HP V1910 Скачать руководство пользователя | Manualshive

Страница: 395 / 483

background image

383

PKI configuration

PKI overview

The Public Key Infrastructure (PKI) is a hierarchical framework designed for providing information security

through public key technologies and digital certificates and verifying the identities of the digital certificate

owners.
PKI employs digital certificates, which are bindings of certificate owner identity information and public keys.
It allows users to obtain certificates, use certificates, and revoke certificates. By leveraging digital

certificates and relevant services like certificate distribution and blacklist publication, PKI supports

authenticating the entities involved in communication, and thus guaranteeing the confidentiality, integrity

and non-repudiation of data.

PKI terms

Digital certificate

A digital certificate is a file signed by a certificate authority (CA) that contains a public key and the related

user identity information. A simplest digital certificate contains a public key, an entity name, and a digital

signature from the CA. Generally, a digital certificate also includes the validity period of the key, the name

of the CA and the sequence number of the certificate. A digital certificate must comply with the international
standard of ITU-T_X.509. This document involves local certificate and CA certificate. A local certificate is a

digital certificate signed by a CA for an entity. A CA certificate, also known as a “root certificate”, is signed

by the CA for itself.

CRL

An existing certificate may need to be revoked when, for example, the user name changes, the private key

leaks, or the user stops the business. Revoking a certificate is to remove the binding of the public key with

the user identity information. In PKI, the revocation is made through certificate revocation lists (CRLs).
Whenever a certificate is revoked, the CA publishes one or more CRLs to show all certificates that have

been revoked. The CRLs contain the serial numbers of all revoked certificates and provide an effective way

for checking the validity of certificates.
A CA might publish multiple CRLs when the number of revoked certificates is so large that publishing them

in a single CRL might degrade network performance.

CA policy

A CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revoking

certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of certification practice

statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, and email.

As different CAs may use different methods to check the binding of a public key with an entity, make sure

that you understand the CA policy before selecting a trusted CA for certificate request.

Architecture of PKI

A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository, as shown in

a

.

«
...
393
394
395
396
397
...
»

Содержание V1910

Страница 1: ...1 HP V1910 Switch Series User Guide 5998 2238 Part number 5998 2238 Document version 2 ...

Страница 2: ...ARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing performance or use of this material The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services Nothing herein shou...

Страница 3: ...LI 20 CLI commands 21 initialize 21 ipsetup 21 password 22 ping 23 quit 23 reboot 24 summary 24 upgrade 25 Configuration example for upgrading the system software image at the CLI 26 Configuration wizard 28 Overview 28 Basic service setup 28 Entering the configuration wizard homepage 28 Configuring system parameters 28 Configuring management IP address 29 Finishing configuration wizard 31 IRF stac...

Страница 4: ...guration 56 Save configuration 57 Initialize 58 Device maintenance 59 Software upgrade 59 Device reboot 60 Electronic label 61 Diagnostic information 61 File management 63 File management configuration 63 Displaying file list 63 Downloading a file 64 Uploading a file 64 Removing a file 64 Port management configuration 65 Configuring a port 65 Setting operation parameters for a port 65 Viewing the ...

Страница 5: ...erval 91 Configuring storm constrain 92 RMON configuration 95 Working mechanism 95 RMON groups 96 Configuring RMON 97 Configuration task list 97 Configuring a statistics entry 99 Configuring a history entry 100 Configuring an event entry 101 Configuring an alarm entry 102 Displaying RMON statistics information 104 Displaying RMON history sampling information 106 Displaying RMON event logs 108 RMON...

Страница 6: ...OUI addresses 153 Voice VLAN assignment modes 153 Security mode and normal mode of voice VLANs 155 Configuring the voice VLAN 155 Configuration task list 155 Configuring voice VLAN globally 157 Configuring voice VLAN on a port 157 Adding OUI addresses to the OUI list 159 Voice VLAN configuration examples 160 Configuring voice VLAN on a port in automatic voice VLAN assignment mode 160 Configuring a...

Страница 7: ... 212 Link aggregation and LACP configuration example 214 Configuration guidelines 217 LLDP configuration 218 Background 218 Basic concepts 218 How LLDP works 222 Compatibility of LLDP with CDP 222 Protocols and standards 223 Configuring LLDP 223 LLDP configuration task list 223 Enabling LLDP on ports 224 Configuring LLDP settings on ports 225 Configuring global LLDP setup 229 Displaying LLDP infor...

Страница 8: ...ion 82 277 Protocols and standards 278 DHCP relay agent configuration 279 Introduction to DHCP relay agent 279 Application environment 279 Fundamentals 279 DHCP relay agent configuration task list 280 Enabling DHCP and configuring advanced parameters for the DHCP relay agent 281 Creating a DHCP server group 282 Enabling the DHCP relay agent on an interface 283 Configuring and displaying clients IP...

Страница 9: ...20 Controlled uncontrolled port and port authorization status 320 802 1X related protocols 321 Packet formats 321 EAP over RADIUS 323 Initiating 802 1X authentication 323 802 1X client as the initiator 323 Access device as the initiator 323 802 1X authentication procedures 324 A comparison of EAP relay and EAP termination 324 EAP relay 325 EAP termination 327 802 1X configuration 328 HP implementa...

Страница 10: ...ing RADIUS servers 369 Configuring RADIUS parameters 370 RADIUS configuration example 373 Configuration guidelines 378 Users 379 Configuring users 379 Configuring a local user 379 Configuring a user group 381 PKI configuration 383 PKI overview 383 PKI terms 383 Architecture of PKI 383 Applications of PKI 384 Operation of PKI 385 Configuring PKI 385 Configuration task list 385 Creating a PKI entity...

Страница 11: ...ountermeasures 422 End to end QoS 424 Traffic classification 424 Packet precedences 425 Queue scheduling 427 Line rate 429 Priority mapping 430 Introduction to priority mapping tables 431 QoS configuration 432 Configuration task lists 432 Creating a class 434 Configuring match criteria 435 Creating a traffic behavior 437 Configuring traffic mirroring and traffic redirecting for a traffic behavior ...

Страница 12: ... PoE ports 459 Configuring non standard PD detection 461 Displaying information about PSE and PoE ports 462 PoE configuration example 462 Support and other resources 465 Contacting HP 465 Related information 465 Conventions 465 Subscription service 466 Index 467 ...

Страница 13: ... and SNMP MIB These configuration methods are suitable for different application scenarios The web interface supports all V1910 Switch Series configurations The CLI provides some configuration commands to facilitate your operation To perform other configurations not supported by the CLI use the web interface ...

Страница 14: ... information You can use the default information to log in to the web interface 1 The default web login information Information needed at login Default value Username admin Password None IP address of the device VLAN interface 1 Default IP address of the device depending on the status of the network where the device resides Table 1 The device is not connected to the network or no DHCP server exist...

Страница 15: ...the device through the web interface Connect the device to a PC Connect the GigabitEthernet interface of the device to a PC by using a crossover Ethernet cable by default all interfaces belong to VLAN 1 Configure an IP address for the PC and ensure that the PC and device can communicate with each other properly Select an IP address for the PC from network segment 169 254 0 0 16 except for the defa...

Страница 16: ...nterface Logging out of the web interface Click Logout in the upper right corner of the web interface as shown in a to quit the web console The system does not save the current configuration automatically Therefore it is recommended to save the current configuration before logout Introduction to the web interface The Web interface is composed of three parts navigation tree title area and body area...

Страница 17: ...troduction to the web based NM functions NOTE User level in 1 indicates that users of this level or users of a higher level can perform the corresponding operations 1 Description of Web based NM functions Function menu Description User level Wizard IP Setup Allows you to perform quick configuration of the device Management IRF Setup Displays global settings and port settings of a stack Configure A...

Страница 18: ... the next startup from the host of the current user to the device Management Save Allows you to save the current configuration to the configuration file to be used at the next startup Configure Initialize Allows you to restore the factory default settings Configure File Managem ent File Management Allows you to manage files on the device such as displaying the file list downloading a file uploadin...

Страница 19: ...ws you to create modify and remove the port traffic threshold Configure RMON Statistics Displays and allows you to create modify and clear RMON statistics Configure History Displays and allows you to create modify and clear RMON history sampling information Configure Alarm Allows you to view create modify and clear alarm entries Configure Event Allows you to view create modify and clear event entr...

Страница 20: ... you to remove VLANs Configure VLAN Interface Summary Displays information about VLAN interfaces by address type Monitor Create Allows you to create VLAN interfaces and configure IP addresses for them Configure Modify Allows you to modify the IP addresses and status of VLAN interfaces Configure Remove Allows you to remove VLAN interfaces Configure Voice VLAN Summary Displays voice VLAN information...

Страница 21: ... Setup Displays global LLDP configuration information Monitor Allows you to configure global LLDP parameters Configure Global Summary Displays global LLDP local information and statistics Monitor Neighbor Summary Displays global LLDP neighbor information Monitor IGMP Snooping Basic Displays global IGMP snooping configuration information or the IGMP snooping configuration information in a VLAN and ...

Страница 22: ...d remove ARP entries Configure Gratuitous ARP Displays the configuration information of gratuitous ARP Monitor Allows you to configure gratuitous ARP Configure ARP Anti Attack ARP Detection Displays ARP detection configuration information Monitor Allows you to configure ARP detection Configure Auth entic ation 802 1X 802 1X Displays 802 1X configuration information globally or on a port Monitor Al...

Страница 23: ...o view the contents of a certificate Monitor Allows you to generate a key pair destroy a key pair retrieve a certificate request a certificate and delete a certificate Configure CRL Displays the contents of the CRL Monitor Allows you to receive the CRL of a domain Configure Secu rity Port Isolate Group Summary Displays port isolation group information Monitor Modify Allows you to configure a port ...

Страница 24: ...ort Setup Allows you to configure traffic mirroring and traffic redirecting for a traffic behavior Configure Remove Allows you to delete a traffic behavior Configure QoS Policy Summary Displays QoS policy configuration information Monitor Create Allows you to create a QoS policy Configure Setup Allows you to configure the classifier behavior associations for a QoS policy Configure Remove Allows yo...

Страница 25: ...n of the current step and enter the next configuration step Generally present on the configuration wizard used to buffer but not apply the configuration of the current step and return to the previous configuration step Generally present on the configuration wizard used to apply the configurations of all configuration steps Generally present on the Operation column on a list used to enter the modif...

Страница 26: ...wn in a You can select Match case and whole word that is the item to be searched must completely match the keyword or you can select Search in previous results If you do not select exact search a fuzzy search is performed a Advanced search Sorting function On some list pages the web interface provides the sorting function to display the entries in a certain order As shown in a you can click the bl...

Страница 27: ...ce is performing the spanning tree calculation you cannot log in to or use the web interface The Windows firewall limits the number of TCP connections so when you use IE to log in to the web interface sometimes you may be unable to open the web interface To avoid this problem turn off the Windows firewall before login If the software version of the device changes when you log in to the device thro...

Страница 28: ...eration For example if you forget the IP address of VLAN interface 1 and cannot log in to the device through the web interface you can connect the console port of the device to a PC and reconfigure the IP address of VLAN interface 1 at the CLI This section describes using the CLI to manage the device Setting up the configuration environment To set up the configuration environment connect a termina...

Страница 29: ...er disconnecting the RJ 45 connector from the switch Setting terminal parameters To configure and manage the switch you must run a terminal emulator program on the console terminal for example a PC This section uses Windows XP HyperTerminal as an example The following are the required terminal settings Bits per second 38400 Data bits 8 Parity None Stop bits 1 Flow control None Emulation VT100 Foll...

Страница 30: ...lect the serial port to be used from the Connect using drop down list and click OK c Set the serial port used by the HyperTerminal connection Table 7 Set Bits per second to 38400 Data bits to 8 Parity to None Stop bits to 1 and Flow control to None and click OK ...

Страница 31: ...19 d Set the serial port parameters Table 8 Select File Properties in the HyperTerminal window e HyperTerminal window ...

Страница 32: ...ration is admin no password is required Usernames and passwords are case sensitive To log in to the CLI Table 10 Press Enter The Username prompt displays Login authentication Username Table 11 Enter your username at the Username prompt Username admin Table 12 Press Enter The Password prompt display Password The login information is verified and displays the following CLI menu HP V1910 Switch If th...

Страница 33: ...he main configuration file reboot View the summary information of the device summary Ping a specified destination ping host initialize Syntax initialize Parameters None Description Use the initialize command to delete the current configuration file and reboot the device with the default configuration file Use the command with caution because it deletes the configuration file to be used at the next...

Страница 34: ...ddress mask mask length command to assign an IP address to VLAN interface 1 By default the device automatically obtains its IP address through DHCP if fails it uses the assigned default IP address For more information see b If there is no VLAN interface 1 either command creates VLAN interface 1 first and then specifies its IP address Examples Create VLAN interface 1 and specify the interface to ob...

Страница 35: ...254 time 1 ms Reply from 1 1 2 2 bytes 56 Sequence 4 ttl 254 time 1 ms Reply from 1 1 2 2 bytes 56 Sequence 5 ttl 254 time 1 ms 1 1 2 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 41 205 ms The output shows that IP address 1 1 2 2 is reachable and the echo replies are all returned from the destination The minimum average and maximum roundtri...

Страница 36: ...e system will automatically use the backup configuration file at the next startup If you reboot the device when file operations are being performed the system does not execute the command to ensure security Examples If the configuration does not change reboot the device Sysname reboot Start to check configuration with next startup configuration file please wait DONE This command will reboot the de...

Страница 37: ...ett Packard Development Company L P HP V1910 24G PoE 365W Switch uptime is 0 week 0 day 6 hours 28 minutes HP V1910 24G PoE 365W Switch 128M bytes DRAM 128M bytes Nand Flash Memory Config Register points to Nand Flash Hardware Version is REV B CPLD Version is 002 Bootrom Version is 138 SubSlot 0 24GE 4SFP POE Hardware Version is REV B upgrade Syntax upgrade server address source filename bootrom r...

Страница 38: ...e as the startup configuration file Sysname upgrade 192 168 20 41 main bin bootrom Download software package file main bin from the TFTP server and use the system software image file in the package as the startup configuration file Sysname upgrade 192 168 20 41 main bin runtime Configuration example for upgrading the system software image at the CLI Network requirements As shown in a a V1910 switc...

Страница 39: ...ait TFTP 10262144 bytes received in 71 second s File downloaded successfully Download the software package file SwitchV1910 bin from the TFTP server to the switch and upgrade the Boot ROM image Switch upgrade 192 168 10 1 SwitchV1910 bin bootrom The file flash SwitchV1910 bin exists Overwrite it Y N y Verifying server file Deleting the old file please wait File will be transferred in binary mode D...

Страница 40: ...nagement IP address IP address of the VLAN interface Basic service setup Entering the configuration wizard homepage From the navigation tree select Wizard to enter the configuration wizard homepage as shown in a a Configuration wizard homepage Configuring system parameters In the wizard homepage click Next to enter the system parameter configuration page as shown in a ...

Страница 41: ...ystem You can also set the physical location in the setup page you enter by selecting Device SNMP For more information see the chapter SNMP configuration Syscontact Set the contact information for users to get in touch with the device vendor for help You can also set the contact information in the setup page you enter by selecting Device SNMP For more information see the chapter SNMP configuration...

Страница 42: ...es are those configured in the page you enter by selecting Network VLAN Interface and selecting the Create tab Admin Status Enable or disable the VLAN interface When errors occurred on the VLAN interface disable the interface and then enable the port to bring the port to work properly By default the VLAN interface is in the down state if all Ethernet ports in the VLAN are down The VLAN is in the u...

Страница 43: ... address and the mask length for the VLAN interface These two text boxes are configurable if Manual is selected MaskLen Finishing configuration wizard After finishing the management IP address configuration click Next as shown in a a Configuration finishes The page displays your configurations Review the configurations and if you want to modify the settings click Back to go back to the page Click ...

Страница 44: ...witch to create the stack and this switch becomes the master for the stack You then configure and monitor all other member switches on the master switch The ports that connect the stack member switches are called stack ports Configuring stack management Stack management configuration task list Perform the tasks in 1 to configure stack management 1 Stack management configuration task list Task Rema...

Страница 45: ...t the username password and access right you used to log on to the master switch are the same with those configured on the member switch otherwise the control panel of the member switch cannot be displayed Logging into a member switch from the master switch Optional Log in to the web interface of a member switch from the master switch IMPORTANT Before logging into a member switch you must ensure t...

Страница 46: ...ure that it can automatically allocate an available IP address to a member switch when the device joints the stack IMPORTANT When you configure a private IP address pool for a stack the number of IP addresses in the address pool needs to be equal to or greater than the number of switches to be added to the stack Otherwise some switches may not be able to join the stack automatically for lack of pr...

Страница 47: ... check box before a port name and click Enable to configure the port as a stack port Select the check box before a port name and click Disable to configure the port as a non stack port Return to Stack management configuration task list Displaying topology summary of a stack Select IRF from the navigation tree and click the Topology Summary tab to enter the page shown in a a Topology summary 2 Fiel...

Страница 48: ...on task list Logging into a member switch from the master switch Select IRF from the navigation tree click the Device Summary tab and click the tab of a member switch to enter the page shown in a Click the Configuring the Device hyperlink you can log on to the web interface of the member switch to manage and maintain the member switch directly a Device summary a member switch Return to Stack manag...

Страница 49: ...A to perform remote configurations a Network diagram for stack management Eth1 0 1 Eth1 0 3 Switch B Eth1 0 1 Eth1 0 1 Switch C Switch D Stack Eth1 0 1 Eth1 0 2 Switch A Master switch Configuration procedure Table 15 Configure the master switch Configure global parameters for the stack on Switch A Select IRF from the navigation tree of Switch A to enter the page of the Setup tab ...

Страница 50: ...meters for the stack on Switch A Type 192 168 1 1 in the text box of Private Net IP Type 255 255 255 0 in the text box of Mask Select Enable from the Build Stack drop down list Click Apply Now switch A becomes the master switch ...

Страница 51: ... the page of the Setup tab perform the following configurations as shown in c c Configure a stack port on Switch A In the Port Settings area select the check box before GigabitEthernet1 0 1 Click Enable Table 16 Configure the member switches ...

Страница 52: ...tch C and GigabitEthernet 1 0 3 connecting with Switch D as stack ports Select IRF from the navigation tree of Switch B to enter the page of the Setup tab d Configure stack ports on Switch B In the Port Settings area select the check boxes before GigabitEthernet1 0 1 GigabitEthernet1 0 2 and GigabitEthernet1 0 3 Click Enable ...

Страница 53: ...t GigabitEthernet 1 0 1 connecting with Switch B as a stack port Select IRF from the navigation tree of Switch C to enter the page of the Setup tabe e Configure a stack port on Switch C In the Port Settings area select the check box before GigabitEthernet1 0 1 Click Enable ...

Страница 54: ...17 Verify the configuration Display the stack topology on Switch A Select IRF from the navigation tree of Switch A and click the Topology Summary tab You can view the information as shown in f f Verify the configuration Configuration guidelines When configuring a stack note the following issues Table 18 If a switch is already configured as the stack master you are not allowed to modify the private...

Страница 55: ... you log in to the web interface the System Information tab appears by default as shown in a a System information If you select a certain time period the system refreshes the system information at the specified interval If you select Manual from the Refresh Period drop down list the system refreshes the information only when you click the Refresh button The system information tab is divided into t...

Страница 56: ...tem operation logs are generated Level Displays the severity of the system operation logs Description Displays the description of the system operation logs NOTE The Summary page displays up to five latest system operation logs about the login and logout events For more system operation logs click More to enter the Log List page You can also enter this page by selecting Device Syslog For more infor...

Страница 57: ...time period from the Refresh Period drop down list the system refreshes the information at the specified interval If you select Manual from the Refresh Period drop down list the system refreshes the information only when you click the Refresh button ...

Страница 58: ... web for security purpose after the configured period Configuring device basic information Configuring system name Select Device Basic from the navigation tree to enter the system name configuration page as shown in a a Configure system name 2 System name configuration item Item Description Sysname Set the system name Configuring idle timeout period Select Device Basic from the navigation tree and...

Страница 59: ...47 a Configure idle timeout period 2 Idle timeout period configuration item Item Description Idle timeout Set the idle timeout period for logged in users ...

Страница 60: ...ge amount of workload and cannot guarantee the clock precision Defined in RFC 1305 the Network Time Protocol NTP synchronizes timekeeping among distributed time servers and clients NTP allows quick clock synchronization within the entire network and ensures a high clock precision so that the devices can provide diverse applications based on the consistent time Configuring system time Select Device...

Страница 61: ...tication keys each of which is composed of a key ID and key string ID is the ID of a key Key string is a character string for MD5 authentication key Key 2 External Reference Source NTP Server 1 Reference Key ID Specify the IP address of an NTP server and configure the authentication key ID used for the association with the NTP server Only if the key provided by the server is the same with the spec...

Страница 62: ...erver of Switch B Select Device System Time from the navigation tree and then select the Net Time tab to perform the configurations as shown in b b Configure Device A as the NTP server of Switch B Select NTP Type 24 in the ID box and type aNiceKey in the Key String text box for key 1 Type 1 0 1 11 in the NTP Server 1 text box and type 24 in the Reference Key ID text box Click Apply Table 22 Verify...

Страница 63: ... been synchronized If the clock of a server has a stratum level higher than or equal to that of a client s clock the client does not synchronize its clock to the server s The synchronization process takes a period of time Therefore the clock status may be unsynchronized after your configuration In this case you can refresh the page to view the clock status and system time later on ...

Страница 64: ...nfiguring log management Configuration task list Perform the tasks in 1 to configure log management 1 Log management configuration task list Task Description Setting syslog related parameters Optional Set the number of logs that can be stored in the log buffer Set the refresh period of the log information displayed on the web interface Displaying syslog Display detailed information of system logs ...

Страница 65: ...n displayed on the web interface You can select manual refresh or automatic refresh Manual Click Refresh to refresh the Web interface when displaying log information Automatic Select a time period to refresh the Web interface every 1 minute 5 minutes or 10 minutes Return to Log management configuration task list Displaying syslog Select Device Syslog from the navigation tree to enter the syslog di...

Страница 66: ...ion Displays the contents of system logs 3 System logs severity level Severity level Description Value Emergency The system is unavailable 0 Alert Information that demands prompt reaction 1 Critical Critical information 2 Error Error information 3 Warning Warnings 4 Notification Normal information that needs to be noticed 5 Informational Informational information to be recorded 6 Debugging Informa...

Страница 67: ...Loghost tab to enter the loghost configuration page as shown in a a Set loghost 2 Loghost configuration item Item Description Loghost IP IP address of the loghost You can specify up to four loghosts You must input a valid IP address Return to Log management configuration task list ...

Страница 68: ... box appears You can select to view the cfg file or to save the file locally When you click the lower Backup button in this figure a file download dialog box appears You can select to view the xml file or to save the file locally Restore configuration Configuration restore provides the following functions Upload the cfg file on the host of the current user to the device for the next startup Upload...

Страница 69: ...he configuration file cfg file or xml file for the next startup CAUTION Saving the configuration takes some time The system does not support the operation of saving configuration of two or more consecutive users If such a case occurs the system prompts the latter users to try later You can save the configuration in one of the following ways Fast Click the Save button at the upper right of the auxi...

Страница 70: ...on file and reboots the device Select Device Configuration from the navigation tree and then click the Initialize tab to enter the initialize confirmation page as shown in a a Initialize confirmation dialog box Click the Restore Factory Default Settings button to restore the system to factory defaults ...

Страница 71: ...d performing any operation on the web interface during the upgrading procedure Otherwise the upgrade operation may be interrupted Select Device Device Maintenance from the navigation tree to enter the software upgrade configuration page as shown in a a Software upgrade configuration page 2 Software upgrade configuration items Item Description File Specifies the filename of the local system softwar...

Страница 72: ...fter device reboot When the device reboots you need to re log in to the web interface Select Device Device Maintenance from the navigation tree click the Reboot tab to enter the device reboot configuration page as shown in a a Device reboot page Click Apply to reboot the device You can check whether the current configuration has been saved to the startup configuration file If you select Check conf...

Страница 73: ...ation Each functional module has its own running information and generally you view the output information for each module one by one To receive as much information as possible in one operation during daily maintenance or when system failure occurs the diagnostic information module allows you to save the running statistics of multiple functional modules to a file named default diag This allows you...

Страница 74: ...e to the local host NOTE The generation of the diagnostic file takes some time During this process do not perform any operation on the web page After the diagnostic file is generated successfully you can view this file by selecting Device File Management or downloading this file to the local host For more information see the chapter File management configuration ...

Страница 75: ...t Downloading a file Uploading a file Removing a file File management configuration Displaying file list Select Device File Management from the navigation tree to enter the file management page as shown in a Select a disk from the Please select disk drop down list on the top of the page and the page then displays used space free space and capacity of the disk at the right of the drop down list and...

Страница 76: ...in a In the Upload File area select a disk from the Please select disk drop down list to save the file and then select the file path and filename by clicking Browse Click Apply to upload the file to the specified storage device CAUTION Uploading a file takes some time HP recommends you not to perform any operation on the web interface during the upgrading procedure Removing a file Select Device Fi...

Страница 77: ...t not limited to its state rate duplex mode link type PVID MDI mode flow control settings MAC learning limit and storm suppression ratios Configuring a port Setting operation parameters for a port Select Device Port Management from the navigation tree and then select the Setup tab on the page that appears to enter the page as shown in a a The Setup tab ...

Страница 78: ...ed to 10 100 or 1000 Mbps IMPORTANT SFP optical ports do not support the 10 or 100 option Duplex Set the duplex mode of the port Auto auto negotiation Full full duplex Half half duplex IMPORTANT Ethernet electrical ports whose transmission rate is configured as 1000 Mbps and SFP optical ports do not support the half option Link Type Set the link type of the current port which can be access hybrid ...

Страница 79: ...e the auto mode The other two modes are used only when the device cannot determine the cable type When straight through cables are used the local MDI mode must be different from the remote MDI mode When crossover cables are used the local MDI mode must be the same as the remote MDI mode or the MDI mode of at least one end must be set to auto IMPORTANT SFP optical ports do not support this feature ...

Страница 80: ...multicast packets that can be forwarded on an Ethernet port per second When this option is selected you need to input a number in the box below kbps Sets the maximum number of multicast kilobits that can be forwarded on an Ethernet port per second When this option is selected you need to input a number in the box below IMPORTANT Do not configure this item if the storm constrain function for multic...

Страница 81: ...rt Select Device Port Management from the navigation tree The Summary tab is displayed by default Select the parameter you want to view by clicking the radio button before it to display the setting of this parameter for all the ports in the lower part of the page as shown in a a The Summary tab Select Device Port Management from the navigation tree select the Details tab on the page that appears a...

Страница 82: ...switch respectively The rates of the network adapters of these servers are all 1000 Mbps The switch connects to the external network through GigabitEthernet 1 0 4 whose rate is 1000 Mbps To avoid congestion at the egress port GigabitEthernet 1 0 4 configure the auto negotiation rate range on GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 as 100 Mbps a Network diagram for por...

Страница 83: ... GigabitEthernet 1 0 4 Select 1000 in the Speed dropdown list Select GigabitEthernet 1 0 4 on the chassis front panel Click Apply Batch configure the auto negotiation rate range on GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 as 100 Mbps Select Auto 100 in the Speed dropdown list on the page shown in b Select GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet ...

Страница 84: ...72 b Batch configure port rate Display the rate settings of ports Click the Summary tab Select the Speed option to display the rate information of all ports on the lower part of the page as shown in c ...

Страница 85: ...73 c Display the rate settings of ports ...

Страница 86: ...ugh local port mirroring groups The following subsections describe how local port mirroring is implemented Local port mirroring In local port mirroring all packets including protocol and data packets passing through a port can be mirrored Local port mirroring is implemented through a local mirroring group As shown in a packets on the mirroring port are mirrored to the monitor port for the data mon...

Страница 87: ...oring ports Required For more information see Configuring ports for a mirroring group During configuration you need to select the port type Mirror Port You can configure multiple mirroring ports for a mirroring group Configure the monitor port Required For more information see Configuring ports for a mirroring group During configuration you need to select the port type Monitor Port You can configu...

Страница 88: ...created Type Specify the type of the mirroring group to be created Local Creates a local mirroring group Return to Local port mirroring configuration task list Configuring ports for a mirroring group Select Device Port Mirroring from the navigation tree and click Modify Port to enter the page for configuring ports for a mirroring group as shown in a ...

Страница 89: ...ic monitored by the monitor port of the mirroring group This configuration item is available when Mirror Port is selected is the Port Type drop down list both Mirrors both received and sent packets on mirroring ports inbound Mirrors only packets received by mirroring port outbound Mirrors only packets sent by mirroring ports Select port s Click the ports to be configured on the chassis front panel...

Страница 90: ...c of Department 1 and Department 2 on the server To satisfy the requirement through local port mirroring perform the following configuration on Switch C Configure GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 as mirroring ports Configure GigabitEthernet 1 0 3 as the monitor port a Network diagram for local port mirroring configuration Configuration procedure Create a local mirroring group Select...

Страница 91: ...l mirroring group Type in mirroring group ID 1 Select Local in the Type drop down list Click Apply Configure the mirroring ports Click Modify Port to enter the page for configuring the mirroring group ports as shown in b ...

Страница 92: ...down list Select both in the Stream Orientation drop down list Select GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 on the chassis front panel Click Apply A configuration progress dialog box appears as shown in c c Configuration progress dialog box After the configuration process is complete click Close Configure the monitor port ...

Страница 93: ...hernet 1 0 3 on the chassis front panel Click Apply A configuration progress dialog box appears After the configuration process is complete click Close in the dialog box Configuration guidelines Consider the following points during local port mirroring configuration To ensure operation of your device do not enable STP MSTP or RSTP on the monitor port You can configure multiple mirroring ports but ...

Страница 94: ...s for each user Set the super password for non management level users to switch to the management level Switch to the management level from a lower level Managing users Adding a local user Select Device Users from the navigation tree and click the Create tab to add a local user as shown in a a Add a user 2 Local user configuration items Item Description Username Set a username for the user ...

Страница 95: ... Password Set the password for the user Confirm Password Input the same password again Otherwise the system will prompt that the two passwords are not consistent when you apply the configuration Password Display Mode Set the password displaying mode Options include Simple Saves the password in the configuration file in plain text so that the password is displayed in plain text Cipher Saves the pas...

Страница 96: ...ext Cipher Saves the password in the configuration file in cipher text so that the password is displayed in cipher text A plaintext password is not safe It is good practice to use the cipher mode Switching to the management level This function allows a user to switch from the current user level to the management level To switch to the management level a user must provide the correct super password...

Страница 97: ...p failure related to the functions of the port In an external loopback test a loopback plug is used on the port Packets forwarded by the port will be received by itself through the loopback plug The external loopback test can be used to check whether there is a hardware failure on the port Loopback operation Select Device Loopback from the navigation tree to enter the loopback test configuration p...

Страница 98: ...delines Note the following when performing a loopback test You can perform an internal loopback test but not an external loopback test on a port that is physically down but you can perform neither test on a port that is manually shut down The system does not allow Rate Duplex Cable Type and Port Status configuration on a port under a loopback test An Ethernet port works in full duplex mode when th...

Страница 99: ...t port on the device The check result is returned in less than 5 seconds The test covers whether short circuit or open circuit occurs on the cable and the length of the faulty cable Testing cable status Select Device VCT from the navigation tree to enter the page for testing cable status Select the port you want to test in the chassis front panel and then click Test The test result is returned in ...

Страница 100: ...al abnormal abnormal open abnormal short or failure When a cable is normal the cable length displayed is the total length of the cable When a cable is not normal the cable length displayed is the length of the cable between the current port and the location where fault occurs IMPORTANT The error of the length detected is within 5 meters ...

Страница 101: ...in a a The page for setting the traffic statistics generating interval 2 Traffic statistics generating interval configuration items Item Remarks Interval for generating traffic statistics Set the interval for generating port traffic statistics Select ports Select ports from the chassis front panel to apply the interval to them Viewing port traffic statistics Select Device Flow interval from the na...

Страница 102: ...90 a Port traffic statistics ...

Страница 103: ...unction is configured in Device Port Management For more information see the chapter Port management configuration With storm constrain enabled on a port you can specify the system to act as follows when a certain type of traffic broadcast multicast or unicast exceeds the corresponding upper threshold Block Blocks the port The port is blocked and stops forwarding the traffic of this type until the...

Страница 104: ...ge traffic sending and receiving rates over a specific interval For network stability sake set the traffic statistics generating interval for the storm constrain function to the default or a greater value Configuring storm constrain Select Device Storm Constrain from the navigation tree to enter the page shown in a In the Port Storm Constrain area the configured port storm constrain settings are d...

Страница 105: ...It is normal that a period longer than one traffic statistics generating interval is waited for a control action to happen if you enable the function while the packet storm is present Nevertheless the action will be taken within two intervals Broadcast Threshold Set the broadcast multicast and unicast thresholds None Performs no storm constrain for the selected port or ports pps Specifies the stor...

Страница 106: ...d when the corresponding lower threshold is crossed after that Log Select or clear the option to enable or disable the system to output logs both when an upper threshold is crossed and when the corresponding lower threshold is crossed after that Select ports Select ports from the chassis front panel to apply the storm constrain settings to them ...

Страница 107: ...t contents RMON provides an efficient means of monitoring subnets and allows SNMP to monitor remote network devices in a more proactive effective way The RMON protocol defines an alarm threshold on the managed device and when that threshold is reached the managed device sends a trap to the management device automatically This method reduces the communication traffic between the management device a...

Страница 108: ...stics in the history record table ethernetHistoryTable for query convenience of the management device The statistics includes bandwidth utilization number of error packets and total number of packets A history group collects statistics on packets received on the interface during each period which can be configured through the command line interface CLI Alarm group The RMON alarm group monitors spe...

Страница 109: ...to the NMS None No action Configuring RMON Configuration task list Configuring the RMON statistics function RMON statistics function can be implemented by either the Ethernet statistics group or the history group but the objects of the statistics are different and you can configure a statistics group or a history group accordingly A statistics object of the Ethernet statistics group is a variable ...

Страница 110: ...ystem periodically samples the number of packets received sent on the current interface and saves the statistics as an instance under the leaf node of the etherHistoryEntry table IMPORTANT When you create an entry if the value of the specified sampling interval is identical to that of the existing history entry the system considers the configurations identical and the creation fails Configuring th...

Страница 111: ...unction you can view RMON running status and verify the configuration by performing tasks in 1 1 Display RMON running status Task Remarks Displaying RMON statistics information View the interface statistics during the period from the time the statistics entry is created to the time the page is displayed The statistics are cleared after the device reboots Displaying RMON history sampling informatio...

Страница 112: ...s entry is created Only one statistics entry can be created on one interface Owner Set the owner of the statistics entry Return to RMON statistics group configuration task list Configuring a history entry Select Device RMON from the navigation tree and click the History tab to enter the page as shown in a Click Add to enter the page for adding a history entry as shown in b ...

Страница 113: ... the table has reached the maximum number the system will delete the earliest entry to save the latest one The statistics include total number of received packets on the current interface total number of broadcast packets total number of multicast packets in a sampling period and so on Interval Set the sampling period Owner Set the owner of the entry Return to RMON history group configuration task...

Страница 114: ...em will log the event Trap The system will send a trap in the community name of null If both Log and Trap are selected the system will log the event and send a trap If none of them is selected the system will take no action Return to RMON alarm configuration task list Configuring an alarm entry Select Device RMON from the navigation tree and click the Alarm tab to enter the page as shown in a Clic...

Страница 115: ...onfiguration items Item Description Alarm variable Statics Item Set the traffic statistics that will be collected and monitored For more information see 2 Interface Name Set the name of the interface whose traffic statistics will be collected and monitored ...

Страница 116: ...n the alarm falling threshold the system will adopt the default action that is log and trap Rising Threshold Set the alarm rising threshold Rising Event Set the action that the system will take when the value of the alarm variable is higher than the alarm rising threshold If the Create Default Event check box is selected this option is not configurable Falling Threshold Set the alarm falling thres...

Страница 117: ...ceived Packets Total number of packets received by the interface corresponding to the MIB node etherStatsPkts Number of Received Broadcasting Packets Total number of broadcast packets received by the interface corresponding to the MIB node etherStatsBroadcastPkts Number of Received Multicast Packets Total number of multicast packets received by the interface corresponding to the MIB node etherStat...

Страница 118: ... corresponding to the MIB node etherStatsDropEvents Number of Received 64 Bytes Packets Total number of received packets with 64 octets on the interface corresponding to the MIB node etherStatsPkts64Octets Number of Received 65 to 127 Bytes Packets Total number of received packets with 65 to 127 octets on the interface corresponding to the MIB node etherStatsPkts65to127Octets Number of Received 12...

Страница 119: ... MIB node etherHistoryMulticastPkts CRCAlignErrors Number of packets received with CRC alignment errors during the sampling period corresponding to the MIB node etherHistoryCRCAlignErrors UndersizePkts Number of undersize packets received during the sampling period corresponding to the MIB node etherHistoryUndersizePkts OversizePkts Number of oversize packets received during the sampling period co...

Страница 120: ...cted to a remote NMS across the Internet Create an entry in the RMON Ethernet statistics table to gather statistics on Ethernet 1 0 1 and perform corresponding configurations so that the system will log the event when the number of bytes received on the interface exceed the specified threshold a Network diagram for RMON Configuration procedure Configure RMON to gather statistics for interface Ethe...

Страница 121: ...net1 0 1 from the Interface Name drop down box Type user1 rmon in the text box of Owner Click Apply Display RMON statistics for interface Ethernet 1 0 1 Click the icon corresponding to GigabitEthernet 1 0 1 You can view the information as shown in b ...

Страница 122: ...110 b Display RMON statistics Create an event to start logging after the event is triggered Click the Event tab click Add ...

Страница 123: ...to the page displaying the event entry and you can see that the entry index of the new event is 1 as shown in d d Display the index of a event entry Configure an alarm group to sample received bytes on Ethernet 1 0 1 When the received bytes exceed the rising or falling threshold logging is enabled Click the Alarm tab click Add ...

Страница 124: ...erface Name drop down box Type 10 in the text box of Interval Select Delta from the Simple Type drop down box Type 1 rmon in the text box of Owner Type 1000 in the text box of Rising Threshold Select 1 from the Rising Event drop down box Type 100 in the text box of Falling Threshold Select 1 from the Falling Event drop down box Click Apply ...

Страница 125: ...policy for the port a Energy saving configuration page 2 Configuration items for configuring energy saving on a port Item Description Time Range Set the time period when the port is in the state of energy saving IMPORTANT Up to five energy saving policies with different time ranges can be configured on a port Specify the start time and end time in units of 5 minutes such as 08 05 to 10 15 Otherwis...

Страница 126: ...NT If you configure the lowest speed limit on a port that does not support 10 Mbps the configuration cannot take effect Shutdown Shut down the port IMPORTANT An energy saving policy can have all the three energy saving schemes configured of which the shutdown scheme takes the highest priority ...

Страница 127: ...ceive and handle requests from the NMS and send traps to the NMS when some events such as interface state change occur Management Information Base MIB Specifies the variables such as interface status and CPU usage maintained by the SNMP agent for the SNMP manager to read and set a Relationship between an NMS agent and MIB A MIB stores variables called nodes or objects in a tree hierarchy and ident...

Страница 128: ...ation packets preventing access of unauthorized users The privacy function is used to encrypt packets between the NMS and agents preventing the packets from being intercepted USM ensures more secure communication between NMSs and agents by providing authentication and privacy functions Successful interaction between an NMS and the agents requires consistency of SNMP versions configured on them SNM...

Страница 129: ...sers to the group when creating the users Therefore you can realize centralized management of users in the group through the management of the group Configuring an SNMP Required Before creating an SNMP user you need to create the SNMP group to which the user belongs Configuring SNMP trap Optional Allows you to configure that the agent can send SNMP traps to the NMS and configure information about ...

Страница 130: ...e ID Configure the local engine ID The validity of a user after it is created depends on the engine ID of the SNMP agent If the engine ID when the user is created is not identical to the current engine ID the user is invalid Maximum Packet Size Configure the maximum size of an SNMP packet that the agent can receive send ...

Страница 131: ... location of the device SNMP Version Set the SNMP version run by the system Return to SNMPv1 or SNMPv2c configuration task list or SNMPv3 configuration task list Configuring an SNMP view Select Device SNMP from the navigation tree and then click the View tab to enter the page as shown in a a View page Creating an SNMP view Table 23 Click Add the Add View window appears as shown in b Table 24 Type ...

Страница 132: ...e OID and subtree mask MIB Subtree OID Set the MIB subtree OID such as 1 4 5 3 1 or name such as system MIB subtree OID identifies the position of a node in the MIB tree and it can uniquely identify a MIB subtree Subtree Mask Set the subtree mask If no subtree mask is specified the default subtree mask all Fs will be used for mask OID matching Adding rules to an SNMP view Table 27 Click the icon c...

Страница 133: ... the view Return to SNMPv1 or SNMPv2c configuration task list or SNMPv3 configuration task list Configuring an SNMP community Table 29 Select Device SNMP from the navigation tree Table 30 Click the Community tab to enter the page as shown in b Table 31 Click Add to enter the Add SNMP Community page as shown in c b Configure an SNMP community c Create an SNMP Community ...

Страница 134: ... when it uses this community name to access the agent View Specify the view associated with the community to limit the MIB objects that can be accessed by the NMS ACL Associate the community with a basic ACL to allow or prohibit the access to the agent from the NMS with the specified source IP address Return to SNMPv1 or SNMPv2c configuration task list Configuring an SNMP group Table 32 Select Dev...

Страница 135: ...ed the NMS cannot perform the write operations to all MIB objects on the device Notify View Select the notify view of the SNMP group that is the view that can send trap messages If no notify view is configured the agent does not send traps to the NMS ACL Associate a basic ACL with the group to restrict the source IP address of SNMP packets that is you can configure to allow or prohibit SNMP packet...

Страница 136: ...ser Item Description User Name Set the SNMP user name Security Level Select the security level for the SNMP group The following are the available security levels NoAuth NoPriv No authentication no privacy Auth NoPriv Authentication without privacy Auth Priv Authentication and privacy ...

Страница 137: ...Mode Select a privacy mode including DES56 AES128 and 3DES when the security level is Auth Priv Privacy Password Set the privacy password when the security level is Auth Priv The confirm privacy password must be the same with the privacy password Confirm Privacy Password ACL Associate a basic ACL with the user to restrict the source IP address of SNMP packets that is you can configure to allow or ...

Страница 138: ...cription Destination IP Address Set the destination IP address Select the IP address type IPv4 or IPv6 and then type the corresponding IP address in the text box according to the IP address type Security Name Set the security name which can be an SNMPv1 community name an SNMPv2c community name or an SNMPv3 user name ...

Страница 139: ...able security levels are no authentication no privacy authentication but no privacy and authentication and privacy When the security model is selected as v1 or v2c the security level is no authentication no privacy and cannot be modified Return to SNMPv1 or SNMPv2c configuration task list or SNMPv3 configuration task list SNMP configuration example Network requirements As shown in a the NMS connec...

Страница 140: ...Select the v3 radio box Click Apply Configure an SNMP view Click the View tab and then click Add to enter the page as shown in c c Create an SNMP view 1 Type view1 in the text box Click Apply to enter the SNMP rule configuration page as shown in d ...

Страница 141: ...OID interfaces Click Add Click Apply A configuration progress dialog box appears as shown in e e Configuration progress dialog box After the configuration process is complete click Close Configure an SNMP group Click the Group tab and then click Add to enter the page as shown in f ...

Страница 142: ...the Read View drop down box Select view1 from the Write View drop down box Click Apply Configure an SNMP user Click the User tab and then click Add to enter the page as shown in g g Create an SNMP user Type user1 in the text box of User Name Select group1 from the Group Name drop down box ...

Страница 143: ...ct the Enable SNMP Trap check box Click Apply Add the target hosts of SNMP traps Click Add to enter the page as shown in i i Add target hosts of SNMP traps Select the destination IP address type as IPv4 Type the destination address 1 1 1 2 Type the user name user1 Select v3 from the Security Model drop down box Click Apply Table 43 Configure NMS ...

Страница 144: ...ication password privacy mode privacy password and so on You must also configure the aging time and retry times After these configurations you can configure the device as needed through the NMS For more information about NMS configuration see the manual provided for NMS Configuration verification After the above configuration the NMS can establish an SNMP connection with the agent and query and re...

Страница 145: ... in a a Interface statistics display page 2 Details about the interface statistics Field Description InOctets Total octets of all packets received on the interface InUcastPkts Number of received unicast packets InNUcastPkts Number of received non unicast packets InDiscards Number of valid packets discarded in the inbound direction InErrors Number of received invalid packets InUnknownProtos Number ...

Страница 146: ...nicast packets sent through the interface OutNUcastPkts Number of non unicast packets sent through the interface OutDiscards Number of valid packets discarded in the outbound direction OutErrors Number of invalid packets sent through the interface ...

Страница 147: ...e LAN regardless of their physical locations VLAN technology delivers the following benefits Confining broadcast traffic within individual VLANs This reduces bandwidth waste and improves network performance Improving LAN security By assigning user groups to different VLANs you can isolate them at Layer 2 To enable communication between VLANs routers or Layer 3 switches are required Flexible virtua...

Страница 148: ...are encapsulated in canonical format A value of 1 indicates that the MAC addresses are encapsulated in a non standard format The value of the field is 0 by default The 12 bit VLAN ID field identifies the VLAN the frame belongs to The VLAN ID range is 0 to 4095 As 0 and 4095 are reserved a VLAN ID actually ranges from 1 to 4094 A network device handles an incoming frame depending on whether the fra...

Страница 149: ...D for a port as required Use the following guidelines when configuring the PVID on a port An access port can join only one VLAN The VLAN to which the access port belongs is the PVID of the port The PVID of the access port changes along with the VLAN to which the port belongs A trunk or hybrid port can join multiple VLANs and you can configure a PVID for the port The following table shows how ports...

Страница 150: ...ying modifying or removing a VLAN Modifying a VLAN Required Configure the untagged member ports and tagged member ports of the VLAN or remove the specified ports from the VLAN 2 VLAN configuration task list approach II Task Remarks Creating VLANs Required Create one or multiple VLANs Modifying ports Required Configure ports as the untagged members or tagged members of VLANs or remove ports from VL...

Страница 151: ...D of the VLAN to be modified in the list in the middle of the page Description Set the description string of the selected VLAN By default the description string of a VLAN is its VLAN ID such as VLAN 0001 Return to VLAN configuration task list approach I Return to VLAN configuration task list approach II Selecting VLANs Select Network VLAN from the navigation tree The Select VLAN tab is displayed b...

Страница 152: ...splay all VLANs Display all configured VLANs Display a subnet of all configured VLANs Type the VLAN IDs you want to display Display a subnet of all configured VLANs Return to VLAN configuration task list approach I Modifying a VLAN Select Network VLAN from the navigation tree and click the Modify VLAN tab to enter the page shown in a ...

Страница 153: ...e modified in the VLAN The options include Untagged Indicates that the port sends the traffic of the VLAN after removing the VLAN tag Tagged Indicates that the port sends the traffic of the VLAN without removing the VLAN tag Not A Member Remove the port from the VLAN Tagged Not A Member Select ports to be modified and assigned to this VLAN Select the ports to be modified in the selected VLAN Click...

Страница 154: ...s below the chassis front panel and you can select aggregate interfaces from this list Select membership type Untagged Set the member types of the selected ports to be modified in the specified VLANs The options include Untagged Assign the selected ports to the specified VLANs as untagged members After that the ports send the traffic of those VLANs after removing the VLAN tags Tagged Assign the se...

Страница 155: ...able when the PVID option is selected in the Select membership type area Delete Return to VLAN configuration task list approach II VLAN configuration example Network requirements As shown in a Trunk port GigabitEthernet 1 0 1 of Switch A is connected to trunk port GigabitEthernet 1 0 1 of Switch B The PVID of GigabitEthernet 1 0 1 is VLAN 100 GigabitEthernet 1 0 1 permits packets of VLAN 2 VLAN 6 ...

Страница 156: ...nk Type drop down list Select the PVID option and type 100 in the text box Select GigabitEthernet 1 0 1 on the chassis front device panel Click Apply Create VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 Select Network VLAN from the navigation tree and click the Create tab to enter the page shown in c ...

Страница 157: ... VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 Type VLAN IDs 2 6 50 100 Click Create Assign GigabitEthernet 1 0 1 to VLAN 100 as an untagged member Click Select VLAN to enter the page for selecting VLANs as shown in d ...

Страница 158: ...d Set a VLAN range Select the Display a subnet of all configured VLANs option and type 1 100 in the text box Click Select Click Modify VLAN to enter the page for modifying the ports in a VLAN as shown in e ...

Страница 159: ...Untagged option in the Select membership type area Select GigabitEthernet 1 0 1 on the chassis front device panel Click Apply A configuration progress dialog box appears as shown in f f Configuration progress dialog box After the configuration process is complete click Close Assign GigabitEthernet 1 0 1 to VLAN 2 and VLANs 6 through 50 as a tagged member ...

Страница 160: ...After the configuration process is complete click Close in the dialog box Table 45 Configure Switch B Configure Switch B as you configured Switch A Configuration guidelines When configuring the VLAN function follow these guidelines As the default VLAN VLAN 1 cannot be created or removed You cannot create or remove VLANs reserved for special purposes Dynamic VLANs cannot be removed on the page for ...

Страница 161: ...bnet different from that of the VLAN Configuring VLAN interfaces Configuration task list Perform the tasks in 1 to configure a VLAN interface 1 VLAN interface configuration task list Task Remarks Creating a VLAN interface Required Create a VLAN interface You can select to assign an IPv4 address to the VLAN interface in this step or in a separate step Before creating a VLAN interface for a VLAN cre...

Страница 162: ...ess by selecting the Manual option BOOTP Manual IPv4 Address Configure an IPv4 address for the VLAN interface This option is available after you select the Manual option Mask Length Select the subnet mask length This option is available after you select the Manual option Return to VLAN interface configuration task list Modifying a VLAN interface NOTE After you modify the IPv4 address for a selecte...

Страница 163: ...terface to be configured The VLAN interfaces available for selection in the drop down list are those created on the page for creating VLAN interfaces Modify IPv4 Address DHCP Configure the way in which the VLAN interface obtains an IPv4 address Allow the VLAN interface to obtain an IP address automatically by selecting the DHCP or BOOTP option or manually assign the VLAN interface an IP address by...

Страница 164: ...face By default a VLAN interface is down if all Ethernet ports in the VLAN are down and is up if one or more Ethernet ports in the VLAN are up IMPORTANT The current VLAN interface state in the Modify IPv4 Address area changes if the VLAN interface state is modified in the Admin Status drop down list The state of each port in the VLAN is independent of the VLAN interface state Return to VLAN interf...

Страница 165: ... B900 0000 Philips NEC phone 6 00E0 7500 0000 Polycom phone 7 00E0 BB00 0000 3Com phone NOTE In general as the first 24 bits of a MAC address in binary format an OUI address is a globally unique identifier assigned to a vendor by the IEEE OUI addresses mentioned in this document however are different from those commonly used In this document OUI addresses are used by the system to determine whethe...

Страница 166: ...of the PVID can pass through the port tagged Untagged voice traffic Not supported Not supported Not supported Manual mode Tagged voice traffic Not supported Supported but you must ensure that the PVID of the port has been created and is not the voice VLAN and the traffic of the PVID can pass through the port Supported but you must ensure that the PVID of the port has been created and is not the vo...

Страница 167: ...s not recommend you transmit both voice traffic and non voice traffic in a voice VLAN If you have to ensure that the voice VLAN security mode is disabled 1 How a voice VLAN enable port processes packets in security normal mode Voice VLAN mode Packet type Packet processing mode Security mode Untagged packets If the source MAC address of a packet matches an OUI address configured for the device it i...

Страница 168: ...orm the tasks described in 1 to configure the voice VLAN function on a port working in manual voice VLAN assignment mode 1 Configuration task list for a port in manual voice VLAN assignment mode Task Remarks Configuring voice VLAN globally Optional Configure the voice VLAN to operate in security mode and configure the aging timer Assigning the port to the voice VLAN Required After an access port i...

Страница 169: ...rity mode By default the voice VLANs operate in security mode Voice VLAN aging time Set the voice VLAN aging timer The voice VLAN aging timer applies only to a port in automatic voice VLAN assignment mode The voice VLAN aging timer starts as soon as the port is assigned to the voice VLAN If no voice packet has been received before the timer expires the port is removed from the voice VLAN Return to...

Страница 170: ...ate is set to Enable IMPORTANT The device supports only one voice VLAN Only an existing static VLAN can be configured as the voice VLAN Select ports Select the port on the chassis front panel You can select multiple ports to configure them in bulk The interface numbers of the selected ports will be displayed in the Ports selected for voice VLAN text box IMPORTANT To set the voice VLAN assignment m...

Страница 171: ... 2 OUI list configuration items Item Description OUI Address Set the source MAC address of voice traffic Mask Set the mask length of the source MAC address Description Set the description of the OUI address entry Return to Configuring voice VLAN on a port in automatic voice VLAN assignment mode Return to Configuring voice VLAN on a port working in manual voice VLAN assignment mode ...

Страница 172: ...the voice VLAN aging timer to 30 minutes Configure GigabitEthernet 1 0 1 to allow voice packets whose source MAC addresses match the OUI addresses specified by OUI address 0011 2200 0000 and mask FFFF FF00 0000 The description of the OUI address entry is test a Network diagram for automatic voice VLAN assignment mode configuration Switch A Switch B GE1 0 3 GE1 0 1 VLAN 2 VLAN 2 010 1001 OUI 0011 2...

Страница 173: ...61 a Create VLAN 2 Type VLAN ID 2 Click Create Configure GigabitEthernet 1 0 1 as a hybrid port Select Device Port Management from the navigation tree and click the Setup tab to enter the page shown in b ...

Страница 174: ...ct Hybrid from the Link Type drop down list Select GigabitEthernet 1 0 1 from the chassis front panel Click Apply Configure the voice VLAN function globally Select Network Voice VLAN from the navigation tree and click the Setup tab to enter the page shown in c ...

Страница 175: ...Apply Configure voice VLAN on GigabitEthernet 1 0 1 Click the Port Setup tab to enter the page shown in d d Configure voice VLAN on GigabitEthernet 1 0 1 Select Auto in the Voice VLAN port mode drop down list Select Enable in the Voice VLAN port state drop down list Type voice VLAN ID 2 Select GigabitEthernet 1 0 1 on the chassis front panel Click Apply Add OUI addresses to the OUI list Click the ...

Страница 176: ...tring test Click Apply Verify the configuration When the configurations are completed the OUI Summary tab is displayed by default as shown in a You can view information about the newly added OUI address a Current OUI list of the device Click the Summary tab to enter the page shown in b where you can view the current voice VLAN information ...

Страница 177: ...tagged voice traffic GigabitEthernet 1 0 1 operates in manual voice VLAN assignment mode and allows voice packets whose source MAC addresses match the OUI addresses specified by OUI address 0011 2200 0000 and mask FFFF FF00 0000 to pass through The description of the OUI address entry is test a Network diagram for manual voice VLAN assignment mode configuration Switch A Switch B GE1 0 3 GE1 0 1 VL...

Страница 178: ... and click the Create tab to enter the page shown in a a Create VLAN 2 Type VLAN ID 2 Click Create Configure GigabitEthernet 1 0 1 as a hybrid port and configure its PVID as VLAN 2 Select Device Port Management from the navigation tree and click the Setup tab to enter the page shown in b ...

Страница 179: ...down list Select the PVID option and type 2 in the text box Select GigabitEthernet 1 0 1 from the chassis front panel Click Apply Assign GigabitEthernet 1 0 1 to VLAN 2 as an untagged member Select Network VLAN from the navigation tree and click the Modify Port tab to enter the page shown in c ...

Страница 180: ...net 1 0 1 from the chassis front panel Select the Untagged option Type VLAN ID 2 Click Apply A configuration progress dialog box appears as shown in d d Configuration progress dialog box After the configuration process is complete click Close Configure voice VLAN on GigabitEthernet 1 0 1 ...

Страница 181: ... voice VLAN on GigabitEthernet 1 0 1 Select Manual in the Voice VLAN port mode drop down list Select Enable in the Voice VLAN port state drop down list Type voice VLAN ID 2 Select GigabitEthernet 1 0 1 on the chassis front panel Click Apply Add OUI addresses to the OUI list Click the OUI Add tab to enter the page shown in f ...

Страница 182: ...string test Click Apply Verify the configuration When the configurations are completed the OUI Summary tab is displayed by default as shown in a You can view information about the newly added OUI address a Current OUI list of the device Click the Summary tab to enter the page shown in b where you can view the current voice VLAN information ...

Страница 183: ...function requires hybrid ports to process untagged traffic Therefore if a VLAN is configured as the voice VLAN and a protocol based VLAN at the same time the protocol based VLAN cannot be associated with the port Only one VLAN is supported and only one existing static VLAN can be configured as the voice VLAN If Link Aggregation Control Protocol LACP is enabled on a port the voice VLAN function can...

Страница 184: ... 46 Checks the source MAC address MAC SOURCE for example of the frame Table 47 Looks up the source MAC address in the MAC address table If an entry is found the device updates the entry If no entry is found the device adds an entry for MAC SOURCE and Port A After learning the source MAC address when the device receives a frame destined for MAC SOURCE the device finds the MAC SOURCE entry in the MA...

Страница 185: ... configure and display MAC address entries and set the MAC address entry aging time Configuring a MAC address entry Select Network MAC from the navigation tree The system automatically displays the MAC tab which shows all the MAC address entries on the device as shown in a ...

Страница 186: ...174 a The MAC tab Click Add in the bottom to enter the page as shown in b b Create a MAC address entry ...

Страница 187: ...AC address entries manually configured Blackhole Blackhole MAC address entries Learned Dynamic MAC address entries learned by the device Other Other types of MAC address entries VLAN Set the ID of the VLAN to which the MAC address belongs Port Set the port to which the MAC address belongs Setting the aging time of MAC address entries Select Network MAC from the navigation tree and click the Setup ...

Страница 188: ...hernet 1 0 1 in VLAN 1 Configuration procedure Create a static MAC address entry Select Network MAC from the navigation tree to enter the MAC tab and then click Add The page shown in a appears a Create a static MAC address entry Type MAC address 00e0 fc35 dc71 Select static in the Type drop down list Select 1 in the VLAN drop down list Select GigabitEthernet1 0 1 in the Port drop down list Click A...

Страница 189: ...E 802 1d STP and various enhanced spanning tree protocols derived from that protocol STP protocol packets STP uses bridge protocol data units BPDUs also known as configuration messages as its protocol packets STP enabled network devices exchange BPDUs to establish a spanning tree BPDUs contain sufficient information for the network devices to complete spanning tree calculation STP uses the followi...

Страница 190: ...gnated port of Device B is port AP1 on Device A Two devices are connected to the LAN Device B and Device C If Device B forwards BPDUs to the LAN the designated bridge for the LAN is Device B and the designated port for the LAN is the port BP2 on Device B a A schematic diagram of designated bridges and designated ports Path cost Path cost is a reference value used for link selection in STP STP calc...

Страница 191: ...PDU with itself as the root bridge in which the root path cost is 0 designated bridge ID is the device ID and the designated port is the local port Selection of the optimum configuration BPDU Each device sends out its configuration BPDU and receives configuration BPDUs from other devices The process of selecting the optimum configuration BPDU is as follows 1 Selection of the optimum configuration ...

Страница 192: ...d on the configuration BPDU and the path cost of the root port the device calculates a designated port configuration BPDU for each of its other ports The root bridge ID is replaced with that of the configuration BPDU of the root port The root path cost is replaced with that of the configuration BPDU of the root port plus the path cost of the root port The designated bridge ID is replaced with the ...

Страница 193: ...ort AP1 receives the configuration BPDU of Device B 1 0 1 BP1 Device A finds that the configuration BPDU of the local port 0 0 0 AP1 is superior to the received configuration BPDU and therefore discards the received configuration BPDU Port AP2 receives the configuration BPDU of Device C 2 0 2 CP1 Device A finds that the BPDU of the local port 0 0 0 AP2 is superior to the received configuration BPD...

Страница 194: ...ly Root port BP1 0 0 0 AP1 Designated port BP2 0 5 1 BP2 Device C Port CP1 receives the configuration BPDU of Device A 0 0 0 AP2 Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port 2 0 2 CP1 and updates the configuration BPDU of CP1 Port CP2 receives the configuration BPDU of port BP2 of Device B 1 0 1 BP2 before the configuration BPDU is upd...

Страница 195: ...bed in 4 a spanning tree with Device A as the root bridge is established and the topology is shown in a a The final calculated spanning tree NOTE This example shows a simplified spanning tree calculation process The configuration BPDU forwarding mechanism in STP The configuration BPDUs of STP are forwarded following these guidelines Upon network initiation every device regards itself as the root b...

Страница 196: ...ikely to occur For this reason as a mechanism for state transition in STP the newly elected root ports or designated ports require twice the forward delay time before transiting to the forwarding state to ensure that the new configuration BPDU has propagated throughout the network Hello time The device sends hello packets at the hello time interval to the neighboring devices to ensure that the pat...

Страница 197: ...load sharing mechanism for redundant links by allowing data flows of different VLANs to be forwarded along separate paths MSTP includes the following features MSTP supports mapping VLANs to MST instances MSTIs by means of a VLAN to MSTI mapping table MSTP can reduce communication overheads and resource usage by mapping multiple VLANs to one MSTI MSTP divides a switched network into multiple region...

Страница 198: ...e MST region configuration The same region name The same VLAN to MSTI mapping configuration VLAN 1 is mapped to MSTI 1 VLAN 2 to MSTI 2 and the rest to the common and internal spanning tree CIST that is MSTI 0 The same MSTP revision level not shown in the figure Multiple MST regions can exist in a switched network You can assign multiple devices to the same MST region VLAN to MSTI mapping table As...

Страница 199: ...or example multiple MSTIs can exist in each MST region each MSTI corresponding to the specified VLANs Regional root The root bridge of the IST or an MSTI within an MST region is the regional root of the IST or MSTI Based on the topology different spanning trees in an MST region may have different regional roots In region D0 in a the regional root of MSTI 1 is device B while that of MSTI 2 is devic...

Страница 200: ...n two ports of the same MSTP device are interconnected so the device blocks one of the ports The blocked port acts as the backup A port can play different roles in different MSTIs a Port roles Connecting to the common root bridge Port 1 Port 2 Master port Alternate port Designated port Port 3 Port 4 Port 5 A B C D Port 6 Backup port MST region In a devices A B C and D constitute an MST region Port...

Страница 201: ...this process the device with the highest priority is elected as the root bridge of the CIST MSTP generates an IST within each MST region through calculation and at the same time MSTP regards each MST region as a single device and generates a CST among these MST regions through calculation The CST and ISTs constitute the CIST of the entire network MSTI calculation Within an MST region MSTP generate...

Страница 202: ...o MSTI mappings By default the MST region related parameters adopt the default values and all VLANs in an MST region are mapped to MSTI 0 Configuring MSTP globally Required Enable MSTP globally and configure MSTP parameters By default MSTP is enabled globally and all MSTP parameters have default values Configuring MSTP on a port Optional Enable MSTP on a port and configure MSTP parameters By defau...

Страница 203: ...gion name is the bridge MAC address of the device by default Revision Level Revision level of the MST region Manual Instance ID Manually add VLAN to MSTI mappings Click Apply to add the VLAN to MSTI mapping entries to the list below VLAN ID Modulo Modulo Value The device automatically maps 4094 VLANs to the corresponding MSTIs based on the modulo value Return to MSTP configuration task list ...

Страница 204: ...TP globally 2 Configuration items of MSTP global configuration Item Description Enable STP Globally Globally enable or disable STP Other MSTP configurations take effect only after you globally enable STP BPDU Protection Enable or disable BPDU guard BPDU guard can protect the device from malicious BPDU attacks making the network topology stable ...

Страница 205: ...meter is effective only for the CIST not for MSTIs The bridge diameter cannot be configured together with the timers Timer Forward Delay Set the delay for the root and designated ports to transit to the forwarding state IMPORTANT The settings of hello time forward delay and max age must meet a certain formula Otherwise the network topology will not be stable HP recommends you set the network diame...

Страница 206: ...revent frequent flushing of forwarding address entries IMPORTANT HP does not recommend you to disable this function TC Protection Threshold Set the maximum number of immediate forwarding address entry flushes the device can perform within a certain period of time after receiving the first TC BPDU Return to MSTP configuration task list Configuring MSTP on a port Select Network MSTP from the navigat...

Страница 207: ... not the port is connected to a point to point link Auto The link type of the port is automatically detected Force False The link type for the port is not point to point link Force True The link type for the port is point to point link IMPORTANT If a port is configured as connecting to a point to point link the setting takes effect for the port in all MSTIs If the physical link to which the port c...

Страница 208: ...r than that of a root bridge which causes a new root bridge to be elected and network topology change to occur The root guard function is used to address such a problem Loop Protection Enable the loop guard function By keeping receiving BPDUs from the upstream device a device can maintain the state of the root port and other blocked ports These BPDUs may get lost because of network congestion or u...

Страница 209: ...port belongs and the path cost and priority of the port in the MSTI 2 Fields in the displayed MSTP information of GigabitEthernet 1 0 16 in MSTI 0 Field Description FORWARDING The port is in forwarding state The port learns MAC addresses and forwards user traffic LEARNING The port is in learning state The port learns MAC addresses but does not forward user traffic DISCARDING The port is in discard...

Страница 210: ...e Protection Type Protection type on the port Root Root guard Loop Loop guard BPDU BPDU guard None No protection MST BPDU Format Format of the MST BPDUs that the port can send which can be legacy or 802 1s Config indicates the configured value Active indicates the actual value Port Config Digest Snooping Whether or not digest snooping is enabled on the port Rapid transition Whether or not the curr...

Страница 211: ...LAN 40 are forwarded along MSTI 1 MSTI 2 MSTI 3 and MSTI 0 respectively Switch A and Switch B operate at the distribution layer Switch C and Switch D operate at the access layer VLAN 10 and VLAN 20 are terminated on the distribution layer devices and VLAN 30 is terminated on the access layer devices so the root bridges of MSTI 1 and MSTI 2 are Switch A and Switch B respectively while the root brid...

Страница 212: ... option Select 1 in the Instance ID drop down list Type the VLAN ID 10 Click Apply to map VLAN 10 to MSTI 1 and add the VLAN to MSTI mapping entry to the VLAN to MSTI mapping list Repeat the previous steps to map VLAN 20 to MSTI 2 and VLAN 30 to MSTI 3 and add the VLAN to MSTI mapping entries to the VLAN to MSTI mapping list Click Activate Configure MSTP globally ...

Страница 213: ... Enable in the Enable STP Globally drop down list Select MSTP in the Mode drop down list Select the Instance option Type the Instance ID 1 Select Primary in the Root Type drop down list Click Apply Table 49 Configure Switch B Configure an MST region The procedure is the same as that of configuring an MST region on Switch A Configure MSTP globally ...

Страница 214: ... of configuring an MST region on Switch A Configure MSTP globally Select Network MSTP from the navigation tree and click the Global tab to enter the page shown in d Select Enable in the Enable STP Globally drop down list Select MSTP in the Mode drop down list Select the Instance option Select 3 in the Instance ID drop down list Select Primary in the Root Type drop down list Click Apply Table 51 Co...

Страница 215: ...MSTP follow these guidelines Two devices belong to the same MST region only if they are interconnected through physical links and share the same region name the same MSTP revision level and the same VLAN to MSTI mappings If two or more devices have been designated to be root bridges of the same spanning tree instance MSTP will select the device with the lowest MAC address as the root bridge ...

Страница 216: ...converts into a non boundary port To restore its port role as a boundary port you need to restart the port Configure ports that are directly connected to terminals as boundary ports and enable BPDU guard for them These ports can rapidly transit to the forwarding state and the network security can be ensured ...

Страница 217: ...e For example when you create interface Bridge Aggregation 1 Layer 2 aggregation group 1 is created You can assign Layer 2 Ethernet interfaces only to a Layer 2 aggregation group and Layer 3 Ethernet interfaces only to a Layer 3 aggregation group NOTE The device supports Layer 2 aggregation groups only Aggregation states of member ports in an aggregation group A member port in an aggregation group...

Страница 218: ...nk hybrid or access and tag mode MAC address learning MAC address learning limit NOTE Some configurations are called class one configurations Such configurations for example MSTP can be configured on aggregate interfaces and member ports but are not considered during operational key calculation For more information about MSTP configuration on member ports of link aggregation groups or aggregate in...

Страница 219: ...gregation group the following rules apply A Selected port can receive and transmit LACPDUs An Unselected port can receive and send LACPDUs only if it is up and with the same configurations as those on the aggregate interface In a dynamic aggregation group the system sets the ports to Selected or Unselected state using the following workflow Table 52 The local system the actor negotiates with the r...

Страница 220: ... or class two configuration setting for a port with caution because the change may affect the aggregation state of member ports and interrupt services Load sharing mode of an aggregation group Every link aggregation group created on HP V1910 Switch Series operates in load sharing mode all the time even when it contains only one member port Configuring link aggregation and LACP Configuration task l...

Страница 221: ... view detailed information of an existing aggregation group Setting LACP priority Optional Perform the task to set LACP priority for the local system and link aggregation member ports Changes of LACP priorities affect the Selected Unselected state of link aggregation member ports The default port LACP priority and system LACP priority are both 32768 Displaying information of LACP enabled ports Opt...

Страница 222: ... page Specify Interface Type Set the type of the link aggregation interface to be created Static LACP Disabled Dynamic LACP Enabled Select port s for the link aggregation interface Select one or multiple ports to be assigned to the link aggregation group from the chassis front panel You can view the result in the Summary list box at the bottom of the page Return to Static aggregation group configu...

Страница 223: ... interface which can be static or dynamic Partner ID ID of the remote device including its LACP priority and MAC address Selected Ports Number of Selected ports in each link aggregation group Only Selected ports can transmit and receive user data Standby Ports Number of Unselected ports in each link aggregation group Unselected ports cannot transmit or receive user data Return to Static aggregatio...

Страница 224: ...ct port s to apply Port Priority Select the ports where the port LACP priority you set will apply on the chassis front panel You can set LACP priority not only on LACP enabled ports but also on LACP disabled ports System Priority Set the LACP priority of the local system Return to Dynamic aggregation group configuration task list Displaying information of LACP enabled ports Select Network LACP fro...

Страница 225: ...rtner port of a LACP enabled port select it in the port list and then click View Details Detailed information about the peer port will be displayed on the lower part of the page 2 Fields in the LACP enabled port summary table Field button Description Unit The ID of a device in a stack Port Port where LACP is enabled LACP State State of LACP on the port Port Priority LACP priority of the port ...

Страница 226: ...es that the sending system considers that distribution of outgoing frames is enabled on the link G indicates that the receive state machine of the sending system is using the default operational partner information H indicates that the receive state machine of the sending system is in the expired state Oper Key Operational key of the local port 3 describes the fields in the Partner Port Details ta...

Страница 227: ...gation group to achieve load balancing Table 54 Approach 1 Create a static link aggregation group Create static link aggregation group 1 Select Network Link Aggregation from the navigation tree and click the Create tab to enter the page as shown in b b Create static link aggregation group 1 Set the link aggregation interface ID to 1 ...

Страница 228: ...egation group Create dynamic link aggregation group 1 Select Network Link Aggregation from the navigation tree and click the Create tab to enter the page as shown in c c Create dynamic link aggregation group 1 Set the link aggregation interface ID to 1 Select the Dynamic LACP Enabled option as the aggregate interface type Select GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3...

Страница 229: ...high speed being the most preferred If two ports with the same duplex mode speed pair are present the one with the lower port number wins out Port attribute configuration includes the configuration of the port rate duplex mode and link state For more information about class two configurations see Class two configurations To guarantee a successful static aggregation ensure that the ports at the two...

Страница 230: ...e device information received in LLDPDUs sent from the LLDP neighbors in a standard management information base MIB It allows a network management system to quickly detect and identify Layer 2 network topology changes Basic concepts LLDPDUs LLDP sends device information in LLDPDUs LLDPDUs are encapsulated in Ethernet II or Subnetwork Access Protocol SNAP frames Table 56 Ethernet II encapsulated LL...

Страница 231: ...r the upper layer protocol It is 0xAAAA 0300 0000 88CC for LLDP Data LLDPDU FCS Frame check sequence a 32 bit CRC value used to determine the validity of the received Ethernet frame LLDPDUs LLDP uses LLDPDUs to exchange information An LLDPDU comprises multiple TLV sequences Each carries a specific type of device information as shown in a a LLDPDU encapsulation format An LLDPDU can carry up 28 type...

Страница 232: ...ries no LLDP MED TLVs the port ID TLV carries the port name Time To Live Life of the transmitted information on the receiving device End of LLDPDU Marks the end of the TLV sequence in the LLDPDU Port Description Port description of the sending port Optional System Name Assigned name of the sending device System Description Description of the sending device System Capabilities Identifies the primar...

Страница 233: ... TLVs and its device type Network Policy Allows a network device or MED endpoint to advertise LAN type and VLAN ID of the specific port and the Layer 2 and Layer 3 priorities for a specific set of applications Extended Power via MDI Allows a network device or MED endpoint to advertise power related information according to IEEE 802 3AF Hardware Revision Allows a MED endpoint device to advertise it...

Страница 234: ...network from being overwhelmed by LLDPDUs during times of frequent local device information change This interval is shortened to 1 second in either of the following cases A new neighbor is discovered A new LLDPDU is received carrying device information new to the local device The LLDP operating mode of the port changes from Disable Rx to TxRx or Tx This is the fast sending mechanism of LLDP This f...

Страница 235: ...s Make sure that LLDP is also enabled globally because LLDP can work on a port only when it is enabled both globally and on the port Configuring LLDP settings on ports Optional LLDP settings include LLDP operating mode packet encapsulation CDP compatibility device information polling trapping and advertised TLVs By default The LLDP operating mode is TxRx The encapsulation format is Ethernet II CDP...

Страница 236: ...urations made in Ethernet interface view takes effect only on the current port and those made in port group view takes effect on all ports in the current port group Enabling LLDP on ports Select Network LLDP from the navigation tree to enter the Port Setup tab as shown in a This tab displays the LLDP status and operating mode on a port Select one or more ports and click Enable beneath the port lis...

Страница 237: ...Return to LLDP configuration task list Configuring LLDP settings on ports Select Network LLDP from the navigation tree to enter the Port Setup tab as shown in a You can configure LLDP settings on ports individually or in batch ...

Страница 238: ...rt you are configuring On the page displayed as shown in a you can modify or view the LLDP settings of the port a The page for modifying LLDP settings on a port To bulk configure LLDP settings on ports select multiple ports and click Modify Selected The page shown in b appears ...

Страница 239: ... operating mode on the port or ports you are configuring TxRx Sends and receives LLDPDUs Tx Sends but not receives LLDPDUs Rx Receives but not sends LLDPDUs Disable Neither sends nor receives LLDPDUs Encapsulation Format Set the encapsulation for LLDPDUs ETHII Encapsulates outgoing LLDPDUs in Ethernet II frames and processes an incoming LLDPDU only if its encapsulation is Ethernet II SNAP Encapsul...

Страница 240: ...lobal Setup tab Base TLV Settings Port Description Select to include the port description TLV in transmitted LLDPDUs System Capabilities Select to include the system capabilities TLV in transmitted LLDPDUs System Description Select to include the system description TLV in transmitted LLDPDUs System Name Select to include the system name TLV in transmitted LLDPDUs Management Address Select to inclu...

Страница 241: ...emergency call number in the location identification TLV in transmitted LLDPDUs and set the emergency call number Address Select Address to encode the civic address information of the network connectivity device in the location identification TLV in transmitted LLDPDUs In addition set the device type which can be a DHCP server switch or LLDP MED endpoint country code and network device address Whe...

Страница 242: ...Fast LLDPDU Count Set the number of LLDPDUs sent each time fast LLDPDU transmission is triggered TTL Multiplier Set the TTL multiplier The TTL TLV carried in an LLDPDU determines how long the device information carried in the LLDPDU can be saved on a recipient device You can configure the TTL of locally sent LLDPDUs to determine how long information about the local device can be saved on a neighbo...

Страница 243: ...an LLDPDU transmit delay is introduced Thus after sending an LLDPDU the port must wait for the specified interval before it can send another one IMPORTANT LLDPDU transmit delay must be less than the TTL to ensure that the LLDP neighbors can receive LLDPDUs to update information about the device you are configuring before it is aged out Tx Interval Set the LLDPDU transmit interval IMPORTANT If the ...

Страница 244: ... assigned namely the local configuration Power port class The power over Ethernet port class PSE A power supply device PD A powered device Port power classification Port power classification of the PD Unknown Class 0 Class 1 Class 2 Class 3 Class 4 Media policy type Available options include Unknown Voice Voice signaling Guest voice Guest voice signaling Soft phone voice Videoconferencing Streamin...

Страница 245: ...he priority level 1 High The priority level 2 Low The priority level 3 a The Neighbor Information tab 3 LLDP neighbor information of an LLDP enabled port Field Description Chassis type Chassis ID type Chassis component Interface alias Port component MAC address Network address Interface name Locally assigned Local configuration Chassis ID Chassis ID depending on the chassis type which can be a MAC...

Страница 246: ...n enabled Link aggregation is enabled on the neighbor Aggregation port ID Link aggregation group ID It is 0 if the neighbor port is not assigned to any link aggregation group Maximum frame Size The maximum frame size supported on the neighbor port Device class MED device type Connectivity device An intermediate device that provide network connectivity Class I a generic endpoint device All endpoint...

Страница 247: ...sion of the neighbor FirmwareRev Firmware version of the neighbor SoftwareRev Software version of the neighbor SerialNum The serial number advertised by the neighbor Manufacturer name The manufacturer name advertised by the neighbor Model name The model name advertised by the neighbor Asset tracking identifier Asset ID advertised by the neighbor This ID is used for the purpose of inventory managem...

Страница 248: ...Status Information tab Return to LLDP configuration task list Displaying global LLDP information Select Network LLDP from the navigation tree and click the Global Summary tab to display global local LLDP information and statistics as shown in a ...

Страница 249: ...Chassis ID The local chassis ID depending on the chassis type defined System capabilities supported The primary network function advertised by the local device Bridge Router System capabilities enabled The enabled network function advertised by the local device Bridge Router ...

Страница 250: ...s of the IP communication system Providing all capabilities of generic and media endpoint devices Class III endpoint devices are used directly by end users Return to LLDP configuration task list Displaying LLDP information received from LLDP neighbors Select Network LLDP from the navigation tree and click the Neighbor Summary tab to display the LLDP neighbor information as shown in a a The Neighbo...

Страница 251: ...1 Configure Switch A Enable LLDP on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 This step is optional because LLDP is enabled on Ethernet ports by default Set the LLDP operating mode to Rx on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 Select Network LLDP from the navigation tree to enter the Port Setup tab as shown in b Select port GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 and click...

Страница 252: ...240 b The Port Setup tab ...

Страница 253: ...241 c The page for setting LLDP on multiple ports Select Rx from the LLDP Operating Mode drop down list Click Apply Enable global LLDP Click the Global Setup tab as shown in d ...

Страница 254: ... on port GigabitEthernet 1 0 1 Optional By default LLDP is enabled on Ethernet ports Set the LLDP operating mode to Tx on GigabitEthernet 1 0 1 Select Network LLDP from the navigation tree to enter the Port Setup tab as shown in e Click the icon for port GigabitEthernet 1 0 1 The page shown in f is displayed e The Port Setup tab ...

Страница 255: ...om the LLDP Enable drop down list Click Apply Configuration verification Display the status information of port GigabitEthernet 1 0 2 on Switch A Select Network LLDP from the navigation tree to enter the Port Setup tab Click GigabitEthernet1 0 2 in the port list Click the Status Information tab at the lower half of the page The output shows that port GigabitEthernet 1 0 2 is connected to a non MED...

Страница 256: ...The Status Information tab displaying the updated port status information CDP compatible LLDP configuration example Network requirements As shown in a port GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 of Switch A are each connected to a Cisco IP phone On Switch A configure VLAN 2 as a voice VLAN and enable CDP compatibility of LLDP to allow the Cisco IP phones to automatically configure the voi...

Страница 257: ...the navigation bar and click the Create tab to enter the page shown in a a The page for creating VLANs Type 2 in the VLAN IDs field Click Create Configure GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 as trunk ports Select Device Port Management from the navigation bar and click the Setup tab to enter the page shown in b ...

Страница 258: ...op down list Select port GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 on the chassis front panel Click Apply Configure the voice VLAN function on the two ports Select Network Voice VLAN from the navigation bar and click the Port Setup tab to enter the page shown in c ...

Страница 259: ...ssis front panel Click Apply Enable LLDP on ports GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 If LLDP is enabled the default setting skip this step Set both the LLDP operating mode and the CDP operating mode to TxRx on ports GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 Select Network LLDP from the navigation tree to enter the Port Setup tab Select ports GigabitEthernet 1 0 1 and GigabitEthe...

Страница 260: ...248 d The Port Setup tab ...

Страница 261: ...DP settings on ports Select TxRx from the LLDP Operating Mode drop down list Select TxRx from the CDP Operating Mode drop down list Click Apply Enable global LLDP and CDP compatibility of LLDP Click the Global Setup tab as shown in f ...

Страница 262: ...hernet 1 0 2 and obtained their device information Configuration guidelines When configuring LLDP follow these guidelines Table 63 To make LLDP take effect you must enable it both globally and on ports Table 64 When selecting TLVs to send in LLDPDUs note the following To advertise LLDP MED TLVs you must include the LLDP MED capabilities set TLV To remove the LLDP MED capabilities set TLV you must ...

Страница 263: ... at Layer 2 However when IGMP snooping is running on the switch multicast packets for known multicast groups are multicast to the receivers rather than broadcast to all hosts at Layer 2 a Multicast forwarding before and after IGMP snooping runs Multicast packet transmission without IGMP Snooping Source Multicast router Host A Receiver Host B Host C Receiver Multicast packets Layer 2 switch Multica...

Страница 264: ...2 of Switch B are member ports A switch registers all its member ports in the IGMP snooping forwarding table NOTE In this document a router port is a port on the switch that leads the switch to a Layer 3 multicast device rather than a port on a router Unless otherwise specified router ports and member ports in this document consist of dynamic and static ports An IGMP snooping enabled switch deems ...

Страница 265: ...ds a report message through a member port all the attached hosts listening to the reported multicast address will suppress their own reports after hearing this report according to the IGMP report suppression mechanism on them This will prevent the switch from knowing whether any hosts attached to that port are still active members of the reported multicast group When receiving a leave group messag...

Страница 266: ...o that group address The switch removes the port from the outgoing port list of the forwarding table entry for that multicast group when the aging timer expires IGMP snooping querier In an IP multicast network running IGMP a multicast router or Layer 3 multicast switch is responsible for sending IGMP general queries so that all Layer 3 multicast devices can establish and maintain multicast forward...

Страница 267: ...nfiguring IGMP snooping port functions Optional Configure the maximum number of multicast groups allowed and the fast leave function for ports in the specified VLAN IMPORTANT IGMP snooping must be enabled globally before IGMP snooping can be enabled on a port IGMP snooping configured on a port takes effect only after IGMP snooping is enabled in the VLAN Display IGMP snooping multicast entry inform...

Страница 268: ... configuration 2 Items for configuring IGMP snooping in a VLAN Item Description VLAN ID This field displays the ID of the VLAN to be configured IGMP Snooping Enable or disable IGMP snooping in the VLAN You can proceed with the subsequent configurations only if Enable is selected here Version By configuring an IGMP snooping version you actually configure the versions of IGMP messages that IGMP snoo...

Страница 269: ... support IGMP To address this issue you can enable IGMP snooping querier on a Layer 2 device so that the device can generate and maintain multicast forwarding entries at data link layer thereby implementing IGMP querier related functions Query interval Configure the IGMP query interval General Query Source IP Specify the source IP address of general queries HP recommends you to configure a non all...

Страница 270: ...old the system deletes all the forwarding entries persistent on that port from the IGMP snooping forwarding table and the hosts on this port need to join the multicast groups again Fast Leave Enable or disable the fast leave function for the port With the fast leave function enabled on a port the switch when receiving an IGMP leave message on the port immediately deletes that port from the outgoin...

Страница 271: ...onfiguration example Network requirements As shown in a Router A connects to a multicast source Source through Ethernet 1 2 and to Switch A through Ethernet 1 1 The multicast source sends multicast data to group 224 1 1 1 Host A is a receiver of the multicast group IGMPv2 runs on Router A and IGMP snooping version 2 runs on Switch A The function of dropping unknown multicast packets is enabled on ...

Страница 272: ... omitted Table 66 Configure Router A Enable IP multicast routing enable PIM DM on each interface and enable IGMP on Ethernet 1 1 The detailed configuration steps are omitted Table 67 Configure Switch A Create VLAN 100 and add GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to VLAN 100 Select Network VLAN in the navigation tree and click the Create tab to enter the configuration page shown in b...

Страница 273: ...261 b Create VLAN 100 Type the VLAN ID 100 Click Apply to complete the operation Click the Modify Port tab to enter the configuration page shown in c ...

Страница 274: ...Ethernet 1 0 3 in the Select Ports field Select the Untagged radio button for Select membership type Type the VLAN ID 100 Click Apply to complete the operation Enable IGMP snooping globally Select Network IGMP snooping in the navigation tree to enter the basic configuration page as shown in d ...

Страница 275: ...ropping unknown multicast data Click the icon corresponding to VLAN 100 to enter its configuration page and perform the following configurations as shown in e e Configure IGMP snooping in the VLAN Select the Enable radio button for IGMP snooping and 2 for Version Select the Enable radio button for Drop Unknown Select the Disable radio button for Querier ...

Страница 276: ...peration Configuration verification Display the IGMP snooping multicast entry information on Switch A Select Network IGMP Snooping in the navigation tree to enter the basic configuration page Click the plus sign in front of Show Entries in the basic VLAN configuration page to display information about IGMP snooping multicast entries as shown in a a IGMP snooping multicast entry information display...

Страница 277: ...265 b Details about an IGMP snooping multicast entry As shown above GigabitEthernet 1 0 3 of Switch A is listening to multicast streams destined for multicast group 224 1 1 1 ...

Страница 278: ... matching IP packet is to be forwarded Next hop Specifies the address of the next hop router on the path Preference of the route Routes to the same destination can be found by various routing protocols or manually configured routing protocols and static routes are assigned different preferences The route with the highest preference the smallest value is selected as the optimal route Static route S...

Страница 279: ...e navigation tree to enter the page shown in a a Active route table 2 Description of the fields of the active route table Field Description Destination IP Address Destination IP address of the route Mask Mask of the destination IP address Protocol Protocol that discovered the route Preference Preference value for the route The smaller the number the higher the preference Next Hop Next hop IP addre...

Страница 280: ...tted decimal notation Mask Specify the mask of the destination IP address Select a mask length number of consecutive 1s in the mask or a mask in dotted decimal notation from the drop down list Preference Type a preference value for the static route The smaller the number the higher the preference For example specifying the same preference for multiple static routes to the same destination enables ...

Страница 281: ...s Table 68 On Switch A configure a default route with Switch B as the next hop Table 69 On Switch B configure one static route with Switch A as the next hop and the other with Switch C as the next hop Table 70 On Switch C configure a default route with Switch B as the next hop Configuration procedure Table 71 Configure the IP addresses of the interfaces omitted Table 72 Configure IPv4 static route...

Страница 282: ...avigation tree of Switch B and then click the Create tab to enter the page shown in c Type 1 1 2 0 for Destination IP Address Select 24 255 255 255 0 from the Mask drop down list Type 1 1 4 1 for Next Hop Click Apply Type 1 1 3 0 for Destination IP Address Select 24 255 255 255 0 from the Mask drop down list Type 1 1 5 6 for Next Hop Click Apply ...

Страница 283: ...h B on Switch C Select Network IPv4 Routing from the navigation tree of Switch C and then click the Create tab to enter the page as shown in d Type 0 0 0 0 for Destination IP Address Select 0 0 0 0 0 from the Mask drop down list Type 1 1 5 5 for Next Hop Click Apply ...

Страница 284: ...from Host A assuming both hosts run Windows XP C Documents and Settings Administrator ping 1 1 3 2 Pinging 1 1 3 2 with 32 bytes of data Reply from 1 1 3 2 bytes 32 time 1ms TTL 128 Reply from 1 1 3 2 bytes 32 time 1ms TTL 128 Reply from 1 1 3 2 bytes 32 time 1ms TTL 128 Reply from 1 1 3 2 bytes 32 time 1ms TTL 128 Ping statistics for 1 1 3 2 Packets Sent 4 Received 4 Lost 0 0 loss Approximate rou...

Страница 285: ... default preference Table 74 The static route does not take effect if you specify the next hop address first and then configure it as the IP address of a local interface such as a VLAN interface Table 75 If Null 0 interface is specified as the output interface the next hop address is not required If you want to specify a broadcast interface such as a VLAN interface as the output interface which ma...

Страница 286: ...ted configurations on hosts become more complex The Dynamic Host Configuration Protocol DHCP was introduced to solve these problems DHCP is built on a client server model in which a client sends a configuration request and then the server returns a reply to send configuration parameters such as an IP address to the client A typical DHCP application as shown in a includes a DHCP server and multiple...

Страница 287: ...t accepts the first received offer and broadcasts it in a DHCP REQUEST message to request the IP address formally Table 80 All DHCP servers receive the DHCP REQUEST message but only the server from which the client accepts the offered IP address returns a DHCP ACK message to the client confirming that the IP address has been allocated to the client or a DHCP NAK unicast message denying the IP addr...

Страница 288: ...iaddr 4 giaddr 4 chaddr 16 sname 64 file 128 options variable op Message type defined in option field 1 REQUEST 2 REPLY htype hlen Hardware address type and length of a DHCP client hops Number of relay agents a request message traveled xid Transaction ID a random number chosen by the client to identify an IP address allocation secs Filled in by the client the number of seconds elapsed since the cl...

Страница 289: ...ion Option 53 DHCP message type option It identifies the type of the DHCP message Option 55 Parameter request list option It is used by a DHCP client to request specified configuration parameters The option contains values that correspond to the parameters requested by the client Option 66 TFTP server name option It specifies a TFTP server to be assigned to the client Option 67 Bootfile name optio...

Страница 290: ...is used on the device You can specify the code type for the sub options as ASCII or HEX The padding contents for sub options in the normal padding format are as follows Sub option 1 Padded with the VLAN ID and interface number of the interface that received the client s request a gives its format The value of the sub option type is 1 and that of the circuit ID type is 0 a Sub option 1 in normal pa...

Страница 291: ...r on another subnet to obtain configuration parameters Thus DHCP clients on different subnets can contact the same DHCP server and centralized management and cost reduction are achieved Fundamentals a shows a typical application of the DHCP relay agent a DHCP relay agent application IP network DHCP server DHCP relay agent DHCP client DHCP client DHCP client DHCP client No matter whether a relay ag...

Страница 292: ... relay agent Required Enable DHCP globally and configure advanced DHCP parameters By default global DHCP is disabled Creating a DHCP server group Required To improve reliability you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group When the interface receives requesting messages from clients the relay agent will forward ...

Страница 293: ...onfigure IP to MAC bindings on the DHCP relay agent so that users can access external network using fixed IP addresses By default no static binding is created Enabling DHCP and configuring advanced parameters for the DHCP relay agent Select Network DHCP from the navigation tree to enter the default DHCP Relay page Enable or disable DHCP in the DHCP Service field Click Display Advanced Configuratio...

Страница 294: ...ast message to the DHCP server to relinquish its IP address In this case the DHCP relay agent simply conveys the message to the DHCP server thus it does not remove the IP address from dynamic client entries To solve this problem the periodic refresh of dynamic client entries feature is introduced With this feature the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP...

Страница 295: ...layed Click the icon of a specific interface to enter the page shown in a a Configure a DHCP relay agent interface 2 DHCP relay agent interface configuration items Item Description Interface Name This field displays the name of a specific interface DHCP Relay Enable or disable the DHCP relay agent on the interface Address Match Check Enable or disable IP address check With this function enabled th...

Страница 296: ...n b a Display clients IP to MAC bindings b Create a static IP to MAC binding 2 Static IP to MAC binding configuration items Item Description IP Address Type the IP address of a DHCP client MAC Address Type the MAC address of the DHCP client Interface Name Select the Layer 3 interface connected with the DHCP client IMPORTANT The interface of a static binding entry must be configured as a DHCP relay...

Страница 297: ... IP address is 10 1 1 1 24 The switch forwards messages between DHCP clients and the DHCP server a Network diagram for DHCP relay agent configuration DHCP server Switch A DHCP relay agent DHCP client DHCP client DHCP client DHCP client Vlan int2 10 1 1 2 24 Vlan int1 10 10 1 1 24 Configuration procedure Table 83 Specify IP addresses for interfaces omitted Table 84 Configure the DHCP relay agent En...

Страница 298: ... button next to DHCP Service Click Apply Configure a DHCP server group In the Server Group field click Add and then perform the following operations as shown in c c Add a DHCP server group Type 1 for Server Group ID Type 10 1 1 1 for IP Address ...

Страница 299: ...tions as shown in d d Enable the DHCP relay agent on an interface and correlate it with a server group Click on the Enable radio button next to DHCP Relay Select 1 for Server Group ID Click Apply NOTE Because the DHCP relay agent and server are on different subnets you need to configure a static route or dynamic routing protocol to make them reachable to each other ...

Страница 300: ...rized DHCP servers Recording IP to MAC mappings of DHCP clients DHCP snooping reads DHCP REQUEST messages and DHCP ACK messages from trusted ports to record DHCP snooping entries including MAC addresses of clients IP addresses obtained by the clients ports that connect to DHCP clients and VLANs to which the ports belong Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers If t...

Страница 301: ...ping devices the ports connected to other DHCP snooping devices should be configured as trusted ports To save system resources you can disable the trusted ports which are indirectly connected to DHCP clients from recording clients IP to MAC bindings upon receiving DHCP requests a Configure trusted ports in a cascaded network DHCP snooping Switch A DHCP snooping Switch C DHCP client Host D DHCP cli...

Страница 302: ...ports Option 82 it will handle a client s request according to the contents defined in Option 82 if any The handling strategies are described in the table below If a reply returned by the DHCP server contains Option 82 the DHCP snooping device will remove the Option 82 before forwarding the reply to the client If the reply contains no Option 82 the DHCP snooping device forwards it directly If a cl...

Страница 303: ...to the authorized DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses The trusted port and the port connected to the DHCP client must be in the same VLAN Displaying clients IP to MAC bindings Optional Display clients IP to MAC bindings recorded by DHCP snooping Enabling DHCP snooping Select Network DHCP from the navigation tree and then click the DHCP Snooping tab to ...

Страница 304: ...ration page To enable DHCP snooping click on the Enable radio button in the DHCP Snooping field To disable DHCP snooping click on the Disable radio button in the DHCP Snooping field Return to DHCP snooping configuration task list ...

Страница 305: ...r untrusted Option 82 Support Configure DHCP snooping to support Option 82 or not Option 82 Strategy Select the handling strategy for DHCP requests containing Option 82 The strategies include Drop The message is discarded if it contains Option 82 Keep The message is forwarded without its Option 82 being changed Replace The message is forwarded after its original Option 82 is replaced with the Opti...

Страница 306: ...Lease Time This field displays the remaining lease time of the IP address Return to DHCP snooping configuration task list DHCP snooping configuration example Network requirements As shown in a a DHCP snooping device Switch is connected to a DHCP server through GigabitEthernet 1 0 1 and to DHCP clients through GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 Enable DHCP snooping on Switch and config...

Страница 307: ...1 0 1 Device DHCP server Switch DHCP snooping GE1 0 2 GE1 0 3 DHCP client DHCP client Configuration procedure Enable DHCP snooping Select Network DHCP from the navigation tree and then click the DHCP Snooping tab Perform the following operation as shown in a ...

Страница 308: ...radio button next to DHCP Snooping Configure DHCP snooping functions on GigabitEthernet 1 0 1 Click the icon of GigabitEthernet 1 0 1 on the interface list Perform the following operations on the DHCP Snooping Interface Configuration page shown in b ...

Страница 309: ...e DHCP Snooping Interface Configuration page shown in c c Configure DHCP snooping functions on GigabitEthernet 1 0 2 Click on the Untrust radio button for Interface State Click on the Enable radio button next to Option 82 Support Select Replace for Option 82 Strategy Click Apply Configure DHCP snooping functions on GigabitEthernet 1 0 3 Click the icon of GigabitEthernet 1 0 3 on the interface list...

Страница 310: ...re DHCP snooping functions on GigabitEthernet 1 0 3 Click on the Untrust radio button for Interface State Click on the Enable radio button next to Option 82 Support Select Replace for Option 82 Strategy Click Apply ...

Страница 311: ...ure in SSH2 0 SFTP uses the SSH connection to provide secure data transfer The device can serve as the SFTP server allowing a remote user to log in to the SFTP server for secure file management and transfer The device can also serve as an SFTP client enabling a user to login from the device to a remote device for secure file transfer HTTP service The Hypertext Transfer Protocol HTTP is used for tr...

Страница 312: ...rmitted to use the FTP service You can view this configuration item by clicking the expanding button in front of FTP Telnet Enable Telnet service Specify whether to enable the Telnet service The Telnet service is disabled by default SSH Enable SSH service Specify whether to enable the SSH service The SSH service is disabled by default SFTP Enable SFTP service Specify whether to enable the SFTP ser...

Страница 313: ...ce The HTTPS service is disabled by default Port Number Set the port number for HTTPS service You can view this configuration item by clicking the expanding button in front of HTTPS IMPORTANT When you modify a port ensure that the port is not used by other service ACL Associate the HTTPS service with an ACL Only the clients that pass the ACL filtering are permitted to use the HTTPS service You can...

Страница 314: ...n delivering an IP packet from source to destination to check whether a network is available This is useful for identification of failed node s in the event of network failure a Trace route diagram The trace route function is implemented through ICMP as shown in a Table 89 The source Device A sends a packet with a TTL value of 1 to the destination Device D The UDP port of the packet is a port numb...

Страница 315: ...he destination and it can get the addresses of all the Layer 3 devices involved to get to the destination device 1 1 1 2 1 1 2 2 1 1 3 2 Diagnostic tool operations Ping operation NOTE The web interface supports the IPv4 ping operations only Select Network Diagnostic Tools from the navigation tree to enter the ping configuration page as shown in a a Ping configuration page Type in the IPv4 address ...

Страница 316: ...e execute the ip ttl expires enable command to enable the sending of ICMP timeout packets and on the destination device execute the ip unreachables enable command to enable the sending of ICMP destination unreachable packets Select Network Diagnostic Tools from the navigation tree and then select the Trace Route tab to enter the trace route configuration page as shown in a a Trace route configurat...

Страница 317: ...IP address or host name of the destination device in the Trace Route text box and click Start to execute the trace route command You will see the output in the Summary area as shown in b b Trace route operation result ...

Страница 318: ...cifies the type of the protocol address to be mapped The hexadecimal value 0x0800 represents IP Hardware address length and protocol address length They respectively specify the length of a hardware address and a protocol address in bytes For an Ethernet address the value of the hardware address length field is 6 For an IP v4 address the value of the protocol address length field is 4 OP Operation...

Страница 319: ...n IP address in the ARP request If they are the same Host B saves the source IP address and source MAC address in its ARP table encapsulates its MAC address into an ARP reply and unicasts the reply to Host A After receiving the ARP reply Host A adds the MAC address of Host B to its ARP table Meanwhile Host A encapsulates the IP packet and sends it out a ARP address resolution process If Host A is ...

Страница 320: ...rectly used to forward packets When configuring a long static ARP entry you must configure a VLAN and an outbound interface for the entry besides the IP address and the MAC address A short static ARP entry has only an IP address and a MAC address configured It cannot be directly used for forwarding data If a short static ARP entry matches an IP packet to be forwarded the device sends an ARP reques...

Страница 321: ...ess for the static ARP entry Advanced Options VLAN ID Type a VLAN ID and specify a port for the static ARP entry IMPORTANT The VLAN ID must be the ID of the VLAN that has already been created and the port must belong to the VLAN The corresponding VLAN interface must have been created Port Static ARP configuration example Network requirements As shown in a hosts are connected to Switch A which is c...

Страница 322: ...ion procedure Create VLAN 100 Select Network VLAN from the navigation tree click the Add tab and then perform the following operations as shown in a a Create VLAN 100 Type 100 for VLAN ID Click Create to complete the configuration Add GigabitEthernet 1 0 1 to VLAN 100 ...

Страница 323: ...100 Select interface GigabitEthernet 1 0 1 in the Select Ports field Click on the Untagged radio button in the Select membership type field Type 100 for VLAN IDs Click Apply A configuration progress dialog box appears as shown in c c Configuration progress dialog box After the configuration process is complete click Close ...

Страница 324: ...ype 100 for VLAN ID Select the Configure Primary IPv4 Address checkbox Click on the Manual radio botton Type 192 168 1 2 for IPv4 Address Select 24 255 255 255 0 for Mask Length Click Apply to complete the configuration Create a static ARP entry Select Network ARP Management from the navigation tree to enter the default ARP Table page Click Add Perform the following operations as shown in e ...

Страница 325: ...ress is already used by another device Informing other devices about the change of its MAC address so that they can update their ARP entries A device receiving a gratuitous ARP packet adds the information carried in the packet to its own dynamic ARP table if it finds no corresponding ARP entry exists in the cache An attacker sends spoofed gratuitous ARP packets to hosts on a network As a result tr...

Страница 326: ...ratuitous ARP packets sending settings Select interfaces for sending gratuitous ARP packets and type the sending period To add an interface to the Sending Interfaces Period list box select the interface from the Available Interfaces list box type the sending period and click the button To remove an interface from the Sending Interfaces Period list box select the interface from the list box and cli...

Страница 327: ...ng table This design reduces the ARP traffic on the network but also makes ARP spoofing possible As shown in a Host A communicates with Host C through a switch After intercepting the traffic between Host A and Host C a hacker Host B forwards forged ARP replies to Host A and Host C respectively Upon receiving the ARP replies the two hosts update the MAC address corresponding to the peer IP address ...

Страница 328: ...r a VLAN Upon receiving an ARP packet from an ARP untrusted port the device compares the ARP packet against the DHCP snooping entries If a match is found that is the parameters such as IP address MAC addresses port index and VLAN ID are consistent the ARP packet passes the check if not the ARP packet cannot pass the check Upon receiving an ARP packet from an ARP trusted port the device does not ch...

Страница 329: ...d on 802 1X security entries on your access device After that the access device uses mappings between IP addresses MAC addresses VLAN IDs and ports of 802 1X authentication clients for ARP detection If all the detection types are specified the system uses IP to MAC bindings first then DHCP snooping entries and then 802 1X security entries If an ARP packet fails to pass ARP detection based on stati...

Страница 330: ...rom the navigation tree to enter the default ARP Detection page shown in a a ARP Detection configuration page 2 ARP Detection configuration items Item Description VLAN Settings Select VLANs on which ARP detection is to be enabled To add VLANs to the Enabled VLAN list box select one or multiple VLANs from the Disabled VLAN list box and click the button To remove VLANs from the Enabled VLAN list box...

Страница 331: ...all ARP packets are considered to be invalid IMPORTANT Before enabling ARP detection based on DHCP snooping entries make sure that DHCP snooping is enabled Before enabling ARP detection based on 802 1X security entries make sure that 802 1X is enabled and the 802 1X clients are configured to upload IP addresses ARP Packet Validation Select ARP packet validity check modes including If the source MA...

Страница 332: ... is the entity that provides authentication services for the network access device It authenticates 802 1X clients by using the data sent from the network access device and returns the authentication results for the network access device to make access decisions The authentication server is typically a Remote Authentication Dial in User Service RADIUS server In a small LAN you can also use the net...

Страница 333: ...ods including MD5 Challenge EAP Transport Layer Security EAP TLS and Protected EAP PEAP 802 1X defines EAP over LAN EAPOL for passing EAP packets between the client and the network access device over a wired or wireless LAN Between the network access device and the authentication server 802 1X delivers authentication information in one of the following methods Encapsulates EAP packets in RADIUS by...

Страница 334: ...ype Protocol type It takes the value 0x888E for EAPOL Protocol version The EAPOL protocol version used by the EAPOL packet sender Type Type of the EAPOL packet 2 lists the types of EAPOL packets that the HP implementation of 802 1X supports 2 Types of EAPOL packets Value Type Description 0x00 EAP Packet The client and the network access device uses EAP Packets to transport authentication informati...

Страница 335: ... calculated packet integrity checksum is different than the Message Authenticator attribute value The Message Authenticator prevents EAP authentication packets from being tampered with during EAP authentication a Message Authenticator attribute format Initiating 802 1X authentication Both the 802 1X client and the access device can initiate 802 1X authentication 802 1X client as the initiator The ...

Страница 336: ...nd EAP authentication methods EAP relay is defined in IEEE 802 1X In this mode the network device uses EAPoR packets to send authentication information to the RADIUS server as shown in a a EAP relay In EAP termination mode the network access device terminates the EAP packets received from the client encapsulates the client authentication information in standard RADIUS packets and uses Password Aut...

Страница 337: ...sponse MD5 challenge 4 RADIUS Access Request EAP Response Identity 5 RADIUS Access Challenge EAP Request MD5 challenge 9 RADIUS Access Accept EAP Success 8 RADIUS Access Request EAP Response MD5 challenge 11 EAP Request Identity 12 EAP Response Identity 13 EAPOL Logoff Client Device Authentication server Port authorized Port unauthorized 14 EAP Failure Table 97 When a user launches the 802 1X clie...

Страница 338: ...a RADIUS Access Accept packet to the network access device Table 106 Upon receiving the RADIUS Access Accept packet the network access device sends an EAP Success packet to the client and sets the controlled port in the authorized state so the client can access the network Table 107 After the client comes online the network access device periodically sends handshake requests to check whether the c...

Страница 339: ...tication procedure in EAP termination mode In EAP termination mode it is the network access device rather than the authentication server generates an MD5 challenge for password encryption see Step 4 The network access device then sends the MD5 challenge together with the username and encrypted password in a standard RADIUS packet to the RADIUS server ...

Страница 340: ...s the VLAN to the port as the default VLAN All subsequent 802 1X users can access the default VLAN without authentication When the user logs off the previous default VLAN restores and all other online users are logged off MAC based If the port is a hybrid port with MAC based VLAN enabled maps the MAC address of each user to the VLAN assigned by the authentication server The default VLAN of the por...

Страница 341: ...802 1X guest VLAN passes 802 1X authentication Assigns the VLAN specified for the user to the port as the default VLAN and removes the port from the 802 1X guest VLAN After the user logs off the user configured default VLAN restores If the authentication server assigns no VLAN the user configured default VLAN applies The user and all subsequent 802 1X users are assigned to the user configured defa...

Страница 342: ...d Required Enable 802 1X authentication on specified ports and configure 802 1X parameters for the ports By default 802 1X authentication is disabled on a port Configuring 802 1X globally From the navigation tree select Authentication 802 1X to enter the 802 1X configuration page In the 802 1X Configuration area you can view and configure the 802 1X feature globally a 802 1X configuration page 2 B...

Страница 343: ...AP relay and EAP termination see 802 1X authentication procedures Click Advanced to expand the advanced 802 1X configuration area as shown in a 3 Advanced 802 1X configuration page 4 Advanced 802 1X configuration items Item Description Quiet Specify whether to enable the quiet timer After an 802 1X user fails to be authenticated the device will keep quiet for a period of time defined by Quiet Peri...

Страница 344: ... old timer expires For information about how to enable periodic online user re authentication on a port see Configuring 802 1X on a port Supplicant Timeout Time Set the client timeout timer The timer starts when the access device sends an EAP Request MD5 Challenge packet to a client If no response is received when this timer expires the access device retransmits the request to the client TIP You c...

Страница 345: ...or Port Based Port Authorization Select the port authorization state for 802 1X Options include Auto Places the port initially in the unauthorized state to allow only EAPOL packets to pass and after a user passes authentication sets the port in the authorized state to allow access to the network You can use this option in most scenarios Force Authorized Places the port in the authorized state enab...

Страница 346: ...N Specify an existing VLAN as the guest VLAN For more information see Configuring an 802 1X guest VLAN Return to 802 1X configuration task list Configuring an 802 1X guest VLAN Table 111 Configuration guidelines You can configure only one 802 1X guest VLAN on a port The 802 1X guest VLANs on different ports can be different Assign different IDs for the voice VLAN default VLAN and 802 1X guest VLAN...

Страница 347: ...he device to try up to five times at an interval of 5 seconds in transmitting a packet to the RADIUS server until it receives a response from the server and to send real time accounting packets to the accounting server every 15 minutes Specify the device to remove the domain name from the username before passing the username to the RADIUS server a Network diagram for 802 1X configuration Configura...

Страница 348: ...y to finish the operation Enable and configure 802 1X on port GigabitEthernet 1 0 1 In the Ports With 802 1X Enabled area click Add c 802 1X configuration of GigabitEthernet 1 0 1 Select port GigabitEthernet1 0 1 from the port drop down list Select the checkbox before Enable Re Authentication Click Apply to finish the operation ...

Страница 349: ...uthentication server configuration Select Authentication Server as the server type Enter the primary server IP address 10 1 1 1 Select active as the primary server s status Enter the secondary server IP address 10 1 1 2 Select active as the secondary server s status Click Apply Configure the RADIUS accounting servers e RADIUS accounting server configuration Select Accounting Server as the server t...

Страница 350: ... extended as the server type Select the Authentication Server Shared Key checkbox and enter name in the textbox Enter name again in the Confirm Authentication Shared Key textbox Select the Accounting Server Shared Key checkbox and enter money in the textbox Enter money again in the Confirm Accounting Shared Key textbox Enter 5 in the Timeout Interval textbox Enter 5 in the Timeout Retransmission T...

Страница 351: ...Select Enable to use the domain as the default domain Click Apply to finish the operation Configure the AAA authentication method for the ISP domain Select the Authentication tab h Configure the AAA authentication method for the ISP domain Select the domain name test ...

Страница 352: ... Configure the AAA authorization method for the ISP domain Select the Authorization tab j Configure the AAA authorization method for the ISP domain Select the domain name test Select the Default AuthZ checkbox and then select RADIUS as the authorization mode Select system from the Name drop down list to use it as the authorization scheme Click Apply A configuration progress dialog box appears Afte...

Страница 353: ...ork requirements As shown in a the switch and the RADIUS authentication servers iMC servers work together to authenticate the host that is to access the Internet An FTP server is on the Internet and its IP address is 10 0 0 1 Configure the authentication server to assign ACL 3000 Enable 802 1X on port GigabitEthernet 1 0 1 and configure ACL 3000 on the switch After a user passes 802 1X authenticat...

Страница 354: ...n tree select Authentication RADIUS The RADIUS server configuration page appears b RADIUS authentication server configuration Select Authentication Server as the server type Enter the primary server IP address 10 1 1 1 Enter the primary server UDP port number 1812 Select active as the primary server status Click Apply Configure the RADIUS accounting server c RADIUS accounting server configuration ...

Страница 355: ...guration page d RADIUS parameter configuration Select extended as the server type Select the Authentication Server Shared Key checkbox and enter abc in the textbox Enter abc again in the Confirm Authentication Shared Key textbox Select the Accounting Server Shared Key checkbox and enter abc in the textbox Enter abc again in the Confirm Accounting Shared Key textbox Select without domain as the use...

Страница 356: ... Select Enable to use the domain the default domain Click Apply to finish the operation Configure the AAA authentication method for the ISP domain Select the Authentication tab f Configure the AAA authentication method for the ISP domain Select the domain name test ...

Страница 357: ...AAA authorization method for the ISP domain Select the Authorization tab h Configure the AAA authorization method for the ISP domain Select the domain name test Select the Default AuthZ checkbox and then select RADIUS as the authorization mode Select system from the Name drop down list to use it as the authorization scheme Click Apply A configuration progress dialog box appears After the configura...

Страница 358: ... accounting mode Select system from the Name drop down list to use it as the accounting scheme Click Apply A configuration progress dialog box appears After the configuration process is complete click Close Table 120 Configure an ACL Create ACL 3000 that denies packets with destination IP address 10 0 0 1 From the navigation tree select QoS ACL IPv4 to enter the IPv4 ACL configuration page and the...

Страница 359: ... operation Configure the ACL to deny packets with destination IP address 10 0 0 1 Select the Advanced Setup tab k ACL rule configuration Select 3000 from the Select Access Control List ACL drop down list Select the Rule ID check box and enter 0 as the rule ID ...

Страница 360: ...sh the operation Table 121 Configure the 802 1X feature Enable the 802 1X feature globally From the navigation tree select Authentication 802 1X to enter the 802 1X configuration page l Global 802 1X globally Select the check box before Enable 802 1X Select the authentication method as CHAP Click Apply to finish the operation Enable 802 1X on port GigabitEthernet 1 0 1 In the Ports With 802 1X Ena...

Страница 361: ... Configuration verification After the user passes authentication and gets online use the ping command to test whether ACL 3000 takes effect From the navigation tree select Network Diagnostic Tools The ping page appears Enter the destination IP address 10 0 0 1 Click Start to start the ping operation a shows the ping operation summary ...

Страница 362: ...350 a Ping operation summary ...

Страница 363: ...also referred to as the access device The server maintains user information centrally In an AAA network a NAS is a server for users but a client for the AAA servers See a a Network diagram for AAA When a user tries to log in to the NAS use the network resources or access other networks the NAS authenticates the user The NAS can transparently pass the user s authentication authorization and account...

Страница 364: ...e default methods are used See a a Determine the ISP domain of a user by the username Configuring AAA Configuration prerequisites To implement local user authentication authorization and accounting you must create local users and configure user attributes on the switch See the chapter User configuration To implement remote authentication authorization or accounting you must create the RADIUS schem...

Страница 365: ...P terminal access users and command users Configuring authorization methods for the ISP domain Optional Specify the authorization methods for various types of users By default all types of users use local authorization Configuring accounting methods for the ISP domain Required Specify the accounting methods for various types of users By default all types of users use local accounting Configuring a...

Страница 366: ... authentication methods for the ISP domain Select Authentication AAA from the navigation tree and then select the Authentication tab to enter the authentication method configuration page as shown in a a Authentication method configuration page 2 Authentication method configuration items Item Description Select an ISP domain Select the ISP domain for which you want to specify authentication methods...

Страница 367: ...he authentication method and secondary authentication method for login users Options include Local Performs local authentication None All users are trusted and no authentication is performed Generally this mode is not recommended RADIUS Performs RADIUS authentication You must specify the RADIUS scheme to be used Not Set Uses the default authentication methods Name Secondary Method Return to Config...

Страница 368: ...erforms local authorization None All users are trusted and authorized A user gets the corresponding default rights of the system RADIUS Performs RADIUS authorization You must specify the RADIUS scheme to be used Not Set Uses the default authorization method Name Secondary Method Login AuthZ Configure the authorization method and secondary authorization method for login users Options include Local ...

Страница 369: ...condary accounting method for all types of users Options include Local Performs local accounting None Performs no accounting RADIUS Performs RADIUS accounting You must specify the RADIUS scheme to be used Not Set Restore the default that is local accounting Name Secondary Method LAN access Accounting Configure the accounting method and secondary accounting method for LAN access users Options inclu...

Страница 370: ... in a configure the switch to perform local authentication authorization and accounting for Telnet users a Network diagram for AAA configuration example Configuration procedure NOTE Enable the Telnet server function on the switch and configure the switch to use AAA for Telnet users The configuration steps are omitted Configure IP addresses for the interfaces Omitted Configure a local user Select D...

Страница 371: ...gement as the access level Enter abcd as the password Enter abcd to confirm the password Select Telnet Service as the service type Click Apply Configure ISP domain test Select Authentication AAA from the navigation tree The domain configuration page appears as shown in b ...

Страница 372: ... Select Authentication AAA from the navigation tree and then select the Authentication tab as shown in c c Configure the ISP domain to use local authentication Select the domain test Select the Login AuthN check box and select the authentication method Local Click Apply A configuration progress dialog box appears as shown in d ...

Страница 373: ...n tab as shown in e e Configure the ISP domain to use local authorization Select the domain test Select the Login AuthZ check box and select the authorization method Local Click Apply A configuration progress dialog box appears After the configuration progress is complete click Close Configure the ISP domain to use local accounting Select Authentication AAA from the navigation tree and then select...

Страница 374: ...counting check box and select the accounting method Local Click Apply A configuration progress dialog box appears After the configuration process is complete click Close Now if you telnet to the switch and enter username telnet test and password abcd you should be serviced as a user in domain test ...

Страница 375: ...model Client Generally the RADIUS client runs on the NASs located throughout the network It passes user information to designated RADIUS servers and acts on the responses for example rejects or accepts user access requests Server Generally the RADIUS server runs on the computer or workstation at the network center and maintains information related to user authentication and network service access ...

Страница 376: ...cess Request to the RADIUS server with the user password encrypted by using the Message Digest 5 MD5 algorithm and the shared key Table 124 The RADIUS server authenticates the username and password If the authentication succeeds the server sends back an Access Accept message containing the user s authorization information If the authentication fails the server returns an Access Reject message Tabl...

Страница 377: ...r Name attribute and can optionally contain the attributes of NAS IP Address User Password and NAS Port 2 Access Accept From the server to the client If all the attribute values carried in the Access Request are acceptable that is the authentication succeeds the server sends an Access Accept response 3 Access Reject From the server to the client If any attribute value carried in the Access Request...

Страница 378: ...onse This field may contain multiple attributes each with three sub fields Type Length and Value Type 1 byte long Indicates the type of the attribute It is in the range 1 to 255 Commonly used attributes for RADIUS authentication authorization and accounting are listed in 3 Length 1 byte long Indicates the length of the attribute in bytes including the Type Length and Value fields Value up to 253 b...

Страница 379: ...el Private Group id 35 Login LAT Node 82 Tunnel Assignment id 36 Login LAT Group 83 Tunnel Preference 37 Framed AppleTalk Link 84 ARAP Challenge Response 38 Framed AppleTalk Network 85 Acct Interim Interval 39 Framed AppleTalk Zone 86 Acct Tunnel Packets Lost 40 Acct Status Type 87 NAS Port Id 41 Acct Delay Time 88 Framed Pool 42 Acct Input Octets 89 unassigned 43 Acct Output Octets 90 Tunnel Clie...

Страница 380: ... RFC 2865 Remote Authentication Dial In User Service RADIUS RFC 2866 RADIUS Accounting RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support RFC 2868 RADIUS Attributes for Tunnel Protocol Support RFC 2869 RADIUS Extensions Configuring RADIUS Configuration task list NOTE The RADIUS scheme configured through the web interface is named system If there is no RADIUS scheme named system i...

Страница 381: ...iguration 2 RADIUS server configuration Item Description Server Type Specify the type of the server to be configured which can be Authentication Server and Accounting Sever Primary Server IP Specify the IP address of the primary server If no primary server is specified the text box displays 0 0 0 0 To remove the previously configured primary server enter 0 0 0 0 in the text box The specified IP ad...

Страница 382: ...same as that of the primary server Secondary Server UDP Port Specify the UDP port of the secondary server If the IP address of the secondary server is not specified or the specified IP address is to be removed the port number is 1812 for authentication or 1813 for accounting Secondary Server Status Status of the secondary server including active The server is working normally blocked The server is...

Страница 383: ...thentication Server Shared Key Specify and confirm the shared key for the authentication server These two parameters must have the same values Confirm Authentication Shared Key Accounting Server Shared Key Specify and confirm the shared key for the accounting server These two parameters must have the same values Confirm Accounting Shared Key NAS IP Specify the source IP address for the device to u...

Страница 384: ...he maximum number of real time accounting request retransmission times Stop Accounting Buffer Enable or disable buffering stop accounting requests without responses in the device Stop Accounting Packet Retransmission Times Set the maximum number of transmission attempts if no response is received for the stop accounting packet Quiet Interval Specify the interval the primary server has to wait befo...

Страница 385: ...or iMC server using the default port for authentication and accounting the Telnet user s username and password and the shared key expert have been configured for packet exchange with the switch On the switch it is required to configure the shared key for packet exchange with the RADIUS server as expert and configure the system to remove the domain name of a username before sending it to the RADIUS...

Страница 386: ... 10 110 91 146 as the IP address of the primary authentication server Enter 1812 as the UDP port of the primary authentication server Select active as the primary server status Click Apply Configure the RADIUS accounting server c Configure the RADIUS accounting server Select Accounting Server as the server type Enter 10 110 91 146 as the IP address of the primary accounting server Enter 1813 as th...

Страница 387: ...ication Server Shared Key check box and enter expert in the text box Enter expert in the Confirm Authentication Shared Key text box Select the Accounting Server Shared Key check box and enter expert in the text box Enter expert in the Confirm Accounting Shared Key text box Select without domain for Username Format Click Apply Table 138 Configure AAA Create an ISP domain From the navigation tree se...

Страница 388: ...r the ISP domain Select the Authentication tab f Configure the AAA authentication method for the ISP domain Select the domain name test Select the Default AuthN checkbox and then select RADIUS as the authentication mode Select system from the Name drop down list to use it as the authentication scheme Click Apply A configuration progress dialog box appears as shown in g ...

Страница 389: ...e ISP domain Select the domain name test Select the Default AuthZ checkbox and then select RADIUS as the authorization mode Select system from the Name drop down list to use it as the authorization scheme Click Apply A configuration progress dialog box appears After the configuration process is complete click Close Configure the AAA accounting method for the ISP domain and enable accounting option...

Страница 390: ...ines When you modify the parameters of the RADIUS scheme the system does not check whether the scheme is being used by users After accounting starts update accounting and stop accounting packets will be sent to the designated server and no primary secondary server switchover will take place even if the designated server fails Such a switchover can take place only during AAA session establishment I...

Страница 391: ... and has a set of local user attributes You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group All local users in a user group inherit the user attributes of the group but if you configure user attributes for a local user the settings of the local user take precedence over the settings for the user group By d...

Страница 392: ...ssing through the Ethernet such as 802 1x users and SSH IMPORTANT If you do not specify any service type for a local user who uses local authentication the user cannot pass authentication and therefore cannot log in Expire time Specify an expiration time for the local user in the format HH MM SS YYYY MM DD When authenticating a local user with the expiration time argument configured the access dev...

Страница 393: ...he access device to restrict the access of the local user after the user passes authentication User profile Specify the user profile for the local user NOTE HP V1910 Switch Series does not support user profile configuration Configuring a user group Select Authentication Users from the navigation tree and then select the User Group tab to display the existing user groups as shown in a Then click Ad...

Страница 394: ...ment in ascending order of priority VLAN Specify the VLAN to be authorized to users of the user group after the users pass authentication ACL Specify the ACL to be used by the access device to control the access of users of the user group after the users pass authentication User profile Specify the user profile for the user group NOTE HP V1910 Switch Series does not support user profile configurat...

Страница 395: ... digital certificate signed by a CA for an entity A CA certificate also known as a root certificate is signed by the CA for itself CRL An existing certificate may need to be revoked when for example the user name changes the private key leaks or the user stops the business Revoking a certificate is to remove the binding of the public key with the user identity information In PKI the revocation is ...

Страница 396: ... management to achieve higher security of application systems PKI repository A PKI repository can be a Lightweight Directory Access Protocol LDAP server or a common database It stores and manages information like certificate requests certificates keys CRLs and logs and it provides a simple query function LDAP is a protocol for accessing and managing PKI information An LDAP server stores user infor...

Страница 397: ... digital signature approves the application and issues a certificate Table 142 The RA receives the certificate from the CA sends it to the LDAP server to provide directory navigation service and notifies the entity that the certificate is successfully issued Table 143 The entity retrieves the certificate With the certificate the entity can communicate with other entities safely through encryption ...

Страница 398: ... key pair Required Generate a local RSA key pair By default no local RSA key pair exists Generating an RSA key pair is an important step in certificate request The key pair includes a public key and a private key The private key is kept by the user and the public key is transferred to the CA along with some other information IMPORTANT If a local certificate already exists you must remove the certi...

Страница 399: ...ir you need to destroy the existing key pair Otherwise the retrieving operation will fail Retrieving a certificate Optional Retrieve an existing certificate Retrieving and displaying a CRL Optional Retrieve a CRL and display its contents Requesting a Certificate Automatically Perform the tasks in 1 to configure the PKI system to request a certificate automatically 1 Configuration task list for req...

Страница 400: ... retrieving operation will fail Retrieving a certificate Optional Retrieve an existing certificate Retrieving and displaying a CRL Optional Retrieve a CRL and display its contents Creating a PKI entity Select Authentication PKI from the navigation tree The PKI entity list page is displayed by default as shown in a Click Add on the page to enter the PKI entity configuration page as shown in b a PKI...

Страница 401: ...pe the country or region code for the entity State Type the state or province for the entity Locality Type the locality for the entity Organization Type the organization name for the entity Organization Unit Type the unit name for the entity Return to Configuration task list for requesting a certificate manually Return to Configuration task list for requesting a certificate automatically Creating ...

Страница 402: ...ribution and revocation and query In offline mode this item is optional while in other modes this item is required Entity Name Select the local PKI entity When submitting a certificate request to a CA an entity needs to show its identity information Available PKI entities are those that have been configured Institution Select the authority for certificate request CA Indicates that the entity reque...

Страница 403: ...ot match the one configured for the PKI domain the entity will reject the root certificate IMPORTANT The fingerprint of the CA root certificate is required when the certificate request mode is Auto and can be omitted when the certificate request mode is Manual When it is omitted no CA root certificate verification occurs automatically and you need to verify the CA server by yourself Fingerprint Po...

Страница 404: ...o enter RSA key pair parameter configuration page as shown in b a Certificate configuration page b Key pair parameter configuration page 2 Configuration item for generating an RSA key pair Item Description Key Length Type the length of the RSA keys Return to Configuration task list for requesting a certificate manually Destroying the RSA key pair Select Authentication PKI from the navigation tree ...

Страница 405: ...thentication PKI from the navigation tree and then select the Certificate tab to enter the page displaying existing PKI certificates as shown in a Click Retrieve Cert to enter PKI certificate retrieval page as shown in a a PKI certificate retrieval page 2 Configuration items for retrieving a PKI certificate Item Description Domain Name Select the PKI domain for the certificate Certificate Type Sel...

Страница 406: ...ion of the device for saving the file Password Enter the password for protecting the private key which was specified when the certificate was exported After retrieving a certificate you can click View Cert corresponding to the certificate from the PKI certificates list to display the contents of the certificate as shown in a a Certificate details Return to Configuration task list for requesting a ...

Страница 407: ...em Description Domain Name Select the PKI domain for the certificate Password Type the password for certificate revocation Enable Offline Mode Select this check box to request a certificate in offline mode that is by an out of band means like FTP disk or e mail If you select the offline mode and click Apply the offline certificate request information page appears as shown in a Submit the informati...

Страница 408: ...shown in a a CRL page Click Retrieve CRL to retrieve the CRL of a domain Then click View CRL for the domain to display the contents of the CRL as shown in b b CRL details 2 Description about some fields of the CRL details Field Description Version CRL version number Signature Algorithm Signature algorithm that the CRL uses Issuer CA that issued the CRL ...

Страница 409: ... software The Switch acquires CRLs for certificate verification a Network diagram for configuring a PKI entity to request a certificate from a CA Configuration procedure Table 145 Configure the CA server Create a CA server named myca In this example you need to configure the basic attributes of Nickname and Subject DN on the CA server at first Nickname Name of the trusted CA Subject DN DN informat...

Страница 410: ...request certificates and retrieve CRLs properly Table 146 Configure Switch Create a PKI entity Select Authentication PKI from the navigation tree The PKI entity list page is displayed by default Click Add on the page as shown in b and then perform the following configurations as shown in c b PKI entity list c Configure a PKI entity Type aaa as the PKI entity name Type ac as the common name Click A...

Страница 411: ...ttp 4 4 4 133 446 c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for certificate request The URL must be in the format of http host port Issuing Jurisdiction ID where Issuing Jurisdiction ID is the hexadecimal string generated on the CA Select Manual as the certificate request mode Click Display Advanced Config to display the advanced configuration items Select the Enable CRL Checking check b...

Страница 412: ...ue Click OK Generate an RSA key pair Select the Certificate tab and then click Create Key as shown in f and perform the configuration as shown in g f Certificate list g Generate an RSA key pair Click Apply to generate an RSA key pair Retrieve the CA certificate Select the Certificate tab and then click Retrieve Cert as shown in h and then perform the following configurations as shown in i ...

Страница 413: ... Select torsa as the PKI domain Select CA as the certificate type Click Apply Request a local certificate Select the Certificate tab and then click Request Cert as shown in j and then perform the following configurations as shown in k j Certificate list ...

Страница 414: ...ty period of certificates will be abnormal The Windows 2000 CA server has some restrictions on the data length of a certificate request If the PKI entity identity information in a certificate request goes beyond a certain limit the server will not respond to the certificate request The SCEP plug in is required when you use the Windows Server as the CA In this case you need to specify RA as the aut...

Страница 415: ...ion group 1 You can neither remove the isolation group nor create other isolation groups on such devices There is no restriction on the number of ports assigned to an isolation group Usually Layer 2 traffic cannot be forwarded between ports from different VLANs However Layer 2 data transmission between ports within and outside the isolation group is supported Configuring a port isolation group Sel...

Страница 416: ...Network requirements Campus network users Host A Host B and Host C are connected to GigabitEthernet 1 0 2 GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 of Switch Switch is connected to the Internet through GigabitEthernet 1 0 1 GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 belong to the same VLAN Configure Host A Host B and Host C to access the Inter...

Страница 417: ...ick Apply A configuration progress dialog box appears After the configuration process is complete click Close in the dialog box View information about the isolation group Click Summary The page shown in b appears b Information about port isolation group 1 As shown on the page port isolation group 1 contains these isolated ports GigabitEthernet 1 0 2 GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 ...

Страница 418: ...he authorized IP configuration page as shown in a a Authorized IP configuration page 2 Authorized IP configuration items Item Description Telnet IPv4 ACL Associate the Telnet service with an IPv4 ACL You can configure the IPv4 ACL to be selected by selecting QoS ACL IPv4 IPv6 ACL Not Supported Associate the Telnet service with an IPv6 ACL You can configure the IPv6 ACL to be selected by selecting ...

Страница 419: ...elnet and HTTP requests from Host B a Network diagram for authorized IP Configuration procedure Create an ACL Select QoS ACL IPv4 from the navigation tree and then click the Create tab to enter the ACL configuration page shown in a Type 2001 for ACL Number Click Apply a Create an ACL Configure an ACL rule to permit Host B Click the Basic Setup tab to enter the page shown in b ...

Страница 420: ...10 1 1 3 Type 0 0 0 0 in the Source Wildcard text box Click Add b Configure an ACL rule to permit Host B Configure authorized IP Select Security Authorized IP from the navigation tree and then click the Setup tab to enter the authorized IP configuration page shown in c Select 2001 for IPv4 ACL in the Telnet field Select 2001 for IPv4 ACL in the Web HTTP field Click Apply ...

Страница 421: ...409 c Configure authorized IP ...

Страница 422: ...egory ACL number Match criteria Basic IPv4 ACL 2000 to 2999 Source IP address Advanced IPv4 ACL 3000 to 3999 Source IP address destination IP address protocol carried over IP and other Layer 3 or Layer 4 protocol header information Ethernet frame header ACL 4000 to 4999 Layer 2 protocol header fields such as source MAC address destination MAC address 802 1p precedence and link layer protocol type ...

Страница 423: ... the same compare packets against the rule configured first Ethernet frame header ACL 8 Sort rules by source MAC address mask first and compare packets against the rule configured with more ones in the source MAC address mask 9 If two rules are present with the same number of ones in their source MAC address masks look at the destination MAC address masks Then compare packets against the rule conf...

Страница 424: ...r For example with a step of five if the biggest number is 28 the newly defined rule will get a number of 30 If the ACL has no rule defined already the first defined rule will get a number of 0 Another benefit of using the step is that it allows you to insert new rules between existing ones as needed For example after creating four rules numbered 0 5 10 and 15 in an ACL with a step of five you can...

Страница 425: ...e periodic time range You can define both a periodic time range and an absolute time range to create a compound time range This compound time range recurs on the day or days End Time Set the end time of the periodic time range The end time must be greater than the start time Sun Mon Tue Wed Thu Fri and Sat Select the day or days of the week on which the periodic time range is valid You can select ...

Страница 426: ... shown in a a The page for creating an IPv4 ACL 2 describes the configuration items for creating an IPv4 ACL 2 IPv4 ACL configuration items Item Description ACL Number Set the number of the IPv4 ACL Match Order Set the match order of the ACL Available values are Config Compare packets against ACL rules in the order that the rules are configured Auto Compares packets against ACL rules in the depth ...

Страница 427: ... one automatically Operation Select the operation to be performed for IPv4 packets matching the rule Permit Allows matched packets to pass Deny Drops matched packets Check Fragment Select this option to apply the rule to only non first fragments If you do no select this option the rule applies to all fragments and non fragments Check Logging Select this option to keep a log of matched IPv4 packets...

Страница 428: ...ch the rule takes effect Available time ranges are those that have been configured Return to IPv4 ACL configuration task list Configuring a rule for an advanced IPv4 ACL Select QoS ACL IPv4 from the navigation tree and then select the Advanced Setup tab to enter the rule configuration page for an advanced IPv4 ACL as shown in a ...

Страница 429: ...417 a The page for configuring an advanced IPv4 ACL 2 describes the configuration items for creating a rule for an advanced IPv4 ACL ...

Страница 430: ...he Source IP Address option and type a source IPv4 address and a source wildcard mask in dotted decimal notation Source Wildcard Destination IP Address Select the Source IP Address option and type a source IP address and a source wildcard mask in dotted decimal notation Destination Wildcard Protocol Select the protocol to be carried by IP If you select 1 ICMP you can configure the ICMP message typ...

Страница 431: ... To Port Precedence Filter DSCP Specify the DSCP priority IMPORTANT If you specify the ToS precedence or IP precedence when you specify the DSCP precedence the specified ToS or IP precedence does not take effect TOS Specify the ToS precedence Precedence Specify the IP precedence Time Range Select the time range during which the rule takes effect Available time ranges are those that have been confi...

Страница 432: ...hernet frame header IPv4 ACLs that have been configured Rule ID Select the Rule ID option and type a number for the rule If you do not specify the rule number the system will assign one automatically Operation Select the operation to be performed for packets matching the rule Permit Allows matched packets to pass Deny Drops matched packets MAC Address Filter Source MAC Address Select the Source MA...

Страница 433: ...k Indicates the protocol mask Protocol Mask Time Range Select the time range during which the rule takes effect Available time ranges are those that have been configured Return to IPv4 ACL configuration task list Configuration guidelines When configuring an ACL follow these guidelines Table 147 When defining rules in an ACL you do not necessarily assign them numbers the system can do this automati...

Страница 434: ...are experiencing new services such as tele education telemedicine video telephone videoconference and Video on Demand VoD Enterprise users expect to connect their regional branches together with VPN technologies to carry out operational applications for instance to access the database of the company or to monitor remote devices through Telnet These new applications have one thing in common that is...

Страница 435: ...ular exhaustion and even system breakdown It is obvious that congestion hinders resource assignment for traffic and degrades service performance Congestion is unavoidable in switched networks and multi user application environments To improve the service performance of your network you must address the congestion issues Countermeasures A simple solution for congestion is to increase network bandwi...

Страница 436: ...gestion management is usually applied in the outbound direction of a port Congestion avoidance monitors the usage status of network resources and is usually applied in the outbound direction of a port As congestion becomes worse it actively reduces the amount of traffic by dropping packets Among these QoS technologies traffic classification is the basis for providing differentiated services Traffi...

Страница 437: ... and ToS bytes As shown in b the ToS field of the IP header contains eight bits the first three bits 0 to 2 represent IP precedence from 0 to 7 the subsequent four bits 3 to 6 represent a ToS value from 0 to 15 According to RFC 2474 the ToS field of the IP header is redefined as the differentiated services DS field where a DSCP value is represented by the first six bits 0 to 5 and is in the range ...

Страница 438: ...l IP network traffic belongs to this class by default 3 Description on DSCP values DSCP value decimal DSCP value binary Description 46 101110 ef 10 001010 af11 12 001100 af12 14 001110 af13 18 010010 af21 20 010100 af22 22 010110 af23 26 011010 af31 28 011100 af32 30 011110 af33 34 100010 af41 36 100100 af42 38 100110 af43 8 001000 cs1 16 010000 cs2 24 011000 cs3 32 100000 cs4 40 101000 cs5 48 110...

Страница 439: ...nce decimal 802 1p precedence binary Description 0 000 best effort 1 001 background 2 010 spare 3 011 excellent effort 4 100 controlled load 5 101 video 6 110 voice 7 111 network management Queue scheduling In general congestion management adopts queuing technology The system uses a certain queuing algorithm for traffic classification and then uses a certain precedence algorithm to send the traffi...

Страница 440: ...ity queue to ensure that they are always served first and common service such as Email packets to the low priority queues to be transmitted when the high priority queues are empty The disadvantage of SP queuing is that packets in the lower priority queues cannot be transmitted if there are packets in the higher priority queues This may cause lower priority traffic to never be transmitted WRR queui...

Страница 441: ... group is empty the other queues are scheduled by WRR Line rate Line rate is a traffic control method using token buckets The line rate of a physical interface specifies the maximum rate for forwarding packets including critical packets Line rate can limit all the packets passing a physical interface Traffic evaluation and token bucket A token bucket can be considered as a container holding a cert...

Страница 442: ...ion management In this way the traffic passing the physical interface is controlled a Line rate implementation With a token bucket used for traffic control when tokens are available in the token bucket the bursty packets can be transmitted if no tokens are available packets cannot be transmitted until new tokens are generated in the token bucket In this way the traffic rate is restricted to the ra...

Страница 443: ...rity mapping tables The device provides various types of priority mapping table as listed below CoS to DSCP 802 1p to DSCP priority mapping table CoS to Queue 802 1p to local priority mapping table DSCP to CoS DSCP to 802 1p priority mapping table which is applicable to only IP packets DSCP to DSCP DSCP to DSCP priority mapping table which is applicable to only IP packets DSCP to Queue DSCP to loc...

Страница 444: ... all the criteria to match the class If the operator is OR a packet matches the class if it matches any of the criteria in the class A traffic behavior defines a set of QoS actions to take on packets such as priority marking and redirect By associating a traffic behavior with a class in a QoS policy you apply the specific set of QoS actions to the class of traffic You can apply a QoS policy to a p...

Страница 445: ...c behavior in a QoS policy Associating a class that is already associated with a traffic behavior will overwrite the old association Apply the policy Applying a policy to a port Required Apply the QoS policy to a port Configuring queue scheduling Perform the task in 1 to configure queue scheduling 1 Queue scheduling configuration task list Task Remarks Configuring queue scheduling on a port Option...

Страница 446: ...ode of a port Creating a class Select QoS Classifier from the navigation tree and click Create to enter the page for creating a class as shown in a a The page for creating a class 2 shows the configuration items of creating a class 2 Configuration items of creating a class Item Description Classifier Name Specify a name for the classifier to be created Operator Specify the operator for the match c...

Страница 447: ...ing a class as shown in a a The page for configuring match criteria 2 shows the configuration items of configuring match criteria 2 Configuration items of configuring match criteria Item Description Please select a classifier Select an existing classifier in the drop down list Any Define a match criterion to match all packets Select the option to match all packets ...

Страница 448: ...entical 802 1p precedence values are specified the system considers them as one The relationship between different 802 1p precedence values is OR After such configurations all the 802 1p precedence values are automatically arranged in ascending order MAC Source MAC Define a match criterion to match a source MAC address If multiple such match criteria are configured for a class the new configuratio...

Страница 449: ...ted Specify a combination of individual VLAN IDs and VLAN ID ranges such as 3 5 7 10 You can specify up to eight VLAN IDs in this way ACL IPv4 Define an IPv4 ACL based match criterion The ACLs available for selection are existing IPv4 ACLs Return to QoS policy configuration task list Creating a traffic behavior Select QoS Behavior from the navigation tree and click the Create tab to enter the page...

Страница 450: ...rroring and traffic redirecting configuration items 2 Traffic mirroring and traffic redirecting configuration items Item Description Please select a behavior Select an existing behavior in the drop down list Redirect Set the action of redirecting traffic to the specified destination port Please select a port Specify the port to be configured as the destination port of traffic mirroring or traffic ...

Страница 451: ...g other actions for a traffic behavior 2 Configuration items of configuring other actions for a traffic behavior Item Description Please select a behavior Select an existing behavior in the drop down list Filter Configure the packet filtering action After selecting the Filter option select one item in the following drop down list Permit Forwards the packet Deny Drops the packet Not Set Cancels the...

Страница 452: ...es the configuration items of creating a policy 2 Configuration items of creating a policy Item Description Policy Name Specify a name for the policy to be created Return to QoS policy configuration task list Configuring classifier behavior associations for the policy Select QoS QoS Policy from the navigation tree and click Setup to enter the page for setting a policy as shown in a ...

Страница 453: ...Classifier Name Select an existing classifier in the drop down list The classifiers available for selection are created on the page for creating a classifier Behavior Name Select an existing behavior in the drop down list The behaviors available for selection are created on the page for creating a behavior Return to QoS policy configuration task list Applying a policy to a port Select QoS Port Pol...

Страница 454: ...ction in which the policy is to be applied Inbound Applies the policy to the incoming packets of the specified ports Please select port s Click to select ports to which the QoS policy is to be applied on the chassis front panel Return to QoS policy configuration task list Configuring queue scheduling on a port Select QoS Queue from the navigation tree and click Setup to enter the queue scheduling ...

Страница 455: ... reserved Group Specify the group the current queue is to be assigned to This drop down list is available after you select a queue ID The following groups are available for selection SP Assigns a queue to the SP group 1 Assigns a queue to WRR group 1 2 Assigns a queue to WRR group 2 Weight Set a weight for the current queue This option is available when group 1 or group 2 is selected Please select...

Страница 456: ...ction in which the line rate is to be applied Inbound Limits the rate of packets received on the specified port Outbound Limits the rate of packets sent by the specified port Both Limits the rate of packets received on and sent by the specified port CIR Set the committed information rate CIR the average traffic rate Please select port s Specify the ports to be configured with line rate Click the p...

Страница 457: ...to enter the page shown in 2 Input Priority Value Set the output priority value for an input priority value Output Priority Value Restore Click Restore to display the default settings of the current priority mapping table on the page To restore the priority mapping table to the default click Apply a The page for configuring DSCP to DSCP mapping table Return to Priority mapping table configuration ...

Страница 458: ... Description Interface The interface to be configured Priority Set a local precedence value for the port Trust Mode Select a priority trust mode for the port Untrust Not trusts the packet priority CoS Trusts the 802 1p precedence of the incoming packets and uses it for priority mapping DSCP Trusts the DSCP precedence of the incoming packets and uses it for priority mapping ...

Страница 459: ...n task list Configuration guidelines When an ACL is referenced to implement QoS the actions defined in the ACL rules deny or permit do not take effect actions to be taken on packets matching the ACL depend on the traffic behavior definition in QoS ...

Страница 460: ...ing the FTP server from 8 00 to 18 00 every day Table 152 Create an ACL to prohibit the hosts from accessing the FTP server from 8 00 to 18 00 every day Table 153 Configure a QoS policy to drop the packets matching the ACL Table 154 Apply the QoS policy in the inbound direction of GigabitEthernet 1 0 1 b Network diagram for ACL QoS configuration Configuration procedure Table 155 Configure the time...

Страница 461: ...elect the Periodic Time Range option set the Start Time to 8 00 and the End Time to 18 00 and then select the checkboxes Sun through Sat Click Apply Table 156 Define an IPv4 ACL for traffic to the FTP server Create an advanced IPv4 ACL Select QoS ACL IPv4 from the navigation tree and click Create ...

Страница 462: ...450 c Create an advanced IPv4 ACL Type the ACL number 3000 Click Apply Define an ACL rule for traffic to the FTP server Click Advanced Setup ...

Страница 463: ...t Select the Rule ID option and type rule ID 2 Select Permit in the Operation drop down list Select the Destination IP Address option and type IP address 10 1 1 1 and destination wildcard mask 0 0 0 0 Select test time in the Time Range drop down list Click Add Table 157 Configure a QoS policy ...

Страница 464: ...452 Create a class Select QoS Classifier from the navigation tree and click Create e Create a class Type the class name class1 Click Create Define match criteria Click Setup ...

Страница 465: ...match criteria Select the class name class1 in the drop down list Select the ACL IPv4 option and select ACL 3000 in the following drop down list Click Apply A configuration progress dialog box appears as shown in g ...

Страница 466: ...ion is complete click Close on the dialog box Create a traffic behavior Select QoS Behavior from the navigation tree and click Create h Create a traffic behavior Type the behavior name behavior1 Click Create Configure actions for the traffic behavior Click Setup ...

Страница 467: ...ect the Filter option and then select Deny in the following drop down list Click Apply A configuration progress dialog box appears After the configuration is complete click Close on the dialog box Create a policy Select QoS QoS Policy from the navigation tree and click the Create tab ...

Страница 468: ... k Configure classifier behavior associations for the policy Select policy1 Select class1 in the Classifier Name drop down list Select behavior1 in the Behavior Name drop down list Click Apply Apply the QoS policy in the inbound direction of GigabitEthernet 1 0 1 Select QoS Port Policy from the navigation tree and click the Setup tab ...

Страница 469: ...t 1 0 1 Select policy1 in the Please select a policy drop down list Select Inbound in the Direction drop down list Select port GigabitEthernet 1 0 1 Click Apply A configuration progress dialog box appears After the configuration is complete click Close on the dialog box ...

Страница 470: ...IEEE 802 3af and a globally uniform power interface is adopted Promising It can be applied to IP telephones wireless LAN access points APs portable chargers card readers web cameras and data collectors Composition As shown in a a PoE system consists of PoE power PSE power interface PI and PD a PoE system diagram PoE power The whole PoE system is powered by the PoE power PSE A PSE is a device suppl...

Страница 471: ... for transmitting data in a category 3 5 twisted pair cable to supply DC power while transmitting data to PDs Over spare wires The PSE uses the pairs 4 5 7 8 not transmitting data in a category 3 5 twisted pair cable to supply DC power to PDs NOTE HP V1910 24G PoE 365W Switch JE007A and HP V1910 24G PoE 170W Switch JE008A only support the signal mode PD A PD is a device accepting power from the PS...

Страница 472: ...E port will not result in PoE power overload otherwise you are not allowed to enable PoE for the PoE port By default PoE is disabled on a PoE port IMPORTANT PSE power overload When the sum of the power consumption of all ports exceeds the maximum power of PSE the system considers the PSE is overloaded Power Max Set the maximum power for the PoE port The maximum PoE port power is the maximum power ...

Страница 473: ...guard band is reserved for each PoE port on the device to prevent a PD from being powered off because of a sudden increase of the PD power When the remaining power of the PSE is lower than 19 watts the port with a higher priority can preempt the power of the port with a lower priority to ensure the normal working of the higher priority port If the sudden increase of the PD power results in PSE pow...

Страница 474: ...and power information are displayed in the lower part of the page as shown in a a PoE summary with GigabitEthernet 1 0 1 selected PoE configuration example Network requirements As shown in a GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 are connected to IP telephones GigabitEthernet 1 0 11 is connected to the AP whose maximum power does not exceed 9000 milliwatts The IP telephones have a higher ...

Страница 475: ...g configurations as shown in a a Configure the PoE ports supplying power to the IP telephones Click to select ports GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 from the chassis front panel Select Enable from the Power State drop down list Select Critical from the Power Priority drop down list Click Apply Enable PoE on GigabitEthernet 1 0 11 and configure the maximum power of the port to 9000 m...

Страница 476: ... port GigabitEthernet 1 0 11 from the chassis front panel Select Enable from the Power State drop down list Select the check box before Power Max and type 9000 Click Apply After the configuration takes effect the IP telephones and AP are powered and can work properly ...

Страница 477: ...e Bold text represents commands and keywords that you enter literally as shown italic Italic text represents arguments that you replace with actual values Square brackets enclose syntax choices keywords or arguments that are optional x y Braces enclose a set of required syntax choices separated by vertical bars from which you select one x y Square brackets enclose a set of optional syntax choices ...

Страница 478: ...hat calls attention to essential information NOTE An alert that contains additional or supplementary information TIP An alert that provides helpful information Network topology icons Represents a generic network device such as a router switch or firewall Represents a routing capable device such as a router or Layer 3 switch Represents a generic switch such as a Layer 2 or Layer 3 switch or a route...

Страница 479: ...467 Index A B C D E F G H I L M O P Q R S T V W ...

Страница 480: ... 421 Configuration guidelines 81 Configuration guidelines 402 Configuration guidelines 447 Configuration guidelines 250 Configuration guidelines 51 Configuration guidelines 15 Configuration guidelines 171 Configuration guidelines 148 Configuration guidelines 86 Configuration guidelines 42 Configuring 802 1X 329 Configuring a port 65 Configuring a port isolation group 403 Configuring a VLAN 138 Con...

Страница 481: ...t and port authorization status 320 Creating a DHCP server group 282 D Device reboot 60 DHCP address allocation 274 DHCP message format 276 DHCP options 277 DHCP relay agent configuration example 285 DHCP relay agent configuration task list 280 DHCP snooping configuration example 294 DHCP snooping configuration task list 290 DHCP snooping overview 288 Diagnostic information 61 Diagnostic tool oper...

Страница 482: ...troduction to the web interface 4 Introduction to the web based NM functions 5 L Link aggregation and LACP configuration example 214 LLDP configuration examples 238 Logging in to the web interface 2 Logging out of the web interface 4 Loopback operation 85 M MAC address configuration example 176 Managing ARP entries 308 Managing users 82 Monitoring port traffic statistics 89 MSTP 185 MSTP configura...

Страница 483: ... configuration example 373 Restore configuration 56 RMON configuration example 108 RSTP 184 S Save configuration 57 SNMP configuration 1 16 SNMP configuration example 127 Software upgrade 59 Stack configuration example 36 Static route configuration example 269 STP 177 System time configuration example 49 T Testing cable status 87 V VLAN configuration example 143 Voice VLAN configuration examples 1...

Отзывы:

Нет отзывов

Похожие инструкции для V1910

Бренд: H3C Страницы: 38

Бренд: H3C Страницы: 36

Бренд: H3C Страницы: 9

Бренд: H3C Страницы: 36

S12500X-AF Series

Бренд: H3C Страницы: 21

S12500X-AF Series

Бренд: H3C Страницы: 42

Бренд: H3C Страницы: 16

Бренд: H-Tronic Страницы: 32

Бренд: Kathrein Страницы: 8

Бренд: Nayar Systems Страницы: 21

Бренд: Kathrein Страницы: 24

Бренд: Kasia Страницы: 5

Бренд: D-Link Страницы: 17

Бренд: Panio Страницы: 5

Бренд: Hansen Страницы: 4

Бренд: Open Mesh Страницы: 2

Бренд: XtendLan Страницы: 24

Бренд: 3onedata Страницы: 2

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды