH client you can z Co...

Страница 635: ...c key peer keyname import sshkey filename Required For information about client side public key configuration and the relevant commands refer to Public Key Configuration in the Security Volume Configu...

Страница 636: ...ssh user command z The configured authentication method takes effect only for users logging in after the configuration For users using publickey authentication z You must configure on the device the...

Страница 637: ...guration Task List Complete the following tasks to configure an SSH client Task Remarks Specifying a Source IP address Interface for the SSH client Optional Configuring Whether First time Authenticati...

Страница 638: ...For successful authentication of an SSH client not supporting first time authentication the server host public key must be configured on the client and the public key name must be specified Follow th...

Страница 639: ...le in any view Display the mappings between SSH servers and their host public keys saved on an SSH client display ssh server info Available in any view Display information about a specified or all SSH...

Страница 640: ...y0 4 protocol inbound ssh Switch ui vty0 4 quit Create local user client001 and set the user command privilege level to 3 Switch local user client001 Switch luser client001 password simple aabbcc Swit...

Страница 641: ...Authentication Network requirements z As shown in Figure 1 3 a local SSH connection is established between the host the SSH client and the switch the SSH server for secure data exchange z Publickey a...

Страница 642: ...and click Generate Figure 1 4 Generate a key pair on the client 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 1 5 O...

Страница 643: ...file name as key pub to save the public key Figure 1 6 Generate a key pair on the client 3 Likewise to save the private key click Save private key A warning window pops up to prompt you whether to sav...

Страница 644: ...tch ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH Switch ui vty0 4 protocol inbound ssh Set the user command privilege level to 3 Switch ui vty0 4 user privilege level...

Страница 645: ...SSH client configuration interface 1 Select Connection SSH Auth from the navigation tree The following window appears Click Browse to bring up the file selection window navigate to the private key fi...

Страница 646: ...cation Network requirements z As shown in Figure 1 10 Switch A the SSH client needs to log into Switch B the SSH server through the SSH protocol z The username of the SSH client is client001 and the p...

Страница 647: ...erver Configure an IP address for VLAN interface 1 SwitchA system view SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 10 165 87 137 255 255 255 0 SwitchA Vlan interface1 quit Sw...

Страница 648: ...A pkey key code D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F71 01F7C62621216D5A572C379A32AC290 SwitchA pkey key code E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E 8716261214A5A3B493E866991113B2...

Страница 649: ...tchB ssh server enable Configure an IP address for VLAN interface 1 which the SSH client will use as the destination for SSH connection SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip ad...

Страница 650: ...87 136 Press CTRL K to abort Connected to 10 165 87 136 The Server is not authenticated Continue Y N y Do you want to save the server public key Y N n Later you will find that you have logged into Swi...

Страница 651: ...TP client enabling a user to login from the device to a remote device for secure file transfer Configuring an SFTP Server Configuration Prerequisites z You have configured the SSH server For the detai...

Страница 652: ...r the SFTP Client You can configure a client to use only a specified source IP address or interface to access the SFTP server thus enhancing the service manageability Follow these steps to specify a s...

Страница 653: ...files under a specified directory or the directory information z Changing the name of a specified directory on the server z Creating or deleting a directory Follow these steps to work with the SFTP d...

Страница 654: ...le Optional dir a l remote path Display the files under a specified directory ls a l remote path Optional The dir command functions as the ls command delete remote file 1 10 Delete a file from the SFT...

Страница 655: ...n Figure 2 1 an SSH connection is established between Switch A and Switch B Switch A an SFTP client logs in to Switch B for file management and file transfer An SSH user uses publickey authentication...

Страница 656: ...y For user client001 set the service type as SFTP authentication type as publickey public key as Switch001 and working folder as flash SwitchB ssh user client001 service type sftp authentication type...

Страница 657: ...lly renamed sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey drwxrwxrwx 1 noo...

Страница 658: ...nfigure an IP address for VLAN interface 1 which the client will use as the destination for SSH connection Switch interface vlan interface 1 Switch Vlan interface1 ip address 192 168 1 45 255 255 255...

Страница 659: ...supports only password authentication Establish a connection with the remote SFTP server Run the psftp exe to launch the client interface as shown in Figure 2 3 and enter the following command open 19...

Страница 660: ...e 1 7 Retrieving a Certificate Manually 1 8 Configuring PKI Certificate Verification 1 9 Destroying a Local RSA Key Pair 1 10 Deleting a Certificate 1 11 Configuring an Access Control Policy 1 11 Disp...

Страница 661: ...eir owners helping distribute public keys in large networks securely With digital certificates the PKI system provides network communication and e commerce with security services such as user authenti...

Страница 662: ...certification practice statement CPS A CA policy can be acquired through out of band means such as phone disk and e mail As different CAs may use different methods to check the binding of a public key...

Страница 663: ...ions S MIME which is based on PKI and allows for transfer of encrypted mails with signature Web security For Web security two peers can establish a Secure Sockets Layer SSL connection first for transp...

Страница 664: ...tity a standard 2 character code For example CN represents China and US represents the United States of America z Fully qualified domain name FQDN of the entity a unique identifier of an entity on the...

Страница 665: ...by default z Currently up to two entities can be created on a device z The Windows 2000 CA server has some restrictions on the data length of a certificate request If the entity DN in a certificate r...

Страница 666: ...I domain the entity will reject the root certificate Follow these steps to configure a PKI domain To do Use the command Remarks Enter system view system view Create a PKI domain and enter its view pki...

Страница 667: ...re an entity to submit a certificate request in auto mode To do Use the command Remarks Enter system view system view Enter PKI domain view pki domain domain name Set the certificate request mode to a...

Страница 668: ...omain has already a local certificate you cannot request another certificate for it This is to avoid inconsistency between the certificate and the registration information resulting from configuration...

Страница 669: ...the certificate so that the certificate is valid Configuring PKI Certificate Verification A certificate needs to be verified before being used Verifying a certificate is to check that the certificate...

Страница 670: ...main name Required z The CRL update period refers to the interval at which the entity downloads CRLs from the CRL server The CRL update period configured manually is prior to that specified in the CRL...

Страница 671: ...exists by default Configure an attribute rule for the certificate issuer name certificate subject name or alternative subject name attribute id alt subject name fqdn ip issuer name subject name dn fqd...

Страница 672: ...ntity requests a certificate from an RA z The SCEP plug in is not required when RSA Keon is used In this case when configuring a PKI domain you need to use the certificate request from ca command to s...

Страница 673: ...mmon name as switch Switch system view Switch pki entity aaa Switch pki entity aaa common name switch Switch pki entity aaa quit z Configure the PKI domain Create PKI domain torsa and enter its view S...

Страница 674: ...ficate domain torsa challenge word Certificate is being requested please wait Switch Enrolling the local certificate please wait a while Certificate request Successfully Saving the local certificate t...

Страница 675: ...ated to display pki certificate ca domain and display pki crl domain commands in PKI Commands of the Security Volume Requesting a Certificate from a CA Running Windows 2003 Server The CA server runs t...

Страница 676: ...sting services After completing the above configuration check that the system clock of the switch is synchronous to that of the CA server ensuring that the switch can request a certificate normally 2...

Страница 677: ...Successfully Saving the local certificate to device Done 3 Verify your configuration Use the following command to view information about the local certificate acquired Switch display pki certificate l...

Страница 678: ...lgorithm sha1WithRSAEncryption 81029589 7BFA1CBD 20023136 B068840B Omitted You can also use some other display commands to view detailed information about the CA certificate Refer to the display pki c...

Страница 679: ...itch pki cert attribute group mygroup1 quit Create certificate attribute group mygroup2 and add two attribute rules The first rule defines that the FQDN of the alternative subject name does not includ...

Страница 680: ...uest z Synchronize the system clock of the device with that of the CA Failed to Request a Local Certificate Symptom Failed to request a local certificate Analysis Possible reasons include these z The...

Страница 681: ...certificate has been retrieved before you try to retrieve CRLs z The IP address of LDAP server is not configured z The CRL distribution URL is not configured z The LDAP server version is wrong Solutio...

Страница 682: ...List 1 2 Configuring an SSL Server Policy 1 3 Configuration Prerequisites 1 3 Configuration Procedure 1 3 SSL Server Policy Configuration Example 1 4 Configuring an SSL Client Policy 1 6 Configuratio...

Страница 683: ...thentication of the server and client by using the digital signatures The SSL server and client obtain certificates from a certificate authority CA through the Public Key Infrastructure PKI z Reliabil...

Страница 684: ...ity authentication of the server and client Through the SSL handshake protocol a session is established between a client and the server A session consists of a set of parameters including the session...

Страница 685: ...nd enter its view ssl server policy policy name Required Specify a PKI domain for the SSL server policy pki domain domain name Required By default no PKI domain is specified for an SSL server policy S...

Страница 686: ...rol Device through Web pages For security of the device it is required that users use HTTPS HTTP Security which uses SSL to log in to the Web interface of the device and use SSL for identity authentic...

Страница 687: ...e for Device Device pki request certificate domain 1 Create an SSL server policy named myssl Device ssl server policy myssl Specify the PKI domain for the SSL server policy as 1 Device ssl server poli...

Страница 688: ...ust configure a PKI domain For details about PKI domain configuration refer to PKI Configuration in the Security Volume Configuration Procedure Follow these steps to configure an SSL client policy To...

Страница 689: ...the debugging ssl command and view the debugging information to locate the problem z If the SSL client is configured to authenticate the SSL server but the SSL server has no certificate request one fo...

Страница 690: ...Asymmetric Key Pair 1 2 Creating an Asymmetric Key Pair 1 2 Displaying or Exporting the Local RSA or DSA Host Public Key 1 3 Destroying an Asymmetric Key Pair 1 3 Configuring the Public Key of a Peer...

Страница 691: ...ntiality The cipher text is transmitted in the network and then is decrypted by the receiver to obtain the original pain text Figure 1 1 Encryption and decryption There are two types of key algorithms...

Страница 692: ...ir Adleman Algorithm RSA and Digital Signature Algorithm DSA are all asymmetric key algorithms RSA can be used for data encryption decryption and signature whereas DSA are used for signature only Asym...

Страница 693: ...he local RSA or DSA host public key on the remote end Follow these steps to display or export the local RSA or DSA host public key To do Use the command Remarks Enter system view system view Display t...

Страница 694: ...lic key of a peer manually To do Use the command Remarks Enter system view system view Enter public key view public key peer keyname Enter public key code view public key code begin Configure a public...

Страница 695: ...2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Generating Keys Display the public keys of the created RS...

Страница 696: ...1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001 DeviceB pkey key code public key code end DeviceB pkey public key peer public key end Display the host public key of Device A saved on Device B DeviceB di...

Страница 697: ...F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E 35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E8 4B9151BDC7EECE1C8770D961557D192DE2B36CAF99...

Страница 698: ...key file devicea pub to Device B DeviceB public key peer devicea import sshkey devicea pub Display the host public key of Device A saved on Device B DeviceB display public key peer name devicea Key N...

Страница 699: ...Creating a Time Range 2 1 Configuration Procedure 2 1 Configuration Example 2 2 Configuring a Basic IPv4 ACL 2 2 Configuration Prerequisites 2 2 Configuration Procedure 2 3 Configuration Example 2 3 C...

Страница 700: ...xample 3 4 Copying an IPv6 ACL 3 4 Configuration Prerequisites 3 4 Configuration Procedure 3 4 Displaying and Maintaining IPv6 ACLs 3 5 IPv6 ACL Configuration Example 3 5 Network Requirements 3 5 Conf...

Страница 701: ...pass and what should be rejected based on matching criteria such as source MAC address destination MAC address source IP address destination IP address and port number Application of ACLs on the Switc...

Страница 702: ...ACLs identified by ACL numbers fall into three categories as shown in Table 1 1 Table 1 1 IPv4 ACL categories Category ACL number Matching criteria Basic IPv4 ACL 2000 to 2999 Source IP address Advan...

Страница 703: ...epth first match for an advanced IPv4 ACL The following shows how your device performs depth first match in an advanced IPv4 ACL 1 Sort rules by VPN instance first and compare packets against the rule...

Страница 704: ...assign a newly defined rule a number that is the smallest multiple of the step bigger than the current biggest number For example with a step of five if the biggest number is currently 28 the newly de...

Страница 705: ...an IPv6 ACL you can specify a unique name for it Afterwards you can identify the IPv6 ACL by its name An IPv6 ACL can have only one name Whether to specify a name for an ACL is up to you After creatin...

Страница 706: ...address 3 If the prefix lengths for the source IPv6 addresses are the same look at the destination IPv6 address prefixes Then compare packets against the rule configured with a longer prefix for the...

Страница 707: ...quired Display the configuration and status of one or all time ranges display time range time range name all Optional Available in any view You may create a maximum of 256 time ranges A time range can...

Страница 708: ...e ends at the latest time that the system supports namely 24 00 12 31 2100 Configuration Example Create a time range that is active from 8 00 to 18 00 every working day Sysname system view Sysname tim...

Страница 709: ...IPv4 ACL description text Optional By default a basic IPv4 ACL has no ACL description Configure a rule description rule rule id comment text Optional By default an IPv4 ACL rule has no rule descripti...

Страница 710: ...ets based on three priority criteria type of service ToS IP precedence and differentiated services codepoint DSCP priority Advanced IPv4 ACLs are numbered in the range 3000 to 3999 Compared with basic...

Страница 711: ...tion text Optional By default an advanced IPv4 ACL has no ACL description Configure a rule description rule rule id comment text Optional By default an IPv4 ACL rule has no rule description Note that...

Страница 712: ...To do Use the command Remarks Enter system view system view Create an Ethernet frame header ACL and enter its view acl number acl number name acl name match order auto config Required The default mat...

Страница 713: ...xist Configuration Example Configure ACL 4000 to deny frames with the 802 1p priority of 3 Sysname system view Sysname acl number 4000 Sysname acl ethernetframe 4000 rule deny cos 3 Verify the configu...

Страница 714: ...name all Available in any view Clear statistics about a specified or all IPv4 ACLs that are referenced by upper layer software reset acl counter acl number all name acl name Available in user view IPv...

Страница 715: ...Pv4 ACL 3000 Switch traffic classifier c_rd Switch classifier c_rd if match acl 3000 Switch classifier c_rd quit Configure traffic behavior b_rd to deny matching packets Switch traffic behavior b_rd S...

Страница 716: ...ch GigabitEthernet1 0 2 qos apply policy p_rd inbound Switch GigabitEthernet1 0 2 quit Apply QoS policy p_market to interface GigabitEthernet 1 0 3 Switch interface GigabitEthernet 1 0 3 Switch Gigabi...

Страница 717: ...ure Follow these steps to configure an IPv6 ACL To do Use the command Remarks Enter system view system view Create a basic IPv6 ACL view and enter its view acl ipv6 number acl6 number name acl6 name m...

Страница 718: ...l ipv6 number acl6 number name acl6 name match order auto config command but only when the ACL does not contain any rules z The rule specified in the rule comment command must already exist Configurat...

Страница 719: ...rt operator port1 port2 dscp dscp fragment icmpv6 type icmpv6 type icmpv6 code icmpv6 message logging source source source prefix source source prefix any source port operator port1 port2 time range t...

Страница 720: ...tcp source 2030 5060 9050 64 Verify the configuration Sysname acl6 adv 3000 display acl ipv6 3000 Advanced IPv6 ACL 3000 named none 1 rule ACL s step is 5 rule 0 permit tcp source 2030 5060 9050 64 5...

Страница 721: ...e name all Available in any view Clear statistics about a specified or all IPv6 ACLs that are referenced by upper layer software reset acl ipv6 counter acl6 number all name acl6 name Available in user...

Страница 722: ...b_rd Switch behavior b_rd filter deny Switch behavior b_rd quit Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd Switch qos policy p_rd Switch qospolicy p_rd classifier c_rd behav...

Страница 723: ...dify rules and the edited rules take effect immediately You can configure an interval for collecting and outputting packet filtering logs The log information includes the number of matching packets an...

Страница 724: ...introduction and configuration of the information center refer to Information Center Configuration in the System Volume Filtering IPv6 Packets Follow these steps to apply an IPv6 ACL to an interface t...

Страница 725: ...everyday from 8 00 to 18 00 the interface allows only packets sourced from Host A to pass through Configure Device A to output IPv4 packet filtering logs to the console at an interval of 10 minutes Fi...

Страница 726: ...o Server from 14 00 to 18 00 during working days without affecting communication between Host A and Host B Figure 4 2 Network diagram for applying an ACL to a VLAN interface Vlan int100 192 168 1 1 Ho...

Страница 727: ...ction 1 3 Configuration Procedure 1 4 Displaying and Maintaining Source MAC Address Based ARP Attack Detection 1 4 Configuring ARP Packet Source MAC Address Consistency Check 1 4 Introduction 1 4 Conf...

Страница 728: ...evice continuously resolves destination IP addresses and thus its CPU is overloaded z A large number of ARP packets to bring a great impact to the CPU For details about ARP attack features and types r...

Страница 729: ...suppression function With the function enabled whenever the number of ARP requests triggered by the packets with unresolvable destination IP addresses from a host within five seconds exceeds a specif...

Страница 730: ...sult the device fails to deliver other functions properly or even crashes To prevent this you need to configure ARP packet rate limit It is recommended that you enable this feature after the ARP detec...

Страница 731: ...ault Configure the threshold arp anti attack source mac threshold threshold value Optional 50 by default Configure the aging timer for source MAC address based ARP attack detection entries arp anti at...

Страница 732: ...s whether the ARP entry has been updated within the last minute z If yes the gateway does not update the ARP entry z If not the gateway unicasts an ARP request to the source MAC address of the ARP ent...

Страница 733: ...if not the ARP packet cannot pass the check z Upon receiving an ARP packet from an ARP trusted port the device does not check the ARP packet z If ARP detection is not enabled for the VLAN the ARP pac...

Страница 734: ...and use static IP addresses it is recommended that you configure static IP Source Guard binding entries and enable ARP detection based on DHCP snooping entries on your access device z If access client...

Страница 735: ...entries and then 802 1X security entries If an ARP packet fails to pass ARP detection based on static IP to MAC bindings it is discarded If the packet passes this detection it will be checked against...

Страница 736: ...detection arp detection validate dst mac ip src mac Required Not specified by default Displaying and Maintaining ARP Detection To do Use the command Remarks Display the VLANs enabled with ARP detecti...

Страница 737: ...Ethernet1 0 1 quit Configure a static IP Source Guard binding entry on GigabitEthernet 1 0 2 SwitchB interface gigabitethernet 1 0 2 SwitchB GigabitEthernet1 0 2 user bind ip address 10 1 1 5 mac addr...

Страница 738: ...SwitchB system view SwitchB dot1x SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 dot1x SwitchB GigabitEthernet1 0 1 quit SwitchB interface gigabitethernet 1 0 2 SwitchB GigabitEt...

Страница 739: ...1 12 Enable ARP detection based on 802 1X security entries SwitchB arp detection mode dot1x...

Страница 740: ...tion used to enable a device to be aware of the up down state change of the ports on an indirectly connected link This document describes z Monitor Link Overview z Configuring Monitor Link RRPP RRPP i...

Страница 741: ...et OAM Functions z Configuring Link Monitoring z Enabling OAM Loopback Testing CFD CFD is an end to end per VLAN link layer OAM mechanism for link connectivity detection fault verification and fault l...

Страница 742: ...rts for a Smart Link Group 1 6 Configuring Role Preemption for a Smart Link Group 1 7 Enabling the Sending of Flush Messages 1 7 Smart Link Device Configuration Example 1 8 Configuring an Associated D...

Страница 743: ...ice connects to two different upstream devices as shown in Figure 1 1 Figure 1 1 Diagram for a dual uplink network GE1 0 1 GE1 0 2 GE1 0 1 GE1 0 1 GE1 0 2 GE1 0 2 A dual uplink network demonstrates hi...

Страница 744: ...ch form a smart link group with GE1 0 1 being active and GE1 0 2 being standby Master slave port Master port and slave port are two port roles in a smart link group When both ports in a smart link gro...

Страница 745: ...nge z To keep traffic forwarding stable the master port that has been blocked due to link failure does not take over immediately upon its recovery Instead link switchover will occur at next link switc...

Страница 746: ...Ports for a Smart Link Group Required Configuring Role Preemption for a Smart Link Group Optional Configuring a Smart Link Device Enabling the Sending of Flush Messages Optional Configuring an Associa...

Страница 747: ...MSTIs To view VLAN to MSTI mappings use the display stp region configuration command For VLAN to MSTI mapping configuration refer to MSTP Configuration in the Access Volume Configuring Member Ports fo...

Страница 748: ...nk group view smart link group group id Enable role preemption preemption mode role Required Disabled by default Configure the preemption delay preemption delay delay time Optional 1 second by default...

Страница 749: ...Ethernet 1 0 2 as the slave port z Configure VLAN 20 for flush update Configuration procedure Sysname system view Sysname vlan 20 Sysname vlan20 quit Sysname interface gigabitethernet 1 0 1 Sysname Gi...

Страница 750: ...fied for processing flush messages the device forwards the received flush messages without processing them z Make sure that the receive control VLAN is the same as the transmit control VLAN configured...

Страница 751: ...2 respectively z Traffic of VLANs 1 through 30 on Device C and Device D are dually uplinked to Device A z Configure Smart Link on the devices for dual uplink backup using VLAN 1 the default for flush...

Страница 752: ...Configure GigabitEthernet 1 0 1 as the master port and GigabitEthernet 1 0 2 as the slave port for smart link group 1 DeviceC smlk group1 port gigabitethernet 1 0 1 master DeviceC smlk group1 port gi...

Страница 753: ...1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 as trunk ports that permit VLANs 1 through 30 and enable flush message receiving on them DeviceB interface gigabitethernet 1 0 1 DeviceB GigabitEther...

Страница 754: ...runk ports that permit VLANs 1 through 30 and enable flush message receiving on them DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 port link type trunk DeviceA GigabitEthernet1...

Страница 755: ...raffic of VLANs 101 through 200 over different links to Device A z Implement dual uplink backup on Device C traffic of VLANs 1 through 100 mapped to MSTI 0 is uplinked to Device A by Device B traffic...

Страница 756: ...r smart link group 1 DeviceC smlk group1 port gigabitethernet 1 0 1 master DeviceC smlk group1 port gigabitethernet 1 0 2 slave Enable role preemption in smart link group 1 enable flush message sendin...

Страница 757: ...the receive control VLANs DeviceD interface gigabitethernet 1 0 1 DeviceD GigabitEthernet1 0 1 port link type trunk DeviceD GigabitEthernet1 0 1 port trunk permit vlan 1 to 200 DeviceD GigabitEtherne...

Страница 758: ...1 GigabitEthernet1 0 2 SLAVE STANDBY 1 17 45 20 2009 02 21 Smart link group 2 information Device ID 000f e23d 5af0 Preemption mode ROLE Control VLAN 101 Protected VLAN Reference Instance 2 Member Role...

Страница 759: ...erminology 1 1 How Monitor Link Works 1 2 Configuring Monitor Link 1 2 Configuration Prerequisites 1 2 Creating a Monitor Link Group 1 2 Configuring Monitor Link Group Member Ports 1 3 Displaying and...

Страница 760: ...te of uplink ports triggering link switchover on the downstream device in time as shown in Figure 1 1 Figure 1 1 Network diagram for monitor link application scenario Device A Device D Device B Core n...

Страница 761: ...link that connects the uplink ports in a monitor link group while the downlink is the link that connects the downlink ports How Monitor Link Works A monitor link group works independently of other mo...

Страница 762: ...er ports for a monitor link group in interface view To do Use the command Remarks Enter system view system view Enter Ethernet interface view or Layer 2 aggregate interface view interface interface ty...

Страница 763: ...etwork diagram for smart link in combination with monitor link configuration Configuration procedure 1 Configuration on Device C Create VLANs 1 through 30 map VLANs 1 through 10 to MSTI 0 VLANs 11 thr...

Страница 764: ...es DeviceC smlk group1 flush enable DeviceC smlk group1 quit 2 Configuration on Device A Create VLANs 1 through 30 DeviceA system view DeviceA vlan 1 to 30 Configure GigabitEthernet 1 0 1 and GigabitE...

Страница 765: ...t 1 0 1 DeviceD GigabitEthernet1 0 1 port link type trunk DeviceD GigabitEthernet1 0 1 port trunk permit vlan 1 to 30 DeviceD GigabitEthernet1 0 1 smart link flush enable DeviceD GigabitEthernet1 0 1...

Страница 766: ...information about monitor link group 1 on Device D DeviceD display monitor link group 1 Monitor link group 1 information Group status DOWN Last up time 16 35 27 2009 4 21 Last down time 16 37 19 2009...

Страница 767: ...iguring Control VLANs 1 11 Configuring Protected VLANs 1 11 Configuring RRPP Rings 1 12 Configuring RRPP Ports 1 12 Configuring RRPP Nodes 1 13 Activating an RRPP Domain 1 15 Configuring RRPP Timers 1...

Страница 768: ...e protocols RRPP features the following z Fast topology convergence z Convergence time independent of Ethernet ring size Background Metropolitan area networks MANs and enterprise networks usually use...

Страница 769: ...ne of the following two states z Health state All the physical links on the Ethernet ring are connected z Disconnect state Some physical links on the Ethernet ring are broken As shown in Figure 1 1 Do...

Страница 770: ...detect the integrity of the primary ring and perform loop guard As shown in Figure 1 1 Ring 1 is the primary ring and Ring 2 is a subring Device A is the master node of Ring 1 Device B Device C and D...

Страница 771: ...ing group configured on an assistant edge node is called an assistant edge node RRPP ring group Up to one subring in an edge node RRPP ring group is allowed to send Edge Hello packets RRPPDUs Table 1...

Страница 772: ...ed Hello packets ensuring that all nodes in the ring network are consistent in the two timer settings How RRPP Works Polling mechanism The polling mechanism is used by the master node of an RRPP ring...

Страница 773: ...raffic by transmitting traffic of different VLANs along different paths By configuring an individual RRPP domain for transmitting the traffic of the specified VLANs referred to as protected VLANs in a...

Страница 774: ...s shown in Figure 1 3 there are two or more rings in the network topology and only one common node between rings In this case you need to define an RRPP domain for each ring Figure 1 3 Schematic diagr...

Страница 775: ...for a dual homed ring network Single ring load balancing In a single ring network you can achieve load balancing by configuring multiple domains As shown in Figure 1 6 Ring 1 is configured as the pri...

Страница 776: ...Device E is configured as the master node of Ring 2 in both Domain 1 and Domain 2 However different ports on Device E are blocked in Domain 1 and Domain 2 With the configurations you can enable traffi...

Страница 777: ...r node in the RRPP domain Configuring an RRPP Ring Group Optional Perform this task on the edge node and assistant edge node in the RRPP domain z RRPP does not have an auto election mechanism so you m...

Страница 778: ...ed with RRPP you must ensure only the two ports connecting the device to the RRPP ring permit the packets of the control VLANs Otherwise the packets from other VLANs may go into the control VLANs in t...

Страница 779: ...g RRPP Ports Perform this configuration on each node s ports intended for accessing RRPP rings Follow these steps to configure RRPP ports To do Use the command Remarks Enter system view system view En...

Страница 780: ...Configuring RRPP Nodes z The maximum number of rings that can be configured on a device in all RRPP domains is 16 z If a device carries multiple RRPP rings in an RRPP domain only one ring can be confi...

Страница 781: ...interface number secondary port interface type interface number level level value Required Specify the current device as the edge node of a subring and specify the edge port ring ring id node mode ed...

Страница 782: ...master node before enabling the subrings on their separate master nodes On an edge node or assistant edge node enable disable the primary ring and subrings separately as follows z Enable the primary...

Страница 783: ...marks Enter system view system view Create an RRPP ring group and enter RRPP ring group view rrpp ring group ring group id Required Assign the specified subrings to the RRPP ring group domain domain i...

Страница 784: ...e RRPP domain 1 specify the primary control VLAN of RRPP domain 1 as VLAN 4092 and RRPP domain 1 protects all VLANs z Device A Device B Device C and Device D constitute primary ring 1 z Specify Device...

Страница 785: ...port and enable ring 1 DeviceA rrpp domain1 ring 1 node mode master primary port gigabitethernet 1 0 1 secondary port gigabitethernet 1 0 2 level 0 DeviceA rrpp domain1 ring 1 enable DeviceA rrpp dom...

Страница 786: ...ormation on each device Intersecting Ring Configuration Example Networking requirements As shown in Figure 1 9 z Device A Device B Device C and Device D constitute RRPP domain 1 VLAN 4092 is the prima...

Страница 787: ...t1 0 2 undo stp enable DeviceA GigabitEthernet1 0 2 port link type trunk DeviceA GigabitEthernet1 0 2 port trunk permit vlan all DeviceA GigabitEthernet1 0 2 qos trust dot1p DeviceA GigabitEthernet1 0...

Страница 788: ...GigabitEthernet1 0 3 qos trust dot1p DeviceB GigabitEthernet1 0 3 quit Create RRPP domain 1 configure VLAN 4092 as the primary control VLAN of RRPP domain 1 and configure the VLANs mapped to MSTIs 0...

Страница 789: ...main 1 DeviceC rrpp domain 1 DeviceC rrpp domain1 control vlan 4092 DeviceC rrpp domain1 protected vlan reference instance 0 to 16 Configure Device C as a transit node of primary ring 1 with GigabitEt...

Страница 790: ...guration on Device E Disable STP on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 configure the two ports as trunk ports and assign them to all VLANs and configure them to trust the 802 1p precedenc...

Страница 791: ...ode of the subring Ring 3 Device B is the assistant edge node of the subring Ring 3 z Device A Device B Device C Device D and Device E constitute RRPP domain 2 and VLAN 105 is the primary control VLAN...

Страница 792: ...1p DeviceA GigabitEthernet1 0 1 quit DeviceA interface gigabitethernet 1 0 2 DeviceA GigabitEthernet1 0 2 undo stp enable DeviceA GigabitEthernet1 0 2 port link type trunk DeviceA GigabitEthernet1 0 2...

Страница 793: ...0 1 and GigabitEthernet 1 0 2 configure the two ports as trunk ports remove them from VLAN 1 and assign them to VLAN 10 and VLAN 20 and configure them to trust the 802 1p precedence of the received p...

Страница 794: ...2 as the secondary port and enable ring 1 DeviceB rrpp domain1 ring 1 node mode transit primary port gigabitethernet 1 0 1 secondary port gigabitethernet 1 0 2 level 0 DeviceB rrpp domain1 ring 1 ena...

Страница 795: ...st dot1p DeviceC GigabitEthernet1 0 1 quit DeviceC interface gigabitethernet 1 0 2 DeviceC GigabitEthernet1 0 2 undo stp enable DeviceC GigabitEthernet1 0 2 port link type trunk DeviceC GigabitEtherne...

Страница 796: ...ng 3 node mode edge edge port gigabitethernet 1 0 4 DeviceC rrpp domain1 ring 3 enable DeviceC rrpp domain1 quit Create RRPP domain 2 configure VLAN 105 as the primary control VLAN of RRPP domain 2 an...

Страница 797: ...Ethernet1 0 2 quit Create RRPP domain 1 configure VLAN 100 as the primary control VLAN of RRPP domain 1 and configure the VLAN mapped to MSTI 1 as the protected VLAN of RRPP domain 1 DeviceD rrpp doma...

Страница 798: ...itEthernet1 0 1 quit DeviceE interface gigabitethernet 1 0 2 DeviceE GigabitEthernet1 0 2 undo stp enable DeviceE GigabitEthernet1 0 2 port link type trunk DeviceE GigabitEthernet1 0 2 undo port trunk...

Страница 799: ...bitEthernet1 0 2 port trunk permit vlan 10 DeviceF GigabitEthernet1 0 2 qos trust dot1p DeviceF GigabitEthernet1 0 2 quit Create RRPP domain 1 configure VLAN 100 as the primary control VLAN and config...

Страница 800: ...is not the same for the nodes in the same RRPP ring z Some ports are abnormal Solution z Use the display rrpp brief command to check whether RRPP is enabled for all nodes If not use the rrpp enable c...

Страница 801: ...8 Enabling DLDP 1 9 Setting DLDP Mode 1 9 Setting the Interval for Sending Advertisement Packets 1 10 Setting the DelayDown Timer 1 10 Setting the Port Shutdown Mode 1 11 Configuring DLDP Authenticati...

Страница 802: ...can receive packets from the other end but the other end cannot For example if two switches Switch A and Switch B are connected via a fiber pair one used for sending packets from A to B and the other...

Страница 803: ...auto negotiation mechanism provided by the physical layer detects physical signals and faults DLDP performs operations such as identifying peer devices detecting unidirectional links and shutting dow...

Страница 804: ...Y tags that can be sent successively is 5 Advertisement timer Determines the interval to send advertisement packets which defaults to 5 seconds Probe timer Determines the interval to send Probe packet...

Страница 805: ...oves the corresponding neighbor entry and sends an Advertisement packet with the RSY tag z In enhanced DLDP mode when an entry timer expires the Enhanced timer is triggered and the device sends up to...

Страница 806: ...Authentication type field of DLDP packets to 0 The receiving side checks the values of the two fields of received DLDP packets and drops the packets with the two fields conflicting with the correspon...

Страница 807: ...onding neighbor entry does not exist creates the neighbor entry triggers the Entry timer and transits to Probe state Advertisement packet with RSY tag Retrieving the neighbor information If the corres...

Страница 808: ...formation If not no process is performed LinkDown packet Check to see if the local port operates in Enhanced mode If yes and the local port is not in Disable state the local transits to Disable state...

Страница 809: ...tates described in Table 1 7 Table 1 7 Description on DLDP neighbor states DLDP neighbor state Description Unknown A neighbor is in this state when it is just detected and is being probed No informati...

Страница 810: ...default Enter Ethernet port view interface interface type interface number Enter Ethernet port view or port group view Enter port group view port group manual port group name Either of the two is req...

Страница 811: ...advertisement packets will increase In most cases you are recommended to use the default Follow these steps to set the interval for sending Advertisement packets To do Use the command Remarks Enter sy...

Страница 812: ...tate only after you manually shut down unidirectional link ports with the shutdown command z Auto mode In this mode when a unidirectional link is detected DLDP transits to Disable state generates log...

Страница 813: ...nable the port to perform DLDP detect again you can reset the DLDP state of the port in one of the following methods z If the port is shut down with the shutdown command manually run the undo shutdown...

Страница 814: ...e dldp reset Required Displaying and Maintaining DLDP To do Use the command Remarks Display the DLDP configuration of a port display dldp interface type interface number Available in any view Display...

Страница 815: ...2 Configuration on Device B Enable DLDP globally and then on GigabitEthernet1 0 50 and GigabitEthernet 1 0 51 respectively DeviceB system view DeviceB dldp enable DeviceB interface gigabitethernet 1 0...

Страница 816: ...e thus shut down Correct the fiber connections on detecting the unidirectional link problem As a result the ports shut down by DLDP automatically recover Display the DLDP configuration information on...

Страница 817: ...ce B are connected through two fiber pairs in which two fibers are cross connected The unidirectional links cannot be detected all the four ports involved are in Advertisement state Analysis The probl...

Страница 818: ...ation Task List 1 6 Configuring Basic Ethernet OAM Functions 1 6 Configuring Link Monitoring 1 7 Configuring Errored Symbol Event Detection 1 7 Configuring Errored Frame Event Detection 1 7 Configurin...

Страница 819: ...net has been absent all along hindering the usage of Ethernet in MANs and WANs Implementing Operation Administration and Maintenance OAM on Ethernet networks has now become an urgent matter As a tool...

Страница 820: ...be forwarded Source addr Source MAC address of the Ethernet OAMPDU It is the bridge MAC address of the sending side and is a unicast MAC address Type Type of the encapsulated protocol in the Ethernet...

Страница 821: ...interconnected OAM entities notify the peer of their OAM configuration information and the OAM capabilities of the local nodes by exchanging Information OAMPDUs and determine whether Ethernet OAM conn...

Страница 822: ...k faults in various environments Ethernet OAM implements link monitoring through the exchange of Event Notification OAMPDUs Upon detecting a link error event listed in Table 1 4 the local OAM entity s...

Страница 823: ...es of the corresponding OAMPDUs Table 1 5 Critical link error events Ethernet OAM link events Description Link Fault Peer link signal is lost Dying Gasp An unexpected fault such as power failure occur...

Страница 824: ...iguring Errored Symbol Event Detection Optional Configuring Errored Frame Event Detection Optional Configuring Errored Frame Period Event Detection Optional Configuring Link Monitoring Configuring Err...

Страница 825: ...system view system view Configure the errored symbol event detection interval oam errored symbol period period value Optional 1 second by default Configure the errored symbol event triggering thresho...

Страница 826: ...Follow these steps to configure errored frame seconds event detection To do Use the command Remarks Enter system view system view Configure the errored frame seconds event detection interval oam erro...

Страница 827: ...out z Ethernet OAM remote loopback is only applicable to individual links It is not applicable to link aggregation member ports In addition you cannot assign ports where Ethernet OAM remote loopback i...

Страница 828: ...net OAM for it DeviceA system view DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 oam mode passivez DeviceA GigabitEthernet1 0 1 oam enable DeviceA GigabitEthernet1 0 1 quit Set...

Страница 829: ...e statistics of Ethernet OAM critical link events on all the ports of Device A DeviceA display oam critical event Port GigabitEthernet1 0 1 Link Status Up Event statistic Link Fault 0 Dying Gasp 0 Cri...

Страница 830: ...sites 1 7 Configuring Procedure 1 7 Configuring LB on MEPs 1 8 Configuration Prerequisites 1 8 Configuration Procedure 1 8 Configuring LT on MEPs 1 8 Configuration Prerequisites 1 9 Finding the Path B...

Страница 831: ...e The MD boundary is defined by some maintenance association end points MEPs configured on the ports An MD is identified by an MD name To accurately locate faults CFD introduces eight levels from 0 to...

Страница 832: ...sociation end points MEPs and maintenance association intermediate points MIPs z MEP Each MEP is identified by an integer called a MEP ID The MEPs of an MD define the range and boundary of the MD The...

Страница 833: ...ure 1 4 demonstrates a grading example of the CFD module In the figure there are six devices labeled A through F respectively Suppose each device has two ports and MEPs and MIPs are configured on some...

Страница 834: ...and LBRs are unicast messages Linktrace Linktrace is responsible for identifying the path between the source MEP and the destination MEP This function is implemented in the following way the source M...

Страница 835: ...M messages even if it is blocked by STP z Only Ethernet ports support CFD Basic Configuration Tasks Basic configuration tasks include z Configuring Service Instance z Configuring MEP z Configuring MIP...

Страница 836: ...N attribute of the service instance become the attribute of the MEP Follow these steps to configure a MEP To do Use the command Remarks Enter system view system view Enter Ethernet port view interface...

Страница 837: ...of the following actions or cases can cause MIPs to be created or deleted after you have configured the cfd mip rule command z Enabling CFD use the cfd enable command z Creating or deleting the MEPs o...

Страница 838: ...ces the MEPs belonging to the same MD and MA should be configured with the same time interval for CCMs sending Configuring LB on MEPs The LB function can verify the link state between two ends after C...

Страница 839: ...rget MEP cfd linktrace service instance instance id mep mep id target mep target mep id target mac mac address ttl ttl value hw only Required Enabling Automatic LT Messages Sending Follow these steps...

Страница 840: ...e light blue square frame and the blue one specify two different MDs z Two MDs MD_A indicated by the light blue square frame with level 5 and MD_B indicated by the blue square frame with level 3 are d...

Страница 841: ...rvice instance to verify your configuration Configuring MEP and Enabling CC on it Network requirements After finishing service instance configuration you can start to design the MEPs z MEPs are config...

Страница 842: ...nable DeviceB GigabitEthernet1 0 3 cfd cc service instance 2 mep 2001 enable 3 On Device D DeviceD system view DeviceD interface gigabitethernet 1 0 1 DeviceD GigabitEthernet1 0 1 cfd mep 4001 service...

Страница 843: ...uld choose the default rule If MIPs are to be configured only when the low level MDs having MEP you should choose the explicit rule According to the diagram as shown in Figure 1 7 perform the followin...

Страница 844: ...system view DeviceA cfd loopback service instance 1 mep 1001 target mep 4002 Configuring LT on MEPs Network requirements Use the LT function to find the path and locate the fault after you obtain the...

Страница 845: ...ation Task List 1 2 Configuring Collaboration Between the Track Module and the Detection Modules 1 2 Configuring Track NQA Collaboration 1 2 Configuring Collaboration Between the Track Module and the...

Страница 846: ...tion modules trigger the application modules to perform certain operations through the Track module More specifically the detection modules probe the link status network performance and so on and info...

Страница 847: ...dules that can collaborate with the Track module include z VRRP z Static routing Track Configuration Task List To implement the collaboration function you need to establish collaboration between the T...

Страница 848: ...s interface when configuring a static route you can associate the static route with a Track object and thus check the validity of the static route according to the status of the Track object z If the...

Страница 849: ...wise a valid route may be considered invalid z For details of static route configuration refer to Static Routing Configuration in the IP Routing Volume Displaying and Maintaining Track Object s To do...

Страница 850: ...s 100 ms SwitchA nqa admin test icmp echo frequency 100 Configure Reaction entry 1 specifying that five consecutive probe failures trigger the Static Routing Track NQA collaboration SwitchA nqa admin...

Страница 851: ...erface vlan interface 3 SwitchB Vlan interface3 undo ip address Display information of the Track object on Switch A SwitchA display track all Track ID 1 Status Negative Reference object NQA entry admi...

Страница 852: ...ontrolling Login Users Basic System Configuration Basic system configuration involves the configuration of device name system clock welcome message user privilege levels and so on This document descri...

Страница 853: ...AC Address Table A switch maintains a MAC address table for fast forwarding packets This document describes z MAC address table overview z Configuring MAC Address Entries z Configuring the Aging Timer...

Страница 854: ...ice quality parameters This document describes z NQA Overview z Configuring the NQA Server z Enabling the NQA Client z Creating an NQA Test Group z Configuring an NQA Test Group z Configuring the Coll...

Страница 855: ...e This document describes z IRF Overview z IRF Working Process z Configuring IRF z Logging In to an IRF Automatic Configuration Automatic configuration enables a device to automatically obtain and exe...

Страница 856: ...Configuration Example 2 7 Console Port Login Configuration with Authentication Mode Being Scheme 2 9 Configuration Procedure 2 9 Configuration Example 2 10 Configuring Command Authorization 2 11 Conf...

Страница 857: ...source IP address Interface Specified for Telnet Packets 7 2 8 Controlling Login Users 8 1 Introduction 8 1 Controlling Telnet Users 8 1 Prerequisites 8 1 Controlling Telnet Users by Source IP Address...

Страница 858: ...t of a H3C series switch are the same one you will be in the AUX user interface if you log in through this port H3C S5120 EI series Ethernet switch supports two types of user interfaces AUX and VTY z...

Страница 859: ...ly specify a user interface or a group of user interfaces The numbering system starts from number 0 with a step of 1 The numbering approach numbers the two types of user interfaces in the sequence of...

Страница 860: ...or more user interface views user interface type first number last number Display the information about the current user interface all user interfaces display users all You can execute this command in...

Страница 861: ...quisite to configure other login methods By default you can log in to an H3C S5120 EI series Ethernet switch through its Console port only To log in to an Ethernet switch through its Console port the...

Страница 862: ...n Windows 9X Windows 2000 Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally the parameters of a terminal are configured as those...

Страница 863: ...for information about the commands Console Port Login Configuration Common Configuration Table 2 2 lists the common configuration of Console port login Table 2 2 Common configuration of Console port l...

Страница 864: ...Terminal configuration Set the timeout time of a user interface idle timeout minutes seconds Optional The default timeout time is 10 minutes Changing of Console port configuration terminates the conn...

Страница 865: ...password of a remote user are configured on the RADIUS server Refer to user manual of RADIUS server for details Manage AUX users Set service type for AUX users Required Scheme Perform common configura...

Страница 866: ...rk diagram Figure 2 5 Network diagram for AUX user interface configuration with the authentication mode being none Configuration procedure Enter system view Sysname system view Enter AUX user interfac...

Страница 867: ...ogging in through the Console port are not authenticated while users logging in through the Telnet need to pass the password authentication Set the local password set authentication password cipher si...

Страница 868: ...n to the AUX user interface Sysname ui aux0 user privilege level 2 Set the baud rate of the Console port to 19200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain...

Страница 869: ...ystem view quit Optional By default the local AAA scheme is applied If you specify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to a...

Страница 870: ...t and your user level is set to the administrator level level 3 After you telnet to the switch you need to limit the console user at the following aspects z Configure the name of the local user to be...

Страница 871: ...gure 2 4 thus ensuring the consistency between the configurations of the terminal emulation utility and those of the switch Otherwise you will fail to log in to the switch Configuring Command Authoriz...

Страница 872: ...only the authorized and executed commands will be recorded on the HWTACACS server The command accounting configuration involves three steps 1 Enable command accounting See the following table for deta...

Страница 873: ...oute between the switch and the Telnet terminal is available Switch The authentication mode and other settings are configured Refer to Table 3 2 and Table 3 3 Telnet is running Telnet terminal The IP...

Страница 874: ...s the password authentication to login Step 3 Connect your PC to the Switch as shown in Figure 3 1 Make sure the Ethernet port to which your PC is connected belongs to the management VLAN of the switc...

Страница 875: ...e telnet command and then to configure the later Figure 3 3 Network diagram for Telnetting to another switch from the current switch PC Telnet server Telnet client Step 1 Configure the user name and p...

Страница 876: ...e supported VTY user interface configuration Set the command that is automatically executed when a user logs into the user interface auto execute command text Optional By default no command is automat...

Страница 877: ...elnet configuration with authentication mode being none To do Use the command Remarks Enter system view system view Enter one or more VTY user interface views user interface vty first number last numb...

Страница 878: ...can contain to 30 Sysname ui vty0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui vty0 history command max size 20 Set the timeout time to 6 m...

Страница 879: ...Figure 3 5 Network diagram for Telnet configuration with the authentication mode being password 3 Configuration procedure Enter system view and enable the Telnet service Sysname system view Sysname te...

Страница 880: ...uration concerning local user as well If you specify to apply an existing scheme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADI...

Страница 881: ...mode z The commands of level 2 are available to users logging in to VTY 0 z Telnet protocol is supported in VTY 0 z The screen can contain up to 30 lines z The history command buffer can store up to 2...

Страница 882: ...uthorized the command with the default level not higher than the user level With the command authorization configured the command level for a login user is decided by both the user level and AAA autho...

Страница 883: ...ver The command accounting configuration involves three steps 1 Enable command accounting See the following table for details 2 Configure a HWTACACS scheme Specify the IP addresses of the HWTACACS acc...

Страница 884: ...Network diagram for configuring user authentication Configuration procedure Assign an IP address to Device to make Device be reachable from Host A Host B Host C and RADIUS server The configuration is...

Страница 885: ...ication as the backup Device domain system Device isp system authentication login radius scheme rad local Device isp system authorization login radius scheme rad local Device isp system quit Add a loc...

Страница 886: ...tandard Specify Device to remove the domain name in the username sent to the HWTACACS server for the scheme Device hwtacacs scheme tac Device hwtacacs tac primary authentication 192 168 2 20 49 Device...

Страница 887: ...vice user interface aux 0 Device ui aux0 command accounting Device ui aux0 quit Enable command accounting for users logging in through telnet or SSH Device user interface vty 0 4 Device ui vty0 4 comm...

Страница 888: ...Create ISP domain system and configure the ISP domain system to use HWTACACS scheme tac for accounting of command line users Device domain system Device isp system accounting command hwtacacs scheme...

Страница 889: ...N of the switch is configured The route between the switch and the network management terminal is available Refer to the module IP Addressing and Performance and IP Routing for more Switch The user na...

Страница 890: ...ss to the management VLAN interface of the switch By default VLAN 1 is the management VLAN z Connect to the console port Refer to section Setting Up the Connection to the Console Port z Execute the fo...

Страница 891: ...http 10 153 17 82 Make sure the route between the Web based network management terminal and the switch is available Step 5 When the login interface shown in Figure 5 2 appears enter the user name and...

Страница 892: ...rotocol is applied between the NMS and the agent To log in to a switch through an NMS you need to perform related configuration on both the NMS and the switch Table 6 1 Requirements for logging in to...

Страница 893: ...source IP address interfaces for Telnet packets also provides a way to successfully connect to servers that only accept packets with specific source IP addresses Specifying Source IP address Interface...

Страница 894: ...or Telnet packets make sure the interface already exists z Before specifying the source IP address interface for Telnet packets make sure the route between the interface and the Telnet server is reach...

Страница 895: ...ugh Layer 2 ACLs Controlling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through basic ACLs Controlling Network Management Users by Source IP Addresses Controlling Telnet Users Pr...

Страница 896: ...L refer to ACL Configuration in the Security Volume Follow these steps to control Telnet users by source and destination IP addresses To do Use the command Remarks Enter system view system view Create...

Страница 897: ...ne rules as needed to filter by specific source MAC addresses Quit to system view quit Enter user interface view user interface type first number last number Apply the ACL to control Telnet users by s...

Страница 898: ...to control users accessing the switch through SNMP Prerequisites The controlling policy against network management users is determined including the source IP addresses to be controlled and the contr...

Страница 899: ...etailed configuration refer to SNMP Configuration in the System Volume Configuration Example Network requirements Only SNMP users sourced from the IP addresses of 10 110 100 52 and 10 110 100 46 are p...

Страница 900: ...ontrolling Web users by source IP addresses To do Use the command Remarks Enter system view system view Create a basic ACL or enter basic ACL view acl ipv6 number acl number match order config auto Re...

Страница 901: ...network Host B 10 110 100 52 Configuration procedure Create a basic ACL Sysname system view Sysname acl number 2030 match order config Sysname acl basic 2030 rule 1 permit source 10 110 100 52 0 Refer...

Страница 902: ...7 Configuring CLI Hotkeys 1 7 Configuring Command Aliases 1 9 Configuring User Privilege Levels and Command Levels 1 9 Introduction 1 9 Configuring user privilege level 1 10 Switching user privilege l...

Страница 903: ...onfiguration of the device before configuring the device The configurations of a device fall into the following categories z Factory defaults When devices are shipped they are installed with some basi...

Страница 904: ...Exiting the Current View The system divides the command line interface into multiple command views which adopts a hierarchical structure For example there is system view under user view and interface...

Страница 905: ...time You can view the system clock by using the display clock command Follow these steps to configure the system clock To do Use the command Remarks Set time and date clock datetime time date Optional...

Страница 906: ...zone time add 1 Display 03 00 00 zone time Fri 02 02 2007 1 2 and 1 date time Configure clock timezone zone time add 1 and clock datetime 3 00 2007 3 3 Display 03 00 00 zone time Sat 03 03 2007 If the...

Страница 907: ...7 1 1 clock timezone zone time add 1 and clock summer time ss one off 1 00 2008 1 1 1 00 2008 8 8 2 Display 02 00 00 zone time Mon 01 01 2007 If the value of date time zone offset is not in the summer...

Страница 908: ...equired Enabled by default Configuring a Banner Introduction to banners Banners are prompt information displayed by the system when users are connected to the device perform login authentication and s...

Страница 909: ...eywords at the first line with the first and last characters being different then press the Enter key End the setting with the first character at the first line The first character at the first line a...

Страница 910: ...istory command buffer Ctrl P Displays the previous command in the history command buffer Ctrl R Redisplays the current line information Ctrl V Pastes the content in the clipboard Ctrl W Deletes all th...

Страница 911: ...d the keyword of a command the alias wins to execute the command whose keyword partially matches your input you need to input the complete keyword When you input a character string that matches multip...

Страница 912: ...system support modules for service support By default commands at this level involve file system FTP TFTP Xmodem command download user management level setting as well as parameter setting within a sy...

Страница 913: ...refer to AAA Commands in the Security Volume z For the introduction to SSH refer to SSH 2 0 Configuration in the Security Volume 2 Example of configuring user privilege level by using AAA authenticat...

Страница 914: ...le user interface is 3 and that for users logging from the other user interfaces is 0 Follow these steps to configure the user privilege level under a user interface none or password authentication mo...

Страница 915: ...ent command view refresh Do soft reset reset Reset operation screen length Specify the lines displayed on one screen send Send information to other user terminal interface ssh2 Establish a secure shel...

Страница 916: ...ilege level to a high user privilege level only the console login users do not have to enter the password and users that log in from VTY user interfaces need to enter the password for security s sake...

Страница 917: ...Display information on system version display version Display information on the system clock display clock Display defined command aliases and the corresponding commands display command alias Displa...

Страница 918: ...e System Volume z Support for the display configure user and display current configuration command depends on the device model z The display commands discussed above are for the global configuration R...

Страница 919: ...gnosis z Saving and executing commands that have been executed z Fuzzy match for convenience of input When you execute a command you can input part of the characters in a keyword However to enable you...

Страница 920: ...position The command is then repeated in the next command line and executed if you press Enter 4 Enter a character string followed by a All the commands starting with this string are displayed Sysnam...

Страница 921: ...0 characters Table 2 1 lists these functions Table 2 1 Edit functions Key Function Common keys If the editing buffer is not full insert the character at the position of the cursor and move the cursor...

Страница 922: ...he lines that match the regular expression The regular expression is a string of 1 to 256 characters case sensitive It also supports special characters as shown in Table 2 2 Table 2 2 Special characte...

Страница 923: ...a string containing string1string2string2 string1 string2 1 2 means to repeat string1 for once first and then repeat string2 for once and string1 string2 1 2 must match a string containing string1stri...

Страница 924: ...ings of the screen length command are multiple screen output is enabled and 24 lines are displayed on the next screen This command is executed in user view and therefore is applicable to the current u...

Страница 925: ...the key command Result View the history commands display history command Displays the commands that you have entered Access the previous history command Up arrow key or Ctrl P Displays the earlier his...

Страница 926: ...2 8...

Страница 927: ...nd Lines 1 5 Disabling Boot ROM Access 1 6 Configuring a Detection Interval 1 6 Clearing the 16 bit Interface Indexes Not Used in the Current System 1 7 Identifying and Diagnosing Pluggable Transceive...

Страница 928: ...evice management function you can view the current working state of a device configure running parameters and perform daily device maintenance and management Device Management Configuration Task List...

Страница 929: ...IRF members Rebooting a Device When a fault occurs to a running device you can remove the fault by rebooting the device depending on the actual situation This operation equals to powering on the devic...

Страница 930: ...e backup boot file to restart the device z If you are performing file operations when the device is to be rebooted the system does not execute the command for the sake of security Configuring the Sche...

Страница 931: ...r the automatic execution function is configured the scheduled automatic execution configuration turns invalid automatically z Only the last configuration takes effect if you execute the schedule job...

Страница 932: ...ccessful upgrade Follow these steps to upgrade the Boot ROM program To do Use the command Remarks Enter system view system view Enable the validity check function when upgrading the Boot ROM bootrom u...

Страница 933: ...time to protect the Boot ROM against operations of illegal users You can use the display startup command to view the status of the Boot ROM access function For the detailed description of the display...

Страница 934: ...remain unchanged Follow these steps to clear the 16 bit interface indexes not used in the current system To do Use the command Remarks Clear the 16 bit interface indexes saved but not in use in the cu...

Страница 935: ...label information of the anti spoofing transceiver s customized by H3C display transceiver manuinfo interface interface type interface number Available for anti spoofing pluggable transceiver s custo...

Страница 936: ...Available in any view Display information about a board subboard CF board USB or hardware on the device display device shelf shelf number frame frame number slot slot number subslot subslot number ve...

Страница 937: ...m for remote scheduled automatic upgrade FTP Client FTP Server User Telnet Device 1 1 1 1 24 2 2 2 2 24 Internet Configuration procedure 1 Configuration on the FTP server Note that configurations may...

Страница 938: ...ew the content of the file Execute the scheduled automatic execution function to enable the device to be automatically upgraded at 3 am Device schedule job at 03 00 view system execute auto update bat...

Страница 939: ...g cfg File will be transferred in binary mode Downloading file from remote TFTP server please wait TFTP 917 bytes received in 1 second s File downloaded successfully Download file new config cfg to Sl...

Страница 940: ...rs IRF boot loader file soft version2 bin slot all main This command will set the boot file of the specified board Continue Y N y The specified file will be used as the main boot file at the next rebo...

Страница 941: ...the Startup Configuration File 1 16 Displaying and Maintaining Device Configuration 1 17 2 FTP Configuration 2 1 FTP Overview 2 1 Introduction to FTP 2 1 Operation of FTP 2 1 Configuring the FTP Clie...

Страница 942: ...ii Single Device Upgrade 3 4 IRF System Upgrade 3 5...

Страница 943: ...file copy and display If an operation delete or overwrite for example causes problems such as data loss or corruption the file system will prompt you to confirm the operation by default Depending on...

Страница 944: ...haracters flash test a txt Indicates that a file named a txt is in the test folder under the root directory of the flash memory on the master To read and write the a txt file under the root directory...

Страница 945: ...oved must be empty meaning that before you remove a directory you must delete all the files and the subdirectory under this directory For file deletion refer to the delete command for subdirectory del...

Страница 946: ...Renaming a file To do Use the command Remarks Rename a file rename fileurl source fileurl dest Required Available in user view Copying a file To do Use the command Remarks Copy a file copy fileurl so...

Страница 947: ...n To do Use the command Remarks Enter the original working directory of the file to be deleted cd directory Optional If the original directory of the file to be deleted is not the current working dire...

Страница 948: ...medium space To do Use the command Remarks Restore the space of a storage medium fixdisk device Optional Available in user view Format a storage medium format device Optional Available in user view z...

Страница 949: ...3cd bin 4 drw Apr 26 2007 19 58 11 test 15240 KB total 9943 KB free Create a new folder called mytest under the test directory Sysname cd test Sysname mkdir mytest Created dir flash test mytest Displa...

Страница 950: ...ration settings z Lists commands in sections by views usually in the order of system view interface view and routing protocol view Sections are separated with one or multiple blank lines or comment li...

Страница 951: ...save the current configuration to the startup configuration file before the device reboots Complete these tasks to save the current configuration Task Remarks Enabling configuration file auto save Op...

Страница 952: ...g z Whether the save safely backup main command or the save filename all command Enter takes effect on all the member devices or on the master only depends on whether the configuration file auto save...

Страница 953: ...nd the specified replacement configuration file z The rollback operation does not execute the commands that are the same in the replacement configuration file and in the current configuration file z T...

Страница 954: ...iles If you change the path of the saved configuration files the files in the original path become common configuration files and are not processed as saved configuration files The number of saved con...

Страница 955: ...t running configuration automatically You can configure the system to save the current running configuration at a specified interval and use the display archive configuration command to view the filen...

Страница 956: ...ning configuration manually otherwise the operation fails Setting configuration rollback Follow these steps to set configuration rollback To do Use the command Remarks Enter system view system view Se...

Страница 957: ...startup To do Use the command Remarks Specify a startup configuration file for the next system startup of all the member devices startup saved configuration cfgfile backup main Required Available in...

Страница 958: ...You may need to delete the startup configuration file for the next startup for one of these reasons z After you upgrade system software the existing configuration file does not match the new system s...

Страница 959: ...Displaying and Maintaining Device Configuration To do Use the command Remarks Display the information about configuration rollback display archive configuration Available in any view Display the curr...

Страница 960: ...r btm z ASCII mode for text file transmission like files with the suffixes txt bat or cfg Operation of FTP FTP adopts the client server model Your device can function either as the client or as the se...

Страница 961: ...FTP server configuration on the device Configure authentication and authorization Configure the username password authorized working directory for an FTP user The device does not support anonymous FTP...

Страница 962: ...matched route as the source IP address to communicate with an FTP server z If the source address is specified with the ftp client source or ftp command this source address is used to communicate with...

Страница 963: ...nd is available in FTP client view Configuring the FTP Client After a device serving as the FTP client has established a connection with the FTP server For how to establish an FTP connection refer to...

Страница 964: ...erver rmdir directory Optional Disconnect from the FTP server without exiting the FTP client view disconnect Optional Equal to the close command Disconnect from the FTP server without exiting the FTP...

Страница 965: ...FTP server Configuration procedure If the available memory space of the device is not enough use the fixdisk command to clear the memory or use the delete unreserved file url command to delete the fil...

Страница 966: ...f the storage medium You can copy or move a file to the root directory of the storage medium For the details of the boot loader command refer to Device Management Commands in the System Volume IRF Sys...

Страница 967: ...newest bin z Download the startup file newest bin from PC to the root directory of the storage medium of a slave with member ID of 2 ftp get newest bin slot2 flash newest bin Upload the configuration...

Страница 968: ...ode the FTP server writes data to the storage medium while receiving data This means that any anomaly power failure for example during file transfer might result in file corruption on the FTP server T...

Страница 969: ...upport FTP anonymous user access Assign a password to the user password simple cipher password Required Assign the FTP service to the user service type ftp Required By default the system does not supp...

Страница 970: ...s password to pwd and the user privilege level to level 3 the manage level Sysname system view Sysname local user ftp Sysname luser ftp password simple pwd Sysname luser ftp authorization attribute wo...

Страница 971: ...et config cfg back config cfg Upload the configuration file newest bin to Device ftp put newest bin ftp bye z You can take the same steps to upgrade configuration file with FTP When upgrading the conf...

Страница 972: ...sword to pwd for the FTP client to log in to the FTP server Figure 2 5 Smooth upgrading using the FTP server Configuration procedure 1 Configure Device FTP Server Create an FTP user account ftp set it...

Страница 973: ...41 5120ei cfg 15240 KB total 11004 KB free 2 Configure the PC FTP Client Log in to the FTP server through FTP c ftp 1 1 1 1 Connected to 1 1 1 1 220 FTP service ready User 1 1 1 1 none abc 331 Passwo...

Страница 974: ...ext reboot on slot 2 Reboot the device and the startup file is updated at the system reboot Sysname reboot The startup file used for the next startup must be saved under the root directory of the stor...

Страница 975: ...s initiated by the client z In a normal file downloading process the client sends a read request to the TFTP server receives data from the server and then sends the acknowledgement to the server z In...

Страница 976: ...e secure mode or if you use the normal mode specify a filename not existing in the current directory as the target filename when downloading the startup file or the startup configuration file Source a...

Страница 977: ...ddress get put sget source filename destination filename source interface interface type interface number ip source ip address Optional Available in user view Download or upload a file in an IPv6 netw...

Страница 978: ...omitted z On the PC enable the TFTP server z Configure a TFTP working directory 2 Configure Device TFTP Client If the available memory space of the device is not enough use the fixdisk command to clea...

Страница 979: ...vice and PC z Device downloads a startup file from PC for upgrading and uploads a configuration file named config cfg to PC for backup Figure 3 3 Smooth upgrading using the TFTP client function Config...

Страница 980: ...be used at the next startup for all the member devices Sysname boot loader file newest bin slot all main This command will set the boot file of the specified board Continue Y N y The specified file wi...

Страница 981: ...aying and Maintaining HTTP 1 3 HTTP Configuration Example 1 3 2 HTTPS Configuration 2 1 HTTPS Overview 2 1 HTTPS Configuration Task List 2 1 Associating the HTTPS Service with an SSL Server Policy 2 2...

Страница 982: ...ally the port number is 80 2 The client sends a request to the server 3 The server processes the request and sends back a response 4 The TCP connection is closed Logging In to the Device Through HTTP...

Страница 983: ...HTTP service is 80 If you execute the ip http port command for multiple times the last configured port number is used Associating the HTTP Service with an ACL By associating the HTTP service with an A...

Страница 984: ...t A 10 1 1 2 24 10 2 1 2 24 Device Host B 10 2 1 1 24 Configuration procedure 1 Configure the HTTP server Device Create a basic ACL 2000 allowing packets with the source IP address in 10 1 1 0 24 Devi...

Страница 985: ...1 1...

Страница 986: ...ss the device securely and prohibit the illegal clients z Encrypts the data exchanged between the HTTPS client and the device to ensure the data security and integrity thus realizing the security mana...

Страница 987: ...nly associated with the last specified SSL server policy z When the HTTPS service is disabled the association between the HTTPS service and the SSL server is automatically removed To enable it again y...

Страница 988: ...ssociate the HTTPS service with a certificate attribute access control policy To do Use the command Remarks Enter system view system view Associate the HTTPS service with a certificate attribute acces...

Страница 989: ...fault z If you execute the ip https acl command for multiple times to associate the HTTPS service with different ACLs the HTTPS service is only associated with the last specified ACL z For the detaile...

Страница 990: ...as ssl security com Device system view Device pki entity en Device pki entity en common name http server1 Device pki entity en fqdn ssl security com Device pki entity en quit Configure a PKI domain 1...

Страница 991: ...server policy myssl Associate the HTTPS service with certificate attribute access control policy myacp ensuring that only HTTPS clients retrieving a certificate from new ca can access the HTTPS server...

Страница 992: ...MP Logging 1 5 Introduction to SNMP Logging 1 5 Enabling SNMP Logging 1 5 SNMP Trap Configuration 1 6 Enabling the Trap Function 1 6 Configuring Trap Parameters 1 7 Displaying and Maintaining SNMP 1 8...

Страница 993: ...the underlying networking technology Thus SNMP achieves effective management of devices from different manufacturers especially in small high speed and low cost network environments SNMP Mechanism An...

Страница 994: ...and agent preventing the packets from being intercepted USM ensures a more secure communication between SNMP NMS and SNMP agent by authentication with privacy authentication without privacy or no auth...

Страница 995: ...are as follows Hangzhou H3C Tech Co Ltd for contact Hangzhou China for location and SNMP v3 for the version Configure an SNMP agent group snmp agent group v3 group name authentication privacy read vie...

Страница 996: ...v3 all Required The defaults are as follows Hangzhou H3C Tech Co Ltd for contact Hangzhou China for location and SNMP v3 for the version Configur e directly Create an SNMP commun ity snmp agent commu...

Страница 997: ...ex of the SET response These logs will be sent to the information center and the level of them is informational that is they are taken as the system prompt information With parameters for the informat...

Страница 998: ...specific modules as needed With the trap function enabled on a module the traps generated by the module will be sent to the information center The information center has seven information output desti...

Страница 999: ...MP module the SNMP module saves the traps in the trap queue You can set the size of the queue and the holding time of the traps in the queue and you can also send the traps to the specified destinatio...

Страница 1000: ...Display SNMP agent system information including the contact location and version of the SNMP display snmp agent sys info contact location version Display SNMP agent statistics display snmp agent stati...

Страница 1001: ...name snmp agent community write private Configure VLAN interface 2 with the IP address of 1 1 1 1 24 Add the port GigabitEthernet 1 0 1 to VLAN 2 Sysname vlan 2 Sysname vlan2 port GigabitEthernet 1 0...

Страница 1002: ...LAN interface on the agent is 1 1 1 1 24 z Configure community name access right and SNMP version on the agent Figure 1 4 Network diagram for SNMP logging Configuration procedure The configurations fo...

Страница 1003: ...1 02 49 40 566 2006 The time when SNMP log is generated seqNO Sequence number of the SNMP log srcIP IP address of NMS op SNMP operation type GET or SET node Node name of the SNMP operations and OID o...

Страница 1004: ...le management of the device the device allows you to configure MIB style that is you can switch between the two styles of MIBs However you need to ensure that the MIB style of the device is the same a...

Страница 1005: ...uration 1 1 RMON Overview 1 1 Introduction 1 1 Working Mechanism 1 1 RMON Groups 1 2 Configuring RMON 1 3 Configuration Prerequisites 1 3 Configuration Procedure 1 3 Displaying and Maintaining RMON 1...

Страница 1006: ...k monitor or a network probe It monitors and collects statistics on traffic over the network segments connected to its interfaces such as the total number of packets passed through a network segment o...

Страница 1007: ...n upper event is triggered if the sampled value of the monitored variable is lower than or equal to the lower threshold a lower event is triggered The event is then handled as defined in the event gro...

Страница 1008: ...undersize oversize packets broadcasts multicasts bytes received packets received bytes sent packets sent and so on After the creation of a statistics entry on an interface the statistics group starts...

Страница 1009: ...that can be created the creation fails z When you create an entry in the history table if the specified buckets number argument exceeds the history table size supported by the device the entry will be...

Страница 1010: ...g entry number Available in any view RMON Configuration Example Network requirements Agent is connected to a configuration terminal through its console port and to a remote NMS across the Internet Cre...

Страница 1011: ...sname rmon event 1 log owner 1 rmon Configure an alarm group to sample received bytes on GigabitEthernet 1 0 1 When the received bytes exceed the upper or below the lower limit logging is enabled Sysn...

Страница 1012: ...MAC Learning Limit 1 4 Displaying and Maintaining MAC Address Table 1 5 MAC Address Table Configuration Example 1 5 2 MAC Information Configuration 2 1 Overview 2 1 Introduction to MAC Information 2...

Страница 1013: ...nd ID of the VLAN to which the interface belongs When forwarding a frame the device looks up the MAC address table according to the destination MAC address of the frame to rapidly determine the egress...

Страница 1014: ...d specific user devices to the port thus preventing hackers from stealing data using forged MAC addresses Manually configured MAC address table entries have a higher priority than dynamically learned...

Страница 1015: ...se steps to add modify or remove entries in the MAC address table globally To do Use the command Remarks Enter system view system view mac address blackhole mac address vlan vlan id Add modify a MAC a...

Страница 1016: ...address entries learned or administratively configured only Configuring the MAC Learning Limit To prevent a MAC address table from getting so large that it may degrade forwarding performance you may...

Страница 1017: ...cs Available in any view MAC Address Table Configuration Example Network requirements Log onto your device from the Console port to configure MAC address table management as follows z Set the aging ti...

Страница 1018: ...1 6...

Страница 1019: ...tion Works When a new MAC address is learned or an existing MAC address is deleted on a device the device writes related information about the MAC address to the buffer area used to store user informa...

Страница 1020: ...g the Interval for Sending Syslog or Trap Messages To prevent Syslog or Trap messages being sent too frequently and thus affecting system performance you can set the interval for sending Syslog or Tra...

Страница 1021: ...twork requirements z Host A is connected to a remote server Server through Device z Enable MAC Information on GigabitEthernet 1 0 1 on Device Device sends MAC address change information using Syslog m...

Страница 1022: ...hernet1 0 1 mac address information enable added Device GigabitEthernet1 0 1 mac address information enable deleted Device GigabitEthernet1 0 1 quit Set the MAC Information queue length to 100 Device...

Страница 1023: ...Debugging 1 1 System Maintaining and Debugging Overview 1 1 Introduction to System Maintaining 1 1 Introduction to System Debugging 1 2 System Maintaining and Debugging 1 3 System Maintaining 1 3 Syst...

Страница 1024: ...istics Output of the ping command falls into the following z The ping command can be applied to the destination s name or IP address If the destination s name is unknown the prompt information is disp...

Страница 1025: ...nformation to help users diagnose errors The following two switches control the display of debugging information z Protocol debugging switch which controls protocol specific debugging information z Sc...

Страница 1026: ...te from the source to the destination tracert ipv6 f first ttl m max ttl p port q packet number w timeout remote system Optional Used in IPv6 network Available in any view z For a low speed network yo...

Страница 1027: ...the detailed debugging information on the terminal For the detailed description on the terminal debugging and terminal monitor commands refer to Information Center Commands in the System Volume Syste...

Страница 1028: ...tem Information to a Log Host 1 8 Outputting System Information to the Trap Buffer 1 9 Outputting System Information to the Log Buffer 1 10 Outputting System Information to the SNMP Module 1 11 Config...

Страница 1029: ...dule z Outputs the above information to different information channels according to the user defined output rules z Outputs the information to different destinations based on the information channel t...

Страница 1030: ...tem information The system supports six information output destinations including the console monitor terminal monitor log buffer log host trap buffer and SNMP module The specific destinations support...

Страница 1031: ...information source modules Default output rules of system information The default output rules define the source modules allowed to output information on each output destination the output information...

Страница 1032: ...ons z If the output destination is not the log host such as console monitor terminal logbuffer trapbuffer SNMP the system information is in the following format timestamp sysname module level digest c...

Страница 1033: ...conds sysname Sysname is the system name of the current host You can use the sysname command to modify the system name Refer to Basic System Configuration Commands in the System Volume for details Thi...

Страница 1034: ...tor Terminal Optional Outputting System Information to a Log Host Optional Outputting System Information to the Trap Buffer Optional Outputting System Information to the Log Buffer Optional Outputting...

Страница 1035: ...e command Remarks Enable the monitoring of system information on the console terminal monitor Optional Enabled on the console and disabled on the monitor terminal by default Enable the display of debu...

Страница 1036: ...monitor terminal you need to enable the associated display function in order to display the output information on the monitor terminal Follow these steps to enable the display of system information on...

Страница 1037: ...rimary IP address of this interface is the source IP address of the log information Configure the format of the time stamp for system information output to the log host info center timestamp loghost d...

Страница 1038: ...ion center info center enable Optional Enabled by default Name the channel with a specified channel number info center channel channel number name channel name Optional Refer to Table 1 2 for default...

Страница 1039: ...odule info center snmp channel channel number channel name Optional By default system information is output to the SNMP module through channel 5 known as snmpagent Configure the output rules of the sy...

Страница 1040: ...n in some cases for example z You only concern the states of some of the ports In this case you can use this function to disable the other ports from generating link up down logging information z The...

Страница 1041: ...play the configuration of the log file display logfile summary Available in any view Display the state of the trap buffer and the trap information recorded display trapbuffer reverse size buffersize A...

Страница 1042: ...tional to be output to the log host Note that the source modules allowed to output information depend on the device model Sysname info center source arp channel loghost log level informational state o...

Страница 1043: ...t ps ae grep syslogd 147 kill HUP 147 syslogd r After the above configurations the system will be able to record log information into the log file Outputting Log Information to a Linux Log Host Networ...

Страница 1044: ...Device info log Step 3 Edit file etc syslog conf and add the following contents Device configuration messages local5 info var log Device info log In the above configuration local5 is the name of the l...

Страница 1045: ...ut of log trap and debugging information of all modules on channel console Sysname info center source default channel console debug state off log state off trap state off As the default system configu...

Страница 1046: ...terminal monitor Current terminal monitor is on Sysname terminal logging Current terminal logging is on After the above configuration takes effect if the specified module generates log information the...

Страница 1047: ...Interfaces Through a PoE Configuration File 1 3 Configuring PoE Power Management 1 5 Configuring PD Power Management 1 5 Configuring the PoE Monitoring Function 1 6 Configuring PSE Power Monitoring 1...

Страница 1048: ...et interfaces through twisted pair cables Advantages z Reliable Power is supplied in a centralized way so that it is very convenient to provide a backup power supply z Easy to connect A network termin...

Страница 1049: ...onal z When the PoE power or PSE fails you cannot configure PoE z Turning off of the PoE power during the startup of the device might result in the failure to restore the PoE Profile Configuring the P...

Страница 1050: ...default Configure a description for the PD connected to the PoE interface poe pd description string Optional By default no description for the PD connected to the PoE interface is available Configurin...

Страница 1051: ...figur ation file to the PoE interface s Apply the PoE configuration file to the current PoE interface in PoE interface view apply poe profile index index name profile name Use either approach z After...

Страница 1052: ...for a PoE interface the interface with a higher priority can preempt the power of the interface with a lower priority to ensure the normal working of the higher priority interface z If the sudden inc...

Страница 1053: ...lue exceeds the limited range the system will automatically take some measures to protect itself Configuring PSE Power Monitoring The system sends a Trap message when the percentage of power utilizati...

Страница 1054: ...n Mode To detect the PD connection with PSE PoE provides two detection modes AC detection and DC detection The AC detection mode is energy saving relative to the DC detection mode Follow these steps t...

Страница 1055: ...e pse pse id interface power Display all information of the configurations and applications of the PoE configuration file display poe profile index index name profile name Display all information of t...

Страница 1056: ...Sysname GigabitEthernet1 0 12 poe enable Sysname GigabitEthernet1 0 12 quit Set the power priority level of GigabitEthernet 1 0 2 to critical Sysname system view Sysname interface GigabitEthernet 1 0...

Страница 1057: ...the configuration requirements of the PoE interface z Another PoE configuration file is already applied to the PoE interface Solution z In the first case you can solve the problem by removing the ori...

Страница 1058: ...tallation Task List 1 6 Configuring the Patch File Location 1 6 Loading a Patch File 1 6 Activating Patches 1 7 Confirm Running Patches 1 7 One Step Patch Uninstallation 1 8 Step by Step Patch Uninsta...

Страница 1059: ...they will be numbered as 1 2 and 3 respectively Incremental patch Patches in a patch file are all incremental patches An incremental patch means that the patch is dependent on the previous patch units...

Страница 1060: ...turn to the ACTIVE state Figure 1 1 Relationship between patch state changes and command actions Information about patch states is saved in file patchstate on the flash It is recommended not to opera...

Страница 1061: ...te At this time the patch states in the system are as shown in Figure 1 3 The patches that are in the DEACTIVE state will be still in the DEACTIVE state after system reboot Figure 1 3 A patch file is...

Страница 1062: ...of the system are as shown in Figure 1 5 Figure 1 5 Patches are running The patches that are in the RUNNING state will be still in the RUNNING state after system reboot Hotfix Configuration Task List...

Страница 1063: ...h name for device Table 1 1 Default patch names for device Product PATCH FLAG Default patch name S5120 EI PATCH XXX patch_xxx bin The loading and installation are performed on all member devices Befor...

Страница 1064: ...patch file location patch location patch location Optional flash by default z The directory specified by the patch location argument must exist on each member device If one member device does not have...

Страница 1065: ...s of some problem you can reboot the device to deactivate the patch so as to avoid a series of running faults resulting from patch error Follow the steps below to activate patches To do Use the comman...

Страница 1066: ...stop running a patch the patch state becomes DEACTIVE and the system runs in the way before it is installed with the patch Follow the steps below to stop running patches To do Use the command Remarks...

Страница 1067: ...ix configuration Configuration procedure 1 Configure TFTP Server Note that the configuration varies depending on server type and the configuration procedure is omitted z Enable the TFTP server functio...

Страница 1068: ...nfiguration procedure 1 Configure the TFTP server Note that the configuration varies depending on server type and the configuration procedure is omitted z Enable the TFTP server function z Save the pa...

Страница 1069: ...e patch install flash Patches will be installed Continue Y N y Do you want to continue running patches after reboot Y N y Installing patches Installation completed and patches will continue to run aft...

Страница 1070: ...g a Voice Test 1 15 Configuring a DLSw Test 1 17 Configuring the Collaboration Function 1 18 Configuring Trap Delivery 1 19 Configuring the NQA Statistics Function 1 20 Configuring Optional Parameters...

Страница 1071: ...nsfer rate With the NQA test results you can 1 Know network performance in time and then take corresponding measures 2 Diagnose and locate network faults Features of NQA Supporting multiple test types...

Страница 1072: ...d Take static routing as an example You have configured a static route with the next hop 192 168 0 88 If 192 168 0 88 is reachable the static route is valid if 192 168 0 88 is unreachable the static r...

Страница 1073: ...est one probe means to carry out a corresponding function z For an ICMP echo or UDP echo test one packet is sent in one probe z For an SNMP test three packets are sent in one probe NQA client and serv...

Страница 1074: ...e the following configurations on the NQA client 1 Enable the NQA client 2 Create a test group and configure test parameters according to the test type The test parameters may vary with test types 3 S...

Страница 1075: ...r tcp connect udp echo ip address port number Required The IP address and port number must be consistent with those configured on the NQA client and must be different from those of an existing listeni...

Страница 1076: ...cho and enter test type view type icmp echo Required Configure the destination address for a test operation destination ip ip address Required By default no destination IP address is configured for a...

Страница 1077: ...a DHCP server on the network as well as the time necessary for the DHCP server to respond to a client request and assign an IP address to the client Configuration prerequisites Before performing a DH...

Страница 1078: ...example you need to configure the username and password used to log onto the FTP server For the FTP server configuration see File System Management Configuration in the System Volume Configuring an FT...

Страница 1079: ...the get command the device does not save the files obtained from the FTP server z When you execute the get command the FTP test cannot succeed if a file named file name does not exist on the FTP serve...

Страница 1080: ...for the HTTP is get that is obtaining data from the HTTP server Configure the website that an HTTP test visits url url Required Configure the HTTP version used in the HTTP test http version v1 0 Opti...

Страница 1081: ...r system view system view Enter NQA test group view nqa entry admin name operation tag Configure the test type as UDP jitter and enter test type view type udp jitter Required Configure the destination...

Страница 1082: ...arameters See Configuring Optional Parameters Common to an NQA Test Group Optional The number of probes made in a UDP jitter test depends on the probe count command while the number of probe packets s...

Страница 1083: ...tween the client and the specified port on the NQA server and the setup time for the connection thus judge the availability and performance of the services provided on the specified port on the server...

Страница 1084: ...onnectivity and roundtrip time of a UDP echo packet from the client to the specified UDP port on the NQA server Configuration prerequisites A UDP echo test requires cooperation between the NQA server...

Страница 1085: ...an interface on the device and the interface must be up Otherwise the test will fail Configure common optional parameters See Configuring Optional Parameters Common to an NQA Test Group Optional Conf...

Страница 1086: ...when you evaluate the voice quality Configuration prerequisites A voice test requires cooperation between the NQA server and the NQA client Before a voice test make sure that the UDP listening functi...

Страница 1087: ...1 law codec type and is 32 bytes for G 729 A law codec type Configure the filler string of a probe packet sent data fill string Optional By default the filler string of a probe packet is the hexadecim...

Страница 1088: ...be up Otherwise the test will fail Configure common optional parameters See Configuring Optional Parameters Common to an NQA Test Group Optional Configuring the Collaboration Function Collaboration is...

Страница 1089: ...he snmp agent target host command create an NQA test group and configure related parameters For the introduction to the snmp agent target host command see SNMP Commands in the System Volume Configurin...

Страница 1090: ...unction To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Enter test type view of the test group type dlsw ftp http icmp echo snm...

Страница 1091: ...obes in an NQA test probe count times Optional By default one probe is performed in a test Only one probe can be made in one voice test Therefore this command is not available in a voice test Configur...

Страница 1092: ...use the display clock command to view the current system time Configuration prerequisites Before scheduling an NQA test group make sure z Required test parameters corresponding to a test type have bee...

Страница 1093: ...ndtrip time of packets Figure 1 3 Network diagram for ICMP echo tests Configuration procedure Create an ICMP echo test group and configure related test parameters DeviceA system view DeviceA nqa entry...

Страница 1094: ...se Status Time 370 3 Succeeded 2007 08 23 15 00 01 2 369 3 Succeeded 2007 08 23 15 00 01 2 368 3 Succeeded 2007 08 23 15 00 01 2 367 5 Succeeded 2007 08 23 15 00 01 2 366 3 Succeeded 2007 08 23 15 00...

Страница 1095: ...res due to timeout 0 Failures due to disconnect 0 Failures due to no connection 0 Failures due to sequence error 0 Failures due to internal error 0 Failures due to other errors 0 Packet s arrived late...

Страница 1096: ...tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 173 173 173 Square Sum of round trip time 29929 Last succeeded pro...

Страница 1097: ...A undo nqa schedule admin test Display results of the last HTTP test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation ti...

Страница 1098: ...admin test udp jitter destination ip 10 2 2 2 DeviceA nqa admin test udp jitter destination port 9000 DeviceA nqa admin test udp jitter frequency 1000 DeviceA nqa admin test udp jitter quit Enable UDP...

Страница 1099: ...delay 15 Max DS delay 16 Min SD delay 7 Min DS delay 7 Number of SD delay 10 Number of DS delay 10 Sum of SD delay 78 Sum of DS delay 85 Square sum of SD delay 666 Square sum of DS delay 787 SD lost...

Страница 1100: ...DS delay 3891 Square sum of SD delay 45987 Square sum of DS delay 49393 SD lost packet s 0 DS lost packet s 0 Lost packet s for unknown reason 0 The display nqa history command cannot show you the re...

Страница 1101: ...min test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 50 50 50 Square Sum of round trip t...

Страница 1102: ...eA nqa schedule admin test start time now lifetime forever Disable TCP test after the test begins for a period of time DeviceA undo nqa schedule admin test Display results of the last TCP test DeviceA...

Страница 1103: ...lated test parameters DeviceA system view DeviceA nqa entry admin test DeviceA nqa admin test type udp echo DeviceA nqa admin test udp echo destination ip 10 2 2 2 DeviceA nqa admin test udp echo dest...

Страница 1104: ...Configuration procedure 1 Configure Device B Enable the NQA server and configure the listening IP address as 10 2 2 2 and port number as 9000 DeviceB system view DeviceB nqa server enable DeviceB nqa...

Страница 1105: ...erage 6 Positive SD square sum 54127 Positive DS square sum 1691967 Min negative SD 1 Min negative DS 1 Max negative SD 203 Max negative DS 1297 Negative SD number 255 Negative DS number 259 Negative...

Страница 1106: ...egative DS 1297 Negative SD number 1028 Negative DS number 1022 Negative SD sum 1028 Negative DS sum 1022 Negative SD average 4 Negative DS average 5 Negative SD square sum 495901 Negative DS square s...

Страница 1107: ...o nqa schedule admin test Display the result of the last DLSw test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation time...

Страница 1108: ...NQA test group Create an NQA test group with the administrator name being admin and operation tag being test SwitchA nqa entry admin test Configure the test type of the NQA test group as ICMP echo Swi...

Страница 1109: ...127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 The above information shows that the static route with the next hop 10 2 1 1 is active and the status of the track entry is positive The static route configur...

Страница 1110: ...127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 The above information shows that the next hop 10 2 1 1 of the static route is not reachable and the status of the track entry is negative Th...

Страница 1111: ...ce for NTP Messages 1 11 Disabling an Interface from Receiving NTP Messages 1 12 Configuring the Maximum Number of Dynamic Sessions Allowed 1 12 Configuring Access Control Rights 1 13 Configuration Pr...

Страница 1112: ...pplications of NTP An administrator can by no means keep time synchronized among all the devices within a network by changing the system clock on each station because this is a huge amount of workload...

Страница 1113: ...ranges from 1 to 15 The clock accuracy decreases as the stratum number increases A stratum 16 clock is in the unsynchronized state and cannot serve as a reference clock z The local clock of an S5120 E...

Страница 1114: ...erver namely Device A synchronizes its clock to that of Device B z It takes 1 second for an NTP message to travel from one device to the other Figure 1 1 Basic work flow of NTP IP network IP network I...

Страница 1115: ...t a must for clock synchronization it will not be discussed in this document All NTP messages mentioned in this document refer to NTP clock synchronization messages A clock synchronization message is...

Страница 1116: ...it Timestamp the local time at which the reply departed from the service host for the client z Authenticator authentication information Operation Modes of NTP Devices running NTP can implement clock s...

Страница 1117: ...fter receiving the first broadcast message the client sends a request Clock synchronization message exchange Mode 3 and Mode 4 Periodically broadcasts clock synchronization messages Mode 5 Calculates...

Страница 1118: ...es the first multicast message the client and the server start to exchange messages with the Mode field set to 3 client mode and 4 server mode to calculate the network delay between client and the ser...

Страница 1119: ...when you carry out a command to synchronize the time to a server the system will create a static association and the server will just respond passively upon the receipt of a message rather than creat...

Страница 1120: ...ymmetric active device To do Use the command Remarks Enter system view system view Specify a symmetric passive peer for the device ntp service unicast peer ip address peer name authentication keyid ke...

Страница 1121: ...mber Required Enter the interface used to receive NTP broadcast messages Configure the device to work in the NTP broadcast client mode ntp service broadcast client Required Configuring the broadcast s...

Страница 1122: ...NTP multicast server mode ntp service multicast server ip address authentication keyid keyid ttl ttl number version number Required z A multicast server can synchronize broadcast clients only after it...

Страница 1123: ...t or multicast NTP messages is the interface configured with the respective command z If the specified source interface for NTP messages is down the source IP address for an NTP message that is sent o...

Страница 1124: ...full access This level of right permits the peer devices to perform synchronization and control query to the local device and also permits the local device to synchronize its clock to that of a peer d...

Страница 1125: ...he symmetric peer mode Otherwise the NTP authentication feature cannot be normally enabled z For the broadcast server mode or multicast server mode you need to associate the specified authentication k...

Страница 1126: ...er Follow these steps to configure NTP authentication for a server To do Use the command Remarks Enter system view system view Enable NTP authentication ntp service authentication enable Required Disa...

Страница 1127: ...onfiguration Examples Configuring NTP Client Server Mode Network requirements Perform the following configurations to synchronize the time between Device B and Device A z The local clock of Switch A i...

Страница 1128: ...stratum level of Switch B is 3 while that of Switch A is 2 View the NTP session information of Switch B which shows that an association has been set up between Switch B and Switch A SwitchB display n...

Страница 1129: ...oot delay 15 00 ms Root dispersion 775 15 ms Peer dispersion 34 29 ms Reference time 15 22 47 083 UTC Sep 19 2005 C6D95647 153F7CED As shown above Device B has been synchronized to Device A and the cl...

Страница 1130: ...1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 Configuring NTP Broadcast Mode Network requirements As shown in Figure 1 9 Switch C functions as the NTP server f...

Страница 1131: ...A gets synchronized upon receiving a broadcast message from Switch C View the NTP status of Switch A after clock synchronization SwitchA Vlan interface2 display ntp service status Clock status synchr...

Страница 1132: ...evices To realize this requirement perform the following configurations z The local clock of Switch C is to be used as the master clock with a stratum level of 2 z Switch C works in the multicast serv...

Страница 1133: ...2 SwitchD system view SwitchD interface vlan interface 2 SwitchD Vlan interface2 ntp service multicast client Because Switch D and Switch C are on the same subnet Switch D can receive the multicast me...

Страница 1134: ...nable SwitchB interface vlan interface 2 SwitchB Vlan interface2 pim dm SwitchB Vlan interface2 quit SwitchB vlan 3 SwitchB vlan3 port gigabitethernet 1 0 1 SwitchB vlan3 quit SwitchB interface vlan i...

Страница 1135: ...ient Server Mode with Authentication Network requirements As shown in Figure 1 11 perform the following configurations to synchronize the time between Device B and Device A and ensure network security...

Страница 1136: ...000 ms Root delay 31 00 ms Root dispersion 1 05 ms Peer dispersion 7 81 ms Reference time 14 53 27 371 UTC Sep 19 2005 C6D94F67 5EF9DB22 As shown above Switch B has been synchronized to Switch A and t...

Страница 1137: ...pecify Switch C as an NTP broadcast server and specify an authentication key SwitchC interface vlan interface 2 SwitchC Vlan interface2 ntp service broadcast server authentication keyid 88 3 Configura...

Страница 1138: ...2005 C6D95F6F B6872B02 As shown above Switch D has been synchronized to Switch C and the clock stratum level of Switch D is 4 while that of Switch C is 3 View the NTP session information of Switch D...

Страница 1139: ...ween the Management Device and the Member Devices Within a Cluster 1 11 Configuring Cluster Management Protocol Packets 1 11 Cluster Member Management 1 12 Configuring the Member Devices 1 13 Enabling...

Страница 1140: ...ng topology discovery and display function which is useful for network monitoring and debugging z Allowing simultaneous software upgrading and parameter configuration on multiple devices free of topol...

Страница 1141: ...ent is implemented through HW Group Management Protocol version 2 HGMPv2 which consists of the following three protocols z Neighbor Discovery Protocol NDP z Neighbor Topology Discovery Protocol NTDP z...

Страница 1142: ...nformation of all its neighbors The information collected will be used by the management device or the network management software to implement required functions When a member device detects a change...

Страница 1143: ...aves the state information of its member device and identifies it as Active And the member device also saves its state information and identifies itself as Active z After a cluster is created its mana...

Страница 1144: ...he management VLAN cannot pass a port the device connected with the port cannot be added to the cluster Therefore if the ports including the cascade ports connecting the management device and the memb...

Страница 1145: ...r Optional Configuring Cluster Management Protocol Packets Optional Configuring the Management Device Cluster Member Management Optional Enabling NDP Optional Enabling NTDP Optional Manually Collectin...

Страница 1146: ...ed to a cluster that is the entry with the destination address as the management device cannot be added to the routing table the candidate device will be added to and removed from the cluster repeated...

Страница 1147: ...ckets otherwise the NDP table may become instable Enabling NTDP Globally and for Specific Ports For NTDP to work normally you must enable NTDP both globally and on specific ports Follow these steps to...

Страница 1148: ...3 by default Configure the interval to collect topology information ntdp timer interval time Optional 1 minute by default Configure the delay to forward topology collection request packets on the fir...

Страница 1149: ...cluster in two ways manually and automatically With the latter you can establish a cluster according to the prompt information The system 1 Prompts you to enter a name for the cluster you want to est...

Страница 1150: ...packets and the holdtime of a device on the management device This configuration applies to all member devices within the cluster For a member device in Connect state z If the management device does n...

Страница 1151: ...y default Configure the interval to send MAC address negotiation broadcast packets cluster mac syn interval interval time Optional One minute by default When you configure the destination MAC address...

Страница 1152: ...ling NDP Refer to Enabling NDP Globally and for Specific Ports Enabling NTDP Refer to Enabling NTDP Globally and for Specific Ports Manually Collecting Topology Information Refer to Manually Collectin...

Страница 1153: ...hentication is passed z When a candidate device is added to a cluster and becomes a member device its super password will be automatically synchronized to the management device Therefore after a clust...

Страница 1154: ...ncluded in the blacklist the MAC address and access port of the latter are also included in the blacklist The candidate devices in a blacklist can be added to a cluster only if the administrator manua...

Страница 1155: ...e an NM host for a cluster the member devices in the cluster send their Trap messages to the shared SNMP NM host through the management device If the port of an access NM device including FTP TFTP ser...

Страница 1156: ...devices at one time simplifying the configuration process Follow these steps to configure the SNMP configuration synchronization function To do Use the command Remarks Enter system view system view En...

Страница 1157: ...onize the configurations to the member devices in the whitelist This operation is equal to performing the configurations on the member devices You need to enter your username and password when you log...

Страница 1158: ...y the current topology information or the topology path between two devices display cluster current topology mac address mac address to mac address mac address member id member number to member id mem...

Страница 1159: ...net 1 0 1 SwitchA GigabitEthernet1 0 1 ntdp enable SwitchA GigabitEthernet1 0 1 quit Enable the cluster function SwitchA cluster enable 2 Configure the member device Switch C As the configurations of...

Страница 1160: ...itchB ntdp timer port delay 15 Configure the interval to collect topology information as 3 minutes SwitchB ntdp timer 3 Configure the management VLAN of the cluster as VLAN 10 SwitchB vlan 10 SwitchB...

Страница 1161: ...5 1 abc_0 SwitchB cluster tftp server 63 172 55 1 abc_0 SwitchB cluster logging host 69 172 55 4 abc_0 SwitchB cluster snmp host 69 172 55 4 Add the device whose MAC address is 00E0 FC01 0013 to the b...

Страница 1162: ...1 14 Configuring IRF Ports 1 14 Setting a Member ID for a Device 1 15 Specifying a Priority for an IRF Member 1 16 Specifying the Preservation Time of IRF Bridge MAC Address 1 16 Enabling Auto Upgrade...

Страница 1163: ...top maintenance of multiple devices Hereinafter the virtual device is called IRF Therefore the IRF in this manual has two meanings one is the IRF technology the other the IRF device Advantages IRF fea...

Страница 1164: ...RF Basic Concepts The IRF virtualization technology involves in the following basic concepts Role The devices that form an IRF are called IRF members Each of them plays either of the following two rol...

Страница 1165: ...connection between two devices and then the IRF becomes two IRFs This process is IRF split Figure 1 3 IRF split Member priority Member priority decides the role of the member device during a role elec...

Страница 1166: ...d 2 and ports on the interface module in slot 2 are numbered 3 and 4 as shown in Figure 1 4 which illustrates an example of inserting a CX4 dual port interface module Figure 1 4 Numbering physical IRF...

Страница 1167: ...thernet switches to form an IRF Correspondence between an IRF port and a physical IRF port The connection of IRF ports is based on that of physical IRF ports therefore you need to bind an IRF port wit...

Страница 1168: ...port interface module is installed you need to bind IRF port 1 to physical IRF port 1 and IRF port 2 to physical IRF port 2 as shown in Figure 1 7 because the serial number of the physical IRF port bo...

Страница 1169: ...are installed you need to bind IRF port 1 to physical IRF port 1 and IRF port 2 to physical IRF port 3 z If one dual port interface module and one single port interface module are installed the corres...

Страница 1170: ...rom this port periodically Upon receiving the topology information the directly connected neighbor updates the local topology information The collection process lasts for a period of time When all mem...

Страница 1171: ...as an existing one cannot join the IRF You can use the following two methods to ensure the uniqueness of member IDs 1 Before establishing an IRF plan and configure member IDs for IRF members Use the m...

Страница 1172: ...ID 3 IRF Port1 IRF Port2 Device A MemberID 1 MemberID 1 MemberID 1 MemberID 1 Device B Device C Device D Suppose Device B is elected as the master after the IRF is formed Interface name For a device o...

Страница 1173: ...GigabitEthernet 1 0 1 to trunk perform the following steps Master system view Master interface gigabitethernet 3 0 1 Master GigabitEthernet3 0 1 port link type trunk File system name You can use the n...

Страница 1174: ...rent working path is the root directory of the flash on the master Master copy test bin slot3 flash Copy flash test bin to slot3 flash test bin Y N y Copy file flash test bin to slot3 flash test bin D...

Страница 1175: ...ember device is down or an IRF link is down its direct neighbor broadcasts the leaving of the device to other IRF members immediately The member devices receiving the leave message determine whether i...

Страница 1176: ...mmended or fibers and then power on the devices Logging In to the Master Required Logging In to an IRF Logging In to a Slave Optional IRF Configuration Configuring IRF Ports IRF can be enabled on a de...

Страница 1177: ...cided first and then the member IDs of slaves are decided one by one according to their distances to the master that is the nearest slave gets the smallest available ID and the nearer slave gets the s...

Страница 1178: ...defaults to 1 You can modify the priority through command lines The greater the priority value the higher the priority A member with a higher priority is more likely to be a master and more likely to...

Страница 1179: ...the IRF bridge MAC address remains unchanged z Not preserved As soon as the master leaves the system will use the bridge MAC address of the newly elected master as that of the IRF Follow these steps...

Страница 1180: ...em boot file occupies large memory space to make the auto upgrade succeed ensure that there is enough space on the storage media of the slave Setting the Delay Time for the Link Layer to Report a Link...

Страница 1181: ...tead of that of the master device The system enters user view of the salve device and the command prompt is changed to Sysname member ID for example Sysname 2 What you have input on the access termina...

Страница 1182: ...e in any view IRF Configuration Examples IRF Connection Configuration Example Network requirements Three S5120 EI series switches in an IRF form a daisy chain connection Their member IDs are 1 2 and 3...

Страница 1183: ...member 1 irf port 2 port 3 Configure Switch 3 Switch3 system view Switch3 irf member 1 renumber 3 Warning Renumbering the switch number may result in configuration change or loss Continue Y N y Switch...

Страница 1184: ...l Networking of Automatic Configuration 1 1 How Automatic Configuration Works 1 2 Work Flow of Automatic Configuration 1 2 Obtaining the IP Address of an Interface and Related Information Through DHCP...

Страница 1185: ...onfiguration files on a specified server and the device can automatically obtain and execute the configuration files therefore greatly reducing the workload of administrators Typical Networking of Aut...

Страница 1186: ...ters such as an IP address and name of a TFTP server IP address of a DNS server and the configuration file name 2 After getting related parameters the device will send a TFTP request to obtain the con...

Страница 1187: ...en a device starts up without loading the configuration file the system automatically configures the first active interface if an active Layer 2 Ethernet interface exists this first interface is a vir...

Страница 1188: ...The DHCP server will select an address pool where an IP address is statically bound to the MAC address or ID of the client and assign the statically bound IP address and other configuration parameters...

Страница 1189: ...z The configuration file specified by the Option 67 or file field in the DHCP response z The intermediate file with the file name as network cfg used to save the mapping between the IP address and th...

Страница 1190: ...its host name first and then requests the configuration file corresponding with the host name The device can obtain its host name in two steps obtaining the intermediate file from the TFTP server and...

Страница 1191: ...f the device performs the automatic configuration and the TFTP server are not in the same segment because broadcasts can only be transmitted in a segment For the detailed description of the UDP Helper...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды