H3C S5810 Series Скачать руководство пользователя страница 424

Страница: 424 / 820

1-15

The authentication method specified with the

authentication default

command is for all types of

users and has a priority lower than that for a specific access mode.

With an authentication method that references a RADIUS scheme, AAA accepts only the

authentication result from the RADIUS server. The Access-Accept message from the RADIUS

server does include the authorization information, but the authentication process ignores the

information.

With the

radius-scheme

radius-scheme-name

local

hwtacacs-scheme

hwtacacs-scheme-name local

, local authentication is the backup method and is used only when

the remote server is not available.

If the primary authentication method is

local

none

, the system performs local authentication or

does not perform any authentication, and will not use any RADIUS, HWTACACS authentication

scheme.

Configuring AAA Authorization Methods for an ISP Domain

In AAA, authorization is a separate process at the same level as authentication and accounting. Its

responsibility is to send authorization requests to the specified authorization server and to send

authorization information to users. Authorization method configuration is optional in AAA configuration.

AAA supports the following authorization methods:

No authorization: No authorization exchange is performed. Every user is trusted and has the

corresponding default rights of the system.

Local authorization: Users are authorized by the access device according to the attributes

configured for them.

Remote authorization: The access device cooperates with a RADIUS or HWTACACS server to

authorize users. RADIUS authorization is bound with RADIUS authentication. RADIUS

authorization can work only after RADIUS authentication is successful, and the authorization

information is carried in the Access-Accept message. HWTACACS authorization is separate from

HWTACACS authentication, and the authorization information is carried in the authorization

response after successful authentication. You can configure local authorization or no authorization

as the backup method to be used when the remote server is not available.

By default, an ISP domain uses the local authorization method. If the no authorization method (

none

) is

configured, the users are not required to be authorized, in which case an authenticated user has the

default right. The default right is visiting (the lowest one) for EXEC users (that is, console users who use

the console, AUX, asynchronous serial port, or Telnet to connect to the device, such as Telnet or SSH

users. Each connection of these types is called an EXEC user). The default right for FTP users is to use

the root directory of the device.

Before configuring authorization methods, complete these three tasks:

1) For HWTACACS authorization, configure the HWTACACS scheme to be referenced first. For

RADIUS authorization, the RADIUS authorization scheme must be the same as the RADIUS

authentication scheme; otherwise, it does not take effect.

Содержание S5810 Series

Страница 1: ...H3C S5810 Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co Ltd http www h3c com Manual Version 6W100 20090626 Product Version Release 1102...

Страница 2: ...G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective o...

Страница 3: ...w IGMP Snooping Multicast VLAN 05 QoS Volume QoS AAA IP Source Guard SSH2 0 PKI 06 Security Volume SSL Public Key ACL Login Basic System Configuration Device Management File System Management HTTP SNM...

Страница 4: ...ols Convention Description Means reader be extremely careful Improper operation may cause bodily injury Means reader be careful Improper operation may cause data loss or damage to equipment Means an a...

Страница 5: ...rovides information about products and technologies as well as solutions Technical Support Document Technical Documents Provides several categories of product documentation such as installation operat...

Страница 6: ...bsite 1 1 Software Release Notes 1 1 2 Product Features 2 1 Introduction to Product 2 1 Feature Lists 2 1 3 Features 3 1 Access Volume 3 1 IP Services Volume 3 3 IP Routing Volume 3 4 IP Multicast Vol...

Страница 7: ...the H3C website Table 1 1 Download documentation from the H3C website How to apply for an account Access the homepage of H3C at http www h3c com and click Registration at the top right In the displaye...

Страница 8: ...cuments are divided into the volumes as listed in Table 2 1 Table 2 1 Feature list Volume Features Ethernet Interface Link Aggregation Port Isolation Loopback Interface and Null Interface DLDP LLDP MS...

Страница 9: ...rface z Configuring the MDI Mode for an Ethernet Interface z Testing the Cable on an Ethernet Interface z Configuring the Storm Constrain Function on an Ethernet Interface Link aggregation Link aggreg...

Страница 10: ...ion to MSTP z Configuring the Root Bridge z Configuring Leaf Nodes z Performing mCheck z Configuring the VLAN Ignore Feature z Configuring Digest Snooping z Configuring No Agreement Check z Configurin...

Страница 11: ...TCP Attributes z Configuring ICMP to Send Error Packets ARP Address Resolution Protocol ARP is used to resolve an IP address into a data link layer address This document describes z ARP Overview z Co...

Страница 12: ...es in IP Multicast volume Features Description Multicast Overview This document describes the main concepts in multicast z Introduction to Multicast z Multicast Models z Multicast Architecture z Multi...

Страница 13: ...om traveling through thus improving the network security This document describes z Configuring a Static Binding Entry z Configuring Dynamic Binding Function SSH2 0 SSH ensures secure login to a remote...

Страница 14: ...me message user privilege levels and so on This document describes z Configuration display z Basic configurations z CLI features Device Management Through the device management function you can view t...

Страница 15: ...Center classifies and manages all types of system information This document describes z Information Center Overview z Setting to Output System Information to the Console z Setting to Output System Inf...

Страница 16: ...nt Device and Its Member Devices z Adding a Candidate Device to a Cluster z Configuring Advanced Cluster Functions Stack Management A stack is a set of network devices Administrators can group multipl...

Страница 17: ...lication Layer Gateway AM accounting management ANSI American National Standard Institute AP Access Point ARP Address Resolution Protocol AS Autonomous System ASBR Autonomous System Border Router ASCI...

Страница 18: ...Telegraph Consultative Committee CE Customer Edge CFD Connectivity Fault Detection CFM Configuration File Management CHAP Challenge Handshake Authentication Protocol CIDR Classless Inter Domain Routi...

Страница 19: ...Priority DSP Digital Signal Processor DTE Data Terminal Equipment DU Downstream Unsolicited D V Distance Vector Routing Algorithm DVMRP Distance Vector Multicast Routing Protocol DWDM Dense Wavelengt...

Страница 20: ...t GR Graceful Restart GRE Generic Routing Encapsulation GTS Generic Traffic Shaping GVRP GARP VLAN Registration Protocol H Return HA High Availability HABP HW Authentication Bypass Protocol HDLC High...

Страница 21: ...PSec IP Security IPTN IP Phone Telephony Network IPv6 Internet protocol version 6 IPX Internet Packet Exchange IRF Intelligent Resilient Framework IS Intermediate System ISATAP Intra Site Automatic Tu...

Страница 22: ...LRTT Loop Round Trip Time LSA Link State Advertisement LSAck Link State Acknowledgment LSDB Link State Database LSP Label Switch Path LSPAGENT Label Switched Path AGENT LSPDU Link State Protocol Data...

Страница 23: ...verhead MSTI Multi Spanning Tree Instance MSTP Multiple Spanning Tree Protocol MT Multicast Tunnel MTBF Mean Time Between Failure MTI Multicast Tunnel Interface MTU Maximum Transmission Unit MVRF Mult...

Страница 24: ...OC 3 OID Object Identifier OL Optical Line OSI Open Systems Interconnection OSPF Open Shortest Path First P Return P2MP Point to MultiPoint P2P Point To Point PAP Password Authentication Protocol PCB...

Страница 25: ...tual Channel PW Pseudo wires Q Return QACL QoS ACL QinQ 802 1Q in 802 1Q QoS Quality of Service QQIC Querier s Query Interval Code QRV Querier s Robustness Variable R Return RA Registration Authority...

Страница 26: ...Fairness Frame SD Signal Degrade SDH Synchronous Digital Hierarchy SETS Synchronous Equipment Timing Source SF Sampling Frequency SFM Source Filtered Multicast SFTP Secure FTP Share MDT Share Multicas...

Страница 27: ...ibution Tree T Return TA Terminal Adapter TACACS Terminal Access Controller Access Control System TDM Time Division Multiplexing TCP Transmission Control Protocol TE Traffic Engineering TEDB TE DataBa...

Страница 28: ...I Virtual Path Identifier VPLS Virtual Private Local Switch VPN Virtual Private Network VRID Virtual Router ID VRRP Virtual Router Redundancy Protocol VSI Virtual Switch Interface VT Virtual Tributary...

Страница 29: ...abling Forwarding of Jumbo Frames z Enabling Loopback Detection on an Ethernet Interface z Configuring the MDI Mode for an Ethernet Interface z Testing the Cable on an Ethernet Interface z Configuring...

Страница 30: ...he conditions of the communications links This document describes z Introduction to LLDP z Performing Basic LLDP Configuration z Configuring LLDP Trapping MSTP MSTP is used to eliminate loops in a LAN...

Страница 31: ...AN GVRP GVRP is a GARP application This document describes z GARP overview z GVRP configuration z GARP Timers configuration Port Mirroring Port mirroring copies packets passing through a port to anoth...

Страница 32: ...to Power Down on an Ethernet Interface 1 4 Configuring a Port Group 1 5 Configuring Storm Suppression 1 5 Setting the Interval for Collecting Ethernet Interface Statistics 1 6 Enabling Forwarding of J...

Страница 33: ...view system view Enter Ethernet interface view interface interface type interface number Enable a specified double Combo port undo shutdown Optional By default of the two ports in a Combo port the one...

Страница 34: ...ernet interfaces z Full duplex mode full Interfaces operating in this mode can send and receive packets simultaneously z Half duplex mode half Interfaces operating in this mode can either send or rece...

Страница 35: ...ts do not support the duplex command or the speed command Configuring Flow Control on an Ethernet Interface When flow control is enabled on both sides if traffic congestion occurs at the ingress inter...

Страница 36: ...loopback test if an interface is down only the former is available on it if the interface is shut down both are unavailable z The speed duplex mdi and shutdown commands are not applicable during loop...

Страница 37: ...view Create a manual port group and enter manual port group view port group manual port group name Required Add Ethernet interfaces to the manual port group group member interface list Required Config...

Страница 38: ...adcast multicast and unknown unicast storm suppression ratios on a port using different suppression standards percentage of the total bandwidth packets per second or kilobytes per second the system au...

Страница 39: ...ops may cause broadcast storms The purpose of loopback detection is to detect loops on an interface When loopback detection is enabled on an Ethernet interface the device periodically checks whether t...

Страница 40: ...n be used to connect Ethernet devices crossover cable and straight through cable To accommodate these two types of cables an Ethernet interface on a device can operate in one of the following three Me...

Страница 41: ...e packet If such an entry exists but the egress interface in the entry is the receiving interface itself the device discards this packet However if bridging is enabled on the receiving interface the d...

Страница 42: ...can specify the system to act as follows when the traffic detected exceeds the threshold z Blocking the interface In this case the interface is blocked and thus stops forwarding the traffic of this ty...

Страница 43: ...next period Thus it is normal that a period longer than one statistic period is waited for a control action to happen if you enable the function while the packet storm is present However the action w...

Страница 44: ...1 12 To do Use the command Remarks Display the information about storm constrain display storm constrain broadcast multicast unicast interface interface type interface number Available in any view...

Страница 45: ...Dynamic Aggregation Group 1 6 Configuring an Aggregate Interface 1 7 Configuring the Description of an Aggregate Interface 1 7 Enabling LinkUp LinkDown Trap Generation for an Aggregate Interface 1 8...

Страница 46: ...ese member ports can dynamically back up each other Basic Concepts of Link Aggregation Aggregate interface An aggregate interface is a logical Layer 2 or Layer 3 aggregate interface Aggregation group...

Страница 47: ...aces to determine the interfaces that can operate as selected interfaces This allows the two systems to reach an agreement on which link aggregation member ports should be placed in selected state Ope...

Страница 48: ...ment which makes dynamic aggregation instable Static aggregation mode LACP is disabled on the member ports in a static aggregation group In a static aggregation group the system sets a port to selecte...

Страница 49: ...are the same compare the system MAC addresses The system with the smaller MAC address wins out z Compare the port IDs of the ports on the system with the smaller system ID A port ID comprises a port L...

Страница 50: ...ber port Link Aggregation Configuration Task List Complete the following tasks to configure link aggregation Task Remarks Configuring a Static Aggregation Group Configuring an Aggregation Group Config...

Страница 51: ...s the corresponding aggregation group At the same time the member ports of the aggregation group if any leave the aggregation group z To guarantee a successful static aggregation ensure that the ports...

Страница 52: ...z Removing a dynamic aggregate interface also removes the corresponding aggregation group At the same time the member ports of the aggregation group if any leave the aggregation group z To guarantee...

Страница 53: ...p generation is enabled globally and on all interfaces Enter Layer 2 aggregate interface view interface bridge aggregation interface number Enable linkUp linkDown trap generation for the aggregate int...

Страница 54: ...nd Remarks Enter system view system view Configure the global link aggregation load sharing mode link aggregation load sharing mode destination ip destination mac destination port ingress port source...

Страница 55: ...these configurations consistent you should configure the port manually z Reference port Select a port as the reference port from the ports that are in up state and with the same class two configuratio...

Страница 56: ...t1 0 1 port link aggregation group 1 DeviceA GigabitEthernet1 0 1 quit DeviceA interface gigabitethernet 1 0 2 DeviceA GigabitEthernet1 0 2 port link aggregation group 1 DeviceA GigabitEthernet1 0 2 q...

Страница 57: ...rface bridge aggregation 1 DeviceA Bridge Aggregation1 link aggregation mode dynamic DeviceA Bridge Aggregation1 quit Assign Ethernet interfaces GigabitEthernet1 0 1 through GigabitEthernet1 0 3 to ag...

Страница 58: ...Port Isolation 1 1 Configuring the Isolation Group for a Isolation Group Device 1 2 Assigning a Port to the Isolation Group 1 2 Specifying the Uplink Port for the Isolation Group 1 2 Displaying and Ma...

Страница 59: ...ere is no restriction on the number of ports assigned to an isolation group The member port of an aggregation group cannot be configured as the uplink port of an isolation group and vice versa If you...

Страница 60: ...m view system view Enter Ethernet interface view interface interface type interface number Enter Layer 2 aggregate interface view interface bridge aggregation interface number Enter interface view or...

Страница 61: ...configured these ports are set to the unselected state in the aggregation group that is these ports cannot forward user traffic Configure the current port as the uplink port of the isolation group por...

Страница 62: ...orts GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 to the isolation group Device system view Device interface gigabitethernet 1 0 1 Device GigabitEthernet1 0 1 port isolate ena...

Страница 63: ...1 5 Port isolate group information Uplink port support YES Group ID 1 Uplink port GigabitEthernet1 0 4 Group members GigabitEthernet1 0 1 GigabitEthernet1 0 2 GigabitEthernet1 0 3...

Страница 64: ...ration 1 1 Loopback Interface 1 1 Introduction to Loopback Interface 1 1 Configuring a Loopback Interface 1 1 Null Interface 1 2 Introduction to Null Interface 1 2 Configuring Null 0 Interface 1 2 Dis...

Страница 65: ...ion or security server to permit or deny packets generated by a device you can streamline the rule by configuring it to permit or deny packets carrying the loopback interface address identifying the d...

Страница 66: ...ace is always up However you can neither use it to forward data packets nor configure an IP address or link layer protocol on it With a null interface specified as the next hop of a static route to a...

Страница 67: ...n of an interface is the interface name followed by the Interface string Displaying and Maintaining Logical Interfaces To do Use the command Remarks Display information about loopback interfaces displ...

Страница 68: ...etting the Interval for Sending Advertisement Packets 1 10 Setting the DelayDown Timer 1 10 Setting the Port Shutdown Mode 1 11 Configuring DLDP Authentication 1 11 Resetting DLDP State 1 12 Resetting...

Страница 69: ...shooting Overview Sometimes unidirectional links may appear in networks On a unidirectional link one end can receive packets from the other end but the other end cannot Unidirectional links result in...

Страница 70: ...nd DLDP ensures that physical logical unidirectional links can be detected and shut down and prevents failure of other protocols such as STP If both ends of a link are operating normally at the physic...

Страница 71: ...isement packets which defaults to 5 seconds Probe timer Determines the interval to send Probe packets which defaults to 0 5 seconds That is a device in the probe state sends two Probe packets every se...

Страница 72: ...mal DLDP mode when an entry timer expires the device removes the corresponding neighbor entry and sends an Advertisement packet with RSY tag z In enhanced DLDP mode when an entry timer expires the Enh...

Страница 73: ...The receiving side checks the values of the two fields of received DLDP packets and drops the packets with the two fields conflicting with the corresponding local configuration z Plain text authentic...

Страница 74: ...onding neighbor entry does not exist creates the neighbor entry triggers the Entry timer and transits to Probe state Advertisement packet with RSY tag Retrieving the neighbor information If the corres...

Страница 75: ...rmation If not no process is performed LinkDown packet Check to see if the local port operates in Enhanced mode If yes and the local port is not in Disable state the local transits to Disable state 3...

Страница 76: ...s state when it is just detected and is being probed No information indicating the state of the neighbor is received A neighbor is in this state only when it is being probed It transits to Two way sta...

Страница 77: ...DP globally dldp enable Required Globally disabled by default Enter Ethernet port view interface interface type interface number Enter Ethernet port view or port group view Enter port group view port...

Страница 78: ...me for the device to detect unidirectional links thus causing more traffic forwarding errors if the interval is too short unnecessary Advertisement packets can be generated to consume bandwidth Theref...

Страница 79: ...dministrator z Auto mode In this mode when a unidirectional link is detected DLDP transits to Disable state generates log and traps and set the port as DLDP Down Follow these steps to set port shutdow...

Страница 80: ...Port view Port Group View The DLDP state that the port transits to upon the DLDP state reset operation depends on its physical state If the port is physically down it transits to Inactive state if the...

Страница 81: ...ion Example Network requirements z Device A and Device B are connected through two fiber pairs in which two fibers are cross connected as shown in Figure 1 4 z It is desired that the unidirectional li...

Страница 82: ...A DeviceA display dldp DLDP global status enable DLDP interval 6s DLDP work mode enhance DLDP authentication mode none DLDP unidirectional shutdown auto DLDP delaydown timer 2s The number of enabled p...

Страница 83: ...time 11 The output information indicates that both GigabitEthernet 1 0 49 and GigabitEthernet 1 0 50 are in Advertisement state and the links are up which means unidirectional links are not detected...

Страница 84: ...erating Mode 1 8 Setting the LLDP Re Initialization Delay 1 8 Enable LLDP Polling 1 8 Configuring the TLVs to Be Advertised 1 9 Configuring the Management Address and Its Encoding Format 1 9 Setting t...

Страница 85: ...The protocol operates on the data link layer to exchange device information between directly connected devices With LLDP a device sends local device information including its major functions managemen...

Страница 86: ...E a multicast MAC address Source MAC address The MAC address of the sending port If the port does not have a MAC address the MAC address of the sending bridge is used Type The Ethernet type for the up...

Страница 87: ...ypes of TLVs of which the chassis ID TLV port ID TLV TTL TLV and end of LLDPDU TLV end TLV in the figure are mandatory TLVs that must be carried and other TLVs are optional TLVs TLVs are type length a...

Страница 88: ...evice System Description Description of the sending device System Capabilities Identifies the primary functions of the sending device and the primary functions that have been enabled Management Addres...

Страница 89: ...TLVs Type Description LLDP MED Capabilities Allows a MED endpoint to advertise the supported LLDP MED TLVs and its device type Network Policy Allows a network device or MED endpoint to advertise LAN t...

Страница 90: ...ion changes To prevent the network from being overwhelmed by LLDP frames at times of frequent local device information change an interval is introduced between two successive LLDP frames This interval...

Страница 91: ...Ethernet interface view takes effect only on the current port and those made in port group view takes effect on all ports in the current port group Performing Basic LLDP Configuration Enabling LLDP To...

Страница 92: ...s on a port the port initializes the protocol state machines after a certain delay By adjusting the LLDP re initialization delay you can avoid frequent initializations caused by frequent LLDP operatin...

Страница 93: ...ce type country code ca type ca value 1 10 elin address tel number network policy power over ethernet Optional By default all types of LLDP TLVs except location identification TLV are advertisable Con...

Страница 94: ...on a recipient device You can configure the TTL of locally sent LLDP frames to determine how long information about the local device can be saved on a neighbor device by setting the TTL multiplier Th...

Страница 95: ...ated in Ethernet II frames If the neighbor devices encapsulate LLDPDUs in SNAP frames you can configure the encapsulation format for LLDPDUs as SNAP thus guaranteeing communication with the other devi...

Страница 96: ...bal interface interface type interface number Available in any view Display the information contained in the LLDP TLVs received through a port display lldp neighbor information interface interface typ...

Страница 97: ...ernet1 0 2 lldp admin status rx SwitchA GigabitEthernet1 0 2 quit 2 Configure Switch B Enable LLDP globally SwitchB system view SwitchB lldp enable Enable LLDP on GigabitEthernet1 0 1 setting the LLDP...

Страница 98: ...eived unknown TLV 3 As the sample output shows GigabitEthernet1 0 1 of Switch A connects a MED device and GigabitEthernet1 0 2 of Switch A connects a non MED device Both ports operate in Rx mode that...

Страница 99: ...f received unknown TLV 5 Port 2 GigabitEthernet1 0 2 Port status of LLDP Enable Admin status Rx_Only Trap flag No Roll time 0s Number of neighbors 0 Number of MED neighbors 0 Number of CDP neighbors 0...

Страница 100: ...witched Network 1 21 Configuring Timers of MSTP 1 22 Configuring the Timeout Factor 1 23 Configuring the Maximum Port Rate 1 24 Configuring Ports as Edge Ports 1 25 Setting the Link Type of a Port to...

Страница 101: ...isites 1 36 Configuration Procedure 1 36 Configuration Example 1 36 Configuring No Agreement Check 1 37 Configuration Prerequisites 1 38 Configuration Procedure 1 38 Configuration Example 1 39 Configu...

Страница 102: ...ning Tree Protocol MSTP This chapter describes the characteristics of STP RSTP and MSTP and the relationship among them Introduction to STP Why STP The Spanning Tree Protocol STP was developed based o...

Страница 103: ...e root bridge is called the root port The root port is responsible for communication with the root bridge Each non root bridge has one and only one root port The root bridge has no root port 3 Designa...

Страница 104: ...e spanning tree calculation Important fields in a configuration BPDU include z Root bridge ID consisting of the priority and MAC address of the root bridge z Root path cost the cost of the path to the...

Страница 105: ...rity than that of the configuration BPDU generated by the port the device discards the received configuration BPDU and does not process the configuration BPDU of this port z If the received configurat...

Страница 106: ...ice z The designated port ID is replaced with the ID of this port 3 The device compares the calculated configuration BPDU with the configuration BPDU on the port of which the port role is to be define...

Страница 107: ...eceives the configuration BPDU of Device B 1 0 1 BP1 Device A finds that the configuration BPDU of the local port 0 0 0 AP1 is superior to the received configuration BPDU and therefore discards the re...

Страница 108: ...ort BP1 0 0 0 AP1 Designated port BP2 0 5 1 BP2 z Port CP1 receives the configuration BPDU of Device A 0 0 0 AP2 Device C finds that the received configuration BPDU is superior to the configuration BP...

Страница 109: ...ison processes described in the table above a spanning tree with Device A as the root bridge is established as shown in Figure 1 3 Figure 1 3 The final calculated spanning tree The spanning tree calcu...

Страница 110: ...e transition in STP the newly elected root ports or designated ports require twice the forward delay time before transiting to the forwarding state to ensure that the new configuration BPDU has propag...

Страница 111: ...ortcomings of STP and RSTP In addition to the support for rapid network convergence it also allows data flows of different VLANs to be forwarded along separate paths thus providing a better load shari...

Страница 112: ...MST region consists of multiple devices in a switched network and the network segments among them These devices have the following characteristics z All are MSTP enabled z They have the same region n...

Страница 113: ...panning tree being independent of another Each spanning tree is referred to as a multiple spanning tree instance MSTI In Figure 1 4 for example multiple spanning trees can exist in each MST region eac...

Страница 114: ...is blocked the alternate port becomes the new root port or master port z Backup port The backup port of a designated port When the designated port is blocked the backup port becomes a new designated p...

Страница 115: ...nfiguration BPDUs to calculate spanning trees The only difference between the two protocols is that an MSTP BPDU carries the MSTP configuration on the device from which this BPDU is sent 1 CIST calcul...

Страница 116: ...node In each MSTI one and only one device acts as the root bridge while all others as leaf nodes Complete these tasks to configure MSTP Task Remarks Configuring an MST Region Required Specifying the...

Страница 117: ...in this case make sure that this VLAN is mapped to the CIST MSTI 0 when configuring the VLAN to MSTI mapping table For the detailed information of GVRP refer to GVRP Configuration of the Access Volume...

Страница 118: ...ctive MST region configuration information display stp region configuration The display command can be executed in any view Two or more MSTP enabled devices belong to the same MST region only if they...

Страница 119: ...red By default a device does not function as the root bridge Specifying the current device as a secondary root bridge of a specific spanning tree Follow these steps to specify the current device as a...

Страница 120: ...Specify the current device as the root bridge of MSTI 1 and a secondary root bridge of MSTI 2 Sysname system view Sysname stp instance 1 root primary Sysname stp instance 2 root secondary Configuring...

Страница 121: ...n if all devices in a spanning tree have the same priority the one with the lowest MAC address will be selected as the root bridge of the spanning tree Configuration example Set the device priority in...

Страница 122: ...k are interconnected through a specific path composed of a series of devices The network diameter is the number of devices on the path composed of the most devices Configuration procedure Follow these...

Страница 123: ...ps to configure the timers of MSTP To do Use the command Remarks Enter system view system view Configure the forward delay timer stp timer forward delay centi seconds Optional 1 500 centiseconds 15 se...

Страница 124: ...y launch spanning tree calculations thus reducing the auto sensing capability of the network We recommend that you use the default setting The settings of hello time forward delay and max age must mee...

Страница 125: ...send within each hello time The maximum rate of a port is related to the physical status of the port and the network structure Configuration procedure Follow these steps to configure the maximum rate...

Страница 126: ...know whether a port is directly connected to a terminal you need to manually configure the port to be an edge port After that this port can transition rapidly from the blocked state to the forwarding...

Страница 127: ...a point to point link are root ports or designated ports the ports can rapidly transition to the forwarding state after a proposal agreement handshake process Configuration procedure Follow these ste...

Страница 128: ...ket format recognition mode of a port is auto namely the port automatically distinguishes the two MSTP packet formats and determines the format of packets it will send based on the recognized format Y...

Страница 129: ...sname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 stp compliance dot1s Enabling the Output of Port State Transition Information In a large scale MSTP enabled netwo...

Страница 130: ...for the device globally before any other MSTP related configuration can take effect z To control MSTP flexibly you can use the undo stp enable command to disable the MSTP feature for certain ports so...

Страница 131: ...rts the following standards z dot1d 1998 The device calculates the default path cost for ports based on IEEE 802 1d 1998 z dot1t The device calculates the default path cost for ports based on IEEE 802...

Страница 132: ...To do Use the command Remarks Enter system view system view Enter Ethernet interface view or Layer 2 aggregate interface view interface interface type interface number Enter interface view or port gr...

Страница 133: ...t group view port group manual port group name Required Use either command Configurations made in interface view will take effect on the current port only configurations made in port group view will t...

Страница 134: ...ver it will not be able to migrate automatically back to the MSTP or RSTP mode but will remain working in the STP compatible mode under the following circumstances z The device running STP is shut dow...

Страница 135: ...Device A allows the traffic of VLAN 1 to pass through and port C allows the traffic of VLAN2 to pass through port B on Device B allows the traffic of VLAN 1 to pass through and port D allows the traf...

Страница 136: ...n Display the VLAN Ignore enabled VLAN DeviceB display stp ignored vlan STP Ignored VLAN 2 Configuring Digest Snooping As defined in IEEE 802 1s interconnected devices are in the same region only when...

Страница 137: ...its private key to calculate the configuration digest z With the Digest Snooping feature enabled comparison of configuration digest is not needed for in the same region check so the VLAN to MSTI mappi...

Страница 138: ...ment Check In RSTP and MSTP two types of messages are used for rapid state transition on designated ports z Proposal sent by designated ports to request rapid transition z Agreement used to acknowledg...

Страница 139: ...from the upstream device and thus sends no agreement packets to the upstream device As a result the designated port of the upstream device fails to transit rapidly and can only change to the forwardi...

Страница 140: ...by default To make the No Agreement Check feature take effect enable it on the root port Configuration Example Network requirements z Device A connects to a third party s device that has different MS...

Страница 141: ...start a new spanning tree calculation process This will cause a change of network topology Under normal conditions these ports should not receive configuration BPDUs However if someone forges configu...

Страница 142: ...guard function to protect the root bridge If the root guard function is enabled on a port of a root bridge this port will keep playing the role of designated port on all MSTIs Once this port receives...

Страница 143: ...ate interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manual port group name Required Use either command Configurations...

Страница 144: ...in any view View the historical information of port role calculation for the specified MSTI or all MSTIs display stp instance instance id history Available in any view View the statistics of TC TCN BP...

Страница 145: ...Device C Figure 1 12 Network diagram for MSTP configuration G E 1 0 1 G E 1 0 1 G E 1 0 1 G E 1 0 1 Configuration procedure 1 VLAN and VLAN member port configuration Create VLAN 10 VLAN 20 and VLAN 3...

Страница 146: ...l 0 Activate MST region configuration DeviceB mst region active region configuration DeviceB mst region quit Specify the current device as the root bridge of MSTI 3 DeviceB stp instance 3 root primary...

Страница 147: ...on each device after the network is stable Display brief spanning tree information on Device A DeviceA display stp brief MSTID Port Role STP State Protection 0 GigabitEthernet1 0 1 ALTE DISCARDING NO...

Страница 148: ...spanning tree information on Device D DeviceD display stp brief MSTID Port Role STP State Protection 0 GigabitEthernet1 0 1 ROOT FORWARDING NONE 0 GigabitEthernet1 0 2 ALTE DISCARDING NONE 0 GigabitEt...

Страница 149: ...ember Ports for a Smart Link Group 1 6 Configuring Role Preemption for a Smart Link Group 1 6 Enabling the Sending of Flush Messages 1 7 Smart Link Device Configuration Example 1 7 Configuring an Asso...

Страница 150: ...ble for users who have high demand on convergence speed For more information about STP refer to MSTP Configuration in the Access Volume Smart Link is a feature developed to address the slow convergenc...

Страница 151: ...her port role in a smart link group When both ports in a smart link group are up the slave port is placed in the standby state When the master port fails the slave port takes over to forward traffic A...

Страница 152: ...ND entries To keep traffic forwarding stable the master port that has been blocked due to link failure does not take over immediately upon its recovery Instead link switchover will occur at next link...

Страница 153: ...mpleting the smart link group configuration z Disable STP and RRPP on the ports you want to add to the smart link group and make sure that the ports are not member ports of any aggregation group or se...

Страница 154: ...ure member ports for a smart link group in interface view To do Use the command Remarks Enter system view system view Enter Ethernet interface view or layer 2 aggregate interface view interface interf...

Страница 155: ...ges cannot be sent properly Smart Link Device Configuration Example Network requirements z Create smart link group 1 z The protected VLANs of smart link group 1 are mapped to MSTI 0 through 8 z Config...

Страница 156: ...onfigured on Device C and E Follow these steps to enable the receiving of flush messages To do Use the command Remarks Enter system view system view Enter Ethernet interface view or Layer 2 aggregate...

Страница 157: ...ormation display smart link group group id all Available in any view Display information about the received flush messages display smart link flush Available in any view Clear the statistics about flu...

Страница 158: ...ush enable 2 Configuration on Device E Disable STP on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 DeviceE system view DeviceE interface gigabitethernet 1 0 1 DeviceE GigabitEthernet1 0 1 undo stp...

Страница 159: ...bitEthernet 1 0 3 DeviceA system view DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 smart link flush enable DeviceA GigabitEthernet1 0 1 quit DeviceA interface gigabitethernet 1...

Страница 160: ...ugh DeviceC interface gigabitethernet 1 0 1 DeviceC GigabitEthernet1 0 1 undo stp enable DeviceC GigabitEthernet1 0 1 port link type trunk DeviceC GigabitEthernet1 0 1 port trunk permit vlan 1 to 200...

Страница 161: ...ce gigabitethernet 1 0 1 DeviceB GigabitEthernet1 0 1 port link type trunk DeviceB GigabitEthernet1 0 1 port trunk permit vlan 1 to 200 DeviceB GigabitEthernet1 0 1 smart link flush enable control vla...

Страница 162: ...port trunk permit vlan 1 to 200 DeviceA GigabitEthernet1 0 1 smart link flush enable control vlan 10 101 DeviceA GigabitEthernet1 0 1 quit DeviceA interface gigabitethernet 1 0 2 DeviceA GigabitEther...

Страница 163: ...w 1 1 Terminology 1 1 How Monitor Link Works 1 1 Configuring Monitor Link 1 2 Configuration Prerequisites 1 2 Configuration Procedure 1 2 Monitor Link Configuration Example 1 2 Displaying and Maintain...

Страница 164: ...port can be assigned to only one monitor link group Both Layer 2 Ethernet ports and Layer 2 aggregate interfaces can be assigned to a monitor link group Uplink The uplink is the link monitored by the...

Страница 165: ...is step to add more uplink ports In monitor link group view port interface type interface number downlink Configure the downlink for the monitor link group In Ethernet port view or Layer 2 aggregate i...

Страница 166: ...link failure and perform link switchover in the smart link group For detailed information about smart link refer to Smart Link Configuration in the Access Volume Figure 1 1 Network diagram for smart...

Страница 167: ...lush enable 3 Configuration on Device B Create monitor link group 1 DeviceB system view DeviceB monitor link group 1 Configure GigabitEthernet 1 0 1 as an uplink port and GigabitEthernet 1 0 2 as a do...

Страница 168: ...quit DeviceD interface gigabitethernet 1 0 1 DeviceD GigabitEthernet1 0 1 smart link flush enable DeviceD GigabitEthernet1 0 1 quit DeviceD interface gigabitethernet 1 0 2 DeviceD GigabitEthernet1 0 2...

Страница 169: ...guring Basic VLAN Settings 1 3 Configuring Basic Settings of a VLAN Interface 1 4 Port Based VLAN Configuration 1 5 Introduction to Port Based VLAN 1 5 Assigning an Access Port to a VLAN 1 6 Assigning...

Страница 170: ...VLAN was introduced The idea is to break a LAN down into separate VLANs that is Layer 2 broadcast domains whereby frames are switched between ports assigned to the same VLAN VLANs are isolated from ea...

Страница 171: ...as shown in Figure 1 3 Figure 1 3 The position and format of VLAN tag A VLAN tag comprises four fields tag protocol identifier TPID priority canonical format indicator CFI and VLAN ID z The 16 bit TP...

Страница 172: ...ubnet z Policy z Other criteria This chapter covers port based VLAN Configuring Basic VLAN Settings Follow these steps to configure basic VLAN settings To do Use the command Remarks Enter system view...

Страница 173: ...ss and specify it as the gateway of the VLAN to forward traffic destined for an IP network segment different from that of the VLAN Follow these steps to configure basic settings of a VLAN interface To...

Страница 174: ...hybrid port can carry multiple VLANs to receive and send traffic for them Unlike a trunk port a hybrid port allows traffic of all VLANs to pass through VLAN untagged You can configure a port connecte...

Страница 175: ...its VLAN is carried on the port but is different from the default one Hybrid Check whether the default VLAN is permitted on the port z If yes tag the frame with the default VLAN tag z If not drop the...

Страница 176: ...y to the current port z In port group view the subsequent configurations apply to all ports in the port group z In Layer 2 aggregate interface view the subsequent configurations apply to the Layer 2 a...

Страница 177: ...e the default VLAN of the trunk port s port trunk pvid vlan vlan id Optional VLAN 1 is the default VLAN by default z To change the link type of a port from trunk to hybrid or vice versa you must set t...

Страница 178: ...type to access first z Before assigning a hybrid port to a VLAN create the VLAN first z After configuring the default VLAN for a hybrid port you must use the port hybrid vlan command to configure the...

Страница 179: ...a trunk port and configure its default VLAN ID as 100 DeviceA GigabitEthernet1 0 1 port link type trunk DeviceA GigabitEthernet1 0 1 port trunk pvid vlan 100 Configure GigabitEthernet 1 0 1 to deny th...

Страница 180: ...capsulation IEEE 802 1q Port priority 0 Last 300 seconds input 0 packets sec 0 bytes sec Last 300 seconds output 0 packets sec 0 bytes sec Input total 0 packets 0 bytes 0 broadcasts 0 multicasts Input...

Страница 181: ...rotocols and Standards 1 4 GVRP Configuration Task List 1 4 Configuring GVRP Functions 1 4 Configuring GARP Timers 1 5 Displaying and Maintaining GVRP 1 7 GVRP Configuration Examples 1 7 GVRP Configur...

Страница 182: ...pant is present on a port on your device the port is regarded as a GARP participant GARP messages and timers 1 GARP messages A GARP application entity exchanges information with other GARP application...

Страница 183: ...ster its attribute information Then a LeaveAll timer starts again z The settings of GARP timers apply to all GARP applications such as GVRP on a LAN z On a GARP enabled network a device may send Leave...

Страница 184: ...for GVRP indicating the VLAN ID attribute Attribute List Contains one or multiple attributes Attribute Consists of an Attribute Length an Attribute Event and an Attribute Value Attribute Length Numbe...

Страница 185: ...ed registration type thus allows only manually configured VLANs to pass through even though it is configured to carry all VLANs z Forbidden Disables the port to dynamically register and deregister VLA...

Страница 186: ...ts z If both GVRP and remote port mirroring are used GVRP may register the remote probe VLAN to unexpected ports resulting in undesired duplicates to be received by the monitor port For more informati...

Страница 187: ...value Optional 20 centiseconds by default Configure the Leave timer garp timer leave timer value Optional 60 centiseconds by default As shown in Table 1 2 the values of GARP timers are dependent on ea...

Страница 188: ...he global GVRP state display gvrp status Available in any view Display the information about dynamic VLAN operations performed on a port display gvrp vlan operation interface interface type interface...

Страница 189: ...trunk permit vlan all Enable GVRP on trunk port GigabitEthernet 1 0 1 DeviceB GigabitEthernet1 0 1 gvrp DeviceB GigabitEthernet1 0 1 quit Create VLAN 3 a static VLAN DeviceB vlan 3 3 Verify the config...

Страница 190: ...quit Create VLAN 2 a static VLAN DeviceA vlan 2 2 Configure Device B Enable GVRP globally DeviceB system view DeviceB gvrp Configure port GigabitEthernet 1 0 1 as a trunk port allowing all VLANs to p...

Страница 191: ...trunk permit vlan all Enable GVRP on GigabitEthernet 1 0 1 and set the GVRP registration type to forbidden on the port DeviceA GigabitEthernet1 0 1 gvrp DeviceA GigabitEthernet1 0 1 gvrp registration...

Страница 192: ...1 11 Display dynamic VLAN information on Device A DeviceA display vlan dynamic No dynamic vlans exist Display dynamic VLAN information on Device B DeviceB display vlan dynamic No dynamic vlans exist...

Страница 193: ...figuring Remote Port Mirroring 1 5 Configuration Prerequisites 1 5 Configuring a Remote Source Mirroring Group on the Source Device 1 5 Configuring a Remote Destination Mirroring Group on the Destinat...

Страница 194: ...or remote z In local port mirroring the mirroring port or ports and the monitor port are located on the same device z In remote port mirroring the mirroring port or ports and the monitor port can be...

Страница 195: ...lyze Figure 1 1 Local port mirroring implementation PC Mirroring port Monitor port Data monitoring device Mirroring port How the device processes packets Monitor port Traffic mirrored to Remote port m...

Страница 196: ...u must create the remote destination mirroring group When receiving a packet the destination device compares the VLAN ID carried in the packet with the ID of the probe VLAN configured in the remote de...

Страница 197: ...r system view system view Create a local mirroring group mirroring group group id local Required In system view mirroring group group id mirroring port mirroring port list both inbound outbound interf...

Страница 198: ...the destination device If GVRP is enabled GVRP may register the remote probe VLAN to unexpected ports resulting in undesired duplicates For information on GVRP refer to GVRP Configuration in the Acce...

Страница 199: ...ce view you can assign only the current interface to the mirroring group To monitor multiple ports repeat the step In system view mirroring group groupid reflector port reflector port id interface int...

Страница 200: ...e mirroring group z You are recommended to use a remote probe VLAN exclusively for the mirroring purpose z A port can belong to only one mirroring group Configuring a Remote Destination Mirroring Grou...

Страница 201: ...ure operation of your device do not enable STP MSTP or RSTP on the monitor port z You are recommended to use a monitor port only for port mirroring This is to ensure that the data monitoring device re...

Страница 202: ...Marketing department Configuration procedure Configure Switch C Create a local port mirroring group SwitchC system view SwitchC mirroring group 1 local Add port GigabitEthernet 1 0 1 and GigabitEthern...

Страница 203: ...ce mirroring group For the mirroring group configure VLAN 2 as the remote probe VLAN ports GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 as mirroring ports and port GigabitEthernet 1 0 4 as the refl...

Страница 204: ...1 port trunk permit vlan 2 Configure port GigabitEthernet 1 0 2 as a trunk port that permits the packets of VLAN 2 to pass through DeviceB GigabitEthernet1 0 1 quit DeviceB interface gigabitethernet 1...

Страница 205: ...1 12 After finishing the configuration you can monitor all the packets received and sent by Department 1 and Department 2 on the Server...

Страница 206: ...etwork z Configuring TCP Attributes z Configuring ICMP to Send Error Packets ARP Address Resolution Protocol ARP is used to resolve an IP address into a data link layer address This document describes...

Страница 207: ...FTP is an application layer protocol for sharing files between server and client over a TCP IP network The Trivial File Transfer Protocol TFTP provides functions similar to those provided by FTP This...

Страница 208: ...Addressing Overview 1 1 IP Address Classes 1 1 Special IP Addresses 1 2 Subnetting and Masking 1 2 Configuring IP Addresses 1 3 Assigning an IP Address to an Interface 1 3 IP Addressing Configuration...

Страница 209: ...xample is 01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1...

Страница 210: ...es the host with a host ID of 16 on the local network z IP address with an all zero host ID Identifies a network z IP address with an all one host ID Identifies a directed broadcast address For exampl...

Страница 211: ...55 255 255 0 respectively Configuring IP Addresses An interface can communicate with other hosts after it obtains an IP address Besides directly assigning an IP address to an interface you may configu...

Страница 212: ...N interface 1 on the switch z Set the switch as the gateway on all PCs in the two networks Figure 1 3 Network diagram for IP addressing configuration Configuration procedure Assign a primary IP addres...

Страница 213: ...tl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 3 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 4 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 5 ttl 255 time 26 ms...

Страница 214: ...of Directed Broadcasts to a Directly Connected Network 1 1 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network 1 2 Configuration Example 1 2 Configuring TCP Attributes 1 3 Enab...

Страница 215: ...er size z Enabling ICMP error packets sending Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network Directed broadcast packets are broadcast on a specific network In...

Страница 216: ...xecuted last time does not include the acl acl number the ACL configured previously will be removed Configuration Example Network requirements As shown in Figure 1 1 the host s interface and VLAN inte...

Страница 217: ...or and waits for a response 3 After receiving the SYN ACK message the originator returns an ACK message Thus the TCP connection is established Attackers may mount SYN Flood attacks during TCP connecti...

Страница 218: ...er As a result the server cannot process normal services Protection against Naptha attacks reduces the risk of such attacks by accelerating the aging of TCP connections in a state After the feature is...

Страница 219: ...en a TCP connection is changed into FIN_WAIT_2 state the finwait timer is started If no FIN packets is received within the timer interval the TCP connection will be terminated If a FIN packet is recei...

Страница 220: ...n of a packet is not itself and the TTL field of the packet is 1 it will send a TTL timeout ICMP error message z When the device receives the first fragment of an IP datagram whose destination is the...

Страница 221: ...d by default Enable sending of ICMP timeout packets ip ttl expires enable Required Disabled by default Enable sending of ICMP destination unreachable packets ip unreachables enable Required Disabled b...

Страница 222: ...ackets reset ip statistics Available in user view Clear statistics of TCP connections reset tcp statistics Available in user view Clear statistics of UDP traffic reset udp statistics Available in user...

Страница 223: ...ive Acknowledgement 2 2 Introduction to ARP Active Acknowledgement 2 2 Configuring ARP Active Acknowledgement 2 2 Configuring Source MAC Address Based ARP Attack Detection 2 3 Introduction to Source M...

Страница 224: ...f the destination device Therefore a mapping between the IP address and the physical address is needed ARP is the protocol to implement the mapping function ARP Message Format ARP messages are classif...

Страница 225: ...address and the MAC address of Host A respectively and the target IP address and the target MAC address are the IP address of Host B and an all zero MAC address respectively Because the ARP request i...

Страница 226: ...ng a long static ARP entry you must configure a VLAN and an outbound interface for the entry besides the IP address and the MAC address z A short static ARP entry has only an IP address and a MAC addr...

Страница 227: ...mber of dynamic ARP entries that an interface can learn To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Set the maxi...

Страница 228: ...Remarks Enter system view system view Enable the ARP entry check arp check enable Optional By default the device is disabled from learning multicast MAC addresses ARP Configuration Example Network re...

Страница 229: ...both the IP address of the device issuing the packet the sender MAC address is the MAC address of the device and the target MAC address is the broadcast address ff ff ff ff ff ff A device implements t...

Страница 230: ...ay the ARP entry for a specified IP address display arp ip address begin exclude include regular expression Available in any view Display the aging time for dynamic ARP entries display arp timer aging...

Страница 231: ...number of ARP packets to bring a great impact to the CPU For details about ARP attack features and types refer to ARP Attack Protection Technology White Paper Currently ARP attacks and viruses are th...

Страница 232: ...Use the command Remarks Enter system view system view Enable ARP source suppression arp source suppression enable Required Disabled by default Set the maximum number of packets with the same source IP...

Страница 233: ...rotected MAC address A protected MAC address is excluded from ARP attack detection even if it is an attacker Only the ARP packets delivered to the CPU are detected Configuring Source MAC Address Based...

Страница 234: ...by default Configuring ARP Packet Rate Limit Introduction to ARP Packet Rate Limit This feature allows you to limit the rate of ARP packets to be delivered to the CPU For example if an attacker sends...

Страница 235: ...C through a switch After intercepting the traffic between Host A and Host C a hacker Host B forwards forged ARP replies to Host A and Host C respectively Upon receiving the ARP replies the two hosts...

Страница 236: ...ies Dynamic DHCP snooping entries are automatically generated through the DHCP snooping function For details refer to DHCP Configuration in the IP Service Volume Static IP Source Guard binding entries...

Страница 237: ...by default that is all packets are considered to be invalid by default Configure a static IP to MAC binding for ARP detection arp detection static bind ip address mac address Optional Not configured...

Страница 238: ...figure ARP detection based on specified objects To do Use the command Remarks Enter system view system view Specify objects for ARP detection arp detection validate dst mac ip src mac Required Not spe...

Страница 239: ...0 SwitchA vlan10 arp detection enable Configure the upstream port as a trusted port and the downstream ports as untrusted ports a port is an untrusted port by default SwitchA vlan10 interface GigabitE...

Страница 240: ...itchA arp detection validate dst mac ip src mac After the preceding configurations are completed when ARP packets arrive at interfaces GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 their MAC and IP...

Страница 241: ...Configuring DHCP Snooping to Support Option 82 2 5 Prerequisites 2 5 Configuring DHCP Snooping to Support Option 82 2 5 Displaying and Maintaining DHCP Snooping 2 6 DHCP Snooping Configuration Exampl...

Страница 242: ...use DHCP for IP address acquisition via a relay agent the DHCP server cannot be a Windows 2000 Server or Windows 2003 Server Introduction to DHCP Client With the DHCP client enabled an interface will...

Страница 243: ...en the undo shutdown command or re enable the DHCP client on the interface by executing the undo ip address dhcp alloc command and then the ip address dhcp alloc command Displaying and Maintaining the...

Страница 244: ...ervers If there is an unauthorized DHCP server on a network DHCP clients may obtain invalid IP addresses and network configuration parameters and cannot normally communicate with other network devices...

Страница 245: ...nt of Trusted Ports Configuring a trusted port connected to a DHCP server Figure 2 1 Configure trusted and untrusted ports Trusted DHCP server DHCP snooping Untrusted Untrusted Unauthorized DHCP serve...

Страница 246: ...n 82 Option 82 records the location information of the DHCP client The administrator can locate the DHCP client to further implement security control and accounting If DHCP snooping supports Option 82...

Страница 247: ...normal format verbose Forward the message after adding the Option 82 padded in verbose format no Option 82 user defined Forward the message after adding the user defined Option 82 The handling strate...

Страница 248: ...Configuring DHCP Snooping to Support Option 82 Follow these steps to configure DHCP snooping to support Option 82 To do Use the command Remarks Enter system view system view Enter interface view inte...

Страница 249: ...is configured as replace you need to configure a padding format for Option 82 If the handling strategy is keep or drop you need not configure any padding format z If the Option 82 is padded with the...

Страница 250: ...fy GigabitEthernet1 0 1 as trusted SwitchA interface GigabitEthernet 1 0 1 SwitchA GigabitEthernet1 0 1 dhcp snooping trust SwitchA GigabitEthernet1 0 1 quit DHCP Snooping Option 82 Support Configurat...

Страница 251: ...GigabitEthernet1 0 2 dhcp snooping information circuit id string company001 SwitchA GigabitEthernet1 0 2 dhcp snooping information remote id string device001 SwitchA GigabitEthernet1 0 2 quit Configu...

Страница 252: ...BOOTP client the interface can use BOOTP to get information such as IP address from the BOOTP server which simplifies your configuration Before using BOOTP an administrator needs to configure a BOOTP...

Страница 253: ...protocols and standards related to BOOTP include z RFC 951 Bootstrap Protocol BOOTP z RFC 2132 DHCP Options and BOOTP Vendor Extensions z RFC 1542 Clarifications and Extensions for the Bootstrap Prot...

Страница 254: ...ork diagram DHCP server Gateway A WINS server 10 1 1 4 25 Client Switch A Client DNS server 10 1 1 2 25 Vlan int1 10 1 1 1 25 Vlan int1 10 1 1 126 25 Configuration procedure The following describes on...

Страница 255: ...he IPv4 DNS Client 1 3 Configuring Static Domain Name Resolution 1 3 Configuring Dynamic Domain Name Resolution 1 3 Displaying and Maintaining IPv4 DNS 1 4 IPv4 DNS Configuration Examples 1 4 Static D...

Страница 256: ...ppings are stored in the local static name resolution table to improve efficiency Static Domain Name Resolution The static domain name resolution means setting up mappings between domain names and IP...

Страница 257: ...ply the missing part For example a user can configure com as the suffix for aabbcc com The user only needs to type aabbcc to get the IP address of aabbcc com The resolver can add the suffix and delimi...

Страница 258: ...previous one if there is any z You may create up to 50 static mappings between domain names and IPv4 addresses Configuring Dynamic Domain Name Resolution To send DNS queries to a correct server for r...

Страница 259: ...uration Examples Static Domain Name Resolution Configuration Example Network requirements As shown in Figure 1 2 static domain name resolution is configured on the device and thus the device can use t...

Страница 260: ...e resolution and the domain name suffix are configured on the device that serves as a DNS client and thus the device can use domain name host to access the host with the domain name host com and the I...

Страница 261: ...e instructions to create a new zone named com Figure 1 4 Create a zone Create a mapping between host name and IP address Figure 1 5 Add a host In Figure 1 5 right click zone com and then select New Ho...

Страница 262: ...is normal and that the corresponding destination IP address is 3 1 1 1 Sysname ping host Trying DNS resolve press CTRL_C to break Trying DNS server 2 1 1 2 PING host com 3 1 1 1 56 data bytes press C...

Страница 263: ...d domain name is in the cache z If the specified domain name does not exist check that dynamic domain name resolution is enabled and the DNS client can communicate with the DNS server z If the specifi...

Страница 264: ...Debugging an FTP Connection 1 6 Terminating an FTP Connection 1 6 FTP Client Configuration Example 1 7 Configuring the FTP Server 1 8 Configuring FTP Server Operating Parameters 1 8 Configuring Authen...

Страница 265: ...files z ASCII mode transfers files as text like txt bat and cfg files Operation of FTP FTP adopts the client server model Your device can function either as the client or as the server as shown in Fig...

Страница 266: ...FTP server configuration on the device Configure authentication and authorization Configure the username password authorized working directory for an FTP user The device does not support anonymous FTP...

Страница 267: ...e interface or source IP address The primary IP address configured on the source interface is the source address of the transmitted packets The source address of the transmitted packets is selected fo...

Страница 268: ...irectories on an FTP Server After the device serving as the FTP client has established a connection with an FTP server For how to establish an FTP connection refer to Establishing an FTP Connection yo...

Страница 269: ...FTP server dir remotefile localfile Optional The ls command displays the name of a directory or file only while the dir command displays detailed information such as the file size and creation time Q...

Страница 270: ...e the command Remarks Display the help information of FTP related commands supported by the remote FTP server remotehelp protocol command Optional Enable information display in a detailed manner verbo...

Страница 271: ...lable memory space of the device is not enough use the fixdisk command to clear the memory or use the delete unreserved file url command to delete the files not in use and then perform the following o...

Страница 272: ...to update a file when you upload the file use the put command to the FTP server z In fast mode the FTP server starts writing data to the storage medium after a file is transferred to the memory This p...

Страница 273: ...password with the account The following configuration is used when the FTP server authenticates and authorizes a local FTP user If the FTP server needs to authenticate a remote FTP user you need to co...

Страница 274: ...n the user level of the FTP login users that is any level from 0 to 3 is allowed FTP Server Configuration Example Network requirements z As shown in Figure 1 3 use Device as an FTP server and the PC a...

Страница 275: ...1 1 1 1 none abc 331 Password required for abc Password 230 User logged in Download the configuration file config cfg of the device to the PC for backup ftp get config cfg back config cfg Upload the c...

Страница 276: ...oot ROM program through FTP you must execute the bootrom update command to upgrade the Boot ROM Displaying and Maintaining FTP To do Use the command Remarks Display the configuration of the FTP client...

Страница 277: ...s initiated by the client z In a normal file downloading process the client sends a read request to the TFTP server receives data from the server and then sends the acknowledgement to the server z In...

Страница 278: ...r example due to network disconnection the device can still start up because the original system file is not overwritten This mode is more secure but consumes more memory You are recommended to use th...

Страница 279: ...ient source interface interface type interface number ip source ip address Optional A device uses the source address determined by the matched route to communicate with the TFTP server by default Retu...

Страница 280: ...he PC enable the TFTP server z Configure a TFTP working directory 2 Configure Device TFTP Client If the available memory space of the device is not enough use the fixdisk command to clear the memory o...

Страница 281: ...tartup must be saved under the root directory of the storage medium You can copy or move a file to the root directory of the storage medium For the details of the boot loader command refer to Device M...

Страница 282: ...escribes z Introduction to IP routing and routing table z Routing protocol overview Static Routing A static route is manually configured by the administrator The proper configuration and usage of stat...

Страница 283: ...i Table of Contents 1 IP Routing Overview 1 1 IP Routing and Routing Table 1 1 Routing 1 1 Routing Table 1 1 Displaying and Maintaining a Routing Table 1 3...

Страница 284: ...ace a packet destined for a certain destination should go out to reach the next hop the next router or the directly connected destination Routes in a routing table can be divided into three categories...

Страница 285: ...to z Direct routes The destination is directly connected to the router z Indirect routes The destination is not directly connected to the router To prevent the routing table from getting too large you...

Страница 286: ...able ip address1 mask length mask ip address2 mask length mask verbose Available in any view Display information about routes permitted by an IPv4 basic ACL display ip routing table acl acl number ver...

Страница 287: ...1 Default Route 1 1 Application Environment of Static Routing 1 2 Configuring a Static Route 1 2 Configuration Prerequisites 1 2 Configuration Procedure 1 2 Displaying and Maintaining Static Routes 1...

Страница 288: ...or has to modify the static routes manually Default Route If the destination address of a packet fails to match any entry in the routing table the packet will be discarded After a default route is con...

Страница 289: ...nagement Ethernet port M GigabitEthernet you must specify the corresponding next hop for the output interface 3 Other attributes You can configure different preferences for different static routes so...

Страница 290: ...ation in the System Volume Displaying and Maintaining Static Routes To do Use the command Remarks Display the current configuration information display current configuration Display the brief informat...

Страница 291: ...Switch C SwitchC system view SwitchC ip route static 0 0 0 0 0 0 0 0 1 1 5 5 3 Configure the hosts The default gateways for the three hosts A B and C are 1 1 2 3 1 1 6 1 and 1 1 3 1 respectively The c...

Страница 292: ...32 Direct 0 0 127 0 0 1 InLoop0 Use the ping command on Host B to check reachability to Host A assuming Windows XP runs on the two hosts C Documents and Settings Administrator ping 1 1 2 2 Pinging 1 1...

Страница 293: ...ding Mechanism IGMP Snooping Running at the data link layer IGMP Snooping is a multicast control mechanism on the Layer 2 Ethernet switch and it is used for multicast group management and control This...

Страница 294: ...of Information Transmission Techniques 1 1 Features of Multicast 1 4 Common Notations in Multicast 1 5 Advantages and Applications of Multicast 1 5 Multicast Models 1 6 Multicast Architecture 1 6 Mult...

Страница 295: ...ltipoint data transmission over a network multicast greatly saves network bandwidth and reduces network load With the multicast technology a network operator can easily provide new value added service...

Страница 296: ...over the network is proportional to the number of hosts that need the information If a large number of users need the information the information source needs to send a copy of the same information t...

Страница 297: ...ficant waste of network resources Multicast As discussed above unicast and broadcast techniques are unable to provide point to multipoint data transmissions with the minimum network consumption Multic...

Страница 298: ...cast is confined to the same subnet while multicast is not Features of Multicast Multicast has the following features z A multicast group is a multicast receiver set identified by an IP multicast addr...

Страница 299: ...icast z G Indicates a rendezvous point tree RPT or a multicast packet that any multicast source sends to multicast group G Here represents any multicast source while G represents a specific multicast...

Страница 300: ...ence between the SSM model and the ASM model is that in the SSM model receivers already know the locations of the multicast sources by some other means In addition the SSM model uses a multicast addre...

Страница 301: ...he IP header 224 0 1 0 to 238 255 255 255 Globally scoped group addresses This block includes two types of designated group addresses z 232 0 0 0 8 SSM group addresses and z 233 0 0 0 8 Glop group add...

Страница 302: ...tination address is a multicast MAC address because the packet is directed to a group formed by a number of receivers rather than to one specific receiver As defined by IANA the high order 24 bits of...

Страница 303: ...tions of Layer 3 multicast protocols 1 Multicast management protocols Typically the internet group management protocol IGMP is used between hosts and Layer 3 multicast devices directly connected with...

Страница 304: ...hanged between the hosts and Layer 3 multicast devices thus effectively controlling the flooding of multicast data in a Layer 2 network 2 Multicast VLAN In the traditional multicast on demand mode whe...

Страница 305: ...cess the same multicast information from different peers received on different interfaces of the same device every multicast packet is subject to a reverse path forwarding RPF check on the incoming in...

Страница 306: ...iguring Source IP Address of IGMP Queries 1 15 Configuring IGMP Snooping Proxying 1 15 Configuration Prerequisites 1 15 Enabling IGMP Snooping Proxying 1 15 Configuring a Source IP Address for the IGM...

Страница 307: ...ii Configured Multicast Group Policy Fails to Take Effect 1 32...

Страница 308: ...and multicast MAC addresses and forwards multicast data based on these mappings As shown in Figure 1 1 when IGMP Snooping is not running on the switch multicast packets are broadcast to all devices at...

Страница 309: ...packets Router port Member port Ports involved in IGMP Snooping as shown in Figure 1 2 are described as follows z Router port A router port is a port on an Ethernet switch that leads the switch toward...

Страница 310: ...namic router port the switch sets a timer initialized to the dynamic router port aging time IGMP general query of which the source address is not 0 0 0 0 or PIM hello The switch removes this port from...

Страница 311: ...rted group the switch creates an entry adds the port as a dynamic member port to the outgoing port list and starts a member port aging timer for that port z If a forwarding table entry exists for the...

Страница 312: ...ific query the switch forwards it through all its router ports in the VLAN and all member ports for that multicast group and performs the following to the port on which it received the IGMP leave mess...

Страница 313: ...ding table for the entry for the multicast group If the forwarding entry is found with the receiving port contained as a dynamic member port in the outgoing port list the proxy resets the aging timer...

Страница 314: ...nal Configuring IGMP Queries and Responses Optional Configuring IGMP Snooping Querier Configuring Source IP Address of IGMP Queries Optional Enabling IGMP Snooping Proxying Optional Configuring IGMP S...

Страница 315: ...ggregate interface view or port group view z For IGMP Snooping configurations made on a Layer 2 aggregate interface do not interfere with configurations made on its member ports nor do they take part...

Страница 316: ...e version of IGMP Snooping igmp snooping version version number Optional Version 2 by default If you switch IGMP Snooping from version 3 to version 2 the system will clear all IGMP Snooping forwarding...

Страница 317: ...ional 105 seconds by default Configure dynamic member port aging time host aging time interval Optional 260 seconds by default Configuring aging timers for dynamic ports in a VLAN Follow these steps t...

Страница 318: ...Simulated Joining Generally a host running IGMP responds to IGMP queries from the IGMP querier If a host fails to respond due to some reasons the multicast router may deem that no member of this mult...

Страница 319: ...he switch will not forward them to that port In VLANs where only one host is attached to each port fast leave processing helps improve bandwidth and resource usage However if fast leave processing is...

Страница 320: ...lish and maintain multicast forwarding entries thus to forward multicast traffic correctly at the network layer This router or Layer 3 switch is called an IGMP querier However a Layer 2 multicast swit...

Страница 321: ...igure the IGMP last member query interval to fill their Max Response time field Namely for IGMP group specific queries the maximum response time equals to the IGMP last member query interval Configuri...

Страница 322: ...Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the source address of IGMP general queries igmp snooping general query source ip ip address current interface Optional 0 0...

Страница 323: ...leave messages sent by the proxy igmp snooping leave source ip ip address current interface The default is 0 0 0 0 Configuring an IGMP Snooping Policy Configuration Prerequisites Before configuring an...

Страница 324: ...t group view port group manual port group name Required Use either approach Configure a multicast group filter igmp snooping group policy acl number vlan vlan list Required No group filter is configur...

Страница 325: ...tted over the network Follow these steps to configure IGMP report suppression To do Use the command Remarks Enter system view system view Enter IGMP Snooping view igmp snooping Enable IGMP report supp...

Страница 326: ...gured for the switch or the port In addition in some specific applications a multicast group newly joined on the switch needs to replace an existing multicast group automatically A typical example is...

Страница 327: ...1p precedence of IGMP messages so that they can be assigned higher forwarding priority when congestion occurs on their outgoing ports Configuring 802 1p precedence for IGMP messages globally Follow t...

Страница 328: ...z The reset igmp snooping group command cannot clear the IGMP Snooping multicast group information for static joins IGMP Snooping Configuration Examples Group Policy and Simulated Joining Configuratio...

Страница 329: ...net1 0 1 igmp enable RouterA GigabitEthernet1 0 1 pim dm RouterA GigabitEthernet1 0 1 quit RouterA interface gigabitethernet 1 0 2 RouterA GigabitEthernet1 0 2 pim dm RouterA GigabitEthernet1 0 2 quit...

Страница 330: ...1 1 1 vlan 100 SwitchA GigabitEthernet1 0 4 quit 4 Verify the configuration Display the detailed IGMP Snooping multicast groups information in VLAN 100 on Switch A SwitchA display igmp snooping group...

Страница 331: ...flows to the receivers attached to Switch C only along the path of Switch A Switch B Switch C z It is required to configure GigabitEthernet 1 0 3 that connects Switch A to Switch C as a static router...

Страница 332: ...gn GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to this VLAN and enable IGMP Snooping in the VLAN SwitchA vlan 100 SwitchA vlan100 port gigabitethernet 1 0 1 to gigabitethernet 1 0 3 SwitchA vl...

Страница 333: ...1 0 5 quit 6 Verify the configuration Display the detailed IGMP Snooping multicast group information in VLAN 100 on Switch A SwitchA display igmp snooping group vlan 100 verbose Total 1 IP Group s Tot...

Страница 334: ...As shown in Figure 1 6 in a Layer 2 only network environment two multicast sources Source 1 and Source 2 send multicast data to multicast groups 224 1 1 1 and 225 1 1 1 respectively Host A and Host C...

Страница 335: ...in VLAN 100 SwitchA vlan100 igmp snooping enable SwitchA vlan100 igmp snooping drop unknown Enable the IGMP Snooping querier function in VLAN 100 SwitchA vlan100 igmp snooping querier Set the source I...

Страница 336: ...3 Received IGMPv1 reports 0 Received IGMPv2 reports 12 Received IGMP leaves 0 Received IGMPv2 specific queries 0 Sent IGMPv2 specific queries 0 Received IGMPv3 reports 0 Received IGMPv3 reports with...

Страница 337: ...view RouterA multicast routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 igmp enable RouterA GigabitEthernet1 0 1 pim dm RouterA GigabitEthernet1 0 1 quit RouterA int...

Страница 338: ...o one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 2 port GE1 0 3 D GE1 0 4 D MAC group s MAC group address 0100 5e01 0101 Host port s total 2 port GE1 0 3 GE1 0 4 Display...

Страница 339: ...ing Analysis IGMP Snooping is not enabled Solution 1 Enter the display current configuration command to view the running status of IGMP Snooping 2 If IGMP Snooping is not enabled use the igmp snooping...

Страница 340: ...his command in IGMP Snooping view or in the corresponding interface view to check whether the correct multicast group policy has been applied If not use the group policy or igmp snooping group policy...

Страница 341: ...Prerequisites 1 3 Configuring Sub VLAN Based Multicast VLAN 1 3 Configuring Port Based Multicast VLAN 1 4 Configuration Prerequisites 1 4 Configuring User Port Attributes 1 5 Configuring Multicast VLA...

Страница 342: ...ograms on demand service the Layer 3 device Router A needs to forward a separate copy of the multicast traffic in each user VLAN to the Layer 2 device Switch A This results in not only waste of networ...

Страница 343: ...Ns When forwarding multicast data to Switch A Router A needs to send only one copy of multicast traffic to Switch A in the multicast VLAN and Switch A distributes the traffic to the multicast VLAN s s...

Страница 344: ...figuration Task List Complete the following tasks to configure multicast VLAN Task Remarks Configuring Sub VLAN Based Multicast VLAN Configuring User Port Attributes Configuring Port Based Multicast V...

Страница 345: ...t VLAN The total number of sub VLANs for all multicast VLANs on the switch cannot exceed 1024 Configuring Port Based Multicast VLAN When configuring port based multicast VLAN you need to configure the...

Страница 346: ...ybrid Required Access by default Specify the user VLAN that comprises the current user port s as the default VLAN port hybrid pvid vlan vlan id Required VLAN 1 by default Configure the current user po...

Страница 347: ...d VLAN as a multicast VLAN and enter multicast VLAN view multicast vlan vlan id Required Not a multicast VLAN by default Return to system view quit interface interface type interface number Enter inte...

Страница 348: ...A respectively z The multicast source sends multicast data to multicast group 224 1 1 1 Host A Host B and Host C are receivers of the multicast group z Configure the sub VLAN based multicast VLAN feat...

Страница 349: ...onfiguration for VLAN 2 Create VLAN 10 assign GigabitEthernet 1 0 1 to this VLAN and enable IGMP Snooping in the VLAN SwitchA vlan 10 SwitchA vlan10 port GigabitEthernet 1 0 1 SwitchA vlan10 igmp snoo...

Страница 350: ...ource s Total 1 MAC Group s Router port s total 0 port IP group s the following ip group s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 1 port GE1 0 3 D MAC gr...

Страница 351: ...Ethernet 1 0 1 and to Switch A through GigabitEthernet 1 0 2 z IGMPv2 is required on Router A IGMPv2 Snooping is required on Switch A Router A acts as the IGMP querier z Switch A s GigabitEthernet 1 0...

Страница 352: ...thernet 1 0 2 RouterA system view RouterA multicast routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 pim dm RouterA GigabitEthernet1 0 1 quit RouterA interface gigab...

Страница 353: ...2 quit The configuration for GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 is similar The detailed configuration steps are omitted Configure VLAN 10 as a multicast VLAN SwitchA multicast vlan 10 Ass...

Страница 354: ...1 D IP group s the following ip group s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 3 port GE1 0 2 D GE1 0 3 D Eth1 4 D MAC group s MAC group address 0100 5e...

Страница 355: ...ed as follows Features Description QoS This document describes z QoS overview z QoS policy configuration z Priority mapping configuration z Traffic policing Configuration z Traffic shaping Configurati...

Страница 356: ...icy 2 6 Applying the QoS Policy to an Interface 2 6 Applying the QoS Policy to a VLAN 2 7 Applying the QoS Policy Globally 2 8 Support for QoS actions in different directions 2 8 Displaying and Mainta...

Страница 357: ...Configuration Example 5 2 Referencing Aggregation CAR in a Traffic Behavior 5 2 Configuration Prerequisites 5 2 Configuration Procedure 5 2 Configuration Example 5 3 Displaying and Maintaining Aggreg...

Страница 358: ...t Function to Automatically Set the Shared Buffer 8 1 Configuring the Shared Buffer Manually 8 2 Displaying and Maintaining Port Buffer 8 2 Burst Configuration Example 8 3 Network Requirements 8 3 Con...

Страница 359: ...alled best effort It delivers packets to their destinations as possibly as it can without any guarantee for delay jitter packet loss ratio and so on This service policy is only suitable for applicatio...

Страница 360: ...s forwarded over a low speed link z The packet flows enter a device from several incoming interfaces and are forwarded out an outgoing interface whose rate is smaller than the total rate of these inco...

Страница 361: ...gestion avoidance are the foundations for a network to provide differentiated services Mainly they implement the following functions z Traffic classification uses certain match criteria to organize pa...

Страница 362: ...port number for example or for all packets to a certain network segment When packets are classified on the network boundary the precedence bits in the ToS field of the IP packet header are generally r...

Страница 363: ...ccording to their DSCP values z Expedited Forwarding EF class In this class packets are forwarded regardless of link share of other traffic The class is suitable for preferential services requiring lo...

Страница 364: ...precedence lies in Layer 2 packet headers and is applicable to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2 Figure 1 4 An Ethernet frame with an 802 1Q tag...

Страница 365: ...802 1p Table 1 3 presents the values for 802 1p precedence Table 1 3 Description on 802 1p precedence 802 1p precedence decimal 802 1p precedence binary Description 0 000 best effort 1 001 background...

Страница 366: ...nsiders a packet belongs to a class only when the packet matches all the criteria in the class z or The device considers a packet belongs to a class as long as the packet matches one of the criteria i...

Страница 367: ...specified by its number or name The access list number argument specifies an ACL by its number which ranges from 2000 to 3999 the name acl name keyword argument combination specifies an ACL by its na...

Страница 368: ...or these matching criteria or input multiple values for a list argument such as the 8021p list argument listed below in a traffic class avoid doing that Otherwise the QoS policy referencing the class...

Страница 369: ...etailed information about traffic mirroring refer to Traffic Mirroring Configuration Insert a VLAN tag nest top most vlan id vlan id value Optional Redirect traffic to a specified target redirect cpu...

Страница 370: ...e mappings are executed according to the order configured Follow these steps to define a policy To do Use the command Remarks Enter system view system view Create a policy and enter policy view qos po...

Страница 371: ...fferent occasions z Applied to an interface the policy takes effect on the traffic sent or received on the interface z Applied to a VLAN the policy takes effect on the traffic sent or received on all...

Страница 372: ...packets OSPF packets RIP packets BGP packets LDP packets RSVP packets and SSH packets and so on Configuration example Apply QoS policy test_policy to the inbound direction of GigabitEthernet 1 0 1 Sy...

Страница 373: ...licy to the inbound direction globally Sysname system view Sysname qos apply policy test_policy global inbound Support for QoS actions in different directions Before creating and applying a QoS policy...

Страница 374: ...figuration information display traffic behavior user defined behavior name Available in any view Display the configuration of user defined QoS policies display qos policy user defined policy name clas...

Страница 375: ...et Precedences The local precedence and drop precedence are defined as follows z Local precedence is a locally significant precedence that the device assigns to a packet A local precedence value corre...

Страница 376: ...ing trusting port priority An S5810 series switch can trust one of the following two priority types z Trusting the DSCP precedence of received packets In this mode the switch searches the dscp dot1p d...

Страница 377: ...p mappings Input priority value dscp lp mapping dscp dot1p mapping dscp Local precedence lp 802 1p precedence dot1p 0 to 7 0 0 8 to 15 1 1 16 to 23 2 2 24 to 31 3 3 32 to 39 4 4 40 to 47 5 5 48 to 55...

Страница 378: ...rity mapping table display qos map table dot1p dscp dot1p lp dscp dot1p dscp lp Optional Available in any view Configuration Example Network requirements Configure a dot1p lp mapping table as shown be...

Страница 379: ...take effect on all ports in the port group Configure a priority for the port qos priority priority value Required The default port priority is 0 Configuration Example Network requirements Set the por...

Страница 380: ...port group view port group manual port group name Use either command Settings in interface view Ethernet or WLAN ESS take effect on the current interface settings in port group view take effect on al...

Страница 381: ...rks Display priority mapping table configuration information display qos map table dot1p dscp dot1p lp dscp dot1p dscp lp Available in any view Display the trusted precedence type on the port display...

Страница 382: ...l policies are applied Generally token buckets are used to evaluate traffic specifications Traffic Evaluation and Token Bucket Token bucket features A token bucket can be considered as a container hol...

Страница 383: ...acket transmission or forwarding rate allowed by the E bucket z Excess burst size EBS Size of the E bucket that is transient burst of traffic that the E bucket can forward Figure 4 1 A two bucket syst...

Страница 384: ...ts whose evaluation result is conforming z Dropping the packets whose evaluation result is excess Traffic Shaping Traffic shaping provides measures to adjust the rate of outbound traffic actively A ty...

Страница 385: ...interface of Switch A to avoid unnecessary packet loss Packets exceeding the limit are cached in Switch A Once resources are released traffic shaping takes out the cached packets and sends them out I...

Страница 386: ...erface port group qos car inbound acl ipv6 acl number cir committed information rate cbs committed burst size ebs excess burst size pir peak information rate red action Required Display CAR policy inf...

Страница 387: ...se the command Remarks Enter system view system view Enter interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manual port...

Страница 388: ...erver and Host A respectively as follows z Limit the rate of packets from Server to 560 kbps When the traffic rate is below 560 kbps the traffic is forwarded normally When the traffic rate exceeds 560...

Страница 389: ...eceived on GigabitEthernet 1 0 1 SwitchA interface gigabitethernet 1 0 1 SwitchA GigabitEthernet1 0 1 qos car inbound acl 2001 cir 560 red discard SwitchA GigabitEthernet1 0 1 qos car inbound acl 2002...

Страница 390: ...ion CAR policy is to be applied z Traffic match criteria the ACL or CAR list must be predefined z Refer to ACL configuration in the Security Volume for how to define ACL rules Configuration Procedure...

Страница 391: ...qos car aggcar 1 aggregative cir 200 cbs 2000 red discard Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 qos car inbound acl 2000 name aggcar 1 Referencing Aggregation CAR in a...

Страница 392: ...2 000 and red packets are dropped Reference aggregation CAR aggcar 1 in traffic behavior be1 Sysname system view Sysname qos car aggcar 1 aggregative cir 200 cbs 2000 red discard Sysname traffic beha...

Страница 393: ...tion occurs Congestion management involves queue creation traffic classification packet enqueuing and queue scheduling Congestion Management Policies In general congestion management adopts queuing te...

Страница 394: ...with the second highest priority and so on Thus you can assign mission critical packets to the high priority queue to ensure that they are always served first and common service packets to the low pri...

Страница 395: ...series use group based WRR queuing You can assign the output queues to WRR scheduling group 1 and WRR scheduling group 2 as required Note that the queues in the same group must be consecutive The dev...

Страница 396: ...ystem view system view Enter interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manual port group name Use either command...

Страница 397: ...uing configuration information on interface s display qos wrr interface interface type interface number Optional Available in any view When you use the WRR queue scheduling algorithm make sure that qu...

Страница 398: ...pplies to all the ports in the port group Configure SP queue scheduling qos wrr queue id group sp Required Configure WRR queue scheduling qos wrr queue id group group id weight schedule value Required...

Страница 399: ...ysname GigabitEthernet1 0 1 qos wrr 2 group 1 weight 20 Sysname GigabitEthernet1 0 1 qos wrr 3 group 1 weight 70 Sysname GigabitEthernet1 0 1 qos wrr 4 group 1 weight 100 Sysname GigabitEthernet1 0 1...

Страница 400: ...he CPU copies the matching packets on an interface to a CPU the CPU of the board where the traffic mirroring enabled interface resides z Mirroring traffic to a VLAN copies the matching packets on an i...

Страница 401: ...Required Displaying and Maintaining Traffic Mirroring To do Use the command Remarks Display traffic behavior configuration information display traffic behavior user defined behavior name Available in...

Страница 402: ...2000 Sysname classifier 1 quit Configure a traffic behavior and define the action of mirroring traffic to GigabitEthernet1 0 2 in the traffic behavior Sysname traffic behavior 1 Sysname behavior 1 mi...

Страница 403: ...r you to set the shared buffer z Configuring the Burst Function to Automatically Set the Shared Buffer z Configuring the Shared Buffer Manually When manually setting the shared buffer area take the tr...

Страница 404: ...nter system view system view Set in blocks the shared transmit buffer or shared receive buffer buffer manage ingress egress share size size value Optional By default there is no shared receive buffer...

Страница 405: ...hosts irregularly z Each host connects to the switch through a 100 Mbps network adapter Configure the switch to process dense traffic from the server to guarantee that packets can reach the hosts Fig...

Страница 406: ...c Binding Function SSH2 0 SSH ensures secure login to a remote device in a non secure network environment By encryption and strong authentication it protects the device against attacks This document d...

Страница 407: ...scription ACL An ACL is used for identifying traffic based on a series of preset matching criteria This document describes z ACL overview and ACL types z ACL configuration z ACL Application for Packet...

Страница 408: ...P Domain 1 15 Configuring AAA Accounting Methods for an ISP Domain 1 17 Configuring Local User Attributes 1 18 Configuring User Group Attributes 1 20 Configuring a NAS ID VLAN Binding 1 20 Displaying...

Страница 409: ...to the Data Sent to HWTACACS Server 1 33 Setting Timers Regarding HWTACACS Servers 1 33 Displaying and Maintaining HWTACACS 1 34 AAA Configuration Examples 1 34 AAA for Telnet Users by an HWTACACS Se...

Страница 410: ...e network access server NAS and the server maintains user information centrally In an AAA network a NAS is a server for users but a client for the AAA servers as shown in Figure 1 1 Figure 1 1 AAA net...

Страница 411: ...multiple protocols Currently the device supports using RADIUS HWTACACS for AAA and RADIUS is often used in practice Introduction to RADIUS Remote Authentication Dial In User Service RADIUS is a distri...

Страница 412: ...prevent user passwords from being intercepted in non secure networks RADIUS encrypts passwords before transmitting them A RADIUS server supports multiple user authentication methods Moreover a RADIUS...

Страница 413: ...ADIUS client to tear down the connection and the RADIUS client sends a stop accounting request Accounting Request to the RADIUS server 9 The RADIUS server returns a stop accounting response Accounting...

Страница 414: ...the Code Identifier Length Authenticator and Attribute fields The value of the field is in the range 20 to 4096 Bytes beyond the length are considered the padding and are neglected upon reception If t...

Страница 415: ...ct Tunnel Connection 22 Framed Route 69 Tunnel Password 23 Framed IPX Network 70 ARAP Password 24 State 71 ARAP Features 25 Class 72 ARAP Zone Access 26 Vendor Specific 73 ARAP Security 27 Session Tim...

Страница 416: ...other three bytes contain a code complying with RFC 1700 The vendor ID of H3C is 2011 z Vendor Type Indicates the type of the sub attribute z Vendor Length Indicates the length of the sub attribute z...

Страница 417: ...s only the user password field in an authentication packet Protocol packets are complicated and authorization is independent of authentication Authentication and authorization can be deployed on diffe...

Страница 418: ...continuance packet with the login password 1 A Telnet user sends an access request to the NAS 2 Upon receiving the request the HWTACACS client sends a start authentication packet to the HWTACACS serve...

Страница 419: ...Modifications for Tunnel Protocol Support z RFC 2868 RADIUS Attributes for Tunnel Protocol Support z RFC 2869 RADIUS Extensions z RFC 1492 An Access Control Protocol Sometimes Called TACACS AAA Confi...

Страница 420: ...ing and Maintaining AAA Optional RADIUS Configuration Task List Task Remarks Creating a RADIUS Scheme Required Specifying the RADIUS Authentication Authorization Servers Required Specifying the RADIUS...

Страница 421: ...authentication authorization or accounting you must create the RADIUS or HWTACACS scheme first For RADIUS scheme configuration refer to Configuring RADIUS For HWTACACS scheme configuration refer to C...

Страница 422: ...stem view system view Enter ISP domain view domain isp name Place the ISP domain to the state of active or blocked state active block Optional When created an ISP domain is in the active state by defa...

Страница 423: ...multiple devices You can configure local authentication as the backup method to be used when the remote server is not available You can configure AAA authentication to work alone without authorizatio...

Страница 424: ...he system z Local authorization Users are authorized by the access device according to the attributes configured for them z Remote authorization The access device cooperates with a RADIUS or HWTACACS...

Страница 425: ...he default authorization method is used by default z The authorization method specified with the authorization default command is for all types of users and has a priority lower than that for a specif...

Страница 426: ...methods complete these three tasks 1 For RADIUS or HWTACACS accounting configure the RADIUS or HWTACACS scheme to be referenced first The local and none authentication methods do not require any sche...

Страница 427: ...n you need to create local users and configure user attributes on the device as needed A local user represents a set of user attributes configured on a device and is uniquely identified by the usernam...

Страница 428: ...ation attributes for the local user authorization attribute acl acl number callback number callback number idle cut minute level level user profile profile name vlan vlan id work directory directory n...

Страница 429: ...ure local user attributes for a user group to implement centralized management of user attributes for the local users in the group Currently you can configure authorization attributes for a user group...

Страница 430: ...he RADIUS protocol is configured on a per scheme basis After creating a RADIUS scheme you need to configure the IP addresses and UDP ports of the RADIUS servers for the scheme The servers include auth...

Страница 431: ...d Configure at least one of the commands No authentication server by default z It is recommended to specify only the primary RADIUS authentication authorization server if backup is not required z If b...

Страница 432: ...nting server in a scheme and the secondary accounting server in another scheme Besides because RADIUS uses different UDP ports to receive authentication authorization and accounting packets the port f...

Страница 433: ...mber of transmission attempts exceeds the specified limit but it still receives no response it considers that the authentication has failed Follow these steps to set the upper limit of RADIUS request...

Страница 434: ...the device turns to the secondary server In this case z If the secondary server is available the device triggers the primary server quiet timer After the quiet timer times out the status of the prima...

Страница 435: ...the RADIUS Server Follow these steps to configure the attributes related to data to be sent to the RADIUS server To do Use the command Remarks Enter system view system view Enable the RADIUS trap fun...

Страница 436: ...three timers z RADIUS server response timeout response timeout If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request authentication authorization or...

Страница 437: ...o the corresponding part in the Access Volume z To configure the maximum number of retransmission attempts of RADIUS packets refer to the command retry in the command manual Configuring RADIUS Account...

Страница 438: ...client enable Optional Enabled by default Displaying and Maintaining RADIUS To do Use the command Remarks Display the configuration information of a specified RADIUS scheme or all RADIUS schemes displ...

Страница 439: ...cheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default z Up to 16 HWTACACS schemes can be configured z A scheme can be deleted only when it is not re...

Страница 440: ...ary HWTACACS authorization server primary authorization ip address port number Specify the secondary HWTACACS authorization server secondary authorization ip address port number Required Configure at...

Страница 441: ...dresses of the primary and secondary accounting servers cannot be the same Otherwise the configuration fails z You can remove an accounting server only when no active TCP connection for sending accoun...

Страница 442: ...ce to send HWTACACS packets In system view hwtacacs nas ip ip address Use either command By default the outbound port serves as the source IP address to send HWTACACS packets z If an HWTACACS server d...

Страница 443: ...t buffered stop accounting requests that get no responses display stop accounting buffer hwtacacs scheme hwtacacs scheme name Available in any view Clear HWTACACS statistics reset hwtacacs statistics...

Страница 444: ...g 10 1 1 1 49 Switch hwtacacs hwtac key authentication expert Switch hwtacacs hwtac key authorization expert Switch hwtacacs hwtac key accounting expert Switch hwtacacs hwtac user name format without...

Страница 445: ...ting Its IP address is 10 1 1 1 On the switch set the shared keys for packets exchanged with the RADIUS server to expert Configuration of separate AAA for other types of users is similar to that given...

Страница 446: ...in radius scheme rd Switch isp bbb quit Configure the default AAA methods for all types of users Switch domain bbb Switch isp bbb authentication default local Switch isp bbb authorization default hwta...

Страница 447: ...navigation tree to enter the Service Configuration page Then click Add to enter the Add Access Device window and perform the following configurations z Set both the shared keys for authentication and...

Страница 448: ...om the navigation tree to enter the All Access Users page Then click Add to enter the Add Device Management User window and perform the following configurations z Add a user named hello bbb and specif...

Страница 449: ...interface2 quit Configure the IP address of VLAN interface 3 through which the switch access the server Switch interface vlan interface 3 Switch Vlan interface3 ip address 10 1 1 2 255 255 255 0 Switc...

Страница 450: ...Switch isp bbb accounting login radius scheme rad Switch isp bbb quit When using SSH to log in a user enters a username in the form userid bbb for authentication using domain bbb 3 Verify the configu...

Страница 451: ...d link layers 2 The IP address of the RADIUS server is correctly configured on the NAS 3 UDP ports for authentication authorization accounting configured on the NAS are the same as those configured on...

Страница 452: ...ing Dynamic Binding Function 1 2 Displaying and Maintaining IP Source Guard 1 3 IP Source Guard Configuration Examples 1 3 Static Binding Entry Configuration Example 1 3 Dynamic Binding Function Confi...

Страница 453: ...s including source IP address source MAC address and VLAN tag of the packet in the binding entries of the IP source guard If there is a match the port forwards the packet Otherwise the port discards t...

Страница 454: ...x nor 0 0 0 0 z A static binding entry can be configured on only Layer 2 Ethernet ports Configuring Dynamic Binding Function After the dynamic binding function is enabled on a port IP source guard wi...

Страница 455: ...onnected to port GigabitEthernet 1 0 1 of Switch A Configure static binding entries on Switch A and Switch B to meet the following requirements z On port GigabitEthernet 1 0 2 of Switch A only IP pack...

Страница 456: ...thernet1 0 1 user bind ip address 192 168 0 2 mac address 0001 0203 0407 3 Verify the configuration On Switch A static binding entries are configured successfully SwitchA display user bind Total entri...

Страница 457: ...splay that the dynamic binding function is configured successfully on port GigabitEthernet 1 0 1 SwitchA interface gigabitethernet 1 0 1 SwitchA GigabitEthernet1 0 1 display this interface GigabitEthe...

Страница 458: ...Guard Failed to Configure Static Binding Entries and Dynamic Binding Function Symptom Configuring static binding entries and dynamic binding function fails on a port Analysis IP Source Guard is not s...

Страница 459: ...and Maintaining SSH 2 11 SSH Server Configuration Examples 2 12 When Switch Acts as Server for Password Authentication 2 12 When Switch Acts as Server for Publickey Authentication 2 14 SSH Client Conf...

Страница 460: ...ents but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server Currently when acting as an SSH server the device supports two SSH version...

Страница 461: ...pports the version the server and client will use the version Otherwise the negotiation fails 5 If the negotiation is successful the server and the client proceed with key and algorithm negotiation ot...

Страница 462: ...lid the authentication fails otherwise the server authenticates the client by the digital signature Finally the server sends a message to the client to inform the success or failure of the authenticat...

Страница 463: ...ommands in text format the text must be within 2000 bytes It is recommended that the commands are in the same view otherwise the server may not be able to perform the commands correctly z If the comma...

Страница 464: ...key As SSH2 uses the DH algorithm to generate the session key on the SSH server and client respectively no session key transmission is required in SSH2 and the server key pair is not used z The lengt...

Страница 465: ...user interface configured to support SSH you cannot change the authentication mode To change the authentication mode undo the SSH support configuration first Configuring a Client Public Key This confi...

Страница 466: ...ublic key code end When you exit public key code view the system automatically saves the public key Return from public key view to system view peer public key end Importing a client public key from a...

Страница 467: ...t SFTP refer to SFTP Overview z For successful login through SFTP you must set the user service type to sftp or all z As SSH1 does not support service type sftp if the client uses SSH1 to log into the...

Страница 468: ...rks Enter system view system view Enable the SSH server to support SSH1 clients ssh server compatible ssh1x enable Optional By default the SSH server supports SSH1 clients Set the RSA server key pair...

Страница 469: ...configured with the server host public key accesses the server for the first time the user can continue accessing the server and save the host public key on the client When accessing the server again...

Страница 470: ...ey exchange algorithm ssh2 server port number identity key dsa rsa prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer...

Страница 471: ...nd password are saved on the switch Figure 1 1 Switch acts as server for password authentication SSH client SSH server Host Switch 192 168 0 2 24 Vlan int1 192 168 0 1 24 Configuration procedure 1 Con...

Страница 472: ...the service type for user client001 as Stelnet and the authentication mode as password This step is optional Switch ssh user client001 service type stelnet authentication type password 2 Configure th...

Страница 473: ...interface When Switch Acts as Server for Publickey Authentication Network requirements z As shown in Figure 1 3 a local SSH connection is established between the host the SSH client and the switch the...

Страница 474: ...o 3 Switch ui vty0 4 user privilege level 3 Switch ui vty0 4 quit Before performing the following tasks you must use the client software to generate an RSA key pair on the client save the public key i...

Страница 475: ...key pair 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 1 5 Otherwise the process bar stops moving and the key pair g...

Страница 476: ...file name as key pub to save the public key Figure 1 6 Generate a client key pair 3 Likewise to save the private key click Save private key A warning window pops up to prompt you whether to save the p...

Страница 477: ...e client Specify the private key file and establish a connection with the SSH server Launch PuTTY exe to enter the following interface In the Host Name or IP address text box enter the IP address of t...

Страница 478: ...as Client for Password Authentication Network requirements z As shown in Figure 1 10 Switch A the SSH client needs to log into Switch B the SSH server through the SSH protocol z The username of the SS...

Страница 479: ...level 3 SwitchB luser client001 quit Specify the service type for user client001 as Stelnet and the authentication type as password This step is optional SwitchB ssh user client001 service type stelne...

Страница 480: ...code 94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02 492B3959EC6499625BC4FA5082E22C5 SwitchA pkey key code B374E16DD00132CE71B020217091AC717B612391C76C1FB2E 88317C1BD8171D41ECB83E210C03CC9 SwitchA p...

Страница 481: ...n for SSH connection SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Set the authentication mode for the user interfaces...

Страница 482: ...c key local create dsa Export the DSA public key to the file key pub SwitchA public key local export dsa ssh2 key pub SwitchA quit After generating a key pair on a client you need to transmit the save...

Страница 483: ...TP client enabling a user to login from the device to a remote device for secure file transfer Configuring an SFTP Server Configuration Prerequisites z You have configured the SSH server For the detai...

Страница 484: ...out value Optional 10 minutes by default Configuring an SFTP Client Specifying a Source IP Address or Interface for the SFTP Client You can configure a client to use only a specified source IP addres...

Страница 485: ...eating or deleting a directory Follow these steps to work with the SFTP directories To do Use the command Remarks Enter SFTP client view sftp server port number identity key dsa rsa prefer ctos cipher...

Страница 486: ...3des aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Required Execute the command in user view Change the name of a specified file or directory on the SFTP server rename old name new name Optiona...

Страница 487: ...onnection to the remote SFTP server To do Use the command Remarks Enter SFTP client view sftp server port number identity key dsa rsa prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha...

Страница 488: ...rface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Set the protocol that a remote user uses to log in as SSH SwitchB ui vty0 4 protocol inbound ssh SwitchB ui vty0 4 quit Before performing the...

Страница 489: ...SwitchA sftp 192 168 0 1 identity key rsa Input Username client001 Trying 192 168 0 1 Press CTRL K to abort Connected to 192 168 0 1 The Server is not authenticated Continue Y N y Do you want to save...

Страница 490: ...e nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 no...

Страница 491: ...w Switch public key local create rsa Switch public key local create dsa Switch ssh server enable Enable the SFTP server Switch sftp server enable Configure an IP address for VLAN interface 1 which the...

Страница 492: ...of SFTP client software The following takes the PSFTP of Putty Version 0 58 as an example z The PSFTP supports only password authentication Establish a connection with the remote SFTP server Run the...

Страница 493: ...1 8 Retrieving a Certificate Manually 1 9 Configuring PKI Certificate Verification 1 10 Destroying a Local RSA Key Pair 1 11 Deleting a Certificate 1 11 Configuring an Access Control Policy 1 12 Disp...

Страница 494: ...age the public keys Currently PKI employs the digital certificate mechanism to solve this problem The digital certificate mechanism binds public keys to their owners helping distribute public keys in...

Страница 495: ...revoked certificates and provide an effective way for checking the validity of certificates A CA may publish multiple CRLs when the number of revoked certificates is so large that publishing them in a...

Страница 496: ...f PKI The PKI technology can satisfy the security requirements of online transactions As an infrastructure PKI has a wide range of applications Here are some application examples VPN A virtual private...

Страница 497: ...ing a Certificate Request in Manual Mode Required Use either approach Retrieving a Certificate Manually Optional Configuring PKI Certificate Optional Destroying a Local RSA Key Pair Optional Deleting...

Страница 498: ...fqdn name str Optional No FQDN is specified by default Configure the IP address for the entity ip ip address Optional No IP address is specified by default Configure the locality of the entity locali...

Страница 499: ...dedicated protocol for an entity to communicate with a CA z Polling interval and count After an applicant makes a certificate request the CA may need a long period of time if it verifies the certific...

Страница 500: ...nd optional when the certificate request mode is manual In the latter case if you do not configure this command the fingerprint of the root certificate must be verified manually No fingerprint is conf...

Страница 501: ...The key pair includes a public key and a private key The private key is kept by the user while the public key is transferred to the CA along with some other information For detailed information about...

Страница 502: ...command with the pkcs10 and filename keywords and then send the file to the CA by an out of band means z Make sure the clocks of the entity and the CA are synchronous Otherwise the validity period of...

Страница 503: ...L checking CRLs will be used in verification of a certificate Configuring CRL checking enabled PKI certificate verification Follow these steps to configure CRL checking enabled PKI certificate verific...

Страница 504: ...file z Currently the URL of the CRL distribution point does not support domain name resolving Destroying a Local RSA Key Pair A certificate has a lifetime which is determined by the CA When the priva...

Страница 505: ...ive subject name attribute id alt subject name fqdn ip issuer name subject name dn fqdn ip ctn equ nctn nequ attribute value Optional There is no restriction on the issuer name certificate subject nam...

Страница 506: ...he certificate request from ra command to specify that the entity requests a certificate from an RA z The SCEP plug in is not required when RSA Keon is used In this case when configuring a PKI domain...

Страница 507: ...etrieve CRLs properly 2 Configure the switch z Configure the entity DN Configure the entity name as aaa and the common name as switch Switch system view Switch pki entity aaa Switch pki entity aaa com...

Страница 508: ...rieval success Retrieve CRLs and save them locally Switch pki retrieval crl domain torsa Connecting to server for retrieving CRL Please wait a while CRL retrieval success Request a local certificate m...

Страница 509: ...stribution Points URI http 4 4 4 133 447 myca crl Signature Algorithm sha1WithRSAEncryption 836213A4 F2F74C1A 50F4100D B764D6CE B30C0133 C4363F2F 73454D51 E9F95962 EDE9E590 E7458FA6 765A0D3F C4047BC2...

Страница 510: ...o the RA Right click on the CA server in the navigation tree and select Properties Policy Module Click Properties and then select Follow the settings in the certificate template if applicable Otherwis...

Страница 511: ...C to abort Input the bits in the modulus default 1024 Generating Keys z Apply for certificates Retrieve the CA certificate and save it locally Switch pki retrieval certificate ca domain torsa Retrievi...

Страница 512: ...C08 C5067DF9 CB4D05E6 55DC11B6 9F4C014D EA600306 81D403CF 2D93BC5A 8AF3224D 1125E439 78ECEFE1 7FA9AE7B 877B50B8 3280509F 6B Exponent 65537 0x10001 X509v3 extensions X509v3 Subject Key Identifier B68E4...

Страница 513: ...e z For detailed information about HTTPS configuration refer to HTTP Server Configuration in the System Volume z The PKI domain to be referenced by the SSL policy must be created in advance For detail...

Страница 514: ...permit mygroup2 Switch pki cert acp myacp quit 4 Apply the SSL server policy and certificate attribute based access control policy to HTTPS service and enable HTTPS service Apply SSL server policy mys...

Страница 515: ...nection is physically proper z Retrieve a CA certificate z Regenerate a key pair z Specify a trusted CA z Use the ping command to check that the RA server is reachable z Specify the authority for cert...

Страница 516: ...List 1 2 Configuring an SSL Server Policy 1 3 Configuration Prerequisites 1 3 Configuration Procedure 1 3 SSL Server Policy Configuration Example 1 4 Configuring an SSL Client Policy 1 6 Configuratio...

Страница 517: ...er and client by using the digital signatures with the authentication of the client being optional The SSL server and client obtain certificates from a certificate authority CA through the Public Key...

Страница 518: ...ing identity authentication of the server and client Through the SSL handshake protocol a session is established between a client and the server A session consists of a set of parameters including the...

Страница 519: ...nd enter its view ssl server policy policy name Required Specify a PKI domain for the SSL server policy pki domain domain name Required By default no PKI domain is specified for an SSL server policy S...

Страница 520: ...fy the client to use SSL 3 0 or TLS 1 0 to communicate with the server SSL Server Policy Configuration Example Network requirements z Device works as the HTTPS server z A host works as the client and...

Страница 521: ...for the SSL server policy as 1 Device ssl server policy myssl pki domain 1 Enable client authentication Device ssl server policy myssl client verify enable Device ssl server policy myssl quit 3 Assoc...

Страница 522: ...icy To do Use the command Remarks Enter system view system view Create an SSL client policy and enter its view ssl client policy policy name Required Specify a PKI domain for the SSL client policy pki...

Страница 523: ...e problem z If the SSL server has no certificate request one for it z If the server certificate cannot be trusted install on the SSL client the root certificate of the CA that issues the local certifi...

Страница 524: ...ymmetric Key Pair 1 2 Creating an Asymmetric Key Pair 1 2 Displaying or Exporting the Local RSA or DSA Host Public Key 1 3 Destroying an Asymmetric Key Pair 1 3 Configuring the Public Key of a Peer 1...

Страница 525: ...sent for confidentiality The cipher text is transmitted in the network and then is decrypted by the receiver to obtain the original pain text Figure 1 1 Encryption and decryption There are two types o...

Страница 526: ...Shamir Adleman Algorithm RSA and Digital Signature Algorithm DSA are all asymmetric key algorithms RSA can be used for data encryption and signature whereas DSA is used for signature only Asymmetric...

Страница 527: ...key on the screen or export it to a specified file so as to configure the local RSA or DSA host public key on the remote end Follow these steps to display or export the local RSA or DSA host public ke...

Страница 528: ...o Use the command Remarks Enter system view system view Enter public key view public key peer keyname Enter public key code view public key code begin Configure a public key of the peer Enter the key...

Страница 529: ...A Create RSA key pairs on Device A DeviceA system view DeviceA public key local create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minu...

Страница 530: ...view with public key code end DeviceB pkey key code 30819F300D06092A864886F70D010101050003818D0030818902818100D90003F A95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5...

Страница 531: ...TRL C to abort Input the bits of the modulus default 1024 Generating Keys Display the public keys of the created RSA key pairs DeviceA display public key local rsa public Time of Key pair created 09 5...

Страница 532: ...tp quit 3 Upload the public key file of Device A to Device B FTP the public key file devicea pub to Device B with the file transfer mode of binary DeviceA ftp 10 1 1 2 Trying 10 1 1 2 Press CTRL K to...

Страница 533: ...03FA95F5A44A2A2CD3F814F985 4C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A78 4AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC...

Страница 534: ...Prerequisites 2 2 Configuration Procedure 2 2 Configuring an Advanced IPv4 ACL 2 3 Configuration Prerequisites 2 3 Configuration Procedure 2 3 Configuring an Ethernet Frame Header ACL 2 5 Configuratio...

Страница 535: ...ii 4 ACL Application for Packet Filtering 4 1 Filtering IPv4 Packets 4 1 Filtering IPv6 Packets 4 1 ACL Application Example 4 2...

Страница 536: ...d ACLs refer to both IPv4 ACLs and IPv6 ACLs throughout this document Go to these sections for information you are interested in z Introduction to IPv4 ACL z Introduction to IPv6 ACL z ACL Application...

Страница 537: ...n share the same name IPv4 ACL Match Order An ACL may consist of multiple rules which specify different matching criteria These criteria may have overlapping or conflicting parts The match order is fo...

Страница 538: ...address wildcard masks are the same look at the Layer 4 port number ranges namely the TCP UDP port number ranges Then compare packets against the rule configured with the smaller port number range 5 I...

Страница 539: ...v4 ACL You can control when a rule can take effect by referencing a time range in the rule A referenced time range can be one that has not been created yet The rule however can take effect only after...

Страница 540: ...verlapping or conflicting parts The match order is for determining how a packet should be matched against the rules Two match orders are available for IPv6 ACLs z config Packets are compared against A...

Страница 541: ...nges namely the TCP UDP port number ranges Then compare packets against the rule configured with the smaller port number range 5 If the port number ranges are the same compare packets against the rule...

Страница 542: ...ime1 date1 to time2 date2 from time1 date1 to time2 date2 to time2 date2 Required Display the configuration and status of one or all time ranges display time range time range name all Optional Availab...

Страница 543: ...e ends at the latest time that the system supports namely 24 00 12 31 2100 Configuring a Basic IPv4 ACL Basic IPv4 ACLs match packets based on only source IP address They are numbered from 2000 to 299...

Страница 544: ...he match order of an ACL with the acl number acl number name acl name match order auto config command but only when the ACL does not contain any rules z The rule specified in the rule comment command...

Страница 545: ...fication z If the QoS policy is applied to the inbound direction the logging keyword is not supported z If the QoS policy is applied to the outbound direction the keywords of logging precedence icmp t...

Страница 546: ...Remarks Enter system view system view Create an Ethernet frame header ACL and enter its view acl number acl number name acl name match order auto config Required The default match order is config If y...

Страница 547: ...rules still remain the same z You can modify the match order of an ACL with the acl number acl number name acl name match order auto config command but only when the ACL does not contain any rules z T...

Страница 548: ...bout one or all IPv4 ACLs display acl acl number all name acl name Available in any view Display the usage of ACL resources display acl resource Available in any view Display the configuration and sta...

Страница 549: ...6 address They are numbered in the range 2000 to 2999 Configuration Prerequisites If you want to reference a time range in a rule define it with the time range command first Configuration Procedure Fo...

Страница 550: ...of the settings in which case the other settings remain the same z You cannot create a rule with or modify a rule to have the same permit deny statement as an existing rule in the ACL z When the ACL...

Страница 551: ...sage logging source source source prefix source source prefix any source port operator port1 port2 time range time range name Required To create or modify multiple rules repeat this step When an advan...

Страница 552: ...ing an IPv6 ACL This feature allows you to copy an existing IPv6 ACL to generate a new one which is of the same type and has the same match order rules rule numbering step and descriptions as the sour...

Страница 553: ...me Available in any view Display the usage of ACL resources display acl resource Available in any view Display the configuration and status of one or all time ranges display time range time range name...

Страница 554: ...system view system view Enter interface view interface interface type interface number Apply a basic or advanced IPv4 ACL to the interface to filter IPv4 packets packet filter acl number name acl nam...

Страница 555: ...Configuration procedure Create a time range named study setting it to become active from 08 00 to 18 00 everyday DeviceA system view DeviceA time range study 8 00 to 18 00 daily Create basic IPv4 ACL...

Страница 556: ...ace for Telnet Packets z Controlling Login Users Basic System Configuration Basic system configuration involves the configuration of device name system clock welcome message user privilege levels and...

Страница 557: ...MAC Address Table Management A switch maintains a MAC address table for fast forwarding packets This document describes z MAC address table overview z Configuring MAC Address Entries z Configuring MAC...

Страница 558: ...onfiguration z IPv6 Based VRRP configuration Cluster Management A cluster is a group of network devices Cluster management is to implement management of large numbers of distributed network devices Th...

Страница 559: ...mple 2 7 Console Port Login Configuration with Authentication Mode Being Scheme 2 9 Configuration Procedure 2 9 Configuration Example 2 10 3 Logging In Through Telnet SSH 3 1 Logging In Through Telnet...

Страница 560: ...8 Controlling Login Users 8 1 Introduction 8 1 Controlling Telnet Users 8 1 Prerequisites 8 1 Controlling Telnet Users by Source IP Addresses 8 1 Controlling Telnet Users by Source and Destination IP...

Страница 561: ...et switch supports two types of user interfaces AUX and VTY z AUX port Used to manage and monitor users logging in via the console port The device provides AUX ports of EIA TIA 232 DTE type The port i...

Страница 562: ...to uniquely specify a user interface or a group of user interfaces The numbering system starts from number 0 with a step of 1 The numbering approach numbers the two types of user interfaces in the se...

Страница 563: ...ame string Optional Display the information about the current user interface all user interfaces display users all You can execute this command in any view Display the physical attributes and configur...

Страница 564: ...methods By default you can log in to an H3C S5810 series Ethernet switch through its Console port only To log in to an Ethernet switch through its Console port the related configuration of the user te...

Страница 565: ...perTerminal in Windows 9X Windows 2000 Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally the parameters of a terminal are config...

Страница 566: ...for information about the commands Console Port Login Configuration Common Configuration Table 2 2 lists the common configuration of Console port login Table 2 2 Common configuration of Console port l...

Страница 567: ...Terminal configuration Set the timeout time of a user interface idle timeout minutes seconds Optional The default timeout time is 10 minutes Changing of Console port configuration terminates the conn...

Страница 568: ...password of a remote user are configured on the RADIUS server Refer to user manual of RADIUS server for details Manage AUX users Set service type for AUX users Required Scheme Perform common configura...

Страница 569: ...rk diagram Figure 2 5 Network diagram for AUX user interface configuration with the authentication mode being none Configuration procedure Enter system view Sysname system view Enter AUX user interfac...

Страница 570: ...By default users logging in through the Console port are not authenticated while users logging in through the Telnet need to pass the password authentication Set the local password set authentication...

Страница 571: ...n to the AUX user interface Sysname ui aux0 user privilege level 2 Set the baud rate of the Console port to 19200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain...

Страница 572: ...ystem view quit Optional By default the local AAA scheme is applied If you specify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to a...

Страница 573: ...through Telnet and your user level is set to the administrator level level 3 After you telnet to the switch you need to limit the console user at the following aspects z Configure the name of the loca...

Страница 574: ...heme Set the baud rate of the Console port to 19200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 Sysname ui aux0 screen length 30 Set the maximum number...

Страница 575: ...et Server The IP address of the VLAN of the switch is configured and the route between the switch and the Telnet terminal is available Switch The authentication mode and other settings are configured...

Страница 576: ...ubnet mask as 255 255 255 0 Sysname system view Sysname telnet server enable Sysname interface vlan interface 1 Sysname Vlan interface1 ip address 202 38 160 92 255 255 255 0 Step 2 Before Telnet user...

Страница 577: ...r to Basic System Configuration in the System Volume for information about command hierarchy Telnetting to Another Switch from the Current Switch You can Telnet to another switch from the current swit...

Страница 578: ...ion about the commands Common Configuration Table 3 2 lists the common Telnet configuration Table 3 2 Common Telnet configuration Configuration Remarks Enter system view system view Make the switch to...

Страница 579: ...terfaces Telnet Configuration with Authentication Mode Being Password Configure to authenticate users logging in to user interfaces using a local password and configure the local password Telnet Confi...

Страница 580: ...2 Network diagram Figure 3 4 Network diagram for Telnet configuration with the authentication mode being none 3 Configuration procedure Enter system view and enable the Telnet service Sysname system...

Страница 581: ...the user privilege level level command Configuration Example 1 Network requirements Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in t...

Страница 582: ...erface views user interface vty first number last number Configure to authenticate users locally or remotely authentication mode scheme Required The specified AAA scheme determines whether to authenti...

Страница 583: ...ied using the authorization attribute level level command When the RADIUS or HWTACACS authentication mode is used the user levels are set on the corresponding RADIUS or HWTACACS servers For more infor...

Страница 584: ...ame ui vty0 authentication mode scheme Configure Telnet protocol is supported Sysname ui vty0 protocol inbound telnet Set the maximum number of lines the screen can contain to 30 Sysname ui vty0 scree...

Страница 585: ...o it The modem is properly connected to PSTN Administrator side The telephone number of the switch side is available The modem is connected to the Console port of the switch properly The modem is prop...

Страница 586: ...le port be set to a value lower than the transmission speed of the modem Otherwise packets may get lost Step 3 Connect your PC the modems and the switch as shown in the following figure Figure 4 1 Est...

Страница 587: ...ter the character at anytime for help Refer to the following chapters for information about the configuration commands If you perform no AUX user related configuration on the switch the commands of le...

Страница 588: ...itch through its Console port by using a modem you will enter the AUX user interface The corresponding configuration on the switch is the same as those when logging into the switch locally through its...

Страница 589: ...4 5 Configuration on switch when the authentication mode is scheme Refer to Console Port Login Configuration with Authentication Mode Being Scheme...

Страница 590: ...e switch and the network management terminal is available Refer to the module IP Addressing and Performance and IP Routing for more Switch The user name and password for logging in to the Web based ne...

Страница 591: ...tch By default VLAN 1 is the management VLAN z Connect to the console port Refer to section Setting Up the Connection to the Console Port z Execute the following commands in the terminal window to ass...

Страница 592: ...http 10 153 17 82 Make sure the route between the Web based network management terminal and the switch is available Step 5 When the login interface shown in Figure 5 2 appears enter the user name and...

Страница 593: ...rotocol is applied between the NMS and the agent To log in to a switch through an NMS you need to perform related configuration on both the NMS and the switch Table 6 1 Requirements for logging in to...

Страница 594: ...security Specifying source IP address interfaces for Telnet packets also provides a way to successfully connect to servers that only accept packets with specific source IP addresses Specifying Source...

Страница 595: ...or Telnet packets make sure the interface already exists z Before specifying the source IP address interface for Telnet packets make sure the route between the interface and the Telnet server is reach...

Страница 596: ...net Users by Source and Destination IP Addresses Telnet By source MAC addresses Through Layer 2 ACLs Controlling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through basic ACLs Con...

Страница 597: ...ed by advanced ACL an advanced ACL ranges from 3000 to 3999 For the definition of ACL refer to ACL Configuration in the Security Volume Follow these steps to control Telnet users by source and destina...

Страница 598: ...e ACL rule rule id permit deny rule string Required You can define rules as needed to filter by specific source MAC addresses Quit to system view quit Enter user interface view user interface type fir...

Страница 599: ...nt Users by Source IP Addresses You can manage a H3C S5810 series Ethernet switch through network management software Network management users can access switches through SNMP You need to perform the...

Страница 600: ...tion privacy read view read view write view write view notify view notify view acl acl number Apply the ACL while configuring the SNMP user name snmp agent usm user v1 v2c user name group name acl acl...

Страница 601: ...ists ACLs you can control the access of Web users to the switches Prerequisites The control policies to be implemented on Web users are decided including the source IP addresses to be controlled and t...

Страница 602: ...Example Network requirements Configure a basic ACL to allow only Web users using IP address 10 110 100 52 to access the switch Figure 8 3 Configure an ACL to control the access of HTTP users to the s...

Страница 603: ...he Display of Copyright Information 1 6 Configuring a Banner 1 7 Configuring CLI Hotkeys 1 8 Configuring User Privilege Levels and Command Levels 1 9 Displaying and Maintaining Basic Configurations 1...

Страница 604: ...lly when it has no configuration file or the configuration file is damaged z Current configuration The currently running configuration on the device z Saved configuration Configurations saved in the s...

Страница 605: ...ser view system view Required Available in user view Exiting the Current View The system divides the command line interface into multiple command views which adopts a hierarchical structure For exampl...

Страница 606: ...zone and daylight saving time You can view the system clock by using the display clock command Follow these steps to configure the system clock To do Use the command Remarks Set time and date clock da...

Страница 607: ...ffset Configure clock timezone zone time add 1 Display 02 00 00 zone time Sat 01 01 2005 1 and 2 date time zone offset Configure clock datetime 2 00 2007 2 2 and clock timezone zone time add 1 Display...

Страница 608: ...0 2007 1 1 1 00 2007 8 8 2 and clock datetime 3 00 2007 1 1 Display 03 00 00 ss Mon 01 01 2007 Configure clock timezone zone time add 1 and clock summer time ss one off 1 00 2007 1 1 1 00 2007 8 8 2 D...

Страница 609: ...summer time ss one off 1 00 2008 1 1 1 00 2008 8 8 2 and clock datetime 3 00 2008 1 1 Display 03 00 00 ss Tue 01 01 2008 Enabling Disabling the Display of Copyright Information z With the display of...

Страница 610: ...e is to input all the banner information right after the command keywords The start and end characters of the input text must be the same but are not part of the banner information In this case the in...

Страница 611: ...in any view Refer to Table 1 2 for hotkeys reserved by the system By default the Ctrl G Ctrl L and Ctrl O hotkeys are configured with command line and the Ctrl T and Ctrl U commands are NULL z Ctrl G...

Страница 612: ...the right Esc N Moves the cursor down by one line available before you press Enter Esc P Moves the cursor up by one line available before you press Enter Esc Specifies the cursor as the beginning of t...

Страница 613: ...command download user management level setting as well as parameter setting within a system the last case involves those non protocol or non RFC provisioned commands Configuring user privilege level U...

Страница 614: ...refer to AAA Commands in the Security Volume z For the introduction to SSH refer to SSH 2 0 Configuration in the Security Volume 2 Example of configuring user privilege level by using AAA authenticat...

Страница 615: ...the user logging in from the current user interface user privilege level level Optional By default the user privilege level for users logging in from the console user interface is 3 and that for users...

Страница 616: ...tion and use the following commands Sysname User view commands cluster Run cluster command debugging Enable system debugging functions display Display current system information ping Ping function qui...

Страница 617: ...peration by others Users can switch from a high user privilege level to a low user privilege level without entering a password when switching from a low user privilege level to a high user privilege l...

Страница 618: ...sic Configurations To do Use the command Remarks Display information on system version display version Display information on the system clock display clock Display information on terminal users displ...

Страница 619: ...es the following features for you to configure and manage your devices z Hierarchical command protection where you can only execute the commands at your own or lower levels Refer to Configuring User P...

Страница 620: ...f description Sysname terminal debugging Send debug information to terminal logging Send log information to terminal monitor Send information output to current terminal trapping Send trap information...

Страница 621: ...d undo can form an undo command Almost every configuration command has an undo form undo commands are generally used to restore the system default disable a function or cancel a configuration For exam...

Страница 622: ...n The device provides the function to filter the output information You can specify a regular expression to search the information you need You can use these two methods to filter the output informati...

Страница 623: ...means numbers from 1 to 9 inclusive a h means from a to h inclusive A range of characters Matches any character in the specified range For example 16A can match a string containing any character among...

Страница 624: ...t in install but not t in big top character1 w Used to match character1character2 character2 must be a number letter or underline and w equals A Za z0 9_ For example v w can match vlan with v being c...

Страница 625: ...mand execution Ctrl E Moves the cursor to the end of the current line PageUp Displays information on the previous page PageDown Displays information on the next page Saving Commands in the History Buf...

Страница 626: ...f there is any You may use arrow keys to access history commands in Windows 200X and XP Terminal or Telnet However the up arrow and down arrow keys are invalid in Windows 9X HyperTerminal because they...

Страница 627: ...gh Command Lines 1 5 Upgrading the Boot File Through Command Lines 1 5 Configuring Temperature Alarm Thresholds for a Device 1 6 Clearing the 16 bit Interface Indexes Not Used in the Current System 1...

Страница 628: ...the current working state of a device configure running parameters and perform daily device maintenance and management Device Management Configuration Task List Complete these tasks to configure devi...

Страница 629: ...t off which is also called hard reboot or cold start This method impacts the device a lot Powering off a running device will cause data loss and hardware damages It is not recommended z Trigger the im...

Страница 630: ...ice or you can power off the device then power it on and the system automatically uses the backup boot file to restart the device z If you are performing file operations when the device is to be reboo...

Страница 631: ...views such as system view quit and the commands used to modify status of a user that is executing commands such as super the operation interface command view and status of the current user are not cha...

Страница 632: ...emarks upgrade the Boot ROM program on devices bootrom update file file url main backup Required Available in user view Upgrading the Boot File Through Command Lines Follow the steps to upgrade the bo...

Страница 633: ...etwork management software requires the device to provide a uniform stable 16 bit interface index That is a one to one relationship should be kept between the interface name and the interface index in...

Страница 634: ...Form factor Pluggable Generally used for 10G Ethernet interfaces Yes No XENPAK 10 Gigabit Ethernet Transceiver Package Generally used for 10G Ethernet interfaces Yes Yes Identifying pluggable transce...

Страница 635: ...of the pluggable transceiver s display transceiver alarm interface interface type interface number Available for all pluggable transceivers Display the currently measured value of the digital diagnosi...

Страница 636: ...ftware version is soft version1 for Device Upgrade the software version of Device to soft version2 and configuration file to new config at a time when few services are processed for example at 3 am th...

Страница 637: ...r note that the prompt may vary with servers Device ftp 2 2 2 2 Trying 2 2 2 2 Press CTRL K to abort Connected to 2 2 2 2 220 WFTPD 2 0 service by Texas Imperial Software ready for new user User 2 2 2...

Страница 638: ...fo Command execute auto update bat in system view will be executed at 03 00 12 11 2007 in 12 hours and 0 minutes After the device reboots use the display version command to check if the upgrade is suc...

Страница 639: ...Medium 1 5 Displaying and Maintaining the NAND Flash Memory 1 6 Setting File System Prompt Modes 1 7 File System Operations Example 1 7 2 Configuration File Management 2 1 Configuration File Overview...

Страница 640: ...cking Up the Startup Configuration File 2 7 Deleting the Startup Configuration File for the Next Startup 2 8 Restoring the Startup Configuration File 2 9 Displaying and Maintaining Device Configuratio...

Страница 641: ...ons and Setting File System Prompt Modes Filename Formats When you specify a file you must enter the filename in one of the following formats Filename formats Format Description Length Example file na...

Страница 642: ...iew Displaying the Current Working Directory To do Use the command Remarks Display the current working directory pwd Required Available in user view Changing the Current Working Directory To do Use th...

Страница 643: ...cified directory or file information displaying file contents renaming copying moving removing restoring and deleting files You can create a file by copying downloading or using the save command Displ...

Страница 644: ...storage space To delete a file in the recycle bin you need to execute the reset recycle bin command in the directory that the file originally belongs It is recommended to empty the recycle bin timely...

Страница 645: ...s not bat use the rename command to change the suffix to bat 3 Execute the batch file Follow the steps below to execute a batch file To do Use the command Remarks Enter system view system view Execute...

Страница 646: ...Displaying and repairing bad blocks It is common to have bad blocks when an NAND flash memory is shipped from the factory Bad block ratio varies with products of different vendors The frequently used...

Страница 647: ...iew Set the operation prompt mode of the file system file prompt alert quiet Optional The default is alert File System Operations Example Display the files and the subdirectories under the current dir...

Страница 648: ...1 8 Return to the upper directory Sysname cd Display the current working directory Sysname pwd flash...

Страница 649: ...initialization when the device boots If this file does not exist the system boots using null configuration that is using the default parameters z Current configuration which refers to the currently r...

Страница 650: ...tion files for the next boot of the device in the following two methods z Specify them when saving the current configuration For detailed configuration refer to Saving the Current Configuration z Spec...

Страница 651: ...tartup may be lost if the device reboots or the power supply fails In this case the device will boot with the null configuration and after the device reboots you need to re specify a startup configura...

Страница 652: ...Task List Complete these tasks to configure the configuration rollback Task Remarks Configuring Parameters for Saving the Current Running Configuration Required Saving the Current Running Configurati...

Страница 653: ...number argument if the available memory space is small Saving the Current Running Configuration Automatically You can configure the system to save the current running configuration at a specified int...

Страница 654: ...before the modification Follow the step below to save the current running configuration manually To do Use the command Remarks Save the current running configuration manually archive configuration Req...

Страница 655: ...z Use the save command If you save the current configuration to the specified configuration file in the interactive mode the system automatically sets the file as the configuration file to be used at...

Страница 656: ...p configuration file However in the case that the main and backup startup configuration files are the same if you perform the delete operation for once the system will not delete the configuration fil...

Страница 657: ...can use the display startup command in user view to verify that the filename of the configuration file to be used at the next system startup is the same with that specified by the filename argument a...

Страница 658: ...n ACL 1 2 Displaying and Maintaining HTTP 1 3 2 HTTPS Configuration 2 1 HTTPS Overview 2 1 HTTPS Configuration Task List 2 1 Associating the HTTPS Service with an SSL Server Policy 2 2 Enabling the HT...

Страница 659: ...y the port number is 80 2 The client sends a request to the server 3 The server processes the request and sends back a response 4 The TCP connection is closed Logging In to the Device Through HTTP You...

Страница 660: ...system view Configure the port number of the HTTP service ip http port port number Required By default the port number of the HTTP service is 80 If you execute the ip http port command for multiple t...

Страница 661: ...ACLs the HTTP service is only associated with the last specified ACL z For the detailed introduction to ACL refer to ACL Configuration in the Security Volume Displaying and Maintaining HTTP To do Use...

Страница 662: ...ss the device securely and prohibit the illegal clients z Encrypts the data exchanged between the HTTPS client and the device to ensure the data security and integrity thus realizing the security mana...

Страница 663: ...nly associated with the last specified SSL server policy z When the HTTPS service is disabled the association between the HTTPS service and the SSL server is automatically removed To enable it again y...

Страница 664: ...ssociate the HTTPS service with a certificate attribute access control policy To do Use the command Remarks Enter system view system view Associate the HTTPS service with a certificate attribute acces...

Страница 665: ...ter system view system view Associate the HTTPS service with an ACL ip https acl acl number Required Not associated by default z If you execute the ip https acl command for multiple times to associate...

Страница 666: ...pki entity en quit Configure a PKI domain Device pki domain 1 Device pki domain 1 ca identifier new ca Device pki domain 1 certificate request url http 10 1 2 2 8080 certsrv mscep mscep dll Device pki...

Страница 667: ...PS service with the SSL server policy myssl Device ip https ssl server policy myssl 5 Associate the HTTPS service with a certificate attribute access control policy Associate the HTTPS service with ce...

Страница 668: ...uction to SNMP Logging 1 5 Enabling SNMP Logging 1 5 Configuring SNMP Trap 1 6 Enabling the Trap Function 1 6 Configuring Trap Parameters 1 7 Displaying and Maintaining SNMP 1 8 SNMPv1 SNMPv2c Configu...

Страница 669: ...NMP makes the management tasks independent of both the physical features of the managed devices and the underlying networking technologies Thus SNMP achieves effective management of devices from diffe...

Страница 670: ...used to encrypt packets between the NMS and agents preventing the packets from being intercepted USM ensures a more secure communication between SNMP NMS and SNMP agent by authentication with privacy...

Страница 671: ...s follows Hangzhou H3C Technologies Co Ltd for contact Hangzhou China for location and SNMPv1 SNMPv2c SNMPv3 for the version Configure a local engine ID for an SNMP entity snmp agent local engineid en...

Страница 672: ...sys location version v1 v2c v3 all Required The defaults are as follows Hangzhou H3C Technologies Co Ltd for contact Hangzhou China for location and SNMPv1 SNMPv2c SNMPv3 for the version Configure a l...

Страница 673: ...value configured and the error code and error index of the SET response These logs will be sent to the information center and the level of them is informational that is they are taken as the system p...

Страница 674: ...ules as needed With the trap function enabled on a module the traps generated by the module will be sent to the information center The information center has seven information output destinations By d...

Страница 675: ...in the trap queue You can set the size of the queue and the holding time of the traps in the queue and you can also send the traps to the specified destination host usually the NMS Follow these steps...

Страница 676: ...e ID display snmp agent local engineid Display SNMP agent group information display snmp agent group group name Display basic information of the trap queue display snmp agent trap queue Display the mo...

Страница 677: ...e sending of traps to the NMS with an IP address of 1 1 1 2 24 using public as the community name Sysname snmp agent trap enable Sysname snmp agent target host trap address udp domain 1 1 1 2 udp port...

Страница 678: ...ser v3 managev3user managev3group authentication mode md5 authkey privacy mode des56 prikey Configure the contact person and physical location information of the Switch Sysname snmp agent sys info con...

Страница 679: ...ou can omit this configuration Sysname terminal monitor Sysname terminal logging Enable the information center to output the system information with the severity level equal to or higher than informat...

Страница 680: ...Index Error index with 0 meaning no error errorstatus Error status with noError meaning no error value Value set when the SET operation is performed This field is null meaning the value obtained with...

Страница 681: ...MIB style may vary depending on the device model To implement NMS s flexible management of the device the device allows you to configure the MIB style that is you can switch between the two styles of...

Страница 682: ...RMON Statistics Function 1 3 Configuration Prerequisites 1 3 Configuring the RMON Ethernet Statistics Function 1 4 Configuring the RMON History Statistics Function 1 4 Configuring the RMON Alarm Funct...

Страница 683: ...packets reaches a certain value Both the RMON protocol and the simple network management protocol SNMP are used for remote network management z The RMON is implemented on the basis of the SNMP which i...

Страница 684: ...roup The event group defines event indexes and controls the generation and notifications of the events triggered by the alarms defined in the alarm group and the private alarm group The events can be...

Страница 685: ...atistics on various traffic information on the interface at present only Ethernet interfaces are supported and saves the statistics in the Ethernet statistics table ethernetStatsTable for query conven...

Страница 686: ...terface interface type interface number Create an entry in the RMON history control table rmon history entry number buckets number interval sampling interval owner text Required z The entry number mus...

Страница 687: ...umber description string log log trap log trapcommunity none trap trap community owner text Required Create an entry in the alarm table rmon alarm entry number alarm variable sampling interval absolut...

Страница 688: ...tics interface type interface number Available in any view Display the RMON history control entry and history sampling information display rmon history interface type interface number Available in any...

Страница 689: ...CRCAlignErrors 0 etherStatsCollisions 0 etherStatsDropEvents insufficient resources 0 Packets received according to length 64 235 65 127 67 128 255 4 256 511 1 512 1023 0 1024 1518 0 Create an event t...

Страница 690: ...ies 1 2 MAC Address Table Based Frame Forwarding 1 2 Configuring MAC Address Table Management 1 3 Configuring MAC Address Table Entries 1 3 Configuring the Aging Timer for Dynamic MAC Address Entries...

Страница 691: ...MAC address table entry can be dynamically learned or manually configured Dynamically learning MAC address entries Usually a device can populate its MAC address table automatically by learning the sou...

Страница 692: ...s of MAC Address Table Entries A MAC address table may contain these types of entries z Static entries which are manually configured and never age out z Dynamic entries which can be manually configure...

Страница 693: ...e steps to add modify or remove entries in the MAC address table globally To do Use the command Remarks Enter system view system view Add modify a MAC address entry mac address dynamic static mac addr...

Страница 694: ...e MAC Learning Limit Configuring the MAC learning limit on ports As the MAC address table is growing the forwarding performance of your device may degrade To prevent the MAC address table from getting...

Страница 695: ...ddress entries display mac address aging time Display MAC address statistics display mac address statistics Available in any view MAC Address Table Management Configuration Example Network requirement...

Страница 696: ...nd Debugging 1 1 Ping 1 1 Introduction 1 1 Configuring Ping 1 1 Ping Configuration Example 1 2 Tracert 1 4 Introduction 1 4 Configuring Tracert 1 4 System Debugging 1 5 Introduction to System Debuggin...

Страница 697: ...ping function is implemented through the Internet Control Message Protocol ICMP 1 The source device sends an ICMP echo request to the destination device 2 The source device determines whether the des...

Страница 698: ...Device A to Device C Figure 1 1 Ping network diagram Configuration procedure Use the ping command to display whether an available route exists between Device A and Device C DeviceA ping 1 1 2 2 PING...

Страница 699: ...atistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 11 53 ms The principle of ping r is as shown in Figure 1 1 1 The source Device A sends an ICMP echo reques...

Страница 700: ...s the packet responds by sending a TTL expired ICMP error message to the source with its IP address 1 1 1 2 encapsulated In this way the source device can get the address 1 1 1 2 of the first Layer 3...

Страница 701: ...ocol debugging switch which controls protocol specific debugging information z Screen output switch which controls whether to display the debugging information on a certain screen As Figure 1 3 illust...

Страница 702: ...minal is disabled by default Available in user view Enable the terminal display of debugging information terminal debugging Required Disabled by default Available in user view Enable debugging for a s...

Страница 703: ...eviceA ip ttl expires enable DeviceA ip unreachables enable DeviceA tracert 1 1 2 2 traceroute to 1 1 2 2 1 1 2 2 30 hops max 40 bytes packet press CTRL_C to bre ak 1 1 1 1 2 14 ms 10 ms 20 ms 2 3 4 5...

Страница 704: ...tem Information to a Log Host 1 9 Outputting System Information to the Trap Buffer 1 10 Outputting System Information to the Log Buffer 1 11 Outputting System Information to the SNMP Module 1 12 Confi...

Страница 705: ...rs and developers in monitoring network performance and diagnosing network problems The following describes the working process of information center z Receives the log trap and debugging information...

Страница 706: ...enormous information waiting for processing Classification of system information The system information of the information center falls into three types z Log information z Trap information z Debuggin...

Страница 707: ...nels and output destinations can be changed through commands Besides you can configure channels 7 8 and 9 without changing the default configuration of the seven channels Table 1 2 Information channel...

Страница 708: ...d to be output to the log file log information with severity level equal to or higher than informational is allowed to be output to the log host log information with severity level equal to or higher...

Страница 709: ...or log file the system information is in the following format timestamp sysname module level digest content For example a monitor terminal connects to the device When a terminal logs in to the device...

Страница 710: ...ify the system name Refer to Basic System Configuration Commands in the System Volume for details This field is a preamble used to identify a vendor It is displayed only when the output destination is...

Страница 711: ...System Information to the SNMP Module Optional Configuring Synchronous Information Output Optional Outputting System Information to the Console Outputting system information to the console To do Use...

Страница 712: ...by default Enable the display of log information on the console terminal logging Optional Enabled by default Enable the display of trap information on the console terminal trapping Optional Enabled by...

Страница 713: ...rminal Follow these steps to enable the display of system information on a monitor terminal To do Use the command Remarks Enable the monitoring of system information on a monitor terminal terminal mon...

Страница 714: ...l Refer to Default output rules of system information Specify the source IP address for the log information info center loghost source interface type interface number Optional By default the source in...

Страница 715: ...none Optional The time stamp format for log trap and debugging information is date by default Outputting System Information to the Log Buffer You can configure to output log trap and debugging inform...

Страница 716: ...aps to the SNMP module and then set the trap sending parameters for the SNMP module to further process traps For details refer to SNMP Configuration in the System Volume Follow these steps to configur...

Страница 717: ...n such as log information is output before you input any information under the current command line prompt the system will not display the command line prompt after the system information output z If...

Страница 718: ...Display the information of each output destination display info center Available in any view Display the state of the log buffer and the log information recorded display logbuffer reverse level sever...

Страница 719: ...channel loghost in this example first and then configure the output rule as needed so that unnecessary information will not be output Configure the information output rule allow log information of AR...

Страница 720: ...e process ID of syslogd kill the syslogd process and then restart syslogd using the r option to make the modified configuration take effect ps ae grep syslogd 147 kill HUP 147 syslogd r After the abov...

Страница 721: ...Device info log Step 3 Edit file etc syslog conf and add the following contents Device configuration messages local5 info var log Device info log In the above configuration local5 is the name of the l...

Страница 722: ...ut of log trap and debugging information of all modules on channel console Sysname info center source default channel console debug state off log state off trap state off As the default system configu...

Страница 723: ...nal monitor Info Current terminal monitor is on Sysname terminal logging Info Current terminal logging is on After the above configuration takes effect if the specified module generates log informatio...

Страница 724: ...ration Between the Track Module and the Interface Management Module 1 2 Configuring Collaboration Between the Track Module and the Application Modules 1 3 Configuring Track VRRP Collaboration 1 3 Conf...

Страница 725: ...h the Track module More specifically the detection modules probe the link status network performance and so on and inform the application modules of the detection result through the Track module After...

Страница 726: ...laboration between the Track module and the detection modules and between the Track module and the application modules Complete these tasks to configure Track module Task Remarks Configuring Collabora...

Страница 727: ...reases by a specified value allowing a higher priority router in the VRRP group to become the master to maintain proper communication between the hosts in the LAN and the external network z Monitor th...

Страница 728: ...tored Track object can be nonexistent so that you can first specify the Track object to be monitored using the vrrp vrid track command and then create the Track object using the track command z Refer...

Страница 729: ...er you use the track command to create the Track object the association takes effect z If a static route needs route recursion the associated Track object must monitor the next hop of the recursive ro...

Страница 730: ...iew SwitchA track 1 interface vlan interface 3 protocol ipv4 3 Configure a Track object on Switch A Configure Track object 1 and associate it with Reaction entry 1 of the NQA test group with the admin...

Страница 731: ...ost A and you can see that Host B is reachable Use the display vrrp command to view the configuration result Display detailed information about VRRP group 1 on Switch A SwitchA Vlan interface2 display...

Страница 732: ...eempt Mode Yes Delay Time 5 Auth Type Simple Key hello Virtual IP 10 1 1 10 Master IP 10 1 1 2 VRRP Track Information Track Object 1 State Negative Pri Reduced 30 Display detailed information about VR...

Страница 733: ...as shown in Figure 1 3 2 Configure a static route on Switch A and associate it with the Track object Configure the address of the next hop of the static route to Switch C as 10 2 1 1 and configure the...

Страница 734: ...3 SwitchB Vlan interface3 undo ip address Display information of the Track object on Switch A SwitchA display track all Track ID 1 Status Negative Reference object Track interface Interface status In...

Страница 735: ...e for NTP Messages 1 10 Disabling an Interface from Receiving NTP Messages 1 11 Configuring the Maximum Number of Dynamic Sessions Allowed 1 11 Configuring Access Control Rights 1 12 Configuration Pre...

Страница 736: ...within a network by changing the system clock on each station because this is a huge amount of workload and cannot guarantee the clock precision NTP however allows quick clock synchronization within...

Страница 737: ...ce B Device A Device B Device A 10 00 00 am 11 00 01 am 10 00 00 am NTP message 10 00 00 am 11 00 01 am 11 00 02 am NTP message NTP message NTP message received at 10 00 03 am 1 3 2 4 The process of s...

Страница 738: ...fields are described as follows z LI 2 bit leap indicator When set to 11 it warns of an alarm condition clock unsynchronized when set to any other value it is not to be processed by NTP z VN 3 bit ve...

Страница 739: ...synchronization in one of the following modes z Client server mode z Symmetric peers mode z Broadcast mode z Multicast mode You can select operation modes of NTP as needed In case that the IP address...

Страница 740: ...ends a request Clock synchronization message exchange Mode 3 and Mode 4 Periodically broadcasts clock synchronization messages Mode 5 Calculates the network delay between client and the server and ent...

Страница 741: ...o exchange messages with the Mode field set to 3 client mode and 4 server mode to calculate the network delay between client and the server Then the client enters the multicast client mode and continu...

Страница 742: ...a server the system will create a static association and the server will just respond passively upon the receipt of a message rather than creating an association static or dynamic In the symmetric mo...

Страница 743: ...ou need to specify a symmetric passive peer on a symmetric active peer Following these steps to configure a symmetric active device To do Use the command Remarks Enter system view system view Specify...

Страница 744: ...mber Required Enter the interface used to receive NTP broadcast messages Configure the device to work in the NTP broadcast client mode ntp service broadcast client Required Configuring the broadcast s...

Страница 745: ...authentication keyid keyid ttl ttl number version number Required z A multicast server can synchronize broadcast clients only after its clock has been synchronized z You can configure up to 1024 mult...

Страница 746: ...command the source interface of the broadcast or multicast NTP messages is the interface configured with the respective command Disabling an Interface from Receiving NTP Messages When NTP is enabled...

Страница 747: ...full access This level of right permits the peer devices to perform synchronization and control query to the local device and also permits the local device to synchronize its clock to that of a peer d...

Страница 748: ...he symmetric peer mode Otherwise the NTP authentication feature cannot be normally enabled z For the broadcast server mode or multicast server mode you need to associate the specified authentication k...

Страница 749: ...er Follow these steps to configure NTP authentication for a server To do Use the command Remarks Enter system view system view Enable NTP authentication ntp service authentication enable Required Disa...

Страница 750: ...ce display ntp service trace Available in any view NTP Configuration Examples Configuring NTP Client Server Mode Network requirements z The local clock of Device A is to be used as a reference source...

Страница 751: ...B has been synchronized to Device A and the clock stratum level of Device B is 3 while that of Device A is 2 View the NTP session information of Device B which shows that an association has been set u...

Страница 752: ...UTC Sep 19 2005 C6D95647 153F7CED As shown above Device B has been synchronized to Device A and the clock stratum level of Device B is 3 while that of Device C is 1 3 Configuration on Device C after D...

Страница 753: ...3 0 1 32 3 0 1 31 3 3 64 16 6 4 4 8 1 0 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 Configuring NTP Broadcast Mode Network requirements z Switch C s lo...

Страница 754: ...chronization SwitchD Vlan interface2 display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 3 0 1 31 Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock p...

Страница 755: ...nfigure Switch D to work in the multicast client mode and receive multicast messages on VLAN interface 2 SwitchD system view SwitchD interface vlan interface 2 SwitchD Vlan interface2 ntp service mult...

Страница 756: ...ks in the client mode and Device A is to be used as the NTP server of Device B with Device B as the client z NTP authentication is to be enabled on both Device A and Device B Figure 1 11 Network diagr...

Страница 757: ...stratum level of Device B is 3 while that of Device A is 2 View the NTP session information of Device B which shows that an association has been set up Device B and Device A DeviceB display ntp servic...

Страница 758: ...itchD ntp service authentication enable SwitchD ntp service authentication keyid 88 authentication mode md5 123456 SwitchD ntp service reliable authentication keyid 88 Configure Switch D to work in th...

Страница 759: ...atum level of Switch D is 4 while that of Switch C is 3 View the NTP session information of Switch D which shows that an association has been set up between Switch D and Switch C SwitchD Vlan interfac...

Страница 760: ...ion Between Virtual IP Address and MAC Address 1 8 Creating VRRP Group and Configuring Virtual IP Address 1 8 Configuring Router Priority Preemptive Mode and Tracking Function 1 9 Configuring VRRP Pac...

Страница 761: ...th the gateway as the next hop for every host on a network segment All packets destined to other network segments are sent over the default route to the gateway and then be forwarded by the gateway Ho...

Страница 762: ...bines a group of routers including a master and multiple backups on a LAN into a virtual router called VRRP group A VRRP group has the following features z A virtual router has an IP address A host on...

Страница 763: ...s assigned a higher priority later z Preemptive mode When a backup finds its priority higher than that of the master the backup sends VRRP advertisements to start a new master election in the VRRP gro...

Страница 764: ...re its existence VRRP packets are also used for checking the parameters of the virtual router and electing the master Figure 1 3 Format of a VRRPv2 packet As shown in Figure 1 3 an IPv4 based VRRP pac...

Страница 765: ...ity of VRRP It provides backup not only when the interface to which a VRRP group is assigned fails but also when other interfaces such as uplink interfaces on the router become unavailable If the upli...

Страница 766: ...refore can forward packets to external networks whereas Router B and Router C are backups and are thus in the state of listening If Router A fails Router B and Router C elect for a new master The new...

Страница 767: ...e backups For load sharing among Router A Router B and Router C hosts on the LAN need to be configured to use VRRP group 1 2 and 3 as the default gateways respectively When configuring VRRP priorities...

Страница 768: ...the packets from a host are forwarded to the IP address owner according the real MAC address Follow these steps to configure the association between MAC address and virtual IP address To do Use the co...

Страница 769: ...nterface on the IP address owner to resolve the collision z The virtual IP address of the VRRP group cannot be 0 0 0 0 255 255 255 255 loopback addresses non class A B C addresses or other illegal IP...

Страница 770: ...ptional Not configured by default z The running priority of an IP address owner is always 255 and you do not need to configure it An IP address owner always works in the preemptive mode z Do not confi...

Страница 771: ...fic or different timer setting on routers can cause the Backup timer to time out abnormally and trigger a change of the state To solve this problem you can prolong the time interval to send VRRP packe...

Страница 772: ...examples z Single VRRP Group Configuration Example z VRRP Interface Tracking Configuration Example z Multiple VRRP Group Configuration Example Single VRRP Group Configuration Example Network requirem...

Страница 773: ...address to be 202 38 160 111 SwitchB Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Set Switch B to work in preemptive mode The preemption delay is five seconds SwitchB Vlan interface2 vrrp vri...

Страница 774: ...n Mode Standard Run Method Virtual MAC Total number of virtual routers 1 Interface Vlan interface2 VRID 1 Adver Timer 1 Admin Status Up State Master Config Pri 100 Running Pri 100 Preempt Mode Yes Del...

Страница 775: ...11 Configure the priority of Switch A in the VRRP group to 110 SwitchA Vlan interface2 vrrp vrid 1 priority 110 Configure the authentication mode of the VRRP group as simple and authentication key as...

Страница 776: ...g Pri 110 Preempt Mode Yes Delay Time 0 Auth Type Simple Key hello Virtual IP 202 38 160 111 Virtual MAC 0000 5e00 0101 Master IP 202 38 160 1 VRRP Track Information Track Interface Vlan3 State Up Pri...

Страница 777: ...rface2 VRID 1 Adver Timer 5 Admin Status Up State Master Config Pri 100 Running Pri 100 Preempt Mode Yes Delay Time 0 Auth Type Simple Key hello Virtual IP 202 38 160 111 Virtual MAC 0000 5e00 0101 Ma...

Страница 778: ...vlan 2 SwitchA vlan2 port gigabitethernet 1 0 5 SwitchA vlan2 quit SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 202 38 160 1 255 255 255 128 Create a VRRP group 1 and set its...

Страница 779: ...p 2 to 110 SwitchB Vlan interface3 vrrp vrid 2 priority 110 3 Verify the configuration You can use the display vrrp verbose command to verify the configuration Display detailed information of the VRRP...

Страница 780: ...the Internet through Switch A in VRRP group 2 Switch A is the backup Switch B is the master and hosts with the default gateway of 202 38 160 200 25 accesses the Internet through Switch B Troubleshooti...

Страница 781: ...t their configurations are consistent in terms of number of virtual IP addresses virtual IP addresses advertisement interval and authentication Symptom 3 Frequent VRRP state transition Analysis The VR...

Страница 782: ...een the Management Device and the Member Devices Within a Cluster 1 11 Configuring Cluster Management Protocol Packets 1 11 Cluster Member Management 1 12 Configuring the Member Devices 1 13 Enabling...

Страница 783: ...configuration and management tasks By configuring a public IP address on one device you can configure and manage a group of devices without the trouble of logging in to each device separately z Provid...

Страница 784: ...r A member device becomes a candidate device after it is removed from the cluster How a Cluster Works Cluster management is implemented through HW Group Management Protocol version 2 HGMPv2 which cons...

Страница 785: ...NDP information of all the devices in a specific network range as well as the connection information of all its neighbors The information collected will be used by the management device or the network...

Страница 786: ...Disconnect Connect z After a cluster is created a candidate device is added to the cluster and becomes a member device the management device saves the state information of its member device and identi...

Страница 787: ...vice and the member candidate devices including the cascade ports Therefore z If the packets from the management VLAN cannot pass a port the device connected with the port cannot be added to the clust...

Страница 788: ...Enabling NDP Optional Enabling NTDP Optional Manually Collecting Topology Information Optional Enabling the Cluster Function Optional Configuring the Member Devices Deleting a Member Device from a Cl...

Страница 789: ...ndp enable Use either command By default NDP is enabled globally and also on all ports You are recommended to disable NDP on the port which connects with the devices that do not need to join the clust...

Страница 790: ...om adding the device which needs not to join the cluster and collecting the topology information of this device Configuring NTDP Parameters By configuring the maximum hops for collecting topology info...

Страница 791: ...s the request according to the delays Manually Collecting Topology Information The management device collects topology information periodically after a cluster is created In addition you can configure...

Страница 792: ...tem view system view Specify the management VLAN management vlan vlan id Optional By default VLAN 1 is the management VLAN Enter cluster view cluster Configure the private IP address range for member...

Страница 793: ...ter Configure the interval to send handshake packets timer interval Optional 10 seconds by default Configure the holdtime of a device holdtime hold time Optional 60 seconds by default Configuring Clus...

Страница 794: ...date device to a cluster or remove a member device from a cluster If a member device needs to be rebooted for software upgrade or configuration update you can remotely reboot it through the management...

Страница 795: ...er device from the cluster undo administrator address Required Configuring Access Between the Management Device and Its Member Devices After having successfully configured NDP NTDP and cluster you can...

Страница 796: ...ication failure z If the member specified in this command does not exist the system prompts error when you execute the command if the switching succeeds your user level on the management device is ret...

Страница 797: ...e are usually newly added nodes whose identities are to be confirmed by the administrator You can back up and restore the whitelist in the following two ways z Backing them up on the FTP server shared...

Страница 798: ...eraction for a cluster To do Use the command Remarks Enter system view system view Enter cluster view cluster Configure the FTP server shared by the cluster ftp server ip address user name username pa...

Страница 799: ...d by a cluster is ViewDefault and a cluster can access the ISO subtree Add a user for the SNMPv3 group shared by a cluster cluster snmp agent usm user v3 user name group name authentication mode md5 s...

Страница 800: ...splay ntdp device list verbose Display the detailed NTDP information of a specified device display ntdp single device mac address mac address Display information of the cluster to which the current de...

Страница 801: ...or in the cluster The LED displays S The current device is a member of the cluster Unit Steady green The LED displays c The current device is a candidate of the cluster Cluster Management Configuratio...

Страница 802: ...terface gigabitethernet 1 0 1 SwitchA GigabitEthernet1 0 1 ntdp enable SwitchA GigabitEthernet1 0 1 quit Enable the cluster function SwitchA cluster enable 2 Configure the member device Switch C As th...

Страница 803: ...to forward topology collection request packets on the first port as 15 ms SwitchB ntdp timer port delay 15 Configure the interval to collect topology information as 3 minutes SwitchB ntdp timer 3 Con...

Страница 804: ...for the cluster abc_0 SwitchB cluster ftp server 63 172 55 1 abc_0 SwitchB cluster tftp server 63 172 55 1 abc_0 SwitchB cluster logging host 69 172 55 4 abc_0 SwitchB cluster snmp host 69 172 55 4 Ad...

Страница 805: ...Configuring the Master Device of a Stack 1 3 Configuring a Private IP Address Pool for a Stack 1 3 Configuring Stack Ports 1 3 Creating a Stack 1 3 Configuring Stack Ports of a Slave Device 1 4 Loggi...

Страница 806: ...stack management can help reduce customer investments and simplify network management Introduction to Stack A stack is a management domain that comprises several network devices connected to one anoth...

Страница 807: ...ices as stack ports z The master device automatically adds the slave devices into the stack and assigns a number for each stack member z The administrator can log in to any slave device from the maste...

Страница 808: ...the number of devices to be added to the stack Otherwise some devices may not be able to join the stack automatically for lack of private IP addresses Configuring Stack Ports On the master device con...

Страница 809: ...t After a device joins a stack and becomes a slave device of the stack the prompt changes to stack_n Sysname where n is the stack number assigned by the master device and Sysname is the system name of...

Страница 810: ...s Description Unit Steady green The LED displays the specific numbers The member ID of the device Stack Configuration Example Stack Configuration Example Network requirements z As shown in Figure 1 2...

Страница 811: ...tethernet 1 0 52 On Switch C configure local port Ten GigabitEthernet 1 0 51 and Ten GigabitEthernet 1 0 52 as a stack port SwitchC system view SwitchC stack stack port 2 port ten gigabitethernet 1 0...

Страница 812: ...1 7 Role Slave Sysname stack_3 DeviceD Device type S5810 50S MAC address 000f e200 1003...

Страница 813: ...l Networking of Automatic Configuration 1 1 How Automatic Configuration Works 1 2 Work Flow of Automatic Configuration 1 2 Obtaining the IP Address of an Interface and Related Information Through DHCP...

Страница 814: ...rs can save the configuration files on a specified server and the device can automatically obtain and execute the configuration files therefore greatly reducing the workload of administrators Typical...

Страница 815: ...IP address and name of a TFTP server IP address of a DNS server and the configuration file name 2 After getting related parameters the device will send a TFTP request to obtain the configuration file...

Страница 816: ...nformation for example the configuration file name domain name and IP address of the TFTP server and DNS server needed for obtaining the automatic configuration files that the device can obtain from t...

Страница 817: ...re an IP address is statically bound to the MAC address or ID of the client and assign the statically bound IP address and other configuration parameters to the client You can configure an address all...

Страница 818: ...z The configuration file specified by the Option 67 or file field in the DHCP response z The intermediate file with the file name as network cfg used to save the mapping between the IP address and th...

Страница 819: ...its host name first and then requests the configuration file corresponding with the host name The device can obtain its host name in two steps obtaining the intermediate file from the TFTP server and...

Страница 820: ...to the specified TFTP server if the device performs the automatic configuration and the TFTP server are not in the same segment because broadcasts can only be transmitted in a segment For the detailed...

Результаты поиска

Содержание S5810 Series

Отзывы:

Похожие инструкции для S5810 Series

Бренды по названию

Популярные бренды

H3C S5810 Series, Руководство по эксплуатации

Результаты поиска

Содержание S5810 Series

Отзывы:

Похожие инструкции для S5810 Series

Бренды по названию

Популярные бренды