HPE OfficeConnect 1950 Series Скачать руководство пользователя страница 129

Страница: 129 / 182

121

Static IPv4 source guard configuration example

Network requirements

As shown in

Figure 40

, all hosts use static IP addresses.

Configure static IPv4 source guard entries on Device A and Device B to meet the following
requirements:

•

GigabitEthernet 1/0/2 of Device A allows only IP packets from Host C to pass.

•

GigabitEthernet 1/0/1 of Device A allows only IP packets from Host A to pass.

•

GigabitEthernet 1/0/2 of Device B allow only IP packets from Host A to pass.

•

GigabitEthernet 1/0/1 of Device B allows only IP packets from Host B to pass.

Figure 40 Network diagram

Configuration procedure

Configure Device A:

Configure IP addresses for the interfaces. (Details not shown.)

From the navigation tree, select

Security

Packet Filter

IP Source Guard

Add an IP source guard entry for Host A.

The entry contains interface GigabitEthernet 1/0/1, IP address 192.168.0.1, and MAC
address 00-01-02-03-04-06.

Add an IP source guard entry for Host C.

The entry contains interface GigabitEthernet 1/0/2, IP address 192.168.0.3, and MAC
address 00-01-02-03-04-05.

Configure Device B:

Configure IP addresses for the interfaces. (Details not shown.)

From the navigation tree, select

Security

Packet Filter

IP Source Guard

Add an IP source guard entry for Host B.

The entry contains interface GigabitEthernet 1/0/1, IP address 192.168.0.2, and MAC
address 00-01-02-03-04-07.

Add an IP source guard entry for Host A.

The entry contains interface GigabitEthernet 1/0/2, IP address 192.168.0.1, and MAC
address 00-01-02-03-04-06.

Verifying the configuration

From the navigation tree, select

Security

Packet Filter

IP Source Guard

on Device A.

Verify that the static IPv4 source guard entries are configured successfully on the IP source
guard configuration page.

IP: 192.168.0.3/24
MAC : 0001-0203-0405

IP: 192.168.0.1/24
MAC: 0001-0203-0406

Host A

IP: 192.168.0.2/24
MAC: 0001-0203-0407

Host B

Host C

GE1/0/2

GE1/0/1

GE1/0/2

GE1/0/1

Device A

Device B

Содержание OfficeConnect 1950 Series

Страница 1: ...HPE OfficeConnect 1950 Switch Series User Guide Part number 5998 8111 Document version 6W103 20160825 ...

Страница 2: ... and 12 212 Commercial Computer Software Computer Software Documentation and Technical Data for Commercial Items are licensed to the U S Government under vendor s standard commercial license Links to third party websites take you outside the Hewlett Packard Enterprise website Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterpris...

Страница 3: ...s of a table entry 9 Rebooting the device 10 Feature navigator 11 Dashboard menu 11 Device menu 11 Network menu 12 Resources menu 16 QoS menu 17 Security menu 17 PoE menu 18 Log menu 18 Device management 19 Settings 19 System time sources 19 Clock synchronization protocols 19 NTP SNTP operating modes 19 NTP SNTP time source authentication 20 Administrators 20 User account management 21 Role based ...

Страница 4: ...ty 38 DHCP snooping 38 IP 39 IP address classes 39 Subnetting and masking 39 IP address configuration methods 40 MTU for an interface 40 ARP 40 Types of ARP table entries 40 Gratuitous ARP 41 ARP attack protection 41 DNS 44 Dynamic domain name resolution 44 Static domain name resolution 45 DNS proxy 45 DDNS 45 IPv6 46 IPv6 address formats 46 IPv6 address types 46 EUI 64 address based interface ide...

Страница 5: ...8 Applying a QoS policy 68 Hardware queuing 68 SP queuing 69 WRR queuing 69 WFQ queuing 70 Queue scheduling profile 71 Priority mapping 71 Port priority 71 Priority map 72 Rate limit 72 Security features 73 Packet filter 73 IP source guard 73 Overview 73 Interface specific static IPv4SG bindings 73 802 1X 73 802 1X architecture 73 802 1X authentication methods 74 Access control methods 74 Port aut...

Страница 6: ...ation example 105 Dynamic DNS configuration example 106 DDNS configuration example with www 3322 org 107 Static IPv6 address configuration example 108 ND configuration example 109 Port mirroring configuration example 110 IPv4 static route configuration example 111 IPv4 local PBR configuration example 112 IGMP snooping configuration example 112 MLD snooping configuration example 114 DHCP configurat...

Страница 7: ...144 password 145 ping 145 ping ipv6 146 poe update 146 quit 147 reboot 147 summary 148 telnet 150 telnet ipv6 151 transceiver phony alarm disable 151 upgrade 152 xtd cli mode 154 Document conventions and icons 156 Conventions 156 Network topology icons 157 Support and other resources 158 Accessing Hewlett Packard Enterprise Support 158 Accessing updates 158 Websites 159 Customer self repair 159 Re...

Страница 8: ...ow to manage the device from the CLI Appendix A Managing the device from the CLI This user guide does not include step by step configuration procedures because the webpages are task oriented by design A configuration page typically provides links to any pages that are required to complete the task Users do not have to navigate to multiple pages For tasks that require navigation to multiple pages t...

Страница 9: ...G960A HPE OfficeConnect 1950 24G 2SFP 2XGT Switch Release 3111P02 Release 3113P05 JG961A HPE OfficeConnect 1950 48G 2SFP 2XGT Switch JG962A HPE OfficeConnect 1950 24G 2SFP 2XGT PoE 370W Switch JG963A HPE OfficeConnect 1950 48G 2SFP 2XGT PoE 370W Switch JH295A HPE OfficeConnect 1950 12XGT 4SFP Switch Release 5103P03 ...

Страница 10: ...sure correct display of webpage contents after software upgrade or downgrade clear data cached by the browser before you log in Enable active scripting or JavaScript depending on the Web browser If you are using a Microsoft Internet Explorer browser you must enable the following security settings Run ActiveX controls and plug ins Script ActiveX controls marked safe for scripting Default login sett...

Страница 11: ...dress Find the MAC address label on the device and use the following rules to determine the last two bytes for the IP address Last two bytes of the MAC address Last two bytes for the IP address All 0s 0 1 All Fs 255 1 Not all 0s or all Fs Decimal values of the last two bytes of the MAC address For example MAC address IP address 08004E080000 169 254 0 1 08004E08FFFF 169 254 255 1 08004E082A3F 169 2...

Страница 12: ...he login information To change the password of the login user admin at the first login click the Admin icon To add new user accounts and assign access permissions to different users select Device Maintenance Administrators Logging out of the Web interface IMPORTANT For security purposes log out of the Web interface immediately after you finish your tasks You cannot log out by closing the browser T...

Страница 13: ... save the configuration 2 Navigation tree Organizes feature menus in a tree 3 Content pane Displays information and provides an area for you to configure features Depending on the content in this pane the webpages include the following types Feature page Contains functions or features that a feature module can provide see Using a feature page Table page Displays entries in a table see Using a tabl...

Страница 14: ... in Figure 2 a feature page contains information about a feature module including its table entry statistics features and functions From a feature page you can configure features provided by a feature module Figure 2 Sample feature page Using a table page As shown in Figure 3 a table page displays entries in a table To sort entries by a field in ascending or descending order click the field For ex...

Страница 15: ...st be configured on another page the configuration page typically provides a link You do not need to navigate to the destination page For example you must use an ACL when you configure a packet filter If no ACLs are available when you perform the task you can click the Add icon to create an ACL In this situation you do not need to navigate to the ACL management page ...

Страница 16: ...ounter icon Counter Identify the total number of table entries Navigation icon Next Access the lower level page to display information or configure settings Status control icon Status control Control the enable status of the feature If ON is displayed the feature is enabled To disable the feature click the button If OFF is displayed the feature is disabled To enable the feature click the button Se...

Страница 17: ...ctor Select fields to be displayed Advanced settings icon Advanced settings Access the configuration page to configure settings Performing basic tasks This section describes the basic tasks that must be frequently performed when you configure or manage the device Saving the configuration Typically settings take effect immediately after you create them However the system does not automatically save...

Страница 18: ...he device Reboot is required for some settings for example the stack setup to take effect To reboot the device 1 Save the configuration 2 Select Device Maintenance Reboot 3 On the reboot page click the reboot button ...

Страница 19: ...urces ACL IPv4 from the navigation tree NOTE In the navigator tables a menu is in boldface if it has submenus Dashboard menu The dashboard menu provides an overview of the system and its running status including System logs System utilization System info This menu does not contain submenus Device menu Use Table 3 to navigate to the tasks you can perform from the Device menu Table 3 Device menu nav...

Страница 20: ...nostics Collect diagnostic information used for system diagnostics and troubleshooting Reboot Reboot the device About Display basic device information including Device name Serial number Version information Electronic label Legal statement Virtualization IRF Configure the following settings to set up an HPE OfficeConnect 1950 stack Member ID Priority Domain ID Stack port bindings Display the stack...

Страница 21: ...es dynamic MAC entries and blackhole MAC entries Display existing MAC entries STP Enable or disable STP globally Enable or disable STP on interfaces Configure the STP operating mode as STP RSTP PVST or MSTP Configure instance priorities Configure MST regions LLDP Enable or disable LLDP Modify the LLDP operating mode Modify the interface mode Configure LLDP to advertise the specified TLVs DHCP Snoo...

Страница 22: ... aging time for stale ND entries Minimize link local ND entries Configure hop limit Configure RA prefix attributes including Address prefix Prefix length Valid lifetime Preferred lifetime Configure RA settings for an interface including RA message suppression Maximum and minimum intervals for sending RA messages Hop limit M flag O flag Router lifetime NS retransmission interval Router preference N...

Страница 23: ... operate in the DHCP server mode Configure DHCP address pools Configure the IP address conflict detection Configure DHCP relay agent functions including Configure DHCP services Configure the DHCP relay agent mode Configure the IP address of the DHCP server Configure settings for DHCP relay entry include Recording of DHCP relay entries Periodic refreshing of DHCP relay entries Interval for refreshi...

Страница 24: ... menu navigator Menus Tasks ACLs IPv4 Create modify or delete an IPv4 basic ACL Create modify or delete an IPv4 advanced ACL IPv6 Create modify or delete an IPv6 basic ACL Create modify or delete an IPv6 advanced ACL Ethernet Create modify or delete an Ethernet frame header ACL Time Range Time Range SSL SSL Create modify or delete an SSL client policy Create modify or delete an SSL server policy P...

Страница 25: ...gate to the tasks you can perform from the Security menu Table 7 Security menu navigator Menus Tasks Packet Filter Packet Filter Create modify or delete a packet filter for an interface a VLAN or the system Configure the default action for the packet filter IP Source Guard Configure an interface specific static IPv4 source guard binding Access Control 802 1X Enable or disable 802 1X Configure the ...

Страница 26: ...oE menu navigator Menus Tasks PoE Configure the maximum PoE power and power alarm threshold for the device Enable or disable PoE on an interface Configure the maximum PoE power power supply priority PD description and fault description for an interface Log menu Use Table 9 to navigate to the tasks you can perform from the Log menu Table 9 Log menu navigator Menus Tasks Log System Log Display log i...

Страница 27: ...ates the system time The system time calculated by using the UTC time from a time source is more precise Make sure the time zone and daylight saving setting are the same as the parameters of the place where the device resides If the system time does not change accordingly when the daylight saving period ends refresh the Web interface Clock synchronization protocols The device supports the followin...

Страница 28: ...ed to multiple time servers it selects an optimal clock and synchronizes its local clock to the optimal reference source You must specify the IP address of the symmetric passive peer on the symmetric active peer A symmetric active peer and a symmetric passive peer can be synchronized to each other If both of them are synchronized the peer with a higher stratum is synchronized to the peer with a lo...

Страница 29: ...to VLANs You can perform the following tasks on an accessible interface VLAN Create or remove the interface or VLAN Configure attributes for the interface or VLAN Apply the interface or VLAN to other parameters Predefined user roles The system provides predefined user roles These user roles have access to all system resources interfaces and VLANs Their access permissions differ If the predefined u...

Страница 30: ...mbination of characters from the following types Uppercase letters A to Z Lowercase letters a to z Digits 0 to 9 Special characters See Table 11 Table 11 Special characters Character name Symbol Character name Symbol Ampersand sign Apostrophe Asterisk At sign Back quote Back slash Blank space N A Caret Colon Comma Dollar sign Dot Equal sign Exclamation point Left angle bracket Left brace Left brac...

Страница 31: ...ce the last change is less than this interval the system denies the request For example if you set this interval to 48 hours a user cannot change the password twice within 48 hours The set minimum interval is not effective when a user is prompted to change the password at the first login or after its password aging time expires Password expiration Password expiration imposes a lifecycle on a user ...

Страница 32: ...TP and VTY users It does not take effect on the following types of users Nonexistent users users not configured on the device Users logging in to the device through console ports If a user fails to use a user account to log in after making the maximum number of consecutive attempts login attempt limit takes the following actions Adds the user account and the user s IP address to the password contr...

Страница 33: ...stack port you must bind a minimum of one physical interface to it The physical interfaces assigned to a stack port automatically form an aggregate stack link When you connect two neighboring stack members connect the physical interfaces of IRF port 1 on one member to the physical interfaces of IRF port 2 on the other Stack physical interfaces Stack physical interfaces connect stack member devices...

Страница 34: ... united Member priority Member priority determines the possibility of a member device to be elected the master A member with higher priority is more likely to be elected the master The default member priority is 1 You can change the member priority of a device to affect the master election result ...

Страница 35: ...ace 1 Layer 2 aggregation group 1 is created You can assign Layer 2 Ethernet interfaces only to a Layer 2 aggregation group The port rate of an aggregate interface equals the total rate of its Selected member ports Its duplex mode is the same as that of the Selected member ports Aggregation states of member ports in an aggregation group A member port in an aggregation group can be in any of the fo...

Страница 36: ... the reference port A Selected port must have the same operational key and attribute configurations as the reference port The system chooses a reference port from the member ports that are in up state and have the same attribute configurations as the aggregate interface The candidate ports are sorted in the following order a Highest port priority b Full duplex high speed c Full duplex low speed d ...

Страница 37: ...stem chooses a reference port from the member ports that are in up state and have the same attribute configurations as the aggregate interface A Selected port must have the same operational key and attribute configurations as the reference port The local system the actor and the peer system the partner negotiate a reference port by using the following workflow a The two systems compare their syste...

Страница 38: ...rt If ports have the same priority the system proceeds to the next step The system compares their port numbers The smaller the port number the smaller the port ID The port with the smallest port number and the same attribute configurations as the aggregate interface is chosen as the reference port After the reference port is chosen the system with the smaller system ID sets the state of each membe...

Страница 39: ...s when monitored traffic meets one of the following conditions Exceeds the upper threshold Drops below the lower threshold Port isolation The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs Ports in an isolation group cannot communicate with each other However they can communicate with ports outside the isolation group VLAN The Virtual Local Area N...

Страница 40: ...ets destined for another IP subnet Voice VLAN A voice VLAN is used for transmitting voice traffic The device can configure QoS parameters for voice packets to ensure higher transmission priority of the voice packets OUI addresses A device identifies voice packets based on their source MAC addresses A packet whose source MAC address complies with an Organizationally Unique Identifier OUI address of...

Страница 41: ...ng their MAC addresses If the PVID of the port is the voice VLAN and the port operates in manual VLAN assignment mode the port forwards all the received untagged packets in the voice VLAN Security mode The port uses the source MAC addresses of the received packets to match the OUI addresses of the device Packets that fail the match will be dropped MAC An Ethernet device uses a MAC address table to...

Страница 42: ...ods and possibly affect the device performance To reduce floods on a stable network set a long aging timer or disable the timer to prevent dynamic entries from unnecessarily aging out Reducing floods improves the network performance Reducing flooding also improves the security because it reduces the chances for a data frame to reach unintended destinations MAC address learning MAC address learning...

Страница 43: ... mode automatically transits to the STP mode when it receives STP BPDUs from a peer device The port does not transit to the RSTP mode when it receives RSTP BPDUs from a peer device MSTP basic concepts MSTP divides a switched network into multiple spanning tree regions MST regions MSTP maintains multiple independent spanning trees in an MST region and each spanning tree is mapped to specific VLANs ...

Страница 44: ...rt states Disabled Blocking Listening Learning and Forwarding The Disabled Blocking and Listening states correspond to the Discarding state in RSTP and MSTP LLDP The Link Layer Discovery Protocol LLDP operates on the data link layer to exchange device information between directly connected devices With LLDP a device sends local device information as TLV type length and value triplets in LLDP Data ...

Страница 45: ...er restarts When the aging timer decreases to zero the saved information ages out By setting the TTL multiplier you can configure the TTL of locally sent LLDPDUs The TTL is expressed by using the following formula TTL Min 65535 TTL multiplier LLDP frame transmission interval 1 As the expression shows the TTL can be up to 65535 seconds TTLs greater than 65535 will be rounded down to 65535 seconds L...

Страница 46: ...lter ARP packets from unauthorized clients Backs up DHCP snooping entries automatically The auto backup function saves DHCP snooping entries to a backup file and allows the DHCP snooping device to download the entries from the backup file at device reboot The entries on the DHCP snooping device cannot survive a reboot The auto backup helps some other features provide services if these features mus...

Страница 47: ...artup for temporary communication This address is never a valid destination address Addresses starting with 127 are reserved for loopback test Packets destined to these addresses are processed locally as input packets rather than sent to the link B 128 0 0 0 to 191 255 255 255 N A C 192 0 0 0 to 223 255 255 255 N A D 224 0 0 0 to 239 255 255 255 Multicast addresses E 240 0 0 0 to 255 255 255 255 R...

Страница 48: ...et an appropriate MTU for an interface based on the network environment to avoid fragmentation ARP ARP resolves IP addresses into MAC addresses on Ethernet networks Types of ARP table entries An ARP table stores dynamic and static ARP entries Dynamic ARP entry ARP automatically creates and updates dynamic entries A dynamic ARP entry is removed when its aging timer expires or the output interface g...

Страница 49: ...timely manner This feature can implement the following functions Prevent gateway spoofing Gateway spoofing occurs when an attacker uses the gateway address to send gratuitous ARP packets to the hosts on a network The traffic destined for the gateway from the hosts is sent to the attacker instead As a result the hosts cannot access the external network To prevent such gateway spoofing attacks you c...

Страница 50: ...able regardless of whether the attack packets have the same source addresses ARP packet source MAC consistency check This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body This feature allows the gateway to learn correct ARP entries ARP active acknowledgement Configure this feature on gat...

Страница 51: ...U An ARP detection enabled device will send all received ARP packets to the CPU for inspection Processing excessive ARP packets will make the device malfunction or even crash To solve this problem configure the ARP packet rate limit Configure this feature when ARP detection is enabled or when ARP flood attacks are detected If logging for ARP packet rate limit is enabled the device sends the highes...

Страница 52: ...nterfaces and have passed user validity check as follows If the packets are ARP requests they are forwarded through the trusted interface If the packets are ARP replies they are forwarded according to their destination MAC address If no match is found in the MAC address table they are forwarded through the trusted interface ARP does not have security mechanisms and is vulnerable to network attacks...

Страница 53: ... static DNS mapping for a device so that you can Telnet to the device by using the domain name After a user specifies a name the device checks the static name resolution table for an IP address If no IP address is available it contacts the DNS server for dynamic name resolution which takes more time than static name resolution To improve efficiency you can put frequently queried name to IP address...

Страница 54: ...ddress can be represented in the shortest format as 2001 0 130F 9C0 876A 130B An IPv6 address consists of an address prefix and an interface ID which are equivalent to the network ID and the host ID of an IPv4 address An IPv6 address prefix is written in IPv6 address prefix length notation The prefix length is a decimal number indicating how many leftmost bits of the IPv6 address are in the addres...

Страница 55: ...Anycast addresses use the unicast address space and have the identical structure of unicast addresses N A EUI 64 address based interface identifiers An interface identifier is 64 bit long and uniquely identifies an interface on a link Interfaces generate EUI 64 address based interface identifiers differently On an IEEE 802 interface such as a VLAN interface the interface identifier is derived from...

Страница 56: ...to the link local address prefix FE80 10 and the EUI 64 address based interface identifier Manual assignment An IPv6 link local address is manually configured An interface can have only one link local address As a best practice use the automatic generation method to avoid link local address conflicts If both methods are used manual assignment takes precedence If you first use automatic generation ...

Страница 57: ...tions and flag bits Redirect 137 Informs the source host of a better next hop on the path to a particular destination Neighbor entries A neighbor entry stores information about a neighboring node on the link Neighbor entries can be dynamically configured through NS and NA messages or manually configured You can configure a static neighbor entry by using one of the following methods Method 1 Associ...

Страница 58: ...s flag Specifies unlimited hops in RA messages M flag Determines whether a host uses stateful autoconfiguration to obtain an IPv6 address If the M flag is set the host uses stateful autoconfiguration for example from a DHCPv6 server to obtain an IPv6 address If the flag is not set the host uses stateless autoconfiguration to generate an IPv6 address according to its link layer address and the pref...

Страница 59: ...o obtain Host B s MAC address However Host B cannot receive the NS message because they belong to different broadcast domains To solve this problem enable common ND proxy on Interface A and Interface B of the Device The Device replies to the NS message from Host A and forwards packets from other hosts to Host B Local ND proxy As shown in Figure 8 Host A belongs to VLAN 2 and Host B belongs to VLAN...

Страница 60: ...irrored packets are transmitted by the remote probe VLAN from the source device to the destination device Static routing Static routes are manually configured If a network s topology is simple you only need to configure static routes for the network to work correctly Static routes cannot adapt to network topology changes If a fault or a topological change occurs in the network the network administ...

Страница 61: ...vice as an IPv6 multicast constraining mechanism It creates Layer 2 IPv6 multicast forwarding entries from MLD packets that are exchanged between the hosts and the Layer 3 device The Layer 2 device forwards multicast data based on Layer 2 IPv6 multicast forwarding entries A Layer 2 IPv6 multicast forwarding entry contains the VLAN IPv6 multicast group address IPv6 multicast source address and host...

Страница 62: ...n address pool depending on the client location Client on the same subnet as the server The DHCP server compares the IP address of the receiving interface with the subnets of all address pools If a match is found the server selects the address pool with the longest matching subnet Client on a different subnet than the server The DHCP server compares the IP address in the giaddr field of the DHCP r...

Страница 63: ...ess the DHCP server pings the IP address If the server receives a response within the specified period it selects and pings another IP address If it does not receive a response the server continues to ping the IP address until a specific number of ping packets are sent If it still does not receive a response the server assigns the IP address to the requesting client DHCP relay agent The DHCP relay...

Страница 64: ...TP or HTTPS to prevent unauthorized Web access If you does not specify an ACL for HTTP or HTTPS or the specified ACL does not exist or does not have rules the device permits all HTTP or HTTPS logins If the specifies ACL has rules only users permitted by the ACL can log in to the Web interface through HTTP or HTTPS SSH SSH is not available in Release 3111P02 Secure Shell SSH is a network security p...

Страница 65: ...e value is in the range of 1 to 15 A smaller value represents a higher accuracy If the devices in a network cannot synchronize to an authoritative time source you can perform the following tasks Select a device that has a relatively accurate clock from the network Use the local clock of the device as the reference clock to synchronize other devices in the network You can configure the local clock ...

Страница 66: ...termined by the subtree OID 1 3 6 1 6 1 2 1 and the subtree mask 0xDB 11011011 in binary includes all the nodes under the subtree OID 1 3 1 6 2 1 where represents any number NOTE If the number of bits in the subtree mask is greater than the number of nodes of the OID the excessive bits of the subtree mask will be ignored during subtree mask OID matching If the number of bits in the subtree mask is...

Страница 67: ... the NMS uses Create an SNMPv3 group and assign the username to the group The user has the same access right as the group When you create the group specify one or more MIB views for the group The MIB views include read only MIB view read write MIB view or notify MIB view You can specify only one MIB view of a type for a group Read only MIB view only allows the group to read the values of the objec...

Страница 68: ...ons depend on the modules that use ACLs ACL types and match criteria Table 15 shows the ACL types available on the switch and the fields that can be used to filter or match traffic Table 15 ACL types and match criteria Type ACL number IP version Match criteria Basic ACLs 2000 to 2999 IPv4 Source IPv4 address IPv6 Source IPv6 address Advanced ACLs 3000 to 3999 IPv4 Source IPv4 address Destination I...

Страница 69: ... earlier Ethernet frame header ACL 1 More 1s in the source MAC address mask more 1s means a smaller MAC address 2 More 1s in the destination MAC address mask 3 Rule configured earlier NOTE A wildcard mask also called an inverse mask is a 32 bit binary number represented in dotted decimal notation In contrast to a network mask the 0 bits in a wildcard mask represent do care bits and the 1 bits repr...

Страница 70: ... can include multiple periodic statements and absolute statements The active period of a time range is calculated as follows 1 Combining all periodic statements 2 Combining all absolute statements 3 Taking the intersection of the two statement sets as the active period of the time range SSL Secure Sockets Layer SSL is a cryptographic protocol that provides communication security for TCP based appl...

Страница 71: ... device is replaced The local certificate has expired Managing peer public keys To encrypt information sent to a peer device or authenticate the digital signature of the peer device you must configure the peer device s public key on the local device You can import view and delete peer public keys on the local device Table 17 describes the peer public key configuration methods Table 17 Peer public ...

Страница 72: ...The chain of these certificates forms a chain of trust Local certificate Digital certificate issued by a CA to a PKI entity which contains the entity s public key CRL A certificate revocation list CRL is a list of serial numbers for certificates that have been revoked A CRL is created and signed by the CA that originally issued the certificates The CA publishes CRLs periodically to revoke certific...

Страница 73: ...I domain nor contained in the certificate to be imported When you import local certificates follow these guidelines If the certificate to be imported contains the CA certificate chain you also import the CA certificate by importing the local certificate You can directly import the local certificate if its associated CA certificate already exists on the device If the certificate file to be imported...

Страница 74: ... group Contains multiple attribute rules each defining a matching criterion for an attribute in the certificate issuer name subject name or alternative subject name field If a certificate matches all attribute rules in a certificate attribute group associated with an access control rule the system determines that the certificate matches the access control rule In this scenario the match process st...

Страница 75: ...ins the specified attribute value equ The DN is the same as the specified attribute value Any FQDN or IP address is the same as the specified attribute value nequ The DN is not the same as the specified attribute value None of the FQDNs or IP addresses are the same as the specified attribute value A certificate matches an attribute rule only if it contains an attribute that matches the criterion d...

Страница 76: ...erface The QoS policy applied to the outgoing traffic on an interface does not regulate local packets Local packets refer to critical protocol packets sent by the local system for operation maintenance The most common local packets include link maintenance packets VLAN The QoS policy takes effect on the traffic sent or received on all ports in the VLAN QoS policies cannot be applied to dynamic VLA...

Страница 77: ... queue with the second highest priority and so on You can assign mission critical packets to a high priority queue to make sure they are always serviced first Common service packets can be assigned to low priority queues to be transmitted when high priority queues are empty The disadvantage of SP queuing is that packets in the lower priority queues cannot be transmitted if packets exist in the hig...

Страница 78: ...s empty round robin queue scheduling is performed for group 2 On an interface enabled with group based WRR queuing you can assign queues to the SP group Queues in the SP group are scheduled with SP The SP group has higher scheduling priority than the WRR groups Only group based WRR queuing is supported in the current software version and only WRR group 1 is supported WFQ queuing Figure 11 WFQ queu...

Страница 79: ...and queue 2 are scheduled according to their weights WRR group 2 is scheduled when queue 7 queue 6 queue 5 queue 4 and queue 3 are all empty Queue 0 has the lowest priority and it is scheduled when all other queues are empty Priority mapping When a packet arrives a device assigns values of priority parameters to the packet for the purpose of queue scheduling and congestion control Priority mapping...

Страница 80: ...generation rate while bursty traffic is allowed A token bucket has the following configurable parameters Mean rate at which tokens are put into the bucket which is the permitted average rate of traffic It is typically set to the committed information rate CIR Burst size or the capacity of the token bucket It is the maximum traffic size permitted in each burst It is typically set to the committed b...

Страница 81: ...or scenarios where a few hosts exist on a LAN and their IP addresses are manually configured For example you can configure a static IPv4SG binding on an interface that connects to a server This binding allows the interface to receive packets only from the server Static IPv4SG bindings on an interface implements the following functions Filter incoming IPv4 packets on the interface Cooperate with AR...

Страница 82: ...tocol to support MAC based access control Port based access control Once an 802 1X user passes authentication on a port all subsequent users can access the network through the port without authentication When the authenticated user logs off all other users are logged off MAC based access control Each user is separately authenticated on a port When a user logs off no other online users are affected...

Страница 83: ...e 802 1X authentication Auth Fail VLAN The 802 1X Auth Fail VLAN on a port accommodates users who have failed 802 1X authentication because of the failure to comply with the organization s security strategy For example the VLAN accommodates users who have entered a wrong password The Auth Fail VLAN does not accommodate 802 1X users who have failed authentication for authentication timeouts or netw...

Страница 84: ...the user logs off the initial PVID of the port is restored If the authentication server does not authorize a VLAN the initial PVID applies The user and all subsequent 802 1X users are assigned to the initial port VLAN After the user logs off the port VLAN remains unchanged NOTE The initial PVID of an 802 1X enabled port refers to the PVID used by the port before the port is assigned to any 802 1X ...

Страница 85: ...access resources only in the 802 1X Auth Fail VLAN A user who has passed authentication fails reauthentication because all the RADIUS servers are unreachable and the user is logged out of the device The device assigns the 802 1X critical VLAN to the port as the PVID Mandatory authentication domain You can place all 802 1X users in a mandatory authentication domain for authentication authorization ...

Страница 86: ...ollowing order the port specific domain the global domain and the default domain Offline detect timer This timer sets the interval that the device waits for traffic from a user before the device regards the user idle If a user connection has been idle within the interval the device logs the user out and stops accounting for the user Quiet timer This timer sets the interval that the device must wai...

Страница 87: ...rver model When no server is reachable for MAC reauthentication the device keeps the MAC authentication users online or logs off the users depending on the keep online feature configuration on the device Keep online By default the device logs off online MAC authentication users if no server is reachable for MAC reauthentication The keep online feature keeps authenticated MAC authentication users o...

Страница 88: ...upports the following categories of security modes MAC learning control Includes two modes autoLearn and secure MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode Authentication Security modes in this category implement MAC authentication 802 1X authentication or a combination of these two authentication methods Upon receiving a frame the port in a security m...

Страница 89: ...rt in secure mode A port in secure mode allows only frames sourced from the following MAC addresses to pass Secure MAC addresses Manually configured static and dynamic MAC addresses Perform 802 1X authentication userLogin A port in this mode performs 802 1X authentication and implements port based access control The port can service multiple 802 1X users Once an 802 1X user passes authentication o...

Страница 90: ...dressElseUserLoginSecure mode except that this mode supports multiple 802 1X and MAC authentication users as the Ext keyword implies Port security features Intrusion protection mode The intrusion protection feature checks the source MAC addresses in inbound frames for illegal frames and takes one of the following actions in response to illegal frames Block MAC Adds the source MAC addresses of ille...

Страница 91: ...ticky MAC addresses and you can manually configure sticky MAC addresses Authorization information ignore A port can be configured to ignore the authorization information received from the server local or remote after an 802 1X or MAC authentication user passes authentication Max users This function specifies the maximum number of secure MAC addresses that port security allows on a port The maximum...

Страница 92: ...s this problem the access device needs to be able to detect the reachability changes of the portal server quickly and take corresponding actions to deal with the changes With the detection feature enabled the device periodically detects portal login logout or heartbeat packets sent by a portal authentication server to determine the reachability of the server If the device receives a portal packet ...

Страница 93: ...l authentication process cannot complete if the communication between the access device and the portal Web server is broken To address this problem you can enable portal Web server detection on the access device With the portal Web server detection feature the access device simulates a Web access process to initiate a TCP connection to the portal Web server If the TCP connection can be established...

Страница 94: ...luding the page elements that the authentication pages will use for example back jpg for authentication page Logon htm Follow the authentication page customization rules when you edit the authentication page files File name rules The names of the main authentication page files are fixed see Table 20 You can define the names of the files other than the main authentication page files File names and ...

Страница 95: ...Authentication pages logonSuccess htm and online htm must contain the logoff Post request The following example shows part of the script in page online htm form action logon cgi method post p input type SUBMIT value Logoff name PtButton style width 60px form Page file compression and saving rules You must compress the authentication pages and their page elements into a standard zip file The name o...

Страница 96: ...nable fail permit for both a portal authentication server and a portal Web server on an interface the interface performs the following operations Disables portal authentication when either server is unreachable Resumes portal authentication when both servers are reachable After portal authentication resumes unauthenticated users must pass portal authentication to access the network Users who have ...

Страница 97: ...The device supports the following authentication methods No authentication This method trusts all users and does not perform authentication For security purposes do not use this method Local authentication The device authenticates users by itself based on the locally configured user information including the usernames passwords and attributes Local authentication allows high speed and low cost but...

Страница 98: ...ferent ISPs The device supports multiple ISP domains including a system defined ISP domain named system One of the ISP domains is the default domain If a user does not provide an ISP domain name for authentication the device considers the user belongs to the default ISP domain The device chooses an authentication domain for each user in the following order The authentication domain specified for t...

Страница 99: ...ADIUS server considers them to be online You can configure the interval for which the device waits to resend the accounting on packet and the maximum number of retries The RADIUS server must run on IMC to correctly log out users when a card reboots on the distributed device to which the users connect Session control A RADIUS server running on IMC can use session control packets to inform disconnec...

Страница 100: ...wer module fails or the fan tray fails 3 Error Error condition For example the link state changes or a storage card is unplugged 4 Warning Warning condition For example an interface is disconnected or the memory resources are used up 5 Notification Normal but significant condition For example a terminal logs in to the device or the device reboots 6 Informational Informational message For example a...

Страница 101: ...ress of the NTP server select the unicast server mode and enter the authentication key ID 2 Configure the NTP server On the NTP server enable the NTP service and configure NTP authentication on the NTP server For more information about the configuration procedure see the NTP server documentation Details not shown Verifying the configuration Verify that the system clock is in synchronized state and...

Страница 102: ...work admin user role Select HTTP as the permitted access type 3 Enable the HTTP and HTTPS services a From the navigation tree select Network Service HTTP HTTPS b Enable the HTTP service c Enable the HTTPS service Verifying the configuration 1 Verify that the administrator account is successfully added Details not shown 2 Enter http 192 168 1 20 in the address bar to verify the following items You ...

Страница 103: ...ndings link and then access the details page for IRF port 1 to assign XGE 1 0 49 and XGE 1 0 50 to IRF port 1 d Click the advanced link to perform the following tasks Set the domain ID to 10 If the software version is Release 3111P02 save the running configuration and then reboot the device If the software version is Release 5103P03 activate IRF port configuration save the running the configuratio...

Страница 104: ...navigation tree select Device Virtualization IRF 3 Access the topology information page to verify the following items The stack contains member device 2 Switch A and member device 3 Switch B The stack ports are connected NTP configuration example Network requirements As shown in Figure 15 Configure the local clock of Device A as a reference source with the stratum level 2 Set Device B to client mo...

Страница 105: ...access all nodes in the default MIB view Configure an IPv4 basic ACL to allow only the SNMPv2c NMS at 1 1 1 2 24 to use community name readandwrite to access the device e Enable traps and set the destination host to 1 1 1 2 with the security string readandwrite and security model v2c 2 Configure the SNMP NMS a Specify SNMPv2c b Create read and write community readandwrite For information about con...

Страница 106: ...tEthernet 1 0 3 to the tagged port list 3 Configure Switch B in the same way Switch A is configured Details not shown Verifying the configuration 1 Access the link aggregation page and verify that ports GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 have been assigned to the link aggregation group Details not shown 2 Verify that Host A can ping Host B Details not shown 3 Verify that Host A ca...

Страница 107: ...ts As shown in Figure 19 Host A and Host C belong to Department A VLAN 100 is assigned to Department A Host B and Host D belong to Department B VLAN 200 is assigned to Department B Configure VLANs so that only hosts in the same department can communicate with each other Figure 19 Network diagram Configuration procedure 1 Configure Switch A a From the navigation tree select Network Links VLAN b Cre...

Страница 108: ... neither of them can ping Host A or Host C Details not shown Voice VLAN configuration example Network requirements As shown in Figure 20 IP phone A sends and recognizes only untagged voice packets To enable GigabitEthernet 1 0 1 to transmit only voice packets perform the following tasks on Switch A Create VLAN 2 This VLAN will be used as a voice VLAN Add GigabitEthernet 1 0 1 to VLAN 2 Add the OUI...

Страница 109: ...dd a blackhole MAC address entry for Host B Set the aging timer to 500 seconds for dynamic MAC address entries Figure 21 Network diagram Configuration procedure 1 From the navigation tree select Network Links MAC 2 Add a static MAC address entry for the MAC address 000f e235 dc71 The outgoing interface is GigabitEthernet 1 0 1 and the VLAN is 1 3 Add a blackhole MAC address entry for the MAC addre...

Страница 110: ...t c Configure VLANs on Switch C From the navigation tree select Network Links VLAN Create VLAN 10 Access the details page for VLAN 10 Add ports GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 to the tagged port list d Configure VLANs on Switch D From the navigation tree select Network Links VLAN Create VLAN 30 Access the details page for VLAN 30 Add ports GigabitEthernet 1 0 1 and GigabitEthernet ...

Страница 111: ...frames Then Switch A can discover neighbors 2 Configure LLDP on Switch B a From the navigation tree select Network Links LLDP b Enable LLDP globally on Switch B c Access the interface status page and enable LLDP on GigabitEthernet 1 0 1 d Access interface configuration page of advanced settings to perform the following tasks Enable the nearest bridge agent function on GigabitEthernet 1 0 1 Configu...

Страница 112: ...nterface that connects to the client to record DHCP snooping entries 4 Access the advanced settings page to perform the following tasks Save the DHCP snooping entries to a remote server Specify the URL as ftp 10 1 1 1 database dhcp Specify the username and password for logging into the remote server Verifying the configuration 1 Verify that the DHCP client can obtain an IP address and configuratio...

Страница 113: ...a From the navigation tree select Network IP ARP b Access the page for adding a static ARP entry to perform the following tasks Configure the IP as 192 168 1 1 Configure the MAC address as 10 e0 fc 01 00 01 Configure VLAN 10 for the entry Select GigabitEthernet 1 0 1 for the entry Verifying the configuration Verify that the static ARP entry is successfully added Details not shown Static DNS config...

Страница 114: ...s The switch can use static domain name resolution to resolve domain name host com into IP address 10 1 1 2 Dynamic DNS configuration example Network requirements As shown in Figure 27 the DNS server at 2 1 1 2 16 has a com domain that stores the mapping between domain name host and IP address 3 1 1 1 16 Configure dynamic DNS and the DNS suffix com on the device that acts as a DNS client The devic...

Страница 115: ...er and the DDNS server can update the mapping on the DNS server Configure DNS on the switch so that the switch can resolve www 3322 org into the IP address 61 160 239 78 Figure 28 Network diagram Configuration procedure 1 On the DDNS server create an account Access the website at http www 3322 org and set the account name to abc and the password to 123 Details not shown 2 On the DNS server create ...

Страница 116: ...Network IP DNS d Configure the IP address of the DNS server as 1 1 1 1 Verifying the configuration 1 Change the IP address of the VLAN interface 10 on the switch to 2 1 1 2 24 2 After a period ping the domain name whatever 3322 org from the host to verify that the domain name is resolved to the IP address 2 1 1 2 Static IPv6 address configuration example Network requirements As shown in Figure 29 ...

Страница 117: ...on Switch A generates an IPv6 global unicast addresses through stateless address autoconfiguration Figure 30 Network diagram Configuration procedure 1 Configure Switch B a From the navigation tree select Network Links VLAN b Create VLAN 10 c Access the details page for VLAN 10 to perform the following tasks Add GigabitEthernet 1 0 2 to the tagged port list Create VLAN interface 10 Assign the IP ad...

Страница 118: ...FF FE5A 2AC8 and the address prefix is the same as that advertised by Switch B Port mirroring configuration example Network requirements As shown in Figure 31 GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 of the switch are connected to the marketing department and the technical department respectively The switch is connected to the server through GigabitEthernet 1 0 3 Configure local port mirror...

Страница 119: ...igation tree select Network Routing Static Routing b Configure the route Set the destination address to 0 0 0 0 Set the mask length to 0 Set the next hop address to 1 1 4 2 Switch B NOTE If the switch has only one uplink port you only need to configure a default route that points to the upstream device 2 On Switch B configure static routes to reach Host A and Host C a Configure a static route to t...

Страница 120: ...er 5 b Set the match mode to permit c Select the IPv4 ACL match criterion d Create an IPv4 advanced ACL 3001 and configure a rule to permit TCP packets e Select IPv4 ACL 3001 as the match criterion for the policy pbr f Set the next hop address to 1 1 2 2 for matching packets 4 Click Forwarding policy of locally generated IP packets and choose pbr to apply the policy to the local device Verifying t...

Страница 121: ...e the source IP address of IGMP queries as a non zero IP address Figure 34 Network diagram Configuration procedure 1 Configure Switch A a From the navigation tree select Network Multicast IGMP Snooping b Enable IGMP snooping for VLAN 1 c Specify the IGMP snooping version as 2 d Enable dropping unknown multicast data e Enable the switch to act as the IGMP querier f Set the source IP address to 192 ...

Страница 122: ...snooping configuration example Network requirements As shown in Figure 35 The network is a Layer 2 only network Host A and Host B are receivers of IPv6 multicast group FF1E 101 All host receivers run MLDv1 and all switches run MLDv1 snooping Switch A which is close to the multicast source acts as the MLD querier To prevent the switches from flooding unknown packets in the VLAN enable all the switc...

Страница 123: ...ntries to check that the forwarding entry for the IPv6 multicast group exists DHCP configuration example Network requirements As shown in Figure 36 the DHCP client and the DHCP server are on different subnets Configure the DHCP relay agent on switch B so that the DHCP client can obtain IP addresses through DHCP Figure 36 Network diagram Configuration procedure 1 Configure the DHCP server a From th...

Страница 124: ...service Configure VLAN interface 10 to operate in DHCP relay agent mode Specify the IP address of the DHCP server as 10 1 1 1 g Access the advanced settings page to perform the following tasks Enable the DHCP relay agent to record client information Enable the relay agent to fresh relay entries periodically Set the refresh internal to 100 seconds 3 Configure the DHCP client a From the navigation t...

Страница 125: ... Enable the Stelnet service 3 Configure the VLAN and VLAN interface a From the navigation tree select Network Links VLAN b Create VLAN 2 c Add port GigabitEthernet 1 0 2 to the untagged port list of VLAN 2 d Create VLAN interface 2 and configure its IP address as 192 168 1 40 24 4 Configure the Stelnet client login authentication method as scheme a Log in to the switch through the console port b C...

Страница 126: ...2 1 1 The rate of traffic for accessing the Internet is limited to 15 Mbps Figure 38 Network diagram Configuration procedure 1 Configure QoS policies a From the navigation tree select QoS QoS QoS Policy b Apply a QoS policy to the incoming traffic of GigabitEthernet 1 0 2 c Access the details page for the QoS policy to modify the applied QoS policy as follows Create IPv4 ACL 2000 and add a rule to...

Страница 127: ...ce values 0 1 and 2 respectively 3 Configure hardware queuing a From the navigation tree select QoS QoS Hardware Queuing b Access the details page for GigabitEthernet 1 0 1 to perform the following tasks Configure the queuing algorithm as WRR byte count Modify the byte counts of queues 0 1 and 2 as 2 1 and 1 respectively 4 Configure rate limit a From the navigation tree select QoS QoS Rate Limit b...

Страница 128: ...Permit 256 Source 192 168 2 0 0 0 0 255 Destination 192 168 0 100 0 Create a time range named work Specify the start time as 08 00 Specify the end time as 18 00 Select Monday through Friday Deny 256 Destination 192 168 0 100 0 N A 4 Enable rule match counting for the ACL Verifying the configuration 1 Ping the database server from different departments to verify the following items You can access t...

Страница 129: ... 1 and MAC address 00 01 02 03 04 06 d Add an IP source guard entry for Host C The entry contains interface GigabitEthernet 1 0 2 IP address 192 168 0 3 and MAC address 00 01 02 03 04 05 2 Configure Device B a Configure IP addresses for the interfaces Details not shown b From the navigation tree select Security Packet Filter IP Source Guard c Add an IP source guard entry for Host B The entry conta...

Страница 130: ...DIUS server Use name as the authentication and accounting shared keys for secure RADIUS communication between the switch and the RADIUS server Use ports 1812 and 1813 for authentication and accounting respectively Figure 41 Network diagram Configuration procedure 1 Configure IP addresses for the interfaces as shown in Figure 38 Details not shown 2 Configure a RADIUS scheme on the switch a From the...

Страница 131: ...e navigation tree select Security Authentication RADIUS 2 Verify the configuration of RADIUS scheme 802 1X Details not shown 3 From the navigation tree select Security Authentication ISP Domains 4 Verify the configuration of ISP domain dm1X Details not shown 5 Use the configured user account to pass authentication 6 From the navigation tree select Security Access Control 802 1X 7 Verify that the n...

Страница 132: ...iguration of local user dotuser Details not shown 3 From the navigation tree select Security Authentication ISP Domains 4 Verify the configuration of ISP domain abc Details not shown 5 Use the user account dotuser and password 12345 to pass authentication 6 From the navigation tree select Security Access Control 802 1X 7 Verify that the number of online users is not 0 on GigabitEthernet 1 0 1 Deta...

Страница 133: ...r 3 Configure an ISP domain on the switch a From the navigation tree select Security Authentication ISP Domains b Add ISP domain macauth and set the domain state to Active c Set the access service to LAN access d Configure the ISP domain to use RADIUS scheme macauth for authentication authorization and accounting of LAN users 4 Configure MAC authentication on the switch a From the navigation tree ...

Страница 134: ...WithOUI mode to control Internet access of users Configure the switch to meet the following requirements Use the RADIUS server to perform authentication authorization and accounting for users Use name as the authentication and accounting shared keys for secure RADIUS communication between the switch and the RADIUS server Use ports 1812 and 1813 for authentication and accounting respectively Authen...

Страница 135: ...h a From the navigation tree select Security Access Control Port Security b Enable port security c On the advanced settings page for GigabitEthernet 1 0 1 set the port security mode to userLoginWithOUI d On the 802 1X tab of the advanced settings page for GigabitEthernet 1 0 1 set the 802 1X mandatory domain to portsec e On the advanced settings page for port security add five OUI values to the OU...

Страница 136: ...igure a RADIUS scheme on the switch a From the navigation tree select Security Authentication RADIUS b Add RADIUS scheme rs1 c Configure the primary authentication server Set the IP address to 192 168 0 112 Set the authentication port number to 1812 Set the shared key to radius Set the server state to Active d Configure the primary accounting server Set the IP address to 192 168 0 112 Set the acco...

Страница 137: ... port to 50100 c Add a portal Web server Specify the server name as newpt Specify the URL The URL must be the same as the URL of the portal Web server used in the network This example uses http 192 168 0 111 8080 portal d Add an interface policy Select interface VLAN interface 100 In the IPv4 configuration area enable portal authentication and select the Direct method Select portal Web server newp...

Страница 138: ...tion tree select Security Authentication RADIUS b Add RADIUS scheme rs1 c Configure the primary authentication server Set the IP address to 192 168 0 113 Set the authentication port number to 1812 Set the shared key to radius Set the server state to Active d Configure the primary accounting server Set the IP address to 192 168 0 113 Set the accounting port number to 1813 Set the shared key to radi...

Страница 139: ...ay agent mode d Configure the IP address of the DHCP server as 192 168 0 112 e Open the DHCP server advanced settings page and enable the Record DHCP relay client information feature 6 Configure authorized ARP on the switch a From the navigation tree select Network IP ARP b Open the advanced settings page c Open the ARP attack protection page d Enable authorized ARP on VLAN interface 100 7 Configu...

Страница 140: ...own in Figure 47 Switch A supports portal authentication The host accesses Switch A through Switch B A portal server acts as both a portal authentication server and a portal Web server A RADIUS server acts as the authentication accounting server Configure Switch A for cross subnet portal authentication Before passing the authentication the host can access only the portal Web server After passing t...

Страница 141: ...the VLAN and the VLAN interface on Switch A a From the navigation tree select Network Links VLAN b Create VLAN 4 c Open the details page for VLAN 4 d Create VLAN interface 4 and assign IP address 20 20 20 1 to it 5 Configure portal authentication on Switch A a From the navigation tree select Security Access Control Portal b Add a portal authentication server Specify the server name as newpt Specif...

Страница 142: ...eb server A RADIUS server acts as the authentication accounting server Configure direct portal authentication on the switch Before a user passes portal authentication the user can access only the local portal Web server After passing portal authentication the user can access other network resources Figure 48 Network diagram Configuration procedure 1 Configure a RADIUS scheme on the switch a From t...

Страница 143: ...Web server Specify the server name as newpt Specify the URL as http 2 2 2 1 2331 portal The URL can be the IP address of the interface enabled with portal authentication or a loopback interface s address other than 127 0 0 1 c Add a local portal Web server Select HTTP Select the default logon page abc zip The default logon page file must have existed in the root directory of the switch s storage m...

Страница 144: ...y pairs for SSH a From the navigation tree select Resources Public key Public key b Add local DSA ECDSA and RSA key pairs 2 Configure the SSH server a From the navigation tree select Network Service SSH b Enable the Stelnet service 3 Configure the VLAN and VLAN interface a From the navigation tree select Network Links VLAN b Create VLAN 2 c Access the details page for VLAN 2 to perform the followi...

Страница 145: ...Add a user account on the server Details not shown Configure the authentication authorization and accounting settings Details not shown Configure the user role feature to assign authenticated SSH users the network admin user role Details not shown Verifying the configuration Initiate an SSH connection to the switch and enter the correct username and password The user logs in to the switch Verify t...

Страница 146: ...avigation tree select PoE PoE 2 Enable PoE for GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 set the power supply priority to critical 3 Enable PoE for GigabitEthernet 1 0 3 and set the maximum PoE power for the interface to 9000 milliwatts ...

Страница 147: ...v6 address prefix length ipv6 address prefix length default gateway ipv6 gateway address Assigns an IPv6 global unicast address to VLAN interface 1 ipsetup ipv6 auto Enables VLAN interface 1 to obtain an IPv6 global unicast address through stateless autoconfiguration password Modifies the login password for a user ping host Identifies whether the destination IPv4 address is reachable and display r...

Страница 148: ... use of Hewlett Packard Enterprise support personnel when troubleshooting an issue This is not a supported feature for operation in customer networks Restores the default display poe pse Use display poe pse to display PSE information Syntax display poe pse pse id Views User view Predefined user roles network admin network operator Parameters pse id Specifies a PSE by its ID Usage guidelines If you...

Страница 149: ... Max Power Maximum power of the PSE Remaining Guaranteed Power Remaining guaranteed power of the PSE Maximum guaranteed power of the PSE Total maximum power of all critical PIs of the PSE PSE CPLD Version PSE CPLD version number PSE Software Version PSE software version number PSE Hardware Version PSE hardware version number Legacy PD Detection Nonstandard PD detection status Enabled Disabled Powe...

Страница 150: ...User view Predefined user roles network admin Usage guidelines You can use either of the following methods to assign an IPv4 address to VLAN interface 1 DHCP VLAN interface 1 acts as a DHCP client to dynamically obtain an IPv4 address from the DHCP server Manual Allows you to use the ipsetup ip address command to assign an IPv4 address to this interface Whichever method is used the newly obtained ...

Страница 151: ...N interface 1 DHCP VLAN interface 1 acts as a DHCP client to dynamically obtain an IPv4 address from the DHCP server Manual Allows you to use the ipsetup ip address command to assign an IPv4 address to this interface Whichever method is used the newly obtained IPv4 address overwrites the existing IPv4 address Examples Assign 192 168 1 2 to the interface and specify 192 168 1 1 as the default gatew...

Страница 152: ...interface 1 and specify 2 3 as the default gateway Sysname ipsetup ipv6 address 2 2 64 default gateway 2 3 Related commands ipsetup ipv6 auto ipsetup ipv6 auto Use ipsetup ipv6 auto to configure VLAN interface 1 to obtain an IPv6 global unicast address through stateless autoconfiguration Syntax ipsetup ipv6 auto Default No IPv6 global unicast address can be obtained for VLAN interface 1 through st...

Страница 153: ...lay related statistics Syntax ping host Views User view Predefined user roles network admin Parameters host Specifies the destination IPv4 address or host name The host name must be a case insensitive string of 1 to 253 characters that can contain only letters digits hyphens underscores _ and dots Usage guidelines To terminate a ping operation press Ctrl C Examples Ping IP address 1 1 2 2 Sysname ...

Страница 154: ...ring of 1 to 253 characters that can contain only letters digits hyphens underscores _ and dots Usage guidelines To terminate a ping operation press Ctrl C Examples Ping IPv6 address 2001 2 Sysname ping ipv6 2001 2 Ping6 56 data bytes 2001 1 2001 2 press CTRL_C to break 56 bytes from 2001 2 icmp_seq 0 hlim 64 time 62 000 ms 56 bytes from 2001 2 icmp_seq 1 hlim 64 time 23 000 ms 56 bytes from 2001 ...

Страница 155: ...ice in either of the following modes Refresh mode Updates the PSE firmware without deleting it You can use the refresh mode in most cases Full mode Deletes the current PSE firmware and reloads a new one Use the full mode if the PSE firmware is damaged and you cannot execute any PoE commands Examples Upgrade the firmware of PSE 7 in service Sysname poe update refresh POE 168 bin pse 7 quit Use quit...

Страница 156: ...For data security the device does not reboot if you reboot the device while the device is performing file operations Use the force keyword only when the device fails or a reboot command without the force keyword cannot perform a reboot task correctly A reboot command with the force keyword might result in file system corruption because it does not perform data protection Examples Reboot all stack ...

Страница 157: ...IPv6 subnet mask length IPv6 global address IPv6 subnet mask length IPv6 default gateway Software images on slot 1 Current software images flash 1950 cmw710 boot r3111p02 bin flash 1950 cmw710 system r3111p02 bin Main startup software images flash 1950 cmw710 boot r3111p02 bin flash 1950 cmw710 system r3111p02 bin Backup startup software images flash 1950 cmw710 boot a0007 ft bin flash 1950 cmw710...

Страница 158: ...contain only letters digits hyphens underscores _ and dots service port Specifies the TCP port number for the Telnet service on the remote host The value range is 0 to 65535 and the default is 23 source Specifies a source IPv4 address or source interface for outgoing Telnet packets If you do not specify this keyword the command uses the primary IPv4 address of the routing outbound interface as the...

Страница 159: ...remote host The value range is 0 to 65535 and the default is 23 Usage guidelines To terminate the current Telnet connection press Ctrl K or execute the quit command Examples Telnet to the host at 5000 1 Sysname telnet ipv6 5000 1 transceiver phony alarm disable Use transceiver phony alarm disable to disable transceiver module source alarm Use undo transceiver phony alarm disable to enable transcei...

Страница 160: ...ase insensitive string The file must be stored in the root directory of a storage medium in the system The value range is 1 to 63 characters for the storage medium base filename bin segments of the file path This length limit does not include the stack member ID or slot number in front of the storage medium segment system system package Specifies the file path of a bin system image file a case ins...

Страница 161: ...om bin already exists Overwrite Y N y Verifying server file Downloading file boot bin from remote TFTP server please wait Done This command will upgrade the Boot ROM file on the specified board s Continue Y N y Now Upgrade the Boot ROM of slot 1 please wait Done Download file all ipe from the root directory of the TFTP server and use the ipe file at the next startup Sysname upgrade 192 168 8 2 run...

Страница 162: ...s the main startup software images at the next reboot on slot 1 xtd cli mode Use xtd cli mode to switch to extended CLI mode Use undo xtd cli mode to restore the default Syntax xtd cli mode undo xtd cli mode Default You can display and execute part of the commands on the device Views User view Predefined user roles network admin Usage guidelines Extended CLI is for the use of Hewlett Packard Enter...

Страница 163: ...g Extended CLI mode is intended for developers to test the system Before using commands in extended CLI mode contact the Technical Support and make sure you know the potential impact on the device and the network ...

Страница 164: ... which you select at least one x y Asterisk marked square brackets enclose optional syntax choices separated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI conventions Convention Description Boldface Window names...

Страница 165: ...rwarding and other Layer 2 features Represents an access controller a unified wired WLAN module or the access controller engine on a unified wired WLAN switch Represents an access point Represents a wireless terminator unit Represents a wireless terminator Represents a mesh access point Represents omnidirectional signals Represents directional signals Represents a security product such as a firewa...

Страница 166: ...s provide a mechanism for accessing software updates through the product interface Review your product documentation to identify the recommended software update method To download product updates go to either of the following Hewlett Packard Enterprise Support Center Get connected with updates page www hpe com support e updates Software Depot website www hpe com support softwaredepot To view and u...

Страница 167: ...r self repair CSR programs allow you to repair your product If a CSR part needs to be replaced it will be shipped directly to you so that you can install it at your convenience Some parts do not qualify for CSR Your Hewlett Packard Enterprise authorized service provider will determine whether a repair can be accomplished by CSR For more information about CSR contact your local service provider or ...

Страница 168: ...number edition and publication date located on the front cover of the document For online help content include the product name product version help edition and publication date located on the legal notices page ...

Страница 169: ...sequence 54 DHCP IP address conflict detection 55 IP 39 IP address classes 39 Address Resolution Protocol Use ARP administrator configuration 93 password control 20 22 RBAC 20 21 user account 20 21 aggregating link See Ethernet link aggregation aging MAC address table timer 34 allocating DHCP IP address allocation sequence 54 alternate port MST 35 Anycast IPv6 address type 46 applying PBR apply cl...

Страница 170: ...ntication 122 AAA TACACS server SSH user 136 administrator 93 ARP 40 ARP static entry 104 DDNS 45 DDNS www 3322 org 107 device maintenance 93 DHCP 115 DHCP snooping 103 direct security portal authentication local portal Web server 87 Ethernet link aggregation 27 97 examples 93 interface storm control 31 IP 39 IP source guard IPSG 73 IPv4 dynamic DNS 106 IPv4 local PBR 112 IPv4 source guard static ...

Страница 171: ...e also Option relay agent 55 relay agent entry periodic refresh 55 relay agent relay entry recording 55 snooping See DHCP snooping DHCP snooping configuration 103 discarding MST discarding port state 36 displaying settings of table entry 9 DNS 45 See also DDNS DDNS configuration 45 DDNS configuration www 3322 org 107 dynamic domain name resolution 44 IPv4 dynamic DNS 106 IPv4 static DNS 105 proxy ...

Страница 172: ...eriodic packet send 41 group Ethernet link aggregation group 27 Ethernet link aggregation member port state 27 guest VLAN 802 1X authentication 76 H hardware congestion management queue scheduling profile 71 hardware queuing configuration 68 SP queuing 69 WFQ queuing 70 WRR queuing 69 I ICMPv6 IPv6 ND protocol 49 icon Web interface 8 ID IP address class Host ID 39 IP address class Net ID 39 IGMP s...

Страница 173: ... proxy 51 IP source guard IPSG configuration 73 IPv4 See IPv4 source guard IPng 46 See also IPv6 IP to MAC DHCP snooping 38 IPv4 IP 39 IP address classes 39 IP addressing masking 39 IP addressing subnetting 39 IPv4 local PBR configuration 112 IPv4 source guard static binding configuration 121 IPv4 static routing configuration 111 IPv6 46 See also IPng address formats 46 address type 46 EUI 64 addr...

Страница 174: ...em log destinations 92 information center system log levels 92 login first time 3 Web interface 2 logout Web 4 loop spanning tree configuration 34 M MAC 802 1X MAC based access control 74 MAC address entry configuration 101 MAC address table address learning 34 configuration 33 dynamic aging timer 34 entry types 33 MAC addressing ARP 40 gratuitous ARP 41 IP services gratuitous ARP packet learning ...

Страница 175: ...hbor entry 49 IPv6 ND protocol 49 network 802 1X architecture 73 802 1X authentication method 74 802 1X authentication trigger 75 802 1X Auth Fail VLAN 75 802 1X authorization state 74 802 1X critical VLAN 76 802 1X EAD assistant 77 802 1X guest VLAN 76 802 1X local authentication configuration 123 802 1X mandatory authentication domain 77 802 1X online user handshake 75 802 1X periodic online use...

Страница 176: ...t 802 1X 73 ARP 40 ARP attack protection 41 DDNS configuration 45 DHCP 53 DHCP relay agent 55 DHCP server 53 DHCP snooping 38 DNS 44 Ethernet link aggregation configuration 27 FTP 57 gratuitous ARP 41 HTTP 56 HTTPS 56 IGMP snooping 53 IP 39 IPv4 local PBR configuration 112 IPv4 static routing configuration 111 IPv6 46 Layer 2 LAN switching port isolation configuration 31 LLDP configuration 36 MAC ...

Страница 177: ...uest rules 87 parameter IPv6 RA message parameter 49 password SSH Secure Telnet server configuration password authentication enabled 117 PBR policy 52 Track collaboration 53 performing saving configuration 9 Web basic tasks 9 periodic gratuitous ARP packet send 41 policy IPv4 local PBR configuration 112 PBR 52 52 QoS application 68 QoS definition 68 QoS policy configuration 68 policy based routing...

Страница 178: ...ing 121 configuring IPv4 static DNS 105 configuring IPv4 static routing 111 configuring IPv6 ND neighbor entry 49 configuring LLDP 103 configuring MAC address entry 101 configuring MSTP 101 configuring ND 109 configuring network services 97 configuring NTP 96 configuring PoE 137 configuring port isolation 98 configuring port mirroring 110 configuring QoS 118 configuring RADIUS based MAC authentica...

Страница 179: ...ueue scheduling profile 71 Secure Telnet server configuration password authentication enabled 117 security 802 1X 73 802 1X authentication method 74 802 1X authentication trigger 75 802 1X Auth Fail VLAN 75 802 1X critical VLAN 76 802 1X EAD assistant 77 802 1X guest VLAN 76 802 1X local authentication configuration 123 802 1X mandatory authentication domain 77 802 1X online user handshake 75 802 ...

Страница 180: ... IPv4 dynamic DNS 106 IPv4 source guard static binding configuration 121 IPv4 static DNS 105 MAC address table entry 33 routing See static routing storm interface storm control 31 STP mode set 35 subnetting IP addressing 39 suppressing interface storm control configuration 31 switch IPv4 local PBR configuration 112 IPv4 static routing configuration 111 system FTP 57 HTTP 56 HTTPS 56 information ce...

Страница 181: ...relay agent 55 DHCP server 53 IGMP snooping 53 interface configuration 32 IP source guard IPSG configuration 73 IPv4 source guard static binding configuration 121 Layer 2 LAN switching port isolation configuration 31 LLDP CDP compatibility 38 port mirroring configuration 52 port based configuration 31 QoS policy application 68 voice VLAN assignment mode 33 voice VLAN assignment mode automatic 33 v...

Страница 182: ...action protocols 86 portal Web server 85 RBAC 21 resources features 60 security features 73 SNTP operating mode 19 SNTP time source authentication 20 system time source 19 table page 6 user account management 21 using Web interface 5 webpage types 6 Web interface configuration page 7 feature page 6 layout 5 table page 6 webpage types 6 Web login concurrent login user 3 default settings 2 first tim...

Результаты поиска

Содержание OfficeConnect 1950 Series

Отзывы:

Похожие инструкции для OfficeConnect 1950 Series

Бренды по названию

Популярные бренды

HPE OfficeConnect 1950 Series, Руководство пользователя

Результаты поиска

Содержание OfficeConnect 1950 Series

Отзывы:

Похожие инструкции для OfficeConnect 1950 Series

Бренды по названию

Популярные бренды