HP Compaq Presario,Presario 1910 Скачать руководство пользователя страница 463 | Manualshive

Страница: 463 / 578

HP Compaq Presario,Presario 1910 Скачать руководство пользователя страница 463

450

Figure 432

PKI architecture

•

PKI entity

—A PKI entity is an end user or host using PKI certificates. The PKI entity can be an

operator, an organization, a device like a router or a switch, or a process running on a computer.

•

CA

—A CA is a trusted authority that issues and manages digital certificates. A CA issues

certificates, defines the certificate validity periods, and revokes certificates by publishing CRLs.

•

RA

—A registration authority (RA) is an extended part of a CA or an independent authority. An RA

can implement functions including identity authentication, CRL management, key pair generation

and key pair backup. It only examines the qualifications of users; it does not sign certificates.

Sometimes, a CA assumes the registration management responsibility and no independent RA

exists. The PKI standard recommends that an independent RA be used for registration management

to achieve higher security of application systems.

•

Repository

—A PKI repository can be a Lightweight Directory Access Protocol (LDAP) server or a

common database. It stores and manages information like certificate requests, certificates, keys,

CRLs and logs, and it provides a simple query function.

LDAP is a protocol for accessing and managing PKI information. An LDAP server stores user
information and digital certificates from the RA server and provides directory navigation service.

From an LDAP server, an entity can retrieve digital certificates of its own and other entities.

PKI applications

The PKI technology can meet the security requirements of online transactions. As an infrastructure, PKI

has a wide range of applications. Here are some application examples.

•

VPN

—A VPN is a private data communication network built on the public communication

infrastructure. A VPN can leverage network layer security protocols (for example, IPsec) in
conjunction with PKI-based encryption and digital signature technologies for confidentiality.

•

Secure emails

—PKI can address the email requirements for confidentiality, integrity, authentication,

and non-repudiation. A common secure email protocol is Secure/Multipurpose Internet Mail

Extensions (S/MIME), which is based on PKI and allows for transfer of encrypted mails with

signature.

•

Web

security

—The SSL protocol can be used to establish a secure connection between a client and

a Web server. During the SSL handshake, both parties can use PKI to identity the peer identity by
digital certificates.

«
...
461
462
463
464
465
...
»

Содержание Compaq Presario,Presario 1910

Страница 1: ...HP 1910 Gigabit Ethernet Switch Series User Guide Part number 5998 2269 Software version Release 1513 Document version 6W100 20130830 ...

Страница 2: ...MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing performance or use of this material The only warranties for HP products and services are set forth in the express warranty statements accompan...

Страница 3: ...switch at the CLI 23 Getting started with the CLI 23 Setting up the configuration environment 23 Setting terminal parameters 24 Logging in to the CLI 27 CLI commands 27 initialize 28 ipsetup 28 ipsetup ipv6 29 password 29 ping 30 ping ipv6 30 quit 31 reboot 32 summary 32 telnet 33 upgrade 34 upgrade ipv6 35 Configuration example for upgrading the system software image at the CLI 35 Configuration w...

Страница 4: ...nic label 60 Displaying diagnostic information 60 Configuring system time 62 Overview 62 Displaying the current system time 62 Manually configuring the system time 62 Configuring the system time by using NTP 63 System time configuration example 64 Network requirements 64 Configuring the system time 65 Verifying the configuration 65 Configuration guidelines 65 Configuring syslog 67 Overview 67 Disp...

Страница 5: ...ure 90 Managing users 94 Adding a local user 94 Setting the super password 95 Switching to the management level 96 Configuring a loopback test 97 Overview 97 Configuration restrictions and guidelines 97 Configuration procedure 97 Configuring VCT 99 Overview 99 Testing cable status 99 Configuring the flow interval 100 Overview 100 Setting the traffic statistics generating interval 100 Viewing port ...

Страница 6: ...isplaying interface statistics 144 Overview 144 Configuration procedure 144 Configuring VLANs 146 Overview 146 VLAN fundamentals 146 VLAN types 147 Port based VLAN 148 Recommended VLAN configuration procedures 149 Assigning an access port to a VLAN 149 Assigning a trunk port to a VLAN 150 Assigning a hybrid port to a VLAN 150 Creating VLANs 151 Configuring the link type of a port 152 Setting the P...

Страница 7: ...TP 190 STP 190 STP protocol packets 190 Basic concepts in STP 190 How STP works 191 RSTP 197 MSTP 198 MSTP features 198 MSTP basic concepts 198 How MSTP works 202 MSTP implementation on devices 203 Protocols and standards 203 Configuration restrictions and guidelines 203 Recommended MSTP configuration procedure 203 Configuring an MST region 204 Configuring MSTP globally 205 Configuring MSTP on a p...

Страница 8: ... 263 ARP table 264 Gratuitous ARP 265 Configuring ARP entries 265 Displaying ARP entries 265 Creating a static ARP entry 266 Removing ARP entries 267 Configuring gratuitous ARP 267 Static ARP configuration example 268 Network Requirements 268 Configuring Switch A 268 Configuring ARP attack protection 272 Overview 272 User validity check 272 ARP packet validity check 272 Configuring ARP detection 2...

Страница 9: ...ents 310 Configuration considerations 310 Configuration procedure 310 Verifying the configuration 313 Configuration guidelines 314 IPv6 management 315 Enabling IPv6 service 315 DHCP overview 316 DHCP address allocation 316 Allocation mechanisms 316 Dynamic IP address allocation process 317 IP address lease extension 317 DHCP message format 318 DHCP options 319 Common DHCP options 319 Relay agent o...

Страница 10: ...ed protocols 348 Packet formats 349 EAP over RADIUS 350 Initiating 802 1X authentication 350 802 1X authentication procedures 351 802 1X timers 355 Using 802 1X authentication with other features 356 Configuration prerequisites 358 Recommended configuration procedure 358 Configuring 802 1X globally 358 Configuring 802 1X on a port 360 Configuration guidelines 360 Configuration procedure 360 Config...

Страница 11: ...yer 2 portal authentication 407 Configuring direct portal authentication 415 Configuring cross subnet portal authentication 421 Configuring RADIUS 428 Overview 428 Client Server model 428 Security and authentication mechanisms 429 Basic RADIUS message exchange process 429 RADIUS packet format 430 Extended RADIUS attributes 432 Protocols and standards 433 Recommended RADIUS configuration procedure ...

Страница 12: ...s 477 Recommended ACL configuration procedures 477 Recommended IPv4 ACL configuration procedure 477 Recommended IPv6 ACL configuration procedure 478 Configuring a time range 478 Adding an IPv4 ACL 479 Configuring a rule for a basic IPv4 ACL 480 Configuring a rule for an advanced IPv4 ACL 482 Configuring a rule for an Ethernet frame header ACL 484 Adding an IPv6 ACL 486 Configuring a rule for a bas...

Страница 13: ...ty mapping tables 515 Configuring priority trust mode on a port 516 Configuration guidelines 517 ACL and QoS configuration example 518 Network requirements 518 Configuring Switch 518 Configuring PoE 527 Restrictions and prerequisites 527 Configuring PoE ports 527 Configuring non standard PD detection 529 Displaying information about PSE and PoE ports 530 PoE configuration example 530 Network requi...

Страница 14: ...ace and SNMP MIB These configuration methods are suitable for different application scenarios The Web interface supports all 1910 Switch Series configurations The CLI provides configuration commands to facilitate your operation To perform other configurations not supported by the CLI use the Web interface ...

Страница 15: ...rewall The Windows firewall limits the number TCP connections When the limit is reached you cannot log in to the Web interface Web browser requirements The device supports the following Web browsers Google Chrome 2 0 174 0 or higher Microsoft Internet Explorer 6 0 SP2 or higher Mozilla Firefox 3 0 or higher If you are using a Microsoft Internet Explorer browser you must enable the security setting...

Страница 16: ...re the target Website resides as shown in Figure 2 Figure 2 Internet Explorer settings 1 3 Click Custom Level 4 In the Security Settings dialog box enable Run ActiveX controls and plug ins Script ActiveX controls marked safe for scripting and Active scripting ...

Страница 17: ...lorer settings 2 5 Click OK to save your settings Enabling JavaScript in a Firefox browser 1 Launch the Firefox browser and select Tools Options 2 In the Options dialog box click the Content icon and select Enable JavaScript ...

Страница 18: ...click the verification code displayed on the Web login page you can get a new verification code Up to 5 users can concurrently log in to the device through the Web interface After logging in to the Web interface you can select Device Users from the navigation tree create a new user and select Wizard or Network VLAN interface to configure the IP address of the VLAN interface acting as the managemen...

Страница 19: ...the device through the console port and execute the summary command to view the information about its default IP address Sysname summary Select menu option Summary IP Method DHCP IP address 10 153 96 86 Subnet mask 255 255 255 0 Default gateway 0 0 0 0 Omitted Assuming that the default IP address of the device is 169 254 52 86 to log in to the Web interface of the device from a PC 1 Connect the Gi...

Страница 20: ...eating an admin user 3 Set a username and password Select Management from the access level list Select at least one service type 4 Click Apply 5 Click Save in the upper right corner of the page and click OK 6 Click Logout in the upper right corner of the page NOTE Set a password with high complexity Make sure you remember the username and password ...

Страница 21: ... to the Web interface 1 Open the browser type the address and press Enter 2 Enter the username password and the verification code and click Login as shown in Figure 6 NOTE Up to 5 users can concurrently log in to the device through the Web interface You can log in to the Web interface through HTTP or HTTPS To use HTTPS enable it and enter a URL starting with https For more information see Managing...

Страница 22: ...y area The area where you can configure and display a function Title area On the left displays the path of the current configuration interface in the navigation area on the right provides the Save button to quickly save the current configuration the Help button to display the Web related help information and the Logout button to log out of the Web interface Web user level Web user levels ranging f...

Страница 23: ...onitor Device Information Display the port information about the device Monitor Devi ce Basic System Name Display and configure the system name Configure Web Idle Timeout Display and configure the idle timeout period for logged in users Configure Device Maintenanc e Software Upgrade Upload upgrade file from local host and upgrade the system software Management Reboot Reboot the device Management E...

Страница 24: ... a mirroring group Configure Users Summary Display the brief information about FTP and Telnet users Monitor Super Password Configure a password for a lower level user to switch from the current access level to the management level Management Create Create an FTP or Telnet user Management Modify Modify FTP or Telnet user information Management Remove Remove an FTP or a Telnet user Management Switch...

Страница 25: ...ity Display SNMP community information Monitor Create modify and delete an SNMP community Configure Group Display SNMP group information Monitor Create modify and delete an SNMP group Configure User Display SNMP user information Monitor Create modify and delete an SNMP user Configure Trap Display the status of the SNMP trap function and information about target hosts Monitor Enable or disable the ...

Страница 26: ... VLAN Configure Port Setup Configure a voice VLAN on a port Configure OUI Summary Display the addresses of the OUIs that can be identified by voice VLAN Monitor OUI Add Add the address of an OUI that can be identified by voice VLAN Configure OUI Remove Remove the address of an OUI that can be identified by voice VLAN Configure MAC MAC Display MAC address information Monitor Create and remove MAC a...

Страница 27: ...ay ARP detection configuration information Monitor Configure ARP detection Configure IGMP Snooping Basic Display global IGMP snooping configuration information or the IGMP snooping configuration information in a VLAN and the IGMP snooping multicast entry information Monitor Configure IGMP snooping globally or in a VLAN Configure Advanced Display the IGMP snooping configuration information on a por...

Страница 28: ...or disabled Configure Enable disable services and set related parameters Management Diagnostic Tools IPv4 Ping Ping an IPv4 address Visitor IPv6 Ping Ping an IPv6 address Visitor IPv4 Traceroute Perform IPv4 trace route operations Visitor IPv6 Traceroute Perform IPv6 trace route operations Visitor ARP Manageme nt ARP Table Display ARP table information Monitor Add modify and remove ARP entries Con...

Страница 29: ...rs Local User Display configuration information about local users Monitor Create modify and remove a local user Management User Group Display configuration information about user groups Monitor Create modify and remove a user group Management PKI Entity Display information about PKI entities Monitor Add modify and delete a PKI entity Configure Domain Display information about PKI domains Monitor A...

Страница 30: ...about a port Monitor Setup Configure a queue on a port Configure Line Rate Summary Display line rate configuration information Monitor Setup Configure the line rate Configure Classifier Summary Display classifier configuration information Monitor Create Create a class Configure Setup Configure the classification rules for a class Configure Remove Delete a class or its classification rules Configur...

Страница 31: ... Function Applies the configuration on the current page Cancels the configuration on the current page and returns to the corresponding list page or the Device Info page Refreshes the current page Clears all entries in a list or all statistics Adds an item Removes the selected items Selects all the entries in a list or selects all ports on the device panel Clears all the entries in a list or clears...

Страница 32: ...page and view the contents on the first previous next and last pages or go to any page that you want to check Figure 10 Content display by pages Search function The Web interface provides you with the basic and advanced searching functions to display only the entries that match specific searching criteria Basic search As shown in Figure 10 input the keyword in the text box above the list select a ...

Страница 33: ...itEthernet1 0 19 and IP address range being 192 168 1 50 to 192 168 1 59 follow these steps 1 Click the Advanced Search link specify the search criteria on the advanced search page as shown in Figure 13 and click Apply The ARP entries with interface being GigabitEthernet1 0 19 are displayed Figure 13 Advanced search function example I 2 Click the Advanced Search link specify the search criteria on...

Страница 34: ...ions to display entries in certain orders On a list page you can click the blue heading item of each column to sort the entries based on the heading item you selected After your clicking the heading item is displayed with an arrow beside it as shown in Figure 16 The upward arrow indicates the ascending order and the downward arrow indicates the descending order ...

Страница 35: ...22 Figure 16 Sort display based on MAC address in the ascending order ...

Страница 36: ...device through the Web interface you can connect the console port of the device to a PC and reconfigure the IP address of VLAN interface 1 at the CLI Setting up the configuration environment CAUTION Identify the mark on the console port to make sure you are connecting to the correct port To set up the configuration environment connect a terminal a PC in this example to the console port on the swit...

Страница 37: ...ters To configure and manage the switch you must run a terminal emulator program on the console terminal The following are the required terminal settings Bits per second 38 400 Data bits 8 Parity None Stop bits 1 Flow control None Emulation VT100 To set terminal parameters for example on a Windows XP HyperTerminal 1 Select Start All Programs Accessories Communications HyperTerminal The Connection ...

Страница 38: ...by the HyperTerminal connection 4 Set Bits per second to 38400 Data bits to 8 Parity to None Stop bits to 1 and Flow control to None and click OK Figure 20 Setting the serial port parameters 5 Select File Properties in the HyperTerminal window ...

Страница 39: ...6 Figure 21 HyperTerminal window 6 Click the Settings tab set the emulation to VT100 and click OK in the Switch Properties dialog box Figure 22 Setting terminal emulation in Switch Properties dialog box ...

Страница 40: ...LAN interface 1 to obtain an IPv4 address through DHCP or manual configuration ipsetup dhcp ip address ip address mask mask length default gateway ip address Configure VLAN interface 1 to obtain an IPv6 address through the autoconfiguration function or manual configuration ipsetup ipv6 auto address ipv6 address prefix length ipv6 address prefix length default gateway ipv6 address Modify the login ...

Страница 41: ...es an IPv4 address for VLAN interface 1 in dotted decimal notation mask Subnet mask in dotted decimal notation mask length Subnet mask length the number of consecutive ones in the mask in the range of 0 to 32 default gateway ip address Specifies the IPv4 address of the default gateway If you specify this option the command not only assigns an IPv4 address to the interface but also specifies a defa...

Страница 42: ... command not only assigns an IPv6 address to the interface but also specifies a default route for the device Description Use ipsetup ipv6 auto to enable the stateless address autoconfiguration function so a global unicast address and link local address can be automatically generated Use ipsetup ipv6 address ipv6 address prefix length ipv6 address prefix length default gateway ipv6 address to manua...

Страница 43: ...ttl 254 time 1 ms Reply from 1 1 2 2 bytes 56 Sequence 3 ttl 254 time 1 ms Reply from 1 1 2 2 bytes 56 Sequence 4 ttl 254 time 1 ms Reply from 1 1 2 2 bytes 56 Sequence 5 ttl 254 time 1 ms 1 1 2 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 41 205 ms The output shows that IP address 1 1 2 2 is reachable and the echo replies are all returned ...

Страница 44: ...ng statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 2 8 15 ms The output shows that IPv6 address 2001 4 is reachable and the echo replies are all returned from the destination The minimum average and maximum roundtrip intervals are 2 milliseconds 8 milliseconds and 15 milliseconds respectively quit Syntax quit Parameters None Description Use quit to log...

Страница 45: ...mand to ensure security Examples If the configuration does not change reboot the device Sysname reboot Start to check configuration with next startup configuration file please wait DONE This command will reboot the device Continue Y N y Now rebooting please wait If the configuration changes reboot the device Sysname reboot Start to check configuration with next startup configuration file please wa...

Страница 46: ...PLD Version is 001 Bootrom Version is 156 SubSlot 0 8GE 1SFP POE Hardware Version is REV A telnet Syntax telnet remote host service port source interface interface type interface number ip ip address Parameters remote host IPv4 address or host name of a remote host a case insensitive string of 1 to 20 characters service port TCP port number of the Telnet service on the remote host It is in the ran...

Страница 47: ...ackage file is not applicable the original Boot ROM image is used Use upgrade server address source filename poe to upgrade the PoE software Use upgrade server address source filename runtime to upgrade the system software image file If the system software image file in the downloaded software package file is not applicable the original system software image file is used To validate the downloaded...

Страница 48: ...oftware package file reboot the device NOTE The HP 1910 Switch Series does not provide an independent Boot ROM image It integrates the Boot ROM image with the system software image file together in a software package file with the extension name of bin Examples Download software package file main bin from the TFTP server to upgrade the Boot ROM image Sysname upgrade ipv6 2001 2 main bin bootrom Do...

Страница 49: ... system software image in the package Switch upgrade 192 168 10 1 Switch1910 bin runtime File will be transferred in binary mode Downloading file from remote TFTP server please wait TFTP 10262144 bytes received in 71 second s File downloaded successfully Download the software package file Switch1910 bin on the TFTP server to the switch and upgrade the Boot ROM image Switch upgrade 192 168 10 1 Swi...

Страница 50: ...eters including the system name the system location the contact information and the management IP address Basic service setup Entering the configuration wizard homepage Select Wizard from the navigation tree Figure 24 Configuration wizard homepage Configuring system parameters 1 On the wizard homepage click Next ...

Страница 51: ...e physical location of the system You can also set the physical location in the setup page you enter by selecting Device SNMP For more information see Configuring SNMP Syscontact Set the contact information for users to get in touch with the device vendor for help You can also set the contact information in the setup page you enter by selecting Device SNMP For more information see Configuring SNMP...

Страница 52: ...device You can configure a VLAN interface and its IP address in the page that you enter by selecting Network VLAN Interface For more information see Configuring VLAN interfaces Admin status Enable or disable the VLAN interface When errors occurred in the VLAN interface disable the interface and then enable the port to bring the port to operate correctly By default the VLAN interface is down if no ...

Страница 53: ...evice needs to connect to the Internet MaskLen Gateway Configure IPv6 link local address Auto Configure how the VLAN interface obtains an IPv6 link local address Auto Specifies the device to automatically generate an link local address based on the link local address prefix FE80 64 and the link layer address of the interface Manual Allows you to specify an IPv6 address Manual IPv6 address Specify ...

Страница 54: ...41 Figure 27 Configuration finishes ...

Страница 55: ...ports that connect the stack member switches are called stack ports Configuration task list Task Remarks Configuring the master device of a stack Configuring global stack parameters Required Configure a private IP address pool and set up the stack By default no IP address pool is configured for a stack and no stack is set up Configuring stack ports Required Configure the ports connected to member ...

Страница 56: ...e Logging in to a member device from the master Optional Log in to the web network management interface of a member device from the master device IMPORTANT To successfully log in to a member device from the master device make sure the user account you are logged in with to the master has also been created on the member device You can configure the user account by selecting Device and then clicking...

Страница 57: ...The master device automatically picks an IP address from this pool for each member device for intra stack communication IMPORTANT Make sure the number of IP addresses in the address pool is equal to or greater than the number of devices to be added to the stack If not some devices cannot automatically join the stack for lack of private IP addresses ...

Страница 58: ...to configure the port as a stack port Select the box before a port name and click Disable to configure the port as a non stack port Displaying topology summary of a stack Select Stack from the navigation tree and click the Topology Summary tab to enter the page shown in Figure 30 Figure 30 Topology Summary tab Table 6 describes the fields of topology summary Table 6 Field description Fields Descri...

Страница 59: ... tree 2 Click the Device Summary tab 3 Click a member device ID tab 4 On the page in Figure 32 click the Configuring the Device link Figure 32 Device Summary tab on a member device Stack configuration example Network requirements As shown in Figure 33 create a stack that comprises Switch A Switch B Switch C and Switch D Use Switch A as the master device so an administrator can log in to any other ...

Страница 60: ...he Setup tab and then perform the following configurations as shown in Figure 34 b Type 192 168 1 1 in the field of Private Net IP c Type 255 255 255 0 in the field of Mask d Select Enable from the Build Stack list e Click Apply Switch B Slave device Slave device Switch C Switch D Slave device Stack Eth1 0 1 Switch A Master device Eth1 0 1 Eth1 0 1 Eth1 0 1 Eth1 0 2 Eth1 0 3 ...

Страница 61: ...34 Configuring global stack parameters on Switch A Switch A becomes the master device 2 Configure the stack port on Switch A a On the Setup tab select GigabitEthernet1 0 1 in the Port Settings area b Click Enable ...

Страница 62: ...d to Switch A GigabitEthernet 1 0 1 connected to Switch C and GigabitEthernet 1 0 3 connected to Switch D as stack ports a Select Stack from the navigation tree of Switch B b On the Setup tab select GigabitEthernet1 0 1 GigabitEthernet1 0 2 and GigabitEthernet1 0 3 in the Port Settings area c Click Enable ...

Страница 63: ...ack ports on Switch B 4 On Switch C configure port GigabitEthernet 1 0 1 as a stack port a Select Stack from the navigation tree of Switch C b On the Setup tab select GigabitEthernet1 0 1 in the Port Settings area c Click Enable ...

Страница 64: ...1 as a stack port a Select Stack from the navigation tree of Switch D b On the Setup tab select GigabitEthernet1 0 1 in the Port Settings area c Click Enable Verifying the configuration Select Stack from the navigation tree and click the Topology Summary tab to display the stack topology on Switch A ...

Страница 65: ...on guidelines If a device is already configured as a stack master device you cannot modify the private IP address pool on the device If a device is already configured as a stack member device the Global Settings area on the member device is not available ...

Страница 66: ...formation system resource state and recent system logs Figure 39 System information Displaying basic system information Table 7 Field description Item Description Device Name Display the device name Product Information Display the description about the device Device Location Display the device location which you can configure on the page you enter by selecting Device SNMP Setup ...

Страница 67: ... Red Alarm Displaying recent system logs Table 8 Field description Field Description Time Display the time when the system logs were generated Level Display the severity of the system logs Description Display the description of the system logs The System Information page displays up to five the most recent system logs about the login and logout events To display more system logs click More to ente...

Страница 68: ...yed if the port is added to an aggregation group For the description about the port number and its color see Figure 40 Similarly you can also view the power type and operating status and the fan operating status Figure 40 Device information To set the interval for refreshing device information select one of the following options from the Refresh Period list If you select a certain period the syste...

Страница 69: ...ogged in users The system logs an idle user off the Web for security purpose after the specified period Configuring system name 1 Select Device Basic from the navigation tree The system name configuration page appears Figure 41 Configuring system name 2 Enter the system name 3 Click Apply Configuring idle timeout period 1 Select Device Basic from the navigation tree 2 Click the Web Idle Timeout ta...

Страница 70: ...57 Figure 42 Configuring idle timeout period 3 Set the idle timeout period for logged in users 4 Click Apply ...

Страница 71: ... to be used at the next reboot In addition you can select whether to reboot the device to bring the upgrade software into effect To upgrade software 1 Select Device Device Maintenance from the navigation tree The page for upgrading software appears Figure 43 Software upgrade configuration page 2 Configure software upgrade parameters as described in Table 9 3 Click Apply Table 9 Configuration items...

Страница 72: ... the device To reboot the device 1 Select Device Device Maintenance from the navigation tree 2 Click the Reboot tab The device reboot page appears Figure 44 Device reboot page 3 Clear the box next to Check whether the current configuration is saved in the next startup configuration file or keep it selected If you select the box the system will examine the configuration before rebooting the device ...

Страница 73: ...ying diagnostic information Each functional module has its own running information and generally you can view the output information for each module one by one To receive as much information as possible in one operation during daily maintenance or when system failure occurs the diagnostic information module allows you to save the running statistics of multiple functional modules to a file named de...

Страница 74: ...lick Click to Download The File Download dialog box appears Figure 47 Downloading the diagnostic information file 5 Open this file to display diagnostic information or save it to the local host After the diagnostic file is successfully generated you can view this file or download it to the local host on the page you enter by selecting Device File Management For more information see Managing files ...

Страница 75: ...ted time servers and clients NTP can keep consistent timekeeping among all clock dependent devices within the network and ensure a high clock precision so that the devices can provide diverse applications based on consistent time Displaying the current system time To view the current system date and time select Device System Time from the navigation tree to enter the System Time page Figure 48 Sys...

Страница 76: ...ate configuration and the time setting does not change Select the year month date and time and then click OK 4 Click Apply on the system time configuration page to save your configuration Configuring the system time by using NTP 1 Select Device System Time from the navigation tree 2 Click the Network Time Protocol tab The page for configuring the system time through NTP appears Figure 50 NTP confi...

Страница 77: ...tion You can set two authentication keys each of which has a key ID and key string ID ID of a key Key string A character string for MD5 authentication key Key 2 External Reference Source NTP Server 1 Reference Key ID Specify the IP address of an NTP server and configure the authentication key ID used for the association with the NTP server Only if the key provided by the server is the same with th...

Страница 78: ...the Key String field for key 1 enter 1 0 1 11 in the NTP Server 1 field and enter 24 in the Reference Key ID field d Click Apply Figure 52 Configuring Device A as the NTP server of Switch B Verifying the configuration After the configuration verify that Device A and Switch B have the same system time Configuration guidelines When you configure the system time follow these guidelines A device can a...

Страница 79: ...an refresh the page to view the clock status and system time later on If the system time of the NTP server is ahead of the system time of the device and the time gap exceeds the web idle time specified on the device all online web users are logged out because of timeout after the synchronization finishes In this case you can log in to the device again ...

Страница 80: ...ministrators can take corresponding actions against network problems and security problems The system can send system logs to various destinations such as a log host or the Web interface Displaying syslogs The Web interface provides abundant search and sorting functions You can view syslogs through the Web interface conveniently To display syslogs 1 Select Device Syslog from the navigation tree Th...

Страница 81: ...stem information levels The information is classified into eight levels by severity Emergency The system is unavailable Alert Action must be taken immediately Critical Critical conditions Error Error conditions Warning Warning conditions Notification Normal but significant condition Information Informational messages Debug Debug level messages Digest Displays the brief description of system logs D...

Страница 82: ...he IPv4 IPv6 address of the log host 4 Click Apply Setting buffer capacity and refresh interval 1 Select Device Syslog from the navigation tree 2 Click the Log Setup tab The syslog configuration page appears Figure 55 Syslog configuration page ...

Страница 83: ...ogs that can be stored in the log buffer of the Web interface Refresh Interval Set the refresh period on the log information displayed on the Web interface You can select manual refresh or automatic refresh Manual Click Refresh to refresh the Web interface when displaying log information Automatic Select to refresh the Web interface every 1 minute 5 minutes or 10 minutes ...

Страница 84: ...r host To back up the configuration 1 Select Device Configuration from the navigation tree to enter the configuration backup page Figure 56 Backing up the configuration 2 Click the upper Backup button The file download dialog box appears 3 View the cfg file or save the file locally Restoring the configuration You can upload the cfg file from your host to the device for the next startup The restore...

Страница 85: ...ter a software upgrade the device loads by default the next startup configuration file specified before the software upgrade when it starts up When you save the running configuration after changing the configuration the device automatically backs up the next startup configuration file before saving the running configuration For example if the next startup configuration file specified before the so...

Страница 86: ...e Current Settings Resetting the configuration Resetting the configuration restores the system to the factory defaults deletes the current configuration file and reboots the device To reset the configuration 1 Select Device Configuration from the navigation tree 2 Click the Initialize tab 3 Click Restore Factory Default Settings Figure 59 Resetting the configuration ...

Страница 87: ...File management page 2 Select a medium from the Please select disk list The following information is displayed Medium Information including the used space free space and the capacity of the medium File information including all files on the medium and the file sizes Downloading a file 1 Select Device File Management from the navigation tree to enter the file management page See Figure 60 2 From th...

Страница 88: ...ment from the navigation tree to enter the file management page See Figure 60 2 In the Upload File area select the medium for saving the file from the Please select disk list 3 Click Browse to navigate to the file to be uploaded 4 Click Apply Removing a file 1 Select Device File Management from the navigation tree to enter the file management page See Figure 60 2 Click the icon of a file to remove...

Страница 89: ...e link type PVID MDI mode flow control settings MAC learning limit and storm suppression ratios For an aggregate interface these operation parameters include its state and MAC learning limit Setting operation parameters for a port 1 Select Device Port Management from the navigation tree 2 Click the Setup tab to enter the page as shown in Figure 61 Figure 61 The Setup tab 3 Set the operation parame...

Страница 90: ...00 Autonegotiated to 10 or 1000 Mbps Auto 100 1000 Autonegotiated to 100 or 1000 Mbps Auto 10 100 1000 Autonegotiated to 10 100 or 1000 Mbps Duplex Set the duplex mode of the port Auto Autonegotiation Full Full duplex Half Half duplex Link Type Set the link type of the current port which can be access hybrid or trunk For more information see Configuring VLANs To change the link type of a port from...

Страница 91: ...elines Typically use the auto mode The other two modes are used only when the device cannot determine the cable type When straight through cables are used the local MDI mode must be different from the remote MDI mode When crossover cables are used the local MDI mode must be the same as the remote MDI mode or the MDI mode of at least one end must be set to auto Flow Control Enable or disable flow c...

Страница 92: ...umber of kilobits of multicast traffic that can be forwarded on an Ethernet port per second When you select this option you must enter a number in the box below IMPORTANT Do not configure this item if the storm constrain function for multicast traffic is enabled on the port Otherwise the suppression result is not determined To set storm constrain for multicast traffic on a port select Device Storm...

Страница 93: ...ort Management from the navigation tree to enter the Summary page by default 2 Select the option for a parameter you want to view The parameter information for all the ports is displayed in the lower part of the page as shown in Figure 62 Figure 62 The Summary tab Displaying all the operation parameters for a port 1 Select Device Port Management from the navigation tree 2 Click the Detail tab 3 Se...

Страница 94: ...Server B and Server C are connected to GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 on the switch respectively The rates of the network adapters of these servers are all 1000 Mbps The switch connects to the external network through GigabitEthernet 1 0 4 whose rate is 1000 Mbps To avoid congestion at the egress port GigabitEthernet 1 0 4 configure the autonegotiation rate r...

Страница 95: ...bitEthernet 1 0 4 to 1000 Mbps a Select Device Port Management from the navigation tree b Click the Setup tab to enter the page as shown in Figure 65 c Select 1000 from the Speed list d Select 4 on the chassis front panel 4 represents port GigabitEthernet 1 0 4 e Click Apply ...

Страница 96: ...igabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 as 100 Mbps a On the Setup tab select Auto 100 from the Speed list as shown in Figure 66 b Select 1 2 and 3 on the chassis front panel 1 2 and 3 represent ports GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 c Click Apply ...

Страница 97: ...Batch configuring the port rate 3 Display the rate settings of ports a Click the Summary tab b Click the Speed button to display the rate information of all ports on the lower part of the page as shown in Figure 67 ...

Страница 98: ...85 Figure 67 Displaying the rate settings of ports ...

Страница 99: ...acket in some cases because it can monitor multiple mirroring sources For example assume that Port 1 is monitoring bidirectional traffic on Port 2 and Port 3 on the same device If a packet travels from Port 2 to Port 3 two duplicates of the packet will be received on Port 1 Mirroring direction The mirroring direction indicates that the inbound outbound or bidirectional traffic can be copied on a m...

Страница 100: ...to make sure the data monitoring device receives and analyzes only the mirrored traffic rather than a mix of mirrored traffic and other forwarded traffic Recommended configuration procedures Step Remarks 1 Configure a local mirroring group Required For more information see Configuring a mirroring group Select the mirroring group type local in the Type list 2 Configure source ports for the mirrorin...

Страница 101: ... the mirroring group to be added The range of the mirroring group ID varies with devices Type Specify the type of the mirroring group to be added as Local which indicates adding a local mirroring group Configuring ports for the mirroring group 1 From the navigation tree select Device Port Mirroring 2 Click Modify Port to enter the page for configuring ports for a mirroring group ...

Страница 102: ...ring group ID to configure ports for the local mirroring group Port Type Monitor Port Configures the monitor ports for the local mirroring group Mirror Port Configures mirroring ports for the local mirroring group Stream Orientation Set the direction of the traffic monitored by the monitor port of the mirroring group both Mirrors both received and sent packets on mirroring ports inbound Mirrors on...

Страница 103: ...h A so the server can monitor the packets received and sent by the Marketing department and Technical department Figure 71 Network diagram Configuration procedure Adding a local mirroring group 1 From the navigation tree select Device Port Mirroring 2 Click Add to enter the page for adding mirroring groups as shown in Figure 72 ...

Страница 104: ...Configuring GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 as the source ports 1 Click Modify Port 2 Select 1 Local from the Mirroring Group ID list 3 Select Mirror Port from the Port Type list 4 Select both from the Stream Orientation list 5 Select 1 GigabitEthernet 1 0 1 and 2 GigabitEthernet 1 0 2 on the chassis front panel ...

Страница 105: ...ox appears 7 After the success notification appears click Close Configuring GigabitEthernet 1 0 3 as the monitor port 1 Click Modify Port 2 Select 1 Local from the Mirroring Group ID list 3 Select Monitor Port from the Port Type list 4 Select 3 GigabitEthernet 1 0 3 on the chassis front panel ...

Страница 106: ...93 Figure 74 Configuring the monitor port 5 Click Apply A configuration progress dialog box appears 6 After the success notification appears click Close ...

Страница 107: ...sword for non management level users to switch to the management level Switch to the management level from a lower level Adding a local user 1 Select Device Users from the navigation tree 2 Click the Create tab Figure 75 Creating a user 3 Configure a local user as described in Table 16 4 Click Apply Table 16 Configuration items Item Description Username Set a username for the user ...

Страница 108: ...ment Management level users can perform any operations on the device Password Set the password for the user Confirm Password Enter the same password again Password Encryption Select the password encryption mode Reversible Uses a reversible algorithm to encrypt the password before saving the password Irreversible Uses an irreversible algorithm to encrypt the password before saving the password Serv...

Страница 109: ...rd before saving the password Irreversible Uses an irreversible algorithm to encrypt the password before saving the password Switching to the management level A non management level user must provide the correct super password to switch to the management level The access level switching is valid only for the current login The switching does not change the access level setting for the user When the...

Страница 110: ...n be used to check whether there is a hardware failure on the port Configuration restrictions and guidelines When you configure a loopback test follow these restrictions and guidelines When a port is physically down you cannot perform an external loopback test on the port After a port is shut down manually you can perform neither internal test nor external test on the port When a port is under a l...

Страница 111: ... External or Internal for loopback test type 3 Select an Ethernet interface from the chassis front panel 4 Click Test After the test is complete the system displays the loopback test result as shown in Figure 79 Figure 79 Loopback test result ...

Страница 112: ... from the navigation tree to enter the page for testing cable status 2 Select the port you want to test on the chassis front panel 3 Click Test The test result is returned within 5 seconds and displayed in the Result field Figure 80 Testing the status of the cable connected to an Ethernet port The result displays the cable status and length The cable status can be normal abnormal abnormal open abn...

Страница 113: ...ting interval 3 Set the traffic statistics generating interval as described in Table 18 4 Click Apply Table 18 Configuration items Item Description Interval for generating traffic statistics Set the interval for generating port traffic statistics Select ports Select ports from the chassis front panel to apply the interval to them Viewing port traffic statistics 1 Select Device Flow interval from t...

Страница 114: ...101 Figure 82 Port traffic statistics NOTE When the bandwidth utilization is lower than 1 1 is displayed ...

Страница 115: ...d the traffic Shuts down automatically The port shuts down automatically and stops forwarding all types of traffic The port cannot automatically restore even when the blocked traffic drops down below the lower threshold To bring up the port select Device Port Management to configure the port see Managing ports or cancel the storm constrain setting on the port Alternatively you can configure the st...

Страница 116: ...r the storm constrain function to the default or a greater value Configuring storm constrain 1 Select Device Storm Constrain from the navigation tree 2 In the Port Storm Constrain area click Add Figure 84 Adding storm constrain settings for ports 3 Set the storm constraint function as described in Table 19 4 Click Apply ...

Страница 117: ...hreshold and lower threshold in percentage of received packets to the transmission capability of each selected port kbps Specifies the storm constrain upper threshold and lower threshold in kilobits per second kbps NOTE On a port you can set the thresholds for broadcast multicast and unknown unicast traffic at the same time To set storm constrain on a port successfully you must specify the thresho...

Страница 118: ...twork resources By using this method NMSs can obtain all RMON MIB information RMON agents embedded in network devices NMSs exchange data with RMON agents by using basic SNMP operations to gather network management information This method consumes the resources of managed network devices and most RMON agent implementations only provide four groups of MIB information alarm event history and statisti...

Страница 119: ...NMP GET operation Trap Sends a trap to notify the occurrence of this event to the network management station NMS Log Trap Logs event information in the event log table and sending a trap to the NMS None No action Alarm group The RMON alarm group monitors alarm variables such as the count of incoming packets etherStatsPkts on an interface After you define an alarm entry the system gets the value of...

Страница 120: ...ntry is created on an interface the system collects various traffic statistics on the interface including network collisions CRC alignment errors undersize oversize packets broadcasts multicasts bytes received and packets received The statistics are cleared at a reboot IMPORTANT Only one statistics entry can be created for one interface Table 21 RMON history group configuration task list Task Rema...

Страница 121: ...e rising threshold and falling threshold are identical to those of an existing entry in the system Configuring an alarm entry Required You can create up to 60 alarm entries for an alarm table With an alarm entry created the specified alarm event will be triggered when an abnormity occurs and the alarm event defines how to deal with the abnormity IMPORTANT An entry cannot be created if the values o...

Страница 122: ... a statistics entry 1 Select Device RMON from the navigation tree The Statistics tab page appears Figure 86 Statistics tab 2 Click Add Figure 87 Adding a statistics entry 3 Configure a statistic entry as described in Table 24 4 Click Apply Table 24 Configuration items Item Description Interface Name Select the name of the interface on which the statistics entry is created Only one statistics entry...

Страница 123: ...Buckets Granted Set the capacity of the history record list corresponding to this history entry namely the maximum number of records that can be saved in the history record list If the current number of the entries in the table has reached the maximum number the system will delete the earliest entry to save the latest one The statistics include total number of received packets on the current inter...

Страница 124: ... 26 Configuration items Item Description Description Set the description for the event Owner Set the owner of the entry Event Type Set the actions that the system will take when the event is triggered Log The system will log the event Trap The system will send a trap in the community name of null If both Log and Trap are selected the system will log the event and send a trap If none of them is sel...

Страница 125: ... tab Figure 92 Alarm tab 3 Click Add Figure 93 Adding an alarm entry 4 Configure an alarm entry as described in Table 27 5 Click Apply Table 27 Configuration items Item Description Alarm variable Static Item Set the traffic statistics that will be collected and monitored see Table 28 for details ...

Страница 126: ...select to create the default event And when the value of the alarm variable is higher than the alarm rising threshold or lower than the alarm falling threshold the system will adopt the default action log and trap Rising Threshold Set the alarm rising threshold Rising Event Set the action that the system will take when the value of the alarm variable is higher than the alarm rising threshold If th...

Страница 127: ...ith CRC errors received on the interface corresponding to the MIB node etherStatsCRCAlignErrors Number of Received Packets Smaller Than 64 Bytes Total number of undersize packets shorter than 64 octets received by the interface corresponding to the MIB node etherStatsUndersizePkts Number of Received Packets Larger Than 1518 Bytes Total number of oversize packets longer than 1518 octets received by...

Страница 128: ...al number of received packets with 128 to 255 octets on the interface corresponding to the MIB node etherStatsPkts128to255Octets Number of Received 256 to 511 Bytes Packets Total number of received packets with 256 to 511 octets on the interface corresponding to the MIB node etherStatsPkts256to511Octets Number of Received 512 to 1023 Bytes Packets Total number of received packets with 512 to 1023 ...

Страница 129: ...ber of packets received with CRC alignment errors during the sampling period corresponding to the MIB node etherHistoryCRCAlignErrors UndersizePkts Number of undersize packets received during the sampling period corresponding to the MIB node etherHistoryUndersizePkts OversizePkts Number of oversize packets received during the sampling period corresponding to the MIB node etherHistoryOversizePkts F...

Страница 130: ...tics on GigabitEthernet 1 0 1 with the sampling interval being ten seconds and perform corresponding configurations so that the system will log the event when the number of bytes received on the interface more than 1000 or less than 100 Figure 97 Network diagram Configuration procedure 1 Configure RMON to gather statistics for interface GigabitEthernet 1 0 1 a Select Device RMON from the navigatio...

Страница 131: ...s shown in Figure 99 Figure 99 Displaying RMON statistics 3 Create an event to start logging after the event is triggered a Click the Event tab b Click Add The page in Figure 100 appears c Type user1 rmon in the Owner field select the box before Log and click Apply d The page displays the event entry and you can see that the entry index of the new event is 1 as shown in Figure 101 ...

Страница 132: ... Click the Alarm tab b Click Add The page in Figure 102 appears c Select Number of Received Bytes from the Static Item list select GigabitEthernet1 0 1 from the Interface Name list enter 10 in the Interval field select Delta from the Simple Type list enter user1 in the Owner field enter 1000 in the Rising Threshold field select 1 from the Rising Event list enter 100 in the Falling Threshold field ...

Страница 133: ...iew the log information about event 1 on the web interface 1 Select Device RMON from the navigation tree 2 Click the Log tab The log page appears The log in this example indicates that event 1 generated one log which was triggered because the alarm value 22050 exceeded the rising threshold 1000 The sampling type is absolute Figure 103 Log tab ...

Страница 134: ...Configure an energy saving policy for the port as described in Table 30 4 Click Apply Table 30 Configuration items Item Description Time Range Set the time period when the port is in the state of energy saving IMPORTANT Up to five energy saving policies with different time ranges can be configured on a port Specify the start time and end time in units of 5 minutes such as 08 05 to 10 15 Otherwise ...

Страница 135: ...NT If you configure the lowest speed limit on a port that does not support 10 Mbps the configuration cannot take effect Shutdown Shut down the port IMPORTANT An energy saving policy can have all the three energy saving schemes configured of which the shutdown scheme takes the highest priority ...

Страница 136: ...n a managed device to receive and handle requests from the NMS and send traps to the NMS when some events such as interface state change occur Management Information Base MIB Specifies the variables for example interface status and CPU usage maintained by the SNMP agent for the SNMP manager to read and set Figure 105 Relationship between an NMS agent and MIB A MIB stores variables called nodes or ...

Страница 137: ...cation You can configure authentication and privacy mechanisms to authenticate and encrypt SNMP packets for integrity authenticity and confidentiality Recommended configuration procedure SNMPv3 differs from SNMPv1 and SNMPv2c in many aspects Their configuration procedures are described in separate sections Table 31 SNMPv1 or SNMPv2c configuration task list Task Remarks 1 Enabling SNMP agent Requir...

Страница 138: ...nt of the group 4 Configuring an SNMP user Required Before creating an SNMP user you need to create the SNMP group to which the user belongs IMPORTANT After you change the local engine ID the existing SNMPv3 users become invalid and you must re create the SNMPv3 users For more information about engine ID see Enabling SNMP agent 5 Configuring the SNMP trap function Optional Allows you to configure ...

Страница 139: ...ID when the user is created is not identical to the current engine ID the user is invalid Maximum Packet Size Configure the maximum size of an SNMP packet that the agent can receive send Contact Set a character string to describe the contact information for system maintenance If the device is faulty the maintainer can contact the manufacture factory according to the contact information of the devi...

Страница 140: ...SNMP view Creating an SNMP view 1 Select Device SNMP from the navigation tree 2 Click the View tab The View tab appears Figure 108 View tab 3 Click Add The Add View window appears Figure 109 Creating an SNMP view 1 4 Type the view name 5 Click Apply The page in Figure 110 appears ...

Страница 141: ...ree OID and subtree mask MIB Subtree OID Set the MIB subtree OID such as 1 4 5 3 1 or name such as system MIB subtree OID identifies the position of a node in the MIB tree and it can uniquely identify a MIB subtree Subtree Mask Set the subtree mask a hexadecimal string Its length must be an even number in the range of 2 to 32 If no subtree mask is specified the default subtree mask all Fs will be ...

Страница 142: ...ick Apply To modify a view click the icon for the view on the View tab see Figure 108 Configuring an SNMP community 1 Select Device SNMP from the navigation tree 2 Click the Community tab The Community tab appears Figure 112 Configuring an SNMP community 3 Click Add The Add SNMP Community page appears ...

Страница 143: ...ame to access the agent Read and write The NMS can perform both read and write operations to the MIB objects when it uses this community name to access the agent View Specify the view associated with the community to limit the MIB objects that can be accessed by the NMS ACL Associate the community with a basic ACL to allow or prohibit the access to the agent from the NMS with the specified source ...

Страница 144: ...roup its security level cannot be modified Read View Select the read view of the SNMP group Write View Select the write view of the SNMP group If no write view is configured the NMS cannot perform the write operations to all MIB objects on the device Notify View Select the notify view the view that can send trap messages of the SNMP group If no notify view is configured the agent does not send tra...

Страница 145: ...Device SNMP from the navigation tree 2 Click the User tab The User tab appears Figure 116 User tab 3 Click Add The Add SNMP User page appears Figure 117 Creating an SNMP user 4 Configure the SNMP user as described in Table 37 5 Click Apply ...

Страница 146: ...luding MD5 and SHA when the security level is Auth NoPriv or Auth Priv Authentication Password Set the authentication password when the security level is Auth NoPriv or Auth Priv Confirm authentication password must be the same with the authentication password Confirm Authentication Password Privacy Mode Select a privacy mode including DES56 AES128 and 3DES when the security level is Auth Priv Pri...

Страница 147: ...target host of SNMP traps 6 Configure the settings for the target host as described in Table 38 7 Click Apply Table 38 Configuration items Item Description Destination IP Address Select the IPv4 or IPv6 option and enter the specific type of destination IP address Security Name Set the security name which can be an SNMPv1 community name an SNMPv2c community name or an SNMPv3 user name ...

Страница 148: ... the SNMP version For the NMS to receive traps make sure the SNMP version is the same with that on the NMS Security Level Set the authentication and privacy mode for SNMP traps when the security model is selected as v3 The available security levels are no authentication no privacy authentication but no privacy and authentication and privacy When the security model is selected as v1 or v2c the secu...

Страница 149: ...work diagram Configuring the agent 1 Enable SNMP a Select Device SNMP from the navigation tree The SNMP configuration page appears b Select the Enable option and select the v1 and v2c options c Set Hewlett Packard Development Company L P as the contact person and HP as the physical location d Click Apply Figure 122 Configuring the SNMP agent 2 Configure a read only community a Click the Community ...

Страница 150: ...a read and write community a Click Add on the Community tab page The Add SNMP Community page appears b Enter private in the Community Name field and select Read and write from the Access Right list c Click Apply Figure 124 Configuring an SNMP read and write community 4 Enable SNMP traps a Click the Trap tab The Trap tab page appears b Select Enable SNMP Trap c Click Apply ...

Страница 151: ...elect v1 from the Security Model list c Click Apply Figure 126 Adding a trap target host Configuring the NMS To avoid communication failures make sure the NMS use the same SNMP settings as the agent To configure the NMS 1 Configure the SNMP version for the NMS as v1 or v2c 2 Create a read only community and name it public 3 Create a read and write community and name it private For information abou...

Страница 152: ...e AP the agent at 1 1 1 1 24 and the AP automatically sends traps to report events to the NMS The NMS and the agent perform authentication when they set up an SNMP session The authentication algorithm is MD5 and the authentication key is authkey The NMS and the AP also encrypt the SNMP packets between them by using the DES56 algorithm and the privacy key prikey Figure 127 Network diagram Configuri...

Страница 153: ...NMP view appears c Type view1 in the View Name field d Click Apply The page in Figure 130 appears e Select the Included option type the MIB subtree OID interfaces and click Add f Click Apply A configuration progress dialog box appears g Click Close after the configuration process is complete Figure 129 Creating an SNMP view 1 ...

Страница 154: ...rom the Read View list select view1 from the Write View list d Click Apply Figure 131 Creating an SNMP group 4 Configure an SNMP user a Click the User tab b Click Add The page in Figure 132 appears c Type user1 in the User Name field select Auth Priv from the Security Level list select group1 from the Group Name list select MD5 from the Authentication Mode list type authkey in the ...

Страница 155: ...rom the Privacy Mode list and type prikey in the Privacy Password and Confirm Privacy Password fields d Click Apply Figure 132 Creating an SNMP user 5 Enable SNMP traps a Click the Trap tab The Trap tab page appears b Select Enable SNMP Trap c Click Apply Figure 133 Enabling SNMP traps ...

Страница 156: ...settings as the agent To configure the NMS 1 Specify the SNMP version for the NMS as v3 2 Create an SNMP user user1 3 Enable both authentication and privacy functions 4 Use MD5 for authentication and DES56 for encryption 5 Set the authentication key to authkey and the privacy key to prikey For information about configuring the NMS see the NMS manual Verifying the configuration After the above conf...

Страница 157: ...eld Description InOctets Total octets of all packets received on the interface InUcastPkts Number of received unicast packets InNUcastPkts Number of received non unicast packets InDiscards Number of valid packets discarded in the inbound direction InErrors Number of received invalid packets InUnknownProtos Number of received unknown protocol packets OutOctets Total octets of all packets sent throu...

Страница 158: ...145 Field Description OutErrors Number of invalid packets sent through the interface ...

Страница 159: ... Confining broadcast traffic within individual VLANs This reduces bandwidth waste and improves network performance Improving LAN security By assigning user groups to different VLANs you can isolate them at Layer 2 To enable communication between VLANs routers or Layer 3 switches are required Flexible virtual workgroup creation As users from the same workgroup can be assigned to the same VLAN regar...

Страница 160: ...rmat The value of the field is 0 by default VLAN ID The 12 bit VLAN ID field identifies the VLAN the frame belongs to The VLAN ID range is 0 to 4095 Because 0 and 4095 are reserved a VLAN ID actually ranges from 1 to 4094 A network device handles an incoming frame depending on whether the frame is VLAN tagged and the value of the VLAN tag if any The Ethernet II encapsulation format is used in this...

Страница 161: ...ID of the port A trunk or hybrid port can join multiple VLANs and you can configure a PVID for the port You can use a nonexistent VLAN as the PVID for a hybrid or trunk port but not for an access port After you delete the VLAN that an access port resides in the PVID of the port changes to VLAN 1 Deleting the VLAN specified as the PVID of a trunk or hybrid port however does not affect the PVID sett...

Страница 162: ...g the link type of a port Optional Configure the link type of the port as access By default the link type of a port is access 3 Setting the PVID for a port Configure the PVID of the access port Required An access port has only one untagged VLAN and the untagged VLAN is its PVID The three operations produce the same result and the latest operation takes effect By default an access port is an untagg...

Страница 163: ...uring related operations Configure a subset of all existing VLANs This step is required before you perform operations on the Detail Modify VLAN and Modify Port tabs b Modifying a VLAN Configure the trunk port as an untagged member of the specified VLANs N A 5 Modifying ports Configure the untagged VLAN of the trunk port 6 Configure the trunk port as a tagged member of the specified VLANs a Selecti...

Страница 164: ...red A hybrid port can have multiple untagged VLANs Repeat these steps to configure multiple untagged VLANs for a hybrid port By default the untagged VLAN of a hybrid port is VLAN 1 5 Modifying ports Configure the untagged VLAN of the hybrid port 6 Configure the hybrid port as a tagged member of the specified VLAN a Selecting VLANs Specify the range of VLANs available for selection during related o...

Страница 165: ... description string of the selected VLAN By default the description string of a VLAN is its VLAN ID such as VLAN 0001 Configuring the link type of a port 1 Select Network VLAN from the navigation tree 2 Click the Modify Port tab 3 Select the port that you want to configure on the chassis front panel 4 Select the Link Type option 5 Set the link type which can be access hybrid or trunk 6 Click Apply...

Страница 166: ... Select the port that you want to configure on the chassis front panel 4 Select the PVID option The option allows you to modify the PVID of the port 5 Set a PVID for the port By selecting the Delete box you can restore the PVID of the port to the default which is VLAN 1 The PVID of an access port must be an existing VLAN 6 Click Apply A progress dialog box appears 7 Click Close on the progress dia...

Страница 167: ...gure the PVID of a port on the Setup tab of Device Port Management For more information see Managing ports Selecting VLANs 1 Select Network VLAN from the navigation tree The Select VLAN tab is displayed by default for you to select VLANs Figure 142 Selecting VLANs ...

Страница 168: ... member ports of a VLAN as described in Table 41 4 Click Apply A progress dialog box appears 5 Click Close on the progress dialog box when the dialog box prompts that the configuration succeeds Table 41 Configuration items Item Description Please select a VLAN to modify Select the VLAN to be modified The VLANs available for selection are existing VLANs selected on the page for selecting VLANs Modi...

Страница 169: ...d assigned to this VLAN Select the ports to be modified in the selected VLAN NOTE When you configure an access port as a tagged member of a VLAN the link type of the port is automatically changed into hybrid Modifying ports 1 Select Network VLAN from the navigation tree 2 Click Modify Port to enter the page for modifying ports Figure 144 Modifying ports 3 Modify the VLANs of a port as described in...

Страница 170: ...in bulk the link type of the port is automatically changed into hybrid You can configure a hybrid port as a tagged or untagged member of a VLAN only if the VLAN is an existing static VLAN VLAN configuration example Network requirements As shown in Figure 145 trunk port GigabitEthernet 1 0 1 of Switch A is connected to trunk port GigabitEthernet 1 0 1 of Switch B Configure the PVID of GigabitEthern...

Страница 171: ...rnet 1 0 1 as a trunk port and its PVID as 100 2 Create VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 a Select Network VLAN from the navigation tree b Click Create to enter the page for creating VLANs c Enter VLAN IDs 2 6 50 100 d Click Apply ...

Страница 172: ... b Select the option before Display a subnet of all configured VLANs and enter 1 100 in the field c Click Select Figure 148 Setting a VLAN range d Click Modify VLAN to enter the page for modifying the ports in a VLAN e Select 100 VLAN 0100 in the Please select a VLAN to modify list select the Untagged option and select GigabitEthernet 1 0 1 on the chassis front device panel f Click Apply ...

Страница 173: ...ernet 1 0 1 to VLAN 2 and VLAN 6 through VLAN 50 as a tagged member a Click Modify Port to enter the page for modifying the VLANs to which a port belongs b Select GigabitEthernet 1 0 1 on the chassis front device panel select the Tagged option and enter VLAN IDs 2 6 50 c Click Apply A configuration progress dialog box appears d After the configuration process is complete click Close in the dialog ...

Страница 174: ...re Switch B in the same way Switch A is configured Configuration guidelines Follow these guidelines when you configure VLANs As the default VLAN VLAN 1 can be neither created nor removed manually You cannot manually create or remove VLANs reserved for special purposes Dynamic VLANs cannot be removed on the page for removing VLANs ...

Страница 175: ...c can be routed to other IP subnets Creating a VLAN interface IMPORTANT Before creating a VLAN interface you must create the corresponding VLAN in Network VLAN For more information see Configuring VLANs When creating a VLAN interface you can select to assign an IPv4 address and an IPv6 link local address to the VLAN interface in this step or in a separate step If you do not select to configure an ...

Страница 176: ...terface gets an IPv4 address Allow the VLAN interface to obtain an IP address automatically by selecting the DHCP or BOOTP option or manually assign the VLAN interface an IP address by selecting the Manual option These items are available after you select the Configure Primary IPv4 Address box BOOTP Manual IPv4 Address Configure an IPv4 address for the VLAN interface This field is available after ...

Страница 177: ...ess Configure an IPv6 link local address for the VLAN interface This field is available after you select the Manual option The prefix of the IPv6 link local address you enter must be FE80 64 Modifying a VLAN interface By modifying a VLAN interface you can assign an IPv4 address an IPv6 link local address and an IPv6 site local address or global unicast address to the VLAN interface and shut down o...

Страница 178: ...In the latter case you need to set the mask length or enter a mask in dotted decimal notation format BOOTP Manual Admin Status Select Up or Down in the Admin Status list to bring up or shut down the selected VLAN interface When the VLAN interface fails you can shut down and then bring up the VLAN interface which might restore the VLAN interface By default a VLAN interface is down if all Ethernet p...

Страница 179: ...prefix of the IPv6 site local address you enter must be FEC0 10 EUI 64 Specify to generate IPv6 site local addresses or global unicast addresses in the EUI 64 format If the EUI 64 box is not specified manually configured IPv6 site local addresses or global unicast addresses are used After you modify the IPv4 address and status or the IPv6 address and status or add an IPv6 unicast address for a sel...

Страница 180: ...f you first adopt the manual assignment and then the automatic generation the automatically generated link local address will not take effect and the link local address of the interface is still the manually assigned one But if you remove the manually assigned one the one automatically generated takes effect ...

Страница 181: ...ress of a received packet matches an organizationally unique identifier OUI in the voice device OUI list referred to as the OUI list in this document maintained by the switch the packet is regarded as a voice packet You can add OUI addresses to the OUI list maintained by the device or use the default OUI list shown in Table 45 for voice traffic identification Table 45 The default OUI list Number O...

Страница 182: ... in automatic voice VLAN assignment mode to the voice VLAN after the reboot making sure existing voice connections can work correctly In this case voice traffic streams do not trigger port assignment to the voice VLAN Figure 153 PCs and IP phones connected in series access the network Manual mode You must assign the port to a voice VLAN manually Then the system matches the source MAC addresses in ...

Страница 183: ...red configurations on ports of different link types for them to support tagged voice traffic Port link type Voice VLAN assignment mode supported for untagged voice traffic Configuration requirements Access Manual Configure the PVID of the port as the voice VLAN Trunk Manual Configure the PVID of the port as the voice VLAN and assign the port to the voice VLAN Hybrid Manual Configure the PVID of th...

Страница 184: ... voice packets and non voice packets in a voice VLAN If you have to first make sure that the voice VLAN security mode is disabled Table 48 How a voice VLAN enable port processes packets in security normal mode Voice VLAN operating mode Packet type Packet processing mode Security mode Untagged packets If the source MAC address of a packet matches an OUI address configured for the device it is forwa...

Страница 185: ... security mode and configure the aging timer 2 Assigning the port to the voice VLAN Required After an access port is assigned to the voice VLAN the voice VLAN automatically becomes the PVID of the access port For more information see Configuring VLANs 3 Configuring the voice VLAN as the PVID of a hybrid or trunk port Optional This task is required if the incoming voice traffic is untagged and the ...

Страница 186: ...ANs operate in security mode Voice VLAN aging time Set the voice VLAN aging timer The voice VLAN aging timer setting only applies to a port in automatic voice VLAN assignment mode The voice VLAN aging timer starts as soon as the port is assigned to the voice VLAN If no voice packet has been received before the timer expires the port is removed from the voice VLAN Configuring voice VLAN on ports 1 ...

Страница 187: ...the voice VLAN port state is set to Enable Select Ports Select the port on the chassis front panel You can select multiple ports to configure them in bulk The numbers of the selected ports will be displayed in the Ports selected for voice VLAN field NOTE To set the voice VLAN assignment mode of a port to automatic you must make sure that the link type of the port is trunk or hybrid and that the po...

Страница 188: ...g only voice traffic to pass through The IP phone connected to hybrid port GigabitEthernet 1 0 1 sends untagged voice traffic GigabitEthernet 1 0 1 operates in automatic VLAN assignment mode Set the voice VLAN aging timer to 30 minutes Configure GigabitEthernet 1 0 1 to allow voice packets whose source MAC addresses match the OUI addresses specified by OUI address 001 1 2200 0000 and mask ffff ff0...

Страница 189: ...figure GigabitEthernet 1 0 1 as a hybrid port a Select Device Port Management from the navigation tree b Click the Setup tab c Select Hybrid from the Link Type list d Select GigabitEthernet 1 0 1 from the chassis front panel e Click Apply ...

Страница 190: ...LAN from the navigation tree b Click the Setup tab c Select Enable in the Voice VLAN security list d Set the voice VLAN aging timer to 30 minutes e Click Apply Figure 161 Configuring the voice VLAN function globally 4 Configure voice VLAN on GigabitEthernet 1 0 1 a Click the Port Setup tab b Select Auto in the Voice VLAN port mode list ...

Страница 191: ...assis front panel f Click Apply Figure 162 Configuring voice VLAN on GigabitEthernet 1 0 1 5 Add OUI addresses to the OUI list a Click the OUI Add tab b Enter OUI address 0011 2200 0000 c Select FFFF FF00 0000 in the Mask list d Enter description string test e Click Apply Figure 163 Adding OUI addresses to the OUI list ...

Страница 192: ...he newly added OUI address Figure 164 Displaying the current OUI list of the device 2 Click the Summary tab where you can view the current voice VLAN information Figure 165 Displaying voice VLAN information Configuring a voice VLAN on a port in manual voice VLAN assignment mode Network requirements As shown in Figure 166 Configure VLAN 2 as a voice VLAN that carries only voice traffic ...

Страница 193: ...OUI address 001 1 2200 0000 and mask ffff ff00 0000 to pass through The description of the OUI address entry is test Figure 166 Network diagram Configuring Switch A 1 Create VLAN 2 a Select Network VLAN from the navigation tree b Click the Create tab c Enter VLAN ID 2 d Click Create Figure 167 Creating VLAN 2 2 Configure GigabitEthernet 1 0 1 as a hybrid port and configure its PVID as VLAN 2 a Sel...

Страница 194: ...uring GigabitEthernet 1 0 1 as a hybrid port 3 Assign GigabitEthernet 1 0 1 to VLAN 2 as an untagged member a Select Network VLAN from the navigation tree b Click the Modify Port tab c Select GigabitEthernet 1 0 1 from the chassis front panel d Select the Untagged option e Enter VLAN ID 2 f Click Apply A configuration progress dialog box appears g After the configuration process is complete click ...

Страница 195: ... GigabitEthernet 1 0 1 a Select Network Voice VLAN from the navigation tree b Click the Port Setup tab c Select Manual in the Voice VLAN port mode list d Select Enable in the Voice VLAN port state list e Enter 2 in the VLAN IDs field f Select GigabitEthernet 1 0 1 on the chassis front panel g Click Apply ...

Страница 196: ...1 2200 0000 c Select FFFF FF00 0000 as the mask d Enter description string test e Click Apply Figure 171 Adding OUI addresses to the OUI list Verifying the configuration 1 When the preceding configurations are complete the OUI Summary tab is displayed by default as shown in Figure 172 You can view the information about the newly added OUI address ...

Страница 197: ...configure the voice VLAN function follow these guidelines To remove a VLAN functioning as a voice VLAN disable its voice VLAN function first Only one VLAN is supported and only an existing static VLAN can be configured as the voice VLAN Do not enable the voice VLAN function on a link aggregation group member port After you assign a port operating in manual voice VLAN assignment mode to the voice V...

Страница 198: ...hen a frame arrives at a port for example Port A the device performs the following tasks 1 Verifies the source MAC address for example MAC SOURCE of the frame 2 Looks up the source MAC address in the MAC address table If an entry is found the device updates the entry If no entry is found the device adds an entry for MAC SOURCE and Port A 3 When the device receives a frame destined for MAC SOURCE a...

Страница 199: ...try can overwrite a dynamic MAC address entry but not vice versa To adapt to network changes and prevent inactive entries from occupying table space an aging mechanism is adopted for dynamic MAC address entries Each time a dynamic MAC address entry is learned or created an aging timer starts If the entry has not updated when the aging timer expires the device deletes the entry If the entry has upd...

Страница 200: ...lays the following types of MAC address entries Config static Static MAC address entries manually configured by the users Config dynamic Dynamic MAC address entries manually configured by the users Blackhole Blackhole MAC address entries Learned Dynamic MAC address entries learned by the device Other Other types of MAC address entries VLAN Set the ID of the VLAN to which the MAC address belongs Po...

Страница 201: ... example Network requirements Use the Web based NMS to configure the MAC address table of the device Add a static MAC address 00e0 fc35 dc71 under GigabitEthernet 1 0 1 in VLAN 1 Creating a static MAC address entry 1 Select Network MAC from the navigation tree By default the MAC tab is displayed 2 Click Add The page shown in Figure 177 appears 3 Configure a MAC address entry a Enter MAC address 00...

Страница 202: ...189 Figure 177 Creating a static MAC address entry ...

Страница 203: ...1d STP in the broad sense STP refers to the IEEE 802 1d STP and various enhanced spanning tree protocols derived from that protocol STP protocol packets STP uses bridge protocol data units BPDUs also known as configuration messages as its protocol packets STP enabled network devices exchange BPDUs to establish a spanning tree BPDUs contain sufficient information for the network devices to complete...

Страница 204: ... CP2 are ports on Device A Device B and Device C respectively If Device A forwards BPDUs to Device B through AP1 the designated bridge for Device B is Device A and the designated port of Device B is port AP1 on Device A If Device B forwards BPDUs to the LAN the designated bridge for the LAN is Device B and the designated port for the LAN is the port BP2 on Device B Figure 178 Designated bridges an...

Страница 205: ...tialization of a device each port generates a BPDU with the port as the designated port the device as the root bridge 0 as the root path cost and the device ID as the designated bridge ID 2 Root bridge selection Initially each STP enabled device on the network assumes itself to be the root bridge with its own device ID as the root bridge ID By exchanging configuration BPDUs the devices compare the...

Страница 206: ...ower the device discards the received configuration BPDU and keeps the configuration BPDU the port generated If the former priority is higher the device replaces the content of the configuration BPDU generated by the port with the content of the received configuration BPDU 2 The device compares the configuration BPDUs of all the ports and chooses the optimum configuration BPDU The following are th...

Страница 207: ...each configuration BPDU contains the following fields root bridge ID root path cost designated bridge ID and designated port ID Table 56 Initial state of each device Device Port name BPDU of port Device A AP1 0 0 0 AP1 AP2 0 0 0 AP2 Device B BP1 1 0 1 BP1 BP2 1 0 1 BP2 Device C CP1 2 0 2 CP1 CP2 2 0 2 CP2 5 Configuration BPDUs comparison on each device In Table 57 each configuration BPDU contains ...

Страница 208: ... BPDU of the local port 1 0 1 BP2 is superior to the received configuration BPDU and it discards the received configuration BPDU BP1 0 0 0 AP1 BP2 1 0 1 BP2 Device B compares the configuration BPDUs of all its ports and determines that the configuration BPDU of BP1 is the optimum configuration BPDU Then it uses BP1 as the root port the configuration BPDUs of which will not be changed Based on the ...

Страница 209: ... does not launch an update process after comparison CP1 0 0 0 AP2 CP2 0 5 1 BP2 After comparison Because the root path cost of CP2 9 root path cost of the BPDU 5 plus path cost corresponding to CP2 4 is smaller than the root path cost of CP1 10 root path cost of the BPDU 0 path cost corresponding to CP2 10 the BPDU of CP2 is elected as the optimum BPDU and CP2 is elected as the root port the messa...

Страница 210: ...s Forward delay The delay time for device state transition A path failure can cause spanning tree recalculation to adapt the spanning tree structure to the change However the resulting new configuration BPDU cannot propagate throughout the network immediately If the newly elected root ports and designated ports start to forward data immediately a temporary loop is likely to occur For this reason a...

Страница 211: ...hanism for redundant links by allowing data flows of different VLANs to be forwarded along separate paths MSTP provides the following features MSTP supports mapping VLANs to MST instances MSTIs by means of a VLAN to instance mapping table MSTP can reduce communication overheads and resource usage by mapping multiple VLANs to one MSTI MSTP divides a switched network into multiple regions each conta...

Страница 212: ... topology of MST region 3 MST region A multiple spanning tree region MST region consists of multiple devices in a switched network and the network segments among them All these devices have the following characteristics A spanning tree protocol enabled Same region name ...

Страница 213: ...a single spanning tree that connects all MST regions in a switched network If you regard each MST region as a device the CST is a spanning tree calculated by these devices through STP or RSTP The blue lines in Figure 181 represent the CST IST An internal spanning tree IST is a spanning tree that runs in an MST region It is also called MSTI 0 a special MSTI to which all VLANs are mapped by default ...

Страница 214: ...ort The backup port of a designated port When the designated port is invalid the backup port becomes the new designated port A loop occurs when two ports of the same spanning tree device are interconnected so the device blocks one of the ports The blocked port acts as the backup Edge port An edge port does not connect to any network device or network segment but directly connects to a user host Ma...

Страница 215: ...ed MSTIs are calculated Among these MSTIs MSTI 0 is the CIST Similar to RSTP MSTP uses configuration BPDUs to calculate spanning trees An important difference is that an MSTP BPDU carries the MSTP configuration of the bridge from which the BPDU is sent CIST calculation The calculation of a CIST tree is also the process of configuration BPDU comparison During this process the device with the highes...

Страница 216: ...ly if they are configured to have the same MST region name MST region level and the same VLAN to instance mapping entries in the MST region and they are connected through a physical link If two or more devices are selected as the root bridge in a spanning tree at the same time the device with the lowest MAC address is chosen If BPDU guard is disabled a port set as an edge port becomes a non edge p...

Страница 217: ...rt and configure MSTP parameters By default MSTP is enabled on a port and all MSTP parameters adopt the default values 4 Displaying MSTP information of a port Optional Display MSTP information of a port in MSTI 0 the MSTI to which the port belongs and the path cost and priority of the port Configuring an MST region 1 From the navigation tree select Network MSTP By default the Region tab is display...

Страница 218: ... bridge MAC address of the device Revision Level Revision level of the MST region Manual Instance ID and VLAN ID Manually add VLAN to instance mappings Click Apply to add the VLAN to instance mapping entries to the list Modulo The device automatically maps 4094 VLANs to the corresponding MSTIs based on the modulo value 4 Click Activate Configuring MSTP globally 1 From the navigation tree select Ne...

Страница 219: ...pply Table 60 Configuration items Item Description Enable STP Globally Select whether to enable STP globally Other MSTP configurations take effect only after you enable STP globally BPDU Guard Select whether to enable BPDU guard BPDU guard can protect the device from malicious BPDU attacks making the network topology stable ...

Страница 220: ...T not on other MSTIs The bridge diameter cannot be configured together with the timers Timers Configure the timers Forward Delay Set the delay for the root and designated ports to transit to the forwarding state Hello Time Set the interval at which the device sends hello packets to the surrounding devices to make sure the paths are fault free Max Age Set the maximum length of time a configuration ...

Страница 221: ...n you can prevent frequent flushing of forwarding address entries NOTE HP recommends not disabling this function tc protection threshold Set the maximum number of immediate forwarding address entry flushes the device can perform within a certain period of time after receiving the first TC BPDU Configuring MSTP on a port 1 From the navigation tree select Network MSTP 2 Click the Port Setup tab Figu...

Страница 222: ...oint to point link Auto Configure the device to automatically detect whether or not the link type of the port is point to point Force False The link type for the port is not point to point link Force True The link type for the port is point to point link IMPORTANT If a port is configured as connecting to a point to point link the setting takes effect on the port in all MSTIs If the physical link t...

Страница 223: ... keeping receiving BPDUs from the upstream device a device can maintain the state of the root port and other blocked ports These BPDUs might get lost because of network congestion or unidirectional link failures The device will re elect a root port and blocked ports might transit to the forwarding state causing loops in the network The loop guard function is used to address such a problem Displayi...

Страница 224: ...l Whether STP is enabled on the port Port Role Port role which can be Alternate Backup Root Designated Master or Disabled Port Priority Port priority Port Cost Legacy Path cost of the port The field in the bracket indicates the standard used for port path cost calculation which can be legacy dot1d 1998 or dot1t Config indicates the configured value and Active indicates the actual value Desg Bridge...

Страница 225: ...ns to the forwarding state Num of Vlans Mapped Number of VLANs mapped to the current MSTI PortTimes Major parameters for the port Hello Hello timer MaxAge Max Age timer FwDly Forward delay timer MsgAge Message Age timer Remain Hop Remaining hops BPDU Sent Statistics on sent BPDUs BPDU Received Statistics on received BPDUs Protocol Status Whether MSTP is enabled Protocol Std MSTP standard Version M...

Страница 226: ...STI 2 are Switch A and Switch B respectively and the root bridge of MSTI 3 is Switch C Figure 189 Network diagram NOTE Permit next to a link in the figure is followed by the VLANs the packets of which are permitted to pass this link Configuration procedure Configuring Switch A 1 Configure an MST region a From the navigation tree select Network MSTP By default the Region tab is displayed b Click Mo...

Страница 227: ...o MSTI 2 and VLAN 30 to MSTI 3 and add the VLAN to instance mapping entries to the VLAN to instance mapping list j Click Activate Figure 191 Configuring an MST region 2 Configure MSTP globally a From the navigation tree select Network MSTP b Click the Global tab c Select Enable from the Enable STP Globally list d Select MSTP from the Mode list e Select the box before Instance f Set the Instance ID...

Страница 228: ...e MST region is configured on Switch A 2 Configure MSTP globally a From the navigation tree select Network MSTP b Click the Global tab c Select Enable from the Enable STP Globally list d Select MSTP from the Mode list e Select the box before Instance f Set the Instance ID field to 2 g Set the Root Type field to Primary h Click Apply ...

Страница 229: ...list d Select MSTP from the Mode list e Select the box before Instance f Set the Instance ID field to 3 g Set the Root Type field to Primary h Click Apply Configuring Switch D 1 Configure an MST region on the switch in the same way the MST region is configured on Switch A 2 Configure MSTP globally a From the navigation tree select Network MSTP b Click Global c Select Enable from the Enable STP Glo...

Страница 230: ...217 Figure 193 Configuring MSTP globally on Switch D ...

Страница 231: ...ate interface equals the total rate of its member ports in Selected state and its duplex mode is the same as that of the selected member ports For more information about the states of member ports in an aggregation group see Static aggregation mode and Dynamic aggregation mode LACP The Link Aggregation Control Protocol LACP is defined in IEEE 802 3ad It uses link aggregation control protocol data ...

Страница 232: ... even if they are different from those on the aggregate interface For example MSTP can be configured on aggregate interfaces and member ports However class one configurations do not take effect in operational key calculation Link aggregation modes Based on the link aggregation procedure link aggregation operates in one of the following modes Static aggregation mode Dynamic aggregation mode Static ...

Страница 233: ...port A port ID comprises a port priority and a port number The port with the lower priority value is chosen If two ports have the same aggregation priority the system compares their port numbers The port with the smaller port number becomes the reference port 3 If a port in up state is with the same port attributes and class two configuration as the reference port and the peer port of the port is ...

Страница 234: ...atically created LACP is enabled automatically on all the member ports By default no link aggregation group exists 2 Optional Displaying aggregate interface Display detailed information of an existing aggregation group 3 Optional Setting LACP priority Set LACP priority for the local system and link aggregation member ports Changes of LACP priorities affect the aggregation state of the member ports...

Страница 235: ...egation interface to be created Static LACP is disabled Dynamic LACP is enabled Select port s for the link aggregation interface Select one or multiple ports to be assigned to the link aggregation group from the chassis front panel You can view the result in the Summary area at the bottom of the page Displaying aggregate interface information 1 From the navigation tree select Network Link Aggregat...

Страница 236: ... static or dynamic Partner ID ID of the remote device including its LACP priority and MAC address Selected Ports Number of Selected ports in each link aggregation group Only Selected ports can send and receive user data Standby Ports Number of Unselected ports in each link aggregation group Unselected ports cannot send or receive user data Member Port A member port of the link aggregation group co...

Страница 237: ...iority Choose the ports where the port LACP priority you set will apply on the chassis front panel You can set LACP priority on both LACP enabled ports and LACP disabled ports 5 In the Set global LACP parameters area set the system priority 6 Click Apply in the area Displaying LACP enabled port information 1 From the navigation tree select Network LACP The Summary tab is displayed by default as sh...

Страница 238: ...ort Port where LACP is enabled LACP State State of LACP on the port Port Priority LACP priority of the port State Aggregation state of the port If a port is Selected this filed also displays the ID of the aggregation group it belongs to Inactive Reason Reason code indicating why a port is Unselected for receiving or sending user data For more information about the reason codes see the bottom of th...

Страница 239: ...eld Description Unit Number of the remote system Port Name of the remote port Partner ID LACP priority and MAC address of the remote system Partner Port Priority LACP priority of the remote port Partner Oper Key Operational key of the remote port Link aggregation and LACP configuration example Network requirements As shown in Figure 198 aggregate the ports on each device to form a link aggregation...

Страница 240: ...tic link aggregation group 1 Method 2 Create dynamic link aggregation group 1 1 From the navigation tree select Network Link Aggregation 2 Click Create to enter the page as shown in Figure 200 3 Configure dynamic aggregation group 1 a Enter link aggregation interface ID 1 b Select the Dynamic LACP Enabled option for aggregate interface type c Select GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and ...

Страница 241: ...configurations as the aggregate interface The candidate ports are sorted in the following order Full duplex high speed Full duplex low speed Half duplex high speed Half duplex low speed If two ports with the same duplex mode speed pair are present the one with the lower port number is chosen Port attribute configuration includes the configuration of the port rate duplex mode and link state For mor...

Страница 242: ...s aggregated at one end are also aggregated The two ends can automatically negotiate the aggregation state of each member port Removing a Layer 2 aggregate interface also removes its aggregation group and causes all member ports to leave the aggregation group ...

Страница 243: ...ime the device stores the device information received in LLDPDUs sent from the LLDP neighbors in a standard management information base MIB For more information about MIBs see Configuring SNMP LLDP enables a network management system to quickly detect and identify Layer 2 network topology changes Basic concepts LLDPDU formats LLDP sends device information in LLDP data units LLDPDUs LLDPDUs are enc...

Страница 244: ...is 0xAAAA 0300 0000 88CC for LLDP Data LLDP data unit FCS Frame check sequence a 32 bit CRC value used to determine the validity of the received Ethernet frame LLDPDUs LLDP uses LLDPDUs to exchange information An LLDPDU comprises multiple type length and value TLV sequences each carrying a type of device information as shown in Figure 203 Figure 203 LLDPDU encapsulation format An LLDPDU can carry ...

Страница 245: ...equence in the LLDPDU Port Description Specifies the port description of the sending port Optional System Name Specifies the assigned name of the sending device System Description Specifies the description of the sending device System Capabilities Identifies the primary functions of the sending device and the primary functions that have been enabled Management Address Specifies the management addr...

Страница 246: ... including the power type of the PSE PD PoE sourcing receiving priority and PoE sourcing receiving power NOTE The Power Stateful Control TLV is defined in IEEE P802 3at D1 0 The later versions no longer support this TLV HP devices send this type of TLVs only after receiving them 4 LLDP MED TLVs LLDP MED TLVs provide multiple advanced applications for voice over IP VoIP such as basic configuration ...

Страница 247: ... TLV Operating modes of LLDP LLDP can operate in one of the following modes TxRx mode A port in this mode can send and receive LLDPDUs Tx mode A port in this mode can only send LLDPDUs Rx mode A port in this mode can only receive LLDPDUs Disable mode A port in this mode cannot send or receive LLDPDUs Each time the LLDP operating mode of a port changes its LLDP protocol state machine re initializes...

Страница 248: ...red on the device This can cause a requesting Cisco IP phone to send voice traffic untagged to your device disabling your device to differentiate voice traffic from other types of traffic By configuring CDP compatibility you can enable LLDP on your device to receive and recognize CDP packets from Cisco IP phones and respond with CDP packets carrying the voice VLAN configuration TLV for the IP phon...

Страница 249: ... the local LLDP information neighbor information statistics and status information of a port where The local LLDP information refers to the TLVs to be advertised by the local device to neighbors The neighbor information refers to the TLVs received from neighbors 5 Displaying global LLDP information Optional You can display the local global LLDP information and statistics 6 Displaying LLDP informat...

Страница 250: ... single port and set LLDP parameters for multiple ports in batch Setting LLDP parameters for a single port 1 Select Network LLDP from the navigation tree By default the Port Setup tab is displayed 2 Click the icon for the port you are configuring On the page as shown in Figure 205 the LLDP settings of the port are displayed ...

Страница 251: ...Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds Table 76 Configuration items Item Description Interface Name Displays the name of the port or ports you are configuring DLDP State Displays the LLDP enabling status on the port you are configuring This field is not available when you batch configure ports ...

Страница 252: ... interval is set LLDP polling is disabled With the polling mechanism LLDP periodically detects local configuration changes If a configuration change is detected an LLDPDU is sent to inform the LLDP neighbors of the change LLDP Trapping Set the enable status of the LLDP trapping function on the port or ports LLDP trapping is used to report to the network management station critical events such as n...

Страница 253: ... TLV in transmitted LLDPDUs Network Policy Select to include the network policy TLV in transmitted LLDPDUs Extended Power via MDI Capability Select to include the extended power via MDI TLV in transmitted LLDPDUs Emergency Number Select to encode the emergency call number in the location identification TLV in transmitted LLDPDUs and set the emergency call number Address Select Address to encode th...

Страница 254: ...n batch 4 Set the LLDP settings for these ports as described in Table 76 5 Click Apply A progress dialog box appears 6 Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds Configuring LLDP globally 1 Select Network LLDP from the navigation tree 2 Click the Global Setup tab ...

Страница 255: ...ect from the list to enable or disable CDP compatibility of LLDP IMPORTANT To enable LLDP to be compatible with CDP on a port you must set the CDP operating mode on the port to TxRx in addition to enabling CDP compatibility on the Global Setup tab Because the maximum TTL allowed by CDP is 255 seconds you must make sure that the product of the TTL multiplier and the LLDPDU transmit interval is less...

Страница 256: ...DP from being initialized too frequently at times of frequent operating mode change initialization delay is introduced With this delay mechanism a port must wait for the specified interval before it can initialize LLDP after the LLDP operating mode changes Tx Delay Set LLDPDU transmit delay With LLDP enabled a port advertises LLDPDUs to its neighbors both periodically and when the local configurat...

Страница 257: ...y assigned Locally defined port ID type other than those listed above Power port class The power over Ethernet port class PSE Power supply device PD Powered device Port power classification Port power classification of the PD Unknown Class0 Class1 Class2 Class3 Class4 Power type The PoE type is Type 2 PSE which supplies power from 0 to 30 W a voltage from 50 to 57 V and a maximum current of 600 mA...

Страница 258: ...oft phone voice Videoconferencing Streaming video Video signaling PoE PSE power source The type of PSE power source advertised by the local device Primary Backup Port PSE priority PSE priority of the port Unknown Unknown priority Critical Priority level 1 High Priority level 2 Low Priority level 3 3 Click the Neighbor Information tab to display the LLDP neighbor information Table 79 describes the ...

Страница 259: ...tion of the system Repeater Bridge Router System capabilities enabled The network function enabled on the system Repeater Bridge Router Auto negotiation supported The support of the neighbor for auto negotiation Auto negotiation enabled The enable status of auto negotiation on the neighbor OperMau Current speed and duplex mode of the neighbor Power type Power type Type 1 PD This type requires powe...

Страница 260: ...uire the discovery service of LLDP belong to this category Class II A media endpoint device The class II endpoint devices support the media stream capabilities in addition to the capabilities of generic endpoint devices Class III A communication endpoint device The class III endpoint devices directly support end users of the IP communication system Providing all capabilities of generic and media e...

Страница 261: ... purpose of inventory management and asset tracking PoE PSE power source Type of PSE power source advertised by the neighbor Primary Backup Port PSE priority PSE priority of the port Unknown The PSE priority of the port is unknown Critical Priority level 1 High Priority level 2 Low Priority level 3 4 Click the Statistics Information tab to display the LLDP statistics Figure 210 The Statistic Infor...

Страница 262: ...ying global LLDP information 1 Select Network LLDP from the navigation tree 2 Click the Global Summary tab to display global local LLDP information and statistics as shown in Figure 212 Table 80 describes the fields Figure 212 The Global Summary tab ...

Страница 263: ...device All endpoints that require the discovery service of LLDP belong to this category Class II A media endpoint device The class II endpoint devices support the media stream capabilities in addition to the capabilities of generic endpoint devices Class III A communication endpoint device The class III endpoint devices directly support end users of the IP communication system Providing all capabi...

Страница 264: ...e link between Switch A and MED and the link between Switch A and Switch B Figure 214 Network diagram Configuring Switch A 1 Enable LLDP on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 Optional By default LLDP is enabled on Ethernet ports 2 Set the LLDP operating mode to Rx on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 a Select Network LLDP from the navigation tree By default the Port Setu...

Страница 265: ...fy Selected The page shown in Figure 216 appears Figure 215 The Port Setup tab d Select Rx from the LLDP Operating Mode list 3 Click Apply A progress dialog box appears 4 Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds ...

Страница 266: ... LLDP a Click the Global Setup tab b Select Enable from the LLDP Enable list 6 Click Apply A progress dialog box appears 7 Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds Figure 217 Enabling global LLDP ...

Страница 267: ...e list 3 Click Apply A progress dialog box appears 4 Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds Figure 218 Setting the LLDP operating mode to Tx 5 Enable global LLDP a Click the Global Setup tab b Select Enable from the LLDP Enable list 6 Click Apply A progress dialog box appears 7 Click Close on the progress dialog box when the prog...

Страница 268: ...tEthernet1 0 2 on Switch A a Click the GigabitEthernet1 0 2 port name in the port list b Click the Status Information tab at the lower half of the page The output shows that port GigabitEthernet 1 0 2 is connected to a non MED neighbor device Switch B Figure 220 Viewing the status of port GigabitEthernet 1 0 2 3 Tear down the link between Switch A and Switch B 4 Click Refresh to display the status...

Страница 269: ...gure CDP compatible LLDP to enable the Cisco IP phones to automatically configure the voice VLAN confining their voice traffic within the voice VLAN to be separate from other types of traffic Figure 222 Network diagram Configuring Switch A 1 Create VLAN 2 a Select Network VLAN from the navigation tree b Click Create to enter the page for creating VLANs c Enter 2 in the VLAN IDs field d Click Creat...

Страница 270: ...t 1 0 2 as trunk ports a Select Device Port Management from the navigation tree b Click the Setup tab to enter the page for configuring ports c Select Trunk in the Link Type list d Select port GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 from the chassis front panel e Click Apply ...

Страница 271: ...tion tree b Click the Port Setup tab to enter the page for configuring the voice VLAN function on ports c Select Auto in the Voice VLAN port mode list select Enable in the Voice VLAN port state list enter the voice VLAN ID 2 and select port GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 from the chassis front panel d Click Apply ...

Страница 272: ...abled the default 5 Set both the LLDP operating mode and the CDP operating mode to TxRx on ports GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 a Select Network LLDP from the navigation tree By default the Port Setup tab is displayed b Select port GigabitEthernet1 0 1 and GigabitEthernet1 0 2 c Click Modify Selected The page shown in Figure 227 is displayed ...

Страница 273: ...TxRx from the LLDP Operating Mode list and select TxRx from the CDP Operating Mode list e Click Apply A progress dialog box appears f Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds ...

Страница 274: ...ility of LLDP a Click the Global Setup tab b Select Enable from the LLDP Enable list c Select Enable from the CDP Compatibility list d Click Apply A progress dialog box appears e Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds ...

Страница 275: ... enable it both globally and at port level To advertise LLDP MED TLVs other than the LLDP MED capabilities TLV you must include the LLDP MED capabilities TLV To remove the LLDP MED capabilities TLV you must remove all other LLDP MED TLVs To remove the MAC PHY configuration TLV remove the LLDP MED capabilities set TLV first When the advertising of LLDP MED capabilities TLV and MAC PHY configuration...

Страница 276: ...address length and protocol address length Length in bytes of a hardware address and a protocol address in bytes For an Ethernet address the value of the hardware address length field is 6 For an IPv4 address the value of the protocol address length field is 4 OP Operation code The type of the ARP message The value 1 represents an ARP request and 2 represents an ARP reply Sender hardware address H...

Страница 277: ...t B a Adds the sender IP address and sender MAC address to its ARP table b Encapsulates its MAC address into an ARP reply c Unicasts the ARP reply to Host A 4 After receiving the ARP reply Host A a Adds the MAC address of Host B to its ARP table b Encapsulates the MAC address in the IP packet and sends it to Host B Figure 230 ARP address resolution process If Host A and Host B are not on the same ...

Страница 278: ...ackets In a gratuitous ARP packet the sender IP address and the target IP address are the IP address of the sending device A device sends a gratuitous ARP packet for either of the following purposes Determine whether its IP address is already used by another device If the IP address is already used the device will be informed of the conflict by an ARP reply Inform other devices of a MAC address ch...

Страница 279: ...ration page Creating a static ARP entry 1 From the navigation tree select Network ARP Management The ARP Table page appears as shown in Figure 231 2 Click Add The New Static ARP Entry page appears Figure 232 Adding a static ARP entry ...

Страница 280: ...ent The ARP Table page appears as shown in Figure 231 2 Remove ARP entries To remove specific ARP entries select the boxes of target ARP entries and click Del Selected To remove all static and dynamic ARP entries click Delete Static and Dynamic To remove all static ARP entries click Delete Static To remove all dynamic ARP entries click Delete Dynamic Configuring gratuitous ARP 1 From the navigatio...

Страница 281: ...m another network segment Static ARP configuration example Network Requirements As shown in Figure 234 hosts are connected to Switch A and Switch A is connected to Router B through GigabitEthernet 1 0 1 in VLAN 100 To ensure secure communications between Switch A and Router B configure a static ARP entry on Switch A for Router B Figure 234 Network diagram Configuring Switch A 1 Create VLAN 100 a F...

Страница 282: ... VLAN 100 a Click the Modify Port tab b Select interface GigabitEthernet 1 0 1 in the Select Ports area c Select the Untagged option in the Select membership type area d Enter 100 for VLAN Ids e Click Apply f After the configuration process is complete click Close ...

Страница 283: ... 100 a From the navigation tree select Network VLAN Interface b Click the Create tab c Enter 100 for VLAN ID d Select the Configure Primary IPv4 Address box e Select the Manual option f Enter 192 168 1 2 for IPv4 Address and enter 24 or 255 255 255 0 for Mask Length g Click Apply ...

Страница 284: ...tree select Network ARP Management The ARP Table page appears b Click Add c Enter 192 168 1 1 for IP Address enter 00e0 fc01 0000 for MAC Address d Select the Advanced Options box e Enter 100 for VLAN ID f Select GigabitEthernet1 0 1 for Port g Click Apply Figure 238 Creating a static ARP entry ...

Страница 285: ...et validity check This feature does not check ARP packets received from ARP trusted ports It checks ARP packets received from ARP untrusted ports based on the following objects src mac Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header If they are identical the packet is forwarded otherwise the packet is discarded dst mac Checks ...

Страница 286: ...button To remove ports from the Trusted Ports list select one or multiple ports from the list and click the button ARP Packet Validity Check Select ARP packet validity check modes Discard the ARP packet whose sender MAC address is different from the source MAC address in the Ethernet header Discard the ARP packet whose target MAC address is all 0s all 1s or inconsistent with the destination MAC ad...

Страница 287: ...not enabled the Layer 2 switch floods multicast packets to all hosts When IGMP snooping is enabled the Layer 2 switch forwards multicast packets of known multicast groups to only the receivers of the multicast groups Figure 240 Multicast forwarding before and after IGMP snooping is enabled Basic IGMP snooping concepts This section describes the basic IGMP snooping concepts IGMP snooping related po...

Страница 288: ...ding table Unless otherwise specified router ports and member ports in this document include both dynamic and static ports NOTE When IGMP snooping is enabled all ports that receive PIM hello messages or IGMP general queries with the source addresses other than 0 0 0 0 are considered dynamic router ports Aging timers for dynamic ports in IGMP snooping Timer Description Message received before the t...

Страница 289: ...ddress of the reported multicast group The switch also performs the following actions If no forwarding entry matches the group address the switch creates a forwarding entry for the group adds the receiving port as a dynamic member port to the forwarding entry and starts an aging timer for that port If a forwarding entry matches the group address but the receiving port is not in the forwarding entr...

Страница 290: ...pecific query the switch forwards it through all its router ports in the VLAN and all member ports for that multicast group The switch also performs one of the following actions for the port that received the IGMP leave message If the port assuming that it is a dynamic member port receives any IGMP report in response to the group specific query before its aging timer expires it indicates that some...

Страница 291: ...snooping enabled on a port takes effect only after IGMP snooping is enabled for the VLAN 4 Displaying IGMP snooping multicast forwarding entries Optional Enabling IGMP snooping globally 1 Select Network IGMP snooping from the navigation tree 2 Click Enable for IGMP snooping 3 Click Apply Figure 242 Enabling IGMP snooping globally Configuring IGMP snooping in a VLAN 1 Select Network IGMP snooping f...

Страница 292: ...s IGMPv1 IGMPv2 and IGMPv3 messages IMPORTANT If you change the IGMPv3 snooping to IGMPv2 snooping the system clears all IGMP snooping forwarding entries that are dynamically added Drop Unknown Enable or disable the function of dropping unknown multicast packets Unknown multicast data refers to multicast data for which no entries exist in the IGMP snooping forwarding table If the function of dropp...

Страница 293: ...port IGMP To address this issue you can enable IGMP snooping querier on a Layer 2 device so that the device can generate and maintain multicast forwarding entries at data link layer for correct multicast traffic forwarding at data link layer Query interval Configure the IGMP general query interval General Query Source IP Specify the source IP address of general queries Special Query Source IP Spec...

Страница 294: ...om the IGMP snooping forwarding table The hosts on this port need to join the multicast groups again Fast Leave Enable or disable fast leave processing on the port When a port that is enabled with the IGMP snooping fast leave processing feature receives an IGMP leave message the switch immediately removes that port from the forwarding entry for the multicast group specified in the message When the...

Страница 295: ...member ports IGMP snooping configuration example Network requirements As shown in Figure 247 IGMPv2 runs on Router A and IGMPv2 snooping runs on Switch A Router A acts as the IGMP querier Perform the configuration so that Host A can receive the multicast data destined for the multicast group 224 1 1 1 and Switch A drops the unknown multicast data rather than flooding it in the VLAN Figure 247 Netw...

Страница 296: ... VLAN from the navigation tree b Click the Create tab c Enter 100 as the VLAN ID d Click Apply Figure 248 Creating VLAN 100 2 Assign GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to VLAN 100 a Click the Modify Port tab b Select GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 in the Select Ports field c Select Untagged for Select membership type d Enter 100 as the VLAN I...

Страница 297: ...Enable IGMP snooping globally a Select Network IGMP snooping from the navigation tree b Select Enable c Click Apply Figure 250 Enabling IGMP snooping globally 4 Enable IGMP snooping and the function of dropping unknown multicast data for VLAN 100 ...

Страница 298: ...00 Verifying the configuration 1 Select Network IGMP snooping from the navigation tree 2 Click Show Entries in the basic VLAN configuration page to display information about IGMP snooping multicast forwarding entries Figure 252 Displaying IGMP snooping multicast forwarding entries 3 Click the icon for the multicast entry 0 0 0 0 224 1 1 1 to view detailed information about this entry ...

Страница 299: ...286 Figure 253 Displaying detailed information about the entry The output shows that GigabitEthernet 1 0 3 of Switch A is listening to multicast streams destined for the multicast group 224 1 1 1 ...

Страница 300: ... when MLD snooping is not enabled the Layer 2 switch floods IPv6 multicast packets to all hosts When MLD snooping is enabled the Layer 2 switch forwards multicast packets of known IPv6 multicast groups to only the receivers of the multicast groups Figure 254 IPv6 multicast forwarding before and after MLD snooping is enabled Basic MLD snooping concepts MLD snooping related ports As shown in Figure ...

Страница 301: ...ernet 1 0 3 of Switch A and GigabitEthernet1 0 2 of Switch B are member ports A switch records all local member ports in its MLD snooping forwarding table Unless otherwise specified router ports and member ports in this document include both dynamic and static ports NOTE When MLD snooping is enabled all ports that receive IPv6 PIM hello messages or MLD general queries with source addresses other t...

Страница 302: ...dynamic router port in the router port list the switch restarts the aging timer for the router port If the receiving port is not in the router port list the switch adds the port as a dynamic router port to the router port list and starts an aging timer for the port MLD report A host sends an MLD report to the MLD querier for the following purposes Responds to queries if the host is an IPv6 multica...

Страница 303: ...group Instead the switch resets the aging timer for that port After receiving the MLD done message the MLD querier resolves the IPv6 multicast group address in the message and sends an MLD multicast address specific query to that IPv6 multicast group through the port that received the MLD done message After receiving the MLD multicast address specific query the switch forwards it through all its r...

Страница 304: ...nfiguring MLD snooping port functions Optional Configure the maximum number of IPv6 multicast groups allowed and fast leave processing on a port of the specified VLAN IMPORTANT Enable MLD snooping globally before you enable it on a port MLD snooping enabled on a port takes effect only after MLD snooping is enabled for the VLAN 4 Displaying MLD snooping multicast forwarding entries Optional Enablin...

Страница 305: ...in the VLAN You can proceed with the subsequent configurations only if Enable is selected here Version By configuring an MLD snooping version you actually configure the versions of MLD messages that MLD snooping can process MLDv1 snooping can process MLDv1 messages but it floods MLDv2 messages in the VLAN instead of processing them MLDv2 snooping can process MLDv1 and MLDv2 messages IMPORTANT If y...

Страница 306: ...ns MLD a Layer 3 device is elected as the MLD querier to send MLD queries so that all Layer 3 multicast devices can establish and maintain IPv6 multicast forwarding entries ensuring correct IPv6 multicast traffic forwarding at the network layer On an IPv6 network without Layer 3 multicast devices MLD querier cannot work because a Layer 2 device does not support MLD To address this issue you can en...

Страница 307: ...ion calculations Features configured on a member port of the aggregate group does not take effect until the port leaves the aggregate group VLAN ID Specify a VLAN in which port functions are to be configured The configurations made in a VLAN take effect on the ports only in this VLAN Multicast Group Limit Configure the maximum number of IPv6 multicast groups on a port With this feature you can reg...

Страница 308: ...bled dropping unknown IPv6 multicast data for the VLAN to which the port or the switch belongs Otherwise if a host on the port leaves an IPv6 multicast group the other hosts attached to the port in the same IPv6 multicast group cannot receive the IPv6 multicast data for the group Displaying MLD snooping multicast forwarding entries 1 Select Network MLD snooping from the navigation tree 2 Click Sho...

Страница 309: ...eive the IPv6 multicast packets destined for the IPv6 multicast group FF1E 101 and Switch A drops the unknown IPv6 multicast packets rather than flooding them in the VLAN Figure 261 Network diagram Configuration procedure Configuring Router A Enable IPv6 multicast routing assign IPv6 address to each interface enable IPv6 PIM DM on each interface and enable MLD on Ethernet 1 1 Details not shown Con...

Страница 310: ... 1 through GigabitEthernet 1 0 3 to VLAN 100 a Click the Modify Port tab b Select GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 in the Select Ports field c Select Untagged for Select membership type d Enter 100 as the VLAN ID e Click Apply ...

Страница 311: ...elect Network MLD snooping from the navigation tree b Select Enable c Click Apply Figure 264 Enabling MLD snooping globally 4 Enable MLD snooping and the function of dropping unknown IPv6 multicast data for VLAN 100 a Click the icon for VLAN 100 b Select Enable for MLD snooping ...

Страница 312: ... 1 Select Network MLD snooping from the navigation tree 2 Click Show Entries in the basic VLAN configuration page to display information about MLD snooping multicast forwarding entries Figure 266 Displaying MLD snooping forwarding multicast entries 3 Click the icon for the multicast entry FF1E 101 to display detailed information about this entry ...

Страница 313: ...300 Figure 267 Displaying detailed information about the entry The output shows that GigabitEthernet 1 0 3 of Switch A is listening to multicast streams destined for the IPv6 multicast group FF1E 101 ...

Страница 314: ...ly configure the routes again whenever the network topology changes Dynamic routes Routes that are discovered dynamically by routing protocols Each entry in the FIB table specifies a physical interface that packets destined for a certain address should go out to reach the next hop the next router or the directly connected destination A route entry includes the following items Destination IP addres...

Страница 315: ...ou can configure default routes in the Web interface in the following ways Configure an IPv4 static default route and specify both its destination IP address and mask as 0 0 0 0 Configure an IPv6 static default route and specify both its destination IP address and prefix as 0 Displaying the IPv4 active route table Select Network IPv4 Routing from the navigation tree to enter the page Figure 268 IP...

Страница 316: ...the navigation tree 2 Click the Create tab The page for configuring an IPv4 static route appears Figure 269 Creating an IPv4 static route 3 Create an IPv4 static route as described in Table 91 4 Click Apply Table 91 Configuration items Item Description Destination IP Address Enter the destination host or network IP address in dotted decimal notation Mask Enter the mask of the destination IP addres...

Страница 317: ...lect any available Layer 3 interface for example a virtual interface of the device If you select NULL 0 the destination IP address is unreachable Displaying the IPv6 active route table Select Network IPv6 Routing from the navigation tree to enter the page Figure 270 IPv6 active route table Table 92 Field description Field Description Destination IP Address Destination IP address and prefix length ...

Страница 318: ... route appears Figure 271 Creating an IPv6 static route 3 Create an IPv6 static route as described in Table 93 4 Click Apply Table 93 Configuration items Item Description Destination IP Address Enter the destination host or network IP address in the X X X X format The 128 bit destination IPv6 address is a hexadecimal address with eight parts separated by colons Each part is represented by a 4 digi...

Страница 319: ...ress is unreachable IPv4 static route configuration example Network requirements As shown in Figure 272 configure IPv4 static routes on Switch A Switch B and Switch C for any two hosts to communicate with each other Figure 272 Network diagram Configuration considerations On Switch A configure a default route with Switch B as the next hop On Switch B configure one static route with Switch A as the ...

Страница 320: ...e to Switch A and Switch C on Switch B a Select Network IPv4 Routing from the navigation tree of Switch B b Click the Create tab The page for configuring a static route appears c Enter 1 1 2 0 for Destination IP Address 24 for Mask and 1 1 4 1 for Next Hop d Click Apply ...

Страница 321: ... 24 for Mask and enter 1 1 5 6 for Next Hop f Click Apply 3 Configure a default route to Switch B on Switch C a Select Network IPv4 Routing from the navigation tree of Switch C b Click the Create tab c Enter 0 0 0 0 for Destination IP Address 0 for Mask and 1 1 5 5 for Next Hop d Click Apply ...

Страница 322: ... from Host A assuming both hosts run Windows XP C Documents and Settings Administrator ping 1 1 3 2 Pinging 1 1 3 2 with 32 bytes of data Reply from 1 1 3 2 bytes 32 time 1ms TTL 128 Reply from 1 1 3 2 bytes 32 time 1ms TTL 128 Reply from 1 1 3 2 bytes 32 time 1ms TTL 128 Reply from 1 1 3 2 bytes 32 time 1ms TTL 128 Ping statistics for 1 1 3 2 Packets Sent 4 Received 4 Lost 0 0 loss Approximate ro...

Страница 323: ... and the other with Switch C as the next hop On Switch C configure a default route with Switch B as the next hop Configuration procedure 1 Configure a default route to Switch B on Switch A a Select Network IPv6 Routing from the navigation tree of Switch A b Click the Create tab c Enter for Destination IP Address select 0 from the Prefix Length list and enter 4 2 for Next Hop d Click Apply Vlan int...

Страница 324: ... A and Switch C on Switch B a Select Network IPv6 Routing from the navigation tree of Switch B b Click the Create tab The page for configuring a static route appears c Enter 1 for Destination IP Address select 64 from the Prefix Length list and enter 4 1 for Next Hop d Click Apply ...

Страница 325: ...Length list and enter 5 1 for Next Hop f Click Apply 3 Configure a default route to Switch B on Switch C a Select Network IPv6 Routing from the navigation tree of Switch C b Click the Create tab c Enter for Destination IP Address select 0 from the Prefix Length list and enter 5 2 for Next Hop d Click Apply ...

Страница 326: ...g Host C from Switch A SwitchA system view SwitchA ping ipv6 3 2 PING 3 2 56 data bytes press CTRL_C to break Reply from 3 2 bytes 56 Sequence 1 hop limit 254 time 63 ms Reply from 3 2 bytes 56 Sequence 2 hop limit 254 time 62 ms Reply from 3 2 bytes 56 Sequence 3 hop limit 254 time 62 ms Reply from 3 2 bytes 56 Sequence 4 hop limit 254 time 63 ms Reply from 3 2 bytes 56 Sequence 5 hop limit 254 t...

Страница 327: ...default preference If you specify the next hop address first and then configure it as the IP address of a local interface such as a VLAN interface the static route does not take effect When you specify the output interface note the following If the output interface is Null 0 no next hop address is required If the output interface is a broadcast interface such as a VLAN interface which might have m...

Страница 328: ...t difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits To configure basic IPv6 settings enable the IPv6 service function first Enabling IPv6 service 1 From the navigation tree select Network IPv6 Management 2 On the IPv6 Service tab select Enable Figure 280 Enabling IPv6 service ...

Страница 329: ... client on an interface For more information about the DHCP client configuration see Configuring VLAN interfaces Figure 281 A typical DHCP application DHCP address allocation Allocation mechanisms DHCP supports the following mechanisms for IP address allocation Static allocation The network administrator assigns an IP address to a client like a WWW server and DHCP conveys the assigned address to t...

Страница 330: ...t receives the DHCP ACK message it broadcasts a gratuitous ARP packet to verify whether the IP address assigned by the server is in use If the client receives no response within the specified time the client uses this IP address Otherwise the client sends a DHCP DECLINE message to the server and requests an IP address again IP address lease extension The dynamically assigned IP address has a lease...

Страница 331: ...he leftmost bit is defined as the BROADCAST B flag If this flag is set to 0 the DHCP server sent a reply back by unicast if this flag is set to 1 the DHCP server sent a reply back by broadcast The remaining bits of the flags field are reserved for future use ciaddr Client IP address yiaddr Your client IP address assigned by the server siaddr Server IP address from which the clients obtained config...

Страница 332: ...t Option 6o Vendor class identifier option A client uses this option to identify the vendor to which it belongs With this option the DHCP server can determine the vendor a client belongs to and assign an IP address within a specific range Option 66 TFTP server name option It specifies a TFTP server to be assigned to the client Option 67 Bootfile name option It specifies the bootfile name to be ass...

Страница 333: ...b option 1 Contains the VLAN ID and interface number of the interface that received the client s request The following figure gives its format The value of the sub option type is 1 and that of the circuit ID type is 0 Figure 285 Sub option 1 in normal padding format Sub option 2 Contains the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that received ...

Страница 334: ...nt interact with each other in the same way see DHCP overview For more information about DHCP packet exchange see Dynamic IP address allocation process The following describes the forwarding process on the DHCP relay agent 1 After receiving a DHCP DISCOVER or DHCP REQUEST broadcast message from a DHCP client the DHCP relay agent fills the giaddr field of the message with its IP address and forward...

Страница 335: ...of the group 3 Enabling the DHCP relay agent on an interface Required Enable the DHCP relay agent on an interface and correlate the interface with a DHCP server group With DHCP enabled interfaces operate in the DHCP server mode by default IMPORTANT The DHCP relay agent works on interfaces with IP addresses manually configured only 4 Configuring and displaying clients IP to MAC bindings Optional Cr...

Страница 336: ...he navigation tree to enter the DHCP Relay page 2 Click Display Advanced Configuration to expand the advanced DHCP relay agent configuration area Figure 289 DHCP relay agent configuration page 3 Enable DHCP service and configure advanced parameters for DHCP relay agent as described in Table 94 4 Click Apply ...

Страница 337: ...o relinquish its IP address In this case the DHCP relay agent simply conveys the message to the DHCP server thus it does not remove the IP address from dynamic client entries To solve this problem the periodic refresh of dynamic client entries feature is introduced With this feature the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay agent interface to period...

Страница 338: ...gent interface 3 Configure the DHCP relay agent on the interface as shown in Table 96 4 Click Apply Table 96 Configuration items Item Description Interface Name Displays the name of a specific interface DHCP Relay Enable or disable the DHCP relay agent on the interface If the DHCP relay agent is disabled the DHCP server is enabled on the interface Address Match Check Enable or disable IP address c...

Страница 339: ...or creating a static IP to MAC binding Figure 293 Creating a static IP to MAC binding 4 Configure the static IP to MAC binding as described in Table 97 5 Click Apply Table 97 Configuration items Item Description IP Address Enter the IP address of a DHCP client MAC Address Enter the MAC address of the DHCP client Interface Name Select the Layer 3 interface connected with the DHCP client IMPORTANT T...

Страница 340: ...er whose IP address is 10 1 1 1 24 The switch forwards messages between DHCP clients and the DHCP server Figure 294 Network diagram Configuring Switch A 1 Enable DHCP a Select Network DHCP from the navigation tree to enter the DHCP Relay page b Select the Enable option next to DHCP Service c Click Apply DHCP server Switch A DHCP relay agent DHCP client DHCP client DHCP client DHCP client Vlan int2...

Страница 341: ...Group area click Add b On the page that appears enter 1 for Server Group ID and enter 10 1 1 1 for IP Address c Click Apply Figure 296 Adding a DHCP server group 3 Enable the DHCP relay agent on VLAN interface 1 a In the Interface Config field click the icon for VLAN interface 1 ...

Страница 342: ...Server Group ID c Click Apply Figure 297 Enabling the DHCP relay agent on an interface and correlate it with a server group NOTE Because the DHCP relay agent and server are on different subnets you need to configure a static route or dynamic routing protocol to make them reachable to each other ...

Страница 343: ...ted An untrusted port discards received DHCP ACK and DHCP OFFER messages to prevent unauthorized servers from assigning IP addresses DHCP snooping reads DHCP ACK messages received from trusted ports and DHCP REQUEST messages to create DHCP snooping entries A DHCP snooping entry includes the MAC and IP addresses of a client the port that connects to the DHCP client and the VLAN Application of trust...

Страница 344: ...GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 Switch C GigabitEthernet 1 0 1 GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 GigabitEthernet 1 0 2 DHCP snooping support for Option 82 Option 82 records the location information of the DHCP client The administrator can locate the DHCP client to further implement security control and accounting For more in...

Страница 345: ...ing functions on an interface Required Specify an interface as trusted and configure DHCP snooping to support Option 82 By default an interface is untrusted and DHCP snooping does not support Option 82 IMPORTANT You need to specify the ports connected to the authorized DHCP servers as trusted to make sure that DHCP clients can obtain valid IP addresses The trusted port and the port connected to th...

Страница 346: ...etwork DHCP from the navigation tree 2 Click the DHCP Snooping tab to enter the page shown in Figure 300 3 Click the icon for a specific interface in the Interface Config area Figure 301 DHCP snooping interface configuration page 4 Configure DHCP snooping on the interface as described in Table 100 5 Click Apply ...

Страница 347: ...Network DHCP from the navigation tree 2 Click the DHCP Snooping tab to enter the page shown in Figure 300 3 Click User Information to enter the DHCP snooping user information page Table 101 describes the fields of DHCP snooping entries Figure 302 DHCP snooping user information Table 101 Field description Field Description IP Address Displays the IP address assigned by the DHCP server to the client...

Страница 348: ... for DHCP requests containing Option 82 as replace Enable GigabitEthernet 1 0 1 to forward DHCP server responses disable GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 from forwarding DHCP server responses Configure Switch B to record clients IP to MAC address bindings in DHCP REQUEST messages and DHCP ACK messages received from a trusted port Figure 303 Network diagram Configuring Switch B 1 Ena...

Страница 349: ... next to Interface State c Click Apply Figure 305 Configuring DHCP snooping functions on GigabitEthernet 1 0 1 3 Configure DHCP snooping functions on GigabitEthernet 1 0 2 a Click the icon for GigabitEthernet 1 0 2 on the interface list b Select the Untrust option for Interface State select the Enable option next to Option 82 Support and select Replace for Option 82 Strategy c Click Apply ...

Страница 350: ...n GigabitEthernet 1 0 3 a Click the icon for GigabitEthernet 1 0 3 on the interface list b Select the Untrust option for Interface State select the Enable option next to Option 82 Support and select Replace for Option 82 Strategy c Click Apply Figure 307 Configuring DHCP snooping functions on GigabitEthernet 1 0 3 ...

Страница 351: ...SFTP service The secure file transfer protocol SFTP is a new feature in SSH2 0 SFTP uses the SSH connection to provide secure data transfer The device can serve as the SFTP server allowing a remote user to log in to the SFTP server for secure file management and transfer The device can also serve as an SFTP client enabling a user to login from the device to a remote device for secure file transfer...

Страница 352: ...e or disable the FTP service The FTP service is disabled by default ACL Associate the FTP service with an ACL Only the clients that pass the ACL filtering are permitted to use the FTP service You can view this configuration item by clicking the expanding button in front of FTP Telnet Enable Telnet service Enable or disable the Telnet service The Telnet service is disabled by default SSH Enable SSH...

Страница 353: ...PS Enable HTTPS service Enable or disable the HTTPS service The HTTPS service is disabled by default Port Number Set the port number for the HTTPS service You can view this configuration item by clicking the expanding button in front of HTTPS IMPORTANT When you modify a port make sure that the port is not used by any other service ACL Associate the HTTPS service with an ACL Only the clients that p...

Страница 354: ...ICMP echo replies within the timeout time it displays Number of bytes for each echo reply Message sequence number Time to Live TTL Response time Ping statistics Ping statistics include Number of echo requests sent Number of echo replies received Percentage of echo replies not received Minimum average and maximum response time Traceroute Traceroute retrieves the IP addresses of Layer 3 devices in t...

Страница 355: ...esponds with a port unreachable ICMP message to the source In this way the source device gets the IP address of the destination device Ping operation IPv4 ping operation 1 From the navigation tree select Network Diagnostic Tools The IPv4 ping configuration page appears Figure 309 IPv4 ping configuration page 2 Enter the IPv4 address or the host name of the destination device in the Destination IP ...

Страница 356: ...ols 2 Click the IPv6 Ping tab The IPv6 ping configuration page appears Figure 311 IPv6 ping configuration page 3 Enter the IPv6 address or the host name of the destination device in the Destination IPv6 address or host name field 4 Click Start to execute the ping command 5 View the operation result in the Summary area ...

Страница 357: ...p ttl expires enable command on intermediate devices Enable sending of ICMP destination unreachable packets by executing the ip unreachables enable command on the destination device IPv4 traceroute operation 1 From the navigation tree select Network Diagnostic Tools 2 Click the IPv4 Traceroute tab The IPv4 traceroute configuration page appears Figure 313 IPv4 traceroute configuration page ...

Страница 358: ...igure 314 IPv4 traceroute operation result IPv6 traceroute operation 1 From the navigation tree select Network Diagnostic Tools 2 Click the IPv6 Traceroute tab The IPv6 traceroute configuration page appears Figure 315 IPv6 traceroute configuration page 3 Enter the IPv6 address or host name of the destination device in the Destination IPv6 address or host name field 4 Click Start to execute the tra...

Страница 359: ...346 5 View the operation result in the Summary area Figure 316 IPv6 traceroute operation result ...

Страница 360: ...uses an authentication server to perform authentication Authentication server Provides authentication services for the network access device The authentication server authenticates 802 1X clients by using the data sent from the network access device and returns the authentication results to the network access device to make access decisions The authentication server is typically a RADIUS server In...

Страница 361: ...fic from the client The device supports only unidirectional traffic control 802 1X related protocols 802 1X uses the Extensible Authentication Protocol EAP to transport authentication information for the client the network access device and the authentication server EAP is an authentication framework that uses the client server model It supports a variety of authentication methods including MD5 Ch...

Страница 362: ...nd type 4 MD5 challenge are two examples for the type field EAPOL packet format Figure 320 shows the EAPOL packet format Figure 320 EAPOL packet format PAE Ethernet type Protocol type It takes the value 0x888E for EAPOL Protocol version The EAPOL protocol version used by the EAPOL packet sender Type Type of the EAPOL packet Table 103 lists the types of EAPOL packets supported by HP implementation ...

Страница 363: ...Message Authenticator RADIUS includes the Message Authenticator attribute in all packets that have an EAP Message attribute to check their integrity The packet receiver drops the packet if the calculated packet integrity checksum is different than the Message Authenticator attribute value The Message Authenticator prevents EAP authentication packets from being tampered with during EAP authenticati...

Страница 364: ...X authentication procedures 802 1X provides the following methods for authentication EAP relay EAP termination You choose either mode depending on the support of the RADIUS server for EAP packets and EAP authentication methods EAP relay mode EAP relay is defined in IEEE 802 1X In this mode the network device uses EAPOR packets to send authentication information to the RADIUS server as shown in Fig...

Страница 365: ... use EAP relay Packet exchange method Benefits Limitations EAP relay Supports various EAP authentication methods The configuration and processing is simple on the network access device The RADIUS server must support the EAP Message and Message Authenticator attributes and the EAP authentication method used by the client EAP termination Works with any RADIUS server that supports PAP or CHAP authent...

Страница 366: ... to the authentication server 5 The authentication server uses the identity information in the RADIUS Access Request to search its user database If a matching entry is found the server uses a randomly generated challenge EAP Request MD5 challenge to encrypt the password in the entry and sends the challenge in a RADIUS Access Challenge packet to the network access device 6 The network access device...

Страница 367: ... handshake attempts fail the device logs off the client 12 Upon receiving a handshake request the client returns a response If the client fails to return a response after a certain number of consecutive handshake attempts two by default the network access device logs off the client This handshake mechanism enables timely release of the network resources used by 802 1X users that have abnormally go...

Страница 368: ... the device sends an EAP Request Identity packet to a client in response to an authentication request If the device receives no response before this timer expires it retransmits the request The timer also sets the interval at which the network device sends multicast EAP Request Identity packets to detect clients that cannot actively request authentication Client timeout timer Starts when the acces...

Страница 369: ...the VLAN to the port as the port VLAN PVID The authenticated 802 1X user and all subsequent 802 1X users can access the VLAN without authentication When the user logs off the previous PVID restores and all other online users are logged off MAC based If the port is an access trunk or hybrid port the device assigns the first authenticated user s VLAN to the port as the PVID If a different VLAN is as...

Страница 370: ...ember Auth Fail VLAN You can configure an Auth Fail VLAN to accommodate users that have failed 802 1X authentication because of the failure to comply with the organization security strategy such as using a wrong password Users in the Auth Fail VLAN can access a limited set of network resources such as a software server to download anti virus software and system patches The Auth Fail VLAN does not ...

Страница 371: ... 802 1X users For more information see Configuring AAA and Configuring RADIUS If RADIUS authentication is used create user accounts on the RADIUS server If local authentication is used create local user accounts on the access device and specify the LAN access service for the user accounts For more information see Configuring users and user groups Recommended configuration procedure Step Remarks 1 ...

Страница 372: ...nation and use PAP to communicate with the RADIUS server EAP Sets the access device to relay EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server For more information about EAP relay and EAP termination see Comparing EAP relay and EAP termination 4 Click Advanced The advanced 802 1X configuration area is expanded as shown in Figure 328 Figure 328 802...

Страница 373: ...t how to enable the online user handshake function see Configuring 802 1X on a port Re Authentication Period Set the periodic online user re authentication timer For information about how to enable periodic online user re authentication on a port see Configuring 802 1X on a port Supplicant Timeout Time Set the client timeout timer Server Timeout Time Set the server timeout timer NOTE You can set t...

Страница 374: ... state to allow access to the network You can use this option in most scenarios Force Authorized Places the specified or all ports in the authorized state enabling users on the ports to access the network without authentication Force Unauthorized Places the specified or all ports in the unauthorized state denying any access requests from users on the ports Max Number of Users Set the maximum numbe...

Страница 375: ...enable 802 1X multicast trigger at the CLI 802 1X multicast trigger is enabled by default Configuration guidelines When you configure an 802 1X guest VLAN follow these restrictions and guidelines You can configure only one 802 1X guest VLAN on a port The 802 1X guest VLANs on different ports can be different Assign different IDs to the voice VLAN the PVID and the 802 1X guest VLAN on a port so the...

Страница 376: ...ssign all users to the ISP domain test Configure the shared key as name for packets between the access device and the authentication server and the shared key as money for packets between the access device and the accounting server Exclude the ISP domain name from the username sent to the RADIUS servers Specify the device to try up to 5 times at an interval of 5 seconds in transmitting a packet to...

Страница 377: ...X Enabled area click Add b Select GigabitEthernet1 0 1 from the Port list select the Enable Re Authentication box and click Apply Figure 332 Configuring 802 1X for GigabitEthernet 1 0 1 Configuring a RADIUS scheme 1 From the navigation tree select Authentication RADIUS The RADIUS server configuration page appears ...

Страница 378: ...ring the RADIUS authentication servers 3 Click the RADIUS Setup tab 4 Configure a RADIUS scheme a Select the server type extended b Select the Authentication Server Shared Key box enter name in the field next to the box and the Confirm Authentication Shared Key field c Select the Accounting Server Shared Key box enter name in the field next to the box and the Confirm Accounting Shared Key field d ...

Страница 379: ...iguring a RADIUS scheme Configuring AAA 1 From the navigation tree select Authentication AAA The Domain Setup page appears 2 Enter test in the Domain Name field and select Enable from the Default Domain list 3 Click Apply ...

Страница 380: ... test select the Default AuthN box select the authentication method RADIUS select the authentication scheme system from the Name list and click Apply Figure 336 Configuring the AAA authentication method for the ISP domain A configuration progress dialog box appears as shown in Figure 337 ...

Страница 381: ...ion method RADIUS select the authorization scheme system from the Name list and click Apply Figure 338 Configuring the AAA authorization method for the ISP domain 7 After the configuration process is complete click Close 8 On the Accounting tab select the domain name test select the Default Accounting box select the accounting method RADIUS select the accounting scheme system from the Name list an...

Страница 382: ...ver Assign an ACL to GigabitEthernet 1 0 1 to deny the access of 802 1X users to the FTP server at 10 0 0 1 24 Figure 340 Network diagram Configuring IP addresses Assign an IP address to each interface as shown in Figure 340 Details not shown Configuring a RADIUS scheme 1 From the navigation tree select Authentication RADIUS The RADIUS server configuration page appears 2 Configure the RADIUS prima...

Страница 383: ... the server type Accounting Server b Enter the IP address 10 1 1 2 enter the port number 1813 and select the primary server status active c Click Apply Figure 342 Configuring the RADIUS primary accounting server 4 Click the RADIUS Setup tab 5 Configure a RADIUS scheme a Select the server type extended b Select the Authentication Server Shared Key box and enter abc in the field next to the box and ...

Страница 384: ...g Shared Key field d Select with domain from the Username Format list e Click Apply Figure 343 Configuring a RADIUS scheme Configuring AAA 1 From the navigation tree select Authentication AAA The Domain Setup page appears 2 Enter test in the Domain Name field and select Enable from the Default Domain list 3 Click Apply ...

Страница 385: ...t select the Default AuthN box select the authentication method RADIUS as mode select the authentication scheme system from the Name list and click Apply Figure 345 Configuring the AAA authentication method for the ISP domain A configuration progress dialog box appears as shown in Figure 346 ...

Страница 386: ...horization scheme system from the Name list and click Apply Figure 347 Configuring the AAA authorization method for the ISP domain 7 After the configuration process is complete click Close 8 On the Accounting tab select the domain name test select the Accounting Optional box select Enable from the list select the Default Accounting box select the accounting method RADIUS select the accounting sche...

Страница 387: ... the Create tab enter the ACL number 3000 and click Apply Figure 349 Creating ACL 3000 3 On the Advanced Setup tab configure an ACL rule a Select 3000 from the ACL list b Select the Rule ID box enter the rule ID 0 and select the action Deny c In the IP Address Filter area select the Destination IP Address box enter 10 0 0 1 in the field and enter 0 0 0 0 in the Destination Wildcard field d Click A...

Страница 388: ... rule configuration Configuring the 802 1X feature 1 Configure 802 1X globally a From the navigation tree select Authentication 802 1X b Select the Enable 802 1X box c Select the authentication method CHAP d Click Apply ...

Страница 389: ... click Add b Select GigabitEthernet1 0 1 from the Port list c Click Apply Figure 352 Configuring 802 1X for GigabitEthernet 1 0 1 Verifying the configuration After the user passes authentication and gets online use the ping command to test whether ACL 3000 takes effect 1 From the navigation tree select Network Diagnostic Tools ...

Страница 390: ...377 The ping page appears 2 Enter the destination IP address 10 0 0 1 3 Click Start to start the ping operation Figure 353 shows the ping operation summary Figure 353 Ping operation summary ...

Страница 391: ...t only provides the information required for charging but also allows for network security surveillance AAA can be implemented through multiple protocols The switch series supports RADIUS the most commonly used protocol in practice For more information about RADIUS see Configuring RADIUS AAA usually uses a client server model The client runs on the network access server NAS and the server maintain...

Страница 392: ...n for login users to enhance security With this function configured the NAS has every single command entered by a login user verified by the authorization server to restrict the user to execute only authorized commands Recommended AAA configuration procedure Before configuring AAA complete the following tasks To implement local authentication configure local users on the access device as described...

Страница 393: ...sers By default all types of users use local accounting Configuring an ISP domain 1 Select Authentication AAA from the navigation tree The Domain Setup page appears Figure 356 Domain Setup page 2 Create an ISP domain as described in Table 106 3 Click Apply Table 106 Configuration items Item Description Domain Name Enter the ISP domain name which is for identifying the domain You can enter a new do...

Страница 394: ...ecomes a non default domain Configuring authentication methods for the ISP domain 1 Select Authentication AAA from the navigation tree 2 Click the Authentication tab Figure 357 Authentication method configuration page 3 Select the ISP domain and specify authentication methods for the domain as described in Table 107 4 Click Apply 5 Click Close in the success message dialog box that appears Table 1...

Страница 395: ...al Performs local authentication None All users are trusted and no authentication is performed Generally do not use this mode RADIUS Performs RADIUS authentication You must specify the RADIUS scheme to be used Not Set Uses the default authentication methods Login AuthN Name Secondary Method Configure the authentication method and secondary authentication method for login users Options include HWTA...

Страница 396: ...rms authorization based on an HWTACACS scheme The switch series does not support this option Local Performs local authorization None All users are trusted and authorized A user gets the default rights of the system RADIUS Performs RADIUS authorization You must specify the RADIUS scheme to be used Not Set Restores the default local authorization LAN access AuthZ Name Secondary Method Configure the ...

Страница 397: ...IUS authorization You must specify the RADIUS scheme to be used Not Set Uses the default authorization methods Configuring accounting methods for the ISP domain 1 Select Authentication AAA from the navigation tree 2 Click the Accounting tab Figure 359 Accounting method configuration page 3 Select the ISP domain and specify accounting methods for the ISP domain as described in Table 109 4 Click App...

Страница 398: ...US scheme to be used Not Set Restores the default local accounting LAN access Accounting Name Secondary Method Configure the accounting method and secondary accounting method for LAN access users Options include Local Performs local accounting None No accounting is performed RADIUS Performs RADIUS accounting You must specify the RADIUS scheme to be used Not Set Uses the default accounting methods ...

Страница 399: ...Users from the navigation tree b Click the Create tab c Enter the username telnet d Select the access level Management e Enter the password abcd and confirm the password f Select the password encryption method Irreversible g Select the service type Telnet h Click Apply Figure 361 Configuring a local user 4 Configure ISP domain test a Select Authentication AAA from the navigation tree The domain co...

Страница 400: ...igation tree b Click the Authentication tab c Select the domain test d Select Login AuthN and select the authentication method Local Figure 363 Configuring the ISP domain to use local authentication e Click Apply A configuration progress dialog box appears as shown in Figure 364 f After the configuration process is complete click Close ...

Страница 401: ...d Local e Click Apply A configuration progress dialog box appears f After the configuration progress is complete click Close Figure 365 Configuring the ISP domain to use local authorization 7 Configure the ISP domain to use local accounting a Select Authentication AAA from the navigation tree b Click the Accounting tab c Select the domain test d Select Login Accounting and select the accounting me...

Страница 402: ...s is complete click Close Figure 366 Configuring the ISP domain to use local accounting Verifying the configuration Telnet to the switch and enter the username telnet test and password abcd You should be serviced as a user in domain test ...

Страница 403: ...ample present advertisements and deliver community and personalized services In this way broadband network providers equipment vendors and content service providers form an industrial ecological system Extended portal functions By forcing patching and anti virus policies extended portal functions help users to defend against viruses Portal authentication supports the following extended functions S...

Страница 404: ...passed identity authentication and security check to access granted Internet resources Portal server A portal server listens to authentication requests from authentication clients and exchanges client authentication information with the access device It provides free portal services and pushes Web authentication pages to users A portal server can be an entity independent of the access device or an...

Страница 405: ...erver for security check If the client passes security check the security policy server authorizes the user to access the Internet resources NOTE To implement security check use the HP iNode client Portal authentication supports NAT traversal whether it is initiated by a Web client or an HP iNode client When the portal authentication client is on a private network but the portal server is on a pub...

Страница 406: ...r 3 interfaces that connect authentication clients Portal authentication performed on a Layer 3 interface can be direct authentication or cross subnet authentication In direct authentication no Layer 3 forwarding devices exist between the authentication client and the access device In cross subnet authentication Layer 3 forwarding devices may exist between the authentication client and the access ...

Страница 407: ...rtal client Only Layer 3 portal authentication that uses a remote portal server supports EAP authentication Layer 2 portal authentication process Figure 370 Local Layer 2 portal authentication process The process of local Layer 2 portal authentication is as follows 1 The portal authentication client sends an HTTP or HTTPS request Upon receiving the HTTP request the access device redirects it to th...

Страница 408: ... portal server if it is destined for other websites The portal server provides a Web page for the user to enter the username and password 2 The portal server and the access device exchange Challenge Handshake Authentication Protocol CHAP messages For Password Authentication Protocol PAP authentication this step is skipped 3 The portal server assembles the username and password into an authenticati...

Страница 409: ...ed to the local portal server which then pushes a Web authentication page for the user to enter the username and password The listening IP address of the local portal server is the IP address of a Layer 3 interface on the access device that can communicate with the portal authentication client 2 The access device and the RADIUS server exchange RADIUS packets to authenticate the user 3 If the user ...

Страница 410: ...t that the EAP request types vary with the EAP authentication phases 7 After the authentication client passes the EAP authentication the RADIUS server sends an authentication reply to the access device This reply carries the EAP Success message in the EAP Message attribute 8 The access device sends an authentication reply to the portal server This reply carries the EAP Success message in the EAP M...

Страница 411: ...uthentication Optional Configure Web proxy server ports an auto redirection URL the time that the device must wait before redirecting an authenticated user to the auto redirection URL and the portal user moving function 3 Configuring a portal free rule Optional Configure a portal free rule specifying the source and destination information for packet filtering A portal free rule allows specified us...

Страница 412: ...ied external websites without portal authentication Packets matching a portal free rule will not trigger portal authentication and the users can directly access the specified external websites By default no portal free policy is configured Configuring the Layer 2 portal service 1 Select Authentication Portal from the navigation tree The portal server configuration page appears Figure 374 Portal se...

Страница 413: ...guration items Item Description Interface Select the Layer 2 interface to be enabled with portal authentication Authentication Domain Specify the authentication domain for Layer 2 portal users After you specify an authentication domain on a Layer 2 interface the device uses the authentication domain for authentication authorization and accounting AAA of the portal users on the interface ignoring t...

Страница 414: ...thentication page access failures caused by interface failures A loopback interface does not forward the received packets to any network avoiding impact on system performance when there are many network access requests Protocol Select the protocol to be used for communication between the portal client and local portal server Available protocols are HTTP and HTTPS PKI Domain Specify the PKI domain ...

Страница 415: ... server and apply the portal server to the Layer 3 interface For configuration details see Table 1 12 Enable Local Server If you select this option from the drop down list the local portal service configuration area see Figure 378 will be displayed at the lower part of the page You can configure the parameters for the Layer 3 local portal service For configuration details see Table 1 13 Method Spe...

Страница 416: ...omain for authentication authorization and accounting AAA of the portal users on the interface ignoring the domain names carried in the usernames You can specify different authentication domains for different interfaces as needed The available authentication domains are those specified on the page you enter by selecting Authentication AAA from the navigation tree For more information see Configuri...

Страница 417: ...le when you select HTTPS The available PKI domains are those specified on the page you enter by selecting Authentication PKI from the navigation tree For more information see Configuring PKI IMPORTANT The service management and portal authentication modules always reference the same PKI domain Changing the referenced PKI domain in either module also changes that referenced in the other module Conf...

Страница 418: ... Wait Time Set the time that the device must wait before redirecting an authenticated portal user to the auto redirection URL Enable Support for Portal User Moving Specify whether to enable support for portal user moving In scenarios where there are hubs Layer 2 switches or APs between users and the access devices if an authenticated user moves from an access port to another Layer 2 portal authent...

Страница 419: ...e for adding a new portal free rule appears Figure 381 Adding a portal free rule 4 Configure a portal free rule as described in Table 115 5 Click Apply Table 115 Configuration items Item Description Number Specify a sequence number for the portal free rule Source interface Specify a source interface for the portal free rule Source IP address Specify a source IP address and mask for the portal free...

Страница 420: ...ress and mask of the portal free rule Mask Portal authentication configuration examples Configuring Layer 2 portal authentication Network requirements As shown in Figure 382 a host is directly connected to a switch The switch performs Layer 2 portal authentication for users connected to port GigabitEthernet 1 0 1 Configure the switch to perform the following functions Uses IMC as the remote RADIUS...

Страница 421: ... Add Ethernet ports to VLANs and assign IP addresses to the VLAN interfaces Details not shown 2 Configure the RADIUS authentication server a Select Authentication RADIUS from the navigation tree The RADIUS server configuration page appears as shown in Figure 383 b Select Authentication Server as the server type enter the IP address 1 1 1 2 and port number 1812 select active from the Primary Server...

Страница 422: ... b Select extended as the server type c Select the Authentication Server Shared Key box enter the key expert and then enter the key again in the Confirm Authentication Shared Key field d Select the Accounting Server Shared Key box enter the key expert and then enter the key again in the Confirm Accounting Shared Key field e Select without domain as the username format f Click Apply ...

Страница 423: ...85 Configuring the RADIUS scheme 5 Configure AAA a Select Authentication AAA from the navigation tree b On the Domain Setup tab enter the domain name test select Enable for the Default Domain field and click Apply ...

Страница 424: ... select RADIUS from the Default AuthN list select system from the Name list to use it as the authentication scheme and click Apply A configuration progress dialog box appears as shown in Figure 388 d After the configuration process is complete click Close Figure 387 Configuring the authentication method for the ISP domain ...

Страница 425: ...tion progress dialog box appears f After the configuration process is complete click Close Figure 389 Configuring the authorization method for the ISP domain g On the Accounting tab select ISP domain test select the Default Accounting box select RADIUS from Default Accounting list select system from the Name list to use it as the accounting scheme and click Apply The configuration progress dialog ...

Страница 426: ...d for the ISP domain 6 Configure DHCP relay a Select Network DHCP from the navigation tree b Click the DHCP Relay tab c Select Enable for the DHCP Service field d Click Apply Figure 391 Enabling the DHCP service e In the Server Group area click Add ...

Страница 427: ...e for DHCP Relay and select 1 for Server Group ID i Click Apply Figure 393 Configuring VLAN interface 8 to work in the DHCP relay mode 7 Configure Layer 2 portal authentication a Select Authentication Portal from the navigation tree The Portal Server tab appears b In the Portal Application Layer 2 Interfaces area click Add c On the page that appears select interface GigabitEthernet1 0 1 enter the ...

Страница 428: ... correct username and password to pass portal authentication and can access Internet resources Configuring direct portal authentication Network requirements As shown in Figure 395 the host is assigned a public network IP address either manually or through DHCP Configure the switch to perform direct portal authentication for users on the host Before passing portal authentication users can access on...

Страница 429: ...re 395 and make sure they can reach each other Make sure the RADIUS server is correctly configured to provide authentication and accounting functions Configuring the switch 1 Configure the RADIUS authentication server a Select Authentication RADIUS from the navigation tree The RADIUS server configuration page appears as shown in Figure 396 b Select Authentication Server as the server type enter th...

Страница 430: ... scheme system for exchanges between the device and the RADIUS servers a Click the RADIUS Setup tab b Select extended as the server type c Select the Authentication Server Shared Key box enter the key expert and then enter the key again in the Confirm Authentication Shared Key field d Select the Accounting Server Shared Key box enter the key expert and then enter the key again in the Confirm Accou...

Страница 431: ...98 Configuring the RADIUS scheme 4 Configure AAA a Select Authentication AAA from the navigation tree b On the Domain Setup tab enter the domain name test select Enable for the Default Domain field and click Apply ...

Страница 432: ... progress dialog box appears d After the configuration process is complete click Close Figure 400 Configuring the authentication method for the ISP domain e On the Authorization tab select the ISP domain test select the Default AuthZ box select RADIUS from the Default AuthZ list select system from the Name list to use it as the authorization scheme and click Apply A configuration progress dialog b...

Страница 433: ...unting method for the ISP domain 5 Configure Layer 3 portal authentication a From the navigation tree select Authentication Portal The portal server configuration page appears b In the Portal Application Layer 3 Interfaces area click Add c On the page that appears select the interface Vlan interface100 select Add for Portal Server to add a portal server select the Direct portal authentication mode...

Страница 434: ...rtal authentication the host can access only the portal server After passing portal authentication the host can access Internet resources Use the IMC server as the RADIUS server for user authentication authorization and accounting Figure 404 Network diagram Switch A Host Vlan int4 20 20 20 1 24 Portal server 192 168 0 111 24 RADIUS server 192 168 0 112 24 Vlan int2 192 168 0 100 24 Switch B Vlan i...

Страница 435: ...on and accounting functions for users Configuring Switch A 1 Configure the RADIUS authentication server a Select Authentication RADIUS from the navigation tree The RADIUS server configuration page appears as shown in Figure 405 b Select Authentication Server as the server type enter the IP address 192 168 0 112 and port number 1812 select active from the Primary Server Status list and click Apply ...

Страница 436: ...ect extended as the server type c Select the Authentication Server Shared Key box enter the key expert and then enter the key again in the Confirm Authentication Shared Key field d Select the Accounting Server Shared Key box enter the key expert and then enter the key again in the Confirm Accounting Shared Key field e Select without domain as the username format f Click Apply ...

Страница 437: ...07 Configuring the RADIUS scheme 4 Configure AAA a Select Authentication AAA from the navigation tree b On the Domain Setup tab enter the domain name test select Enable for the Default Domain field and click Apply ...

Страница 438: ... progress dialog box appears d After the configuration process is complete click Close Figure 409 Configuring the authentication method for the ISP domain e On the Authorization tab select the ISP domain test select the Default AuthZ box select RADIUS from the Default AuthZ list select system from the Name list to use it as the authorization scheme and click Apply A configuration progress dialog b...

Страница 439: ...ounting method for the ISP domain 5 Configure Layer 3 portal authentication a Select Authentication Portal from the navigation tree The portal server configuration page appears b In the Portal Application Layer 3 Interfaces area click Add c On the page that appears select the interface Vlan interface4 select Add for Portal Server to add a portal server select the Layer3 portal authentication mode ...

Страница 440: ...427 Figure 412 Applying the portal server to a Layer 3 interface Configuring Switch B Configure a default route to subnet 192 168 0 0 24 with the next hop as 20 20 20 1 Details not shown ...

Страница 441: ...s accounting function collects and records network resource usage information Client Server model The RADIUS client runs on the NASs located throughout the network It passes user information to RADIUS servers and acts on the responses to for example reject or accept user access requests The RADIUS server runs on the computer or workstation at the network center and maintains information related to...

Страница 442: ...exchange process RADIUS operates in the following manner 1 The host initiates a connection request that carries the user s username and password to the RADIUS client 2 Having received the username and password the RADIUS client sends an authentication request Access Request to the RADIUS server with the user password encrypted by using the MD5 algorithm and the shared key 3 The RADIUS server authe...

Страница 443: ...ype carries user information for the server to authenticate the user It must contain the User Name attribute and can optionally contain the attributes of NAS IP Address User Password and NAS Port 2 Access Accept From the server to the client If all the attribute values carried in the Access Request are acceptable the authentication succeeds and the server sends an Access Accept response 3 Access R...

Страница 444: ...s each with three sub fields Type 1 byte long Type of the attribute It is in the range of 1 to 255 Commonly used RADIUS attributes are defined in RFC 2865 RFC 2866 RFC 2867 and RFC 2868 Table 1 17 shows a list of the attributes Length 1 byte long Length of the attribute in bytes including the Type Length and Value sub fields Value Up to 253 bytes Value of the attribute Its format and content depen...

Страница 445: ...Network 85 Acct Interim Interval 39 Framed AppleTalk Zone 86 Acct Tunnel Packets Lost 40 Acct Status Type 87 NAS Port Id 41 Acct Delay Time 88 Framed Pool 42 Acct Input Octets 89 unassigned 43 Acct Output Octets 90 Tunnel Client Auth id 44 Acct Session Id 91 Tunnel Server Auth id Extended RADIUS attributes The RADIUS protocol features excellent extensibility Attribute 26 Vendor Specific an attribu...

Страница 446: ...matically creates the scheme when you select Authentication RADIUS to enter the RADIUS module Step Remarks 1 Configuring RADIUS authentication servers Required Configure the primary and secondary RADIUS authentication servers By default no RADIUS authentication server is configured For more information about the configuration procedure see Configuring RADIUS servers 2 Configuring RADIUS accounting...

Страница 447: ...ed the field displays 0 0 0 0 To remove the previously configured primary server enter 0 0 0 0 The specified IP address of the primary server cannot be the same as that of the secondary server Primary Server UDP Port Specify the UDP port of the primary server If the IP address of the primary server is not specified or the specified IP address is to be removed the port number is 1812 for authentica...

Страница 448: ...dress of the secondary server is not specified or the specified IP address is to be removed the port number is 1812 for authentication or 1813 for accounting Secondary Server Status Status of the secondary server including Active The server is correctly operating Blocked The server is down If the IP address of the secondary server is not specified or the specified IP address is to be removed the s...

Страница 449: ... proprietary RADIUS protocol and packet format Standard Specifies a standard RADIUS server The RADIUS client and RADIUS server communicate using the standard RADIUS protocol and packet format defined in RFC 2138 2139 or later Authentication Server Shared Key Confirm Authentication Shared Key Specify and confirm the shared key for the authentication server These two parameters must have the same va...

Страница 450: ...e value if the number of users is equal to or larger than 1000 Table 120 shows the relationship between the interval value and the number of users Realtime Accounting Packet Retransmission Times Set the maximum number of real time accounting request retransmission times Stop Accounting Buffer Enable or disable buffering stop accounting requests without responses in the switch Stop Accounting Packe...

Страница 451: ... and uses the default authentication port default accounting port and the shared key expert for packet exchange with the switch Configure the switch to implements RADIUS authentication and online time accounting for Telnet users and to remove the domain name of a username before sending it to the RADIUS server Figure 419 Network diagram Configuration procedure 1 Enable the Telnet server function a...

Страница 452: ...ion server Configure the RADIUS accounting server a Select Authentication RADIUS from the navigation tree The RADIUS server configuration page appears b Configure the following parameters as shown in Figure 421 Select Accounting Server as the server type Enter 10 110 91 146 as the IP address of the primary accounting server Enter 1813 as the UDP port of the primary accounting server Select active ...

Страница 453: ...ey box and enter expert Enter expert in the Confirm Authentication Shared Key field Select the Accounting Server Shared Key box and enter expert Enter expert in the Confirm Accounting Shared Key field Select without domain for Username Format c Click Apply Figure 422 Configuring RADIUS communication parameters 4 Configure AAA Create an ISP domain a Select Authentication AAA from the navigation tre...

Страница 454: ...ab b Configure the following parameters as shown in Figure 424 Select the domain name test Select the Default AuthN box and then select RADIUS as the authentication mode Select system from the Name list to use it as the authentication scheme c Click Apply A configuration progress dialog box appears as shown in Figure 425 d After the configuration process is complete click Close Figure 424 Configur...

Страница 455: ...list to use it as the authorization scheme c Click Apply A configuration progress dialog box appears d After the configuration process is complete click Close Figure 426 Configuring the authorization method for the ISP domain Configure the accounting method for the ISP domain a Select Authentication AAA from the navigation tree and then click the Accounting tab b Configure the following parameters...

Страница 456: ...y server and secondary server are in the same state the switch communicates with the primary server If both the primary server and secondary server are in active state the switch communicates with the primary server When the primary server becomes unreachable the switch sets the server s status to block and turns to the secondary server for communication When the quiet timer expires the switch cha...

Страница 457: ...primary server s status to active To use the secondary server for communication you need to manually change the status of the secondary server to active otherwise no primary secondary server switchover will take place ...

Страница 458: ...f a group of local users and has a set of local user attributes You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group All local users in a user group inherit the user attributes of the group but if you configure user attributes for a local user the settings of the local user take precedence over the settings...

Страница 459: ... type Select the service types for the local user to use FTP Telnet Portal LAN Access SSH or WEB The LAN Access service primarily represents Ethernet users such as 802 1X users The switch series does not support PPP IMPORTANT If you do not specify any service type for a user who uses local authentication the user cannot pass authentication Expire time Specify an expiration time for the local user ...

Страница 460: ...tion This option takes effect on only LAN and portal users User profile User profile for the local user The switch series does not support this option Configuring a user group 1 Select Authentication Users from the navigation tree 2 Click the User Group tab to display the existing user groups Figure 430 User group list 3 Click Add The page for configuring a user group appears Figure 431 User group...

Страница 461: ...figure or Management in ascending order of priority VLAN Specify the VLAN to be authorized to users of the user group after the users pass authentication ACL Specify the ACL to be used by the NAS to control the access of users of the user group after the users pass authentication User profile User profile for the user group The switch series does not support this option ...

Страница 462: ...te is a digital certificate signed by a CA for an entity A CA certificate also known as a root certificate is signed by the CA for itself CRL An existing certificate might need to be revoked when for example the user name changes the private key leaks or the user stops the business Revoking a certificate will remove the binding of the public key with the user identity information In PKI the revoca...

Страница 463: ...ficates keys CRLs and logs and it provides a simple query function LDAP is a protocol for accessing and managing PKI information An LDAP server stores user information and digital certificates from the RA server and provides directory navigation service From an LDAP server an entity can retrieve digital certificates of its own and other entities PKI applications The PKI technology can meet the sec...

Страница 464: ...ce supports the following PKI certificate request modes Manual In manual mode you need to retrieve a CA certificate generate a local RSA key pair and submit a local certificate request for an entity Auto In auto mode an entity automatically requests a certificate through the Simple Certification Enrollment Protocol SCEP when it has no local certificate or the present certificate is about to expire...

Страница 465: ...ecurity domain for improved query efficiency and reduced query count Prepare for certificate verification IMPORTANT If a local CA certificate already exists you cannot perform the CA certificate retrieval operation This will avoid possible mismatch between certificates and registration information resulting from relevant changes To retrieve the CA certificate you need to remove the CA certificate ...

Страница 466: ...settings of an entity must be compliant to the CA certificate issue policy Otherwise the certificate request might be rejected 2 Creating a PKI domain Required Create a PKI domain setting the certificate request mode to Auto Before requesting a PKI certificate an entity needs to be configured with some enrollment information which is referred to as a PKI domain A PKI domain is intended only for co...

Страница 467: ...ter the common name for the entity IP Address Enter the IP address of the entity FQDN Enter the fully qualified domain name FQDN for the entity An FQDN is a unique identifier of an entity on the network It consists of a host name and a domain name and can be resolved to an IP address For example www whatever com is an FQDN where www indicates the host name and whatever com the domain name Country ...

Страница 468: ...anization Enter the organization name for the entity Organization Unit Enter the unit name for the entity Creating a PKI domain 1 Select Authentication PKI from the navigation tree 2 Click the Domain tab Figure 435 PKI domain list 3 Click Add 4 Click Advanced Configuration to display the advanced configuration items ...

Страница 469: ...f the trusted CA An entity requests a certificate from a trusted CA The trusted CA takes the responsibility of certificate registration distribution and revocation and query In offline mode this item is optional In other modes this item is required Entity Name Select the local PKI entity When submitting a certificate request to a CA an entity needs to show its identity information Available PKI en...

Страница 470: ...e root certificate does not match the one configured for the PKI domain the entity will reject the root certificate If you specify MD5 as the hash algorithm enter an MD5 fingerprint The fingerprint must a string of 32 characters in hexadecimal notation If you specify SHA1 as the hash algorithm enter an SHA1 fingerprint The fingerprint must a string of 40 characters in hexadecimal notation IMPORTAN...

Страница 471: ... acquire the CA certificate and a local certificate and then acquire a CRL through SCEP Creating an RSA key pair 1 Select Authentication PKI from the navigation tree 2 Click the Certificate tab Figure 437 Certificate configuration page 3 Click Create Key 4 Set the key length 5 Click Apply Figure 438 Key pair parameter configuration page ...

Страница 472: ...you must retrieve a certificate by an out of band means like FTP disk email and then import it into the local PKI system By default the retrieved certificate is saved in a file under the root directory of the device and the filename is domain name_ca cer for the CA certificate or domain name_local cer for the local certificate To retrieve a certificate 1 Select Authentication PKI from the navigati...

Страница 473: ... From Device and then specify the path and name of the file on the device If no file is specified the system by default gets the file domain name_ca cer for the CA certificate or domain name_local cer for the local certificate under the root directory of the device If the certificate file is saved on a local PC select Get File From PC and then specify the path and name of the file and specify the ...

Страница 474: ...gure 441 Certificate information Requesting a local certificate 1 Select Authentication PKI from the navigation tree 2 Click the Certificate tab 3 Click Request Cert Figure 442 Local certificate request page ...

Страница 475: ...gives a prompt that certificate request has been submitted In this case click OK to finish the operation If you select the offline mode the offline certificate request information page appears In this case you must submit the information by an out of band way to the CA to request a local certificate Figure 443 Offline certificate request information page Retrieving and displaying a CRL 1 Select Au...

Страница 476: ... Authority Key Identifier Identifier of the CA that issued the certificate and the certificate version X509v3 keyid Pubic key identifier A CA might have multiple key pairs and this field identifies which key pair is used for the CRL signature No Revoked Certificates No certificates are revoked Revoked Certificates Information about the revoked certificates Serial Number Serial number of the revoke...

Страница 477: ...tes After configuring the basic attributes you need to perform configuration on the Jurisdiction Configuration page of the CA server This includes selecting the proper extension profiles enabling the SCEP autovetting function and adding the IP address list for SCEP autovetting 3 Configure the CRL publishing behavior After completing the configuration you need to perform CRL related configurations ...

Страница 478: ...or certificate request the URL must be in the format of http host port Issuing Jurisdiction ID where Issuing Jurisdiction ID is the hexadecimal string generated on the CA and select Manual as the certificate request mode d Click the collapse button before Advanced Configuration e In the advanced configuration area click the Enable CRL Checking box and enter http 4 4 4 133 447 myca crl as the CRL U...

Страница 479: ...b Click Create Key c Enter 1024 as the key length and click Apply to generate an RSA key pair Figure 449 Generating an RSA key pair 4 Retrieve the CA certificate a Click the Certificate tab b Click Retrieve Cert c Select torsa as the PKI domain select CA as the certificate type and click Apply ...

Страница 480: ...as the PKI domain select Password and enter challenge word as the password d Click Apply The system displays Certificate request has been submitted e Click OK to finish the operation Figure 451 Requesting a local certificate 6 Retrieve the CRL a Click the CRL tab b Click Retrieve CRL of the PKI domain of torsa Figure 452 Retrieving the CRL ...

Страница 481: ...e validity period of certificates will be abnormal The Windows 2000 CA server has some restrictions on the data length of a certificate request If the PKI entity identity information in a certificate request goes beyond a certain limit the server will not respond to the certificate request The SCEP plug in is required when you use the Windows Server as the CA In this case you need to specify RA as...

Страница 482: ...age Figure 453 Authorized IP configuration page 3 Configure authorized IP as described in Table 128 4 Click Apply Table 128 Configuration items Item Description Telnet IPv4 ACL Associate the Telnet service with an IPv4 ACL You can configure the IPv4 ACL to be selected by selecting QoS ACL IPv4 IPv6 ACL Associate the Telnet service with an IPv6 ACL You can configure the IPv6 ACL to be selected by s...

Страница 483: ...net and HTTP requests from Host B Figure 454 Network diagram Configuration procedure 1 Create an ACL a Select QoS ACL IPv4 from the navigation tree b Click the Create tab c Enter 2001 for ACL Number d Click Apply Figure 455 Creating an ACL 2 Configure an ACL rule to permit Host B a Click the Basic Setup tab The page for configuring an ACL rule appears ...

Страница 484: ... field c Click Add Figure 456 Configuring an ACL rule to permit Host B 3 Configure authorized IP a Select Security Authorized IP from the navigation tree b Click the Setup tab The authorized IP configuration page appears c Select 2001 for IPv4 ACL in the Telnet field and select 2001 for IPv4 ACL in the Web HTTP field d Click Apply Figure 457 Configuring authorized IP ...

Страница 485: ...ither remove the isolation group nor create other isolation groups on the switches There is no restriction on the number of ports assigned to the isolation group Layer 2 traffic is isolated between ports from different VLANs Within the same VLAN Layer 2 data transmission between ports within and outside the isolation group is supported Configuring the isolation group 1 Select Security Port Isolate...

Страница 486: ...work requirements As shown in Figure 459 Campus network users Host A Host B and Host C are connected to GigabitEthernet 1 0 2 GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 of Switch Switch is connected to the external network through GigabitEthernet 1 0 1 GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 belong to the same VLAN Configure Host A Host B an...

Страница 487: ... group a Click Apply A configuration progress dialog box appears b After the configuration process is complete click Close Viewing information about the isolation group 1 Click Summary The page shown in Figure 461 appears 2 Display port isolation group 1 which contains isolated ports GigabitEthernet 1 0 2 GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 Figure 461 Displaying information about port ...

Страница 488: ...nation IPv6 address protocol number and other Layer 3 and Layer 4 header fields Ethernet frame header ACLs 4000 to 4999 N A Layer 2 header fields such as source and destination MAC addresses 802 1p priority and link layer protocol type Match order The rules in an ACL are sorted in certain order When a packet matches a rule the device stops the match process and performs the action defined in the r...

Страница 489: ...don t care bits If the do care bits in an IP address are identical to the do care bits in an IP address criterion the IP address matches the criterion All don t care bits are ignored The 0s and 1s in a wildcard mask can be noncontiguous For example 0 255 0 255 is a valid wildcard mask Rule numbering ACL rules can be manually numbered or automatically numbered This section describes how automatic A...

Страница 490: ...Ls Traditional packet filtering matches only first fragments of IPv4 packets and allows all subsequent non first fragments to pass through Attackers can fabricate non first fragments to attack networks To avoid the risks the HP ACL implementation does the follows Filters all fragments by default including non first fragments Allows for matching criteria modification for example filters non first f...

Страница 491: ...ended IPv6 ACL configuration procedure Step Remarks 1 Configuring a time range Optional Add a time range A rule referencing a time range takes effect only during the specified time range 2 Adding an IPv6 ACL Required Add an IPv6 ACL The category of the added IPv6 ACL depends on the ACL number that you specify 3 Configuring a rule for a basic IPv6 ACL Required Complete one of the tasks according to...

Страница 492: ...eriodic time range The end time must be greater than the start time Sun Mon Tue Wed Thu Fri and Sat Select the day or days of the week on which the periodic time range is valid You can select any combination of the days of the week Absolute Time Range From Set the start time and date of the absolute time range The time of the day is in the hh mm format 24 hour clock and the date is in the MM DD YY...

Страница 493: ...L Match Order Set the match order of the ACL Config Packets are compared against ACL rules in the order that the rules are configured Auto Packets are compared against ACL rules in the depth first match order Configuring a rule for a basic IPv4 ACL 1 Select QoS ACL IPv4 from the navigation tree 2 Click the Basic Setup tab The rule configuration page for a basic IPv4 ACL appears ...

Страница 494: ...perations modify the configuration of the rule Action Select the action to be performed for IPv4 packets matching the rule Permit Allows matched packets to pass Deny Drops matched packets Check Fragment Select this box to apply the rule to only non first fragments If you do no select this box the rule applies to all fragments and non fragments Check Logging Select this box to keep a log of matched...

Страница 495: ...nge Select the time range during which the rule takes effect Configuring a rule for an advanced IPv4 ACL 1 Select QoS ACL IPv4 from the navigation tree 2 Click the Advance Setup tab The rule configuration page for an advanced IPv4 ACL appears Figure 465 Configuring an advanced IPv4 ACL ...

Страница 496: ...stination address source destination port number and number of matched packets IP Address Filter Source IP Address Select the Source IP Address box and enter a source IPv4 address and a source wildcard mask in dotted decimal notation Source Wildcard Destination IP Address Select the Source IP Address box and enter a source IP address and a source wildcard mask in dotted decimal notation Destinatio...

Страница 497: ...e Other values The first port number field must be configured and the second must not Port Destination Operator Port Precedence Filter DSCP Specify the DSCP value IMPORTANT If you specify the ToS precedence or IP precedence when you specify the DSCP value the specified TOS or IP precedence does not take effect TOS Specify the ToS preference Precedence Specify the IP precedence Time Range Select th...

Страница 498: ...escription ACL Select the Ethernet frame header IPv4 ACL for which you want to configure rules Available ACLs are Ethernet frame header IPv4 ACLs Rule ID Select the Rule ID box and enter a number for the rule If you do not specify the rule number the system will assign one automatically NOTE If the rule number you specify already exists the following operations modify the configuration of the rule...

Страница 499: ...he LSAP Type box and specify the DSAP and SSAP fields in the LLC encapsulation by configuring the following items LSAP Type Frame encapsulation format LSAP Mask LSAP mask LSAP Mask Protocol Type Select the Protocol Type box and specify the link layer protocol type by configuring the following items Protocol Type Frame type It corresponds to the type code field of Ethernet_II and Ethernet_SNAP fram...

Страница 500: ...pared against ACL rules in the depth first match order Configuring a rule for a basic IPv6 ACL 1 Select QoS ACL IPv6 from the navigation tree 2 Click the Basic Setup tab The rule configuration page for a basic IPv6 ACL appears Figure 468 Configuring a rule for a basic IPv6 ACL 3 Add a rule for a basic IPv6 ACL 4 Click Add Table 137 Configuration items Item Description Select Access Control List AC...

Страница 501: ...ect this box to keep a log of matched IPv6 packets A log entry contains the ACL rule number operation for the matched packets protocol number source destination address source destination port number and number of matched packets Source IP Address Select the Source IP Address box and enter a source IPv6 address and prefix length The IPv6 address must be in a format like X X X X An IPv6 address con...

Страница 502: ... want to configure rules Rule ID Select the Rule ID box and enter a number for the rule If you do not specify the rule number the system will assign one automatically IMPORTANT If the rule number you specify already exists the following operations modify the configuration of the rule Operation Select the operation to be performed for IPv6 packets matching the rule Permit Allows matched packets to ...

Страница 503: ...d from its neighboring fields by colon Destination Prefix Protocol Select the protocol number If you select 58 ICMPv6 you can configure the ICMP message type and code if you select 6 TCP or 17 UDP you can configure the TCP or UDP specific items ICMPv6 Type Named ICMPv6 Type Specify the ICMPv6 message type and code These items are available only when you select 58 ICMPv6 from the Protocol list If y...

Страница 504: ...hnologies Besides traditional applications such as WWW email and FTP network users are experiencing new services such as tele education telemedicine video telephone videoconference and Video on Demand VoD Enterprise users expect to connect their regional branches together with VPN technologies to carry out operational applications for instance to access the database of the company or to monitor re...

Страница 505: ...hput and resource use efficiency Network resource memory in particular exhaustion and even system breakdown It is obvious that congestion hinders resource assignment for traffic and degrades service performance Congestion is unavoidable in switched networks and multi user application environments To improve the service performance of your network you must address the congestion issues Countermeasu...

Страница 506: ...of a port Congestion avoidance monitors the usage status of network resources and is usually applied in the outbound direction of a port As congestion becomes worse it actively reduces the amount of traffic by dropping packets Among these QoS technologies traffic classification is the basis for providing differentiated services Traffic policing traffic shaping congestion management and congestion ...

Страница 507: ...performed on packets when they flow out of the node queue scheduling is performed when congestion happens congestion avoidance measures are taken when the congestion deteriorates Packet precedences IP precedence and DSCP values Figure 472 ToS field and DS field As shown in Figure 472 the ToS field of the IP header contains 8 bits the first 3 bits 0 to 2 represent IP precedence from 0 to 7 the subs...

Страница 508: ...rity 802 1p priority lies in Layer 2 packet headers and applies to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2 Figure 473 An Ethernet frame with an 802 1Q tag header As shown in Figure 473 the 4 byte 802 1Q tag header consists of the tag protocol identifier TPID 2 bytes in length whose value is 0x8100 and the tag control information TCI 2 bytes in lengt...

Страница 509: ...m to send the traffic Each queuing algorithm handles a particular network traffic problem and has significant impacts on bandwidth resource assignment delay and jitter In this section two common hardware queue scheduling algorithms Strict Priority SP queuing and Weighted Round Robin WRR queuing are introduced SP queuing SP queuing is designed for mission critical applications which require prefere...

Страница 510: ...with the second highest priority and so on You can assign mission critical packets to the high priority queue to make sure that they are always served first and common service such as Email packets to the low priority queues to be transmitted when the high priority queues are empty The disadvantage of SP queuing is that packets in the lower priority queues cannot be transmitted if the higher prior...

Страница 511: ...plement SP WRR queue scheduling on a port by assigning some queues on the port to the SP scheduling group when you configure WRR Packets in the SP scheduling group are scheduled preferentially by SP When the SP scheduling group is empty the other queues are scheduled by WRR Traffic shaping Traffic shaping shapes the outbound traffic Generic traffic shaping GTS limits the outbound traffic rate by b...

Страница 512: ...Evaluate traffic with the token bucket The evaluation for the traffic specification is based on whether the number of tokens in the bucket can meet the need of packet forwarding If the number of tokens in the bucket is enough to forward the packets usually one token is associated with a 1 bit forwarding authority the traffic conforms to the specification and the traffic is called conforming traffi...

Страница 513: ...sical interface is controlled Figure 480 Rate limit implementation With a token bucket used for traffic control when the token bucket has tokens the bursty packets can be transmitted if no tokens are available packets cannot be transmitted until new tokens are generated in the token bucket In this way the traffic rate is restricted to the rate for generating tokens the traffic rate is limited and ...

Страница 514: ...ping process Introduction to priority mapping tables The device provides the following types of priority mapping tables CoS to DSCP 802 1p to DSCP mapping table CoS to Queue 802 1p to local mapping table DSCP to CoS DSCP to 802 1p mapping table which applies to only IP packets DSCP to DSCP DSCP to DSCP mapping table which applies to only IP packets DSCP to Queue DSCP to local mapping table which a...

Страница 515: ... A class is identified by a class name and contains some match criteria You can define a set of match criteria to classify packets The relationship between criteria can be and or or and The device considers a packet belongs to a class only when the packet matches all the criteria in the class or The device considers a packet belongs to a class as long as the packet matches one of the criteria in t...

Страница 516: ...ssociations for the policy Required Associate the traffic behavior with the class in the QoS policy A class can be associated with only one traffic behavior in a QoS policy Associating a class already associated with a traffic behavior will overwrite the old association 7 Applying a policy to a port Required Apply the QoS policy to a port Recommended queue scheduling configuration procedure Step R...

Страница 517: ...4 Click Create Table 145 Configuration items Item Description Classifier Name Specify a name for the classifier to be added Operator Specify the logical relationship between rules of the classifier and Specifies the relationship between the rules in a class as logic AND The device considers a packet belongs to a class only when the packet matches all the rules in the class or Specifies the relatio...

Страница 518: ... a class Figure 483 Configuring classification rules 3 Configure classification rules for a class as described in Table 146 4 Click Apply Table 146 Configuration items Item Description Please select a classifier Select an existing classifier from the list Any Define a rule to match all packets Select the box to match all packets ...

Страница 519: ...configure up to eight 802 1p priority values each time If multiple identical 802 1p priority values are specified the system considers them as one The relationship between different 802 1p priority values is OR After such configurations all the 802 1p priority values are arranged in ascending order automatically Customer 802 1p Define a rule to match the customer 802 1p priority values If multiple...

Страница 520: ...mer VLAN Define a rule to match customer VLAN IDs If multiple such rules are configured for a class the new configuration does not overwrite the previous one You can configure multiple VLAN IDs each time If the same VLAN ID is specified multiple times the system considers them as one The relationship between different VLAN IDs is logical OR You can specify VLAN IDs in either of the following ways ...

Страница 521: ... the port setup page for a traffic behavior Figure 485 Port setup page for a traffic behavior 3 Configure traffic redirecting as described in Table 148 4 Click Apply Table 148 Configuration items Item Description Please select a behavior Select an existing behavior in the list Redirect Set the action of redirecting traffic to the specified destination port Please select a port Specify the port to ...

Страница 522: ...2 Click Setup to enter the page for setting a traffic behavior Figure 486 Setting a traffic behavior 3 Configure other actions for a traffic behavior as described in Table 149 4 Click Apply Table 149 Configuration items Item Description Please select a behavior Select an existing behavior in the list ...

Страница 523: ...cal Precedence box and then select the local precedence value to be marked for packets in the following list Select Not Set to cancel the action of marking local precedence DSCP Configure the action of marking DSCP value for packets Select the DSCP box and then select the DSCP value to be marked for packets in the following list Select Not Set to cancel the action of marking DSCP value Filter Conf...

Страница 524: ...gure 488 Setting a policy 3 Configure a classifier behavior association for a policy as described in Table 151 4 Click Apply Table 151 Configuration items Item Description Please select a policy Select an existing policy in the list Classifier Name Select an existing classifier in the list Behavior Name Select an existing behavior in the list Applying a policy to a port 1 Select QoS Port Policy fr...

Страница 525: ...to be applied Inbound means to apply the policy to the incoming packets of the specified ports Please select port s Click to select ports to which the QoS policy is to be applied on the chassis front panel Configuring queue scheduling on a port 1 Select QoS Queue from the navigation tree 2 Click Setup to enter the queue scheduling configuration page Figure 490 Configuring queue scheduling 3 Config...

Страница 526: ... The following groups are available for selection SP Assigns a queue to the SP group 1 Assigns a queue to WRR group 1 2 Assigns a queue to WRR group 2 Weight Set a weight for the current queue This list is available when group 1 or group 2 is selected Please select port s Click to select ports to be configured with queuing on the chassis front panel Configuring GTS on a port 1 Select QoS GTS from ...

Страница 527: ... rate CBS Set the committed burst size CBS If the field is not set the switch automatically calculates an appropriate CBS value based on the CIR value 5 Click the Summary tab and select the configured port to view the GTS configuration result as shown in Figure 492 Figure 492 GTS configuration result Configuring rate limit on a port 1 Select QoS Line rate from the navigation tree 2 Click the Setup...

Страница 528: ...ion to which the rate limit is to be applied Inbound Limits the rate of packets received on the specified port Outbound Limits the rate of packets sent by the specified port CIR Set the committed information rate CIR the average traffic rate Please select port s Specify the ports to be configured with rate limit Click the ports to be configured with rate limit in the port list You can select one o...

Страница 529: ...to Queue DSCP to CoS DSCP to DSCP DSCP to Queue Input Priority Value Set the output priority value for an input priority value Output Priority Value Restore Click Restore to display the default settings of the current priority mapping table on the page To restore the priority mapping table to the default click Apply Configuring priority trust mode on a port 1 Select QoS Port Priority from the navi...

Страница 530: ...the port Trust Mode Select a priority trust mode for the port Untrust Packet priority is not trusted CoS 802 1p priority of the incoming packets is trusted and used for priority mapping DSCP DSCP value of the incoming packets is trusted and used for priority mapping Configuration guidelines If an ACL is referenced by a QoS policy for defining traffic classification rules packets matching the refer...

Страница 531: ...hosts from accessing the FTP server from 8 00 to 18 00 every day 2 Configure a QoS policy to drop the packets matching the ACL 3 Apply the QoS policy in the inbound direction of GigabitEthernet 1 0 1 Figure 497 Network diagram Configuring Switch 1 Define a time range to cover the time range from 8 00 to 18 00 every day a Select QoS Time Range from the navigation tree b Click the Create tab c Enter...

Страница 532: ...00 to 18 00 every day 2 Add an advanced IPv4 ACL a Select QoS ACL IPv4 from the navigation tree b Click the Create tab c Enter the ACL number 3000 d Click Apply Figure 499 Adding an advanced IPv4 ACL 3 Define an ACL rule for traffic to the FTP server ...

Страница 533: ...elect Permit from the Action list e Select the Destination IP Address box and enter IP address 10 1 1 1 and destination wildcard 0 0 0 0 f Select test time from the Time Range list g Click Add Figure 500 Defining an ACL rule for traffic to the FTP server 4 Add a class a Select QoS Classifier from the navigation tree ...

Страница 534: ...nter the class name class1 d Click Add Figure 501 Adding a class 5 Define classification rules a Click the Setup tab b Select the class name class1 from the list c Select the ACL IPv4 box and select ACL 3000 from the following list ...

Страница 535: ... 502 Defining classification rules d Click Apply A progress dialog box appears as shown in Figure 503 e Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds ...

Страница 536: ...r name behavior1 d Click Create Figure 504 Adding a traffic behavior 7 Configure actions for the traffic behavior a Click the Setup tab b Select behavior1 from the list c Select the Filter box and then select Deny from the following list d Click Apply A progress dialog box appears e Click Close when the progress dialog box prompts that the configuration succeeds ...

Страница 537: ...524 Figure 505 Configuring actions for the behavior 8 Add a policy a Select QoS QoS Policy from the navigation tree b Click the Add tab c Enter the policy name policy1 d Click Add ...

Страница 538: ... Behavior Name list e Click Apply Figure 507 Configuring classifier behavior associations for the policy 10 Apply the QoS policy in the inbound direction of interface GigabitEthernet 1 0 1 a Select QoS Port Policy from the navigation tree b Click the Setup tab c Select policy1 from the Please select a policy list d Select Inbound from the Direction list e Select port GigabitEthernet 1 0 1 f Click ...

Страница 539: ...onfiguration progress dialog box appears g Click Close when the progress dialog box prompts that the configuration succeeds Figure 508 Applying the QoS policy in the inbound direction of GigabitEthernet 1 0 1 ...

Страница 540: ...cable as shown in Figure 509 In this figure PI represents PoE Ethernet interfaces Figure 509 PoE system If a PD does not accept power over data pairs the switch cannot supply power to it Restrictions and prerequisites PoE is available only for PoE switches For non PoE switches PoE related fields and tabs are not available or configurable To configure PoE and make the PoE setting take effect make s...

Страница 541: ... for a PoE port if the PoE port will not result in PoE power overload otherwise you are not allowed to enable PoE for the PoE port By default PoE is disabled on a PoE port IMPORTANT PSE power overload When the sum of the power consumption of all ports exceeds the maximum power of PSE the system considers the PSE is overloaded Power Max Set the maximum power for the PoE port Maximum PoE port power ...

Страница 542: ...g to other PoE ports will have an opportunity of being powered By default the power priority of a PoE port is low IMPORTANT 19 watts guard band is reserved for each PoE port on the device to prevent a PD from being powered off because of a sudden increase of the PD power When the remaining power of the PSE is lower than 19 watts the port with a higher priority can preempt the power of the port wit...

Страница 543: ...ion tree to enter the Summary tab The upper part of the page displays the PSE summary 2 To view the configuration and power information click a port on the chassis front panel Figure 512 Summary tab with GigabitEthernet 1 0 1 selected PoE configuration example Network requirements As shown in Figure 513 GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 are connected to IP telephones GigabitEthernet ...

Страница 544: ...et 1 0 2 from the chassis front panel select Enable from the Power State list and select Critical from the Power Priority list d Click Apply Figure 514 Configuring the PoE ports supplying power to the IP telephones 2 Enable PoE on GigabitEthernet 1 0 3 and set the maximum power of the port to 9000 milliwatts a Click the Setup tab b On the tab click to select port GigabitEthernet 1 0 3 from the cha...

Страница 545: ...532 c Click Apply Figure 515 Configuring the PoE port supplying power to AP After the configuration takes effect the IP telephones and the AP are powered and can work correctly ...

Страница 546: ...ing you will receive email notification of product enhancements new driver versions firmware updates and other product resources Related information Documents To find related documents browse to the Manuals page of the HP Business Support Center website http www hp com support manuals For related documentation navigate to the Networking section and select a networking category For a complete list ...

Страница 547: ...eparated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI conventions Convention Description Boldface Window names button names field names and menu items are in bold text For example the New User window appears cl...

Страница 548: ... 2 features Represents an access controller a unified wired WLAN module or the switching engine on a unified wired WLAN switch Represents an access point Represents a security product such as a firewall a UTM or a load balancing or security card that is installed in a device Represents a security card such as a firewall card a load balancing card or a NetStream card Port numbering in examples The ...

Страница 549: ...tication with other features 356 VLAN assignment 356 802 x 802 1 LLDPDU TLV types 231 802 3 LLDPDU TLV types 231 A AAA configuration 378 385 ISP domain accounting methods configuration 384 ISP domain authentication methods configuration 381 ISP domain authorization methods configuration 382 ISP domain configuration 380 RADIUS implementation 428 438 absolute time range configuration ACL 478 access ...

Страница 550: ...heck 272 assigning 802 1X ACL 358 VLAN 802 1X 356 voice VLAN assignment mode 169 attribute AAA RADIUS extended attributes 432 local user and user group configuration 445 security 802 1X RADIUS EAP Message 350 security 802 1X RADIUS Message Authentication 350 authenticating AAA configuration 378 385 AAA ISP domain authentication methods configuration 381 local user and user group configuration 445 ...

Страница 551: ... port MST 201 basic ACL 475 basic management LLDPDU TLV types 231 bidirectional NMM port mirroring 86 blackhole entry MAC address table 186 boundary port MST 201 BPDU STP BPDU forwarding 197 bridge MST common root bridge 200 200 MST regional root 200 STP designated bridge 191 STP root bridge 190 buttons on webpage 18 C CA PKI local certificate request 461 security PKI architecture 449 security PKI...

Страница 552: ...2 component portal system 392 configuration guideline LLDP 262 static routing 314 configuration guidelines ACL 477 configuration wizard basic service setup 37 configuring 802 1X ACL assignment 369 802 1X Auth Fail VLAN 362 802 1X guest VLAN 362 AAA 378 385 AAA accounting methods for ISP domain 384 AAA authentication methods for ISP domain 381 AAA authorization methods for ISP domain 382 AAA ISP do...

Страница 553: ...mirroring group source ports 91 NMM RMON 105 1 17 NMM RMON alarm function 107 NMM RMON statistics function 107 NMM SNMP 123 PoE 527 530 PoE ports 527 port isolation 472 473 port link type 152 portal authentication 390 397 407 portal free rule 406 port based VLAN 148 PVID 153 RADIUS 428 438 RADIUS common parameter 435 RADIUS server 434 RSTP 190 security 802 1X 347 358 security 802 1X global 358 sec...

Страница 554: ...pair 459 detecting security ARP detection configuration 272 device access portal authentication 391 authentication accounting server portal authentication 391 basic settings configuration 56 CLI configuration 23 creating admin user on Web interface 7 deleting default username on Web interface 8 DHCP overview 316 DHCP relay agent configuration 327 idle timeout period configuration 56 LLDP basic con...

Страница 555: ...16 IP address lease extension 317 message format 318 Option 319 See also Option Option 121 319 Option 150 319 Option 3 Option 003 319 Option 33 Option 033 319 Option 51 Option 051 319 Option 53 Option 053 319 Option 55 Option 055 319 Option 6 Option 006 319 Option 60 Option 060 319 Option 66 Option 066 319 Option 67 Option 067 319 Option 82 relay agent Option 082 relay agent 319 options 319 option...

Страница 556: ... PKI domain configuration 455 voice VLAN configuration 168 done message IPv6 multicast MLD snooping 290 downloading Web file 74 dst mac validity check ARP 272 dynamic ARP table entry 265 DHCP address allocation 316 Ethernet link aggregation dynamic mode 220 Ethernet link aggregation mode 219 Ethernet link dynamic aggregation group configuration 221 IP multicast IGMP snooping dynamic port 275 IPv6 ...

Страница 557: ... ARP attack protection configuration 272 VLAN configuration 146 157 VLAN frame encapsulation 146 VLAN type 147 voice VLAN configuration 168 Ethernet frame header ACL category 475 configuration 484 Ethernet link aggregation aggregate interface 218 222 aggregation group 218 basic concepts 218 configuration 218 226 dynamic group configuration 221 dynamic mode 220 group configuration 221 group creatio...

Страница 558: ... creation 221 Ethernet link aggregation LACP 218 Ethernet link aggregation member port state 218 Ethernet link dynamic aggregation group configuration 221 Ethernet link static aggregation group configuration 221 NMM local port mirroring group monitor port 92 NMM local port mirroring group port 88 NMM local port mirroring group source port 91 NMM port mirroring group 86 NMM RMON 105 NMM RMON alarm ...

Страница 559: ...ntry removal 267 IPv6 service enable 315 security ARP attack protection configuration 272 traceroute 341 voice VLAN OUI address 168 IP routing configuration IPv4 301 configuration IPv6 301 displaying active route table IPv4 302 displaying active route table IPv6 304 routing table 301 static route 301 static route creation IPv4 303 static route creation IPv6 305 static routing configuration IPv4 30...

Страница 560: ...ts 390 IST MST region 200 K key Ethernet link aggregation operational key 218 L LACP configuration 218 226 Ethernet link aggregation 218 LACP enabled port Ethernet link aggregation 224 LAN VLAN configuration 146 157 Layer 2 Ethernet link aggregation and LACP configuration 218 Ethernet link aggregation group configuration 221 Ethernet link aggregation group creation 221 Ethernet link dynamic aggreg...

Страница 561: ...ration 251 LLDP configuration 230 251 management address TLV 234 receiving 235 235 TLV basic management types 231 TLV LLDP MED types 231 TLV organization specific types 231 transmitting 234 local security PKI digital certificate 449 local port mirroring adding local group 90 configuration 87 local group monitor port 92 local group port 88 local group source port 91 NMM 86 logging member device fro...

Страница 562: ...cket learning 265 IP multicast IGMP snooping leave 276 IPv6 multicast MLD snooping done 290 security ARP attack protection configuration 272 method 802 1X access control 347 MIB LLDP basic configuration 251 LLDP configuration 230 251 SNMP 123 mirroring port See port mirroring MLD snooping aging timer for dynamic port 288 basic concepts 287 configuration 287 configuring 296 configuring port functio...

Страница 563: ...MP snooping globally 278 enabling IGMP snooping in a VLAN 278 IGMP snooping configuration 274 IGMP snooping port function configuration 280 security 802 1X multicast trigger mode 351 multiport unicast entry MAC address table 186 N NAS AAA configuration 378 network ACL configuration advanced 482 488 ACL configuration basic 480 487 ACL configuration Ethernet frame header 484 ACL configuration IPv4 4...

Страница 564: ...5 security PKI entity configuration 453 security PKI operation 451 security policy server portal authentication 392 setting traffic statistics generating interval 102 specified operation parameter for all ports 80 stack global parameters configuration 43 STP algorithm calculation 192 STP designated bridge 191 STP designated port 191 STP path cost 191 STP root bridge 190 STP root port 191 VLAN type...

Страница 565: ...uration 139 static route creation IPv4 303 static route creation IPv6 305 static routing 301 static routing configuration IPv4 306 static routing configuration IPv6 310 static routing default route 302 STP configuration 190 switching to management level 96 syslog configuration 67 traceroute 341 upgrading software 58 user management 94 VLAN configuration 146 157 voice VLAN configuration 168 Web dev...

Страница 566: ...2 1X EAPOL format 349 security 802 1X format 349 security ARP packet validity check 272 STP BPDU protocol packets 190 STP TCN BPDU protocol packets 190 packet filtering ACL configuration 475 ACL configuration Ethernet frame header 484 parameter terminal 24 peer security PKI digital certificate 449 periodic time range configuration ACL 478 ping address reachability determination 341 342 342 343 sys...

Страница 567: ... See port isolation LLDP basic configuration 251 LLDP configuration 230 251 LLDP disable operating mode 234 LLDP enable 236 LLDP parameter setting for a single port 237 LLDP parameter setting for ports in batch 240 LLDP Rx operating mode 234 LLDP Tx operating mode 234 LLDP TxRx operating mode 234 LLDPDU reception 235 235 LLDPDU transmission 234 234 loopback test configuration 97 97 MAC address lea...

Страница 568: ...rnet link aggregation LACP 218 port LACP priority 224 procedure adding local user 94 adding NMM local port mirroring group 90 adding OUI address to OUI list 174 adding rules to SNMP view 128 authenticating with security 802 1X EAP relay 352 authenticating with security 802 1X EAP termination 354 backing up Web device configuration 71 configuring 802 1X ACL assignment 369 configuring 802 1X Auth Fa...

Страница 569: ...iguring NMM RMON statistics function 107 configuring PoE 530 configuring PoE ports 527 configuring port link type 152 configuring portal authentication 397 configuring portal free rule 406 configuring PVID for port 153 configuring RADIUS common parameters 435 configuring RADIUS server 434 configuring security 802 1X 358 configuring security 802 1X global 358 configuring security 802 1X port specif...

Страница 570: ...splaying stack topology summary 45 displaying syslogs 67 displaying system information 53 displaying system resource state 54 displaying Web file 74 downloading Web file 74 enabling DHCP 323 enabling DHCP relay agent on interface 325 enabling DHCP snooping 332 enabling IGMP snooping globally 278 enabling IGMP snooping in a VLAN 278 enabling IPv6 service 315 enabling LLDP globally 241 enabling LLDP...

Страница 571: ...153 PVID port based VLAN 148 Q QoS ACL configuration 475 ACL configuration Ethernet frame header 484 querying IGMP snooping general query 276 MLD snooping general query 289 R RA security PKI architecture 449 security PKI certificate 449 RADIUS AAA implementation 428 438 client server model 428 common parameter configuration 435 configuration 428 438 configuration guidelines 443 extended attributes...

Страница 572: ...ration IPv4 306 static routing configuration IPv6 310 static routing default route 302 router IGMP snooping router port 274 MLD snooping router port 287 routing ACL configuration 475 ACL configuration advanced 482 488 ACL configuration basic 480 487 ACL configuration Ethernet frame header 484 ACL configuration IPv4 479 ACL configuration IPv6 486 configuring IGMP snooping 282 configuring MLD snoopi...

Страница 573: ...I local certificate request 461 461 PKI operation 451 PKI terminology 449 policy server portal authentication 392 protocols and standards RADIUS 433 RADIUS configuration 428 438 RSA key pair creation 458 RSA key pair destruction 459 voice VLAN mode 170 seleting VLAN 154 server authentication accounting portal authentication 391 portal authentication 391 portal system components 390 security 802 1X...

Страница 574: ...eb configuration 45 stack topology summary displaying 45 state Ethernet link aggregation member port state 218 static ARP configuration 268 DHCP address allocation 316 Ethernet link aggregation mode 219 Ethernet link aggregation static mode 219 Ethernet link static aggregation group configuration 221 MAC address table entry 186 static ARP table entry 265 static routing configuration IPv4 306 confi...

Страница 575: ...n 23 configuration wizard 37 creating admin user on Web interface 7 deleting default username on Web interface 8 device idle timeout period configuration 56 device system name configuration 56 IPv6 management 315 ping 341 setting super password 95 switching to management level 96 traceroute 341 341 user management 94 Web common page features 18 Web device configuration backup 71 Web device configu...

Страница 576: ...TCN BPDU protocol packets 190 traceroute IP address retrieval 341 344 344 345 node failure detection 341 344 344 345 system maintenance 341 traffic ACL configuration 475 ACL configuration Ethernet frame header 484 NMM RMON configuration 105 transmitting LLDPDUs 234 type IP subnet VLAN 147 MAC address VLAN 147 policy VLAN 147 port type VLAN 147 protocol VLAN 147 U UDP AAA RADIUS packet format 430 R...

Страница 577: ...M local port mirroring group monitor port 92 NMM local port mirroring group port 88 NMM local port mirroring group source port 91 NMM port mirroring configuration 86 policy type VLAN 147 port isolation configuration 472 473 port link type 148 port type 147 port type VLAN 147 port based configuration 148 port based VLAN frame handling 148 protocol type VLAN 147 PVID 148 selection 154 voice VLAN ass...

Страница 578: ...shing configuration wizard 40 icons on webpage 18 interface 9 interface HTTP login 6 8 interface logout 8 IPv6 management 315 Layer 2 portal authentication configuration 407 local portal server 392 login restrictions and guidelines 2 management IP address configuration 38 modifying port 156 modifying VLAN 155 modifying VLAN interface 164 page display functions 19 portal authentication configuratio...

Отзывы:

Нет отзывов

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды