manualshive.com logo in svg

H3C S5120-SI Series, Руководство по эксплуатации

Поделиться
Скачать
H3C S5120-SI Series Скачать руководство пользователя страница 416

 

1-1 

1  

PKI Configuration 

When configuring PKI, go to these sections for information you are interested in:  

z

 

Introduction to PKI 

z

 

PKI Configuration Task List 

z

 

Displaying and Maintaining PKI 

z

 

PKI Configuration Examples 

z

 

Troubleshooting PKI 

Introduction to PKI 

This section covers these topics: 

z

 

PKI Overview 

z

 

PKI Terms 

z

 

Architecture of PKI 

z

 

Applications of PKI 

z

 

Operation of PKI 

PKI Overview 

The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security 

through public key technologies.  

PKI, also called asymmetric key infrastructure, uses a key pair to encrypt and decrypt the data. The key 

pair consists of a private key and a public key. The private key must be kept secret while the public key 

needs to be distributed. Data encrypted by one of the two keys can only be decrypted by the other. 

A key problem of PKI is how to manage the public keys. Currently, PKI employs the digital certificate 

mechanism to solve this problem. The digital certificate mechanism binds public keys to their owners, 

helping distribute public keys in large networks securely.  

With digital certificates, the PKI system provides network communication and e-commerce with security 

services such as user authentication, data non-repudiation, data confidentiality, and data integrity. 

Currently, H3C's PKI system provides certificate management for Secure Sockets Layer (SSL). 

PKI Terms 

Digital certificate 

A digital certificate is a file signed by a certificate authority (CA) for an entity. It includes mainly the 

identity information of the entity, the public key of the entity, the name and signature of the CA, and the 

validity period of the certificate, where the signature of the CA ensures the validity and authority of the 

certificate. A digital certificate must comply with the international standard of ITU-T X.509. Currently, the 

most common standard is X.509 v3. 

This manual involves two types of certificates: local certificate and CA certificate. A local certificate is a 

digital certificate signed by a CA for an entity, while a CA certificate is the certificate of a CA. If multiple 

Содержание S5120-SI Series

Страница 1: ...H3C S5120 SI Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co Ltd http www h3c com Manual Version 6W101 20090625 Product Version Release 1101...

Страница 2: ...G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective o...

Страница 3: ...tion 10 IP Addressing Introduces IP address configuration 11 IP Performance Optimization Introduces IP performance fundamental and the related configuration 12 ARP Introduces ARP and the related confi...

Страница 4: ...g table management and the related configuration 36 Cluster Management Introduces the configuration of Cluster and the related configuration 37 HTTP Introduces the configuration of HTTP and HTTPS 38 S...

Страница 5: ...r Symbols Convention Description Means reader be extremely careful Improper operation may cause bodily injury Means reader be careful Improper operation may cause data loss or damage to equipment Mean...

Страница 6: ...Provides information about products and technologies as well as solutions Technical Support Document Technical Documents Provides several categories of product documentation such as installation conf...

Страница 7: ...e Release Notes 1 1 2 Correspondence Between Documentation and Software 2 1 Software Version 2 1 Manual List 2 1 3 Product Features 3 1 Introduction to Product 3 1 Feature Lists 3 1 Features 3 1 4 Net...

Страница 8: ...the H3C website Table 1 1 Download documentation from the H3C website How to apply for an account Access the homepage of H3C at http www h3c com and click Registration at the top right In the displaye...

Страница 9: ...C S5120 SI Series Ethernet Switches Command Manual are for the software version of Release 1101 of the S5120 SI series products Manual List Table 2 1 H3C S5120 SI Series Ethernet Switches Installation...

Страница 10: ...I series provide GE electrical interfaces for user access or low end switch convergence in the downlink direction Whereas in the uplink direction they are aggregated to large capacity Layer 3 switches...

Страница 11: ...ace z Enabling Bridging on an Ethernet Interface z Testing the Cable on an Ethernet Interface z Configuring the Storm Constrain Function on an Ethernet Interface 03 Loopback Interface and Null Interfa...

Страница 12: ...c route overview z Static route configuration 17 Mulitcast z Multicast overview z IGMP Snooping overview z Configuring Basic Functions of IGMP Snooping z Configuring IGMP Snooping Port Functions z Con...

Страница 13: ...agement z File system management z Configuration File Management 32 System Maintaining and Debugging z Maintenance and debugging overview z Maintenance and debugging configuration 33 Basic System Conf...

Страница 14: ...s can be used for Gigabit to the Desktop GTTD access in enterprise networks and connecting data center server clusters Several typical networking applications are presented in this section Distributio...

Страница 15: ...S5120 SI series can serve as access switches to provide large access bandwidth and high port density Figure 4 2 Application of the S5120 SI series at the access layer S9500 S7500E S5120 SI Access Cor...

Страница 16: ...e 2 10 Console Port Login Configuration with Authentication Mode Being Scheme 2 11 Configuration Procedure 2 11 Configuration Example 2 13 3 Logging In Through Telnet SSH 3 1 Introduction 3 1 Telnet C...

Страница 17: ...requisites 7 1 Controlling Telnet Users by Source IP Addresses 7 1 Controlling Telnet Users by Source and Destination IP Addresses 7 2 Controlling Telnet Users by Source MAC Addresses 7 3 Configuratio...

Страница 18: ...r Interface Supported User Interfaces H3C S5120 SI series Ethernet switch supports two types of user interfaces AUX and VTY Table 1 1 Description on user interface User interface Applicable user Port...

Страница 19: ...lt Specify to send messages to all user interfaces a specified user interface send all number type number Optional Execute this command in user view Disconnect a specified user interface free user int...

Страница 20: ...the screen length 0 command to disable the function to display information in pages Make terminal services available shell Optional By default terminal services are available in all user interfaces S...

Страница 21: ...g examples take H3C as the command line prompt Introduction To log in through the Console port is the most common way to log in to a switch It is also the prerequisite to configure other login methods...

Страница 22: ...PC to connect to the Console port launch a terminal emulation utility such as Terminal in Windows 3 X or HyperTerminal in Windows 9X Windows 2000 Windows XP and perform the configuration shown in Fig...

Страница 23: ...apters for information about the commands Console Port Login Configuration Common Configuration Table 2 2 lists the common configuration of Console port login Table 2 2 Common configuration of Console...

Страница 24: ...ion Set the timeout time of a user interface Optional The default timeout time is 10 minutes Changing of Console port configuration terminates the connection to the Console port To establish the conne...

Страница 25: ...AUX users Required Scheme Perform common configuration Perform common configuration for Console port login Optional Refer to Common Configuration for details Changes of the authentication mode of Cons...

Страница 26: ...terminal services are available in all user interfaces Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can contain up to 24 lines You...

Страница 27: ...onsole user at the following aspects z The user is not authenticated when logging in through the Console port z Commands of level 2 are available to user logging in to the AUX user interface z The bau...

Страница 28: ...guration of the terminal emulation program running on the PC to make the configuration consistent with that on the switch Refer to Setting Up the Connection to the Console Port for details Console Por...

Страница 29: ...cut key for aborting tasks escape key default character Optional The default shortcut key combination for aborting tasks is Ctrl C Make terminal services available to the user interface shell Optional...

Страница 30: ...itch is configured to allow you to login through Telnet and your user level is set to the administrator level level 3 After you telnet to the switch you need to limit the Console user at the following...

Страница 31: ...Sysname ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui aux0 history command max size 20 Set the timeout time of the AUX user interfa...

Страница 32: ...tion password for the local user password simple cipher password Required Specify the service type for AUX users service type terminal Required Quit to system view quit Enter AUX user interface view u...

Страница 33: ...ser interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the...

Страница 34: ...through the Console port in the scheme mode Sysname ui aux0 authentication mode scheme Set the baud rate of the Console port to 19200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines th...

Страница 35: ...Server The IP address of the VLAN of the switch is configured and the route between the switch and the Telnet terminal is available Switch The authentication mode and other settings are configured Re...

Страница 36: ...view Sysname telnet server enable Sysname interface vlan interface 1 Sysname Vlan interface1 ip address 202 38 160 92 255 255 255 0 Step 2 Before Telnet users can log in to the switch corresponding co...

Страница 37: ...ssword Refer to Basic System Configuration for information about command hierarchy Telnetting to Another Switch from the Current Switch You can Telnet to another switch from the current switch In this...

Страница 38: ...e 3 2 lists the common Telnet configuration Table 3 2 Common Telnet configuration Configuration Remarks Configure the command level available to users logging in to the VTY user interface Optional By...

Страница 39: ...uration Perform common Telnet configuration Optional Refer to Table 3 2 Specify to perform local authentication or RADIUS authentication AAA configuration specifies whether to perform local authentica...

Страница 40: ...a user interface Define a shortcut key for aborting tasks escape key default character Optional The default shortcut key combination for aborting tasks is Ctrl C Make terminal services available shell...

Страница 41: ...want to perform the following configuration for Telnet users logging in to VTY 0 z Do not authenticate users logging in to VTY 0 z Commands of level 2 are available to users logging in to VTY 0 z Tel...

Страница 42: ...password authentication mode password Required Set the local password set authentication password cipher simple password Required Configure the command level available to users logging in to the user...

Страница 43: ...se the idle timeout 0 command to disable the timeout function Note that if you configure to authenticate the users in the password mode the command level available to users logging in to a switch depe...

Страница 44: ...password Sysname ui vty0 authentication mode password Set the local password to 123456 in plain text Sysname ui vty0 set authentication password simple 123456 Specify commands of level 2 are availabl...

Страница 45: ...local user password simple cipher password Required Specify the service type for VTY users service type telnet Required Quit to system view quit Enter one or more VTY user interface views user interf...

Страница 46: ...d if no operation is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function Note that if you configure to authenticate the users in th...

Страница 47: ...rd of the local user to 123456 in plain text Sysname luser guest password simple 123456 Set the service type to Telnet Sysname luser guest service type Enter VTY 0 user interface view Sysname user int...

Страница 48: ...en the switch and the network management terminal is available Refer to the module IP Addressing and Performance and IP Routing for more Switch The user name and password for logging in to the Web bas...

Страница 49: ...tch By default VLAN 1 is the management VLAN z Connect to the console port Refer to section Setting Up the Connection to the Console Port z Execute the following commands in the terminal window to ass...

Страница 50: ...http 10 153 17 82 Make sure the route between the Web based network management terminal and the switch is available Step 5 When the login interface shown in Figure 4 2 appears enter the user name and...

Страница 51: ...anagement protocol is applied between the NMS and the agent To log in to a switch through an NMS you need to perform related configuration on both the NMS and the switch Table 5 1 Requirements for log...

Страница 52: ...es for Telnet packets also provides a way to successfully connect to servers that only accept packets with specific source IP addresses Specifying Source IP address Interface for Telnet Packets The co...

Страница 53: ...or Telnet packets make sure the interface already exists z Before specifying the source IP address interface for Telnet packets make sure the route between the interface and the Telnet server is reach...

Страница 54: ...rolling Telnet Users by Source and Destination IP Addresses Telnet By source MAC addresses Through Layer 2 ACLs Controlling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through bas...

Страница 55: ...e implemented by advanced ACL an advanced ACL ranges from 3000 to 3999 For the definition of ACL refer to ACL Configuration Follow these steps to control Telnet users by source and destination IP addr...

Страница 56: ...ule id permit deny rule string Required You can define rules as needed to filter by specific source MAC addresses Quit to system view quit Enter user interface view user interface type first number la...

Страница 57: ...t Users by Source IP Addresses You can manage a H3C S5120 SI series Ethernet switch through network management software Network management users can access switches through SNMP You need to perform th...

Страница 58: ...iew notify view notify view acl acl number snmp agent group v3 group name authentication privacy read view read view write view write view notify view notify view acl acl number Apply the ACL while co...

Страница 59: ...name snmp agent usm user v2c h3cuser h3cgroup acl 2000 Controlling Web Users by Source IP Addresses The Ethernet switches support Web based remote management which allows Web users to access the switc...

Страница 60: ...operation to force online Web users offline To do Use the command Remarks Force online Web users offline free web users all user id user id user name user name Required Use this command in user view C...

Страница 61: ...7 8 Sysname ip http acl 2030...

Страница 62: ...Group 1 3 Configuring an Auto negotiation Transmission Rate 1 4 Configuring Storm Suppression 1 5 Setting the Interval for Collecting Ethernet port Statistics 1 6 Enabling Forwarding of Jumbo Frames 1...

Страница 63: ...Similarly if you configure the transmission rate for an Ethernet port by using the speed command with the auto keyword specified the transmission rate is determined through auto negotiation too For a...

Страница 64: ...ess and egress interfaces Follow these steps to enable flow control on an Ethernet port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type in...

Страница 65: ...port view interface interface type interface number Enter Ethernet port view or port group view Enter port group view port group manual port group name Use either command If configured in Ethernet po...

Страница 66: ...ate of the server group Server 1 Server 2 and Server 3 is 1000 Mbps and the transmission rate of GigabitEthernet 1 0 4 which provides access to the external network for the server group is 1000 Mbps t...

Страница 67: ...valid if you enable the storm constrain for the interface For information about the storm constrain function see Configuring the Storm Constrain Function on an Follow these steps to set storm suppress...

Страница 68: ...es Due to tremendous amount of traffic occurring on an Ethernet port it is likely that some frames greater than the standard Ethernet frame size are received Such frames called jumbo frames will be dr...

Страница 69: ...bled by default Configure the interval for port loopback detection loopback detection interval time time Optional 30 seconds by default Enter Ethernet port view interface interface type interface numb...

Страница 70: ...different from the remote MDI mode z When crossover cables are used the local MDI mode must be the same as the remote MDI mode or the MDI mode of at least one end must be set to auto Follow these ste...

Страница 71: ...eds the threshold Alternatively you can configure the storm suppression function to control a specific type of traffic As the function and the storm constrain function are mutually exclusive do not en...

Страница 72: ...w the lower threshold from a point higher than the upper threshold Specify to send log when the traffic detected exceeds the upper threshold or drops down below the lower threshold from a point higher...

Страница 73: ...on Available in any view Clear the statistics of an interface reset counters interface interface type interface number Available in user view Display the information about a manual port group or all t...

Страница 74: ...nfiguration 1 1 Loopback Interface 1 1 Introduction to Loopback Interface 1 1 Configuring a Loopback Interface 1 2 Null Interface 1 2 Introduction to Null Interface 1 2 Configuring Null 0 Interface 1...

Страница 75: ...ey are usually used as device identifications Therefore when you configure a rule on an authentication or security server to permit or deny packets generated by a device you can streamline the rule by...

Страница 76: ...ull Interface Introduction to Null Interface A null interface is a completely software based logical interface A null interface is always up However you can neither use it to forward data packets nor...

Страница 77: ...n text Optional By default the description of an interface is the interface name followed by the Interface string Displaying and Maintaining Loopback and Null Interfaces To do Use the command Remarks...

Страница 78: ...atic Aggregation Group 1 5 Configuring a Dynamic Aggregation Group 1 6 Configuring an Aggregate Interface 1 7 Configuring the Description of an Aggregate Interface 1 7 Enabling LinkUp LinkDown Trap Ge...

Страница 79: ...able connectivity because these member ports can dynamically back up each other Basic Concepts of Link Aggregation Aggregate interface An aggregate interface is a logical Layer 2 or Layer 3 aggregate...

Страница 80: ...he partner of its system LACP priority system MAC address LACP port priority port number and operational key Upon receiving an LACPDU the partner compares the received information with the information...

Страница 81: ...plex high speed full duplex low speed half duplex high speed and half duplex low speed with full duplex high speed being the most preferred If two ports with the same duplex mode speed pair are presen...

Страница 82: ...port with smaller port number is selected as the reference port z If a port in up state is with the same port attributes and class two configuration as the reference port and the peer port of the port...

Страница 83: ...n Aggregate Interface Optional Configuring an Aggregation Group These ports cannot be assigned to 802 1X enabled ports Configuring a Static Aggregation Group Follow these steps to configure a Layer 2...

Страница 84: ...e a Layer 2 aggregate interface and enter the Layer 2 aggregate interface view interface bridge aggregation interface number Required When you create a Layer 2 aggregate interface a Layer 2 static agg...

Страница 85: ...nterface You can perform the following configurations for an aggregate interface z Configuring the Description of an Aggregate Interface z Enabling LinkUp LinkDown Trap Generation for an Aggregate Int...

Страница 86: ...interface is brought up the selected state of the ports in the corresponding aggregation group is re calculated Follow these steps to shut down an aggregate interface To do Use the command Remarks En...

Страница 87: ...d configure the port manually z Reference port Select a port as the reference port from the ports that are in up state and with the same class two configurations as the corresponding aggregate interfa...

Страница 88: ...1 quit DeviceA interface gigabitethernet 1 0 2 DeviceA GigabitEthernet1 0 2 port link aggregation group 1 DeviceA GigabitEthernet1 0 2 quit DeviceA interface gigabitethernet 1 0 3 DeviceA GigabitEther...

Страница 89: ...Assign Layer 2 Ethernet interfaces GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to aggregation group 1 DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 port link aggregatio...

Страница 90: ...tion 1 1 Introduction to Port Isolation 1 1 Configuring an Isolation Group for a Multiple Isolation Group Device 1 1 Adding a Port to an Isolation Group 1 1 Displaying and Maintaining Isolation Groups...

Страница 91: ...n the same VLAN Layer 2 data transmission between ports within and outside the isolation group is supported Configuring an Isolation Group for a Multiple Isolation Group Device Adding a Port to an Iso...

Страница 92: ...re connected to GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 of Device z Device provides access to the Internet through GigabitEthernet 1 0 4 z GigabitEthernet 1 0 1 GigabitEt...

Страница 93: ...late enable group 2 Device GigabitEthernet1 0 2 quit Device interface gigabitethernet 1 0 3 Device GigabitEthernet1 0 3 port isolate enable group 2 Display information of isolation group 2 Device disp...

Страница 94: ...on to Port Mirroring 1 1 Classification of Port Mirroring 1 1 Implementing Port Mirroring 1 1 Configuring Local Port Mirroring 1 2 Displaying and Maintaining Port Mirroring 1 3 Port Mirroring Configur...

Страница 95: ...e mirroring port and the monitor port are located on the same device z In remote port mirroring the mirroring port and the monitor port can be located on the same device or different devices Currently...

Страница 96: ...te a local mirroring group mirroring group group id local Required In system view mirroring group group id mirroring port mirroring port list both inbound outbound interface interface type interface n...

Страница 97: ...group group id local Available in any view Port Mirroring Configuration Examples Local Port Mirroring Configuration Example Network requirements On a network shown in Figure 1 2 z Department 1 is conn...

Страница 98: ...oring group 1 mirroring port gigabitethernet 1 0 1 gigabitethernet 1 0 2 both DeviceC mirroring group 1 monitor port gigabitethernet 1 0 3 Display the configuration of all port mirroring groups Device...

Страница 99: ...tion Delay 1 8 Enabling LLDP Polling 1 8 Configuring the TLVs to Be Advertised 1 8 Configuring the Management Address and Its Encoding Format 1 9 Setting Other LLDP Parameters 1 10 Setting the Encapsu...

Страница 100: ...rafted the Link Layer Discovery Protocol LLDP in IEEE 802 1AB The protocol operates on the data link layer to exchange device information between directly connected devices With LLDP a device sends lo...

Страница 101: ...t have a MAC address the MAC address of the sending bridge is used Type The Ethernet type for the upper layer protocol It is 0x88CC for LLDP Data LLDP data FCS Frame check sequence a 32 bit CRC value...

Страница 102: ...information field in octets and the value field contains the information itself LLDPDU TLVs fall into these categories basic management TLVs organizationally IEEE 802 1 and IEEE 802 3 specific TLVs a...

Страница 103: ...ently H3C devices support receiving but not sending protocol identity TLVs 3 IEEE 802 3 organizationally specific TLVs Table 1 5 IEEE 802 3 organizationally specific TLVs Type Description MAC PHY Conf...

Страница 104: ...e its asset ID The typical case is that the user specifies the asset ID for the endpoint to facilitate directory management and asset tracking Location Identification Allows a network device to advert...

Страница 105: ...ceiving LLDPDUs An LLDP enabled port operating in TxRx mode or Rx mode checks the TLVs carried in every LLDPDU it receives for validity violation If valid the information is saved and an aging timer i...

Страница 106: ...oup view port group manual port group name Required Use either command Enable LLDP lldp enable Optional By default LLDP is enabled on a port Setting LLDP Operating Mode LLDP can operate in one of the...

Страница 107: ...sends LLDPDUs to inform the neighboring devices of the change Follow these steps to enable LLDP polling To do Use the command Remarks Enter system view system view Enter Ethernet interface view inter...

Страница 108: ...ng format of the management address as string on the connecting port to guarantee normal communication with the neighbor Follow these steps to configure a management address to be advertised and its e...

Страница 109: ...mission is triggered lldp fast count count Optional 3 by default z The TTL can be up to 65535 seconds TTLs greater than it will be rounded down to 65535 seconds z LLDPDU transmit delay must be less th...

Страница 110: ...isco IP phones As your LLDP enabled device cannot recognize CDP packets it does not respond to the requests of Cisco IP phones for the voice VLAN ID configured on the device This can cause a requestin...

Страница 111: ...group view Enter port group view port group manual port group name Required Use either command Configure CDP compatible LLDP to operate in TxRx mode lldp compliance admin status cdp txrx Required By...

Страница 112: ...splay the information contained in the LLDP TLVs received through a port display lldp neighbor information interface interface type interface number brief Available in any view Display LLDP statistics...

Страница 113: ...ernet1 0 2 lldp admin status rx SwitchA GigabitEthernet1 0 2 quit 2 Configure Switch B Enable LLDP globally SwitchB system view SwitchB lldp enable Enable LLDP on GigabitEthernet1 0 1 setting the LLDP...

Страница 114: ...D neighbors 0 Number of CDP neighbors 0 Number of sent optional TLV 0 Number of received unknown TLV 3 Tear down the link between Switch A and Switch B and then display the global LLDP status and port...

Страница 115: ...o a Cisco IP phone z Configure voice VLAN 2 on Switch A Enable CDP compatibility of LLDP on Switch A to allow the Cisco IP phones to automatically configure the voice VLAN thus confining their voice t...

Страница 116: ...rx SwitchA GigabitEthernet1 0 1 lldp compliance admin status cdp txrx SwitchA GigabitEthernet1 0 1 quit SwitchA interface gigabitethernet 1 0 2 SwitchA GigabitEthernet1 0 2 lldp enable SwitchA Gigabit...

Страница 117: ...VLAN 1 8 Displaying and Maintaining VLAN 1 9 VLAN Configuration Example 1 9 2 Voice VLAN Configuration 2 1 Overview 2 1 Voice VLAN Assignment Modes 2 2 Security Mode and Normal Mode of Voice VLANs 2 3...

Страница 118: ...VLAN was introduced The idea is to break a LAN down into separate VLANs that is Layer 2 broadcast domains whereby frames are switched between ports assigned to the same VLAN VLANs are isolated from ea...

Страница 119: ...SA field as shown in Figure 1 3 Figure 1 3 The position and format of VLAN tag A VLAN tag comprises four fields tag protocol identifier TPID priority canonical format indicator CFI and VLAN ID z The...

Страница 120: ...n a port at the same time When determining to which VLAN a packet passing through the port should be assigned the device looks up the VLANs in the default order of MAC based VLANs IP based VLANs proto...

Страница 121: ...steps to configure basic settings of a VLAN interface To do Use the command Remarks Enter system view system view Create a VLAN interface and enter VLAN interface view interface vlan interface vlan in...

Страница 122: ...connectivity Default VLAN By default VLAN 1 is the default VLAN for all ports You can configure the default VLAN for a port as required Use the following guidelines when configuring the default VLAN...

Страница 123: ...is carried on the port z Drop the frame if its VLAN is not carried on the port Send the frame if its VLAN is carried on the port The frame is sent with the VLAN tag removed or intact depending on your...

Страница 124: ...port access vlan vlan id Optional By default all access ports belong to VLAN 1 Before assigning an access port to a VLAN create the VLAN first Assigning a Trunk Port to a VLAN A trunk port can carry...

Страница 125: ...do that on the aggregate interface it stops applying the configuration to the aggregation member ports If it fails to do that on an aggregation member port it simply skips the port and moves to the ne...

Страница 126: ...guration to the aggregate interface and its aggregation member ports If the system fails to do that on the aggregate interface it stops applying the configuration to the aggregation member ports If it...

Страница 127: ...mit vlan 1 Configure GigabitEthernet 1 0 1 to permit packets from VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 to pass through DeviceA GigabitEthernet1 0 1 port trunk permit vlan 2 6 to 50 100 Please wa...

Страница 128: ...ytes 0 broadcasts 0 multicasts Input 0 input errors 0 runts 0 giants 0 throttles 0 CRC 0 frame 0 overruns 0 aborts 0 ignored 0 parity errors Output total 0 packets 0 bytes 0 broadcasts 0 multicasts 0...

Страница 129: ...determines whether a received packet is a voice packet by checking its source MAC address A packet whose source MAC address complies with the voice device Organizationally Unique Identifier OUI addre...

Страница 130: ...on the device The system will remove a port from the voice VLAN if no packet is received from the port after the aging time expires Assigning removing ports to from a voice VLAN are automatically perf...

Страница 131: ...fic to realize the voice VLAN feature you must configure the default VLAN of the connecting port as the voice VLAN In this case 802 1X authentication function cannot be realized z The default VLANs fo...

Страница 132: ...or the device it is forwarded in the voice VLAN otherwise it is dropped Security mode Packets carrying other tags Forwarded or dropped depending on whether the port allows packets of these VLANs to pa...

Страница 133: ...tting a Port to Operate in Manual Voice VLAN Assignment Mode Follow these steps to set a port to operate in manual voice VLAN assignment mode To do Use the command Remarks Enter system view system vie...

Страница 134: ...rt to the voice VLAN manually Displaying and Maintaining Voice VLAN To do Use the command Remarks Display the voice VLAN state display voice vlan state Available in any view Display the OUI addresses...

Страница 135: ...ty mode DeviceA voice vlan security enable Configure the allowed OUI addresses as MAC addresses prefixed by 0011 2200 0000 In this way Device A identifies packets whose MAC addresses match any of the...

Страница 136: ...Voice VLANs 1 Current Voice VLANs 1 Voice VLAN security mode Security Voice VLAN aging time 30 minutes Voice VLAN enabled port and its mode PORT VLAN MODE GigabitEthernet1 0 2 3 AUTO Manual Voice VLA...

Страница 137: ...igabitEthernet 1 0 1 to permit the voice traffic of VLAN 2 to pass through untagged DeviceA GigabitEthernet1 0 1 port hybrid pvid vlan 2 DeviceA GigabitEthernet1 0 1 port hybrid vlan 2 untagged Enable...

Страница 138: ...2 10 PORT VLAN MODE GigabitEthernet1 0 1 2 MANUAL...

Страница 139: ...Switched Network 1 21 Configuring Timers of MSTP 1 21 Configuring the Timeout Factor 1 23 Configuring the Maximum Port Rate 1 23 Configuring Ports as Edge Ports 1 24 Setting the Link Type of a Port t...

Страница 140: ...requisites 1 34 Configuration Procedure 1 34 Configuration Example 1 35 Configuring No Agreement Check 1 36 Configuration Prerequisites 1 37 Configuration Procedure 1 37 Configuration Example 1 38 Con...

Страница 141: ...nd Multiple Spanning Tree Protocol MSTP This chapter describes the characteristics of STP RSTP and MSTP and the relationship among them Introduction to STP Why STP STP was developed based on the 802 1...

Страница 142: ...root bridge is called the root port The root port is responsible for communication with the root bridge Each non root bridge has one and only one root port The root bridge has no root port Designated...

Страница 143: ...spanning tree calculation Important fields in a configuration BPDU include z Root bridge ID consisting of the priority and MAC address of the root bridge z Root path cost the cost of the path to the...

Страница 144: ...U has a lower priority than that of the configuration BPDU generated by the port the device discards the received configuration BPDU and does not process the configuration BPDU of this port z If the r...

Страница 145: ...the ID of this device z The designated port ID is replaced with the ID of this port 3 The device compares the calculated configuration BPDU with the configuration BPDU on the port of which the port r...

Страница 146: ...port after comparison Device A z Port AP1 receives the configuration BPDU of Device B 1 0 1 BP1 Device A finds that the configuration BPDU of the local port 0 0 0 AP1 is superior to the received confi...

Страница 147: ...ort BP1 0 0 0 AP1 Designated port BP2 0 5 1 BP2 z Port CP1 receives the configuration BPDU of Device A 0 0 0 AP2 Device C finds that the received configuration BPDU is superior to the configuration BP...

Страница 148: ...ning tree with Device A as the root bridge is established as shown in Figure 1 3 Figure 1 3 The final calculated spanning tree AP1 AP2 Device A With priority 0 Device B With priority 1 Device C With p...

Страница 149: ...e transition in STP the newly elected root ports or designated ports require twice the forward delay time before transiting to the forwarding state to ensure that the new configuration BPDU has propag...

Страница 150: ...rtcomings of STP and RSTP In addition to the support for rapid network convergence it also allows data flows of different VLANs to be forwarded along separate paths thus providing a better load sharin...

Страница 151: ...ing tree region MST region consists of multiple devices in a switched network and the network segments among them These devices have the following characteristics z All are MSTP enabled z They have th...

Страница 152: ...te the CIST of the entire network MSTI Multiple spanning trees can be generated in an MST region through MSTP one spanning tree being independent of another Each spanning tree is referred to as a mult...

Страница 153: ...ate port The standby port for a root port or master port When the root port or master port is blocked the alternate port becomes the new root port or master port z Backup port The backup port of a des...

Страница 154: ...es are calculated each being called an MSTI Among these MSTIs MSTI 0 is the IST while all the others are MSTIs Similar to STP MSTP uses configuration BPDUs to calculate spanning trees The only differe...

Страница 155: ...guring MSTP you need to know the position of each device in each MSTI root bridge or leave node In each MSTI one and only one device acts as the root bridge while all others as leaf nodes Complete the...

Страница 156: ...ations made in Layer 2 aggregate interface view can take effect only on the aggregate interface configurations made on an aggregation member port can take effect only after the port is removed from th...

Страница 157: ...n name the same VLAN to MSTI mapping entries in the MST region and the same MST region revision level and they are interconnected via a physical link The configuration of MST region related parameters...

Страница 158: ...y root bridge you cannot change the priority of the device z You can configure the current device as the root bridge or a secondary root bridge of an MSTI which is specified by instance instance id in...

Страница 159: ...In RSTP mode all ports of the device send out RSTP BPDUs If the device detects that it is connected with a legacy STP device the port connecting with the legacy STP device will automatically migrate...

Страница 160: ...maximum hops of an MST region you can restrict the region size The maximum hops configured on the regional root bridge will be used as the maximum hops of the MST region The regional root bridge alway...

Страница 161: ...Use the command Remarks Enter system view system view Configure the network diameter of the switched network stp bridge diameter bridge number Optional 7 by default z The network diameter is a paramet...

Страница 162: ...etting enables the device to timely detect link failures on the network without using excessive network resources If the hello time is set too long the device will take packet loss as a link failure a...

Страница 163: ...ur because the upstream device is busy In this case you can avoid such unwanted spanning tree calculation by lengthening the timeout time Configuration procedure Follow these steps to configure the ti...

Страница 164: ...et 1 0 1 Sysname GigabitEthernet1 0 1 stp transmit limit 5 Configuring Ports as Edge Ports If a port directly connects to a user terminal rather than another device or a shared LAN segment this port i...

Страница 165: ...nt link is a link directly connecting two devices If the two ports across a point to point link are root ports or designated ports the ports can rapidly transition to the forwarding state after a prop...

Страница 166: ...acket format recognition mode of a port is auto namely the port automatically distinguishes the two MSTP packet formats and determines the format of packets it will send based on the recognized format...

Страница 167: ...ckets Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 stp compliance dot1s Enabling the Output of Port State Transition Information In a large scale MSTP enabl...

Страница 168: ...bly you can use the undo stp enable command to disable the MSTP feature for certain ports so that they will not take part in spanning tree calculation and thus to save the device s CPU resources Confi...

Страница 169: ...ed on IEEE 802 1t z legacy The device calculates the default path cost for ports based on a private standard Follow these steps to specify a standard for the device to use when calculating the default...

Страница 170: ...e instance id cost cost Required By default MSTP automatically calculates the path cost of each port z If you change the standard that the device uses in calculating the default path cost the port pat...

Страница 171: ...ame priority value for all the ports on a device the specific priority of a port depends on the index number of the port Changing the priority of a port triggers a new spanning tree calculation proces...

Страница 172: ...z MSTP has been correctly configured on the device z MSTP is configured to operate in MSTP mode or RSTP mode Configuration Procedure You can perform mCheck on a port through two approaches which lead...

Страница 173: ...ture for a VLAN can make ports of the VLAN forward packets normally rather than comply with the calculated result of MSTP Configuration Procedure Follow these steps to configure VLAN Ignore To do Use...

Страница 174: ...ame MST region via checking the configuration ID in BPDU packets The configuration ID includes the region name revision level configuration digest that is in 16 byte length and is the result calculate...

Страница 175: ...eeded for in the same region check so the VLAN to MSTI mappings must be the same on associated ports z With global Digest Snooping enabled modification of VLAN to MSTI mappings and removing of the cur...

Страница 176: ...d state transition on designated ports z Proposal sent by designated ports to request rapid transition z Agreement used to acknowledge rapid transition requests Both RSTP and MSTP devices can perform...

Страница 177: ...m device adopts MSTP and does not work in RSTP mode the root port on the downstream device receives no agreement packet from the upstream device and thus sends no agreement packets to the upstream dev...

Страница 178: ...ult To make the No Agreement Check feature take effect enable it on the root port Configuration Example Network requirements z Device A connects to a third party s device that has different MSTP imple...

Страница 179: ...logy Under normal conditions these ports should not receive configuration BPDUs However if someone forges configuration BPDUs maliciously to attack the devices network instability will occur MSTP prov...

Страница 180: ...will keep playing the role of designated port on all MSTIs Once this port receives a configuration BPDU with a higher priority from an MSTI it immediately sets that port to the listening state in the...

Страница 181: ...rface view will take effect on the current port only configurations made in port group view will take effect on all ports in the port group Enable the loop guard function for the port s stp loop prote...

Страница 182: ...lable in any view View the root bridge information of all MSTIs display stp root Available in any view View the list of VLANs with VLAN Ignore enabled display stp ignored vlan Available in any view Cl...

Страница 183: ...region region name example DeviceA mst region instance 1 vlan 10 DeviceA mst region instance 2 vlan 20 DeviceA mst region instance 3 vlan 30 DeviceA mst region revision level 0 Activate MST region co...

Страница 184: ...region configuration DeviceB mst region quit Define Device B as the root bridge of MSTI 3 DeviceB stp instance 3 root primary Enable MSTP globally DeviceB stp enable View the MST region configuration...

Страница 185: ...29 31 to 4094 1 10 2 20 3 30 4 Configuration on Device D Enter MST region view DeviceD system view DeviceD stp region configuration DeviceD mst region region name example Configure the region name VLA...

Страница 186: ...1 46 Instance Vlans Mapped 0 1 to 9 11 to 19 21 to 29 31 to 4094 1 10 2 20 3 30...

Страница 187: ...onfiguration 1 1 IP Addressing Overview 1 1 IP Address Classes 1 1 Special IP Addresses 1 2 Subnetting and Masking 1 2 Configuring IP Addresses 1 3 Assigning an IP Address to an Interface 1 3 Displayi...

Страница 188: ...xample is 01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1...

Страница 189: ...es the host with a host ID of 16 on the local network z IP address with an all zero host ID Identifies a network z IP address with an all one host ID Identifies a directed broadcast address For exampl...

Страница 190: ...C networks before being subnetted use these default masks also called natural masks 255 0 0 0 255 255 0 0 and 255 255 255 0 respectively Configuring IP Addresses An interface can communicate with oth...

Страница 191: ...information about a specified or all Layer 3 interfaces display ip interface interface type interface number Available in any view Display brief information about a specified or all Layer 3 interface...

Страница 192: ...ing Reception of Directed Broadcasts to a Directly Connected Network 1 1 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network 1 2 Configuring TCP Attributes 1 2 Enabling the SYN...

Страница 193: ...Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network Directed broadcast packets are broadcast on a specific network In the destination IP address of a directed bro...

Страница 194: ...he establishment of a TCP connection involves the following three handshakes 1 The request originator sends a SYN message to the target server 2 After receiving the SYN message the target server estab...

Страница 195: ...ame state any of the six and request for no data so as to exhaust the memory resource of the server As a result the server cannot process normal services Protection against Naptha attacks reduces the...

Страница 196: ...en a TCP connection is changed into FIN_WAIT_2 state the finwait timer is started If no FIN packets is received within the timer interval the TCP connection will be terminated If a FIN packet is recei...

Страница 197: ...unreachable ICMP error packet z If the destination of a packet is local while the transport layer protocol of the packet is not supported by the local device the device sends a protocol unreachable IC...

Страница 198: ...isplay statistics of IP packets display ip statistics Available in any view Display ICMP statistics display icmp statistics Available in any view Display socket information display ip socket socktype...

Страница 199: ...uring the ARP Active Acknowledgement Function 2 1 Configuring Source MAC Address Based ARP Attack Detection 2 1 Introduction 2 1 Configuration Procedure 2 2 Displaying and Maintaining Source MAC Addre...

Страница 200: ...ly Figure 1 1 ARP message format The following describe the fields in Figure 1 1 z Hardware type This field specifies the hardware address type The value 1 represents Ethernet z Protocol type This fie...

Страница 201: ...ost B and an all zero MAC address respectively Because the ARP request is a broadcast all hosts on this subnet can receive the request but only the requested host namely Host B will respond to the req...

Страница 202: ...rmanent z A permanent static ARP entry can be directly used to forward packets When configuring a permanent static ARP entry you must configure a VLAN and an outbound interface for the entry besides t...

Страница 203: ...ber of dynamic ARP entries that an interface can learn To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Set the maxim...

Страница 204: ...Remarks Enter system view system view Enable the ARP entry check arp check enable Optional By default the device is disabled from learning multicast MAC addresses ARP Configuration Example Network re...

Страница 205: ...IP address of the device issuing the packet the sender MAC address is the MAC address of the device and the target MAC address is the broadcast address ff ff ff ff ff ff A device implements the follo...

Страница 206: ...ay the ARP entry for a specified IP address display arp ip address begin exclude include regular expression Available in any view Display the aging time for dynamic ARP entries display arp timer aging...

Страница 207: ...t to the source MAC address of the ARP entry Then z If an ARP reply is received within five seconds the ARP packet is ignored z If not the gateway unicasts an ARP request to the MAC address of the ARP...

Страница 208: ...tack detection even though it is an attacker You can specify certain MAC addresses such as that of a gateway or important servers as protected MAC addresses Follow these steps to configure protected M...

Страница 209: ...P Packet Rate Limit Function Follow these steps to configure ARP packet rate limit in Ethernet interface view To do Use the command Remarks Enter system view system view Enter Ethernet interface view...

Страница 210: ...dify the communication data Such an attack is called a man in the middle attack Figure 2 1 Man in the middle attack Switch Host A Host B IP_A MAC_A IP_B MAC_B IP_C MAC_C Host C Forged ARP reply Forged...

Страница 211: ...packet is considered valid and can pass the detection If all the detection types are specified the system uses static IP to MAC binding entries first then DHCP snooping entries and then 802 1X securit...

Страница 212: ...d against 802 1X security entries otherwise the packet is checked against 802 1X security entries If a match is found the packet is considered to be valid otherwise the packet is discarded z Before en...

Страница 213: ...he latter applies Displaying and Maintaining ARP Detection To do Use the command Remarks Display the VLANs enabled with ARP detection display arp detection Available in any view Display the ARP detect...

Страница 214: ...itEthernet1 0 3 dhcp snooping trust SwitchA GigabitEthernet1 0 3 quit Enable ARP detection for VLAN 10 SwitchA vlan 10 SwitchA vlan10 arp detection enable Configure the upstream port as a trusted port...

Страница 215: ...on Configuration procedure 1 Add all the ports on Switch A into VLAN 10 the configuration procedure is omitted 2 Configure DHCP server the configuration procedure is omitted 3 Configure Host A and Hos...

Страница 216: ...to the attacker instead As a result the hosts cannot access external networks To prevent such gateway spoofing attacks you can enable the gateway to send gratuitous ARP packets containing its primary...

Страница 217: ...ooting DHCP Relay Agent Configuration 1 11 2 DHCP Client Configuration 2 1 Introduction to DHCP Client 2 1 Enabling the DHCP Client on an Interface 2 1 Displaying and Maintaining the DHCP Client 2 2 D...

Страница 218: ...ii Displaying and Maintaining BOOTP Client Configuration 4 2 BOOTP Client Configuration Example 4 3...

Страница 219: ...iguration Introduction to DHCP Relay Agent Application Environment Since DHCP clients request IP addresses via broadcast messages the DHCP server and clients must be on the same subnet Therefore a DHC...

Страница 220: ...DHCP client The administrator can locate the DHCP client to further implement security control and accounting If the DHCP relay agent supports Option 82 it will handle a client s request according to...

Страница 221: ...elay Agent Security Functions Optional Configuring the DHCP Relay Agent to Send a DHCP Release Request Optional Configuring the DHCP Relay Agent to Support Option 82 Optional Configuring the DHCP Rela...

Страница 222: ...CP server group and add a server into the group dhcp relay server group group id ip ip address Required Not created by default Enter interface view interface interface type interface number Correlate...

Страница 223: ...Disabled by default z The dhcp relay address check enable command is independent of other commands of the DHCP relay agent That is the invalid address check takes effect when this command is executed...

Страница 224: ...the IP address of the DHCP server which assigned an IP address to the DHCP client and the receiving interface The administrator can use this information to check out any DHCP unauthorized servers Foll...

Страница 225: ...type interface number Enable the relay agent to support Option 82 dhcp relay information enable Required Disabled by default Configure the handling strategy for requesting messages containing Option...

Страница 226: ...DHCP Relay Agent Configuration To do Use the command Remarks Display information about DHCP server groups correlated to a specified or all interfaces display dhcp relay all interface interface type i...

Страница 227: ...P relay agent Configuration procedure Specify IP addresses for the interfaces omitted Enable DHCP SwitchA system view SwitchA dhcp enable Add DHCP server 10 1 1 1 into DHCP server group 1 SwitchA dhcp...

Страница 228: ...Specify IP addresses for the interfaces omitted Enable DHCP SwitchA system view SwitchA dhcp enable Add DHCP server 10 1 1 1 into DHCP server group 1 SwitchA dhcp relay server group 1 ip 10 1 1 1 Ena...

Страница 229: ...agent to view the debugging information and interface state information for locating the problem Solution Check that z The DHCP is enabled on the DHCP server and relay agent z The address pool on the...

Страница 230: ...P server cannot be a Windows 2000 Server or Windows 2003 Server Introduction to DHCP Client With the DHCP client enabled an interface will use DHCP to obtain configuration parameters such as an IP add...

Страница 231: ...by executing the undo ip address dhcp alloc command and then the ip address dhcp alloc command Displaying and Maintaining the DHCP Client To do Use the command Remarks Display specified configuration...

Страница 232: ...Recording IP to MAC mappings of DHCP clients Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers If there is an unauthorized DHCP server on a network DHCP clients may obtain inva...

Страница 233: ...d Unauthorized DHCP server DHCP client DHCP reply messages As shown in Figure 3 1 a DHCP snooping device s port that is connected to an authorized DHCP server should be configured as a trusted port to...

Страница 234: ...n 82 Option 82 records the location information of the DHCP client The administrator can locate the DHCP client to further implement security control and accounting If DHCP snooping supports Option 82...

Страница 235: ...normal format verbose Forward the message after adding the Option 82 padded in verbose format no Option 82 user defined Forward the message after adding the user defined Option 82 The handling strate...

Страница 236: ...iguring DHCP Snooping to Support Option 82 Follow these steps to configure DHCP snooping to support Option 82 To do Use the command Remarks Enter system view system view Enter interface view interface...

Страница 237: ...DHCP snooping to support Option 82 on the interface will not take effect After the interface quits the aggregation group the configuration will be effective z If the handling strategy of the DHCP sno...

Страница 238: ...rwards DHCP server responses while the other two do not Switch A records clients IP to MAC address bindings in DHCP REQUEST messages and DHCP ACK messages received from trusted ports Figure 3 3 Networ...

Страница 239: ...itEthernet1 0 2 to support Option 82 SwitchA interface GigabitEthernet 1 0 2 SwitchA GigabitEthernet1 0 2 dhcp snooping information enable SwitchA GigabitEthernet1 0 2 dhcp snooping information strate...

Страница 240: ...BOOTP client the interface can use BOOTP to get information such as IP address from the BOOTP server which simplifies your configuration Before using BOOTP an administrator needs to configure a BOOTP...

Страница 241: ...protocols and standards related to BOOTP include z RFC 951 Bootstrap Protocol BOOTP z RFC 2132 DHCP Options and BOOTP Vendor Extensions z RFC 1542 Clarifications and Extensions for the Bootstrap Prot...

Страница 242: ...erver 10 1 1 4 25 Client Switch A Client DNS server 10 1 1 2 25 Vlan int1 10 1 1 1 25 Vlan int1 10 1 1 126 25 Configuration procedure The following describes only the configuration on Switch A serving...

Страница 243: ...Debugging an FTP Connection 1 6 Terminating an FTP Connection 1 6 FTP Client Configuration Example 1 6 Configuring the FTP Server 1 8 Configuring FTP Server Operating Parameters 1 8 Configuring Authen...

Страница 244: ...files z ASCII mode transfers files as text like txt bat and cfg files Operation of FTP FTP adopts the client server model Your device can function either as the client or as the server as shown in Fig...

Страница 245: ...nfiguration on the device Configure authentication and authorization Configure the username password authorized working directory for an FTP user The device does not support anonymous FTP for security...

Страница 246: ...source IP address The primary IP address configured on the source interface is the source address of the transmitted packets The source address of the transmitted packets is selected following these...

Страница 247: ...For how to establish an FTP connection refer to Establishing an FTP Connection you can create or delete folders under the authorized directory of the FTP server Follow these steps to operate the dire...

Страница 248: ...mand displays the name of a directory or file only while the dir command displays detailed information such as the file size and creation time Delete the specified file on the remote FTP server perman...

Страница 249: ...debugging Optional Disabled by default Terminating an FTP Connection After the device serving as the FTP client has established a connection with the FTP server For how to establish an FTP connection...

Страница 250: ...P Sysname ftp 10 1 1 1 Trying 10 1 1 1 Connected to 10 1 1 1 220 WFTPD 2 0 service by Texas Imperial Software ready for new user User 10 1 1 1 none abc 331 Give me your password please Password 230 Lo...

Страница 251: ...xample occurs during a file transfer z In normal mode the FTP server writes data to the storage medium while receiving data This means that any anomaly power failure for example during file transfer m...

Страница 252: ...pport FTP anonymous user access Assign a password to the user password simple cipher password Required Assign the FTP service to the user service type ftp Required By default the system does not suppo...

Страница 253: ...vel 3 the manage level Authorize ftp s access to the root directory of the flash and specify ftp to use FTP Sysname system view Sysname local user abc Sysname luser abc password simple pwd Sysname lus...

Страница 254: ...e the Boot ROM 3 Upgrade Device Specify newest bin as the main startup file to be used at the next startup Sysname boot loader file newest bin main Reboot the device and the startup file is updated at...

Страница 255: ...1 12...

Страница 256: ...s initiated by the client z In a normal file downloading process the client sends a read request to the TFTP server receives data from the server and then sends the acknowledgement to the server z In...

Страница 257: ...e is not overwritten This mode is more secure but consumes more memory You are recommended to use the secure mode or if you use the normal mode specify a filename not existing in the current directory...

Страница 258: ...quit Download or upload a file tftp server address get put sget source filename destination filename source interface interface type interface number ip source ip address Optional Available in user v...

Страница 259: ...te the files not in use and then perform the following operations Enter system view Sysname system view Download application file newest bin from PC Sysname tftp 1 2 1 1 get newest bin Upload a config...

Страница 260: ...i Table of Contents 1 IP Routing Basics Configuration 1 1 IP Routing and Routing Table 1 1 Routing 1 1 Routing Table 1 1 Displaying and Maintaining a Routing Table 1 3...

Страница 261: ...interface a packet destined for a certain destination should go out to reach the next hop the next router or the directly connected destination Routes in a routing table can be divided into three cate...

Страница 262: ...ed into z Direct routes The destination is directly connected to the router z Indirect routes The destination is not directly connected to the router To prevent the routing table from getting too larg...

Страница 263: ...destination addresses in the specified range display ip routing table ip address1 mask length mask ip address2 mask length mask verbose Available in any view Display information about routes permitte...

Страница 264: ...1 Default Route 1 1 Application Environment of Static Routing 1 2 Configuring a Static Route 1 2 Configuration Prerequisites 1 2 Configuration Procedure 1 2 Displaying and Maintaining Static Routes 1...

Страница 265: ...e static routes manually Default Route If the destination address of a packet fails to match any entry in the routing table the packet will be discarded After a default route is configured on a router...

Страница 266: ...configure the next hop address z If you specify a broadcast interface such as a VLAN interface as the output interface you must specify the corresponding next hop for the output interface 3 Other att...

Страница 267: ...with the ip route static command the route is the default route Displaying and Maintaining Static Routes To do Use the command Remarks Display the current configuration information display current con...

Страница 268: ...Switch C SwitchC system view SwitchC ip route static 0 0 0 0 0 0 0 0 1 1 5 5 3 Configure the hosts The default gateways for the three hosts A B and C are 1 1 2 3 1 1 6 1 and 1 1 3 1 respectively The c...

Страница 269: ...Direct 0 0 127 0 0 1 InLoop0 Use the ping command on Host B to check reachability to Host A assuming Windows XP runs on the two hosts C Documents and Settings Administrator ping 1 1 2 2 Pinging 1 1 2...

Страница 270: ...Prerequisites 2 7 Enabling IGMP Snooping 2 7 Configuring the Version of IGMP Snooping 2 8 Configuring IGMP Snooping Port Functions 2 9 Configuration Prerequisites 2 9 Configuring Aging Timers for Dyna...

Страница 271: ...23 IGMP Snooping Querier Configuration Example 2 26 IGMP Snooping Proxying Configuration Example 2 28 Troubleshooting IGMP Snooping Configuration 2 31 Switch Fails in Layer 2 Multicast Forwarding 2 31...

Страница 272: ...ltipoint data transmission over a network multicast greatly saves network bandwidth and reduces network load With the multicast technology a network operator can easily provide new value added service...

Страница 273: ...over the network is proportional to the number of hosts that need the information If a large number of users need the information the information source needs to send a copy of the same information t...

Страница 274: ...ficant waste of network resources Multicast As discussed above unicast and broadcast techniques are unable to provide point to multipoint data transmissions with the minimum network consumption Multic...

Страница 275: ...cast is confined to the same subnet while multicast is not Features of Multicast Multicast has the following features z A multicast group is a multicast receiver set identified by an IP multicast addr...

Страница 276: ...icast z G Indicates a rendezvous point tree RPT or a multicast packet that any multicast source sends to multicast group G Here represents any multicast source while G represents a specific multicast...

Страница 277: ...ence between the SSM model and the ASM model is that in the SSM model receivers already know the locations of the multicast sources by some other means In addition the SSM model uses a multicast addre...

Страница 278: ...he IP header 224 0 1 0 to 238 255 255 255 Globally scoped group addresses This block includes two types of designated group addresses z 232 0 0 0 8 SSM group addresses and z 233 0 0 0 8 Glop group add...

Страница 279: ...tination address is a multicast MAC address because the packet is directed to a group formed by a number of receivers rather than to one specific receiver As defined by IANA the high order 24 bits of...

Страница 280: ...he internet group management protocol IGMP is used between hosts and Layer 3 multicast devices directly connected with the hosts These protocols define the mechanism of establishing and maintaining gr...

Страница 281: ...training mechanisms that manage and control multicast groups by listening to and analyzing IGMP messages exchanged between the hosts and Layer 3 multicast devices thus effectively controlling the floo...

Страница 282: ...rwarding z To process the same multicast information from different peers received on different interfaces of the same device every multicast packet is subject to a reverse path forwarding RPF check o...

Страница 283: ...and multicast MAC addresses and forwards multicast data based on these mappings As shown in Figure 2 1 when IGMP snooping is not running on the switch multicast packets are flooded to all devices at...

Страница 284: ...device DR or IGMP querier In the figure GigabitEthernet 1 0 1 of Switch A and GigabitEthernet 1 0 1 of Switch B are router ports The switch registers all its local router ports in its router port list...

Страница 285: ...age out How IGMP Snooping Works A switch running IGMP snooping performs different actions when it receives different IGMP messages as follows The description about adding or deleting a port in this s...

Страница 286: ...the attached hosts listening to the reported multicast address will suppress their own reports upon receiving this report according to the IGMP report suppression mechanism on them and this will preve...

Страница 287: ...port z If no IGMP report in response to the group specific query is received on the port before its aging timer expires this means that no hosts attached to the port are still listening to that group...

Страница 288: ...found the proxy creates the entry adds the receiving port to the outgoing port list as a dynamic member port and starts an aging timer for the port and then sends a report to the group out all router...

Страница 289: ...e effective only for the current port configurations made in Layer 2 aggregate interface view are effect only for the current interface configurations made in port group view are effective only for al...

Страница 290: ...ocess z IGMP snooping version 2 can process IGMPv1 and IGMPv2 messages but not IGMPv3 messages which will be flooded in the VLAN z IGMP snooping version 3 can process IGMPv1 IGMPv2 and IGMPv3 messages...

Страница 291: ...when the aging timer of the port for that group expires If multicast group memberships change frequently you can set a relatively small value for the dynamic member port aging timer and vice versa Con...

Страница 292: ...tic router ports by default z A static S G joining can take effect only if a valid multicast source address is specified and IGMP snooping version 3 is currently running z A static member port does no...

Страница 293: ...port configured as a simulated member host will age out like a dynamic member port Configuring Fast Leave Processing The fast leave processing feature allows the switch to process IGMP leave messages...

Страница 294: ...uery interval z Maximum response time to IGMP general queries z Source address of IGMP general queries and z Source address of IGMP group specific queries Enabling IGMP Snooping Querier In an IP multi...

Страница 295: ...sends an IGMP report to the corresponding multicast group An appropriate setting of the maximum response time for IGMP queries allows hosts to respond to queries quickly and avoids bursts of IGMP tra...

Страница 296: ...eiving an IGMP query whose source IP address is 0 0 0 0 on a port the switch does not enlist that port as a dynamic router port This may prevent multicast forwarding entries from being correctly creat...

Страница 297: ...ring a Source IP Address for the IGMP Messages Sent by the Proxy You can set the source IP addresses in the IGMP reports and leave messages sent by the IGMP snooping proxy on behalf of its attached ho...

Страница 298: ...lobally Follow these steps to configure a multicast group filter globally To do Use the command Remarks Enter system view system view Enter IGMP snooping view igmp snooping Configure a multicast group...

Страница 299: ...yer 2 device forwards only the first IGMP report per multicast group to the Layer 3 device and will not forward the subsequent IGMP reports from the same multicast group to the Layer 3 device This hel...

Страница 300: ...reasons the number of multicast groups that can be joined on the current switch or port may exceed the number configured for the switch or the port In addition in some specific applications a multicas...

Страница 301: ...t take effect Configuring 802 1p Precedence for IGMP Messages You can change 802 1p precedence of IGMP messages so that they can be assigned higher forwarding priority when congestion occurs on their...

Страница 302: ...nabled VLAN z The reset igmp snooping group command cannot clear the IGMP snooping multicast group information for static joins IGMP Snooping Configuration Examples Group Policy and Simulated Joining...

Страница 303: ...net1 0 1 igmp enable RouterA GigabitEthernet1 0 1 pim dm RouterA GigabitEthernet1 0 1 quit RouterA interface gigabitethernet 1 0 2 RouterA GigabitEthernet1 0 2 pim dm RouterA GigabitEthernet1 0 2 quit...

Страница 304: ...1 1 1 vlan 100 SwitchA GigabitEthernet1 0 4 quit 4 Verify the configuration Display the detailed IGMP snooping multicast groups information in VLAN 100 on Switch A SwitchA display igmp snooping group...

Страница 305: ...d to Switch C only along the path of Switch A Switch B Switch C z It is required to configure GigabitEthernet 1 0 3 that connects Switch A to Switch C as a static router port so that multicast traffic...

Страница 306: ...gn GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to this VLAN and enable IGMP snooping in the VLAN SwitchA vlan 100 SwitchA vlan100 port gigabitethernet 1 0 1 to gigabitethernet 1 0 3 SwitchA vl...

Страница 307: ...1 0 5 quit 6 Verify the configuration Display the detailed IGMP snooping multicast group information in VLAN 100 on Switch A SwitchA display igmp snooping group vlan 100 verbose Total 1 IP Group s Tot...

Страница 308: ...As shown in Figure 2 6 in a Layer 2 only network environment two multicast sources Source 1 and Source 2 send multicast data to multicast groups 224 1 1 1 and 225 1 1 1 respectively Host A and Host C...

Страница 309: ...in VLAN 100 SwitchA vlan100 igmp snooping enable SwitchA vlan100 igmp snooping drop unknown Enable the IGMP Snooping querier function in VLAN 100 SwitchA vlan100 igmp snooping querier Set the source I...

Страница 310: ...3 Received IGMPv1 reports 0 Received IGMPv2 reports 12 Received IGMP leaves 0 Received IGMPv2 specific queries 0 Sent IGMPv2 specific queries 0 Received IGMPv3 reports 0 Received IGMPv3 reports with...

Страница 311: ...view RouterA multicast routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 igmp enable RouterA GigabitEthernet1 0 1 pim dm RouterA GigabitEthernet1 0 1 quit RouterA int...

Страница 312: ...oup s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 2 port GE1 0 3 D GE1 0 4 D MAC group s MAC group address 0100 5e01 0101 Host port s total 2 port GE1 0 3 GE1...

Страница 313: ...ing Analysis IGMP snooping is not enabled Solution 1 Enter the display current configuration command to view the running status of IGMP snooping 2 If IGMP snooping is not enabled use the igmp snooping...

Страница 314: ...his command in IGMP snooping view or in the corresponding interface view to check whether the correct multicast group policy has been applied If not use the group policy or igmp snooping group policy...

Страница 315: ...in not only waste of network bandwidth but also extra burden on the Layer 3 device Figure 3 1 Multicast transmission without multicast VLAN The multicast VLAN feature configured on the Layer 2 device...

Страница 316: ...st VLAN and Switch A distributes the traffic to all the member ports in the multicast VLAN z For information about IGMP Snooping router ports and member ports refer to IGMP Snooping Configuration z Fo...

Страница 317: ...long as the default VLAN Configure the user ports to permit packets of the multicast VLAN to pass and untag the packets Thus upon receiving multicast packets tagged with the multicast VLAN ID from the...

Страница 318: ...icast VLAN view multicast vlan vlan id Required Not a multicast VLAN by default Assign ports to the multicast VLAN port interface list Required By default a multicast VLAN has no ports Configuring mul...

Страница 319: ...uter A IGMPv2 Snooping is required on Switch A Router A acts as the IGMP querier z Switch A s GigabitEthernet 1 0 1 belongs to VLAN 10 GigabitEthernet 1 0 2 through GigabitEthernet 1 0 4 belong to VLA...

Страница 320: ...0 2 RouterA system view RouterA multicast routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 pim dm RouterA GigabitEthernet1 0 1 quit RouterA interface gigabitethernet...

Страница 321: ...or GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 is similar The detailed configuration steps are omitted Configure VLAN 10 as a multicast VLAN SwitchA multicast vlan 10 Assign GigabitEthernet 1 0 2...

Страница 322: ...oup s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 3 port GE1 0 2 D GE1 0 3 D GE1 0 4 D MAC group s MAC group address 0100 5e01 0101 Host port s total 3 port G...

Страница 323: ...le 2 4 Applying the QoS Policy 2 5 Applying the QoS Policy to an Interface 2 5 Displaying and Maintaining QoS Policies 2 5 3 Priority Mapping Configuration 3 1 Priority Mapping Overview 3 1 Introducti...

Страница 324: ...guration procedure 4 2 Line rate configuration example 4 2 5 Congestion Management Configuration 5 1 Overview 5 1 Congestion Management Policies 5 1 Congestion Management Configuration Methods 5 3 Con...

Страница 325: ...alled best effort It delivers packets to their destinations as possibly as it can without any guarantee for delay jitter packet loss ratio and so on This service policy is only suitable for applicatio...

Страница 326: ...s forwarded over a low speed link z The packet flows enter a device from several incoming interfaces and are forwarded out an outgoing interface whose rate is smaller than the total rate of these inco...

Страница 327: ...gestion avoidance are the foundations for a network to provide differentiated services Mainly they implement the following functions z Traffic classification uses certain match criteria to organize pa...

Страница 328: ...port number for example or for all packets to a certain network segment When packets are classified on the network boundary the precedence bits in the ToS field of the IP packet header are generally r...

Страница 329: ...ccording to their DSCP values z Expedited Forwarding EF class In this class packets are forwarded regardless of link share of other traffic The class is suitable for preferential services requiring lo...

Страница 330: ...precedence lies in Layer 2 packet headers and is applicable to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2 Figure 1 4 An Ethernet frame with an 802 1Q tag...

Страница 331: ...802 1p Table 1 3 presents the values for 802 1p precedence Table 1 3 Description on 802 1p precedence 802 1p precedence decimal 802 1p precedence binary Description 0 000 best effort 1 001 background...

Страница 332: ...nsiders a packet belongs to a class only when the packet matches all the criteria in the class z or The device considers a packet belongs to a class as long as the packet matches one of the criteria i...

Страница 333: ...ce of the customer network The 8021p list argument is a list of CoS values in the range of 0 to 7 customer vlan id vlan id list Specifies to match the packets of specified VLANs of user networks The v...

Страница 334: ...c mac address To create multiple if match clauses or specify multiple values for a list argument for any of the matching criteria listed above ensure that the operator of the class is OR Defining a Tr...

Страница 335: ...a class and the behavior defined in the QoS policy applies to the class regardless of whether the match mode of the ACL clause is deny or permit QoS Policy Configuration Example Network requirements...

Страница 336: ...e number Enter interface view or port group view Enter port group view port group manual port group name Use either command Settings in interface view take effect on the current interface settings in...

Страница 337: ...or name Available in any view Display the configuration of user defined QoS policies display qos policy user defined policy name classifier tcl name Available in any view Display QoS policy configurat...

Страница 338: ...e 802 1p precedence DSCP values and EXP values refer to Packet Precedences Local precedence is a locally significant precedence that the device assigns to a packet A local precedence value corresponds...

Страница 339: ...es switch can trust one of the following two priority types z Trusting the DSCP precedence of received packets In this mode the switch searches the dscp dot1p dscp mapping table based on the DSCP prec...

Страница 340: ...t dscp lp and dscp dot1p mappings Input priority value dscp lp mapping dscp dot1p mapping dscp Local precedence lp 802 1p precedence dot1p 0 to 7 0 0 8 to 15 1 1 16 to 23 2 2 24 to 31 3 3 32 to 39 4 4...

Страница 341: ...able view as required Configure the priority mapping table import import value list export export value Required Newly configured mappings overwrite the previous ones Display the configuration of the...

Страница 342: ...do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manual...

Страница 343: ...rocedure refer to Configuring a Priority Mapping Table Configuration Procedure Follow these steps to configure the trusted precedence type To do Use the command Remarks Enter system view system view E...

Страница 344: ...dot1p Displaying and Maintaining Priority Mapping To do Use the command Remarks Display priority mapping table configuration information display qos map table dot1p dot1p dot1p dscp dot1p lp dscp dot1...

Страница 345: ...y handled by the token bucket at line rate If there are enough tokens in the token bucket packets can be forwarded otherwise packets are put into QoS queues for congestion management In this way the t...

Страница 346: ...ent interface settings in port group view take effect on all ports in the port group Configure the line rate for the interface port group qos lr inbound outbound cir committed information rate cbs com...

Страница 347: ...stion management involves queue creation traffic classification packet enqueuing and queue scheduling Congestion Management Policies In general congestion management adopts queuing technology The syst...

Страница 348: ...with the second highest priority and so on Thus you can assign mission critical packets to the high priority queue to ensure that they are always served first and common service packets to the low pri...

Страница 349: ...scheduled in turn the service time for each queue is not fixed that is if a queue is empty the next queue will be scheduled immediately This improves bandwidth resource use efficiency SP WRR queuing Y...

Страница 350: ...t 1 0 1 to adopt SP queuing 2 Configuration procedure Enter system view Sysname system view Configure GigabitEthernet1 0 1 to adopt SP queuing Sysname interface gigabitethernet 1 0 1 Sysname GigabitEt...

Страница 351: ...GigabitEthernet1 0 1 qos wrr 2 group 2 weight 30 Sysname GigabitEthernet1 0 1 qos wrr 3 group 2 weight 50 Configuring SP WRR Queuing Configuration procedure Follow these steps to configure an SP WRR q...

Страница 352: ...being 10 and 50 respectively 2 Configuration procedure Enter system view Sysname system view Enable the SP WRR queue scheduling algorithm on GigabitEthernet1 0 1 Sysname interface gigabitethernet 1 0...

Страница 353: ...X Basic Configuration 1 13 Configuration Prerequisites 1 13 Configuring 802 1X Globally 1 13 Configuring 802 1X for a Port 1 14 Enabling the Online User Handshake Function 1 15 Enabling the Multicast...

Страница 354: ...s the LAN only when it passes the authentication Those devices that fail to pass the authentication are denied access to the LAN To get more information about 802 1X go to these topics z Architecture...

Страница 355: ...ch then can relay the packets to the RADIUS server In EAP termination mode EAP packets are terminated at the device converted to the RADIUS packets either with the Password Authentication Protocol PAP...

Страница 356: ...ts z auto Places the port in the unauthorized state initially to allow only EAPOL packets to pass and turns the ports into the authorized state to allow access to the network after the users pass auth...

Страница 357: ...between a client and a device EAPOL Logoff a value of 0x02 Packet for logoff request present between a client and a device z Length Length of the data that is length of the Packet body field in bytes...

Страница 358: ...For information about RADIUS packet format refer to AAA Configuration EAP Message The EAP Message attribute is used to encapsulate EAP packets Figure 1 6 shows its encapsulation format The value of th...

Страница 359: ...30 seconds by default This method can be used to authenticate clients which cannot send EAPOL Start packets and therefore cannot trigger authentication for example the 802 1X client provided by Windo...

Страница 360: ...r the username of the client 4 When the client receives the EAP Request Identity packet it encapsulates the username in an EAP Response Identity packet and sends the packet to the device 5 Upon receiv...

Страница 361: ...shake attempts end up with failure the device concludes that the client has gone offline and performs the necessary operations guaranteeing that the device always knows when a client goes offline 12 T...

Страница 362: ...rmation from the client to the RADIUS server for authentication 802 1X Access Control Method H3C devices not only implement the port based access control method defined in the 802 1X protocol but also...

Страница 363: ...the client is offline z Quiet timer quiet period When a client fails the authentication the device refuses further authentication requests from the client in this period of time z Periodic re authenti...

Страница 364: ...t will be added to the guest VLAN and all users accessing the port will be authorized to access the resources in the guest VLAN The device adds a PGV configured port into the guest VLAN according to t...

Страница 365: ...ning access rights When a user logs in through a port and the RADIUS server is configured with authorization ACLs the device will permit or deny data flows traversing through the port according to the...

Страница 366: ...word information must be configured on the device and the service type must be set to lan access For detailed configuration of the RADIUS client refer to AAA Configuration Configuring 802 1X Globally...

Страница 367: ...For detailed configuration refer to Configuring 802 1X for a Port The only difference between global configurations and configurations on a port lies in the applicable scope If both a global setting...

Страница 368: ...tication In this case you can configure the user name format command but it does not take effect For information about the user name format command refer to AAA Commands z If the username of a client...

Страница 369: ...face number Enable the multicast trigger function dot1x multicast trigger Optional Enabled by default Specifying a Mandatory Authentication Domain for a Port With a mandatory authentication domain spe...

Страница 370: ...fault After an 802 1X user passes authentication if the authentication server assigns a re authentication interval for the user through the session timeout attribute the assigned re authentication int...

Страница 371: ...ail VLAN If the traffic from a user side device carries VLAN tags and the 802 1X authentication and guest VLAN functions are configured on the access port you are recommended to configure different VL...

Страница 372: ...cation when no response from the RADIUS server is received If the RADIUS accounting fails the device gets users offline z A server group with two RADIUS servers is connected to the switch The IP addre...

Страница 373: ...localpass Switch luser localuser attribute idle cut 20 Switch luser localuser quit Create RADIUS scheme radius1 and enter its view Switch radius scheme radius1 Configure the IP addresses of the prima...

Страница 374: ...unting default radius scheme radius1 local Set the maximum number of users for the domain as 30 Switch isp aabbcc net access limit enable 30 Enable the idle cut function and set the idle cut interval...

Страница 375: ...802 1X and set VLAN 10 as the guest VLAN of the port If the device sends an EAP Request Identity packet from the port for the maximum number of times but still receives no response the device adds the...

Страница 376: ...hentication Configuration procedure z The following configuration procedure uses many AAA RADIUS commands For detailed configuration of these commands refer to AAA Configuration z Configurations on th...

Страница 377: ...Switch GigabitEthernet1 0 2 dot1x port control auto Switch GigabitEthernet1 0 2 quit Create VLAN 10 Switch vlan 10 Switch vlan10 quit Specify port GigabitEthernet 1 0 2 to use VLAN 10 as its guest VLA...

Страница 378: ...ry authentication 10 1 1 1 1812 Switch radius 2000 primary accounting 10 1 1 2 1813 Switch radius 2000 key authentication abc Switch radius 2000 key accounting abc Switch radius 2000 user name format...

Страница 379: ...CL 3000 assigned by the RADIUS server functions Switch ping 10 0 0 1 PING 10 0 0 1 56 data bytes press CTRL_C to break Request time out Request time out Request time out Request time out Request time...

Страница 380: ...ions Forcibly 1 17 Configuring a NAS ID VLAN Binding 1 17 Displaying and Maintaining AAA 1 18 Configuring RADIUS 1 18 Creating a RADIUS Scheme 1 19 Specifying the RADIUS Authentication Authorization S...

Страница 381: ...ii Troubleshooting RADIUS 1 32...

Страница 382: ...centrally In an AAA network a NAS is a server for users but a client for the AAA servers as shown in Figure 1 1 Figure 1 1 AAA networking diagram When a user tries to establish a connection to the NAS...

Страница 383: ...ication Dial In User Service RADIUS is a distributed information interaction protocol in a client server model RADIUS can protect networks against unauthorized access and is often used in network envi...

Страница 384: ...prevent user passwords from being intercepted in non secure networks RADIUS encrypts passwords before transmitting them A RADIUS server supports multiple user authentication methods Moreover a RADIUS...

Страница 385: ...ADIUS client to tear down the connection and the RADIUS client sends a stop accounting request Accounting Request to the RADIUS server 9 The RADIUS server returns a stop accounting response Accounting...

Страница 386: ...the Code Identifier Length Authenticator and Attribute fields The value of the field is in the range 20 to 4096 Bytes beyond the length are considered the padding and are neglected upon reception If t...

Страница 387: ...ct Tunnel Connection 22 Framed Route 69 Tunnel Password 23 Framed IPX Network 70 ARAP Password 24 State 71 ARAP Features 25 Class 72 ARAP Zone Access 26 Vendor Specific 73 ARAP Security 27 Session Tim...

Страница 388: ...sub attribute that can be encapsulated in Attribute 26 consists of the following four parts z Vendor ID four bytes Indicates the ID of the vendor Its most significant byte is 0 and the other three byt...

Страница 389: ...od No accounting none local accounting local or remote accounting scheme For login users it is necessary to configure the authentication mode for logging into the user interface as scheme For detailed...

Страница 390: ...ure ISP domains to perform AAA on accessing users In AAA users are divided into LAN users such as 802 1X users and login users such as SSH Telnet FTP and terminal access users Except for command line...

Страница 391: ...rname without an ISP domain name the device uses the authentication method configured for the default ISP domain to authenticate the user Configuring ISP Domain Attributes Follow these steps to config...

Страница 392: ...ADIUS the device can use the standard RADIUS protocol or extended RADIUS protocol in collaboration with systems like iMC to implement user authentication Remote authentication features centralized inf...

Страница 393: ...tion and accounting Its responsibility is to send authorization requests to the specified authorization server and to send authorization information to users Authorization method configuration is opti...

Страница 394: ...l types of users and has a priority lower than that for a specific access mode z RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RA...

Страница 395: ...service type to be configured With AAA you can configure an accounting method specifically for each access mode and service type limiting the accounting protocols that can be used for access 3 Determ...

Страница 396: ...you need to create local users and configure user attributes on the device as needed A local user represents a set of user attributes configured on a device and is uniquely identified by the username...

Страница 397: ...ork directory directory name Optional By default no authorization attribute is configured for a local user Set the expiration time of the local user expiration date time Optional Not set by default Sp...

Страница 398: ...control attributes and authorization attributes for a user group By default every newly added local user belongs to a user group named system and bears all attributes of the group User group system i...

Страница 399: ...y local user idle cut disable enable service type ftp lan access ssh telnet terminal state active block user name user name vlan vlan id Available in any view Display configuration information about a...

Страница 400: ...default A RADIUS scheme can be referenced by more than one ISP domain at the same time Specifying the RADIUS Authentication Authorization Servers Follow these steps to specify the RADIUS authenticatio...

Страница 401: ...ying the RADIUS Accounting Servers and Relevant Parameters Follow these steps to specify the RADIUS accounting servers and perform related configurations To do Use the command Remarks Enter system vie...

Страница 402: ...user when the number of accounting request transmission attempts for the user reaches the limit but it still receives no response to the accounting request z The IP addresses of the primary and secon...

Страница 403: ...the command manual for configuring RADIUS server response timeout period Setting the Supported RADIUS Server Type Follow these steps to set the supported RADIUS server type To do Use the command Rema...

Страница 404: ...authorization server state primary authentication active block Set the status of the primary RADIUS accounting server state primary accounting active block Set the status of the secondary RADIUS auth...

Страница 405: ...e users using the same username but in different ISP domains will be considered the same user z The unit of data flows sent to the RADIUS server must be consistent with the traffic statistics unit of...

Страница 406: ...so that the user has more opportunity to obtain the RADIUS service The NAS uses the RADIUS server response timeout timer to control the transmission interval z Primary server quiet timer timer quiet I...

Страница 407: ...accounting on feature enabled a device sends whenever it reboots accounting on packets to the RADIUS server so that the server logs out users that have logged in through the device before the reboot...

Страница 408: ...marks Display the configuration information of a specified RADIUS scheme or all RADIUS schemes display radius scheme radius scheme name Available in any view Display statistics about RADIUS packets di...

Страница 409: ...pes of users is similar to that given in this example The only difference lies in the access type Figure 1 6 Configure AAA by separate servers for Telnet users Configuration procedure Configure the IP...

Страница 410: ...efault radius scheme rd When telneting into the switch a user enters username telnet bbb for authentication using domain bbb AAA for SSH Users by a RADIUS Server Network requirements As shown in Figur...

Страница 411: ...anagement Service as the service type z Select H3C as the access device type z Select the access device from the device list or manually add the device with the IP address of 10 1 1 2 z Click OK to fi...

Страница 412: ...re the IP address of VLAN interface 3 through which the switch access the server Switch interface vlan interface 3 Switch Vlan interface3 ip address 10 1 1 2 255 255 255 0 Switch Vlan interface3 quit...

Страница 413: ...it Configure the AAA methods for the domain Switch domain bbb Switch isp bbb authentication login radius scheme rad Switch isp bbb authorization login radius scheme rad Switch isp bbb accounting login...

Страница 414: ...tions Solution Check that 1 The communication links between the NAS and the RADIUS server work well at both physical and link layers 2 The IP address of the RADIUS server is correctly configured on th...

Страница 415: ...1 8 Retrieving a Certificate Manually 1 9 Configuring PKI Certificate Verification 1 10 Destroying a Local RSA Key Pair 1 11 Deleting a Certificate 1 11 Configuring an Access Control Policy 1 12 Disp...

Страница 416: ...sm to solve this problem The digital certificate mechanism binds public keys to their owners helping distribute public keys in large networks securely With digital certificates the PKI system provides...

Страница 417: ...lish multiple CRLs when the number of revoked certificates is so large that publishing them in a single CRL may degrade network performance and it uses CRL distribution points to indicate the URLs of...

Страница 418: ...f PKI The PKI technology can satisfy the security requirements of online transactions As an infrastructure PKI has a wide range of applications Here are some application examples VPN A virtual private...

Страница 419: ...ing a Certificate Request in Manual Mode Required Use either approach Retrieving a Certificate Manually Optional Configuring PKI Certificate Optional Destroying a Local RSA Key Pair Optional Deleting...

Страница 420: ...fqdn name str Optional No FQDN is specified by default Configure the IP address for the entity ip ip address Optional No IP address is specified by default Configure the locality of the entity locali...

Страница 421: ...dedicated protocol for an entity to communicate with a CA z Polling interval and count After an applicant makes a certificate request the CA may need a long period of time if it verifies the certific...

Страница 422: ...nd optional when the certificate request mode is manual In the latter case if you do not configure this command the fingerprint of the root certificate must be verified manually No fingerprint is conf...

Страница 423: ...ate request The key pair includes a public key and a private key The private key is kept by the user while the public key is transferred to the CA along with some other information For detailed inform...

Страница 424: ...command with the pkcs10 and filename keywords and then send the file to the CA by an out of band means z Make sure the clocks of the entity and the CA are synchronous Otherwise the validity period of...

Страница 425: ...L checking CRLs will be used in verification of a certificate Configuring CRL checking enabled PKI certificate verification Follow these steps to configure CRL checking enabled PKI certificate verific...

Страница 426: ...nfiguration file z Currently the URL of the CRL distribution point does not support domain name resolving Destroying a Local RSA Key Pair A certificate has a lifetime which is determined by the CA Whe...

Страница 427: ...ive subject name attribute id alt subject name fqdn ip issuer name subject name dn fqdn ip ctn equ nctn nequ attribute value Optional There is no restriction on the issuer name certificate subject nam...

Страница 428: ...he certificate request from ra command to specify that the entity requests a certificate from an RA z The SCEP plug in is not required when RSA Keon is used In this case when configuring a PKI domain...

Страница 429: ...etrieve CRLs properly 2 Configure the switch z Configure the entity DN Configure the entity name as aaa and the common name as switch Switch system view Switch pki entity aaa Switch pki entity aaa com...

Страница 430: ...rieval success Retrieve CRLs and save them locally Switch pki retrieval crl domain torsa Connecting to server for retrieving CRL Please wait a while CRL retrieval success Request a local certificate m...

Страница 431: ...09v3 CRL Distribution Points URI http 4 4 4 133 447 myca crl Signature Algorithm sha1WithRSAEncryption 836213A4 F2F74C1A 50F4100D B764D6CE B30C0133 C4363F2F 73454D51 E9F95962 EDE9E590 E7458FA6 765A0D3...

Страница 432: ...y the CA to the RA Right click on the CA server in the navigation tree and select Properties Policy Module Click Properties and then select Follow the settings in the certificate template if applicabl...

Страница 433: ...dulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits in the modulus default 1024 Generating Keys z Apply for certificates Retrieve the CA certificate and save it l...

Страница 434: ...7F5E 2DA70BD9 1FAF07E5 1D167CE1 FC20394F 476F5C08 C5067DF9 CB4D05E6 55DC11B6 9F4C014D EA600306 81D403CF 2D93BC5A 8AF3224D 1125E439 78ECEFE1 7FA9AE7B 877B50B8 3280509F 6B Exponent 65537 0x10001 X509v3...

Страница 435: ...iguration refer to HTTP Configuration z The PKI domain to be referenced by the SSL policy must be created in advance For detailed configuration of the PKI domain refer to Configure the PKI domain 1 Co...

Страница 436: ...icy and certificate attribute based access control policy to HTTPS service and enable HTTPS service Apply SSL server policy myssl to HTTPS service Switch ip https ssl server policy myssl Apply the cer...

Страница 437: ...trieve a CA certificate z Regenerate a key pair z Specify a trusted CA z Use the ping command to check that the RA server is reachable z Specify the authority for certificate request z Configure the r...

Страница 438: ...List 1 2 Configuring an SSL Server Policy 1 3 Configuration Prerequisites 1 3 Configuration Procedure 1 3 SSL Server Policy Configuration Example 1 4 Configuring an SSL Client Policy 1 5 Configuratio...

Страница 439: ...er and client by using the digital signatures with the authentication of the client being optional The SSL server and client obtain certificates from a certificate authority CA through the Public Key...

Страница 440: ...tion of the server and client Through the SSL handshake protocol a session is established between a client and the server A session consists of a set of parameters including the session ID peer certif...

Страница 441: ...s view ssl server policy policy name Required Specify a PKI domain for the SSL server policy pki domain domain name Required By default no PKI domain is specified for an SSL server policy Specify the...

Страница 442: ...fy the client to use SSL 3 0 or TLS 1 0 to communicate with the server SSL Server Policy Configuration Example Network requirements z Device works as the HTTPS server z A host works as the client and...

Страница 443: ...le client authentication Device ssl server policy myssl client verify enable Device ssl server policy myssl quit 3 Associate HTTPS service with the SSL server policy and enable HTTPS service Configure...

Страница 444: ...ient policy pki domain domain name Optional No PKI domain is configured by default Specify the preferred cipher suite for the SSL client policy prefer cipher rsa_aes_128_cbc_sha rsa_des_cbc_sha rsa_rc...

Страница 445: ...e for it z If the server certificate cannot be trusted install on the SSL client the root certificate of the CA that issues the local certificate to the SSL server or let the server requests a certifi...

Страница 446: ...and Maintaining SSH 2 11 SSH Server Configuration Examples 2 12 When Switch Acts as Server for Password Authentication 2 12 When Switch Acts as Server for Publickey Authentication 2 14 SSH Client Conf...

Страница 447: ...ents but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server Currently when acting as an SSH server the device supports two SSH version...

Страница 448: ...pports the version the server and client will use the version Otherwise the negotiation fails 5 If the negotiation is successful the server and the client proceed with key and algorithm negotiation ot...

Страница 449: ...entication fails otherwise the server authenticates the client by the digital signature Finally the server sends a message to the client to inform the success or failure of the authentication Currentl...

Страница 450: ...ommands in text format the text must be within 2000 bytes It is recommended that the commands are in the same view otherwise the server may not be able to perform the commands correctly z If the comma...

Страница 451: ...on key on the SSH server and client respectively no session key transmission is required in SSH2 and the server key pair is not used z The length of the modulus of RSA server keys and host keys must b...

Страница 452: ...ange the authentication mode To change the authentication mode undo the SSH support configuration first Configuring a Client Public Key This configuration task is only necessary for SSH users using pu...

Страница 453: ...c key view public key code end When you exit public key code view the system automatically saves the public key Return from public key view to system view peer public key end Importing a client public...

Страница 454: ...H1 does not support service type sftp if the client uses SSH1 to log into the server you must set the service type to stelnet or all on the server Otherwise the client will fail to log in z The workin...

Страница 455: ...server key pair update interval ssh server rekey interval hours Optional 0 by default that is the RSA server key pair is not updated Set the SSH user authentication timeout period ssh server authentic...

Страница 456: ...client will use the saved server host public key to authenticate the server z Without first time authentication a client not configured with the server host public key will deny to access the server T...

Страница 457: ...ge dh group1 dh group14 prefer stoc cipher 3des aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Required Use either command in user view Displaying and Maintaining SSH To do Use the command Remark...

Страница 458: ...nerate RSA and DSA key pairs and enable the SSH server Switch system view Switch public key local create rsa Switch public key local create dsa Switch ssh server enable Configure an IP address for VLA...

Страница 459: ...nt software such as PuTTY and OpenSSH The following is an example of configuring SSH client using Putty Version 0 58 Establish a connection with the SSH server Launch PuTTY exe to enter the following...

Страница 460: ...dress will serve as the destination of the SSH connection Switch interface vlan interface 1 Switch Vlan interface1 ip address 192 168 1 40 255 255 255 0 Switch Vlan interface1 quit Set the authenticat...

Страница 461: ...assign publickey Switch001 2 Configure the SSH client Generate an RSA key pair Run PuTTYGen exe select SSH 2 RSA and click Generate Figure 1 4 Generate a client key pair 1 While generating the key pai...

Страница 462: ...file name as key pub to save the public key Figure 1 6 Generate a client key pair 3 Likewise to save the private key click Save private key A warning window pops up to prompt you whether to save the p...

Страница 463: ...e client Specify the private key file and establish a connection with the SSH server Launch PuTTY exe to enter the following interface In the Host Name or IP address text box enter the IP address of t...

Страница 464: ...as Client for Password Authentication Network requirements z As shown in Figure 1 10 Switch A the SSH client needs to log into Switch B the SSH server through the SSH protocol z The username of the SS...

Страница 465: ...level 3 SwitchB luser client001 quit Specify the service type for user client001 as Stelnet and the authentication type as password This step is optional SwitchB ssh user client001 service type stelne...

Страница 466: ...code 94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02 492B3959EC6499625BC4FA5082E22C5 SwitchA pkey key code B374E16DD00132CE71B020217091AC717B612391C76C1FB2E 88317C1BD8171D41ECB83E210C03CC9 SwitchA p...

Страница 467: ...n for SSH connection SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Set the authentication mode for the user interfaces...

Страница 468: ...c key local create dsa Export the DSA public key to the file key pub SwitchA public key local export dsa ssh2 key pub SwitchA quit After generating a key pair on a client you need to transmit the save...

Страница 469: ...TP client enabling a user to login from the device to a remote device for secure file transfer Configuring an SFTP Server Configuration Prerequisites z You have configured the SSH server For the detai...

Страница 470: ...out value Optional 10 minutes by default Configuring an SFTP Client Specifying a Source IP Address or Interface for the SFTP Client You can configure a client to use only a specified source IP addres...

Страница 471: ...irectories To do Use the command Remarks Enter SFTP client view sftp server port number identity key dsa rsa prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh g...

Страница 472: ...irectory on the SFTP server rename old name new name Optional Download a file from the remote server and save it locally get remote file local file Optional Upload a local file to the remote SFTP serv...

Страница 473: ...ommand Remarks Enter SFTP client view sftp server port number identity key dsa rsa prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh...

Страница 474: ...rface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Set the protocol that a remote user uses to log in as SSH SwitchB ui vty0 4 protocol inbound ssh SwitchB ui vty0 4 quit Before performing the...

Страница 475: ...SwitchA sftp 192 168 0 1 identity key rsa Input Username client001 Trying 192 168 0 1 Press CTRL K to abort Connected to 192 168 0 1 The Server is not authenticated Continue Y N y Do you want to save...

Страница 476: ...e nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 no...

Страница 477: ...w Switch public key local create rsa Switch public key local create dsa Switch ssh server enable Enable the SFTP server Switch sftp server enable Configure an IP address for VLAN interface 1 which the...

Страница 478: ...of SFTP client software The following takes the PSFTP of Putty Version 0 58 as an example z The PSFTP supports only password authentication Establish a connection with the remote SFTP server Run the...

Страница 479: ...ymmetric Key Pair 1 2 Creating an Asymmetric Key Pair 1 2 Displaying or Exporting the Local RSA or DSA Host Public Key 1 3 Destroying an Asymmetric Key Pair 1 3 Configuring the Public Key of a Peer 1...

Страница 480: ...sent for confidentiality The cipher text is transmitted in the network and then is decrypted by the receiver to obtain the original pain text Figure 1 1 Encryption and decryption There are two types o...

Страница 481: ...ir Adleman Algorithm RSA and Digital Signature Algorithm DSA are all asymmetric key algorithms RSA can be used for data encryption and signature whereas DSA is used for signature only Asymmetric key a...

Страница 482: ...key on the screen or export it to a specified file so as to configure the local RSA or DSA host public key on the remote end Follow these steps to display or export the local RSA or DSA host public ke...

Страница 483: ...o Use the command Remarks Enter system view system view Enter public key view public key peer keyname Enter public key code view public key code begin Configure a public key of the peer Enter the key...

Страница 484: ...A Create RSA key pairs on Device A DeviceA system view DeviceA public key local create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minu...

Страница 485: ...view with public key code end DeviceB pkey key code 30819F300D06092A864886F70D010101050003818D0030818902818100D90003F A95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5...

Страница 486: ...TRL C to abort Input the bits of the modulus default 1024 Generating Keys Display the public keys of the created RSA key pairs DeviceA display public key local rsa public Time of Key pair created 09 5...

Страница 487: ...tp quit 3 Upload the public key file of Device A to Device B FTP the public key file devicea pub to Device B with the file transfer mode of binary DeviceA ftp 10 1 1 2 Trying 10 1 1 2 Press CTRL K to...

Страница 488: ...03FA95F5A44A2A2CD3F814F985 4C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A78 4AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC...

Страница 489: ...Contents 1 HABP Configuration 1 1 Introduction to HABP 1 1 Configuring HABP 1 2 Configuring the HABP Server 1 2 Configuring an HABP Client 1 2 Displaying and Maintaining HABP 1 3 HABP Configuration E...

Страница 490: ...ort 802 1 client Otherwise the management device will fail to perform centralized management of the cluster member devices For more information about the cluster function refer to Cluster Configuratio...

Страница 491: ...n the HABP server and the HABP clients is implemented through the management VLAN Configuring HABP Complete the following tasks to configure HABP z Configuring the HABP Server z Configuring an HABP Cl...

Страница 492: ...tics display habp traffic Available in any view HABP Configuration Example Network requirements As shown in Figure 1 2 Switch A is the management device and connects two access devices Switch B and Sw...

Страница 493: ...and Switch C Configure Switch B and Switch C to work in HABP client mode This configuration is usually unnecessary because HABP is enabled and works in client mode by default 3 Verify your configurati...

Страница 494: ...Basic ACL 2 2 Configuration Prerequisites 2 2 Configuration Procedure 2 2 Configuring an Advanced ACL 2 3 Configuration Prerequisites 2 3 Configuration Procedure 2 3 Configuring an Ethernet Frame Head...

Страница 495: ...Order z ACL Step z Effective Period of an ACL z IP Fragments Filtering with ACL ACL Classification ACLs identified by ACL numbers fall into three categories as shown in Table 1 1 Table 1 1 ACL categor...

Страница 496: ...address wildcard and compare packets against the rule configured with more zeros in the source IP address wildcard 2 If two rules are present with the same number of zeros in their source IP address...

Страница 497: ...n of a packet against ACL rules stops immediately after a match is found The packet is then processed as per the rule ACL Step Meaning of the step The step defines the difference between two neighbori...

Страница 498: ...network As for the configuration of a rule of an IPv4 ACL the fragment keyword specifies that the rule applies to non first fragment packets only and does not apply to non fragment packets or the fir...

Страница 499: ...e range time range name all Optional Available in any view You may create a maximum of 256 time ranges A time range can be one of the following z Periodic time range created using the time range time...

Страница 500: ...ant to reference a time range in a rule define it with the time range command first Configuration Procedure Follow these steps to configure a basic ACL To do Use the command Remarks Enter system view...

Страница 501: ...address destination IP address protocol carried over IP and other protocol header fields such as the TCP UDP source port number TCP UDP destination port number TCP flag ICMP message type and ICMP mes...

Страница 502: ...ule has no rule description Note that z You can only modify the existing rules of an ACL that uses the match order of config When modifying a rule of such an ACL you may choose to change just some of...

Страница 503: ...e time range name Required To create or modify multiple rules repeat this step Set the rule numbering step step step value Optional 5 by default Configure a description for the Ethernet frame header A...

Страница 504: ...marks Enter system view system view Copy an existing ACL to generate a new one of the same type acl copy source acl number name source acl name to dest acl number name dest acl name Required z The sou...

Страница 505: ...et frame header ACL to the interface to filter Ethernet frames packet filter acl number name acl name inbound Required By default an interface does not filter Ethernet frames Filtering IPv4 Packets Fo...

Страница 506: ...study 8 00 to 18 00 daily Create basic ACL 2009 DeviceA acl number 2009 Create a basic ACL rule to deny packets sourced from 192 168 1 2 32 during time range study DeviceA acl basic 2009 rule deny sou...

Страница 507: ...ng the Boot ROM Program Through Command Lines 1 4 Upgrading the Boot File Through Command Lines 1 5 Clearing the 16 bit Interface Indexes Not Used in the Current System 1 5 Identifying and Diagnosing...

Страница 508: ...evice Optional Configuring the Scheduled Automatic Execution Function Optional Upgrading the Boot ROM Program Through Command Lines Optional Upgrading the Boot File Through Command Lines Optional Clea...

Страница 509: ...es You can set a time at which the device can automatically reboot or set a delay so that the device can automatically reboot within the delay The last two methods are command line operations Reboot t...

Страница 510: ...execution function enables the system to automatically execute a specified command at a specified time in a specified view This function is used for scheduled system upgrade or configuration Follow t...

Страница 511: ...z Only the last configuration takes effect if you execute the schedule job command repeatedly Upgrading Device Software Device Software Overview Device software consists of the Boot ROM program and th...

Страница 512: ...2 Use a command to specify the boot file for the next boot of the device 3 Reboot the device to make the boot file take effect When multiple Boot ROM files are available on the storage media you can...

Страница 513: ...in user view A confirmation is required when you execute this command If you fail to make a confirmation within 30 seconds or enter N to cancel the operation the command will not be executed Identify...

Страница 514: ...n data or archive information which is written to the storage component of a card during device debugging or testing The information includes name of the card device serial number and vendor name or n...

Страница 515: ...ot number Available in any view Display the reboot time of a device display schedule reboot Available in any view Display detailed configurations of the scheduled automatic execution function display...

Страница 516: ...Server luser aaa password cipher hello FTP Server luser aaa service type ftp FTP Server luser aaa authorization attribute work directory flash aaa z Use text editor on the FTP server to edit batch fi...

Страница 517: ...pdate bat To ensure correctness of the file you can use the more command to view the content of the file Execute the scheduled automatic execution function to enable the device to be automatically upg...

Страница 518: ...e for NTP Messages 1 10 Disabling an Interface from Receiving NTP Messages 1 11 Configuring the Maximum Number of Dynamic Sessions Allowed 1 11 Configuring Access Control Rights 1 12 Configuration Pre...

Страница 519: ...within a network by changing the system clock on each station because this is a huge amount of workload and cannot guarantee the clock precision NTP however allows quick clock synchronization within...

Страница 520: ...ce B Device A Device B Device A 10 00 00 am 11 00 01 am 10 00 00 am NTP message 10 00 00 am 11 00 01 am 11 00 02 am NTP message NTP message NTP message received at 10 00 03 am 1 3 2 4 The process of s...

Страница 521: ...fields are described as follows z LI 2 bit leap indicator When set to 11 it warns of an alarm condition clock unsynchronized when set to any other value it is not to be processed by NTP z VN 3 bit ve...

Страница 522: ...synchronization in one of the following modes z Client server mode z Symmetric peers mode z Broadcast mode z Multicast mode You can select operation modes of NTP as needed In case that the IP address...

Страница 523: ...ends a request Clock synchronization message exchange Mode 3 and Mode 4 Periodically broadcasts clock synchronization messages Mode 5 Calculates the network delay between client and the server and ent...

Страница 524: ...o exchange messages with the Mode field set to 3 client mode and 4 server mode to calculate the network delay between client and the server Then the client enters the multicast client mode and continu...

Страница 525: ...a server the system will create a static association and the server will just respond passively upon the receipt of a message rather than creating an association static or dynamic In the symmetric mo...

Страница 526: ...device ntp service unicast peer ip address peer name authentication keyid keyid priority source interface interface type interface number version number Required No symmetric passive peer is specified...

Страница 527: ...mber Required Enter the interface used to receive NTP broadcast messages Configure the device to work in the NTP broadcast client mode ntp service broadcast client Required Configuring the broadcast s...

Страница 528: ...authentication keyid keyid ttl ttl number version number Required z A multicast server can synchronize broadcast clients only after its clock has been synchronized z You can configure up to 1024 mult...

Страница 529: ...command the source interface of the broadcast or multicast NTP messages is the interface configured with the respective command Disabling an Interface from Receiving NTP Messages When NTP is enabled...

Страница 530: ...vice z peer full access This level of right permits the peer devices to perform synchronization and control query to the local device and also permits the local device to synchronize its clock to that...

Страница 531: ...he symmetric peer mode Otherwise the NTP authentication feature cannot be normally enabled z For the broadcast server mode or multicast server mode you need to associate the specified authentication k...

Страница 532: ...er Follow these steps to configure NTP authentication for a server To do Use the command Remarks Enter system view system view Enable NTP authentication ntp service authentication enable Required Disa...

Страница 533: ...ce display ntp service trace Available in any view NTP Configuration Examples Configuring NTP Client Server Mode Network requirements z The local clock of Device A is to be used as a reference source...

Страница 534: ...ed to Device A and the clock stratum level of Device B is 3 while that of Device A is 2 View the NTP session information of Device B which shows that an association has been set up between Device B an...

Страница 535: ...UTC Sep 19 2005 C6D95647 153F7CED As shown above Device B has been synchronized to Device A and the clock stratum level of Device B is 3 while that of Device C is 1 3 Configuration on Device C after D...

Страница 536: ...1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 2 Configuring NTP Broadcast Mode Network requirements z Switch C s local clock is to be used as a reference source...

Страница 537: ...chronization SwitchD Vlan interface2 display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 3 0 1 31 Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock p...

Страница 538: ...interface 2 SwitchC interface vlan interface 2 SwitchC Vlan interface2 ntp service multicast server 2 Configuration on Switch D Configure Switch D to work in the multicast client mode and receive mult...

Страница 539: ...e the multicast functions on Switch B before Switch A can receive multicast messages from Switch C Enable IP multicast routing and IGMP SwitchB system view SwitchB multicast routing enable SwitchB int...

Страница 540: ...26 16 0 40 0 16 6 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 Configuring NTP Client Server Mode with Authentication Network requirements z The local c...

Страница 541: ...t dispersion 1 05 ms Peer dispersion 7 81 ms Reference time 14 53 27 371 UTC Sep 19 2005 C6D94F67 5EF9DB22 As shown above Device B has been synchronized to Device A and the clock stratum level of Devi...

Страница 542: ...itchD ntp service authentication enable SwitchD ntp service authentication keyid 88 authentication mode md5 123456 SwitchD ntp service reliable authentication keyid 88 Configure Switch D to work in th...

Страница 543: ...atum level of Switch D is 4 while that of Switch C is 3 View the NTP session information of Switch D which shows that an association has been set up between Switch D and Switch C SwitchD Vlan interfac...

Страница 544: ...uction to SNMP Logging 1 5 Enabling SNMP Logging 1 5 Configuring SNMP Trap 1 6 Enabling the Trap Function 1 6 Configuring Trap Parameters 1 7 Displaying and Maintaining SNMP 1 8 SNMPv1 SNMPv2c Configu...

Страница 545: ...NMP makes the management tasks independent of both the physical features of the managed devices and the underlying networking technologies Thus SNMP achieves effective management of devices from diffe...

Страница 546: ...used to encrypt packets between the NMS and agents preventing the packets from being intercepted USM ensures a more secure communication between SNMP NMS and SNMP agent by authentication with privacy...

Страница 547: ...s are as follows Hangzhou H3C Technologies Co Ltd for contact Hangzhou China for location and SNMP v3 for the version Configure a local engine ID for an SNMP entity snmp agent local engineid engineid...

Страница 548: ...ed The defaults are as follows Hangzhou H3C Technologies Co Ltd for contact Hangzhou China for location and SNMP v3 for the version Configure a local engine ID for an SNMP entity snmp agent local engi...

Страница 549: ...ndex of the SET response These logs will be sent to the information center and the level of them is informational that is they are taken as the system prompt information With parameters for the inform...

Страница 550: ...t for the specific modules as needed With the trap function enabled on a module the traps generated by the module will be sent to the information center The information center has seven information ou...

Страница 551: ...in the trap queue You can set the size of the queue and the holding time of the traps in the queue and you can also send the traps to the specified destination host usually the NMS Follow these steps...

Страница 552: ...e ID display snmp agent local engineid Display SNMP agent group information display snmp agent group group name Display basic information of the trap queue display snmp agent trap queue Display the mo...

Страница 553: ...2 24 using public as the community name Sysname snmp agent trap enable Sysname snmp agent target host trap address udp domain 1 1 1 2 udp port 5000 params securityname public v1 Ensure that the SNMP v...

Страница 554: ...Sysname system view Sysname undo snmp agent mib view ViewDefault Sysname snmp agent mib view included test interfaces Sysname snmp agent group v3 managev3group read view test write view test Sysname...

Страница 555: ...ected through an Ethernet z The IP address of the NMS is 1 1 1 2 24 z The IP address of the agent is 1 1 1 1 24 z Configure SNMP logging on the agent to record the operations performed by the NMS to t...

Страница 556: ...iption Jan 1 02 49 40 566 2006 The time when the SNMP log is generated seqNO Serial number of the SNMP log The system numbers the recorded SNMP logs automatically the serial number starts from 0 srcIP...

Страница 557: ...MIB style may vary depending on the device model To implement NMS s flexible management of the device the device allows you to configure the MIB style that is you can switch between the two styles of...

Страница 558: ...unction 1 3 Configuring the RMON Ethernet Statistics Function 1 4 Configuring the RMON History Statistics Function 1 4 Configuring the RMON Alarm Function 1 5 Configuration Prerequisites 1 5 Configura...

Страница 559: ...e potion of broadcast packets received in the total packets reaches a certain value Both the RMON protocol and the Simple Network Management Protocol SNMP are used for remote network management z RMON...

Страница 560: ...up Besides H3C also defines and implements the private alarm group which enhances the functions of the alarm group This section describes the five kinds of groups in general Event group The event grou...

Страница 561: ...ethernetHistoryTable for query convenience of the management device The statistics data includes bandwidth utilization number of error packets and total number of packets A history group collects sta...

Страница 562: ...tics Function Follow these steps to configure the RMON Ethernet statistics function To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type i...

Страница 563: ...function z If the alarm variable is the MIB variable defined in the history group or the Ethernet statistics group you must make sure that the RMON Ethernet statistics function or the RMON history st...

Страница 564: ...ld threshold value1 and falling threshold threshold value2 60 Prialarm Alarm variable formula alarm variable sampling interval sampling interval sampling type absolute changeratio or delta rising thre...

Страница 565: ...sname display rmon statistics GigabitEthernet 1 0 1 Statistics entry 1 owned by user1 rmon is VALID Interface Ethernet1 1 ifIndex 3 etherStatsOctets 21657 etherStatsPkts 307 etherStatsBroadcastPkts 56...

Страница 566: ...When traffic is above or below the thresholds Agent sends the corresponding traps to the NMS z Execute the display rmon statistics command on Agent to display the statistics result and query the stati...

Страница 567: ...n startup enables risingOrFallingAlarm Latest value 0 Display statistics for interface GigabitEthernet 1 0 1 Sysname display rmon statistics GigabitEthernet 1 0 1 Statistics entry 1 owned by user1 rmo...

Страница 568: ...Medium 1 5 Displaying and Maintaining the NAND Flash Memory 1 6 Setting File System Prompt Modes 1 7 File System Operations Example 1 7 2 Configuration File Management 2 1 Configuration File Overview...

Страница 569: ...cking Up the Startup Configuration File 2 7 Deleting the Startup Configuration File for the Next Startup 2 8 Restoring the Startup Configuration File 2 9 Displaying and Maintaining Device Configuratio...

Страница 570: ...ations and Setting File System Prompt Modes Filename Formats When you specify a file you must enter the filename in one of the following formats Filename formats Format Description Length Example file...

Страница 571: ...iew Displaying the Current Working Directory To do Use the command Remarks Display the current working directory pwd Required Available in user view Changing the Current Working Directory To do Use th...

Страница 572: ...cified directory or file information displaying file contents renaming copying moving removing restoring and deleting files You can create a file by copying downloading or using the save command Displ...

Страница 573: ...storage space To delete a file in the recycle bin you need to execute the reset recycle bin command in the directory that the file originally belongs It is recommended to empty the recycle bin timely...

Страница 574: ...s not bat use the rename command to change the suffix to bat 3 Execute the batch file Follow the steps below to execute a batch file To do Use the command Remarks Enter system view system view Execute...

Страница 575: ...Displaying and repairing bad blocks It is common to have bad blocks when an NAND flash memory is shipped from the factory Bad block ratio varies with products of different vendors The frequently used...

Страница 576: ...view Set the operation prompt mode of the file system file prompt alert quiet Optional The default is alert File System Operations Example Display the files and the subdirectories under the current di...

Страница 577: ...1 8 Return to the upper directory Sysname cd Display the current working directory Sysname pwd flash...

Страница 578: ...initialization when the device boots If this file does not exist the system boots using null configuration that is using the default parameters z Current configuration which refers to the currently r...

Страница 579: ...he main and backup startup configuration files for the next boot of the device in the following two methods z Specify them when saving the current configuration For detailed configuration refer to Sav...

Страница 580: ...current configuration and specify the configuration file as the main startup configuration file to be used at the next system startup z During the execution of the save safely backup main command the...

Страница 581: ...n file but not in the current configuration file z The rollback operation removes the commands that are different in the replacement configuration file and in the current configuration file and then e...

Страница 582: ...to the default meanwhile the saved configuration files are cleared z The value of the file number argument is determined by the memory space You are recommended to set a comparatively small value for...

Страница 583: ...on and save it manually If the modification to the configuration fails or is complicated you can save the current running configuration manually before you modify it Therefore if it really fails the d...

Страница 584: ...e for the Next System Startup A startup configuration file is the configuration file to be used at the next system startup You can specify a configuration file as the startup configuration file to be...

Страница 585: ...d at the next system startup using commands On a device that has the main and backup startup configuration files you can choose to delete either the main or backup startup configuration file However i...

Страница 586: ...s reachable the server is enabled with TFTP service and the client has read and write permission z After the command is successfully executed you can use the display startup command in user view to ve...

Страница 587: ...the command Remarks Display the current configuration display current configuration configuration configuration interface interface type interface number by linenum begin include exclude text Availab...

Страница 588: ...nd Debugging 1 1 Ping 1 1 Introduction 1 1 Configuring Ping 1 1 Ping Configuration Example 1 2 Tracert 1 4 Introduction 1 4 Configuring Tracert 1 4 System Debugging 1 5 Introduction to System Debuggin...

Страница 589: ...ping function is implemented through the Internet Control Message Protocol ICMP 1 The source device sends an ICMP echo request to the destination device 2 The source device determines whether the des...

Страница 590: ...Device A to Device C Figure 1 1 Ping network diagram Configuration procedure Use the ping command to display whether an available route exists between Device A and Device C DeviceA ping 1 1 2 2 PING...

Страница 591: ...atistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 11 53 ms The principle of ping r is as shown in Figure 1 1 1 The source Device A sends an ICMP echo reques...

Страница 592: ...s the packet responds by sending a TTL expired ICMP error message to the source with its IP address 1 1 1 2 encapsulated In this way the source device can get the address 1 1 1 2 of the first Layer 3...

Страница 593: ...ity of protocols and features supported the system provides corresponding debugging information to help users diagnose errors The following two switches control the display of debugging information z...

Страница 594: ...l monitor Optional The terminal monitoring on the console is enabled by default and that on the monitoring terminal is disabled by default Available in user view Enable the terminal display of debuggi...

Страница 595: ...eviceA ip ttl expires enable DeviceA ip unreachables enable DeviceA tracert 1 1 2 2 traceroute to 1 1 2 2 1 1 2 2 30 hops max 40 bytes packet press CTRL_C to bre ak 1 1 1 1 2 14 ms 10 ms 20 ms 2 3 4 5...

Страница 596: ...he Display of Copyright Information 1 6 Configuring a Banner 1 7 Configuring CLI Hotkeys 1 8 Configuring User Privilege Levels and Command Levels 1 9 Displaying and Maintaining Basic Configurations 1...

Страница 597: ...run normally when it has no configuration file or the configuration file is damaged z Current configuration The currently running configuration on the device z Saved configuration Configurations saved...

Страница 598: ...ser view system view Required Available in user view Exiting the Current View The system divides the command line interface into multiple command views which adopts a hierarchical structure For exampl...

Страница 599: ...zone and daylight saving time You can view the system clock by using the display clock command Follow these steps to configure the system clock To do Use the command Remarks Set time and date clock da...

Страница 600: ...ffset Configure clock timezone zone time add 1 Display 02 00 00 zone time Sat 01 01 2005 1 and 2 date time zone offset Configure clock datetime 2 00 2007 2 2 and clock timezone zone time add 1 Display...

Страница 601: ...0 2007 1 1 1 00 2007 8 8 2 and clock datetime 3 00 2007 1 1 Display 03 00 00 ss Mon 01 01 2007 Configure clock timezone zone time add 1 and clock summer time ss one off 1 00 2007 1 1 1 00 2007 8 8 2 D...

Страница 602: ...ummer time ss one off 1 00 2008 1 1 1 00 2008 8 8 2 and clock datetime 3 00 2008 1 1 Display 03 00 00 ss Tue 01 01 2008 Enabling Disabling the Display of Copyright Information z With the display of co...

Страница 603: ...the command keywords The start and end characters of the input text must be the same but are not part of the banner information In this case the input text together with the command keywords cannot e...

Страница 604: ...in any view Refer to Table 1 2 for hotkeys reserved by the system By default the Ctrl G Ctrl L and Ctrl O hotkeys are configured with command line and the Ctrl T and Ctrl U commands are NULL z Ctrl G...

Страница 605: ...the right Esc N Moves the cursor down by one line available before you press Enter Esc P Moves the cursor up by one line available before you press Enter Esc Specifies the cursor as the beginning of t...

Страница 606: ...TP TFTP Xmodem command download user management level setting as well as parameter setting within a system the last case involves those non protocol or non RFC provisioned commands Configuring user pr...

Страница 607: ...mmands z For the introduction to SSH refer to SSH 2 0 Configuration 2 Example of configuring user privilege level by using AAA authentication parameters Authenticate the users telnetting to the device...

Страница 608: ...ging in from the current user interface user privilege level level Optional By default the user privilege level for users logging in from the console user interface is 3 and that for users logging fro...

Страница 609: ...tion and use the following commands Sysname User view commands cluster Run cluster command debugging Enable system debugging functions display Display current system information ping Ping function qui...

Страница 610: ...peration by others Users can switch from a high user privilege level to a low user privilege level without entering a password when switching from a low user privilege level to a high user privilege l...

Страница 611: ...lay information on system version display version Display information on the system clock display clock Display information on terminal users display users all Display the valid configuration under cu...

Страница 612: ...at your own or lower levels Refer to Configuring User Privilege Levels and Command Levels for details z Easy access to on line help by entering z Abundant debugging information for fault diagnosis z...

Страница 613: ...view Sysname interface vlan interface 1 4094 VLAN interface number Sysname interface vlan interface 1 cr Sysname interface vlan interface 1 Where cr indicates that there is no parameter at this posit...

Страница 614: ...ute a command the system automatically goes to the next line if the maximum length of the command is reached You cannot press Enter to go to the next line otherwise the system will automatically execu...

Страница 615: ...exclude and include keywords is as follows z begin Displays the line that matches the regular expression and all the subsequent lines z exclude Displays the lines that do not match the regular express...

Страница 616: ...12 can match 40812 or 408121212 But it cannot match 408 index Repeats a specified character group for once A character group refers to the string in before index refers to the sequence number starting...

Страница 617: ...f the characters will be removed For example can match a string containing can match a string containing and b can match a string containing b Multiple screen output When there is a lot of information...

Страница 618: ...erface For the detailed description of the history command max size command refer to Login Commands The following table lists the operations that you can perform In addition z The commands saved in th...

Страница 619: ...f they have no syntax error Otherwise error information is reported Table 1 7 lists some common errors Table 1 7 Common command line errors Error information Cause The command was not found The keywor...

Страница 620: ...ation to the Console 1 7 Outputting System Information to a Monitor Terminal 1 8 Outputting System Information to a Log Host 1 9 Outputting System Information to the Trap Buffer 1 10 Outputting System...

Страница 621: ...rs and developers in monitoring network performance and diagnosing network problems The following describes the working process of information center z Receives the log trap and debugging information...

Страница 622: ...enormous information waiting for processing Classification of System Information The system information of the information center falls into three types z Log information z Trap information z Debuggin...

Страница 623: ...tput destinations can be changed through commands Besides you can configure channels 7 8 and 9 without changing the default configuration of the eight channels Table 1 2 Information channels and outpu...

Страница 624: ...face log information with severity level equal to or higher than informational is allowed to be output to the log host log information with severity level equal to or higher than warning is allowed to...

Страница 625: ...MP or log file the system information is in the following format timestamp sysname module level digest content For example a monitor terminal connects to the device When a terminal logs in to the devi...

Страница 626: ...and to modify the system name Refer to Basic System Configuration Commands for details This field is a preamble used to identify a vendor It is displayed only when the output destination is log host n...

Страница 627: ...P Module Optional Outputting System Information to the Web Interface Optional Configuring Synchronous Information Output Optional Outputting System Information to the Console Outputting system informa...

Страница 628: ...ogging Optional Enabled by default Enable the display of trap information on the console terminal trapping Optional Enabled by default Outputting System Information to a Monitor Terminal System inform...

Страница 629: ...nable the display of debugging information on a monitor terminal terminal debugging Required Disabled by default Enable the display of log information on a monitor terminal terminal logging Optional E...

Страница 630: ...ate no year date none Optional date by default Outputting System Information to the Trap Buffer The trap buffer receives the trap information only and discards the log and debugging information even i...

Страница 631: ...th a specified channel number info center channel channel number name channel name Optional Refer to Table 1 2 for default channel names Configure the channel through which system information can be o...

Страница 632: ...el with a specified channel number info center channel channel number name channel name Optional Refer to Table 1 2 for default channel names Configure the channel through which system information can...

Страница 633: ...ation info center source module name default channel channel number channel name debug level severity state state log level severity state state trap level severity state state Optional Refer to Defau...

Страница 634: ...n in some cases for example z You only concern the states of some of the ports In this case you can use this function to disable the other ports from generating link up down logging information z The...

Страница 635: ...og file display logfile summary Available in any view Display the state of the trap buffer and the trap information recorded display trapbuffer reverse size buffersize Available in any view Reset the...

Страница 636: ...utput to the log host Note that the source modules allowed to output information depend on the device model Sysname info center source arp channel loghost log level informational state on Sysname info...

Страница 637: ...l be able to record log information into the log file Outputting Log Information to a Linux Log Host Network requirements z Send log information to a Linux log host with an IP address of 1 2 0 1 16 z...

Страница 638: ...on messages local5 info var log Device info log In the above configuration local5 is the name of the logging facility used by the log host to receive logs info is the information level The Linux syste...

Страница 639: ...es on channel console Sysname info center source default channel console debug state off log state off trap state off As the default system configurations for different channels are different you need...

Страница 640: ...ysname terminal logging Info Current terminal logging is on After the above configuration takes effect if the specified module generates log information the information center automatically sends the...

Страница 641: ...Table Entries 1 2 MAC Address Table Based Frame Forwarding 1 2 Configuring a MAC Address Table 1 3 Configuring MAC Address Table Entries 1 3 Configuring the Aging Timer for Dynamic MAC Address Entries...

Страница 642: ...ound the frame is forwarded rather than broadcast Thus broadcasts are reduced How a MAC Address Table Entry Is Created A MAC address table entry can be dynamically learned or manually configured Dynam...

Страница 643: ...ses Types of MAC Address Table Entries A MAC address table may contain these types of entries z Static entries which are manually configured and never age out z Dynamic entries which can be manually c...

Страница 644: ...ally by learning the source MAC addresses of received frames To improve port security you can manually add MAC address entries to the MAC address table to bind ports with MAC addresses thus fending of...

Страница 645: ...ress entry Configuring the Aging Timer for Dynamic MAC Address Entries The MAC address table on your device is available with an aging mechanism for dynamic entries In this way dynamic MAC address ent...

Страница 646: ...teps to configure the MAC learning limit on an Ethernet port Layer 2 aggregate interface or the Ethernet ports in a port group To do Use the command Remarks Enter system view system view Enter Etherne...

Страница 647: ...ty sake add a destination blackhole MAC address entry on the device to prevent the host from receiving packets z Set the aging timer for dynamic MAC address entries to 500 seconds Configuration proced...

Страница 648: ...1 7 1 mac address es found View the aging time of dynamic MAC address entries Sysname display mac address aging time Mac address aging time 500s...

Страница 649: ...ishing a Cluster 1 9 Configuring Communication Between the Management Device and the Member Devices Within a Cluster 1 10 Cluster Member Management 1 11 Configuring the Member Devices 1 11 Enabling ND...

Страница 650: ...configuration and management tasks By configuring a public IP address on one device you can configure and manage a group of devices without the trouble of logging in to each device separately z Provid...

Страница 651: ...r A member device becomes a candidate device after it is removed from the cluster How a Cluster Works Cluster management is implemented through HW Group Management Protocol version 2 HGMPv2 which cons...

Страница 652: ...NDP information of all the devices in a specific network range as well as the connection information of all its neighbors The information collected will be used by the management device or the network...

Страница 653: ...Disconnect Connect z After a cluster is created a candidate device is added to the cluster and becomes a member device the management device saves the state information of its member device and identi...

Страница 654: ...he management VLAN cannot pass a port the device connected with the port cannot be added to the cluster Therefore if the ports including the cascade ports connecting the management device and the memb...

Страница 655: ...for a Cluster Optional z Disabling the NDP and NTDP functions on the management device and member devices after a cluster is created will not cause the cluster to be dismissed but will influence the...

Страница 656: ...do not need to join the cluster preventing the management device from adding the device which needs not to join the cluster and collecting the topology information of this device Configuring NDP Para...

Страница 657: ...the maximum hops for collecting topology information you can get topology information of the devices in a specified range thus avoiding unlimited topology collection After the interval for collecting...

Страница 658: ...e topology information collection thus managing and monitoring the device on real time regardless of whether a cluster is created Follow these steps to configure to manually collect topology informati...

Страница 659: ...ing Communication Between the Management Device and the Member Devices Within a Cluster In a cluster the management device and member devices communicate by sending handshake packets to maintain conne...

Страница 660: ...mac address mac address password password Required Removing a member device To do Use the command Remarks Enter system view system view Enter cluster view cluster Remove a member device from the clus...

Страница 661: ...er devices of a cluster To do Use the command Remarks Switch from the operation interface of the management device to that of a member device cluster switch to member number mac address mac address Re...

Страница 662: ...a Cluster Configuring Topology Management The concepts of blacklist and whitelist are used for topology management An administrator can diagnose the network by comparing the current topology namely t...

Страница 663: ...information topology restore from ftp server local flash Optional Configuring Interaction for a Cluster After establishing a cluster you can configure FTP TFTP server NM host and log host for the clus...

Страница 664: ...interface name Optional To isolate management protocol packets of a cluster from packets outside the cluster you are recommended to configure to prohibit packets from the management VLAN from passing...

Страница 665: ...ndp statistics interface interface list Available in user view Support for the display ntdp single device command depends on the device model Cluster Management Configuration Example Network requireme...

Страница 666: ...terface gigabitethernet 1 0 1 SwitchA GigabitEthernet1 0 1 ntdp enable SwitchA GigabitEthernet1 0 1 quit Enable the cluster function SwitchA cluster enable 2 Configure the member device Switch C As th...

Страница 667: ...port as 15 ms SwitchB ntdp timer port delay 15 Configure the interval to collect topology information as 3 minutes SwitchB ntdp timer 3 Configure ports GigabitEthernet 1 2 and GigabitEthernet 1 3 as T...

Страница 668: ...69 172 55 4 Add the device whose MAC address is 000f e201 0013 to the blacklist abc_0 SwitchB cluster black list add mac 000f e201 0013 abc_0 SwitchB cluster quit Add port GigabitEthernet 1 0 1 to VLA...

Страница 669: ...n ACL 1 2 Displaying and Maintaining HTTP 1 3 2 HTTPS Configuration 2 1 HTTPS Overview 2 1 HTTPS Configuration Task List 2 1 Associating the HTTPS Service with an SSL Server Policy 2 2 Enabling the HT...

Страница 670: ...y the port number is 80 2 The client sends a request to the server 3 The server processes the request and sends back a response 4 The TCP connection is closed Logging In to the Device Through HTTP You...

Страница 671: ...ber of the HTTP service is 80 If you execute the ip http port command for multiple times the last configured port number is used Associating the HTTP Service with an ACL By associating the HTTP servic...

Страница 672: ...1 3 Displaying and Maintaining HTTP To do Use the command Remarks Display information about HTTP display ip http Available in any view...

Страница 673: ...nts to access the device securely and prohibit the illegal clients z Encrypts the data exchanged between the HTTPS client and the device to ensure the data security and integrity thus realizing the se...

Страница 674: ...nly associated with the last specified SSL server policy z When the HTTPS service is disabled the association between the HTTPS service and the SSL server is automatically removed To enable it again y...

Страница 675: ...e steps to associate the HTTPS service with a certificate attribute access control policy To do Use the command Remarks Enter system view system view Associate the HTTPS service with a certificate att...

Страница 676: ...rks Enter system view system view Associate the HTTPS service with an ACL ip https acl acl number Required Not associated by default z If you execute the ip https acl command for multiple times to ass...

Страница 677: ...pki entity en quit Configure a PKI domain Device pki domain 1 Device pki domain 1 ca identifier new ca Device pki domain 1 certificate request url http 10 1 2 2 8080 certsrv mscep mscep dll Device pki...

Страница 678: ...SSL server policy Associate the HTTPS service with the SSL server policy myssl Device ip https ssl server policy myssl 5 Associate the HTTPS service with a certificate attribute access control policy...

Страница 679: ...Configuring the Master Device of a Stack 1 2 Configuring a Private IP Address Pool for a Stack 1 2 Configuring Stack Ports 1 3 Creating a Stack 1 3 Configuring Stack Ports of a Slave Device 1 3 Loggi...

Страница 680: ...stack management can help reduce customer investments and simplify network management Introduction to Stack A stack is a management domain that comprises several network devices connected to one anoth...

Страница 681: ...t Complete the following tasks to configure stack Task Remarks Configuring a Private IP Address Pool for a Stack Required Configuring Stack Ports Required Configuring the Master Device of a Stack Crea...

Страница 682: ...pecified ports as stack ports stack stack port stack port num port interface list Required By default a port is not a stack port Creating a Stack After you execute the stack role master command on a s...

Страница 683: ...tions for the slave device Follow the step below to log in to the CLI of a slave device from the master device To do Use the command Remarks Log in to the CLI of the specified slave device from the ma...

Страница 684: ...witchA stack stack port 1 port gigabitethernet 1 0 1 Configure switch A as the master device SwitchA stack role master 2 Configure the slave devices On Switch B configure local ports GigabitEthernet 1...

Страница 685: ...Slave Sysname stack_1 SwitchB Device type H3C S5120 MAC address 000f e200 1001 Number 2 Role Slave Sysname stack_2 DeviceC Device type H3C S5120 MAC address 000f e200 1002 Number 3 Role Slave Sysname...

Страница 686: ...Application Layer Gateway AM accounting management ANSI American National Standard Institute AP Access Point ARP Address Resolution Protocol AS Autonomous System ASBR Autonomous System Border Router...

Страница 687: ...and Telegraph Consultative Committee CE Customer Edge CFD Connectivity Fault Detection CFM Configuration File Management CHAP Challenge Handshake Authentication Protocol CIDR Classless Inter Domain R...

Страница 688: ...oint Priority DSP Digital Signal Processor DTE Data Terminal Equipment DU Downstream Unsolicited D V Distance Vector Routing Algorithm DVMRP Distance Vector Multicast Routing Protocol DWDM Dense Wavel...

Страница 689: ...ernet GR Graceful Restart GRE Generic Routing Encapsulation GTS Generic Traffic Shaping GVRP GARP VLAN Registration Protocol H Return HA High Availability HABP HW Authentication Bypass Protocol HDLC H...

Страница 690: ...IPSec IP Security IPTN IP Phone Telephony Network IPv6 Internet protocol version 6 IPX Internet Packet Exchange IS Intermediate System ISATAP Intra Site Automatic Tunnel Addressing Protocol ISDN Inte...

Страница 691: ...tate Advertisement LSAck Link State Acknowledgment LSDB Link State Database LSP Label Switch Path LSPAGENT Label Switched Path AGENT LSPDU Link State Protocol Data Unit LSPM Label Switch Path Manageme...

Страница 692: ...Instance MSTP Multiple Spanning Tree Protocol MT Multicast Tunnel MTBF Mean Time Between Failure MTI Multicast Tunnel Interface MTU Maximum Transmission Unit MVRF Multicast VPN Routing and Forwarding...

Страница 693: ...ier OL Optical Line OSI Open Systems Interconnection OSPF Open Shortest Path First P Return P2MP Point to MultiPoint P2P Point To Point PAP Password Authentication Protocol PCB Printed Circuit Board P...

Страница 694: ...o wires Q Return QACL QoS ACL QinQ 802 1Q in 802 1Q QoS Quality of Service QQIC Querier s Query Interval Code QRV Querier s Robustness Variable R Return RA Registration Authority RADIUS Remote Authent...

Страница 695: ...gnal Degrade SDH Synchronous Digital Hierarchy SETS Synchronous Equipment Timing Source SF Sampling Frequency SFM Source Filtered Multicast SFTP Secure FTP Share MDT Share Multicast Distribution Tree...

Страница 696: ...A Terminal Adapter TACACS Terminal Access Controller Access Control System TDM Time Division Multiplexing TCP Transmission Control Protocol TE Traffic Engineering TEDB TE DataBase TFTP Trivial File Tr...

Страница 697: ...Path Identifier VPLS Virtual Private Local Switch VPN Virtual Private Network VRID Virtual Router ID VRRP Virtual Router Redundancy Protocol VSI Virtual Switch Interface VT Virtual Tributary VTY Virtu...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды