H3C S5500-SI Series Скачать руководство пользователя

Страница: 671 / 1217

1-8

Configuring Port Security Features

Configuring NTK

The need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow

frames to be forwarded to only devices passing authentication. The NTK feature supports three modes:

ntkonly

: Forwards only frames destined for authenticated MAC addresses.

ntk-withbroadcasts

: Forwards only frames destined for authenticated MAC addresses or the

broadcast address.

ntk-withmulticasts

: Forwards only frames destined for authenticated MAC addresses, multicast

addresses, or the broadcast address.

By default, NTK is disabled on a port and the port forwards all frames. With NTK configured, a port will

discard any unicast packet with an unknown MAC address no matter in which mode it operates.

Follow these steps to configure the NTK feature:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enter interface view

interface

interface-type

interface-number

—

Configure the NTK feature

port-security ntk-mode

{

ntk-withbroadcasts

ntk-withmulticasts

ntkonly

}

Required

By default, NTK is disabled on
a port and all frames are
allowed to be sent.

Support for the NTK feature depends on the port security mode.

Configuring Intrusion Protection

The intrusion protection enables a device to perform either of the following security policies when it

detects illegal frames:

blockmac

: Adds the source MAC addresses of illegal frames to the blocked MAC addresses list

and discards frames with blocked source MAC addresses. A blocked MAC address is restored to

normal after being blocked for three minutes, which is fixed and cannot be changed.

disableport

: Disables the port permanently.

disableport-temporarily

: Disables the port for a specified period of time. Use the

port-security

timer disableport

command to set the period.

Follow these steps to configure the intrusion protection feature:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enter interface view

interface

interface-type

interface-number

—

Содержание S5500-SI Series

Страница 1: ...H3C S5500 SI Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co Ltd http www h3c com Manual Version 20090930 C 1 01 Product Version Release 2202...

Страница 2: ...G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective o...

Страница 3: ...ing Volume RIPng Route Policy Mulitcast Overview IGMP Snooping Multicast VLAN MLD Snooping 04 Multicast Volume IPv6 Multicast VLAN 05 QoS Volume QoS User Profile AAA 802 1X HABP MAC Authentication Por...

Страница 4: ...brackets and separated by vertical bars Many or none can be selected 1 n The argument s before the ampersand sign can be entered 1 to n times A line starting with the sign is comments GUI conventions...

Страница 5: ...ability Volume and System Volume commands Obtaining Documentation You can access the most up to date H3C product documentation on the World Wide Web at this URL http www h3c com The following are the...

Страница 6: ...3C Website 1 1 Software Release Notes 1 1 2 Product Features 2 1 Introduction to Product 2 1 Feature Lists 2 1 3 Features 3 1 Access Volume 3 1 IP Services Volume 3 3 IP Routing Volume 3 4 Multicast V...

Страница 7: ...ct to update on an irregular basis due to product version upgrade or some other reasons Therefore the contents in the CD ROM may not be the latest version For the latest software documentation go to t...

Страница 8: ...ature list Volume Features Ethernet Interface Link Aggregation Port Isolation MSTP LLDP VLAN GVRP QinQ 01 Access Volume BPDU Tunneling Port Mirroring IP Addressing ARP DHCP DNS IP Performance Optimiza...

Страница 9: ...iguration Device Management File System Management HTTP SNMP RMON MAC Address Table Management System Maintaining and Debugging Information Center PoE Hotfix NQA NTP Cluster Management Stack Managemen...

Страница 10: ...Enabling Loopback Detection on an Ethernet Interface z Configuring the MDI Mode for an Ethernet Interface z Testing the Cable on an Ethernet Interface z Configuring the Storm Constrain Function on an...

Страница 11: ...ARP Timers configuration QinQ As defined in IEEE802 1Q 12 bits are used to identify a VLAN ID so a device can support a maximum of 4094 VLANs The QinQ feature extends the VLAN space by allowing Ethern...

Страница 12: ...Name System DNS is a distributed database which provides the translation between domain name and the IP address This document describes z Configuring the DNS Client z Configuring the DNS Proxy IP Per...

Страница 13: ...rk applications This document describes z Static route configuration z Detecting Reachability of the Static Route s Nexthop RIP Routing Information Protocol RIP is a simple Interior Gateway Protocol I...

Страница 14: ...scovery Snooping MLD Snooping is an IPv6 multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups This document describes z Configuring Basic Functions...

Страница 15: ...tion MAC authentication provides a way for authenticating users based on ports and MAC addresses it requires no client software to be installed on the hosts This document describes z RADIUS Based MAC...

Страница 16: ...based on a series of preset matching criteria This document describes z ACL overview and ACL types z ACL configuration ARP Attack Protection Currently ARP attacks and viruses are threatening LAN secu...

Страница 17: ...P Authentication z Resetting DLDP State Ethernet OAM Ethernet OAM is a tool monitoring Layer 2 link status It helps network administrators manage their networks effectively This document describes z E...

Страница 18: ...t describes z Device management overview z Rebooting a device z Configuring the scheduled automatic execution function z Specifying a file for the next device boot z Upgrading Boot ROM z Configuring a...

Страница 19: ...rors This document describes z Maintenance and debugging overview z Maintenance and debugging configuration Information Center As the system information hub Information Center classifies and manages a...

Страница 20: ...P z Configuring Access Control Rights z Configuring NTP Authentication Cluster Management A cluster is a group of network devices Cluster management is to implement management of large numbers of dist...

Страница 21: ...Application Layer Gateway AM accounting management ANSI American National Standard Institute AP Access Point ARP Address Resolution Protocol AS Autonomous System ASBR Autonomous System Border Router...

Страница 22: ...and Telegraph Consultative Committee CE Customer Edge CFD Connectivity Fault Detection CFM Configuration File Management CHAP Challenge Handshake Authentication Protocol CIDR Classless Inter Domain R...

Страница 23: ...oint Priority DSP Digital Signal Processor DTE Data Terminal Equipment DU Downstream Unsolicited D V Distance Vector Routing Algorithm DVMRP Distance Vector Multicast Routing Protocol DWDM Dense Wavel...

Страница 24: ...ernet GR Graceful Restart GRE Generic Routing Encapsulation GTS Generic Traffic Shaping GVRP GARP VLAN Registration Protocol H Return HA High Availability HABP HW Authentication Bypass Protocol HDLC H...

Страница 25: ...IPSec IP Security IPTN IP Phone Telephony Network IPv6 Internet protocol version 6 IPX Internet Packet Exchange IS Intermediate System ISATAP Intra Site Automatic Tunnel Addressing Protocol ISDN Inte...

Страница 26: ...tate Advertisement LSAck Link State Acknowledgment LSDB Link State Database LSP Label Switch Path LSPAGENT Label Switched Path AGENT LSPDU Link State Protocol Data Unit LSPM Label Switch Path Manageme...

Страница 27: ...Instance MSTP Multiple Spanning Tree Protocol MT Multicast Tunnel MTBF Mean Time Between Failure MTI Multicast Tunnel Interface MTU Maximum Transmission Unit MVRF Multicast VPN Routing and Forwarding...

Страница 28: ...ier OL Optical Line OSI Open Systems Interconnection OSPF Open Shortest Path First P Return P2MP Point to MultiPoint P2P Point To Point PAP Password Authentication Protocol PCB Printed Circuit Board P...

Страница 29: ...o wires Q Return QACL QoS ACL QinQ 802 1Q in 802 1Q QoS Quality of Service QQIC Querier s Query Interval Code QRV Querier s Robustness Variable R Return RA Registration Authority RADIUS Remote Authent...

Страница 30: ...gnal Degrade SDH Synchronous Digital Hierarchy SETS Synchronous Equipment Timing Source SF Sampling Frequency SFM Source Filtered Multicast SFTP Secure FTP Share MDT Share Multicast Distribution Tree...

Страница 31: ...A Terminal Adapter TACACS Terminal Access Controller Access Control System TDM Time Division Multiplexing TCP Transmission Control Protocol TE Traffic Engineering TEDB TE DataBase TFTP Trivial File Tr...

Страница 32: ...Path Identifier VPLS Virtual Private Local Switch VPN Virtual Private Network VRID Virtual Router ID VRRP Virtual Router Redundancy Protocol VSI Virtual Switch Interface VT Virtual Tributary VTY Virtu...

Страница 33: ...abling Forwarding of Jumbo Frames z Enabling Loopback Detection on an Ethernet Interface z Configuring the MDI Mode for an Ethernet Interface z Testing the Cable on an Ethernet Interface z Configuring...

Страница 34: ...his document describes z GARP overview z GVRP configuration z GARP Timers configuration QinQ As defined in IEEE802 1Q 12 bits are used to identify a VLAN ID so a device can support a maximum of 4094 V...

Страница 35: ...an Ethernet Interface 1 4 Configuring Loopback Testing on an Ethernet Interface 1 4 Configuring a Port Group 1 5 Configuring Storm Suppression 1 5 Setting the Interval for Collecting Ethernet Interfa...

Страница 36: ...e of a Combo port To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Enable a specified Combo port undo shutdown Option...

Страница 37: ...thernet1 0 1 Interface for example Set the duplex mode duplex auto full half Optional auto by default The optical interface of an SFP port and the electrical interface of an Ethernet port whose port r...

Страница 38: ...n transmission rate To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure the auto negotiation transmission rate rang...

Страница 39: ...m view Enter Ethernet interface view interface interface type interface number Configure the up down suppression time of physical link state changes link delay delay time Required By default the physi...

Страница 40: ...Note that even though the settings are made on the port group they are saved on an interface basis rather than on a port group basis Thus you can only view the settings in the view of each interface w...

Страница 41: ...suppression ratio pps max pps Optional By default all broadcast traffic is allowed to pass through an interface that is broadcast traffic is not suppressed Set the multicast storm suppression ratio m...

Страница 42: ...tem view system view port group manual port group name In port group view jumboframe enable interface interface type interface number Enable the forwarding of jumbo frames In Ethernet interface view j...

Страница 43: ...configured in both system view and the interface view of the port z Loopback detection on all ports will be disabled after the configuration of the undo loopback detection enable command under system...

Страница 44: ...nterface mdi across auto normal Optional Defaults to auto That is the Ethernet interface determines the physical pin roles transmit or receive through negotiation Testing the Cable on an Ethernet Inte...

Страница 45: ...ffic z Shutting down the interface In this case the interface is shut down and stops forwarding all types of traffic Interfaces shut down by the storm constrain function can only be brought up by usin...

Страница 46: ...onstrain function is applicable to multicast packets and broadcast packets and you can specify the upper and lower threshold for any of the three types of packets Displaying and Maintaining an Etherne...

Страница 47: ...rt group manual all name port group name Available in any view Display the information about the loopback function display loopback detection Available in any view Display the information about storm...

Страница 48: ...nfiguring an Aggregate Interface 1 8 Configuring the Description of an Aggregate Interface 1 8 Enabling LinkUp LinkDown Trap Generation for an Aggregate Interface 1 8 Shutting Down an Aggregate Interf...

Страница 49: ...hese member ports can dynamically back up each other Basic Concepts of Link Aggregation Aggregate interface An aggregate interface is a logical Layer 2 or Layer 3 aggregate interface Aggregation group...

Страница 50: ...formation with the information received on other ports This allows the two systems to reach an agreement on which link aggregation member ports should be placed in the selected state 2 Extended LACP f...

Страница 51: ...s joined an isolation group QinQ QinQ enable state enable disable TPID values in VLAN tags outer VLAN tags to be added inner to outer VLAN priority mappings inner to outer VLAN tag mappings inner VLAN...

Страница 52: ...e selected ports become selected ports When the limit is exceeded set the candidate selected ports with smaller port numbers in the selected state and those with greater port numbers in the unselected...

Страница 53: ...em selects the candidate selected ports with smaller port IDs as the selected ports and set other candidate selected ports to unselected state At the same time the peer device being aware of the chang...

Страница 54: ...Enter system view system view Create a Layer 2 aggregate interface and enter the Layer 2 aggregate interface view interface bridge aggregation interface number Required When you create a Layer 2 aggre...

Страница 55: ...erface a Layer 2 static aggregation group numbered the same is created automatically Configure the aggregation group to work in dynamic aggregation mode link aggregation mode dynamic Required By defau...

Страница 56: ...onsider the situation when making configuration Configuring an Aggregate Interface You can perform the following configurations for an aggregate interface z Configuring the Description of an Aggregate...

Страница 57: ...in the corresponding aggregation group is re calculated Follow these steps to shut down an aggregate interface To do Use the command Remarks Enter system view system view Enter Layer 2 aggregate inte...

Страница 58: ...e load sharing mode for link aggregation groups in system view the switch supports configuring hash keys in the following modes z Use a source IP address a destination IP address a source MAC address...

Страница 59: ...e in any view Display link aggregation details of ports display link aggregation member port interface type interface number to interface type interface number Available in any view Display the summar...

Страница 60: ...et1 0 1 to GigabitEthernet1 0 3 Aggregate the ports on each device to form a static link aggregation group thus balancing outgoing traffic across the member ports In addition perform load sharing base...

Страница 61: ...on Configuration procedure 1 Configure Device A Configure the device to perform load sharing based on source and destination MAC addresses for link aggregation groups DeviceA system view DeviceA link...

Страница 62: ...1 Configure Device A Configure the global link aggregation load sharing mode as the source MAC based load sharing mode DeviceA system view DeviceA link aggregation load sharing mode source mac Create...

Страница 63: ...igabitethernet 1 0 3 DeviceA GigabitEthernet1 0 3 port link aggregation group 2 DeviceA GigabitEthernet1 0 3 quit DeviceA interface gigabitethernet 1 0 4 DeviceA GigabitEthernet1 0 4 port link aggrega...

Страница 64: ...olation Configuration 1 1 Introduction to Port Isolation 1 1 Configuring the Isolation Group 1 1 Assigning a Port to the Isolation Group 1 1 Displaying and Maintaining Isolation Groups 1 2 Port Isolat...

Страница 65: ...d between a port inside an isolation group and a port outside the isolation group but not between ports inside the isolation group Configuring the Isolation Group Assigning a Port to the Isolation Gro...

Страница 66: ...hat Host A Host B and Host C cannot communicate with one another at Layer 2 but can access the Internet Figure 1 1 Networking diagram for port isolation configuration Configuration procedure Add ports...

Страница 67: ...1 3 Uplink port support NO Group ID 1 Group members GigabitEthernet1 0 1 GigabitEthernet1 0 2 GigabitEthernet1 0 3...

Страница 68: ...of a Device 1 19 Configuring the Maximum Hops of an MST Region 1 20 Configuring the Network Diameter of a Switched Network 1 20 Configuring Timers of MSTP 1 21 Configuring the Timeout Factor 1 22 Conf...

Страница 69: ...ops at the data link layer in a local area network LAN Devices running this protocol detect loops in the network by exchanging information with one another and eliminate loops by selectively blocking...

Страница 70: ...port The root bridge has no root port Designated bridge and designated port The following table describes designated bridges and designated ports Table 1 1 Description of designated bridges and design...

Страница 71: ...spanning tree calculation Important fields in a configuration BPDU include z Root bridge ID consisting of the priority and MAC address of the root bridge z Root path cost the cost of the path to the...

Страница 72: ...iority than that of the configuration BPDU generated by the port the device discards the received configuration BPDU and does not process the configuration BPDU of this port z If the received configur...

Страница 73: ...device z The designated port ID is replaced with the ID of this port 3 The device compares the calculated configuration BPDU with the configuration BPDU on the port of which the port role is to be def...

Страница 74: ...port after comparison Device A z Port AP1 receives the configuration BPDU of Device B 1 0 1 BP1 Device A finds that the configuration BPDU of the local port 0 0 0 AP1 is superior to the received confi...

Страница 75: ...ort BP1 0 0 0 AP1 Designated port BP2 0 5 1 BP2 z Port CP1 receives the configuration BPDU of Device A 0 0 0 AP2 Device C finds that the received configuration BPDU is superior to the configuration BP...

Страница 76: ...ning tree with Device A as the root bridge is established as shown in Figure 1 3 Figure 1 3 The final calculated spanning tree AP1 AP2 Device A With priority 0 Device B With priority 1 Device C With p...

Страница 77: ...e transition in STP the newly elected root ports or designated ports require twice the forward delay time before transiting to the forwarding state to ensure that the new configuration BPDU has propag...

Страница 78: ...gs of STP and RSTP In addition to the support for rapid network convergence it allows data flows of different VLANs to be forwarded along separate paths thus providing a better load sharing mechanism...

Страница 79: ...tree region MST region consists of multiple devices in a switched network and the network segments among them These devices have the following characteristics z All are MSTP enabled z They have the sa...

Страница 80: ...constitute the CIST of the entire network MSTI Multiple spanning trees can be generated in an MST region through MSTP one spanning tree being independent of another Each spanning tree is referred to a...

Страница 81: ...ate port The standby port for a root port or master port When the root port or master port is blocked the alternate port becomes the new root port or master port z Backup port The backup port of a des...

Страница 82: ...are calculated each being called an MSTI Among these MSTIs MSTI 0 is the IST while all the others are MSTIs Similar to STP MSTP uses configuration BPDUs to calculate spanning trees The only difference...

Страница 83: ...List Before configuring MSTP you need to know the role of each device in each MSTI root bridge or leave node In each MSTI one and only one device acts as the root bridge while all others as leaf nodes...

Страница 84: ...nce mapping table For the detailed information of GVRP refer to GVRP Configuration of the Access Volume z MSTP is mutually exclusive with any of the following functions on a port service loopback RRPP...

Страница 85: ...rations of currently activated MST regions display stp region configuration The display command can be executed in any view z Two or more MSTP enabled devices belong to the same MST region only if the...

Страница 86: ...r if you specify a new primary root bridge for the instance then the secondary root bridge will not become the root bridge If you have specified multiple secondary root bridges for an instance when th...

Страница 87: ...e device send out MSTP BPDUs If the device detects that it is connected with a legacy STP device the port connecting with the legacy STP device will automatically migrate to STP compatible mode Make t...

Страница 88: ...panning tree calculation and thereby the size of the MST region is confined Make this configuration on the root bridge only All the devices other than the root bridge in the MST region use the maximum...

Страница 89: ...the peer occur in a synchronized manner z Hello time is the time interval at which a device sends configuration BPDUs to the surrounding devices to ensure that the paths are fault free If a device fa...

Страница 90: ...l to timely launch spanning tree calculations thus reducing the auto sensing capability of the network We recommend that you use the default setting The settings of hello time forward delay and max ag...

Страница 91: ...mit Required 10 by default The higher the maximum port rate is the more BPDUs will be sent within each hello time and the more system resources will be used By setting an appropriate maximum port rate...

Страница 92: ...flows to be forwarded along different physical links thus achieving VLAN based load balancing The device can automatically calculate the default path cost alternatively you can also configure the pat...

Страница 93: ...66 500 2 1 1 1 When calculating path cost for an aggregate interface 802 1d 1998 does not take into account the number of member ports in its aggregation group as 802 1t does The calculation formula o...

Страница 94: ...elected as the root port of a device If all other conditions are the same the port with the highest priority will be elected as the root port On an MSTP enabled device a port can have different priori...

Страница 95: ...ew system view Enter Ethernet interface view or Layer 2 aggregate interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manu...

Страница 96: ...cy Required auto by default z MSTP provides the MSTP packet format incompatibility guard function In MSTP mode if a port is configured to recognize send MSTP packets in a mode other than auto and rece...

Страница 97: ...port group manual port group name Required Use either command Enable the MSTP feature for the ports stp enable Optional By default MSTP is enabled for all ports after it is enabled for the device glo...

Страница 98: ...RSTP or MSTP mode Configuring Digest Snooping As defined in IEEE 802 1s interconnected devices are in the same region only when the MST region related configurations domain name revision level VLAN to...

Страница 99: ...led by default z With the Digest Snooping feature enabled comparison of configuration digest is not needed for in the same region check so the VLAN to instance mappings must be the same on associated...

Страница 100: ...oping on Device B DeviceB system view DeviceB interface gigabitethernet 1 0 1 DeviceB GigabitEthernet1 0 1 stp config digest snooping DeviceB GigabitEthernet1 0 1 quit DeviceB stp config digest snoopi...

Страница 101: ...P and does not work in RSTP mode the root port on the downstream device receives no agreement packet from the upstream device and thus sends no agreement packets to the upstream device As a result the...

Страница 102: ...ice that has different MSTP implementation Both devices are in the same region z Device B is the regional root bridge and Device A is the downstream device Figure 1 9 No Agreement Check configuration...

Страница 103: ...by default BPDU guard does not take effect on loopback test enabled ports For information about loopback test refer to Ethernet Port Configuration in the Access Volume Enabling Root guard The root bri...

Страница 104: ...work The loop guard function can suppress the occurrence of such loops If a loop guard enabled port fails to receive BPDUs from the upstream device and if the port takes part in STP calculation all th...

Страница 105: ...U Dropping In a STP enabled network some users may send BPDU packets to the switch continuously in order to destroy the network When a switch receives the BPDU packets it will forward them to other sw...

Страница 106: ...taken effect display stp region configuration Available in any view View the root bridge information of all MSTIs display stp root Available in any view Clear the statistics information of MSTP reset...

Страница 107: ...MSTI 1 MSTI 3 and MSTI 4 respectively and configure the revision level of the MST region as 0 DeviceA system view DeviceA stp region configuration DeviceA mst region region name example DeviceA mst re...

Страница 108: ...w DeviceC stp region configuration DeviceC mst region region name example DeviceC mst region instance 1 vlan 10 DeviceC mst region instance 3 vlan 30 DeviceC mst region instance 4 vlan 40 DeviceC mst...

Страница 109: ...TID Port Role STP State Protection 0 GigabitEthernet1 0 1 DESI FORWARDING NONE 0 GigabitEthernet1 0 2 DESI FORWARDING NONE 0 GigabitEthernet1 0 3 DESI FORWARDING NONE 1 GigabitEthernet1 0 2 DESI FORWA...

Страница 110: ...0 2 ALTE DISCARDING NONE 4 GigabitEthernet1 0 3 ROOT FORWARDING NONE Based on the above information you can draw the MSTI corresponding to each VLAN as shown in Figure 1 11 Figure 1 11 MSTIs correspon...

Страница 111: ...ation Delay 1 8 Enabling LLDP Polling 1 8 Configuring the TLVs to Be Advertised 1 8 Configuring the Management Address and Its Encoding Format 1 9 Setting Other LLDP Parameters 1 9 Setting an Encapsul...

Страница 112: ...in IEEE 802 1AB The protocol operates on the data link layer to exchange device information between directly connected devices With LLDP a device sends local device information including its major fun...

Страница 113: ...ng bridge is used Type The Ethernet type for the upper layer protocol It is 0x88CC for LLDP Data LLDP data unit LLDPDU FCS Frame check sequence a 32 bit CRC value used to determine the validity of the...

Страница 114: ...nformation field in octets and the value field contains the information itself LLDPDU TLVs fall into these categories basic management TLVs organizationally IEEE 802 1 and IEEE 802 3 specific TLVs and...

Страница 115: ...ently H3C devices support receiving but not sending protocol identity TLVs 3 IEEE 802 3 organizationally specific TLVs Table 1 5 IEEE 802 3 organizationally specific TLVs Type Description MAC PHY Conf...

Страница 116: ...set ID The typical case is that the user specifies the asset ID for the endpoint to facilitate directory management and asset tracking Location Identification Allows a network device to advertise the...

Страница 117: ...resumes Receiving LLDP frames An LLDP enabled port operating in TxRx mode or Rx mode checks the TLVs carried in every LLDP frame it receives for validity violation If valid the information is saved an...

Страница 118: ...ort group manual port group name Required Use either command Enable LLDP lldp enable Optional By default LLDP is enabled on a port Setting LLDP Operating Mode LLDP can operate in one of the following...

Страница 119: ...ce view or port group view Enter port group view port group manual port group name Required Use either command Enable LLDP polling and set the polling interval lldp check change interval interval Requ...

Страница 120: ...s tlv ip address Optional By default the management address is sent through LLDPDUs and the management address is the main IP address of the lowest ID VLAN carried on the interface If the VLAN is not...

Страница 121: ...ming LLDP frame only when it is Ethernet II encapsulated z With SNAP encapsulation configured an LLDP port sends LLDPDUs in SNAP frames and processes an incoming LLDP frame only when it is SNAP encaps...

Страница 122: ...the voice VLAN configuration TLV for the IP phones to configure the voice VLAN automatically Thus the voice traffic is confined in the configured voice VLAN to be differentiated from other types of t...

Страница 123: ...ing LLDP Trapping LLDP trapping is used to notify the network management system NMS of events such as new neighboring devices detected and link malfunctions To prevent excessive LLDP traps from being...

Страница 124: ...ailable in any view Display types of advertisable optional LLDP TLVs display lldp tlv config interface interface type interface number Available in any view LLDP Configuration Examples Basic LLDP Conf...

Страница 125: ...ernet1 0 1 lldp enable SwitchB GigabitEthernet1 0 1 lldp admin status tx SwitchB GigabitEthernet1 0 1 quit 3 Verify the configuration Display the global LLDP status and port LLDP status on Switch A Sw...

Страница 126: ...A display lldp status Global status of LLDP Enable The current number of LLDP neighbors 1 The current number of CDP neighbors 0 LLDP neighbor information last changed time 0 days 0 hours 5 minutes 20...

Страница 127: ...view SwitchA vlan 2 SwitchA vlan2 quit Set the link type of GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 to trunk and enable voice VLAN on them SwitchA interface gigabitethernet 1 0 1 SwitchA Gigab...

Страница 128: ...e neighbor information on Switch A SwitchA display lldp neighbor information CDP neighbor information of port 1 GigabitEthernet1 0 1 CDP neighbor index 1 Chassis ID SEP00141CBCDBFE Port ID Port 1 Sofr...

Страница 129: ...figuration 1 14 Introduction 1 14 Configuring an IP Subnet Based VLAN 1 14 Displaying and Maintaining VLAN 1 15 VLAN Configuration Example 1 16 2 Isolate User VLAN Configuration 2 1 Overview 2 1 Confi...

Страница 130: ...and excessive broadcasts cannot be avoided on an Ethernet To address the issue virtual LAN VLAN was introduced The idea is to break a LAN down into separate VLANs that is Layer 2 broadcast domains whe...

Страница 131: ...802 1Q inserts a four byte VLAN tag after the DA SA field as shown in Figure 1 3 Figure 1 3 The position and format of VLAN tag A VLAN tag comprises four fields tag protocol identifier TPID priority...

Страница 132: ...t the same time When determining to which VLAN a packet passing through the port should be assigned the device looks up the VLANs in the default order of MAC based VLANs IP based VLANs protocol based...

Страница 133: ...n create one VLAN interface You can assign the VLAN interface an IP address and specify it as the gateway of the VLAN to forward traffic destined for an IP network segment different from that of the V...

Страница 134: ...hybrid port can carry multiple VLANs to receive and send traffic for them Unlike a trunk port a hybrid port allows traffic of all VLANs to pass through VLAN untagged You can configure a port connecte...

Страница 135: ...t removing the tag if its VLAN is carried on the port but is different from the default one Hybrid Check whether the default VLAN is permitted on the port z If yes tag the frame with the default VLAN...

Страница 136: ...ations apply to the Layer 2 aggregate interface and all its member ports Configure the link type of the port or ports as access port link type access Optional The link type of a port is access by defa...

Страница 137: ...rt s port trunk pvid vlan vlan id Optional VLAN 1 is the default VLAN by default z To change the link type of a port from trunk to hybrid or vice versa you must set the link type to access first z The...

Страница 138: ...s through untagged Configure the default VLAN of the hybrid port port hybrid pvid vlan vlan id Optional VLAN 1 is the default by default z To change the link type of a port from trunk to hybrid or vic...

Страница 139: ...ANs to make the forwarding decision z When receiving a tagged frame the receiving port forwards the frame if it is assigned to the corresponding VLAN or drops the frame if it is not In this case port...

Страница 140: ...lan id priority priority Required Enter Ethernet interface view interface interface type interface number Enter Ethernet interface view or port group view Enter port group view port group manual port...

Страница 141: ...ckets of a port based VLAN z If the port permits the VLAN ID of the packet to pass through the port forwards the packet z If the port does not permit the VLAN ID of the packet to pass through the port...

Страница 142: ...of the matching packets will be the same as that of the ipx llc or ipx raw packets respectively z When you use the mode keyword to configure a user defined protocol template do not set etype id in eth...

Страница 143: ...be a multicast network segment or a multicast address Return to system view quit Enter Ethernet interface view interface interface type interface number Enter Layer 2 aggregate interface view interfac...

Страница 144: ...address mac address mask mac mask static vlan vlan id Available in any view Display all interfaces with MAC based VLAN enabled display mac vlan interface Available in any view Display protocol inform...

Страница 145: ...a trunk port and configure its default VLAN ID as 100 DeviceA GigabitEthernet1 0 1 port link type trunk DeviceA GigabitEthernet1 0 1 port trunk pvid vlan 100 Configure GigabitEthernet 1 0 1 to deny th...

Страница 146: ...c at 2000 04 26 12 01 40 Peak value of output 0 bytes sec at 2000 04 26 12 01 40 Last 300 seconds input 0 packets sec 0 bytes sec Last 300 seconds output 0 packets sec 0 bytes sec Input total 0 packet...

Страница 147: ...of only the isolate user VLAN but not the secondary VLANs network configuration is simplified and VLAN resources are saved z You can isolate the Layer 2 traffic of different users by assigning the por...

Страница 148: ...least one port takes the isolate user VLAN as its default VLAN Hybrid port Refer to Assigning a Hybrid Port to a VLAN Use either approach Return to system view quit Create secondary VLANs vlan vlan id...

Страница 149: ...to VLAN 3 z Configure VLAN 6 on Device C as an isolate user VLAN assign the uplink port GigabitEthernet 1 0 5 to VLAN 6 and associate VLAN 6 with secondary VLANs VLAN 3 and VLAN 4 Assign GigabitEther...

Страница 150: ...n4 port gigabitethernet 1 0 4 Associate the isolate user VLAN with the secondary VLANs DeviceC vlan4 quit DeviceC isolate user vlan 6 secondary 3 to 4 Verification Display the isolate user VLAN config...

Страница 151: ...gigabitethernet 1 0 5 VLAN ID 3 VLAN Type static Isolate user VLAN type secondary Route Interface not configured Description VLAN 0003 Name VLAN 0003 Tagged Ports none Untagged Ports gigabitethernet 1...

Страница 152: ...OUI Addresses A device determines whether a received packet is a voice packet by checking its source MAC address A packet whose source MAC address complies with the voice device Organizationally Uniqu...

Страница 153: ...from the voice VLAN if no packet is received from the port after the aging time expires Assigning removing ports to from a voice VLAN are automatically performed by the system z In manual mode you sh...

Страница 154: ...rt untagged If an IP phone sends tagged voice traffic and its connecting port is configured with 802 1X authentication and guest VLAN you should assign different VLAN IDs for the voice VLAN the defaul...

Страница 155: ...e that you cannot configure VLAN 1 the system default VLAN as a voice VLAN Setting a Port to Operate in Automatic Voice VLAN Assignment Mode Follow these steps to set a port to operate in automatic vo...

Страница 156: ...UI address voice vlan mac address oui mask oui mask description text Optional By default each voice VLAN has default OUI addresses configured Refer to Table 3 1 for the default OUI addresses of differ...

Страница 157: ...y system display voice vlan oui Available in any view Voice VLAN Configuration Examples Automatic Voice VLAN Mode Configuration Example Network requirements As shown in Figure 3 1 z The MAC address of...

Страница 158: ...ure the allowed OUI addresses as MAC addresses prefixed by 0011 1100 0000 or 0011 2200 0000 In this way Device A identifies packets whose MAC addresses match any of the configured OUI addresses as voi...

Страница 159: ...ay voice vlan state Maximum of Voice VLANs 16 Current Voice VLANs 2 Voice VLAN security mode Security Voice VLAN aging time 30 minutes Voice VLAN enabled port and its mode PORT VLAN MODE GigabitEthern...

Страница 160: ...net 1 0 1 to permit the voice traffic of VLAN 2 to pass through untagged DeviceA GigabitEthernet1 0 1 port hybrid pvid vlan 2 DeviceA GigabitEthernet1 0 1 port hybrid vlan 2 untagged Enable voice VLAN...

Страница 161: ...3 10 GigabitEthernet1 0 1 2 MANUAL...

Страница 162: ...rotocols and Standards 1 4 GVRP Configuration Task List 1 4 Configuring GVRP Functions 1 4 Configuring GARP Timers 1 5 Displaying and Maintaining GVRP 1 6 GVRP Configuration Examples 1 7 GVRP Configur...

Страница 163: ...t is regarded as a GARP participant GARP messages and timers 1 GARP messages A GARP application entity exchanges information with other GARP application entities by z Sending Join messages to register...

Страница 164: ...imer starts again z The settings of GARP timers apply to all GARP applications such as GVRP on a LAN z On a GARP enabled network a device may send LeaveAll messages at the interval set by its LeaveAll...

Страница 165: ...te Consists of an Attribute Length an Attribute Event and an Attribute Value Attribute Length Number of octets occupied by an attribute inclusive of the attribute length field 2 to 255 in bytes Attrib...

Страница 166: ...namically register and deregister VLANs and to propagate VLAN information except information about VLAN 1 A trunk port with forbidden registration type thus allows only VLAN 1 to pass through even tho...

Страница 167: ...remote probe VLAN to unexpected ports resulting in undesired duplicates to be received by the monitor port For more information about port mirroring refer to Port Mirroring Configuration in the Access...

Страница 168: ...r a timer you may change the value range by tuning the value of another related timer z If you want to restore the default settings of the timers restore the Hold timer first and then the Join Leave a...

Страница 169: ...nfiguration Examples GVRP Configuration Example I Network requirements Configure GVRP for dynamic VLAN information registration and update among devices adopting the normal registration mode on ports...

Страница 170: ...c Now the following dynamic VLAN exist s 2 GVRP Configuration Example II Network requirements Configure GVRP for dynamic VLAN information registration and update among devices Specify fixed GVRP regis...

Страница 171: ...a static VLAN Sysname vlan 3 3 Verify the configuration Display dynamic VLAN information on Device A DeviceA display vlan dynamic No dynamic vlans exist Display dynamic VLAN information on Device B De...

Страница 172: ...P globally DeviceB system view DeviceB gvrp Configure port GigabitEthernet 1 0 1 as a trunk port allowing all VLANs to pass through DeviceB interface gigabitethernet 1 0 1 DeviceB GigabitEthernet1 0 1...

Страница 173: ...3 Modifying the TPID in a VLAN Tag 1 3 QinQ Configuration Task List 1 5 Configuring Basic QinQ 1 5 Enabling Basic QinQ 1 5 Configuring Selective QinQ 1 5 Configuring an Outer VLAN Tagging Policy 1 5...

Страница 174: ...an support a maximum of 4094 VLANs In actual applications however a large number of VLANs are required to isolate users especially in metropolitan area networks MANs and 4094 VLANs are far from satisf...

Страница 175: ...ider network it is tagged with outer VLAN 4 In this way there is no overlap of VLAN IDs among customers and traffic from different customers does not become mixed By tagging tagged frames QinQ expands...

Страница 176: ...t the port tags it with the port s default VLAN tag regardless of whether the frame is tagged or untagged If the received frame is already tagged it becomes a double tagged frame if it is untagged it...

Страница 177: ...ID of the outer VLAN tag of QinQ frames to different values For compatibility with these systems you can modify the TPID value so that the QinQ frames when sent to the public network carry the TPID va...

Страница 178: ...nQ on a reflector port For information about reflector ports refer to Port Mirroring Configuration in the Access Volume Configuring Basic QinQ Enabling Basic QinQ Follow these steps to enable basic Qi...

Страница 179: ...AN raw vlan id inbound all vlan list Required z An inner VLAN tag corresponds to only one outer VLAN tag z If you want to change an outer VLAN tag you must delete the old outer VLAN tag configuration...

Страница 180: ...Figure 1 4 Network diagram for VLAN transparent transmission configuration Configuration procedure Make sure that the devices in the service provider network have been configured to allow QinQ packets...

Страница 181: ...gigabitethernet 1 0 1 ProviderB GigabitEthernet1 0 1 port access vlan 50 Enable basic QinQ on GigabitEthernet 1 0 1 ProviderB GigabitEthernet1 0 1 qinq enable ProviderB GigabitEthernet1 0 1 quit z Co...

Страница 182: ...configuration to achieve the following z VLAN 10 frames of Customer A and Customer B can be forwarded to each other across SVLAN 1000 z VLAN 20 frames of Customer A and Customer C can be forwarded to...

Страница 183: ...igabitEthernet1 0 2 qinq vid 1000 ProviderA GigabitEthernet1 0 2 vid 1000 raw vlan id inbound 10 ProviderA GigabitEthernet1 0 2 vid 1000 quit ProviderA GigabitEthernet1 0 2 quit z Configure GigabitEth...

Страница 184: ...w vlan id inbound 20 Set the TPID value in the outer tag to 0x8200 ProviderA GigabitEthernet1 0 3 quit ProviderA qinq ethernet type 8200 3 Configuration on third party devices Configure the third part...

Страница 185: ...ling Implementation 1 2 Configuring BPDU Tunneling 1 4 Configuration Prerequisites 1 4 Enabling BPDU Tunneling 1 4 Configuring Destination Multicast MAC Address for BPDUs 1 5 BPDU Tunneling Configurat...

Страница 186: ...ich belong to VLAN 100 User A s network is divided into network 1 and network 2 which are connected by the service provider network When Layer 2 protocol packets cannot be transparently transmitted in...

Страница 187: ...Tunneling Implementation The BPDU tunneling implementations for different protocols are all similar This section describes how BPDU tunneling is implemented by taking the Spanning Tree Protocol STP a...

Страница 188: ...e edge devices PE 1 and PE 2 in the service provider network allows BPDUs of the customer network to be transparently transmitted in the service provider network thus ensuring consistent spanning tree...

Страница 189: ...disable the protocol on the port first Because PVST is a special STP protocol before enabling BPDU tunneling for PVST on a port you need to disable STP and then enable BPDU tunneling for STP on the p...

Страница 190: ...steps to configure destination multicast MAC address for BPDUs To do Use the command Remarks Enter system view system view Configure the destination multicast MAC address for BPDUs bpdu tunnel tunnel...

Страница 191: ...vlan2 quit PE1 interface gigabitethernet 1 0 1 PE1 GigabitEthernet1 0 1 port access vlan 2 Disable STP on GigabitEthernet1 0 1 and then enable BPDU tunneling for STP on it PE1 GigabitEthernet1 0 1 und...

Страница 192: ...1 4 Network diagram for configuring BPDU tunneling for PVST Configuration procedure 1 Configuration on PE 1 Configure the destination multicast MAC address for BPDUs as 0x0100 0CCD CDD0 PE1 system vie...

Страница 193: ...unk PE2 GigabitEthernet1 0 2 port trunk permit vlan all Disable STP on GigabitEthernet1 0 2 and then enable BPDU tunneling for STP and PVST on it PE2 GigabitEthernet1 0 2 undo stp enable PE2 GigabitEt...

Страница 194: ...nfiguring Remote Port Mirroring 1 4 Configuration Prerequisites 1 4 Configuring a Remote Source Mirroring Group on the Source Device 1 4 Configuring a Remote Destination Mirroring Group on the Destina...

Страница 195: ...e mirroring port or ports and the monitor port can be located on the same device or different devices Currently remote port mirroring can be implemented only at Layer 2 As a monitor port can monitor m...

Страница 196: ...urce device is the device where the mirroring ports are located On it you must create a remote source mirroring group to hold the mirroring ports The source device copies the packets passing through t...

Страница 197: ...ing local port mirroring is to configure local mirroring groups A local mirroring group comprises one or multiple mirroring ports and one monitor port These ports must not have been assigned to any ot...

Страница 198: ...s enabled GVRP may register the remote probe VLAN to unexpected ports resulting in undesired duplicates For information on GVRP refer to GVRP Configuration in the Access Volume Configuration Prerequis...

Страница 199: ...tor egress monitor egress port id interface interface type interface number mirroring group groupid monitor egress Configure the egress port In interface view quit Required Use either approach Configu...

Страница 200: ...d remote destination Required Configure the remote probe VLAN mirroring group groupid remote probe vlan rprobe vlan id Required In system view mirroring group groupid monitor port monitor port id inte...

Страница 201: ...uration Examples Local Port Mirroring Configuration Example Network requirements The departments of a company connect to each other through Ethernet switches z Research and Development R D department...

Страница 202: ...the port mirroring groups SwitchC display mirroring group all mirroring group 1 type local status active mirroring port GigabitEthernet1 0 1 both GigabitEthernet1 0 2 both monitor port GigabitEtherne...

Страница 203: ...nation mirroring group on Switch C Configure VLAN 2 as the remote port mirroring VLAN and port GigabitEthernet 1 0 2 to which the data monitoring device is connected as the destination port Figure 1 4...

Страница 204: ...port GigabitEthernet 1 0 1 as a trunk port and configure the port to permit the packets of VLAN 2 SwitchC system view SwitchC interface GigabitEthernet 1 0 1 SwitchC GigabitEthernet1 0 1 port link typ...

Страница 205: ...er model in which the client sends a configuration request and then the server returns a reply to send configuration parameters such as an IP address to the client This document describes z DHCP relay...

Страница 206: ...sic IPv6 functions configuration z IPv6 NDP configuration z PMTU discovery configuration z IPv6 TCP properties configuration z ICMPv6 packet sending configuration z IPv6 DNS Client configuration Dual...

Страница 207: ...Addressing Overview 1 1 IP Address Classes 1 1 Special IP Addresses 1 2 Subnetting and Masking 1 2 Configuring IP Addresses 1 3 Assigning an IP Address to an Interface 1 3 IP Addressing Configuration...

Страница 208: ...xample is 01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1...

Страница 209: ...es the host with a host ID of 16 on the local network z IP address with an all zero host ID Identifies a network z IP address with an all one host ID Identifies a directed broadcast address For exampl...

Страница 210: ...IP address to the VLAN interface you may configure the VLAN interface to obtain one through BOOTP or DHCP as alternatives If you change the way an interface obtains an IP address from manual assignmen...

Страница 211: ...ts on the two network segments to communicate with the external network through the switch and the hosts on the LAN can communicate with each other do the following z Assign two IP addresses to VLAN i...

Страница 212: ...es 56 Sequence 1 ttl 255 time 25 ms Reply from 172 16 2 2 bytes 56 Sequence 2 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 3 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 4...

Страница 213: ...ARP Entry Check 1 5 ARP Configuration Example 1 5 Configuring Gratuitous ARP 1 6 Introduction to Gratuitous ARP 1 6 Configuring Gratuitous ARP 1 6 Displaying and Maintaining ARP 1 6 2 Proxy ARP Config...

Страница 214: ...datagrams must be encapsulated within Ethernet frames before they can be transmitted over physical networks the sending host or device also needs to know the physical address of the destination host o...

Страница 215: ...A buffers the packet and broadcasts an ARP request in which the sender IP address and the sender MAC address are the IP address and the MAC address of Host A respectively and the target IP address an...

Страница 216: ...IP to MAC mapping specified in the static ARP entry Thus communications between the protected device and the specified device are ensured Static ARP entries can be classified into permanent or non per...

Страница 217: ...e argument must belong to that VLAN A VLAN interface must be created for the VLAN Configuring the Maximum Number of ARP Entries for an Interface Follow these steps to set the maximum number of dynamic...

Страница 218: ...able the ARP entry check arp check enable Optional By default the device is disabled from learning multicast MAC addresses ARP Configuration Example Network requirements z Enable the ARP entry check z...

Страница 219: ...RP Follow these steps to configure gratuitous ARP To do Use the command Remarks Enter system view system view Enable the device to send gratuitous ARP packets when receiving ARP requests from another...

Страница 220: ...1 7 Clearing ARP entries from the ARP table may cause communication failures...

Страница 221: ...ork Proxy ARP involves common proxy ARP and local proxy ARP which are described in the following sections The term proxy ARP in the following sections of this chapter refers to common proxy ARP unless...

Страница 222: ...hosts Figure 2 2 Application environment of local proxy ARP VLAN 2 Vlan int2 192 168 10 100 16 Switch B GE1 0 3 GE1 0 1 GE1 0 2 Host A 192 168 10 99 16 Host B 192 168 10 200 16 VLAN 2 port isolate gr...

Страница 223: ...Proxy ARP Configuration Examples Proxy ARP Configuration Example Network requirements Host A and Host D have the same IP prefix and mask Host A belongs to VLAN 1 Host D belongs to VLAN 2 Configure pr...

Страница 224: ...d Host B Figure 2 4 Network diagram for local proxy ARP between isolated ports Switch A Switch B GE1 0 2 GE1 0 3 GE1 0 1 Host A 192 168 10 99 24 Host B 192 168 10 200 24 GE1 0 2 VLAN 2 Vlan int2 192 1...

Страница 225: ...ser vlan which includes uplink port GigabitEthernet 1 0 1 and two secondary VLANs VLAN 2 and VLAN 3 GigabitEthernet 1 0 2 belongs to VLAN 2 and GigabitEthernet 1 0 3 belongs to VLAN 3 z Configure loca...

Страница 226: ...d GigabitEthernet 1 0 1 to it SwitchA system view SwitchA vlan 5 SwitchA vlan5 port gigabitethernet 1 0 1 SwitchA vlan5 interface vlan interface 5 SwitchA Vlan interface5 ip address 192 168 10 100 255...

Страница 227: ...2 4 Configuring the DHCP Relay Agent Security Functions 2 5 Configuring the DHCP Relay Agent to Send a DHCP Release Request 2 7 Configuring the DHCP Relay Agent to Support Option 82 2 7 Displaying an...

Страница 228: ...4 7 DHCP Snooping Option 82 Support Configuration Example 4 8 5 BOOTP Client Configuration 5 1 Introduction to BOOTP Client 5 1 BOOTP Application 5 1 Obtaining an IP Address Dynamically 5 2 Protocols...

Страница 229: ...on hosts become more complex The Dynamic Host Configuration Protocol DHCP was introduced to solve these problems DHCP is built on a client server model in which a client sends a configuration request...

Страница 230: ...server via four steps 1 The client broadcasts a DHCP DISCOVER message to locate a DHCP server 2 A DHCP server offers configuration parameters including an IP address to the client in a DHCP OFFER mes...

Страница 231: ...ast to extend the lease duration Upon availability of the IP address the DHCP server returns a DHCP ACK unicast confirming that the client s lease duration has been extended or a DHCP NAK unicast deny...

Страница 232: ...rmat as the Bootstrap Protocol BOOTP message for compatibility but differs from it in the option field which identifies new features for DHCP DHCP uses the option field in DHCP messages to carry contr...

Страница 233: ...guration Server ACS parameters including the ACS URL username and password z Service provider identifier acquired by the customer premises equipment CPE from the DHCP server and sent to the ACS for se...

Страница 234: ...te the DHCP client to further implement security control and accounting The Option 82 supporting server can also use such information to define individual assignment policies of IP address and other p...

Страница 235: ...interface that received the client s request Its format is shown in Figure 1 10 Figure 1 10 Sub option 1 in verbose padding format In Figure 1 10 except that the VLAN ID field has a fixed length of 2...

Страница 236: ...r not z Sub option 4 Failover route that specifies the destination IP address and the called number SIP users use such IP addresses and numbers to communicate with each other that a SIP user uses to r...

Страница 237: ...ported only on VLAN interfaces Introduction to DHCP Relay Agent Application Environment Since DHCP clients request IP addresses via broadcast messages the DHCP server and clients must be on the same s...

Страница 238: ...P address and forwards the message to the designated DHCP server in unicast mode 2 Based on the giaddr field the DHCP server returns an IP address and other configuration parameters to the relay agent...

Страница 239: ...Option 82 padded in normal format verbose Forward the message after adding the Option 82 padded in verbose format no Option 82 user defined Forward the message after adding the user defined Option 82...

Страница 240: ...an IP address via the DHCP relay agent the address pool of the subnet to which the IP address of the DHCP relay agent belongs must be configured on the DHCP server Otherwise the DHCP client cannot obt...

Страница 241: ...mand Configuring the DHCP Relay Agent Security Functions Creating static bindings and enable IP address check The DHCP relay agent can dynamically record clients IP to MAC bindings after clients get I...

Страница 242: ...a specified interval The DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay interface to periodically send a DHCP REQUEST message to the DHCP server z If the server...

Страница 243: ...After you configure this task the DHCP relay agent actively sends a DHCP RELEASE request that contains the client s IP address to be released Upon receiving the DHCP RELEASE request the DHCP server th...

Страница 244: ...on user defined Option 82 Configure the code type for the remote ID sub option dhcp relay information remote id format type ascii hex Optional By default the code type is hex This code type configurat...

Страница 245: ...ings display dhcp relay security tracker Display information about the configuration of a specified or all DHCP server groups display dhcp relay server group group id all Display packet statistics on...

Страница 246: ...requirements z As shown in Figure 2 3 Enable Option 82 on the DHCP relay agent Switch A z Configure the handling strategy for DHCP requests containing Option 82 as replace z Configure the padding cont...

Страница 247: ...DHCP Relay Agent Configuration Symptom DHCP clients cannot obtain any configuration parameters via the DHCP relay agent Analysis Some problems may occur with the DHCP relay agent or server configurat...

Страница 248: ...recommended to enable both the DHCP client and the DHCP snooping on the same device Otherwise DHCP snooping entries may fail to be generated or the DHCP client may fail to obtain an IP address Introd...

Страница 249: ...UP again by first executing the shutdown command and then the undo shutdown command or the DHCP client is enabled on the interface by executing the undo ip address dhcp alloc and ip address dhcp allo...

Страница 250: ...3 3 SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address dhcp alloc...

Страница 251: ...ng can implement the following 1 Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers 2 Recording IP to MAC mappings of DHCP clients Ensuring DHCP clients to obtain IP addresses f...

Страница 252: ...ng through For details refer to IP Source Guard Configuration in the Security Volume Application Environment of Trusted Ports Configuring a trusted port connected to a DHCP server Figure 4 1 Configure...

Страница 253: ...Option 82 records the location information of the DHCP client The administrator can locate the DHCP client to further implement security control and accounting For more information refer to Relay agen...

Страница 254: ...the message after adding the Option 82 padded in normal format verbose Forward the message after adding the Option 82 padded in verbose format no Option 82 user defined Forward the message after addi...

Страница 255: ...yer 2 Ethernet interface to an aggregation group z Configuring both the DHCP snooping and selective QinQ function on the switch is not recommended because it may result in malfunctioning of DHCP snoop...

Страница 256: ...ooping information vlan vlan id circuit id string circuit id Optional By default the padding content depends on the padding format of Option 82 Configure user defined Option 82 Configure the padding c...

Страница 257: ...cket statistics Available in user view DHCP Snooping Configuration Examples DHCP Snooping Configuration Example Network requirements z As shown in Figure 4 3 Switch B is connected to a DHCP server thr...

Страница 258: ...ernet 1 0 1 as trusted SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 dhcp snooping trust SwitchB GigabitEthernet1 0 1 quit Configure GigabitEthernet 1 0 2 to support Option 82 S...

Страница 259: ...Introduction to BOOTP Client This section covers these topics z BOOTP Application z Obtaining an IP Address Dynamically z Protocols and Standards BOOTP Application After you specify an interface of a...

Страница 260: ...the BOOTP client The BOOTP server then returns a BOOTP response to the BOOTP client 3 The BOOTP client obtains the IP address from the received response Protocols and Standards Some protocols and stan...

Страница 261: ...the LAN VLAN interface 1 obtains an IP address from the DHCP server by using BOOTP Figure 5 1 Network diagram for BOOTP WINS server 10 1 1 4 25 Client Switch B Client DNS server 10 1 1 2 25 DHCP serv...

Страница 262: ...onfiguring Static Domain Name Resolution 1 4 Configuring Dynamic Domain Name Resolution 1 4 Configuring the DNS Proxy 1 5 Displaying and Maintaining DNS 1 5 DNS Configuration Examples 1 5 Static Domai...

Страница 263: ...checks the local static name resolution table for an IP address If no IP address is available it contacts the DNS server for dynamic name resolution which takes more time than static name resolution T...

Страница 264: ...s valid and the DNS client gets the aging information from DNS messages DNS suffixes The DNS client normally holds a list of suffixes which can be defined by users It is used when the name to be resol...

Страница 265: ...the DNS proxy instead of on each DNS client Figure 1 2 DNS proxy networking application Operation of a DNS proxy 1 A DNS client considers the DNS proxy as the DNS server and sends a DNS request to the...

Страница 266: ...us one if there is any You may create up to 50 static mappings between domain names and IP addresses Configuring Dynamic Domain Name Resolution Follow these steps to configure dynamic domain name reso...

Страница 267: ...able in any view Clear the information of the dynamic domain name cache reset dns dynamic host Available in user view DNS Configuration Examples Static Domain Name Resolution Configuration Example Net...

Страница 268: ...is com The mapping between domain name Host and IP address 3 1 1 1 16 is stored in the com domain z Switch serves as a DNS client and uses the dynamic domain name resolution and the suffix to access...

Страница 269: ...uctions to create a new zone named com Figure 1 5 Create a zone Create a mapping between the host name and IP address Figure 1 6 Add a host In Figure 1 6 right click zone com and then select New Host...

Страница 270: ...st is normal and that the corresponding destination IP address is 3 1 1 1 Sysname ping host Trying DNS resolve press CTRL_C to break Trying DNS server 2 1 1 2 PING host com 3 1 1 1 56 data bytes press...

Страница 271: ...r and the host are reachable to each other and the IP addresses of the interfaces are configured as shown in Figure 1 8 1 Configure the DNS server This configuration may vary with different DNS server...

Страница 272: ...ttl 126 time 1 ms Reply from 3 1 1 1 bytes 56 Sequence 5 ttl 126 time 1 ms host com ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 1 3 ms Trouble...

Страница 273: ...Directly Connected Network 1 1 Enabling Reception of Directed Broadcasts to a Directly Connected Network 1 1 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network 1 2 Configurati...

Страница 274: ...pecific network In the destination IP address of a directed broadcast the network ID is a network ID identifies the target network and the host ID is all one If a device is allowed to forward directed...

Страница 275: ...and executed last time does not include the acl acl number the ACL configured previously will be removed Configuration Example Network requirements As shown in Figure 1 1 the host s interface and VLAN...

Страница 276: ...configured include z synwait timer When sending a SYN packet TCP starts the synwait timer If no response packet is received within the synwait timer interval the TCP connection cannot be created z fin...

Страница 277: ...o find out the best route 2 Sending ICMP timeout packets If the device received an IP packet with a timeout error it drops the packet and sends an ICMP timeout packet to the source The device will sen...

Страница 278: ...it to send ICMP error packets its performance will be reduced z As the redirection function increases the routing table size of a host the host s performance will be reduced if its routing table becom...

Страница 279: ...Display socket information display ip socket socktype sock type task id socket id Display FIB information display fib begin include exclude regular expression acl acl number ip prefix ip prefix name D...

Страница 280: ...ntents 1 UDP Helper Configuration 1 1 Introduction to UDP Helper 1 1 Configuring UDP Helper 1 1 Displaying and Maintaining UDP Helper 1 2 UDP Helper Configuration Examples 1 2 UDP Helper Configuration...

Страница 281: ...relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified destination server With UDP Helper enabled the device decides whether to forward a received UDP br...

Страница 282: ...ion of all UDP ports is removed if you disable UDP Helper z You can configure up to 256 UDP port numbers to enable the forwarding of packets with these UDP port numbers z You can configure up to 20 de...

Страница 283: ...0 16 is available Enable UDP Helper SwitchA system view SwitchA udp helper enable Enable the forwarding broadcast packets with the UDP destination port 55 SwitchA udp helper port 55 Specify the destin...

Страница 284: ...to RA Messages 1 12 Configuring the Maximum Number of Attempts to Send an NS Message for DAD 1 15 Configuring PMTU Discovery 1 15 Configuring a Static PMTU for a Specified IPv6 Address 1 15 Configurin...

Страница 285: ...w Internet Protocol Version 6 IPv6 also called IP next generation IPng was designed by the Internet Engineering Task Force IETF as the successor to Internet Protocol Version 4 IPv4 The significant dif...

Страница 286: ...ateful and stateless address configuration z Stateful address configuration means that a host acquires an IPv6 address and related information from a server for example a DHCP server z Stateless addre...

Страница 287: ...an be represented in a shorter format as 2001 0 130F 0 0 9C0 876A 130B z If an IPv6 address contains two or more consecutive groups of zeros they can be replaced by a double colon For example the abov...

Страница 288: ...ddresses including aggregatable global unicast address link local address and site local address z The aggregatable global unicast addresses equivalent to public IPv4 addresses are provided for networ...

Страница 289: ...0 0 1 FF is permanent and consists of 104 bits and XX XXXX is the last 24 bits of an IPv6 unicast or anycast address Interface identifier in IEEE EUI 64 format An interface identifier is used to iden...

Страница 290: ...ed to respond to an RS message Router advertisement RA message 134 With the RA message suppression disabled the router regularly sends an RA message containing information such as prefix information o...

Страница 291: ...on The DAD procedure is as follows 1 Node A sends an NS message whose source address is the unassigned address and destination address is the corresponding solicited node multicast address of the IPv6...

Страница 292: ...he source host so that the host can select a better next hop to forward packets similar to the ICMP redirection function in IPv4 The gateway sends an IPv6 ICMP redirect message when the following cond...

Страница 293: ...resses but also AAAA records IPv6 addresses The DNS server can convert domain names into IPv4 addresses or IPv6 addresses In this way the DNS server implements the functions of both IPv6 DNS and IPv4...

Страница 294: ...Pv6 site local addresses or aggregatable global unicast addresses are configured manually IPv6 link local addresses can be configured in either of the following ways z Automatic generation The device...

Страница 295: ...t adopt manual assignment and then automatic generation the automatically generated link local address will not take effect and the link local address of an interface is still the manually assigned on...

Страница 296: ...quire the link layer address of a neighbor node through NS and NA messages and add it into the neighbor table Too large a neighbor table may reduce the forwarding performance of the device You can res...

Страница 297: ...hosts use the stateless autoconfiguration to acquire information other than IPv6 addresses Router lifetime This field is used to set the lifetime of the router that sends RA messages to serve as the d...

Страница 298: ...s is used as the prefix information Set the M flag bit to 1 ipv6 nd autoconfig managed address flag Optional By default the M flag bit is set to 0 that is hosts acquire IPv6 addresses through stateles...

Страница 299: ...uring a Static PMTU for a Specified IPv6 Address You can configure a static PMTU for a specified destination IPv6 address When a source host sends a packet through an interface it compares the interfa...

Страница 300: ...et the finwait timer tcp ipv6 timer fin timeout wait time Optional 675 seconds by default Set the synwait timer tcp ipv6 timer syn timeout wait time Optional 75 seconds by default Set the size of the...

Страница 301: ...system view system view Enable sending of multicast echo replies ipv6 icmpv6 multicast echo reply enable Not enabled by default Enabling Sending of ICMPv6 Time Exceeded Packets A device sends an ICMPv...

Страница 302: ...r for resolution The system can support at most six DNS servers You can configure a DNS suffix so that you only need to enter part of a domain name and the system can automatically add the preset suff...

Страница 303: ...ace interface type interface number vlan vlan id count Display the PMTU information of an IPv6 address display ipv6 pathmtu ipv6 address all dynamic static Display socket information display ipv6 sock...

Страница 304: ...is 3001 2 64 and a route to Host is available z IPv6 is enabled for Host to automatically get an IPv6 address through IPv6 NDP and a route to Switch B is available Figure 1 6 Network diagram for IPv6...

Страница 305: ...001 15B E0EA 3524 E791 0015 e9a6 7d14 1 GE1 0 2 STALE D 1248 The above information shows that the IPv6 aggregatable global unicast address that Host obtained is 2001 15B E0EA 3524 E791 Verification Di...

Страница 306: ...80 20F E2FF FE00 1C0 Global unicast address es 2001 1 subnet is 2001 64 Joined group address es FF02 1 FF00 0 FF02 1 FF00 1 FF02 1 FF00 1C0 FF02 2 FF02 1 MTU is 1500 bytes ND DAD is enabled number of...

Страница 307: ...rface2 current state UP Line protocol current state UP IPv6 is enabled link local address is FE80 20F E2FF FE00 1234 Global unicast address es 3001 2 subnet is 3001 64 Joined group address es FF02 1 F...

Страница 308: ...tchB Vlan interface2 ping ipv6 c 1 3001 1 PING 3001 1 56 data bytes press CTRL_C to break Reply from 3001 1 bytes 56 Sequence 1 hop limit 64 time 2 ms 3001 1 ping statistics 1 packet s transmitted 1 p...

Страница 309: ...mand in any view or the display this command in system view to verify that IPv6 is enabled z Use the display ipv6 interface command in any view to verify that the IPv6 address of the interface is corr...

Страница 310: ...i Table of Contents 1 Dual Stack Configuration 1 1 Dual Stack Overview 1 1 Configuring Dual Stack 1 1...

Страница 311: ...be selected at the transport layer while IPv6 stack is preferred at the network layer Figure 1 1 illustrates the IPv4 IPv6 dual stack in relation to the IPv4 stack Figure 1 1 IPv4 IPv6 dual stack in r...

Страница 312: ...n interface Automatically create an IPv6 link local address ipv6 address auto link local Configure an IPv6 address on the interface Configure an IPv6 link local address Manually specify an IPv6 link l...

Страница 313: ...Overview 1 1 Introduction to sFlow 1 1 Operation of sFlow 1 1 Configuring sFlow 1 2 Displaying and Maintaining sFlow 1 2 sFlow Configuration Example 1 3 Troubleshooting sFlow Configuration 1 4 The Rem...

Страница 314: ...ckets and displays the results sFlow has the following two sampling mechanisms z Packet based sampling An sFlow enabled port samples one packet out of a configurable number of packets passing through...

Страница 315: ...rts sflow interval interval time Optional 20 seconds by default Enter Ethernet port view interface interface type interface number Specify the sFlow version sflow version 4 5 Optional 5 by default Ena...

Страница 316: ...esults Network diagram Figure 1 1 Network diagram for sFlow configuration Configuration procedure Configure an IP address for the sFlow agent Switch system view Switch sflow agent ip 3 3 3 1 Specify t...

Страница 317: ...the sFlow collector specified on the sFlow agent is different from that of the remote sFlow collector z No IP address is configured for the Layer 3 interface on the device or the IP address is config...

Страница 318: ...y used in small sized networks This document describes z RIP basic functions configuration z RIP advanced functions configuration z RIP network optimization configuration IPv6 Static Routing Static ro...

Страница 319: ...verview 1 1 IP Routing and Routing Table 1 1 Routing 1 1 Routing Table 1 1 Routing Protocol Overview 1 3 Static Routing and Dynamic Routing 1 3 Routing Protocols and Routing Priority 1 3 Displaying an...

Страница 320: ...xt router or the directly connected destination Routes in a routing table can be divided into three categories by origin z Direct routes Routes discovered by data link protocols also known as interfac...

Страница 321: ...is not directly connected to the router To prevent the routing table from getting too large you can configure a default route All packets without matching any entry in the routing table will be forwa...

Страница 322: ...niquely determine the current optimal route to the destination For the purpose of route selection each routing protocol including static routes is assigned a priority The route found by the routing pr...

Страница 323: ...outing table Available in any view Display verbose IPv6 routing table information display ipv6 routing table verbose Available in any view Display routing information for a specified destination IPv6...

Страница 324: ...c Routing 1 2 Configuring a Static Route 1 2 Configuration Prerequisites 1 2 Configuration Procedure 1 3 Detecting Reachability of the Static Route s Nexthop 1 3 Detecting Nexthop Reachability Through...

Страница 325: ...pological change occurs in the network the routes will be unreachable and the network breaks In this case the network administrator has to modify the static routes manually Default Route If the destin...

Страница 326: ...sion For a NULL0 or loopback interface if the output interface has already been configured there is no need to configure the next hop address In fact all the route entries must have a next hop address...

Страница 327: ...n flexibly control static routes by configuring tag values and using the tag values in the routing policy z If the destination IP address and mask are both configured as 0 0 0 0 with the ip route stat...

Страница 328: ...an existing static route simply associate the static route with a track entry For a non existent static route configure it and associate it with a Track entry z If a static route needs route recursio...

Страница 329: ...h A SwitchA system view SwitchA ip route static 0 0 0 0 0 0 0 0 1 1 4 2 Configure two static routes on Switch B SwitchB system view SwitchB ip route static 1 1 2 0 255 255 255 0 1 1 4 1 SwitchB ip rou...

Страница 330: ...1 5 5 Vlan600 1 1 5 5 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 1 1 6 0 24 Direct 0 0 192 168 1 47 Vlan100 1 1 6 1 32 Direct 0...

Страница 331: ...1 7 1 1 ms 1 ms 1 ms 1 1 6 1 2 1 ms 1 ms 1 ms 1 1 4 1 3 1 ms 1 ms 1 ms 1 1 2 2 Trace complete...

Страница 332: ...Priority for RIP 1 10 Configuring RIP Route Redistribution 1 11 Configuring RIP Network Optimization 1 11 Configuring RIP Timers 1 11 Configuring Split Horizon and Poison Reverse 1 12 Enabling Zero Fi...

Страница 333: ...f RIP Introduction RIP is a distance vector routing protocol using UDP packets for exchanging information through port 520 RIP uses a hop count to measure the distance to a destination The hop count f...

Страница 334: ...will be deleted from the routing table Routing loops prevention RIP is a distance vector D V routing protocol Since a RIP router advertises its own routing table to neighbors routing loops may occur...

Страница 335: ...roadcast and multicast Multicast is the default type using 224 0 0 9 as the multicast address The interface working in the RIPv2 broadcast mode can also receive RIPv1 messages RIP Message Format A RIP...

Страница 336: ...ndicates that the originator of the route is the best next hop otherwise it indicates a next hop better than the originator of the route RIPv2 authentication RIPv2 sets the AFI field of the first rout...

Страница 337: ...z RFC 1722 RIP Version 2 Protocol Applicability Statement z RFC 1724 RIP Version 2 MIB Extension z RFC 2082 RIPv2 MD5 Authentication z RFC2453 RIP Version 2 Configuring RIP Basic Functions Configurat...

Страница 338: ...ew interface interface type interface number Enable the interface to receive RIP messages rip input Optional Enabled by default Enable the interface to send RIP messages rip output Optional Enabled by...

Страница 339: ...figuring RIPv2 Route Summarization z Disabling Host Route Reception z Advertising a Default Route z Configuring Inbound Outbound Route Filtering z Configuring a Priority for RIP z Configuring RIP Rout...

Страница 340: ...n You can disable RIPv2 route automatic summarization if you want to advertise all subnet routes Follow these steps to enable RIPv2 route automatic summarization To do Use the command Remarks Enter sy...

Страница 341: ...can configure RIP to advertise a default route with a specified metric to RIP neighbors z In RIP view you can configure all the interfaces of the RIP process to advertise a default route in interface...

Страница 342: ...id Configure the filtering of incoming routes filter policy acl number gateway ip prefix name ip prefix ip prefix name gateway ip prefix name import interface type interface number Required Not config...

Страница 343: ...oute is 0 by default Redistribute routes from another protocol import route protocol process id all processes cost cost route policy route policy name tag tag Required No redistribution is configured...

Страница 344: ...unction takes effect The split horizon and poison reverse functions can avoid routing loops Enabling split horizon The split horizon function disables an interface from sending routes received from th...

Страница 345: ...RIPv1 messages To do Use the command Remarks Enter system view system view Enter RIP view rip process id Enable zero field check on received RIPv1 messages checkzero Optional Enabled by default Enabli...

Страница 346: ...ring key id rfc2453 key string simple password Required This task does not apply to RIPv1 because RIPv1 does not support authentication Although you can specify authentication modes for RIPv1 in inter...

Страница 347: ...formation in RIP packets to RIP neighbors Sending large numbers of RIP packets at the same time may affect device performance and consume large network bandwidth To solve this problem you can specify...

Страница 348: ...figure an IP address for each interface only the IP address configuration for the VLAN interfaces is given in the following examples Configure Switch A SwitchA system view SwitchA interface vlan inter...

Страница 349: ...uses a natural mask 3 On Switch A and Switch B specify the RIP version as RIPv2 and disable RIPv2 route automatic summarization to advertise all subnet routes Configure RIPv2 on Switch A SwitchA rip...

Страница 350: ...for 12 3 1 0 24 and 16 4 1 0 24 z Configure a filtering policy on Switch B to filter out the route 10 2 1 1 24 from RIP 100 making the route not advertised to Switch C Figure 1 5 Network diagram for R...

Страница 351: ...0 127 0 0 1 InLoop0 3 Configure route redistribution On Switch B configure RIP 200 to redistribute direct routes and routes from RIP 100 SwitchB rip 200 SwitchB rip 200 import route rip 100 SwitchB r...

Страница 352: ...InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 Configuring an Additional Metric for a RIP Interface Network requirements As shown in the following figure z RIP is enabled on all the interfaces of S...

Страница 353: ...n 2 SwitchE rip 1 undo summary Display the IP routing table of Switch A SwitchA display rip 1 database 1 0 0 0 8 cost 0 ClassfulSumm 1 1 1 0 24 cost 0 nexthop 1 1 1 1 Rip interface 1 1 2 0 24 cost 0 n...

Страница 354: ...dling RIP messages If the peer is configured to send multicast messages the same should be configured on the local end Solution z Use the display current configuration command to check RIP configurati...

Страница 355: ...Static Routing 1 1 Features of IPv6 Static Routes 1 1 Default IPv6 Route 1 1 Configuring an IPv6 Static Route 1 1 Configuration prerequisites 1 1 Configuring an IPv6 Static Route 1 2 Displaying and M...

Страница 356: ...n unavailable routes requiring the network administrator to manually configure and modify the static routes Features of IPv6 Static Routes Similar to IPv4 static routes IPv6 static routes work well in...

Страница 357: ...ing and Maintaining IPv6 Static Routes To do Use the command Remarks Display IPv6 static route information display ipv6 routing table protocol static inactive verbose Available in any view Remove all...

Страница 358: ...re the default gateway of Host A as 1 1 that of Host B as 2 1 and that of Host C as 3 1 4 Display configuration information Display the IPv6 routing table of SwitchA SwitchA display ipv6 routing table...

Страница 359: ...254 time 62 ms Reply from 3 1 bytes 56 Sequence 3 hop limit 254 time 62 ms Reply from 3 1 bytes 56 Sequence 4 hop limit 254 time 63 ms Reply from 3 1 bytes 56 Sequence 5 hop limit 254 time 63 ms 3 1 p...

Страница 360: ...Configuring an Additional Routing Metric 1 4 Configuring RIPng Route Summarization 1 5 Advertising a Default Route 1 5 Configuring a RIPng Route Filtering Policy 1 6 Configuring a Priority for RIPng...

Страница 361: ...ext hop 128 bit IPv6 address z Source address RIPng uses FE80 10 as the link local source address RIPng Working Mechanism RIPng is a routing protocol based on the distance vector D V algorithm RIPng u...

Страница 362: ...iguration in the IP Routing Volume RIPng Packet Format Basic format A RIPng packet consists of a header and multiple route table entries RTEs The maximum number of RTEs in a packet depends on the IPv6...

Страница 363: ...ested routing information to the requesting router in the response packet Response packet The response packet containing the local routing table information is generated as z A response to a request z...

Страница 364: ...a Default Route z Configuring a RIPng Route Filtering Policy z Configuring a Priority for RIPng z Configuring RIPng Route Redistribution Before the configuration accomplish the following tasks first...

Страница 365: ...Summarization Follow these steps to configure RIPng route summarization To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Adver...

Страница 366: ...ting information Configuring a Priority for RIPng Any routing protocol has its own protocol priority used for optimal route selection You can set a priority for RIPng manually The smaller the value is...

Страница 367: ...d Remarks Enter system view system view Enter RIPng view ripng process id Configure RIPng timers timers garbage collect garbage collect value suppress suppress value timeout timeout value update updat...

Страница 368: ...hese steps to configure poison reverse To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enable the poison reverse function rip...

Страница 369: ...rements As shown in Figure 1 4 all switches run RIPng Configure Switch B to filter the route 3 64 learnt from Switch C which means the route will not be added to the routing table of Switch B and Swit...

Страница 370: ...enable SwitchC Vlan interface600 quit Display the routing table of Switch B SwitchB display ripng 1 route Route Flags A Aging S Suppressed G Garbage collect Peer FE80 20F E2FF FE23 82F5 on Vlan interf...

Страница 371: ...witchB display ripng 1 route Route Flags A Aging S Suppressed G Garbage collect Peer FE80 20F E2FF FE23 82F5 on Vlan interface100 Dest 1 64 via FE80 20F E2FF FE23 82F5 cost 1 tag 0 A 2 Sec Dest 2 64 v...

Страница 372: ...a Route Policy 1 4 Prerequisites 1 4 Creating a Route Policy 1 4 Defining if match Clauses 1 5 Defining apply Clauses 1 6 Displaying and Maintaining the Route Policy 1 7 Route Policy Configuration Exa...

Страница 373: ...6 route policy Introduction to Route Policy Route Policy A route policy is used on a router for route filtering and attributes modification when routes are received advertised or redistributed To conf...

Страница 374: ...matched first Once a node is matched the route policy is passed and the packet will not go to the next node A route policy node comprises a set of if match and apply clauses The if match clauses defin...

Страница 375: ...other IPv4 routing information to pass For example the following configuration filters routes 10 1 0 0 16 10 2 0 0 16 and 10 3 0 0 16 but allows other routes to pass Sysname system view Sysname ip ip...

Страница 376: ...f a route policy can be configured by referencing filters above mentioned A route policy can comprise multiple nodes and each route policy node contains z if match clauses Define the match criteria th...

Страница 377: ...fine if match clauses for a route policy node To do Use the command Remarks Enter system view system view Enter route policy node view route policy route policy name permit deny node node number Requi...

Страница 378: ...Enter system view system view Enter route policy node view route policy route policy name permit deny node node number Required Not created by default for IPv4 routes apply ip address next hop ip add...

Страница 379: ...ate with each other at the network layer through RIPv2 Switch A has static routes to networks 20 0 0 0 8 30 0 0 0 8 and 40 0 0 0 8 Switch B needs to access these networks through Switch A while Switch...

Страница 380: ...outing table of Switch B and verify the configuration SwitchB display rip 1 route Route Flags R RIP T TRIP P Permanent A Aging S Suppressed G Garbage collect Peer 192 168 1 3 on Vlan interface100 Dest...

Страница 381: ...n interface100 quit Configure three static routes SwitchA ipv6 route static 20 32 11 2 SwitchA ipv6 route static 30 32 11 2 SwitchA ipv6 route static 40 32 11 2 Configure a route policy SwitchA ip ipv...

Страница 382: ...col runs normally Analysis At least one item of the IP prefix list should be configured as permit mode and at least one node in the Route policy should be configured as permit mode Solution 1 Use the...

Страница 383: ...oping Policy Multicast VLAN The multicast VLAN feature configured on the Layer 2 device can saves the network bandwidth and lessens the burden of the Layer 3 device This document describes z Configuri...

Страница 384: ...f Information Transmission Techniques 1 1 Features of Multicast 1 4 Common Notations in Multicast 1 5 Advantages and Applications of Multicast 1 5 Multicast Models 1 5 Multicast Architecture 1 6 Multi...

Страница 385: ...ltipoint data transmission over a network multicast greatly saves network bandwidth and reduces network load With the multicast technology a network operator can easily provide new value added service...

Страница 386: ...over the network is proportional to the number of hosts that need the information If a large number of users need the information the information source needs to send a copy of the same information t...

Страница 387: ...ficant waste of network resources Multicast As discussed above unicast and broadcast techniques are unable to provide point to multipoint data transmissions with the minimum network consumption Multic...

Страница 388: ...f Multicast Multicast has the following features z A multicast group is a multicast receiver set identified by an IP multicast address Hosts join a multicast group to become members of the multicast g...

Страница 389: ...G represents a specific multicast group z S G Indicates a shortest path tree SPT or a multicast packet that multicast source S sends to multicast group G Here S represents a specific multicast source...

Страница 390: ...locations of the multicast sources by some other means In addition the SSM model uses a multicast address range that is different from that of the ASM SFM model and dedicated multicast forwarding path...

Страница 391: ...TTL value in the IP header 224 0 1 0 to 238 255 255 255 Globally scoped group addresses This block includes two types of designated group addresses z 232 0 0 0 8 SSM group addresses and z 233 0 0 0 8...

Страница 392: ...ticast address are as follows z 0xFF The most significant 8 bits are 11111111 indicating that this address is an IPv6 multicast address Figure 1 5 Format of the Flags field z Flags Referring to Figure...

Страница 393: ...the scope defined by the Scope field Ethernet multicast MAC addresses When a unicast IP packet is transmitted over Ethernet the destination MAC address is the MAC address of the receiver When a multic...

Страница 394: ...ple of IPv6 to MAC address mapping Multicast Protocols z Generally we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multi...

Страница 395: ...iver multicast data to receivers Among a variety of mature intra domain multicast routing protocols protocol independent multicast PIM is a popular one Based on the forwarding mechanism PIM comes in t...

Страница 396: ...on the Layer 2 device This avoids waste of network bandwidth and extra burden on the Layer 3 device Multicast Packet Forwarding Mechanism In a multicast model a multicast source sends information to t...

Страница 397: ...11 Enabling IGMP Snooping Querier 1 11 Configuring IGMP Queries and Responses 1 12 Configuring Source IP Address of IGMP Queries 1 13 Configuring an IGMP Snooping Policy 1 13 Configuration Prerequisi...

Страница 398: ...and multicast MAC addresses and forwards multicast data based on these mappings As shown in Figure 1 1 when IGMP Snooping is not running on the switch multicast packets are broadcast to all devices at...

Страница 399: ...e DR or IGMP querier In the figure GigabitEthernet 1 0 1 of Switch A and GigabitEthernet 1 0 1 of Switch B are router ports The switch registers all its local router ports in its router port list z Me...

Страница 400: ...age out How IGMP Snooping Works A switch running IGMP Snooping performs different actions when it receives different IGMP messages as follows The description about adding or deleting a port in this s...

Страница 401: ...tening to the reported multicast address will suppress their own reports upon receiving this report and this will prevent the switch from knowing whether the reported multicast group still has active...

Страница 402: ...st of the forwarding table entry for that multicast group when the aging timer expires Protocols and Standards IGMP Snooping is documented in z RFC 4541 Considerations for Internet Group Management Pr...

Страница 403: ...ate port view or port group view z For IGMP Snooping configurations made on a Layer 2 aggregate port do not interfere with configurations made on its member ports nor do they take part in aggregation...

Страница 404: ...e version of IGMP Snooping igmp snooping version version number Optional Version 2 by default If you switch IGMP Snooping from version 3 to version 2 the system will clear all IGMP Snooping forwarding...

Страница 405: ...ging time interval Optional 105 seconds by default Configure dynamic member port aging time host aging time interval Optional 260 seconds by default Configuring aging timers for dynamic ports in a VLA...

Страница 406: ...ber ports and static router ports never age out To remove such a port you need to use the corresponding undo command Configuring Simulated Joining Generally a host running IGMP responds to IGMP querie...

Страница 407: ...n IGMP leave message on a port the switch immediately removes that port from the outgoing port list of the forwarding table entry for the indicated group Then when receiving IGMP group specific querie...

Страница 408: ...rce address of IGMP group specific queries Enabling IGMP Snooping Querier In an IP multicast network running IGMP a multicast router or Layer 3 multicast switch is responsible for sending IGMP general...

Страница 409: ...by reports simultaneously sent by a large number of hosts when the corresponding timers expire simultaneously z For IGMP general queries you can configure the maximum response time to fill their Max...

Страница 410: ...nd cause multicast traffic forwarding failure in the end When a Layer 2 device acts as an IGMP Snooping querier to avoid the aforesaid problem you are commended to configure a non all zero IP address...

Страница 411: ...re a multicast group filter globally To do Use the command Remarks Enter system view system view Enter IGMP Snooping view igmp snooping Configure a multicast group filter group policy acl number vlan...

Страница 412: ...se either approach Enable multicast source port filtering igmp snooping source deny Required Disabled by default S5500 SI series switches when enabled to filter IPv4 multicast data based on the source...

Страница 413: ...d over the network Follow these steps to configure IGMP report suppression To do Use the command Remarks Enter system view system view Enter IGMP Snooping view igmp snooping Enable IGMP report suppres...

Страница 414: ...dition in some specific applications a multicast group newly joined on the switch needs to replace an existing multicast group automatically A typical example is channel switching namely by joining a...

Страница 415: ...the multicast group replacement functionality will not take effect Displaying and Maintaining IGMP Snooping To do Use the command Remarks View IGMP Snooping multicast group information display igmp s...

Страница 416: ...can be forwarded through GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 of Switch A even if Host A and Host B accidentally temporarily stop receiving multicast data Network diagram Figure 1 3 Networ...

Страница 417: ...chA acl basic 2001 quit SwitchA igmp snooping SwitchA igmp snooping group policy 2001 vlan 100 SwitchA igmp snooping quit Configure GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 as simulated hosts f...

Страница 418: ...itEthernet 1 0 5 on Switch C are required to be configured as static member ports for multicast group 224 1 1 1 to enhance the reliability of multicast traffic transmission z Suppose STP runs on the n...

Страница 419: ...M DM on each interface and enable IGMP on GigabitEthernet 1 0 1 RouterA system view RouterA multicast routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 igmp enable Ro...

Страница 420: ...tEthernet 1 0 1 through GigabitEthernet 1 0 5 to this VLAN and enable IGMP Snooping in the VLAN SwitchC vlan 100 SwitchC vlan100 port gigabitethernet 1 0 1 to gigabitethernet 1 0 5 SwitchC vlan100 igm...

Страница 421: ...100 on Switch C SwitchC display igmp snooping group vlan 100 verbose Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real...

Страница 422: ...nown multicast data packets z Because a switch does not enlist a port that has heard an IGMP query with a source IP address of 0 0 0 0 default as a dynamic router port configure a non all zero IP addr...

Страница 423: ...mp snooping enable SwitchB vlan100 igmp snooping drop unknown SwitchB vlan100 quit Configurations on Switch C and Switch D are similar to the configuration on Switch B 3 Verify the configuration After...

Страница 424: ...to join specific multicast groups the hosts can still receive multicast data addressed to other multicast groups Analysis z The ACL rule is incorrectly configured z The multicast group policy is not...

Страница 425: ...Prerequisites 1 3 Configuring Sub VLAN Based Multicast VLAN 1 3 Configuring Port Based Multicast VLAN 1 4 Configuration Prerequisites 1 4 Configuring User Port Attributes 1 4 Configuring Multicast VLA...

Страница 426: ...ayer 2 device Switch A This results in not only waste of network bandwidth but also extra burden on the Layer 3 device Figure 1 1 Multicast transmission without multicast VLAN The multicast VLAN featu...

Страница 427: ...t A Host B and Host C are in three different user VLANs All the user ports ports with attached hosts on Switch A are hybrid ports On Switch A configure VLAN 10 as a multicast VLAN assign all the user...

Страница 428: ...n is given preference Configuring Sub VLAN Based Multicast VLAN Configuration Prerequisites Before configuring sub VLAN based multicast VLAN complete the following tasks z Create VLANs as required z E...

Страница 429: ...e port view are effective only for the current port configurations made in port group view are effective for all the ports in the current port group Configuration Prerequisites Before configuring port...

Страница 430: ...packets of VLAN 1 to pass For details about the port link type port hybrid pvid vlan and port hybrid vlan commands refer to VLAN Commands in the Access Volume Configuring Multicast VLAN Ports In this...

Страница 431: ...A port can belong to only one multicast VLAN Displaying and Maintaining Multicast VLAN To do Use the command Remarks Display information about a multicast VLAN display multicast vlan vlan id Availabl...

Страница 432: ...sses Configure an IP address and subnet mask for each interface as per Figure 1 4 The detailed configuration steps are omitted here 2 Configure Router A Enable IP multicast routing enable PIM DM on ea...

Страница 433: ...nfiguration Display information about the multicast VLAN SwitchA display multicast vlan Total 1 multicast vlan s Multicast vlan 10 subvlan list vlan 2 4 port list no port View the IGMP Snooping multic...

Страница 434: ...match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 1 port GE1 0 4 D MAC group s MAC group address 0100 5e01 0101 Host port s total 1 port GE1 0 4 Vlan id 10 Total 1...

Страница 435: ...port based multicast VLAN feature so that Router A just sends multicast data to Switch A through the multicast VLAN and Switch A forwards the multicast data to the receivers that belong to different...

Страница 436: ...1 0 2 to permit packets of VLAN 2 and VLAN 10 to pass and untag the packets when forwarding them SwitchA interface gigabitethernet 1 0 2 SwitchA GigabitEthernet1 0 2 port link type hybrid SwitchA Gig...

Страница 437: ...rt C Copy port Subvlan flags R Real VLAN C Copy VLAN Vlan id 10 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s matc...

Страница 438: ...iguration Prerequisites 1 11 Enabling MLD Snooping Querier 1 11 Configuring MLD Queries and Responses 1 12 Configuring Source IPv6 Addresses of MLD Queries 1 13 Configuring an MLD Snooping Policy 1 14...

Страница 439: ...een ports and multicast MAC addresses and forwards IPv6 multicast data based on these mappings As shown in Figure 1 1 when MLD Snooping is not running IPv6 multicast packets are broadcast to all devic...

Страница 440: ...s Router port Member port Ports involved in MLD Snooping as shown in Figure 1 2 are described as follows z Router port A router port is a port on the Ethernet switch that leads switch towards the Laye...

Страница 441: ...tialized to the dynamic router port aging time MLD general query of which the source address is not 0 0 or IPv6 PIM hello The switch removes this port from its router port list Dynamic member port agi...

Страница 442: ...d IPv6 multicast group the switch creates an entry adds the port as a dynamic member port to the outgoing port list and starts a member port aging timer for that port z If a forwarding table entry exi...

Страница 443: ...the port suppose it is a dynamic member port before its aging timer expires this means that some host attached to the port is receiving or expecting to receive IPv6 multicast data for that IPv6 multi...

Страница 444: ...up view are effective only for all the ports in the current port group For a given port a configuration made in MLD Snooping view is effective only if the same configuration is not made in Ethernet po...

Страница 445: ...MLDv1 and MLDv2 messages Follow these steps to configure the version of MLD Snooping To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the version of M...

Страница 446: ...ure aging timers for dynamic ports globally To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Configure dynamic router port aging time router aging time...

Страница 447: ...mber ports and static router ports never age out To remove such a port you need to use the corresponding undo command Configuring Simulated Joining Generally a host running MLD responds to MLD queries...

Страница 448: ...er port Configuring Fast Leave Processing The fast leave processing feature allows the switch to process MLD done messages in a fast way With the fast leave processing feature enabled when receiving a...

Страница 449: ...ng querier prepare the following data z MLD general query interval z MLD last member query interval z Maximum response time for MLD general queries z Source IPv6 address of MLD general queries and z S...

Страница 450: ...n to 0 the host sends an MLD report to the corresponding IPv6 multicast group An appropriate setting of the maximum response time for MLD queries allows hosts to respond to queries quickly and avoids...

Страница 451: ...e time for MLD general queries otherwise undesired deletion of IPv6 multicast members may occur Configuring Source IPv6 Addresses of MLD Queries This configuration allows you to change the source IPv6...

Страница 452: ...entry for this port in the MLD Snooping forwarding table otherwise the switch drops this report message Any IPv6 multicast data that fails the ACL check will not be sent to this port In this way the s...

Страница 453: ...rt filtering globally Follow these steps to configure IPv6 multicast source port filtering To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Enable IPv6...

Страница 454: ...ort suppression To do Use the command Remarks Enter system view system view Enter MLD Snooping view mld snooping Enable MLD report suppression report aggregation Optional Enabled by default Configurin...

Страница 455: ...in some specific applications an IPv6 multicast group newly joined on the switch needs to replace an existing IPv6 multicast group automatically A typical example is channel switching namely by joinin...

Страница 456: ...ng IPv6 multicast group replacement Otherwise the IPv6 multicast group replacement functionality will not take effect Displaying and Maintaining MLD Snooping To do Use the command Remarks View MLD Sno...

Страница 457: ...ven if Host A and Host B accidentally temporarily stop receiving IPv6 multicast data Network diagram Figure 1 3 Network diagram for IPv6 group policy simulated joining configuration Source Router A Sw...

Страница 458: ...group policy 2001 vlan 100 SwitchA mld snooping quit Configure GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 as simulated hosts for IPv6 multicast group FF1E 101 SwitchA interface gigabitethernet 1...

Страница 459: ...red to be configured as static member ports for multicast group 224 1 1 1 to enhance the reliability of multicast traffic transmission z Suppose STP runs on the network To avoid data loops the forward...

Страница 460: ...IM DM on each interface and enable MLD on GigabitEthernet 1 0 1 RouterA system view RouterA multicast ipv6 routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 mld enabl...

Страница 461: ...hernet 1 0 1 through GigabitEthernet 1 0 5 to this VLAN and enable MLD Snooping in the VLAN SwitchC vlan 100 SwitchC vlan100 port gigabitethernet 1 0 1 to gigabitethernet 1 0 5 SwitchC vlan100 mld sno...

Страница 462: ...0 on Switch C SwitchC display mld snooping group vlan 100 verbose Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Port flags D Dynamic port S Static port C Copy port Subvlan flags R Real VL...

Страница 463: ...e MLD Snooping querier Network diagram Figure 1 5 Network diagram for MLD Snooping querier configuration Configuration procedure 1 Configure Switch A Enable IPv6 forwarding and enable MLD Snooping glo...

Страница 464: ...l queries 3 Received MLDv1 specific queries 0 Received MLDv1 reports 12 Received MLD dones 0 Sent MLDv1 specific queries 0 Received MLDv2 reports 0 Received MLDv2 reports with right and wrong records...

Страница 465: ...ured z The IPv6 multicast group policy is not correctly applied Solution 1 Use the display acl ipv6 command to check the configured IPv6 ACL rule Make sure that the IPv6 ACL rule conforms to the IPv6...

Страница 466: ...isites 1 3 Configuring Sub VLAN Based IPv6 Multicast VLAN 1 3 Configuring Port Based IPv6 Multicast VLAN 1 4 Configuration Prerequisites 1 4 Configuring User Port Attributes 1 4 Configuring IPv6 Multi...

Страница 467: ...to the Layer 2 device Switch A This results in not only waste of network bandwidth but also extra burden on the Layer 3 device Figure 1 1 Multicast transmission without IPv6 multicast VLAN The IPv6 mu...

Страница 468: ...in Figure 1 3 Host A Host B and Host C are in three different user VLANs All the user ports are hybrid ports On Switch A configure VLAN 10 as an IPv6 multicast VLAN assign all the user ports to this I...

Страница 469: ...cast VLAN on a device the port based IPv6 multicast VLAN configuration is given preference Configuring IPv6 Sub VLAN Based IPv6 Multicast VLAN Configuration Prerequisites Before configuring sub VLAN b...

Страница 470: ...effective only for the current port configurations made in Layer 2 aggregate port view are effective only for the current port configurations made in port group view are effective for all the ports i...

Страница 471: ...t hybrid pvid vlan and port hybrid vlan commands refer to VLAN Commands in the Access Volume Configuring IPv6 Multicast VLAN Ports In this approach you need to configure a VLAN as an IPv6 multicast VL...

Страница 472: ...elong to only one IPv6 multicast VLAN Displaying and Maintaining IPv6 Multicast VLAN To do Use the command Remarks Display information about an IPv6 multicast VLAN display multicast vlan ipv6 vlan id...

Страница 473: ...gure an IPv6 address and address prefix for each interface as per Figure 1 4 The detailed configuration steps are omitted here 2 Configure Router A Enable IPv6 multicast routing enable IPv6 PIM DM on...

Страница 474: ...display multicast vlan ipv6 Total 1 IPv6 multicast vlan s IPv6 Multicast vlan 10 subvlan list vlan 2 4 port list no port View the MLD Snooping IPv6 multicast group information on Switch A SwitchA disp...

Страница 475: ...otal 1 IP Source s Total 1 MAC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s match to one mac group IP group address FF1E 101 FF1E 101 Host port s total 0 port MAC g...

Страница 476: ...2 GE1 0 2 GE1 0 3 GE1 0 4 Switch A MLD querier Router A GE1 0 1 1 2 64 GE1 0 2 2001 1 64 1 1 64 Receiver Host B VLAN 3 Receiver Host C VLAN 4 GE1 0 1 Configuration procedure 1 Enable IPv6 forwarding a...

Страница 477: ...witchA GigabitEthernet1 0 2 port hybrid vlan 10 untagged SwitchA GigabitEthernet1 0 2 quit The configuration for GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 is similar The detailed configuration s...

Страница 478: ...AC Group s Router port s total 1 port GE1 0 1 D IP group s the following ip group s match to one mac group IP group address FF1E 101 FF1E 101 Host port s total 3 port GE1 0 2 D GE1 0 3 D GE1 0 4 D MAC...

Страница 479: ...ter and packet loss rate This document describes z QoS overview z QoS policy configuration z Priority mapping configuration z Traffic policing Configuration z Line rate configuration z Congestion mana...

Страница 480: ...g Overview 3 1 Introduction to Priority Mapping 3 1 Priority Mapping Tables 3 1 Priority Trust Mode on a Port 3 2 Priority Mapping Procedure 3 2 Priority Mapping Configuration Tasks 3 3 Configuring Pr...

Страница 481: ...rking Overview 7 1 Configuring Priority Marking 7 1 Priority Marking Configuration Example 7 2 Priority Marking Configuration Example 7 2 8 Traffic Redirecting Configuration 8 1 Traffic Redirecting Ov...

Страница 482: ...iii Uncolored Priority Mapping Tables 11 2 Appendix C Introduction to Packet Precedences 11 3 IP Precedence and DSCP Values 11 3 802 1p Priority 11 5...

Страница 483: ...QoS techniques used most widely Using these techniques reasonably in the specific environments you can improve the QoS effectively Introduction to QoS Service Models This section covers three typical...

Страница 484: ...s of the QoS techniques in a network As shown in Figure 1 1 traffic classification traffic shaping traffic policing congestion management and congestion avoidance mainly implement the following functi...

Страница 485: ...estion avoidance monitors the usage status of network resources and is usually applied to the outgoing traffic of a port As congestion becomes worse it actively reduces the amount of traffic by droppi...

Страница 486: ...ring QoS policies A QoS policy defines what QoS actions to take on what class of traffic for purposes such as traffic shaping or traffic policing Before configuring a QoS policy be familiar with these...

Страница 487: ...r tcl name operator and or Required By default the relationship between match criteria is AND Configure match criteria if match match criteria Required match criteria Match criterion Table 2 1 shows t...

Страница 488: ...this argument at a time VLAN ID is in the range 1 to 4094 In a class configured with the operator and the logical relationship between the customer VLAN IDs specified for the customer vlan id keyword...

Страница 489: ...with a specified source MAC address Suppose the logical relationship between classification rules is and Note the following when using the if match command to define matching rules z If multiple matc...

Страница 490: ...viors and classifier behavior associations in a QoS policy already applied To check whether a QoS policy has been applied successfully use the display qos policy interface command z The switch may sav...

Страница 491: ...pplied in a certain direction remove the QoS policy application first Follow these steps to apply the QoS policy to online users To do Use the command Remarks Enter system view system view Enter user...

Страница 492: ...Ns for example VLANs created by GVRP z Do not apply a QoS policy to a VLAN and the ports in the VLAN at the same time Displaying and Maintaining QoS Policies To do Use the command Remarks Display info...

Страница 493: ...2 8...

Страница 494: ...ly scheduled z Drop precedence is used for making packet drop decisions Packets with the highest drop precedence are dropped preferentially When a packet enters the device from a port the device assig...

Страница 495: ...carried in packets There are three priority trust modes on H3C S5500 SIseries switches z dot1p Uses the 802 1p priority carried in packets for priority mapping z dscp Uses the DSCP carried in packets...

Страница 496: ...port priority as the 802 1p priority for priority mapping Look up the dot1p dp and dot1p lp mapping tables Mark the packet with local precedence and drop precedence Port priority The priority mapping...

Страница 497: ...ing table display qos map table dot1p dp dot1p lp dscp dot1p dscp dp dscp dscp Optional Available in any view You cannot configure mapping any DSCP value to drop precedence 1 Configuring the Priority...

Страница 498: ...r port group view port group manual port group name Use either command Settings in interface view take effect on the current interface settings in port group view take effect on all ports in the port...

Страница 499: ...to GigabitEthernet 1 0 3 of Device which sets the 802 1p priority of traffic from the management department to 5 Configure port priority 802 1p to local priority mapping table and priority marking to...

Страница 500: ...gabitethernet 1 0 2 Device GigabitEthernet1 0 2 qos priority 4 Device GigabitEthernet1 0 2 quit Set the port priority of GigabitEthernet 1 0 3 to 5 Device interface gigabitethernet 1 0 3 Device Gigabi...

Страница 501: ...vior admin quit Device qos policy admin Device qospolicy admin classifier http behavior admin Device qospolicy admin quit Device interface gigabitethernet 1 0 3 Device GigabitEthernet1 0 3 qos apply p...

Страница 502: ...ing a certain number of tokens The system puts tokens into the bucket at a set rate When the token bucket is full the extra tokens overflows Evaluating traffic with the token bucket The evaluation of...

Страница 503: ...z If the C bucket does not have enough tokens but the E bucket has enough tokens packets are colored yellow z If neither the C bucket nor the E bucket has sufficient tokens packets are colored red Tr...

Страница 504: ...en bucket approach to traffic control bursty traffic can be transmitted so long as enough tokens are available in the token bucket if tokens are inadequate packets cannot be transmitted until the requ...

Страница 505: ...traffic policing on GigabitEthernet 1 0 1 to limit the rate of received HTTP traffic to 512 kbps and drop the exceeding traffic Enter system view Sysname system view Configure advanced ACL 3000 to mat...

Страница 506: ...ormation rate cbs committed burst size Required Configuration Example Limit the outbound line rate of GigabitEthernet 1 0 1 to 512 kbps Enter system view Sysname system view Enter interface view Sysna...

Страница 507: ...o common cases Figure 5 1 Traffic congestion causes 100M 10M 100M 10M 50M 100M 100M 100M 100M 50M 10M 10M 1 2 Congestion may bring these negative results z Increased delay and jitter during packet tra...

Страница 508: ...ing As shown in Figure 5 2 SP queuing classifies eight queues on a port into eight classes numbered 7 to 0 in descending priority order SP queuing schedules the eight queues strictly according to the...

Страница 509: ...advantage of WRR queuing is that while the queues are scheduled in turn the service time for each queue is not fixed that is if a queue is empty the next queue will be scheduled immediately This impro...

Страница 510: ...port currently with the precedence being 0 1 2 3 and 4 and the minimum guaranteed bandwidth being 128 kbps 128 kbps 128 kbps 64 kbps and 64 kbps respectively z The assignable bandwidth 10 Mbps 128 kb...

Страница 511: ...e settings in port group view take effect on all ports in the port group Configure SP queuing qos sp Required By default all the ports adopt the WRR queue scheduling algorithm with the weight values a...

Страница 512: ...group with their weights being 1 2 4 6 8 10 12 and 14 2 Configuration procedure Enter system view Sysname system view Configure the WRR queues on port GigabitEthernet1 0 1 Sysname interface GigabitEth...

Страница 513: ...4 6 8 10 12 and 14 respectively z Set the minimum guaranteed bandwidth of queue 0 to 128 kbps 2 Configuration procedure Enter system view Sysname system view Configure WFQ queues on GigabitEthernet 1...

Страница 514: ...ssigned to queue 0 through queue 7 being 1 2 3 4 5 9 13 and 15 Configuration Example Network requirements z Configure to adopt SP WRR queue scheduling algorithm on GigabitEthernet1 0 1 z Configure que...

Страница 515: ...figuration information display qos wrr interface interface type interface number Display SP queue configuration information display qos sp interface interface type interface number Display WFQ queue c...

Страница 516: ...to configure traffic filtering To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or Configure the match criteria...

Страница 517: ...n procedure Create advanced ACL 3000 and configure a rule to match packets whose source port number is 21 DeviceA system view DeviceA acl number 3000 DeviceA acl basic 3000 rule 0 permit tcp source po...

Страница 518: ...6 3 Apply the policy named policy to the incoming traffic of GigabitEthernet 1 0 1 DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 qos apply policy policy inbound...

Страница 519: ...hange its transmission priority in the network To configure priority marking you can associate a class with a behavior configured with the priority marking action to set the priority fields or flag bi...

Страница 520: ...plying the QoS policy to a VLAN Display the priority marking configuration display traffic behavior user defined behavior name Optional Available in any view Priority Marking Configuration Example Pri...

Страница 521: ...destination IP address 192 168 0 3 Device acl number 3002 Device acl adv 3002 rule permit ip destination 192 168 0 3 0 Device acl adv 3002 quit Create a class named classifier_dbserver and reference A...

Страница 522: ...behavior_fserver Device behavior behavior_fserver remark local precedence 2 Device behavior behavior_fserver quit Create a policy named policy_server and associate classes with behaviors in the polic...

Страница 523: ...r 2 interface z Redirecting traffic to the next hop redirects packets which require processing by an interface to the interface This action is applicable to only Layer 3 packets Configuring Traffic Re...

Страница 524: ...the QoS policy to a VLAN z Generally the action of redirecting traffic to the CPU the action of redirecting traffic to an interface and the action of redirecting traffic to the next hop are mutually...

Страница 525: ...terface z Mirroring traffic to the CPU copies the matching packets on an interface to a CPU the CPU of the device where the traffic mirroring enabled interface resides Configuring Traffic Mirroring To...

Страница 526: ...w Create a class and enter class view traffic classifier tcl name operator and or Configure the match criteria if match match criteria Exit class view quit Create a behavior and enter behavior view tr...

Страница 527: ...nfiguring traffic mirroring to a port Configuration Procedure Configure Switch Enter system view Sysname system view Configure basic IPv4 ACL 2000 to match packets with the source IP address 192 168 0...

Страница 528: ...icy 1 quit Apply the QoS policy to the incoming traffic of GigabitEthernet 1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 qos apply policy 1 inbound After the configuration...

Страница 529: ...nting Follow these steps to configure class based accounting To do Use the command Remarks Enter system view system view Create a class and enter class view traffic classifier tcl name operator and or...

Страница 530: ...1 DeviceA system view DeviceA acl number 2000 DeviceA acl basic 2000 rule permit source 1 1 1 1 0 DeviceA acl basic 2000 quit Create a class named classifier_1 and reference ACL 2000 in the class Dev...

Страница 531: ...configuration DeviceA display qos policy interface gigabitethernet 1 0 1 Interface GigabitEthernet1 0 1 Direction Inbound Policy policy Classifier classifier_1 Operator AND Rule s If match acl 2000 Be...

Страница 532: ...lass Based Weighted Fair Queuing CE Customer Edge CIR Committed Information Rate CQ Custom Queuing DAR Deeper Application Recognition DiffServ Differentiated Service DSCP Differentiated Services Codep...

Страница 533: ...Shaping VoIP Voice over IP VPN Virtual Private Network WFQ Weighted Fair Queuing WRED Weighted Random Early Detection Appendix B Default Priority Mapping Tables Uncolored Priority Mapping Tables For...

Страница 534: ...o 39 0 4 40 to 47 0 5 48 to 55 0 6 56 to 63 0 7 Appendix C Introduction to Packet Precedences IP Precedence and DSCP Values Figure 11 1 ToS and DS fields As shown in Figure 11 1 the ToS field of the I...

Страница 535: ...111 network Table 11 5 Description on DSCP values DSCP value decimal DSCP value binary Description 46 101110 ef 10 001010 af11 12 001100 af12 14 001110 af13 18 010010 af21 20 010100 af22 22 010110 af...

Страница 536: ...the 802 1Q tag header The Priority field in the 802 1Q tag header is called the 802 1p priority because its use is defined in IEEE 802 1p Table 11 6 presents the values for 802 1p priority Figure 11...

Страница 537: ...on 1 1 User Profile Overview 1 1 User Profile Configuration 1 1 User Profile Configuration Task List 1 1 Creating a User Profile 1 2 Applying a QoS Policy to User Profile 1 2 Enabling a User Profile 1...

Страница 538: ...access no users pass the authentication or users have logged out user profile does not take effect as it is a predefined configuration With user profile you can z Make use of system resources more gra...

Страница 539: ...s you will directly enter the corresponding user profile view The configuration made in user profile view takes effect when the user profile is enabled and the corresponding users are online Refer to...

Страница 540: ...being enabled Follow these steps to enable a user profile To do Use the command Remarks Enter system view system view Enable a user profile user profile profile name enable Required A user profile is...

Страница 541: ...is used as the standard for LAN user access authentication This document describes z 802 1X overview z 802 1X configuration z 802 1X Guest VLAN configuration HABP On an HABP capable switch HABP packet...

Страница 542: ...nt z Configuring an SFTP Server z Configuring an SFTP Client PKI The Public Key Infrastructure PKI is a hierarchical framework designed for providing information security through public key technologi...

Страница 543: ...omain 1 15 Configuring AAA Accounting Methods for an ISP Domain 1 17 Configuring Local User Attributes 1 19 Configuring User Group Attributes 1 21 Tearing down User Connections Forcibly 1 21 Displayin...

Страница 544: ...d to the Data Sent to HWTACACS Server 1 34 Setting Timers Regarding HWTACACS Servers 1 35 Displaying and Maintaining HWTACACS 1 35 AAA Configuration Examples 1 36 AAA for Telnet Users by a HWTACACS Se...

Страница 545: ...e network access server NAS and the server maintains user information centrally In an AAA network a NAS is a server for users but a client for the AAA servers as shown in Figure 1 1 Figure 1 1 AAA net...

Страница 546: ...s Currently the device supports using RADIUS HWTACACS for AAA and RADIUS is often used in practice Introduction to RADIUS Remote Authentication Dial In User Service RADIUS is a distributed information...

Страница 547: ...ntercepted in non secure networks RADIUS encrypts passwords before transmitting them A RADIUS server supports multiple user authentication methods for example the Password Authentication Protocol PAP...

Страница 548: ...the RADIUS server 5 The RADIUS server returns a start accounting response Accounting Response and starts accounting 6 The user accesses the network resources 7 The host requests the RADIUS client to...

Страница 549: ...1 byte long is for matching request packets and response packets and detecting retransmitted request packets The request and response packets of the same type have the same identifier 4 The Length fie...

Страница 550: ...Login Service 62 Port Limit 16 Login TCP Port 63 Login LAT Port 17 unassigned 64 Tunnel Type 18 Reply_Message 65 Tunnel Medium Type 19 Callback Number 66 Tunnel Client Endpoint 20 Callback ID 67 Tunn...

Страница 551: ...Vender Specific defined by RFC 2865 allows a vender to define extended attributes to implement functions that the standard RADIUS protocol does not provide A vendor can encapsulate multiple type lengt...

Страница 552: ...rity and having good flexibility and extensibility Meanwhile they also have differences as listed in Table 1 3 Table 1 3 Primary differences between HWTACACS and RADIUS HWTACACS RADIUS Uses TCP provid...

Страница 553: ...continuance packet with the login password 1 A Telnet user sends an access request to the NAS 2 Upon receiving the request the HWTACACS client sends a start authentication packet to the HWTACACS serve...

Страница 554: ...difications for Tunnel Protocol Support z RFC 2868 RADIUS Attributes for Tunnel Protocol Support z RFC 2869 RADIUS Extensions z RFC 1492 An Access Control Protocol Sometimes Called TACACS AAA Configur...

Страница 555: ...User Connections Forcibly Optional Displaying and Maintaining AAA Optional RADIUS Configuration Task List Task Remarks Creating a RADIUS Scheme Required Specifying the RADIUS Authentication Authoriza...

Страница 556: ...te authentication authorization accounting policies for all the other types of users For a user who has logged in to the device AAA can provide the command authorization service to enhance device secu...

Страница 557: ...an ISP domain name the device uses the authentication method configured for the default ISP domain to authenticate the user Configuring ISP Domain Attributes Follow these steps to configure ISP domain...

Страница 558: ...r HWTACACS server to authenticate users As for RADIUS the device can use the standard RADIUS protocol or extended RADIUS protocol in collaboration with systems like iMC to implement user authenticatio...

Страница 559: ...pt message from the RADIUS server does include the authorization information but the authentication process ignores the information z With the radius scheme radius scheme name local or hwtacacs scheme...

Страница 560: ...or service type to be configured With AAA you can configure an authorization scheme specifically for each access mode and service type limiting the authorization protocols that can be used for access...

Страница 561: ...guring AAA Accounting Methods for an ISP Domain In AAA accounting is a separate process at the same level as authentication and authorization Its responsibility is to send accounting start update end...

Страница 562: ...the command accounting method accounting command hwtacacs scheme hwtacacs scheme name Optional The default accounting method is used by default Specify the accounting method for LAN users accounting l...

Страница 563: ...you need to create local users and configure user attributes on the device as needed A local user represents a set of user attributes configured on a device and such a user set is uniquely identified...

Страница 564: ...rt number mac mac address vlan vlan id Optional By default no binding attribute is configured for a local user Configure the authorization attributes for the local user authorization attribute acl acl...

Страница 565: ...ider what attributes are needed Configuring User Group Attributes For simplification of local user configuration and manageability of local users the concept of user group is introduced A user group c...

Страница 566: ...l user idle cut disable enable service type ftp lan access portal ssh telnet terminal state active block user name user name vlan vlan id Available in any view Display configuration information about...

Страница 567: ...nced by more than one ISP domain at the same time Specifying the RADIUS Authentication Authorization Servers Follow these steps to specify the RADIUS authentication authorization servers To do Use the...

Страница 568: ...rvers and Relevant Parameters Follow these steps to specify the RADIUS accounting servers and perform related configurations To do Use the command Remarks Enter system view system view Create a RADIUS...

Страница 569: ...nting request transmission attempts for the user reaches the limit but it still receives no response to the accounting request z The IP addresses of the primary and secondary accounting servers cannot...

Страница 570: ...in the command manual for configuring RADIUS server response timeout period Setting the Supported RADIUS Server Type Follow these steps to set the supported RADIUS server type To do Use the command Re...

Страница 571: ...primary RADIUS authentication authorization server state primary authentication active block Set the status of the primary RADIUS accounting server state primary accounting active block Set the status...

Страница 572: ...ore sending a username including a domain name You can configure the user name format without domain command on the device for this purpose z If a RADIUS scheme defines that the username is sent witho...

Страница 573: ...ult Set the real time accounting interval timer realtime accounting minutes Optional 12 minutes by default z The maximum number of retransmission attempts of RADIUS packets multiplied by the RADIUS se...

Страница 574: ...ou can specify up to eight security policy servers for a RADIUS scheme Enabling the Listening Port of the RADIUS Client Follow these steps to enable the listening port of the RADIUS client To do Use t...

Страница 575: ...ed on a per scheme basis Before performing other HWTACACS configurations follow these steps to create a HWTACACS scheme and enter HWTACACS scheme view To do Use the command Remarks Enter system view s...

Страница 576: ...ry and secondary authentication servers cannot be the same Otherwise the configuration fails z You can remove an authentication server only when no active TCP connection for sending authentication pac...

Страница 577: ...ACACS accounting server primary accounting ip address port number Specify the secondary HWTACACS accounting server secondary accounting ip address port number Required Configure at least one of the co...

Страница 578: ...butes Related to the Data Sent to HWTACACS Server Follow these steps to configure the attributes related to the data sent to the HWTACACS server To do Use the command Remarks Enter system view system...

Страница 579: ...for the primary server timer quiet minutes Optional 5 minutes by default Set the real time accounting interval timer realtime accounting minutes Optional 12 minutes by default z For real time accounti...

Страница 580: ...nting Its IP address is 10 1 1 1 z On the switch set the shared keys for authentication authorization and accounting packets to expert Configure the switch to remove the domain name from a user name b...

Страница 581: ...horization default hwtacacs scheme hwtac Switch isp bbb accounting default hwtacacs scheme hwtac When telneting into the switch a user enters username userid bbb for authentication using domain bbb AA...

Страница 582: ...uthorization expert Switch hwtacacs hwtac user name format without domain Switch hwtacacs hwtac quit Configure the RADIUS scheme Switch radius scheme rd Switch radius rd primary accounting 10 1 1 1 18...

Страница 583: ...ver is 10 1 1 1 24 z Set both the shared keys for authentication and accounting packets exchanged with the RADIUS server to expert and specify that a username sent to the RADIUS server carries the dom...

Страница 584: ...dd an access device Add a user for device management Log into the iMC management platform select the User tab and select Access User View Device Mgmt User from the navigation tree to enter the Device...

Страница 585: ...switch access the server Switch interface vlan interface 3 Switch Vlan interface3 ip address 10 1 1 2 255 255 255 0 Switch Vlan interface3 quit Generate RSA and DSA key pairs and enable the SSH server...

Страница 586: ...A Troubleshooting RADIUS Symptom 1 User authentication authorization always fails Analysis 1 A communication failure exists between the NAS and the RADIUS server 2 The username is not in the format of...

Страница 587: ...ion and accounting are available Symptom 3 A user is authenticated and authorized but accounting for the user is not normal Analysis 1 The accounting port number is not correct 2 Configuration of the...

Страница 588: ...a Port 1 15 Configuring an 802 1X Guest VLAN 1 16 Configuring an Auth Fail VLAN 1 17 Displaying and Maintaining 802 1X 1 18 802 1X Configuration Example 1 18 Guest VLAN and VLAN Assignment Configurati...

Страница 589: ...f an access control device can access the resources on the LAN only after passing authentication The port security feature provides rich security modes that combine or extend 802 1X and MAC address au...

Страница 590: ...on the LAN z Between the device and the RADIUS server EAP protocol packets can be handled in two modes EAP relay and EAP termination In EAP relay mode EAP protocol packets are encapsulated by using th...

Страница 591: ...to access the network without authentication z unauthorized force Places the port in the unauthorized state denying any access requests from users of the ports z auto Places the port in the unauthoriz...

Страница 592: ...Length of the data that is length of the Packet body field in bytes If the value of this field is 0 no subsequent data field is present z Packet body Content of the packet The format of this field va...

Страница 593: ...kets Figure 1 6 shows its encapsulation format The value of the Type field is 79 The String field can be up to 253 bytes If the EAP packet is longer than 253 bytes it can be fragmented and encapsulate...

Страница 594: ...30 seconds by default This method can be used to authenticate clients which cannot send EAPOL Start frames and therefore cannot trigger authentication for example the 802 1X client provided by Windows...

Страница 595: ...packet it encapsulates the username in an EAP Response Identity packet and sends the packet to the device 4 Upon receiving the EAP Response Identity packet the device relays the packet in a RADIUS Acc...

Страница 596: ...as gone offline and performs the necessary operations guaranteeing that the device always knows when a client goes offline 11 The client can also send an EAPOL Logoff frame to the device to go offline...

Страница 597: ...s section describes the timers used on an 802 1X device to guarantee that the client the device and the RADIUS server can interact with each other in a reasonable manner z Username request timeout tim...

Страница 598: ...hentication server sends authorization information to the device If the authorization information contains VLAN authorization information the device adds the port connecting the client to the assigned...

Страница 599: ...a port that uses the port based access control method With PGV configured on a port if no user initiates authentication on the port in a certain period of time 90 seconds by default the port will be a...

Страница 600: ...but fails the authentication the port stays in the Auth Fail VLAN If the user passes the authentication successfully the port leaves the Auth Fail VLAN and z If the authentication server assigns a VLA...

Страница 601: ...s Meanwhile for EAP relay mode 802 1X authentication that uses certificates the certificate of a user determines the authentication domain of the user However you can specify different mandatory authe...

Страница 602: ...for the username request timeout timer Enable the quiet timer dot1x quiet period Optional Disabled by default Note that z For 802 1X to take effect on a port you must enable it both globally in syste...

Страница 603: ...l authorized force auto unauthorized force Optional auto by default Set the port access control method for the port dot1x port method macbased portbased Optional macbased by default Set the maximum nu...

Страница 604: ...st VLAN z The guest VLAN function and the free IP function in EAD fast deployment are mutually exclusive on a port z If the traffic from a user side device carries VLAN tags and the 802 1X authenticat...

Страница 605: ...MGV cannot take effect For description on the intrusion protection function of disabling a port refer to Port Security Configuration in the Security Volume Configuring an Auth Fail VLAN z The Auth Fai...

Страница 606: ...function of disabling a port refer to Port Security Configuration in the Security Volume Displaying and Maintaining 802 1X To do Use the command Remarks Display 802 1X session information statistics...

Страница 607: ...ver 20 minutes Figure 1 10 Network diagram for 802 1X configuration Configuration procedure The following configuration procedure covers most AAA RADIUS configuration commands for the device while con...

Страница 608: ...he RADIUS server Device radius radius1 user name format without domain Device radius radius1 quit Create domain aabbcc net and enter its view Device domain aabbcc net Set radius1 as the RADIUS scheme...

Страница 609: ...802 1X and set VLAN 10 as the guest VLAN of the port If the device sends an EAP Request Identity packet from the port for the maximum number of times but still receives no response the device adds the...

Страница 610: ...Configuration procedure z The following configuration procedure uses many AAA RADIUS commands For detailed configuration of these commands refer to AAA Configuration in the Security Volume z Configura...

Страница 611: ...Set the port access control mode to auto Device GigabitEthernet1 0 2 dot1x port control auto Device GigabitEthernet1 0 2 quit Create VLAN 10 Device vlan 10 Device vlan10 quit Specify port GigabitEther...

Страница 612: ...000 key authentication abc Device radius 2000 key accounting abc Device radius 2000 user name format without domain Device radius 2000 quit Create an ISP domain and specify the AAA schemes Device doma...

Страница 613: ...1 25 Pinging 10 0 0 1 with 32 bytes of data Request timed out Request timed out Request timed out Request timed out Ping statistics for 10 0 0 1 Packets Sent 4 Received 0 Lost 4 100 loss C...

Страница 614: ...evice which tends to be time consuming and inefficient To address the issue quick EAD deployment was developed In conjunction with 802 1X it can have an access switch to force all attached devices to...

Страница 615: ...before passing 802 1X authentication Once a free IP is configured the fast deployment of EAD is enabled Follow these steps to configure a freely accessible network segment To do Use the command Remar...

Страница 616: ...rk segment but fail the authentication ACLs will soon be used up and new users will be rejected An EAD rule timeout timer is designed to solve this problem When a user accesses the network this timer...

Страница 617: ...192 168 2 0 24 GE1 0 1 Configuration procedure 1 Configure the WEB server Before using the EAD fast deployment function you need to configure the WEB server to provide the download service of 802 1X c...

Страница 618: ...cified URL Analysis z The address is in the string format In this case the operating system of the host regards the string a website name and tries to have it resolved If the resolution fails the oper...

Страница 619: ...Contents 1 HABP Configuration 1 1 Introduction to HABP 1 1 Configuring HABP 1 2 Configuring the HABP Server 1 2 Configuring an HABP Client 1 3 Displaying and Maintaining HABP 1 3 HABP Configuration E...

Страница 620: ...devices of the cluster to bypass 802 1X authentication because network devices usually do not support 802 1 client Otherwise the management device will fail to perform centralized management of the cl...

Страница 621: ...n link layer frames exchanged between the clients can bypass the 802 1X authentication on ports of the server without affecting the normal operation of the whole network All HABP packets must travel i...

Страница 622: ...y default Configure HABP to work in client mode undo habp server Optional HABP works in client mode by default Displaying and Maintaining HABP To do Use the command Remarks Display HABP configuration...

Страница 623: ...nfigure Switch B and Switch C Configure Switch B and Switch C to work in HABP client mode This configuration is usually unnecessary because HABP is enabled and works in client mode by default 3 Verify...

Страница 624: ...Authentication 1 2 ACL Assigning 1 3 Configuring MAC Authentication 1 3 Configuration Prerequisites 1 3 Configuration Procedure 1 3 Configuring a Guest VLAN 1 4 Configuration Prerequisites 1 4 Configu...

Страница 625: ...and password z Fixed username where all users use the same preconfigured username and password for authentication regardless of the MAC addresses RADIUS Based MAC Authentication In RADIUS based MAC au...

Страница 626: ...n MAC address that has passed another type of authentication the quiet function does not take effect VLAN Assigning For separation of users from restricted network resources users and restricted resou...

Страница 627: ...sernames and passwords on the device or server ensure that z The type of username and password must be consistent with that used for MAC authentication z All the letters in the MAC address to be used...

Страница 628: ...on for ports first However the configuration takes effect only after you enable MAC authentication globally z Enabling MAC authentication on a port is mutually exclusive with adding the port to an agg...

Страница 629: ...in EAD fast deployment on a port For the free IP configuration refer to 802 1X Configuration in the Security Volume Displaying and Maintaining MAC Authentication To do Use the command Remarks Display...

Страница 630: ...SP domain for MAC authentication Device mac authentication domain aabbcc net Set the MAC authentication timers Device mac authentication timer offline detect 180 Device mac authentication timer quiet...

Страница 631: ...seconds and the quiet timer to 3 minutes z All users belong to ISP domain 2000 z The username type of fixed username is used for authentication with the username being aaa and password being 123456 F...

Страница 632: ...uiet 180 Specify to use the username aaa and password 123456 for MAC authentication of all users Device mac authentication user name format fixed account aaa password simple 123456 2 Verify the config...

Страница 633: ...access the FTP server whose IP address is 10 0 0 1 Figure 1 3 Network diagram for ACL assignment Configuration procedure z Make sure that there is a route available between the RADIUS server and the s...

Страница 634: ...Sysname mac authentication domain 2000 Specify the MAC authentication username type as MAC address that is using the MAC address of a user as the username and password for MAC authentication of the u...

Страница 635: ...ng out Users 1 9 Specifying a Mandatory Authentication Domain 1 10 Displaying and Maintaining Portal 1 10 Portal Configuration Examples 1 11 Configuring Direct Portal Authentication 1 11 Configuring R...

Страница 636: ...rtal website enter username and password for authentication This authentication mode is called active authentication There is still another authentication mode namely forced authentication in which th...

Страница 637: ...tion of a client depends on the communications between the portal client and the security policy server Access device Device for broadband access It can be a switch or a router that provides the follo...

Страница 638: ...rity authentication result z Since a portal client uses an IP address as its ID ensure that there is no Network Address Translation NAT device between the authentication client access device portal se...

Страница 639: ...a client is uniquely identified by an IP address This is because the mode supports Layer 3 forwarding devices between the authentication client and the access device but the access device does not le...

Страница 640: ...equest message and sends it to the access device Meanwhile the portal server starts a timer to wait for an authentication acknowledgment message 4 The access device and the RADIUS server exchange RADI...

Страница 641: ...al server that it has obtained a public IP address 8 The portal server notifies the access device that the authentication client has obtained a new public IP address 9 Detecting the change of the IP a...

Страница 642: ...the users are configured on the RADIUS server and the RADIUS client configurations are performed on the access device For information about RADIUS client configuration refer to AAA Configuration in th...

Страница 643: ...uthentication mode can be used in applications with Layer 3 forwarding devices present between the authentication clients and the access device However Layer 3 authentication does not require any Laye...

Страница 644: ...emarks Enter system view system view Enter interface view interface interface type interface number Configure an authentication subnet portal auth network network address mask length mask Optional By...

Страница 645: ...ecurity Volume Displaying and Maintaining Portal To do Use the command Remarks Display the ACLs on a specified interface display portal acl all dynamic static interface interface type interface number...

Страница 646: ...uthentication The host is assigned with a public network IP address manually or automatically by a DHCP server Before portal authentication users using the host can access only the portal server After...

Страница 647: ...uring the iMC UAM installation Usually their default settings are used Figure 1 5 Portal server configuration Configure the IP address group Select Portal Service Management IP Group from the navigati...

Страница 648: ...the portal device with the IP address group As shown in Figure 1 8 in the device list on the portal device configuration page click the icon in the Port Group Information Management column of device S...

Страница 649: ...gure the keys for communication with the servers Switch radius rs1 primary authentication 192 168 0 112 Switch radius rs1 primary accounting 192 168 0 112 Switch radius rs1 key authentication radius S...

Страница 650: ...hentication on the interface connecting the host Switch interface vlan interface 100 Switch Vlan interface100 portal server newpt method direct Switch quit Configuring Re DHCP Portal Authentication Ne...

Страница 651: ...ver type for the RADIUS scheme When using the iMC server you need set the server type to extended Switch radius rs1 server type extended Specify the primary authentication server and primary accountin...

Страница 652: ...t relay Switch Vlan interface100 dhcp relay server select 0 Switch Vlan interface100 dhcp relay address check enable Enable re DHCP portal authentication on the interface connecting the host Switch Vl...

Страница 653: ...enter its view SwitchA system view SwitchA radius scheme rs1 Set the server type for the RADIUS scheme When using the iMC server you need set the server type to extended SwitchA radius rs1 server typ...

Страница 654: ...interface 4 SwitchA Vlan interface4 portal server newpt method layer3 SwitchA Vlan interface4 quit Configure the IP address of the interface connected with the portal server SwitchA interface vlan int...

Страница 655: ...S scheme named rs1 and enter its view Switch system view Switch radius scheme rs1 Set the server type for the RADIUS scheme When using the iMC server you need set the server type to extended Switch ra...

Страница 656: ...es On the security policy server you need to specify ACL 3000 as the isolation ACL and ACL 3001 as the security ACL Switch acl number 3000 Switch acl adv 3000 rule permit ip destination 192 168 0 0 0...

Страница 657: ...onfigure re DHCP portal authentication with extended functions Configuration procedure z For re DHCP authentication you need to configure a public address pool 20 20 20 0 24 in this example and a priv...

Страница 658: ...1 quit 2 Configure an authentication domain Create an ISP domain named dm1 and enter its view Switch domain dm1 Configure the ISP domain to use RADIUS scheme rs1 Switch isp dm1 authentication portal r...

Страница 659: ...n interface100 dhcp select relay Switch Vlan interface100 dhcp relay server select 0 Switch Vlan interface100 dhcp relay address check enable Enable re DHCP portal authentication on the interface conn...

Страница 660: ...mary accounting 192 168 0 112 SwitchA radius rs1 key accounting radius SwitchA radius rs1 key authentication radius SwitchA radius rs1 user name format without domain Configure the IP address of the s...

Страница 661: ...4 SwitchA Vlan interface4 ip address 20 20 20 1 255 255 255 0 SwitchA Vlan interface4 portal server newpt method layer3 SwitchA Vlan interface4 quit On Switch B you need to configure a default route t...

Страница 662: ...e is not 50100 the destination port of the REQ_LOGOUT message is not the actual listening port on the server Thus the portal server cannot receive the REQ_LOGOUT message As a result you cannot force t...

Страница 663: ...re 1 7 Configuring Port Security Features 1 8 Configuring NTK 1 8 Configuring Intrusion Protection 1 8 Configuring Trapping 1 9 Configuring Secure MAC Addresses 1 9 Configuration Prerequisites 1 10 Co...

Страница 664: ...needed When a port security enabled device detects an illegal frame it triggers the corresponding port security feature and takes a pre defined action automatically This reduces your maintenance workl...

Страница 665: ...oRestrictions Port security is disabled on the port and access to the port is not restricted In this mode neither the NTK nor the intrusion protection feature is triggered autoLearn In this mode a por...

Страница 666: ...uthentication upon receiving 802 1X frames macAddressElseUs erLoginSecure This mode is the combination of the macAddressWithRadius and userLoginSecure modes with MAC authentication having a higher pri...

Страница 667: ...entication method is to be used However 802 1X authentication is preferred by wireless users z userLogin with Secure specifies MAC based 802 1X authentication z Ext indicates allowing multiple 802 1X...

Страница 668: ...Follow these steps to enable port security To do Use the command Remarks Enter system view system view Enable port security port security enable Required Disabled by default Note that 1 Enabling port...

Страница 669: ...owed on a port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Set the maximum number of secure MAC addresses allowed on...

Страница 670: ...e userlogin secure mac else userlogin secure ext secure userlogin userlogin secure userlogin secure ext userlogin secure or mac userlogin secure or mac ext userlogin withoui Required By default a port...

Страница 671: ...nterface interface type interface number Configure the NTK feature port security ntk mode ntk withbroadcasts ntk withmulticasts ntkonly Required By default NTK is disabled on a port and all frames are...

Страница 672: ...x user logoff z ralmlogfailure ralmlogoff A port learns MAC authentication failure MAC authentication user logoff z intrusion A port learns illegal frames Follow these steps to configure port security...

Страница 673: ...iguration file and will not get lost when the port goes up or goes down After you save the configuration file the secure MAC address saved in the configuration file are maintained even after the devic...

Страница 674: ...of the switch as follows z Allow up to 64 users to access the port without authentication and permit the port to learn and add the MAC addresses of the users as secure MAC addresses z After the number...

Страница 675: ...s to disable the port DisablePortTemporarily for 30 seconds You can also use the above command repeatedly to track the number of MAC addresses learned by the port or use the display this command in in...

Страница 676: ...he client is connected to the switch through port GigabitEthernet 1 0 1 The switch authenticates the client by the RADIUS server If the authentication succeeds the client is authorized to access the I...

Страница 677: ...192 168 1 3 Switch radius radsun secondary accounting 192 168 1 2 Switch radius radsun key authentication name Switch radius radsun key accounting money Switch radius radsun timer response timeout 5...

Страница 678: ...eName radsun Index 1 Type standard Primary Auth IP 192 168 1 2 Port 1812 State active Primary Acct IP 192 168 1 3 Port 1813 State active Second Auth IP 192 168 1 3 Port 1812 State active Second Acct I...

Страница 679: ...ure MAC addresses stored is 1 You can also use the following command to view information about 802 1X users Switch display dot1x interface gigabitethernet 1 0 1 Equipment 802 1X protocol is enabled CH...

Страница 680: ...Mode Network requirements The client is connected to the switch through GigabitEthernet 1 0 1 The switch authenticates the client by the RADIUS server If the authentication succeeds the client is aut...

Страница 681: ...itEthernet1 0 1 port security ntk mode ntkonly 3 Verify the configuration After completing the above configurations you can use the following command to view the port security configuration informatio...

Страница 682: ...link up 802 1X protocol is enabled Handshake is enabled The port is an authenticator Authentication Mode is Auto Port Control Type is Mac based 802 1X Multicast trigger is enabled Mandatory authentica...

Страница 683: ...resses Switch GigabitEthernet1 0 1 port security mac address security 1 1 2 vlan 1 Error Can not operate security MAC address for current port mode is not autoLearn Analysis No secure MAC address can...

Страница 684: ...er is online Solution Use the cut command to forcibly disconnect the user from the port before changing the port security mode Switch GigabitEthernet1 0 1 quit Switch cut connection interface gigabite...

Страница 685: ...ing Dynamic Binding Function 1 2 Displaying and Maintaining IP Source Guard 1 3 IP Source Guard Configuration Examples 1 3 Static Binding Entry Configuration Example 1 3 Dynamic Binding Function Confi...

Страница 686: ...uard If there is a match the port forwards the packet Otherwise the port discards the packet IP source guard filters packets based on the following types of binding entries z IP port binding entry z M...

Страница 687: ...0 0 0 0 z A static binding entry can be configured on only Layer 2 Ethernet ports Configuring Dynamic Binding Function After the dynamic binding function is enabled on a port IP source guard will rec...

Страница 688: ...e static binding entries on Switch A and Switch B to meet the following requirements z On port GigabitEthernet 1 0 2 of Switch A only IP packets from Host C can pass z On port GigabitEthernet 1 0 1 of...

Страница 689: ...SwitchB interface gigabitethernet 1 0 1 SwitchB GigabitEthernet1 0 1 user bind ip address 192 168 0 2 mac address 0001 0203 0407 3 Verify the configuration On Switch A static binding entries are confi...

Страница 690: ...e gigabitethernet 1 0 2 SwitchA GigabitEthernet1 0 2 dhcp snooping trust SwitchA GigabitEthernet1 0 2 quit 2 Verify the configuration Display dynamic binding function is configured successfully on por...

Страница 691: ...ted by DHCP snooping after it is configured with dynamic binding function Troubleshooting IP Source Guard Failed to Configure Static Binding Entries and Dynamic Binding Function Symptom Configuring st...

Страница 692: ...and Maintaining SSH 1 11 SSH Server Configuration Examples 1 12 When Switch Acts as Server for Password Authentication 1 12 When Switch Acts as Server for Publickey Authentication 1 14 SSH Client Conf...

Страница 693: ...ents but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server Currently when acting as an SSH server the device supports two SSH version...

Страница 694: ...pports the version the server and client will use the version Otherwise the negotiation fails 5 If the negotiation is successful the server and the client proceed with key and algorithm negotiation ot...

Страница 695: ...lid the authentication fails otherwise the server authenticates the client by the digital signature Finally the server sends a message to the client to inform the success or failure of the authenticat...

Страница 696: ...t be within 2000 bytes It is recommended that the commands are in the same view otherwise the server may not be able to perform the commands correctly z If the command text exceeds 2000 bytes you can...

Страница 697: ...and client respectively no session key transmission is required in SSH2 and the server key pair is not used z The length of the modulus of RSA server keys and host keys must be in the range 512 to 20...

Страница 698: ...H you cannot change the authentication mode To change the authentication mode undo the SSH support configuration first Configuring a Client Public Key This configuration task is only necessary for SSH...

Страница 699: ...ublic key code end When you exit public key code view the system automatically saves the public key Return from public key view to system view peer public key end Importing a client public key from a...

Страница 700: ...ervice type sftp if the client uses SSH1 to log into the server you must set the service type to stelnet or all on the server Otherwise the client will fail to log in z The working folder of an SFTP u...

Страница 701: ...Set the SSH user authentication timeout period ssh server authentication timeout time out value Optional 60 seconds by default Set the maximum number of SSH authentication attempts ssh server authenti...

Страница 702: ...ient will use the saved server host public key to authenticate the server z Without first time authentication a client not configured with the server host public key will deny to access the server To...

Страница 703: ...ryption algorithms preferred HMAC algorithms and preferred key exchange algorithm For an IPv4 IPv6 server ssh2 ipv6 server port number identity key dsa rsa prefer ctos cipher aes128 des prefer ctos hm...

Страница 704: ...he SSH server for secure data exchange z Password authentication is required The username and password are saved on the switch Figure 1 1 Switch acts as server for password authentication Configuratio...

Страница 705: ...the service type for user client001 as Stelnet and the authentication mode as password This step is optional Switch ssh user client001 service type stelnet authentication type password 2 Configure th...

Страница 706: ...entication Network requirements z As shown in Figure 1 3 a local SSH connection is established between the host the SSH client and the switch the SSH server for secure data exchange z Publickey authen...

Страница 707: ...4 user privilege level 3 Switch ui vty0 4 quit Before performing the following tasks you must use the client software to generate an RSA key pair on the client save the public key in a file named key...

Страница 708: ...key pair 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 1 5 Otherwise the process bar stops moving and the key pair g...

Страница 709: ...1 17 Figure 1 5 Generate a client key pair 2 After the key pair is generated click Save public key and specify the file name as key pub to save the public key Figure 1 6 Generate a client key pair 3...

Страница 710: ...After generating a key pair on a client you need to transmit the saved public key file to the server through FTP or TFTP and have the configuration on the server done before continuing configuration...

Страница 711: ...name After entering the correct username client002 you can enter the configuration interface SSH Client Configuration Examples When Switch Acts as Client for Password Authentication Network requiremen...

Страница 712: ...bcc SwitchB luser client001 service type ssh SwitchB luser client001 authorization attribute level 3 SwitchB luser client001 quit Specify the service type for user client001 as Stelnet and the authent...

Страница 713: ...932E69D3B1F18517AD95 SwitchA pkey key code 94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02 492B3959EC6499625BC4FA5082E22C5 SwitchA pkey key code B374E16DD00132CE71B020217091AC717B612391C76C1FB2E 883...

Страница 714: ...n for SSH connection SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Set the authentication mode for the user interfaces...

Страница 715: ...c key local create dsa Export the DSA public key to the file key pub SwitchA public key local export dsa ssh2 key pub SwitchA quit After generating a key pair on a client you need to transmit the save...

Страница 716: ...TP client enabling a user to login from the device to a remote device for secure file transfer Configuring an SFTP Server Configuration Prerequisites z You have configured the SSH server For the detai...

Страница 717: ...r the SFTP Client You can configure a client to use only a specified source IP address or interface to access the SFTP server thus enhancing the service manageability Follow these steps to specify a s...

Страница 718: ...nclude z Changing or displaying the current working directory z Displaying files under a specified directory or the directory information z Changing the name of a specified directory on the server z C...

Страница 719: ...96 Required Execute the command in user view Change the name of a specified file or directory on the SFTP server rename old name new name Optional Download a file from the remote server and save it l...

Страница 720: ...number identity key dsa rsa prefer ctos cipher aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher aes128 des prefer stoc hmac md5...

Страница 721: ...use the client software to generate RSA key pairs on the client save the host public key in a file named pubkey and then upload the file to the SSH server through FTP or TFTP For details refer to Con...

Страница 722: ...ccessfully sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey drwxrwxrwx 1 noon...

Страница 723: ...the name to public sftp client get pubkey2 public Remote file pubkey2 Local file public Downloading file successfully ended Upload the local file pu to the server save it as puk and check if the file...

Страница 724: ...tch interface vlan interface 1 Switch Vlan interface1 ip address 192 168 1 45 255 255 255 0 Switch Vlan interface1 quit Set the authentication mode of the user interfaces to AAA Switch user interface...

Страница 725: ...supports only password authentication Establish a connection with the remote SFTP server Run the psftp exe to launch the client interface as shown in Figure 2 3 and enter the following command open 19...

Страница 726: ...1 8 Retrieving a Certificate Manually 1 9 Configuring PKI Certificate Verification 1 10 Destroying a Local RSA Key Pair 1 11 Deleting a Certificate 1 11 Configuring an Access Control Policy 1 12 Disp...

Страница 727: ...e this problem The digital certificate mechanism binds public keys to their owners helping distribute public keys in large networks securely With digital certificates the PKI system provides network c...

Страница 728: ...is so large that publishing them in a single CRL may degrade network performance and it uses CRL distribution points to indicate the URLs of these CRLs CA policy A CA policy is a set of criteria that...

Страница 729: ...PKI technology can satisfy the security requirements of online transactions As an infrastructure PKI has a wide range of applications Here are some application examples VPN A virtual private network V...

Страница 730: ...ing a Certificate Request in Manual Mode Required Use either approach Retrieving a Certificate Manually Optional Configuring PKI Certificate Optional Destroying a Local RSA Key Pair Optional Deleting...

Страница 731: ...fqdn name str Optional No FQDN is specified by default Configure the IP address for the entity ip ip address Optional No IP address is specified by default Configure the locality of the entity locali...

Страница 732: ...dedicated protocol for an entity to communicate with a CA z Polling interval and count After an applicant makes a certificate request the CA may need a long period of time if it verifies the certific...

Страница 733: ...nd optional when the certificate request mode is manual In the latter case if you do not configure this command the fingerprint of the root certificate must be verified manually No fingerprint is conf...

Страница 734: ...The key pair includes a public key and a private key The private key is kept by the user while the public key is transferred to the CA along with some other information For detailed information about...

Страница 735: ...command with the pkcs10 and filename keywords and then send the file to the CA by an out of band means z Make sure the clocks of the entity and the CA are synchronous Otherwise the validity period of...

Страница 736: ...L checking CRLs will be used in verification of a certificate Configuring CRL checking enabled PKI certificate verification Follow these steps to configure CRL checking enabled PKI certificate verific...

Страница 737: ...file z Currently the URL of the CRL distribution point does not support domain name resolving Destroying a Local RSA Key Pair A certificate has a lifetime which is determined by the CA When the priva...

Страница 738: ...ect name dn fqdn ip ctn equ nctn nequ attribute value Optional There is no restriction on the issuer name certificate subject name and alternative subject name by default Return to system view quit Cr...

Страница 739: ...ed when RSA Keon is used In this case when configuring a PKI domain you need to use the certificate request from ca command to specify that the entity requests a certificate from a CA Requesting a Cer...

Страница 740: ...d the common name as switch Switch system view Switch pki entity aaa Switch pki entity aaa common name switch Switch pki entity aaa quit z Configure the PKI domain Create PKI domain torsa and enter it...

Страница 741: ...domain torsa Connecting to server for retrieving CRL Please wait a while CRL retrieval success Request a local certificate manually Switch pki request certificate domain torsa challenge word Certifica...

Страница 742: ...AEncryption 836213A4 F2F74C1A 50F4100D B764D6CE B30C0133 C4363F2F 73454D51 E9F95962 EDE9E590 E7458FA6 765A0D3F C4047BC2 9C391FF0 7383C4DF 9A0CCFA9 231428AF 987B029C C857AD96 E4C92441 9382E798 8FCC1E4A...

Страница 743: ...olicy Module Click Properties and then select Follow the settings in the certificate template if applicable Otherwise automatically issue the certificate z Modify the Internet Information Services IIS...

Страница 744: ...Generating Keys z Apply for certificates Retrieve the CA certificate and save it locally Switch pki retrieval certificate ca domain torsa Retrieving CA RA certificates Please wait a while The trusted...

Страница 745: ...onent 65537 0x10001 X509v3 extensions X509v3 Subject Key Identifier B68E4107 91D7C44C 7ABCE3BA 9BF385F8 A448F4E1 X509v3 Authority Key Identifier keyid 9D823258 EADFEFA2 4A663E75 F416B6F6 D41EE4FE X509...

Страница 746: ...must be created in advance For detailed configuration of the PKI domain refer to Configure the PKI domain 1 Configure the HTTPS server Configure the SSL policy for the HTTPS server to use Switch syste...

Страница 747: ...ribute based access control policy to HTTPS service and enable HTTPS service Apply SSL server policy myssl to HTTPS service Switch ip https ssl server policy myssl Apply the certificate attribute base...

Страница 748: ...trieve a CA certificate z Regenerate a key pair z Specify a trusted CA z Use the ping command to check that the RA server is reachable z Specify the authority for certificate request z Configure the r...

Страница 749: ...List 1 2 Configuring an SSL Server Policy 1 3 Configuration Prerequisites 1 3 Configuration Procedure 1 3 SSL Server Policy Configuration Example 1 4 Configuring an SSL Client Policy 1 5 Configuratio...

Страница 750: ...and client by using the digital signatures with the authentication of the client being optional The SSL server and client obtain certificates from a certificate authority CA through the Public Key In...

Страница 751: ...ity authentication of the server and client Through the SSL handshake protocol a session is established between a client and the server A session consists of a set of parameters including the session...

Страница 752: ...nd enter its view ssl server policy policy name Required Specify a PKI domain for the SSL server policy pki domain domain name Required By default no PKI domain is specified for an SSL server policy S...

Страница 753: ...r TLS 1 0 to communicate with the server SSL Server Policy Configuration Example Network requirements z Device works as the HTTPS server z A host works as the client and accesses the HTTPS server thro...

Страница 754: ...ssl client verify enable Device ssl server policy myssl quit 3 Associate HTTPS service with the SSL server policy and enable HTTPS service Configure HTTPS service to use SSL server policy myssl Device...

Страница 755: ...r the SSL client policy pki domain domain name Required No PKI domain is configured by default Specify the preferred cipher suite for the SSL client policy prefer cipher rsa_aes_128_cbc_sha rsa_des_cb...

Страница 756: ...e for it z If the server certificate cannot be trusted install on the SSL client the root certificate of the CA that issues the local certificate to the SSL server or let the server requests a certifi...

Страница 757: ...Asymmetric Key Pair 1 2 Creating an Asymmetric Key Pair 1 2 Displaying or Exporting the Local RSA or DSA Host Public Key 1 3 Destroying an Asymmetric Key Pair 1 3 Configuring the Public Key of a Peer...

Страница 758: ...ntiality The cipher text is transmitted in the network and then is decrypted by the receiver to obtain the original pain text Figure 1 1 Encryption and decryption There are two types of key algorithms...

Страница 759: ...ir Adleman Algorithm RSA and Digital Signature Algorithm DSA are all asymmetric key algorithms RSA can be used for data encryption decryption and signature whereas DSA are used for signature only Asym...

Страница 760: ...he local RSA or DSA host public key on the remote end Follow these steps to display or export the local RSA or DSA host public key To do Use the command Remarks Enter system view system view Display t...

Страница 761: ...lic key of a peer manually To do Use the command Remarks Enter system view system view Enter public key view public key peer keyname Enter public key code view public key code begin Configure a public...

Страница 762: ...ocal create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits of the modulus default 1024 Genera...

Страница 763: ...3818D0030818902818100D90003F A95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A 9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB12503...

Страница 764: ...ime of Key pair created 09 50 06 2007 08 07 Key name HOST_KEY Key type RSA Encryption Key Key code 30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F985 4C4421B57CAC...

Страница 765: ...logged in ftp binary 200 Type set to I ftp put devicea pub 227 Entering Passive Mode 10 1 1 2 5 148 125 BINARY mode data connection already open transfer starting for devicea pub 226 Transfer complete...

Страница 766: ...e 2 1 Configuration Procedure 2 1 Configuration Example 2 2 Configuring a Basic IPv4 ACL 2 2 Configuration Prerequisites 2 2 Configuration Procedure 2 3 Configuration Example 2 3 Configuring an Advanc...

Страница 767: ...erequisites 3 4 Configuration Procedure 3 4 Displaying and Maintaining IPv6 ACLs 3 5 IPv6 ACL Configuration Example 3 5 Network Requirements 3 5 Network Diagram 3 5 Configuration Procedure 3 5 4 ACL A...

Страница 768: ...ch as source MAC address destination MAC address source IP address destination IP address and port number Application of ACLs on the Switch The switch supports two ACL application modes z Hardware bas...

Страница 769: ...ltering with IPv4 ACL IPv4 ACL Classification IPv4 ACLs identified by ACL numbers fall into three categories as shown in Table 1 1 Table 1 1 IPv4 ACL categories Category ACL number Matching criteria B...

Страница 770: ...it to the protocol type that is configured with the ip keyword has the lowest precedence Rules each of which has a single specified protocol type are of the same precedence level 2 If the protocol typ...

Страница 771: ...e defined already the first defined rule will get a number of 0 Another benefit of using the step is that it allows you to insert new rules between existing ones as needed For example after creating f...

Страница 772: ...me name IPv6 ACL Match Order Similar to IPv4 ACLs an IPv6 ACL consists of multiple rules each of which specifies different matching criteria These criteria may have overlapping or conflicting parts Th...

Страница 773: ...es are the same look at the destination IPv6 address prefixes Then compare packets against the rule configured with a longer prefix for the destination IPv6 address 4 If the prefix lengths for the des...

Страница 774: ...quired Display the configuration and status of one or all time ranges display time range time range name all Optional Available in any view You may create a maximum of 256 time ranges A time range can...

Страница 775: ...e ends at the latest time that the system supports namely 24 00 12 31 2100 Configuration Example Create a time range that is active from 8 00 to 18 00 every working day Sysname system view Sysname tim...

Страница 776: ...ption text Optional By default a basic IPv4 ACL has no ACL description Configure a rule description rule rule id comment text Optional By default an IPv4 ACL rule has no rule description Note that z Y...

Страница 777: ...rule define it with the time range command first Configuration Procedure Follow these steps to configure an advanced IPv4 ACL To do Use the command Remarks Enter system view system view Create an adv...

Страница 778: ...uto a newly created rule will be inserted among the existing rules in the depth first match order Note that the IDs of the rules still remain the same z You can modify the match order of an ACL with t...

Страница 779: ...order is config If you specify a name for an IPv4 ACL when creating the ACL you can use the acl name acl name command to enter the view of the ACL later Create or modify a rule rule rule id deny permi...

Страница 780: ...xist Configuration Example Configure ACL 4000 to deny frames with the 802 1p priority of 3 Sysname system view Sysname acl number 4000 Sysname acl ethernetframe 4000 rule deny cos 3 Verify the configu...

Страница 781: ...Available in any view Clear statistics about a specified or all IPv4 ACLs that are referenced by upper layer software reset acl counter acl number all name acl name Available in user view IPv4 ACL Co...

Страница 782: ...Pv4 ACL 3000 Switch traffic classifier c_rd Switch classifier c_rd if match acl 3000 Switch classifier c_rd quit Configure traffic behavior b_rd to deny matching packets Switch traffic behavior b_rd S...

Страница 783: ...ch GigabitEthernet1 0 2 qos apply policy p_rd inbound Switch GigabitEthernet1 0 2 quit Apply QoS policy p_market to interface GigabitEthernet 1 0 3 Switch interface GigabitEthernet 1 0 3 Switch Gigabi...

Страница 784: ...ure Follow these steps to configure an IPv6 ACL To do Use the command Remarks Enter system view system view Create a basic IPv6 ACL view and enter its view acl ipv6 number acl6 number name acl6 name m...

Страница 785: ...l ipv6 number acl6 number name acl6 name match order auto config command but only when the ACL does not contain any rules z The rule specified in the rule comment command must already exist Configurat...

Страница 786: ...v6 type icmpv6 code icmpv6 message logging source source source prefix source source prefix any source port operator port1 port2 time range time range name Required To create or modify multiple rules...

Страница 787: ...tcp source 2030 5060 9050 64 Verify the configuration Sysname acl6 adv 3000 display acl ipv6 3000 Advanced IPv6 ACL 3000 named none 1 rule ACL s step is 5 rule 0 permit tcp source 2030 5060 9050 64 5...

Страница 788: ...range display time range time range name all Available in any view Clear statistics about a specified or all IPv6 ACLs that are referenced by upper layer software reset acl ipv6 counter acl6 number al...

Страница 789: ...matching packets Switch traffic behavior b_rd Switch behavior b_rd filter deny Switch behavior b_rd quit Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd Switch qos policy p_rd S...

Страница 790: ...remove and modify rules and the edited rules take effect immediately Filtering Ethernet Frames Follow these steps to apply an Ethernet frame header ACL to an interface to filter Ethernet frames To do...

Страница 791: ...v6 ACL is applied to the interface Configuring Packet Filtering Statistics Function The S5500 SI series provides the packet filtering statistics function so that the device can output packet filtering...

Страница 792: ...s the device outputs packet filtering statistics except those that have been displayed by the command during that interval ACL Application Example Applying an ACL to an Ethernet Interface Network requ...

Страница 793: ...from 14 00 to 18 00 during working days without affecting communication between Host A and Host B Figure 4 2 Network diagram for applying an ACL to a VLAN interface Vlan int100 192 168 1 1 Host A 192...

Страница 794: ...ency Check 1 5 Introduction 1 5 Configuration Procedure 1 5 Configuring ARP Active Acknowledgement 1 5 Introduction 1 5 Configuration Procedure 1 5 Configuring ARP Detection 1 6 Introduction 1 6 Confi...

Страница 795: ...mmunication failure occurs z A large number of IP packets with unreachable destinations As a result the receiving device continuously resolves destination IP addresses and thus its CPU is overloaded z...

Страница 796: ...nations z The device sends large numbers of ARP requests to the destination subnets which increases the load of the destination subnets z The device keeps trying to resolve destination IP addresses wh...

Страница 797: ...nst IP Packet Attacks To do Use the command Remarks Display the ARP source suppression configuration information display arp source suppression Available in any view Configuring ARP Packet Rate Limit...

Страница 798: ...these ARP packets from being discarded you can specify the MAC address of the gateway or server as a protected MAC address A protected MAC address is excluded from ARP attack detection even if it is...

Страница 799: ...tency check To do Use the command Remarks Enter system view system view Enable ARP packet source MAC address consistency check arp anti attack valid check enable Required Disabled by default Configuri...

Страница 800: ...c Checks whether the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet header If they are identical the packet is forwarded otherwise the packet is discarded z...

Страница 801: ...s is found the device compares the ARP packet s sender IP and MAC addresses against the DHCP snooping entries 802 1X security entries and OUI MAC addresses z If a match is found in any of the entries...

Страница 802: ...s as the sender MAC address when voice VLAN is enabled z When configuring an IP Source Guard binding entry you need to specify the VLAN otherwise no ARP packet will pass the ARP detection based on sta...

Страница 803: ...system view SwitchB dhcp snooping SwitchB interface gigabitethernet 1 0 1 SwitchB gigabitethernet 1 0 1 dhcp snooping trust SwitchB gigabitethernet 1 0 1 quit Enable ARP detection for VLAN 10 SwitchB...

Страница 804: ...enable 802 1X on Switch B Enable ARP detection for VLAN 10 to allow only packets from valid clients to pass Configure Host A and Host B as local 802 1X access users Figure 1 2 Network diagram for ARP...

Страница 805: ...ding configurations are complete when ARP packets arrive at interfaces GigabitEthernet1 0 1 and GigabitEthernet1 0 2 they are checked against 802 1X security entries Configuring ARP Automatic Scanning...

Страница 806: ...c ARP entries into static z The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports As a result the device may fail...

Страница 807: ...shown in Figure 1 3 Host B launches gateway spoofing attacks to Switch B As a result traffic that Switch B intends to send to Switch A is sent to Host B It is required to make proper configuration on...

Страница 808: ...view system view Enter Layer 2 Ethernet interface view interface interface type interface number Configure an ARP filtering entry arp filter binding ip address mac address Required Not configured by d...

Страница 809: ...1 quit SwitchB interface GigabitEthernet 1 0 2 SwitchB GigabitEthernet1 0 2 arp filter binding 10 1 1 9 000f e349 1233 After the above configuration is complete GigabitEthernet1 0 1 will permit incomi...

Страница 810: ...ice to be aware of the up down state change of the ports on an indirectly connected link This document describes z Monitor Link Overview z Configuring Monitor Link RRPP RRPP is a link layer protocol d...

Страница 811: ...uring Link Monitoring z Enabling OAM Loopback Testing Connectivity Fault Detection Connectivity fault detection is an end to end per VLAN link layer OAM mechanism for link connectivity detection fault...

Страница 812: ...orts for a Smart Link Group 1 6 Configuring Role Preemption for a Smart Link Group 1 7 Enabling the Sending of Flush Messages 1 7 Smart Link Device Configuration Example 1 8 Configuring an Associated...

Страница 813: ...ice connects to two different upstream devices as shown in Figure 1 1 Figure 1 1 Diagram for a dual uplink network GE1 0 1 GE1 0 2 GE1 0 1 GE1 0 1 GE1 0 2 GE1 0 2 A dual uplink network demonstrates hi...

Страница 814: ...ch form a smart link group with GE1 0 1 being active and GE1 0 2 being standby Master slave port Master port and slave port are two port roles in a smart link group When both ports in a smart link gro...

Страница 815: ...nge z To keep traffic forwarding stable the master port that has been blocked due to link failure does not take over immediately upon its recovery Instead link switchover will occur at next link switc...

Страница 816: ...Ports for a Smart Link Group Required Configuring Role Preemption for a Smart Link Group Optional Configuring a Smart Link Device Enabling the Sending of Flush Messages Optional Configuring an Associa...

Страница 817: ...MSTIs To view VLAN to MSTI mappings use the display stp region configuration command For VLAN to MSTI mapping configuration refer to MSTP Configuration in the Access Volume Configuring Member Ports fo...

Страница 818: ...nk group view smart link group group id Enable role preemption preemption mode role Required Disabled by default Configure the preemption delay preemption delay delay time Optional 1 second by default...

Страница 819: ...1 Sysname GigabitEthernet1 0 1 undo stp enable Sysname GigabitEthernet1 0 1 port link type trunk Sysname GigabitEthernet1 0 1 port trunk permit vlan 20 Sysname GigabitEthernet1 0 1 quit Sysname interf...

Страница 820: ...hey are not the same the associated device will forward the received flush messages directly without any processing z Do not remove the control VLANs Otherwise flush messages cannot be sent properly z...

Страница 821: ...C and Device D are dually uplinked to Device A z Configure Smart Link on the devices for dual uplink backup using VLAN 1 the default for flush update Figure 1 2 Single smart link group configuration...

Страница 822: ...ort gigabitethernet 1 0 2 slave Enable flush message sending in smart link group 1 DeviceC smlk group1 flush enable DeviceC smlk group1 quit 2 Configuration on Device D Create VLANs 1 through 30 map V...

Страница 823: ...iceB GigabitEthernet1 0 1 port trunk permit vlan 1 to 30 DeviceB GigabitEthernet1 0 1 smart link flush enable DeviceB GigabitEthernet1 0 1 quit DeviceB interface gigabitethernet 1 0 2 DeviceB GigabitE...

Страница 824: ...to 30 DeviceA GigabitEthernet1 0 1 smart link flush enable DeviceA GigabitEthernet1 0 1 quit DeviceA interface gigabitethernet 1 0 2 DeviceA GigabitEthernet1 0 2 port link type trunk DeviceA GigabitEt...

Страница 825: ...oup 1 references MSTI 0 and smart link group 2 references MSTI 2 z The control VLAN of smart link group 1 is VLAN 10 and that of smart link group 2 is VLAN 101 Figure 1 3 Multiple smart link groups lo...

Страница 826: ...lk group 1 flush enable control vlan 10 DeviceC smlk group 1 quit Create smart link group 2 and configure all VLANs mapped to MSTI 2 as the protected VLANs for smart link group 2 DeviceC smart link gr...

Страница 827: ...igabitethernet 1 0 2 DeviceD GigabitEthernet1 0 2 port link type trunk DeviceD GigabitEthernet1 0 2 port trunk permit vlan 1 to 200 DeviceD GigabitEthernet1 0 2 smart link flush enable control vlan 10...

Страница 828: ...ROLE Control VLAN 101 Protected VLAN Reference Instance 2 Member Role State Flush count Last flush time GigabitEthernet1 0 2 MASTER ACTVIE 5 16 37 20 2009 02 21 GigabitEthernet1 0 1 SLAVE STANDBY 1 1...

Страница 829: ...w 1 1 Terminology 1 1 How Monitor Link Works 1 1 Configuring Monitor Link 1 2 Configuration Prerequisites 1 2 Configuration Procedure 1 2 Monitor Link Configuration Example 1 2 Displaying and Maintain...

Страница 830: ...port can be assigned to only one monitor link group Both Layer 2 Ethernet ports and Layer 2 aggregate interfaces can be assigned to a monitor link group Uplink The uplink is the link monitored by the...

Страница 831: ...more uplink ports In monitor link group view port interface type interface number downlink Configure the downlink for the monitor link group In Ethernet port view or Layer 2 aggregate interface view p...

Страница 832: ...er in the smart link group For detailed information about smart link refer to Smart Link Configuration in the High Availability Volume Figure 1 1 Network diagram for smart link in combination with mon...

Страница 833: ...2 DeviceA GigabitEthernet1 0 2 smart link flush enable 3 Configuration on Device B Create monitor link group 1 DeviceB system view DeviceB monitor link group 1 Configure GigabitEthernet 1 0 1 as an u...

Страница 834: ...1 and GigabitEthernet 1 0 2 separately DeviceD interface gigabitethernet 1 0 1 DeviceD GigabitEthernet1 0 1 smart link flush enable DeviceD GigabitEthernet1 0 1 quit DeviceD interface gigabitethernet...

Страница 835: ...iguring Control VLANs 1 11 Configuring Protected VLANs 1 11 Configuring RRPP Rings 1 12 Configuring RRPP Ports 1 12 Configuring RRPP Nodes 1 13 Activating an RRPP Domain 1 15 Configuring RRPP Timers 1...

Страница 836: ...e protocols RRPP features the following z Fast topology convergence z Convergence time independent of Ethernet ring size Background Metropolitan area networks MANs and enterprise networks usually use...

Страница 837: ...ne of the following two states z Health state All the physical links on the Ethernet ring are connected z Disconnect state Some physical links on the Ethernet ring are broken As shown in Figure 1 1 Do...

Страница 838: ...detect the integrity of the primary ring and perform loop guard As shown in Figure 1 1 Ring 1 is the primary ring and Ring 2 is a subring Device A is the master node of Ring 1 Device B Device C and D...

Страница 839: ...ing group configured on an assistant edge node is called an assistant edge node RRPP ring group Up to one subring in an edge node RRPP ring group is allowed to send Edge Hello packets RRPPDUs Table 1...

Страница 840: ...ed Hello packets ensuring that all nodes in the ring network are consistent in the two timer settings How RRPP Works Polling mechanism The polling mechanism is used by the master node of an RRPP ring...

Страница 841: ...raffic by transmitting traffic of different VLANs along different paths By configuring an individual RRPP domain for transmitting the traffic of the specified VLANs referred to as protected VLANs in a...

Страница 842: ...s shown in Figure 1 3 there are two or more rings in the network topology and only one common node between rings In this case you need to define an RRPP domain for each ring Figure 1 3 Schematic diagr...

Страница 843: ...for a dual homed ring network Single ring load balancing In a single ring network you can achieve load balancing by configuring multiple domains As shown in Figure 1 6 Ring 1 is configured as the pri...

Страница 844: ...Device E is configured as the master node of Ring 2 in both Domain 1 and Domain 2 However different ports on Device E are blocked in Domain 1 and Domain 2 With the configurations you can enable traffi...

Страница 845: ...r node in the RRPP domain Configuring an RRPP Ring Group Optional Perform this task on the edge node and assistant edge node in the RRPP domain z RRPP does not have an auto election mechanism so you m...

Страница 846: ...ed with RRPP you must ensure only the two ports connecting the device to the RRPP ring permit the packets of the control VLANs Otherwise the packets from other VLANs may go into the control VLANs in t...

Страница 847: ...g RRPP Ports Perform this configuration on each node s ports intended for accessing RRPP rings Follow these steps to configure RRPP ports To do Use the command Remarks Enter system view system view En...

Страница 848: ...Configuring RRPP Nodes z The maximum number of rings that can be configured on a device in all RRPP domains is 16 z If a device carries multiple RRPP rings in an RRPP domain only one ring can be confi...

Страница 849: ...interface number secondary port interface type interface number level level value Required Specify the current device as the edge node of a subring and specify the edge port ring ring id node mode ed...

Страница 850: ...e or assistant edge node enable disable the primary ring and subrings separately as follows z Enable the primary ring of an RRPP domain before enabling subrings of the RRPP domain z Disable the primar...

Страница 851: ...marks Enter system view system view Create an RRPP ring group and enter RRPP ring group view rrpp ring group ring group id Required Assign the specified subrings to the RRPP ring group domain domain i...

Страница 852: ...control VLAN of RRPP domain 1 as VLAN 4092 and RRPP domain 1 protects all VLANs z Device A Device B Device C and Device D constitute primary ring 1 z Specify Device A as the master node of primary ri...

Страница 853: ...ng 1 with GigabitEthernet 1 0 1 as the primary port and GigabitEthernet 1 0 2 as the secondary port and enable ring 1 DeviceA rrpp domain1 ring 1 node mode master primary port gigabitethernet 1 0 1 se...

Страница 854: ...here 5 Verification After the above configuration you can use the display command to view RRPP configuration and operational information on each device Intersecting Ring Configuration Example Network...

Страница 855: ...interface gigabitethernet 1 0 2 DeviceA GigabitEthernet1 0 2 link delay 0 DeviceA GigabitEthernet1 0 2 undo stp enable DeviceA GigabitEthernet1 0 2 port link type trunk DeviceA GigabitEthernet1 0 2 po...

Страница 856: ...Ethernet1 0 2 quit DeviceB interface gigabitethernet 1 0 3 DeviceB GigabitEthernet1 0 3 link delay 0 DeviceB GigabitEthernet1 0 3 undo stp enable DeviceB GigabitEthernet1 0 3 port link type trunk Devi...

Страница 857: ...interface gigabitethernet 1 0 3 DeviceC GigabitEthernet1 0 3 link delay 0 DeviceC GigabitEthernet1 0 3 undo stp enable DeviceC GigabitEthernet1 0 3 port link type trunk DeviceC GigabitEthernet1 0 3 po...

Страница 858: ...P domain 1 and configure VLANs mapped to MSTIs 0 through 16 as the protected VLANs of RRPP domain 1 DeviceD rrpp domain 1 DeviceD rrpp domain1 control vlan 4092 DeviceD rrpp domain1 protected vlan ref...

Страница 859: ...l information on each device Intersecting Ring Load Balancing Configuration Example Networking requirements z Device A Device B Device C Device D and Device F constitute RRPP domain 1 and VLAN 100 is...

Страница 860: ...igure the suppression time of physical link state changes on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 as zero disable STP configure the two ports as trunk ports remove them from VLAN 1 and assi...

Страница 861: ...pp domain1 ring 1 enable DeviceA rrpp domain1 quit Create RRPP domain 2 configure VLAN 105 as the primary control VLAN of RRPP domain 2 and configure the VLAN mapped to MSTI 2 as the protected VLAN of...

Страница 862: ...ure the port as a trunk port remove it from VLAN 1 and assign it to VLAN 20 and configure it to trust the 802 1p precedence of the received packets DeviceB interface gigabitethernet 1 0 3 DeviceB Giga...

Страница 863: ...node of primary ring 1 with GigabitEthernet 1 0 1 as the primary port and GigabitEthernet 1 0 2 as the secondary port and enable ring 1 DeviceB rrpp domain2 ring 1 node mode transit primary port gigab...

Страница 864: ...e of the received packets DeviceC interface gigabitethernet 1 0 3 DeviceC GigabitEthernet1 0 3 link delay 0 DeviceC GigabitEthernet1 0 3 undo stp enable DeviceC GigabitEthernet1 0 3 port link type tru...

Страница 865: ...itEthernet 1 0 2 as the secondary port and enable ring 1 DeviceC rrpp domain2 ring 1 node mode transit primary port gigabitethernet 1 0 1 secondary port gigabitethernet 1 0 2 level 0 DeviceC rrpp doma...

Страница 866: ...ence instance 1 Configure Device D as the transit node of primary ring 1 in RRPP domain 1 with GigabitEthernet 1 0 1 as the primary port and GigabitEthernet 1 0 2 as the secondary port and enable ring...

Страница 867: ...0 2 undo stp enable DeviceE GigabitEthernet1 0 2 port link type trunk DeviceE GigabitEthernet1 0 2 undo port trunk permit vlan 1 DeviceE GigabitEthernet1 0 2 port trunk permit vlan 20 DeviceE Gigabit...

Страница 868: ...permit vlan 10 DeviceF GigabitEthernet1 0 2 qos trust dot1p DeviceF GigabitEthernet1 0 2 quit Create RRPP domain 1 configure VLAN 100 as the primary control VLAN and configure the VLAN mapped to MSTI...

Страница 869: ...e RRPP ring z Some ports are abnormal Solution z Use the display rrpp brief command to check whether RRPP is enabled for all nodes If not use the rrpp enable command and the ring enable command to ena...

Страница 870: ...val for Sending Advertisement Packets 1 10 Setting the DelayDown Timer 1 10 Setting the Port Shutdown Mode 1 10 Configuring DLDP Authentication 1 11 Resetting DLDP State 1 11 Resetting DLDP State in S...

Страница 871: ...shooting Overview Sometimes unidirectional links may appear in networks On a unidirectional link one end can receive packets from the other end but the other end cannot Unidirectional links result in...

Страница 872: ...For a link with the devices on the both sides of it operating properly DLDP checks to see if the cable is connected correctly and if packets can be exchanged between the two devices Note that DLDP is...

Страница 873: ...timer This timer is set to 10 seconds and is triggered when a device transits to the Probe state or an enhanced detect is launched When the Echo timer expires and no Echo packet has been received from...

Страница 874: ...d DLDP mode when an entry timer expires the Enhanced timer is triggered and the device sends up to eight Probe packets at a frequency of one packet per second to test the neighbor If no Echo packet is...

Страница 875: ...The receiving side checks the values of the two fields of received DLDP packets and drops the packets with the two fields conflicting with the corresponding local configuration z Plain text authentic...

Страница 876: ...onding neighbor entry does not exist creates the neighbor entry triggers the Entry timer and transits to Probe state Advertisement packet with RSY tag Retrieving the neighbor information If the corres...

Страница 877: ...rmation If not no process is performed LinkDown packet Check to see if the local port operates in Enhanced mode If yes and the local port is not in Disable state the local transits to Disable state 3...

Страница 878: ...s state when it is just detected and is being probed No information indicating the state of the neighbor is received A neighbor is in this state only when it is being probed It transits to Two way sta...

Страница 879: ...therwise DLDP may operate improperly Enabling DLDP Follow these steps to enable DLDP To do Use the command Remarks Enter system view system view Enable DLDP globally dldp enable Required Globally disa...

Страница 880: ...ore you are recommended to use the default value z To enable DLDP to operate properly make sure the intervals for sending Advertisement packets on both sides of a link are the same Setting the DelayDo...

Страница 881: ...hut down by DLDP when it receives a packet sent by itself causing remote OAM loopback to operate improperly To prevent this you need to set the port shutdown mode to auto mode z If the device is busy...

Страница 882: ...hut down by DLDP Follow these steps to reset DLDP in system view To do Use the command Remarks Enter system view system view Reset DLDP state dldp reset Required Resetting DLDP State in Port view Port...

Страница 883: ...r the fiber connections are corrected Figure 1 4 Network diagram for DLDP configuration Device A GE1 0 50 GE1 0 51 Device B PC GE1 0 50 GE1 0 51 Configuration procedure 1 Configuration on Device A Ena...

Страница 884: ...tate down The neighbor number of the port is 0 The output information indicates that both GigabitEthernet 1 0 50 and GigabitEthernet 1 0 51 are in Disable state and the links are down which means unid...

Страница 885: ...vertisement packets on Device A and Device B are not the same z DLDP authentication modes passwords on Device A and Device B are not the same Solution Make sure the interval for sending Advertisement...

Страница 886: ...ation Task List 1 5 Configuring Basic Ethernet OAM Functions 1 6 Configuring Link Monitoring 1 6 Configuring Errored Symbol Event Detection 1 7 Configuring Errored Frame Event Detection 1 7 Configurin...

Страница 887: ...net has been absent all along hindering the usage of Ethernet in MANs and WANs Implementing Operation Administration and Maintenance OAM on Ethernet networks has now become an urgent matter As a tool...

Страница 888: ...be forwarded Source addr Source MAC address of the Ethernet OAMPDU It is the bridge MAC address of the sending side and is a unicast MAC address Type Type of the encapsulated protocol in the Ethernet...

Страница 889: ...interconnected OAM entities notify the peer of their OAM configuration information and the OAM capabilities of the local nodes by exchanging Information OAMPDUs and determine whether Ethernet OAM conn...

Страница 890: ...k faults in various environments Ethernet OAM implements link monitoring through the exchange of Event Notification OAMPDUs Upon detecting a link error event listed in Table 1 4 the local OAM entity s...

Страница 891: ...y across established OAM connections an Ethernet OAM entity can inform one of its OAM peers of link faults through Information OAMPDUs Therefore the network administrator can keep track of link status...

Страница 892: ...Ethernet port establishes an Ethernet OAM connection with its peer port Follow these steps to configure basic Ethernet OAM functions To do Use the command Remarks Enter system view System view Enter...

Страница 893: ...em view Configure the errored frame event detection interval oam errored frame period period value Optional 1 second by default Configure the errored frame event triggering threshold oam errored frame...

Страница 894: ...s than the errored frame seconds detection interval Otherwise no errored frame seconds event can be generated Enabling OAM Remote Loopback After enabling OAM remote loopback on a port you can send loo...

Страница 895: ...z Enabling internal loopback test on a port in remote loopback test can terminate the remote loopback test For more information about loopback test refer to Ethernet Interface Configuration in the Ac...

Страница 896: ...iew DeviceB interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 oam mode active DeviceB GigabitEthernet1 0 1 oam enable DeviceB GigabitEthernet1 0 1 quit 3 Verify the configuration Use the di...

Страница 897: ...p 0 Critical Event 0 According to the above output information no critical link event occurred on the link between Device A and Device B Display Ethernet OAM link event statistics of the remote end of...

Страница 898: ...uration Prerequisites 1 8 Configuring Procedure 1 8 Configuring LB on MEPs 1 8 Configuration Prerequisites 1 8 Configuration Procedure 1 9 Configuring LT on MEPs 1 9 Configuration Prerequisites 1 9 Fi...

Страница 899: ...ined by some maintenance association end points MEPs configured on the ports A MD is identified by an MD name To locate faults exactly CFD introduces eight levels from 0 to 7 to MDs The bigger the num...

Страница 900: ...P ID The MEPs of an MD define the range and boundary of the MD The MA and MD that a MEP belongs to define the VLAN attribute and level of the packets sent by the MEP MEPs fall into inward facing MEPs...

Страница 901: ...forwards packets at a higher level without any processing Figure 1 4 demonstrates a grading example of the CFD module In the figure there are six devices labeled 1 through 6 respectively Suppose each...

Страница 902: ...EPs send CCMs at the same time the multipoint to multipoint link check is achieved Loopback Similar to ping at the IP layer loopback is responsible for verifying the connectivity between a local devic...

Страница 903: ...e designed at the device port MEPs can be designed on devices or ports that are not at the edges Complete the following tasks to configure CFD Tasks Remarks Basic Configuration Tasks Required These co...

Страница 904: ...ed by default Create a service instance cfd service instance instance id md md name ma ma name Required Not created by default z These configuration tasks are the foundation for other CFD configuratio...

Страница 905: ...ed By default neither the MIPs nor the rules for generating MIPs are configured MIPs are generated on each port automatically according to the rules specified in the cfd mip rule command If a port has...

Страница 906: ...the interval field value in the CCM messages the interval between CCM messages and the timeout time of the remote MEP is illustrated in Table 1 2 Table 1 2 Relationship of the interval field value th...

Страница 907: ...MEP fails to receive the CCMs from the remote MEP within 3 5 sending intervals the link between the two is regarded as faulty and LTMs will be sent out Based on the LTRs that echo back the fault sour...

Страница 908: ...ep service instance instance id mep mep id Available in any view Display the content of the LTR that responds to LTM messages display cfd linktrace reply auto detection size size value Available in an...

Страница 909: ...B DeviceB system view DeviceB cfd enable DeviceB cfd md MD_A level 5 DeviceB cfd ma MA_MD_A md MD_A vlan 100 DeviceB cfd service instance 1 md MD_A ma MA_MD_A DeviceB cfd md MD_B level 3 DeviceB cfd...

Страница 910: ...1001 DeviceA GigabitEthernet1 0 1 cfd remote mep 4002 service instance 1 mep 1001 DeviceA GigabitEthernet1 0 1 cfd mep service instance 1 mep 1001 enable DeviceA GigabitEthernet1 0 1 cfd cc service in...

Страница 911: ...twork requirements After finishing MEP configuration you can continue to configure the MIPs MIPs which are generated by some rules are configured in the following way z Decide the device on which MIPs...

Страница 912: ...wn in Figure 1 6 enable LB on Device A so that Device A can send LBM messages to MEPs on Device D Configuration procedure Configure Device A DeviceA system view DeviceA cfd loopback service instance 1...

Страница 913: ...ation Task List 1 2 Configuring Collaboration Between the Track Module and the Detection Modules 1 2 Configuring Track NQA Collaboration 1 2 Configuring Collaboration Between the Track Module and the...

Страница 914: ...gh the Track module More specifically the detection modules probe the link status network performance and so on and inform the application modules of the detection result through the Track module Afte...

Страница 915: ...arks Configuring Collaboration Between the Track Module and the Detection Modules Configuring Track NQA Collaboration Required Configuring Collaboration Between the Track Module and the Application Mo...

Страница 916: ...tatic Routing collaboration so as to check the reachability of the next hop of the static route ip route static dest address mask mask length next hop address track track entry number preference prefe...

Страница 917: ...int3 10 2 1 1 24 Switch C Vlan int3 10 2 1 2 24 Switch B Switch A Configuration procedure 1 Configure the IP address of each interface as shown in Figure 1 2 2 Configure a static route on Switch A and...

Страница 918: ...Positive Reference object NQA entry admin test Reaction 1 Display the routing table of Switch A SwitchA display ip routing table Routing Tables Public Destinations 5 Routes 5 Destination Mask Proto P...

Страница 919: ...Interface 10 2 1 0 24 Direct 0 0 10 2 1 2 Vlan3 10 2 1 2 32 Direct 0 0 127 0 0 1 InLoop0 127 0 0 0 8 Direct 0 0 127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 The output information above...

Страница 920: ...Packets z Controlling Login Users Basic System Configuration Basic system configuration involves the configuration of device name system clock welcome message user privilege levels and so on This docu...

Страница 921: ...ress Table Management A switch maintains a MAC address table for fast forwarding packets This document describes z MAC address table overview z Configuring MAC Address Entries z Configuring the Aging...

Страница 922: ...ng Optional Parameters Common to an NQA Test Group z Scheduling an NQA Test Group NTP Network Time Protocol NTP is the TCP IP that advertises the accurate time throughout the network This document des...

Страница 923: ...Configuration Overview z Configuring the Master Device of a Stack z Configuring Stack Ports of a Slave Device z Logging In to the CLI of a Slave from the Master Automatic Configuration Automatic confi...

Страница 924: ...onfiguration Procedure 2 7 Configuration Example 2 7 Console Port Login Configuration with Authentication Mode Being Scheme 2 9 Configuration Procedure 2 9 Configuration Example 2 10 3 Logging In Thro...

Страница 925: ...olling Telnet Users by Source and Destination IP Addresses 7 2 Controlling Telnet Users by Source MAC Addresses 7 2 Configuration Example 7 3 Controlling Network Management Users by Source IP Addresse...

Страница 926: ...supports two types of user interfaces AUX and VTY z AUX port Used to manage and monitor users logging in via the console port The device provides AUX ports of EIA TIA 232 DTE type The port is usually...

Страница 927: ...s you to uniquely specify a user interface or a group of user interfaces The numbering system starts from number 0 with a step of 1 The numbering approach numbers the two types of user interfaces in t...

Страница 928: ...user interface all user interfaces display users all You can execute this command in any view Display the physical attributes and configuration of the current a specified user interface display user i...

Страница 929: ...thods By default you can log in to an H3C S5500 SI series Ethernet switch through its Console port only To log in to an Ethernet switch through its Console port the related configuration of the user t...

Страница 930: ...perTerminal in Windows 9X Windows 2000 Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally the parameters of a terminal are config...

Страница 931: ...mation about the commands Console Port Login Configuration Common Configuration Table 2 2 lists the common configuration of Console port login Table 2 2 Common configuration of Console port login Conf...

Страница 932: ...t history command buffer size history command max size value Optional By default the history command buffer can contain up to 10 commands Set the timeout time of a user interface idle timeout minutes...

Страница 933: ...Procedure Follow these steps to perform Console port login configuration with authentication mode being none To do Use the command Remarks Enter system view system view Enter AUX user interface view u...

Страница 934: ...aux0 user privilege level 2 Set the baud rate of the Console port to 19200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 Sysname ui aux0 screen length 3...

Страница 935: ...uthentication password cipher simple password Required By default no password is configured Configuration Example Network requirements Assume the switch is configured to allow you to login through Tel...

Страница 936: ...n to the AUX user interface Sysname ui aux0 user privilege level 2 Set the baud rate of the Console port to 19200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain...

Страница 937: ...ystem view quit Optional By default the local AAA scheme is applied If you specify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to a...

Страница 938: ...level is set to the administrator level level 3 After you telnet to the switch you need to limit the console user at the following aspects z Configure the name of the local user to be guest z Set the...

Страница 939: ...Set the maximum number of lines the screen can contain to 30 Sysname ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui aux0 history com...

Страница 940: ...ttings are configured Refer to Table 3 2 and Table 3 3 Telnet is running Telnet terminal The IP address of the management VLAN of the switch is available Telnet Connection Establishment Telnetting to...

Страница 941: ...gure 3 1 Network diagram for Telnet connection establishment Configuration PC running Telnet Ethernet Workstation Server Workstation Ethernet port Step 4 Launch Telnet on your PC with the IP address o...

Страница 942: ...user name and password for Telnet on the switch operating as the Telnet server Refer to section Telnet Login Configuration with Authentication Mode Being None section Telnet Login Configuration with...

Страница 943: ...g tasks escape key default character Optional By default you can use Ctrl C to terminate a task Configure the type of terminal display under the current user interface terminal type ansi vt100 Optiona...

Страница 944: ...elnet configuration with authentication mode being none To do Use the command Remarks Enter system view system view Enter one or more VTY user interface views user interface vty first number last numb...

Страница 945: ...command buffer can store to 20 Sysname ui vty0 history command max size 20 Set the timeout time to 6 minutes Sysname ui vty0 idle timeout 6 Telnet Login Configuration with Authentication Mode Being Pa...

Страница 946: ...dure Enter system view and enable the Telnet service Sysname system view Sysname telnet server enable Enter VTY 0 user interface view Sysname user interface vty 0 Configure to authenticate users loggi...

Страница 947: ...eme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to AAA Configuration in the Security Vol...

Страница 948: ...creen can contain up to 30 lines z The history command buffer can store up to 20 commands z The timeout time of VTY 0 is 6 minutes 2 Network diagram Figure 3 6 Network diagram for Telnet configuration...

Страница 949: ...e timeout time to 6 minutes Sysname ui vty0 idle timeout 6 z Configure the authentication scheme Configure the authentication server by referring to related parts in AAA Configuration Logging In Throu...

Страница 950: ...N of the switch is configured The route between the switch and the network management terminal is available Refer to the module IP Addressing and Performance and IP Routing for more Switch The user na...

Страница 951: ...ss to the management VLAN interface of the switch By default VLAN 1 is the management VLAN z Connect to the console port Refer to section Setting Up the Connection to the Console Port z Execute the fo...

Страница 952: ...http 10 153 17 82 Make sure the route between the Web based network management terminal and the switch is available Step 5 When the login interface shown in Figure 4 2 appears enter the user name and...

Страница 953: ...rotocol is applied between the NMS and the agent To log in to a switch through an NMS you need to perform related configuration on both the NMS and the switch Table 5 1 Requirements for logging in to...

Страница 954: ...source IP address interfaces for Telnet packets also provides a way to successfully connect to servers that only accept packets with specific source IP addresses Specifying Source IP address Interface...

Страница 955: ...or Telnet packets make sure the interface already exists z Before specifying the source IP address interface for Telnet packets make sure the route between the interface and the Telnet server is reach...

Страница 956: ...ugh Layer 2 ACLs Controlling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through basic ACLs Controlling Network Management Users by Source IP Addresses Controlling Telnet Users Pr...

Страница 957: ...stination IP addresses To do Use the command Remarks Enter system view system view Create an advanced ACL or enter advanced ACL view acl ipv6 number acl number match order config auto As for the acl n...

Страница 958: ...ber last number Apply the ACL to control Telnet users by source MAC addresses acl acl number inbound Required The inbound keyword specifies to filter the users trying to Telnet to the current switch L...

Страница 959: ...denying Controlling Network Management Users by Source IP Addresses Follow these steps to control network management users by source IP addresses To do Use the command Remarks Enter system view syste...

Страница 960: ...e permitted to access the switch Figure 7 2 Network diagram for controlling SNMP users using ACLs Switch 10 110 100 46 Host A IP network Host B 10 110 100 52 Configuration procedure Define a basic ACL...

Страница 961: ...ontrolling Web users by source IP addresses To do Use the command Remarks Enter system view system view Create a basic ACL or enter basic ACL view acl ipv6 number acl number match order config auto Re...

Страница 962: ...network Host B 10 110 100 52 Configuration procedure Create a basic ACL Sysname system view Sysname acl number 2030 match order config Sysname acl basic 2030 rule 1 permit source 10 110 100 52 0 Refer...

Страница 963: ...ion 1 5 Configuring a Banner 1 6 Configuring CLI Hotkeys 1 7 Configuring Command Alias 1 8 Configuring User Privilege Levels and Command Levels 1 9 Displaying and Maintaining Basic Configurations 1 15...

Страница 964: ...nfiguration file is damaged z Current configuration The currently running configuration on the device z Saved configuration Configurations saved in the startup configuration file Follow these steps to...

Страница 965: ...ng the Device Name The device name is used to identify a device in a network Inside the system the device name corresponds to the prompt of the CLI For example if the device name is Sysname the prompt...

Страница 966: ...the clock datetime z 2 indicates time zone has been configured with the clock timezone command and the offset time is zone offset z 3 indicates daylight saving time has been configured with the clock...

Страница 967: ...08 1 1 Display 01 00 00 UTC Tue 01 01 2008 Configure clock summer time ss one off 1 00 2007 1 1 1 00 2007 8 8 2 and clock datetime 1 30 2007 1 1 Display 23 30 00 UTC Sun 12 31 2006 1 3 and 1 date time...

Страница 968: ...me range date time summer offset is displayed If the value of date time summer offset is in the summer time range date time is displayed Configure clock timezone zone time add 1 clock summer time ss o...

Страница 969: ...authentication or login process if entering N the user quits the authentication or login process Y and N are case insensitive Configuring a banner When you configure a banner the system supports two...

Страница 970: ...iew Configure CLI hotkeys hotkey CTRL_G CTRL_L CTRL_O CTRL_T CTRL_U command Optional The Ctrl G Ctrl L and Ctrl O hotkeys are specified with command lines by default Display hotkeys display hotkey Ava...

Страница 971: ...you press Enter Esc P Moves the cursor up by one line available before you press Enter Esc Specifies the cursor as the beginning of the clipboard Esc Specifies the cursor as the ending of the clipboar...

Страница 972: ...is not saved and restored in its alias z If you press Tab after you input the keyword of an alias the original format of the keyword will be displayed z At present the device supports up to 20 comman...

Страница 973: ...parameters If the user interface authentication mode is scheme when a user logs in and username and password are needed at login then the user privilege level is specified in the configuration of AAA...

Страница 974: ...verify their usernames and passwords locally and specify the user privilege level as 3 Sysname system view Sysname user interface vty 1 Sysname ui vty1 authentication mode scheme Sysname ui vty1 quit...

Страница 975: ...ces is 0 Follow these steps to configure the user privilege level under a user interface none or password authentication mode To do Use the command Remarks Enter system view system view Enter user int...

Страница 976: ...other user terminal interface ssh2 Establish a secure shell client connection super Set the current user priority level telnet Establish one TELNET connection terminal Set the terminal line character...

Страница 977: ...ord for security s sake This password is for level switching only and is different from the login password If the entered password is incorrect or no password is configured the switching fails Therefo...

Страница 978: ...onding commands display command alias Display information on terminal users display users all Display the valid configuration under current view display this by linenum Display clipboard information d...

Страница 979: ...wing features for you to configure and manage your devices z Hierarchical command protection where you can only execute the commands at your own or lower levels Refer to Configuring User Privilege Lev...

Страница 980: ...to terminal 3 Enter a command and a separated by a space If is at the position of a parameter the description about this parameter is given Sysname system view Sysname interface vlan interface 1 4094...

Страница 981: ...command editing functions and supports multi line editing When you execute a command the system automatically goes to the next line if the maximum length of the command is reached You cannot press Ent...

Страница 982: ...est output information Slash is equal to the keyword begin minus is equal to the keyword exclude and plus is equal to the keyword include Keywords begin exclude and include have the following meanings...

Страница 983: ...ly used with or For example 123A means a character group 123A 408 12 can match 40812 or 408121212 But it cannot match 408 index Repeats a specified character group for once A character group refers to...

Страница 984: ...ontaining can match a string containing and b can match a string containing b Multiple screen output When there is a lot of information to be output the system displays the information in multiple scr...

Страница 985: ...CLI saves the commands in the format that you have input that is if you input a command in its incomplete form the saved history command is also incomplete z If you execute a command for multiple time...

Страница 986: ...line errors Error information Cause The command was not found The keyword was not found Parameter type error Unrecognized command found at position The parameter value is beyond the allowed range Inco...

Страница 987: ...mmand Lines 1 4 Upgrading the Boot File Through Command Lines 1 5 Disabling Boot ROM Access 1 5 Configuring a Detection Interval 1 6 Clearing the 16 bit Interface Indexes Not Used in the Current Syste...

Страница 988: ...e current working state of a device configure running parameters and perform daily device maintenance and management Device Management Configuration Task List Complete these tasks to configure device...

Страница 989: ...lot Powering off a running device will cause data loss and hardware damages It is not recommended z Trigger the immediate reboot through command lines z Enable the scheduled reboot function through co...

Страница 990: ...ed command at a specified time in a specified view This function is used for scheduled system upgrade or configuration Follow these steps to configure the scheduled automatic execution function To do...

Страница 991: ...is powered on the Boot ROM program initialize the hardware and display the hardware information Then runs the boot file The boot file provides hardware driver and adaptation for the system and provide...

Страница 992: ...of the device 3 Reboot the device to make the boot file take effect Follow the step below to upgrade the boot file To do Use the command Remarks Specify a boot file for the next boot boot loader file...

Страница 993: ...these steps to configure a detection interval To do Use the command Remarks Enter system view system view Configure a detection interval shutdown interval time Optional The detection interval is 30 se...

Страница 994: ...be an optical transceiver Whether can be an electrical transceiver SFP Small Form factor Pluggable Generally used for 100M 1000M Ethernet interfaces or POS 155M 622M 2 5G interfaces Yes Yes GBIC Giga...

Страница 995: ...e digital diagnosis function which monitors the key parameters of a transceiver such as temperature voltage laser bias current TX power and RX power When these parameters are abnormal you can take cor...

Страница 996: ...detailed configurations of the scheduled automatic execution function display schedule job Available in any view Display the exception handling method display system failure Available in any view Devi...

Страница 997: ...llo FTP Server luser aaa service type ftp FTP Server luser aaa authorization attribute work directory flash aaa z Use text editor on the FTP server to edit batch file auto update txt The following is...

Страница 998: ...pdate bat To ensure correctness of the file you can use the more command to view the content of the file Execute the scheduled automatic execution function to enable the device to be automatically upg...

Страница 999: ...r the Next Startup 1 10 Restoring the Startup Configuration File 1 11 Displaying and Maintaining Device Configuration 1 11 2 FTP Configuration 2 1 FTP Overview 2 1 Introduction to FTP 2 1 Operation of...

Страница 1000: ...es problems such as data loss or corruption the file system will prompt you to confirm the operation by default Depending on the managed object file system operations fall into Directory Operations Fi...

Страница 1001: ...tory or file information and so on Displaying directory information To do Use the command Remarks Display directory or file information dir all file url Required Available in user view Displaying the...

Страница 1002: ...cified directory or file information displaying file contents renaming copying moving removing restoring and deleting files You can create a file by copying downloading or using the save command Displ...

Страница 1003: ...ally belongs It is recommended to empty the recycle bin timely with the reset recycle bin command to save storage space z The delete unreserved file url command deletes a file permanently and the acti...

Страница 1004: ...xecute filename Required Execution of a batch file does not guarantee the successful execution of every command in the batch file If a command has error settings or the conditions for executing the co...

Страница 1005: ...om misoperations the alert mode is preferred To do Use the command Remarks Enter system view system view Set the operation prompt mode of the file system file prompt alert quiet Optional The default i...

Страница 1006: ...alls into two types z Startup configuration a configuration file used for initialization when the device boots If this file does not exist the system boots using null configuration that is using the d...

Страница 1007: ...current configuration For detailed configuration refer to Saving the Current Configuration z Specify them when specifying the startup configuration file for the next system startup For detailed config...

Страница 1008: ...figuration file to be used at the next system startup may be lost if the device reboots or the power supply fails In this case the device will boot with the null configuration and after the device reb...

Страница 1009: ...isplay startup command in user view to see whether you have set the startup configuration file and use the dir command to see whether this file exists If the file is set as NULL or does not exist the...

Страница 1010: ...addr src filename Required Available in user view z The restore operation restores the main startup configuration file z Before restoring a configuration file you should ensure that the server is rea...

Страница 1011: ...the command Remarks Display the current configuration display current configuration configuration configuration interface interface type interface number by linenum begin include exclude text Availab...

Страница 1012: ...r btm z ASCII mode for text file transmission like files with the suffixes txt bat or cfg Operation of FTP FTP adopts the client server model Your device can function either as the client or as the se...

Страница 1013: ...FTP server configuration on the device Configure authentication and authorization Configure the username password authorized working directory for an FTP user The device does not support anonymous FTP...

Страница 1014: ...matched route as the source IP address to communicate with an FTP server z If the source address is specified with the ftp client source or ftp command this source address is used to communicate with...

Страница 1015: ...e in user view and the open ipv6 command is available in FTP client view Configuring the FTP Client After a device serving as the FTP client has established a connection with the FTP server For how to...

Страница 1016: ...elete specified directory on the FTP server rmdir directory Optional Disconnect from the FTP server without exiting the FTP client view disconnect Optional Equal to the close command Disconnect from t...

Страница 1017: ...ory space of the device is not enough use the fixdisk command to clear the memory or use the delete unreserved file url command to delete the files not in use and then perform the following operations...

Страница 1018: ...fter a file is transferred to the memory This prevents the existing file on the FTP server from being corrupted in the event that anomaly power failure for example occurs during a file transfer z In n...

Страница 1019: ...ailed configuration refer to AAA Configuration in the Security Volume Follow these steps to configure authentication and authorization for FTP server To do Use the command Remarks Enter system view sy...

Страница 1020: ...C z PC keeps the updated startup file of the device Use FTP to upgrade the device and back up the configuration file z Set the username to abc and the password to pwd for the FTP client to log in to t...

Страница 1021: ...le config cfg of the device to the PC for backup ftp get config cfg back config cfg Upload the configuration file newest bin to Device ftp put newest bin ftp bye z You can take the same steps to upgra...

Страница 1022: ...oader command refer to Device Management Commands in the System Volume Displaying and Maintaining FTP To do Use the command Remarks Display the configuration of the FTP client display ftp client confi...

Страница 1023: ...s initiated by the client z In a normal file downloading process the client sends a read request to the TFTP server receives data from the server and then sends the acknowledgement to the server z In...

Страница 1024: ...e secure mode or if you use the normal mode specify a filename not existing in the current directory as the target filename when downloading the startup file or the startup configuration file Source a...

Страница 1025: ...ional Available in user view Download or upload a file in an IPv6 network tftp ipv6 tftp ipv6 server i interface type interface number get put source file destination file Optional Available in user v...

Страница 1026: ...es not in use and then perform the following operations Enter system view Sysname system view Download application file newest bin from PC Sysname tftp 1 2 1 1 get newest bin Upload a configuration fi...

Страница 1027: ...n ACL 1 2 Displaying and Maintaining HTTP 1 2 2 HTTPS Configuration 2 1 HTTPS Overview 2 1 HTTPS Configuration Task List 2 1 Associating the HTTPS Service with an SSL Server Policy 2 2 Enabling the HT...

Страница 1028: ...y the port number is 80 2 The client sends a request to the server 3 The server processes the request and sends back a response 4 The TCP connection is closed Logging In to the Device Through HTTP You...

Страница 1029: ...t number Required By default the port number of the HTTP service is 80 If you execute the ip http port command for multiple times the last configured port number is used Associating the HTTP Service w...

Страница 1030: ...s the SSL protocol to ensure the legal clients to access the device securely and prohibit the illegal clients z Encrypts the data exchanged between the HTTPS client and the device to ensure the data s...

Страница 1031: ...server policy command is executed repeatedly the HTTPS service is only associated with the last specified SSL server policy z When the HTTPS service is disabled the association between the HTTPS serv...

Страница 1032: ...ssociate the HTTPS service with a certificate attribute access control policy To do Use the command Remarks Enter system view system view Associate the HTTPS service with a certificate attribute acces...

Страница 1033: ...e HTTPS service with an ACL To do Use the command Remarks Enter system view system view Associate the HTTPS service with an ACL ip https acl acl number Required Not associated by default Displaying an...

Страница 1034: ...icate request entity en Device pki domain 1 quit Generate a local RSA key pair Device public key local create rsa Obtain a server certificate from CA Device pki retrieval certificate ca domain 1 Apply...

Страница 1035: ...h certificate attribute access control policy myacp Device ip https certificate access control policy myacp 6 Enable the HTTPS service Enable the HTTPS service Device ip https enable 7 Verify the conf...

Страница 1036: ...MP Logging 1 5 Introduction to SNMP Logging 1 5 Enabling SNMP Logging 1 5 SNMP Trap Configuration 1 6 Enabling the Trap Function 1 6 Configuring Trap Parameters 1 7 Displaying and Maintaining SNMP 1 8...

Страница 1037: ...the underlying networking technology Thus SNMP achieves effective management of devices from different manufacturers especially in small high speed and low cost network environments SNMP Mechanism An...

Страница 1038: ...een the NMS and agent preventing the packets from being intercepted USM ensures a more secure communication between SNMP NMS and SNMP agent by authentication with privacy authentication without privac...

Страница 1039: ...are as follows Hangzhou H3C Tech Co Ltd for contact Hangzhou China for location and SNMP v3 for the version Configure an SNMP agent group snmp agent group v3 group name authentication privacy read vie...

Страница 1040: ...v3 all Required The defaults are as follows Hangzhou H3C Tech Co Ltd for contact Hangzhou China for location and SNMP v3 for the version Configur e directly Create an SNMP commun ity snmp agent commu...

Страница 1041: ...ex of the SET response These logs will be sent to the information center and the level of them is informational that is they are taken as the system prompt information With parameters for the informat...

Страница 1042: ...specific modules as needed With the trap function enabled on a module the traps generated by the module will be sent to the information center The information center has seven information output desti...

Страница 1043: ...MP module the SNMP module saves the traps in the trap queue You can set the size of the queue and the holding time of the traps in the queue and you can also send the traps to the specified destinatio...

Страница 1044: ...Display SNMP agent system information including the contact location and version of the SNMP display snmp agent sys info contact location version Display SNMP agent statistics display snmp agent stati...

Страница 1045: ...mp agent community write private Configure VLAN interface 2 with the IP address of 1 1 1 1 24 Add the port GigabitEthernet 1 0 1 to VLAN 2 Sysname vlan 2 Sysname vlan2 port GigabitEthernet 1 0 1 Sysna...

Страница 1046: ...LAN interface on the agent is 1 1 1 1 24 z Configure community name access right and SNMP version on the agent Figure 1 4 Network diagram for SNMP logging Configuration procedure The configurations fo...

Страница 1047: ...1 02 49 40 566 2006 The time when SNMP log is generated seqNO Sequence number of the SNMP log srcIP IP address of NMS op SNMP operation type GET or SET node Node name of the SNMP operations and OID o...

Страница 1048: ...le management of the device the device allows you to configure MIB style that is you can switch between the two styles of MIBs However you need to ensure that the MIB style of the device is the same a...

Страница 1049: ...uration 1 1 RMON Overview 1 1 Introduction 1 1 Working Mechanism 1 1 RMON Groups 1 2 Configuring RMON 1 3 Configuration Prerequisites 1 3 Configuration Procedure 1 3 Displaying and Maintaining RMON 1...

Страница 1050: ...k monitor or a network probe It monitors and collects statistics on traffic over the network segments connected to its interfaces such as the total number of packets passed through a network segment o...

Страница 1051: ...n upper event is triggered if the sampled value of the monitored variable is lower than or equal to the lower threshold a lower event is triggered The event is then handled as defined in the event gro...

Страница 1052: ...undersize oversize packets broadcasts multicasts bytes received packets received bytes sent packets sent and so on After the creation of a statistics entry on an interface the statistics group starts...

Страница 1053: ...that can be created the creation fails z When you create an entry in the history table if the specified buckets number argument exceeds the history table size supported by the device the entry will be...

Страница 1054: ...g entry number Available in any view RMON Configuration Example Network requirements Agent is connected to a configuration terminal through its console port and to a remote NMS across the Internet Cre...

Страница 1055: ...sname rmon event 1 log owner 1 rmon Configure an alarm group to sample received bytes on GigabitEthernet 1 0 1 When the received bytes exceed the upper or below the lower limit logging is enabled Sysn...

Страница 1056: ...MAC Learning Limit 1 4 Displaying and Maintaining MAC Address Table Management 1 5 MAC Address Table Management Configuration Example 1 5 2 MAC Information Configuration 2 1 Overview 2 1 Introduction...

Страница 1057: ...interface to which this device is connected and ID of the VLAN to which the interface belongs When forwarding a frame the device looks up the MAC address table according to the destination MAC addres...

Страница 1058: ...d specific user devices to the port thus preventing hackers from stealing data using forged MAC addresses Manually configured MAC address table entries have a higher priority than dynamically learned...

Страница 1059: ...ow these steps to add modify or remove entries in the MAC address table globally To do Use the command Remarks Enter system view system view mac address blackhole mac address vlan vlan id Add modify a...

Страница 1060: ...C Learning Limit To prevent a MAC address table from getting so large that it may degrade forwarding performance you may restrict the number of MAC addresses that can be learned on a per port port gro...

Страница 1061: ...nto your device from the Console port to configure MAC address table management as follows z Set the aging timer to 500 seconds for dynamic MAC address entries z Add a static entry 000f e235 dc71 for...

Страница 1062: ...tion Works When a new MAC address is learned or an existing MAC address is deleted on a device the device writes related information about the MAC address to the buffer area used to store user informa...

Страница 1063: ...g the Interval for Sending Syslog or Trap Messages To prevent Syslog or Trap messages being sent too frequently and thus affecting system performance you can set the interval for sending Syslog or Tra...

Страница 1064: ...twork requirements z Host A is connected to a remote server Server through Device z Enable MAC Information on GigabitEthernet 1 0 1 on Device Device sends MAC address change information using Syslog m...

Страница 1065: ...hernet1 0 1 mac address information enable added Device GigabitEthernet1 0 1 mac address information enable deleted Device GigabitEthernet1 0 1 quit Set the MAC Information queue length to 100 Device...

Страница 1066: ...Debugging 1 1 System Maintaining and Debugging Overview 1 1 Introduction to System Maintaining 1 1 Introduction to System Debugging 1 2 System Maintaining and Debugging 1 3 System Maintaining 1 3 Syst...

Страница 1067: ...istics Output of the ping command falls into the following z The ping command can be applied to the destination s name or IP address If the destination s name is unknown the prompt information is disp...

Страница 1068: ...nformation to help users diagnose errors The following two switches control the display of debugging information z Protocol debugging switch which controls protocol specific debugging information z Sc...

Страница 1069: ...te from the source to the destination tracert ipv6 f first ttl m max ttl p port q packet number w timeout remote system Optional Used in IPv6 network Available in any view z For a low speed network yo...

Страница 1070: ...the detailed debugging information on the terminal For the detailed description on the terminal debugging and terminal monitor commands refer to Information Center Commands in the System Volume Syste...

Страница 1071: ...tem Information to a Log Host 1 8 Outputting System Information to the Trap Buffer 1 9 Outputting System Information to the Log Buffer 1 10 Outputting System Information to the SNMP Module 1 11 Config...

Страница 1072: ...dule z Outputs the above information to different information channels according to the user defined output rules z Outputs the information to different destinations based on the information channel t...

Страница 1073: ...tem information The system supports six information output destinations including the console monitor terminal monitor log buffer log host trap buffer and SNMP module The specific destinations support...

Страница 1074: ...formation source modules Default output rules of system information The default output rules define the source modules allowed to output information on each output destination the output information t...

Страница 1075: ...ons z If the output destination is not the log host such as console monitor terminal logbuffer trapbuffer SNMP the system information is in the following format timestamp sysname module level digest c...

Страница 1076: ...conds sysname Sysname is the system name of the current host You can use the sysname command to modify the system name Refer to Basic System Configuration Commands in the System Volume for details Thi...

Страница 1077: ...tor Terminal Optional Outputting System Information to a Log Host Optional Outputting System Information to the Trap Buffer Optional Outputting System Information to the Log Buffer Optional Outputting...

Страница 1078: ...e command Remarks Enable the monitoring of system information on the console terminal monitor Optional Enabled on the console and disabled on the monitor terminal by default Enable the display of debu...

Страница 1079: ...monitor terminal you need to enable the associated display function in order to display the output information on the monitor terminal Follow these steps to enable the display of system information on...

Страница 1080: ...rimary IP address of this interface is the source IP address of the log information Configure the format of the time stamp for system information output to the log host info center timestamp loghost d...

Страница 1081: ...ion center info center enable Optional Enabled by default Name the channel with a specified channel number info center channel channel number name channel name Optional Refer to Table 1 2 for default...

Страница 1082: ...odule info center snmp channel channel number channel name Optional By default system information is output to the SNMP module through channel 5 known as snmpagent Configure the output rules of the sy...

Страница 1083: ...n in some cases for example z You only concern the states of some of the ports In this case you can use this function to disable the other ports from generating link up down logging information z The...

Страница 1084: ...og file display logfile summary Available in any view Display the state of the trap buffer and the trap information recorded display trapbuffer reverse size buffersize Available in any view Reset the...

Страница 1085: ...utput to the log host Note that the source modules allowed to output information depend on the device model Sysname info center source arp channel loghost log level informational state on Sysname info...

Страница 1086: ...t ps ae grep syslogd 147 kill HUP 147 syslogd r After the above configurations the system will be able to record log information into the log file Outputting Log Information to a Linux Log Host Networ...

Страница 1087: ...Device info log Step 3 Edit file etc syslog conf and add the following contents Device configuration messages local5 info var log Device info log In the above configuration local5 is the name of the l...

Страница 1088: ...ut of log trap and debugging information of all modules on channel console Sysname info center source default channel console debug state off log state off trap state off As the default system configu...

Страница 1089: ...terminal monitor Current terminal monitor is on Sysname terminal logging Current terminal logging is on After the above configuration takes effect if the specified module generates log information the...

Страница 1090: ...E Interfaces Through a PoE Configuration File 1 3 Configuring PoE Power Management 1 5 Configuring PD Power Management 1 5 Configuring the PoE Monitoring Function 1 6 Configuring a Power Alarm Thresho...

Страница 1091: ...et interfaces through twisted pair cables Advantages z Reliable Power is supplied in a centralized way so that it is very convenient to provide a backup power supply z Easy to connect A network termin...

Страница 1092: ...l z When the PoE power or PSE fails you cannot configure PoE z Turning off of the PoE power during the startup of the device might result in the failure to restore the PoE configuration Configuring th...

Страница 1093: ...default Configure a description for the PD connected to the PoE interface poe pd description string Optional By default no description for the PD connected to the PoE interface is available Configurin...

Страница 1094: ...figur ation file to the PoE interface s Apply the PoE configuration file to the current PoE interface in PoE interface view apply poe profile index index name profile name Use either approach z After...

Страница 1095: ...for a PoE interface the interface with a higher priority can preempt the power of the interface with a lower priority to ensure the normal working of the higher priority interface z If the sudden inc...

Страница 1096: ...t time the system will send a Trap message z When the PSE starts or stops supplying power to a PD the system will send a Trap message too Configuring a Power Alarm Threshold for the PSE To do Use the...

Страница 1097: ...on detection mode To do Use the command Remarks Enter system view system view Configure a PD disconnection detection mode poe disconnect ac dc Optional The default PD disconnection detection mode vari...

Страница 1098: ...e pse pse id interface power Display all information of the configurations and applications of the PoE configuration file display poe profile index index name profile name Display all information of t...

Страница 1099: ...Sysname GigabitEthernet1 0 12 poe enable Sysname GigabitEthernet1 0 12 quit Set the power priority level of GigabitEthernet 1 0 2 to critical Sysname system view Sysname interface GigabitEthernet 1 0...

Страница 1100: ...the configuration requirements of the PoE interface z Another PoE configuration file is already applied to the PoE interface Solution z In the first case you can solve the problem by removing the ori...

Страница 1101: ...n 1 6 Step by Step Patch Installation Task List 1 6 Configuring the Patch File Location 1 6 Loading a Patch File 1 6 Activating Patches 1 7 Confirming Running Patches 1 7 One Step Patch Uninstallation...

Страница 1102: ...ts they will be numbered as 1 2 and 3 respectively Incremental patch Patches in a patch file are all incremental patches An incremental patch means that the patch is dependent on the previous patch un...

Страница 1103: ...turn to the ACTIVE state Figure 1 1 Relationship between patch state changes and command actions Information about patch states is saved in file patchstate on the flash It is recommended not to opera...

Страница 1104: ...te At this time the patch states in the system are as shown in Figure 1 3 The patches that are in the DEACTIVE state will be still in the DEACTIVE state after system reboot Figure 1 3 A patch file is...

Страница 1105: ...of the system are as shown in Figure 1 5 Figure 1 5 Patches are running The patches that are in the RUNNING state will be still in the RUNNING state after system reboot Hotfix Configuration Task List...

Страница 1106: ...tch name S5500 SI PATCH XXX patch_xxx bin One Step Patch Installation You can use the patch install command to install patches in one step After you execute the command the system displays the message...

Страница 1107: ...t The patch install command changes patch file location specified with the patch location command to the directory specified by the patch location argument of the patch install command For example if...

Страница 1108: ...iew system view Activate the specified patches patch active patch number Required Confirming Running Patches After you confirm the running of a patch the patch state becomes RUNNING and the patch is i...

Страница 1109: ...by Step Patch Uninstallation Task List Task Remarks Stop Running Patches Required Deleting Patches Required Stop Running Patches After you stop running a patch the patch state becomes DEACTIVE and th...

Страница 1110: ...on procedure 1 Configure TFTP Server Note that the configuration varies depending on server type and the configuration procedure is omitted z Enable the TFTP server function z Save the patch file patc...

Страница 1111: ...1 10 Installing patches Installation completed and patches will continue to run after reboot...

Страница 1112: ...g a Voice Test 1 15 Configuring a DLSw Test 1 17 Configuring the Collaboration Function 1 18 Configuring Trap Delivery 1 19 Configuring the NQA Statistics Function 1 20 Configuring Optional Parameters...

Страница 1113: ...nsfer rate With the NQA test results you can 1 Know network performance in time and then take corresponding measures 2 Diagnose and locate network faults Features of NQA Supporting multiple test types...

Страница 1114: ...d Take static routing as an example You have configured a static route with the next hop 192 168 0 88 If 192 168 0 88 is reachable the static route is valid if 192 168 0 88 is unreachable the static r...

Страница 1115: ...est one probe means to carry out a corresponding function z For an ICMP echo or UDP echo test one packet is sent in one probe z For an SNMP test three packets are sent in one probe NQA client and serv...

Страница 1116: ...e the following configurations on the NQA client 1 Enable the NQA client 2 Create a test group and configure test parameters according to the test type The test parameters may vary with test types 3 S...

Страница 1117: ...r tcp connect udp echo ip address port number Required The IP address and port number must be consistent with those configured on the NQA client and must be different from those of an existing listeni...

Страница 1118: ...cho and enter test type view type icmp echo Required Configure the destination address for a test operation destination ip ip address Required By default no destination IP address is configured for a...

Страница 1119: ...a DHCP server on the network as well as the time necessary for the DHCP server to respond to a client request and assign an IP address to the client Configuration prerequisites Before performing a DH...

Страница 1120: ...example you need to configure the username and password used to log onto the FTP server For the FTP server configuration see File System Management Configuration in the System Volume Configuring an FT...

Страница 1121: ...the get command the device does not save the files obtained from the FTP server z When you execute the get command the FTP test cannot succeed if a file named file name does not exist on the FTP serve...

Страница 1122: ...for the HTTP is get that is obtaining data from the HTTP server Configure the website that an HTTP test visits url url Required Configure the HTTP version used in the HTTP test http version v1 0 Opti...

Страница 1123: ...r system view system view Enter NQA test group view nqa entry admin name operation tag Configure the test type as UDP jitter and enter test type view type udp jitter Required Configure the destination...

Страница 1124: ...arameters See Configuring Optional Parameters Common to an NQA Test Group Optional The number of probes made in a UDP jitter test depends on the probe count command while the number of probe packets s...

Страница 1125: ...tween the client and the specified port on the NQA server and the setup time for the connection thus judge the availability and performance of the services provided on the specified port on the server...

Страница 1126: ...onnectivity and roundtrip time of a UDP echo packet from the client to the specified UDP port on the NQA server Configuration prerequisites A UDP echo test requires cooperation between the NQA server...

Страница 1127: ...an interface on the device and the interface must be up Otherwise the test will fail Configure common optional parameters See Configuring Optional Parameters Common to an NQA Test Group Optional Conf...

Страница 1128: ...when you evaluate the voice quality Configuration prerequisites A voice test requires cooperation between the NQA server and the NQA client Before a voice test make sure that the UDP listening functi...

Страница 1129: ...1 law codec type and is 32 bytes for G 729 A law codec type Configure the filler string of a probe packet sent data fill string Optional By default the filler string of a probe packet is the hexadecim...

Страница 1130: ...be up Otherwise the test will fail Configure common optional parameters See Configuring Optional Parameters Common to an NQA Test Group Optional Configuring the Collaboration Function Collaboration is...

Страница 1131: ...he snmp agent target host command create an NQA test group and configure related parameters For the introduction to the snmp agent target host command see SNMP Commands in the System Volume Configurin...

Страница 1132: ...unction To do Use the command Remarks Enter system view system view Enter NQA test group view nqa entry admin name operation tag Enter test type view of the test group type dlsw ftp http icmp echo snm...

Страница 1133: ...obes in an NQA test probe count times Optional By default one probe is performed in a test Only one probe can be made in one voice test Therefore this command is not available in a voice test Configur...

Страница 1134: ...use the display clock command to view the current system time Configuration prerequisites Before scheduling an NQA test group make sure z Required test parameters corresponding to a test type have bee...

Страница 1135: ...ndtrip time of packets Figure 1 3 Network diagram for ICMP echo tests Configuration procedure Create an ICMP echo test group and configure related test parameters DeviceA system view DeviceA nqa entry...

Страница 1136: ...se Status Time 370 3 Succeeded 2007 08 23 15 00 01 2 369 3 Succeeded 2007 08 23 15 00 01 2 368 3 Succeeded 2007 08 23 15 00 01 2 367 5 Succeeded 2007 08 23 15 00 01 2 366 3 Succeeded 2007 08 23 15 00...

Страница 1137: ...res due to timeout 0 Failures due to disconnect 0 Failures due to no connection 0 Failures due to sequence error 0 Failures due to internal error 0 Failures due to other errors 0 Packet s arrived late...

Страница 1138: ...tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 173 173 173 Square Sum of round trip time 29929 Last succeeded pro...

Страница 1139: ...A undo nqa schedule admin test Display results of the last HTTP test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation ti...

Страница 1140: ...admin test udp jitter destination ip 10 2 2 2 DeviceA nqa admin test udp jitter destination port 9000 DeviceA nqa admin test udp jitter frequency 1000 DeviceA nqa admin test udp jitter quit Enable UDP...

Страница 1141: ...delay 15 Max DS delay 16 Min SD delay 7 Min DS delay 7 Number of SD delay 10 Number of DS delay 10 Sum of SD delay 78 Sum of DS delay 85 Square sum of SD delay 666 Square sum of DS delay 787 SD lost...

Страница 1142: ...DS delay 3891 Square sum of SD delay 45987 Square sum of DS delay 49393 SD lost packet s 0 DS lost packet s 0 Lost packet s for unknown reason 0 The display nqa history command cannot show you the re...

Страница 1143: ...min test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation times 1 Receive response times 1 Min Max Average round trip time 50 50 50 Square Sum of round trip t...

Страница 1144: ...eA nqa schedule admin test start time now lifetime forever Disable TCP test after the test begins for a period of time DeviceA undo nqa schedule admin test Display results of the last TCP test DeviceA...

Страница 1145: ...lated test parameters DeviceA system view DeviceA nqa entry admin test DeviceA nqa admin test type udp echo DeviceA nqa admin test udp echo destination ip 10 2 2 2 DeviceA nqa admin test udp echo dest...

Страница 1146: ...Configuration procedure 1 Configure Device B Enable the NQA server and configure the listening IP address as 10 2 2 2 and port number as 9000 DeviceB system view DeviceB nqa server enable DeviceB nqa...

Страница 1147: ...erage 6 Positive SD square sum 54127 Positive DS square sum 1691967 Min negative SD 1 Min negative DS 1 Max negative SD 203 Max negative DS 1297 Negative SD number 255 Negative DS number 259 Negative...

Страница 1148: ...egative DS 1297 Negative SD number 1028 Negative DS number 1022 Negative SD sum 1028 Negative DS sum 1022 Negative SD average 4 Negative DS average 5 Negative SD square sum 495901 Negative DS square s...

Страница 1149: ...o nqa schedule admin test Display the result of the last DLSw test DeviceA display nqa result admin test NQA entry admin admin tag test test results Destination IP address 10 2 2 2 Send operation time...

Страница 1150: ...NQA test group Create an NQA test group with the administrator name being admin and operation tag being test SwitchA nqa entry admin test Configure the test type of the NQA test group as ICMP echo Swi...

Страница 1151: ...127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 The above information shows that the static route with the next hop 10 2 1 1 is active and the status of the track entry is positive The static route configur...

Страница 1152: ...127 0 0 1 InLoop0 127 0 0 1 32 Direct 0 0 127 0 0 1 InLoop0 The above information shows that the next hop 10 2 1 1 of the static route is not reachable and the status of the track entry is negative Th...

Страница 1153: ...e for NTP Messages 1 10 Disabling an Interface from Receiving NTP Messages 1 11 Configuring the Maximum Number of Dynamic Sessions Allowed 1 11 Configuring Access Control Rights 1 12 Configuration Pre...

Страница 1154: ...within a network by changing the system clock on each station because this is a huge amount of workload and cannot guarantee the clock precision NTP however allows quick clock synchronization within...

Страница 1155: ...ce B Device A Device B Device A 10 00 00 am 11 00 01 am 10 00 00 am NTP message 10 00 00 am 11 00 01 am 11 00 02 am NTP message NTP message NTP message received at 10 00 03 am 1 3 2 4 The process of s...

Страница 1156: ...fields are described as follows z LI 2 bit leap indicator When set to 11 it warns of an alarm condition clock unsynchronized when set to any other value it is not to be processed by NTP z VN 3 bit ve...

Страница 1157: ...ement clock synchronization in one of the following modes z Client server mode z Symmetric peers mode z Broadcast mode z Multicast mode You can select operation modes of NTP as needed In case that the...

Страница 1158: ...ssage the client sends a request Clock synchronization message exchange Mode 3 and Mode 4 Periodically broadcasts clock synchronization messages Mode 5 Calculates the network delay between client and...

Страница 1159: ...es the first multicast message the client and the server start to exchange messages with the Mode field set to 3 client mode and 4 server mode to calculate the network delay between client and the ser...

Страница 1160: ...when you carry out a command to synchronize the time to a server the system will create a static association and the server will just respond passively upon the receipt of a message rather than creat...

Страница 1161: ...ymmetric active device To do Use the command Remarks Enter system view system view Specify a symmetric passive peer for the device ntp service unicast peer ip address peer name authentication keyid ke...

Страница 1162: ...mber Required Enter the interface used to receive NTP broadcast messages Configure the device to work in the NTP broadcast client mode ntp service broadcast client Required Configuring the broadcast s...

Страница 1163: ...NTP multicast server mode ntp service multicast server ip address authentication keyid keyid ttl ttl number version number Required z A multicast server can synchronize broadcast clients only after it...

Страница 1164: ...e broadcast server or ntp service multicast server command the source interface of the broadcast or multicast NTP messages is the interface configured with the respective command Disabling an Interfac...

Страница 1165: ...full access This level of right permits the peer devices to perform synchronization and control query to the local device and also permits the local device to synchronize its clock to that of a peer d...

Страница 1166: ...he symmetric peer mode Otherwise the NTP authentication feature cannot be normally enabled z For the broadcast server mode or multicast server mode you need to associate the specified authentication k...

Страница 1167: ...er Follow these steps to configure NTP authentication for a server To do Use the command Remarks Enter system view system view Enable NTP authentication ntp service authentication enable Required Disa...

Страница 1168: ...play ntp service trace Available in any view NTP Configuration Examples Configuring NTP Client Server Mode Network requirements z The local clock of Switch A is to be used as a master clock with the s...

Страница 1169: ...ck stratum level of Switch B is 3 while that of Switch A is 2 View the NTP session information of Switch B which shows that an association has been set up between Switch B and Switch A SwitchB display...

Страница 1170: ...15 ms Peer dispersion 34 29 ms Reference time 15 22 47 083 UTC Sep 19 2005 C6D95647 153F7CED As shown above Device B has been synchronized to Device A and the clock stratum level of Device B is 3 3 C...

Страница 1171: ...eer 3 selected 4 candidate 5 configured Total associations 1 Configuring NTP Broadcast Mode Network requirements z The local clock of Switch C is to be used as the master clock with a stratum level of...

Страница 1172: ...Switch C View the NTP status of Switch D after clock synchronization SwitchD Vlan interface2 display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 3 0 1 31 Nominal fr...

Страница 1173: ...h a stratum level of 2 z Switch C works in the multicast server mode and sends out multicast messages from VLAN interface 2 z Switch A and Switch D work in the multicast client mode and receive multic...

Страница 1174: ...ice multicast client Because Switch D and Switch C are on the same subnet Switch D can receive the multicast messages from Switch C without being enabled with the multicast functions and can be synchr...

Страница 1175: ...vlan 3 SwitchB vlan3 port gigabitethernet 1 0 1 SwitchB vlan3 quit SwitchB interface vlan interface 3 SwitchB Vlan interface3 igmp enable SwitchB Vlan interface3 quit SwitchB interface gigabitethernet...

Страница 1176: ...itch A is to be used as the master clock with a stratum level of 2 z Switch B works in the client mode and Switch A is to be used as the NTP server of Switch B with Switch B as the client z NTP authen...

Страница 1177: ...shown above Switch B has been synchronized to Switch A and the clock stratum level of Switch B is 3 while that of Switch A is 2 View the NTP session information of Switch B which shows that an associa...

Страница 1178: ...SwitchD system view SwitchD ntp service authentication enable SwitchD ntp service authentication keyid 88 authentication mode md5 123456 SwitchD ntp service reliable authentication keyid 88 Configure...

Страница 1179: ...clock stratum level of Switch D is 4 while that of Switch C is 3 View the NTP session information of Switch D which shows that an association has been set up between Switch D and Switch C SwitchD Vla...

Страница 1180: ...ween the Management Device and the Member Devices Within a Cluster 1 11 Configuring Cluster Management Protocol Packets 1 11 Cluster Member Management 1 12 Configuring the Member Devices 1 13 Enabling...

Страница 1181: ...ng topology discovery and display function which is useful for network monitoring and debugging z Allowing simultaneous software upgrading and parameter configuration on multiple devices free of topol...

Страница 1182: ...ent is implemented through HW Group Management Protocol version 2 HGMPv2 which consists of the following three protocols z Neighbor Discovery Protocol NDP z Neighbor Topology Discovery Protocol NTDP z...

Страница 1183: ...nformation of all its neighbors The information collected will be used by the management device or the network management software to implement required functions When a member device detects a change...

Страница 1184: ...aves the state information of its member device and identifies it as Active And the member device also saves its state information and identifies itself as Active z After a cluster is created its mana...

Страница 1185: ...he management VLAN cannot pass a port the device connected with the port cannot be added to the cluster Therefore if the ports including the cascade ports connecting the management device and the memb...

Страница 1186: ...r Optional Configuring Cluster Management Protocol Packets Optional Configuring the Management Device Cluster Member Management Optional Enabling NDP Optional Enabling NTDP Optional Manually Collectin...

Страница 1187: ...ed to a cluster that is the entry with the destination address as the management device cannot be added to the routing table the candidate device will be added to and removed from the cluster repeated...

Страница 1188: ...ckets otherwise the NDP table may become instable Enabling NTDP Globally and for Specific Ports For NTDP to work normally you must enable NTDP both globally and on specific ports Follow these steps to...

Страница 1189: ...3 by default Configure the interval to collect topology information ntdp timer interval time Optional 1 minute by default Configure the delay to forward topology collection request packets on the fir...

Страница 1190: ...cluster in two ways manually and automatically With the latter you can establish a cluster according to the prompt information The system 1 Prompts you to enter a name for the cluster you want to est...

Страница 1191: ...packets and the holdtime of a device on the management device This configuration applies to all member devices within the cluster For a member device in Connect state z If the management device does n...

Страница 1192: ...y default Configure the interval to send MAC address negotiation broadcast packets cluster mac syn interval interval time Optional One minute by default When you configure the destination MAC address...

Страница 1193: ...ling NDP Refer to Enabling NDP Globally and for Specific Ports Enabling NTDP Refer to Enabling NTDP Globally and for Specific Ports Manually Collecting Topology Information Refer to Manually Collectin...

Страница 1194: ...hentication is passed z When a candidate device is added to a cluster and becomes a member device its super password will be automatically synchronized to the management device Therefore after a clust...

Страница 1195: ...ncluded in the blacklist the MAC address and access port of the latter are also included in the blacklist The candidate devices in a blacklist can be added to a cluster only if the administrator manua...

Страница 1196: ...e an NM host for a cluster the member devices in the cluster send their Trap messages to the shared SNMP NM host through the management device If the port of an access NM device including FTP TFTP ser...

Страница 1197: ...devices at one time simplifying the configuration process Follow these steps to configure the SNMP configuration synchronization function To do Use the command Remarks Enter system view system view En...

Страница 1198: ...onize the configurations to the member devices in the whitelist This operation is equal to performing the configurations on the member devices You need to enter your username and password when you log...

Страница 1199: ...y the current topology information or the topology path between two devices display cluster current topology mac address mac address to mac address mac address member id member number to member id mem...

Страница 1200: ...net 1 0 1 SwitchA GigabitEthernet1 0 1 ntdp enable SwitchA GigabitEthernet1 0 1 quit Enable the cluster function SwitchA cluster enable 2 Configure the member device Switch C As the configurations of...

Страница 1201: ...itchB ntdp timer port delay 15 Configure the interval to collect topology information as 3 minutes SwitchB ntdp timer 3 Configure the management VLAN of the cluster as VLAN 10 SwitchB vlan 10 SwitchB...

Страница 1202: ...5 1 abc_0 SwitchB cluster tftp server 63 172 55 1 abc_0 SwitchB cluster logging host 69 172 55 4 abc_0 SwitchB cluster snmp host 69 172 55 4 Add the device whose MAC address is 00E0 FC01 0013 to the b...

Страница 1203: ...Configuring the Master Device of a Stack 1 2 Configuring a Private IP Address Pool for a Stack 1 2 Configuring Stack Ports 1 3 Creating a Stack 1 3 Configuring Stack Ports of a Slave Device 1 4 Loggi...

Страница 1204: ...stack management can help reduce customer investments and simplify network management Introduction to Stack A stack is a management domain that comprises several network devices connected to one anoth...

Страница 1205: ...ork device which is desired to be the master device z Configure ports between the stack devices as stack ports z The master device automatically adds the slave devices into the stack and assigns a num...

Страница 1206: ...guring Stack Ports On the master device configure ports that connect to slave devices as stack ports Follow the steps below to configure stack ports To do Use the command Remarks Enter system view sys...

Страница 1207: ...ster device and Sysname is the system name of the device Logging In to the CLI of a Slave from the Master In a stack you can log in to the CLI of a slave device from the master device and perform conf...

Страница 1208: ...for the stack on Switch A SwitchA system view SwitchA stack ip pool 192 168 1 1 24 Configure port Ten GigabitEthernet 1 1 1 as a stack port on Switch A SwitchA stack stack port 1 port Ten GigabitEthe...

Страница 1209: ...SwitchA Switch type H3C S5500 28C SI MAC address 000f e200 1000 Number 1 Role Slave Sysname stack_1 SwitchB Device type H3C S5500 52C SI MAC address 000f e200 1001 Number 2 Role Slave Sysname stack_2...

Страница 1210: ...l Networking of Automatic Configuration 1 1 How Automatic Configuration Works 1 2 Work Flow of Automatic Configuration 1 2 Obtaining the IP Address of an Interface and Related Information Through DHCP...

Страница 1211: ...onfiguration files on a specified server and the device can automatically obtain and execute the configuration files therefore greatly reducing the workload of administrators Typical Networking of Aut...

Страница 1212: ...ters such as an IP address and name of a TFTP server IP address of a DNS server and the configuration file name 2 After getting related parameters the device will send a TFTP request to obtain the con...

Страница 1213: ...en a device starts up without loading the configuration file the system automatically configures the first active interface if an active Layer 2 Ethernet interface exists this first interface is a vir...

Страница 1214: ...The DHCP server will select an address pool where an IP address is statically bound to the MAC address or ID of the client and assign the statically bound IP address and other configuration parameters...

Страница 1215: ...z The configuration file specified by the Option 67 or file field in the DHCP response z The intermediate file with the file name as network cfg used to save the mapping between the IP address and th...

Страница 1216: ...its host name first and then requests the configuration file corresponding with the host name The device can obtain its host name in two steps obtaining the intermediate file from the TFTP server and...

Страница 1217: ...f the device performs the automatic configuration and the TFTP server are not in the same segment because broadcasts can only be transmitted in a segment For the detailed description of the UDP Helper...

Результаты поиска

Содержание S5500-SI Series

Отзывы:

Похожие инструкции для S5500-SI Series

Бренды по названию

Популярные бренды

H3C S5500-SI Series, Руководство по эксплуатации

Результаты поиска

Содержание S5500-SI Series

Отзывы:

Похожие инструкции для S5500-SI Series

Бренды по названию

Популярные бренды