QTech QSW-2800 series Скачать руководство пользователя страница 322

Страница: 322 / 415

+7(495) 797-3311 www.qtech.ru
Москва, Новозаводская ул., 18, стр. 1

308

Chapter 41 Security Feature Configuration

41.1 Introduction to Security

Feature

Before introducing the security features, we here first introduce the DoS. The DoS is short for

Denial of Service, which is a simple but effective destructive attack on the internet. The server

under DoS attack will drop normal user data packet due to non-

stop processing the attacker’s

data packet, leading to the denial of the service and worse can lead to leak of sensitive data of

the server.

Security feature refers to applications such as protocol check which is for protecting the server

from attacks such as DoS. The protocol check allows the user to drop matched packets based

on specified conditions. The security features provide several simple and effective protections

against Dos attacks while acting no influence on the linear forwarding performance of the

switch.

41.2 Security Feature

Configuration

41.2.1 Prevent IP Spoofing Function Configuration Task Sequence

1. Enable the IP spoofing function.

Command

Explanation

Global Mode

[no] dosattack-check srcip-equal-dstip

enable

Enable/disable the function of checking if the IP

source address is the same as the destination

address.

41.2.2 Prevent TCP Unauthorized Label Attack Function

Configuration Task Sequence

1. Enable the anti TCP unauthorized label attack function

Command

Explanation

Global Mode

Содержание QSW-2800 series

Страница 1: ...IC SWITCH CONFIGURATION 2 15 2 1 BASIC CONFIGURATION 2 15 2 2 TELNET MANAGEMENT 2 16 2 2 1 Telnet 2 16 2 2 2 SSH 2 18 2 3 CONFIGURE SWITCH IP ADDRESSES 2 19 2 3 1 Switch IP Addresses Configuration Tas...

Страница 2: ...EXAMPLES 5 50 CHAPTER 6 PORT LOOPBACK DETECTION FUNCTION CONFIGURATION6 51 6 1 INTRODUCTION TO PORT LOOPBACK DETECTION FUNCTION 6 51 6 2 PORT LOOPBACK DETECTION FUNCTION CONFIGURATION TASK LIST 6 52...

Страница 3: ...EXAMPLE 11 81 11 4 EFM OAM TROUBLESHOOTING 11 81 CHAPTER 12 PORT SECURITY 12 83 12 1 INTRODUCTION TO PORT SECURITY 12 83 12 2 PORT SECURITY CONFIGURATION TASK LIST 12 83 12 3 EXAMPLE OF PORT SECURITY...

Страница 4: ...to Selective QinQ 16 113 16 3 2 Selective QinQ Configuration 16 113 16 3 3 Typical Applications of Selective QinQ 16 114 16 3 4 Selective QinQ Troubleshooting 16 116 16 4 VLAN TRANSLATION CONFIGURATI...

Страница 5: ...TION 17 135 17 6 1 Introduction to MAC Notification 17 135 17 6 2 MAC Notification Configuration 17 135 17 6 3 MAC Notification Example 17 137 17 6 4 MAC Notification Troubleshooting 17 137 CHAPTER 18...

Страница 6: ...22 169 22 1 1 Introduction to Layer 3 Management Interface 22 169 22 1 2 Layer 3 Interface Configuration Task List 22 169 22 2 IP CONFIGURATION 22 170 22 2 1 Introduction to IPv4 IPv6 22 170 22 2 2 I...

Страница 7: ...RVER CONFIGURATION 27 190 27 3 DHCP RELAY CONFIGURATION 27 192 27 4 DHCP CONFIGURATION EXAMPLES 27 194 27 5 DHCP TROUBLESHOOTING 27 197 CHAPTER 28 DHCPV6 CONFIGURATION 28 199 28 1 INTRODUCTION TO DHCP...

Страница 8: ...DHCP SNOOPING 32 227 32 2 DHCP SNOOPING CONFIGURATION TASK SEQUENCE 32 228 32 3 DHCP SNOOPING TYPICAL APPLICATION 32 232 32 4 DHCP SNOOPING TROUBLESHOOTING HELP 32 233 32 4 1 Monitor and Debug Informa...

Страница 9: ...D Snooping Troubleshooting 35 257 CHAPTER 36 MULTICAST VLAN 36 258 36 1 INTRODUCTIONS TO MULTICAST VLAN 36 258 36 2 MULTICAST VLAN CONFIGURATION TASK LIST 36 258 36 3 MULTICAST VLAN EXAMPLES 36 259 CH...

Страница 10: ...BLESHOOTING HELP 39 303 CHAPTER 40 OPERATIONAL CONFIGURATION OF AM FUNCTION 40 305 40 1 INTRODUCTION TO AM FUNCTION 40 305 40 2 AM FUNCTION CONFIGURATION TASK LIST 40 305 40 3 AM FUNCTION EXAMPLE 40 3...

Страница 11: ...T 44 322 44 3 SSL TYPICAL EXAMPLE 44 323 44 4 SSL TROUBLESHOOTING 44 324 CHAPTER 45 IPV6 SECURITY RA CONFIGURATION 45 325 45 1 INTRODUCTION TO IPV6 SECURITY RA 45 325 45 2 IPV6 SECURITY RA CONFIGURATI...

Страница 12: ...CHAPTER 50 SAVI CONFIGURATION 50 349 50 1 INTRODUCTION TO SAVI 50 349 50 2 SAVI CONFIGURATION 50 349 50 3 SAVI TYPICAL APPLICATION 50 353 50 4 SAVI TROUBLESHOOTING 50 354 CHAPTER 51 MRPP CONFIGURATION...

Страница 13: ...55 4 SFLOW TROUBLESHOOTING 55 381 CHAPTER 56 SNTP CONFIGURATION 56 382 56 1 INTRODUCTION TO SNTP 56 382 56 2 TYPICAL EXAMPLES OF SNTP CONFIGURATION 56 383 CHAPTER 57 NTP FUNCTION CONFIGURATION 57 384...

Страница 14: ...TO RELOAD SWITCH AFTER SPECIFID TIME 60 398 60 2 RELOAD SWITCH AFTER SPECIFID TIME TASK LIST 60 398 CHAPTER 61 DEBUGGING AND DIAGNOSIS FOR PACKETS RECEIVED AND SENT BY CPU 61 399 61 1 INTRODUCTION TO...

Страница 15: ...IP address to the switch via the Console interface to be able to access the switch through Telnet The procedures for managing the switch via Console interface are listed below Step 1 setting up the en...

Страница 16: ...l Programs Accessories Communication HyperTerminal 2 Type a name for opening HyperTerminal such as Switch Opening HyperTerminal 3 In the Connecting using drop list select the RS 232 serial port used b...

Страница 17: ...that is the CLI configuration mode for Switch Testing RAM 0x077C0000 RAM OK Loading MiniBootROM Attaching to file system Loading nos img done Booting Starting at 0x10000 Attaching to file system Perfo...

Страница 18: ...with Telnet the following conditions should be met Switch has an IPv4 IPv6 address configured The host IP address Telnet client and the switch s VLAN interface IPv4 IPv6 address is in the same network...

Страница 19: ...vlan 1 Switch Config if Vlan1 ip address 10 1 128 251 255 255 255 0 Switch Config if Vlan1 no shutdown To enable the Telnet Server function users should type the CLI command telnet server enable in th...

Страница 20: ...he commands used in the Telnet CLI interface after login is the same as that in the Console interface Telnet Configuration Interface 1 1 2 2 Management via HTTP To manage the switch via HTTP the follo...

Страница 21: ...Firefox browser with 1 5 or later version For example if the IPv6 address of the switch is 3ffe 506 1 2 3 Input the IPv6 address of the switch is http 3ffe 506 1 2 3 and the address should draw togeth...

Страница 22: ...to find it and implement read write operation on it Details about how to manage switches via SNMP network management software will not be covered in this manual please refer to Snmp network managemen...

Страница 23: ...queries 1 2 1 2 Admin Mode To Admin Mode sees the following In user entry system if as Admin user it is defaulted to Admin Mode Admin Mode prompt Switch can be entered under the User Mode by running...

Страница 24: ...odes Interface Type Entry Operates Exit VLAN Interface Type interface vlan Vlan id command under Global Mode Configure switch IPs etc Use the exit command to return to Global Mode Ethernet Port Type i...

Страница 25: ...al Mode Configure parameters for Extended IP ACL Mode Use the exit command to return to Global Mode 1 2 2 Configuration Syntax Switch provides various configuration commands Although all the commands...

Страница 26: ...y entered commands you can use the Down key to return to the next command Left The cursor moves one character to the left You can use the Left and Right key to modify an entered command Right The curs...

Страница 27: ...mation error Output error message Explanation Unrecognized command or illegal parameter The entered command does not exist or there is error in parameter scope type or format Ambiguous command At leas...

Страница 28: ...7 3311 www qtech ru 18 1 14 command error if only show r is entered as Shell is unable to tell whether it is show run or show running config Therefore Shell will only recognize the command if sh ru is...

Страница 29: ...xit Exit current mode and enter previous mode such as using this command in global mode to go back to admin mode and back to normal user mode from admin mode show privilege Show privilege of the curre...

Страница 30: ...ion As a Telnet server switch allows up to 5 telnet client TCP connections And as Telnet client using telnet command under Admin Mode allows the user to login to the other remote hosts Switch can only...

Страница 31: ...web login Configure authentication method list with telnet authentication enable method1 method2 no authentication enable Configure the enable authentication method list authorization line console vty...

Страница 32: ...ssh server enable no ssh server enable Enable SSH function on the switch the no command disables SSH function username username privilege privilege password 0 7 password no username username Configure...

Страница 33: ...Switch IP Addresses All Ethernet ports of switch are default to Data Link layer ports and perform layer 2 forwarding VLAN interface represent a Layer 3 interface function which can be assigned an IP...

Страница 34: ...ddress ipv6 address prefix length Configure IPv6 address including aggregation global unicast address local site address and local link address The no command deletes IPv6 address 3 BOOTP configuratio...

Страница 35: ...e on the SNMP network management Agent is the server software runs on the devices which need to be managed NMS manages all the managed objects through Agents The switch supports Agent function The com...

Страница 36: ...ains an OID Object Identifier and a brief description about the node OID is a set of integers divided by periods It identifies the node and can be used to locate the node in a MID tree structure shown...

Страница 37: ...1 2 3 and 9 Statistics Maintain basic usage and error statistics for each subnet monitored by the Agent History Record periodical statistic samples available from Statistics Alarm Allow management co...

Страница 38: ...of SNMP management station Command Explanation Global Mode snmp server securityip ipv4 address ipv6 address no snmp server securityip ipv4 address ipv6 address Configure IPv4 IPv6 security address wh...

Страница 39: ...onfigure view Command Explanation Global Mode snmp server view view string oid string include exclude no snmp server view view string oid string Configure view on the switch This command is used for S...

Страница 40: ...below Switch config snmp server enable Switch config snmp server community rw private Switch config snmp server community ro public Switch config snmp server securityip 1 1 1 5 The NMS can use private...

Страница 41: ...tring to access the switch with read write permission or use public as the community string to access the switch with read only permission Scenario 6 NMS will receive Trap messages from the switch Not...

Страница 42: ...Shell 2 5 1 Switch System Files The system files includes system image file and boot file The updating of the switch is to update the two files by overwrite the old files with the new ones The system...

Страница 43: ...mode run setconfig to set the IP address and mask of the switch under BootROM mode server IP address and mask and select TFTP or FTP upgrade Suppose the switch address is 192 168 1 2 and PC address i...

Страница 44: ...e nos img exists overwrite Y N N y Writing nos img Write nos img OK Boot Step 6 The following update file boot rom the basic environment is the same as Step 4 Boot load boot rom Loading Loading file o...

Страница 45: ...es not provide file access authorization and uses simple authentication mechanism transfers username and password in plain text for authentication When using FTP to transfer files two connections need...

Страница 46: ...iguration sequence storage FLASH Flash memory used to save system file and configuration file System file including system image file and boot file System image file refers to the compressed file for...

Страница 47: ...e 2 5 3 2 FTP TFTP Configuration The configurations of switch as FTP and TFTP clients are almost the same so the configuration procedures for FTP and TFTP are described together in this manual 2 5 3 2...

Страница 48: ...rname and password this no command will delete the username and password 3 Modify FTP server connection idle time Command Explanation Global Mode ftp server timeout seconds Set connection idle time 3...

Страница 49: ...er to the switch FTP Configuration Computer side configuration Start the FTP server software on the computer and set the username Switch and the password superuser Place the 12_30_nos img file to the...

Страница 50: ...Vlan1 no shut Switch Config if Vlan1 exit Switch config ftp server enable Switch config username Admin password 0 superuser Computer side configuration Login to the switch with any FTP client software...

Страница 51: ...erver v2 5 build 6 for WinSock ready 331 User name okay need password 230 User logged in proceed 200 PORT Command successful 150 Opening ASCII mode data connection for bin ls recv total 480 nos img no...

Страница 52: ...the switch is upgrading system file or system start up file through FTP the switch must not be restarted until close ftp client or 226 Transfer complete is displayed indicating upgrade is successful...

Страница 53: ...ait recv 1526037 write ok transfer complete close tftp client If the switch is upgrading system file or system start up file through TFTP the switch must not be restarted until close tftp client is di...

Страница 54: ...dynamically add the candidate switches to the cluster which is already established Accordingly they can configure and manage the member switches through the commander switch When the member switches a...

Страница 55: ...ages of the cluster Set the max number of lost keep alive messages that can be tolerated in the cluster Remote cluster network management Remote configuration management Remotely upgrade member switch...

Страница 56: ...in the cluster Admin mode clear cluster nodes nodes sn candidate sn list mac address mac addr Clear nodes in the list of candidate switches maintained by the switch Command Explanation Global Mode clu...

Страница 57: ...xplanation Global Mode ip http server Enable http function in commander switch and member switch Notice must insure the http function be enabled in member switch when commander switch visiting member...

Страница 58: ...he command switch is correctly configured and the auto adding function cluster auto add is enabled If the ports connected the command switch and member switch belongs to the cluster vlan After cluster...

Страница 59: ...5 the command would look like interface ethernet 1 2 5 Port speed duplex mode and traffic control can be configured under Ethernet Port Mode causing the performance of the corresponding network ports...

Страница 60: ...phy integrated force1g half force1g full nonegotiate master slave force10g full no speed duplex Sets port speed and duplex mode of 100 1000Base TX or 100Base FX ports The no format of this command re...

Страница 61: ...this port and configure the recovery time the default is 300s The no command will disable the rate violation function of a port Global Mode port rate statistics interval interval value Configure the...

Страница 62: ...net1 8 1 9 Switch2 config monitor session 1 destination interface ethernet 1 10 Switch3 Switch3 config interface ethernet 1 12 Switch3 Config If Ethernet1 12 speed duplex force100 full Switch3 Config...

Страница 63: ...solation groups can a switch have 5 2 Task Sequence of Port Isolation 1 Create an isolate port group 2 Add Ethernet ports into the group 3 Display the configuration of port isolation 1 Create an isola...

Страница 64: ...gure above with e1 1 e1 10 and e1 15 all belonging to VLAN 100 The requirement is that after port isolation is enabled on switch S1 e1 1 and e1 10 on switch S1 can not communicate with each other whil...

Страница 65: ...source MAC is already learnt by the layer 2 device only with a different source port the original source port will be modified to the new one which means to correspond the original MAC address with th...

Страница 66: ...erval of loopback detection 2 Enable the function of port loopback detection lCommand Explanation Port Mode loopback detection specified vlan vlan list no loopback detection specified vlan vlan list E...

Страница 67: ...l mode automatic recovery enabled or not or recovery time 6 3 Port Loopback Detection Function Example Typical example of port loopback detection As shown in the above configuration the switch will de...

Страница 68: ...be globally enabled And the corresponding relation between the spanning tree instance and the VLAN should be configured Switch config spanning tree Switch config spanning tree mst configuration Switch...

Страница 69: ...the physical layer communication problems between the devices can not be found As shown in Graph the problem in fiber connection can not be found through mechanisms in physical layer like automatic ne...

Страница 70: ...s notification messages and adjust the local TTL time to live according to that interval Besides ULDP provides the reset mechanism when the port is disabled by ULDP it can check again through reset me...

Страница 71: ...port 5 Configure the method to shut down unidirectional link Command Explanation Global configuration mode uldp manual shutdown no uldp manual shutdown Configure the method to shut down unidirectiona...

Страница 72: ...sm interface ethernet IFname no debug uldp fsm interface ethernet IFname Enable or disable the debug switch of the state machine transition information on the specified port debug uldp error no debug...

Страница 73: ...won t be shut down Switch A configuration sequence SwitchA config uldp enable SwitchA config interface ethernet 1 1 SwitchA Config If Ethernet1 1 uldp enable SwitchA Config If Ethernet1 1 exit Switch...

Страница 74: ...s Down In order to make sure that neighbors can be correctly created and unidirectional links can be correctly discovered it is required that both end of the link should enable ULDP using the same aut...

Страница 75: ...to different parameters The Recovery timer is disabled by default and will only be enabled when the users have configured recovery time 30 86400 seconds Reset command and reset mechanism can only res...

Страница 76: ...ific LLDP defines a general advertisement information set a transportation advertisement protocol and a method to store the received advertisement information The device to advertise its own informati...

Страница 77: ...onfigure the intervals of LLDP updating messages 5 Configure the aging time multiplier of LLDP messages 6 Configure the sending delay of updating messages 7 Configure the intervals of sending Trap mes...

Страница 78: ...Global Mode lldp transmit delay seconds no lldp transmit delay Configure the sending delay of updating messages as the specified value or default value 7 Configure the intervals of sending Trap messa...

Страница 79: ...relative information of LLDP Command Explanation Admin Global Mode show lldp Display the current LLDP configuration information show lldp interface ethernet IFNAME Display the LLDP configuration info...

Страница 80: ...terface ethernet 1 4 SwitchA Config If Ethernet1 4 lldp transmit optional tlv portDesc sysCap SwitchA Config If Ethernet1 4 exit SWITCH B configuration task sequence SwitchB config lldp enable SwitchB...

Страница 81: ...and can not only add network s bandwidth but also provide link backup Port aggregation is usually used when the switch is connected to routers PCs or other switches Port aggregation As shown in the a...

Страница 82: ...ard to implement the link dynamic aggregation LACP protocol uses LACPDU Link Aggregation Control Protocol Data Unit to exchange the information with the other end After LACP protocol of the port is en...

Страница 83: ...t forward the data packets Because the limitation of the max port number in the aggregation group if the current number of the member ports exceeds the limitation of the max port number then the syste...

Страница 84: ...lance method for port group 5 Set the system priority of LACP protocol Command Explanation Global Mode port group port group number no port group port group number Create or delete a port group Comman...

Страница 85: ...8 9 10 of S2 are access ports and add them to group2 with passive mode All the ports should be connected with cables The configuration steps are listed below Switch1 config Switch1 config interface e...

Страница 86: ...pts ports aggregated successfully after a while now ports 1 2 3 4 of S1 form an aggregated port named Port Channel1 ports 6 8 9 10 of S2 form an aggregated port named Port Channel2 can be configured i...

Страница 87: ...ion finishes immediately when the command to add port 2 to port group 1 is entered port 1 and port 2 aggregate to be port channel 1 when port 3 joins port group 1 port channel 1 of port 1 and 2 are un...

Страница 88: ...e network by 2 to 5 Technically the Jumbo is just a lengthened frame sent and received by the switch However considering the length of Jumbo frames they will not be sent to CPU We discard the Jumbo fr...

Страница 89: ...for monitoring the whole network connectivity and locating the fault in access aggregation network layer Compare with CFM Y 1731 standard set by ITU International Telecommunications Union is more pow...

Страница 90: ...le OAM entity on the other side receives the notification it will also log and report it With the log information network administrators can keep track of network status in time The link event monitor...

Страница 91: ...s not generate Dying Gasp OAMPDU it still receives and processes such OAMPDU sent by its peer 4 Remote loopback testing Remote loopback testing is available only after an Ethernet OAM connection is es...

Страница 92: ...when configuring OAM parameters 1 Enable EFM OAM function of port Command Explanation Port mode ethernet oam mode active passive Configure work mode of EFM OAM default is active mode ethernet oam no e...

Страница 93: ...shold low low frames window seconds no ethernet oam errored frame period threshold low window Configure the low threshold and window period of errored frame period event no command resotores the defau...

Страница 94: ...stores the default value optional ethernet oam errored frame period threshold high high frames none no ethernet oam errored frame period threshold high Configure the high threshold of errored frame pe...

Страница 95: ...pback supported Other parameters use the default configuration Configuration on PE PE config interface ethernet 1 1 PE config if ethernet1 1 ethernet oam Other parameters use the default configuration...

Страница 96: ...y communicate in OAM loopback mode it should cancel remote loopback in time after detect the link performance Ensuring the used board supports remote loopback function Port should not configure STP MR...

Страница 97: ...corresponding port security feature and takes a pre defined action automatically This reduces user s maintenance workload and greatly enhances system security 12 2 PORT SECURITY Configuration Task Lis...

Страница 98: ...curity interface interface id address vlan Show port security configuration 12 3 Example of PORT SECURITY Internet HOST A HOST B SWITCH Ethernet1 1 Typical topology chart for port security When the in...

Страница 99: ...onfig if ethernet1 1 exit Switch config 12 4 PORT SECURITY Troubleshooting If problems occur when configuring PORT SECURITY please check whether the problem is caused by the following reasons Check wh...

Страница 100: ...DDM applications are shown in the following 1 Module lifetime forecast Monitoring the bias current is able to forecast the laser lifetime Administrator is able to find some potential problems by moni...

Страница 101: ...re Voltage Bias current there are fixed thresholds Because the user s environments are difference the users is able to define the threshold including high alarm low alarm high warn low warn to flexibl...

Страница 102: ...toring 1 Show the real time monitoring information of the transceiver 2 Configure the alarm or warning thresholds of each parameter for the transceiver 3 Configure the state of the transceiver monitor...

Страница 103: ...ceiver Interface Temp C Voltage V Bias mA RX Power dBM TX Power dBM 1 21 33 3 31 6 11 30 54 A 6 01 Command Explanation Port mode transceiver monitoring enable disable Set whether the transceiver monit...

Страница 104: ...QTECH on Sep 29 2010 Type is 1000BASE SX Link length is 550 m for 50um Multi Mode Fiber Link length is 270 m for 62 5um Multi Mode Fiber Nominal bit rate is 1300 Mb s Laser wavelength is 850 nm Brief...

Страница 105: ...mA 6 11 W 10 30 0 00 5 00 0 00 RX Power dBM 30 54 A 9 00 25 00 9 00 25 00 TX Power dBM 13 01 9 00 25 00 9 00 25 00 Step2 Configure the tx power threshold of the fiber module the low warning threshold...

Страница 106: ...ation information Transceiver monitor is disabled Monitor interval is set to 30 minutes The last threshold violation doesn t exist Ethernet 1 22 transceiver threshold violation information Transceiver...

Страница 107: ...please check whether the problem is caused by the following reasons Ensure that the transceiver of the fiber module has been inserted fast on the port or else DDM configuration will not be shown Ensur...

Страница 108: ...voice device expediently LLDP MED TLVs provide multiple information such as PoE Power over Ethernet network policy and the location information of the emergent telephone service 14 2 LLDP MED Configur...

Страница 109: ...ith Civic Address LCI format and enter Civic Address LCI address mode The no command cancels all configurations of the location with Civic Address LCI format ecs location tel number no ecs location Co...

Страница 110: ...onfigure Switch A SwitchA config interface ethernet1 1 SwitchA Config If Ethernet1 1 lldp enable SwitchA Config If Ethernet1 1 lldp mode both this configuration can be omitted the default mode is RxTx...

Страница 111: ...SwitchA show lldp neighbors interface ethernet 1 1 Port name Ethernet1 1 Port Remote Counter 1 TimeMark 20 ChassisIdSubtype 4 ChassisId 00 1f ce 00 00 02 PortIdSubtype Local PortId 1 PortDesc SysName...

Страница 112: ...sisIdSubtype 4 ChassisId 00 1f ce 00 00 02 PortIdSubtype Local PortId 1 PortDesc Ethernet1 1 SysName SysDesc SysCapSupported 4 SysCapEnabled 4 Explanation 1 Both Ethernet1 2 of switch A and Ethernet1...

Страница 113: ...near MED device it sends LLDP MED TLV If network connection device configured the command for sending LLDP MED TLV the packets also without LLDP MED TLV sent by the port that means no MED information...

Страница 114: ...same corporation through the service provider network To maintain a local concept it not only needs to transmit the data within the user s private network across the tunnel but also transmit layer 2...

Страница 115: ...own in Figure User A has two devices CE 1 and CE 2 and both devices belong to the same VLAN User s network is divided into network 1 and network 2 which are connected by the service provider network W...

Страница 116: ...the original destination MAC address of the packet and then sends the packet to network 2 of user A bpdu tunnel configuration of edge switches PE1 and PE2 in the following PE1 configuration PE1 config...

Страница 117: ...lowing IEEE 802 1Q The key idea of VLAN technology is that a large LAN can be partitioned into many separate broadcast domains dynamically to meet the demands A VLAN network defined logically Each bro...

Страница 118: ...r of the user Hybrid ports and Trunk ports receive the data with the same process method but send the data with different method Hybrid ports can send the packets of multi VLANs without the VLAN tag w...

Страница 119: ...Mode switchport mode trunk access hybrid Set the current port as Trunk Access or Hybrid port Command Explanation Port Mode switchport trunk allowed vlan WORD all add WORD except WORD remove WORD no s...

Страница 120: ...g mode switchport hybrid native vlan vlan id no switchport hybrid native vlan Set delete PVID of the port Command Explanation Global Mode vlan ingress enable no vlan ingress enable Enable Disable VLAN...

Страница 121: ...figuration description VLAN2 Site A and site B switch port 2 4 VLAN100 Site A and site B switch port 5 7 VLAN200 Site A and site B switch port 8 10 Trunk port Site A and site B switch port 11 Connect...

Страница 122: ...f Ethernet1 11 switchport mode trunk Switch Config If Ethernet1 11 exit Switch config Switch B Switch config vlan 2 Switch Config Vlan2 switchport interface ethernet 1 2 4 Switch Config Vlan2 exit Swi...

Страница 123: ...y SwitchA We can implement this status through Hybrid port Configuration items are as follows Port Type PVID the VLANs are allowed to pass Port 1 10 of Switch A Access 10 Allow the packets of VLAN 10...

Страница 124: ...e Ethernet 1 10 Switch Config If Ethernet1 10 switchport mode hybrid Switch Config If Ethernet1 10 switchport hybrid native vlan 10 Switch Config If Ethernet1 10 switchport hybrid allowed vlan 7 9 10...

Страница 125: ...and PE2 is to provide a reliable layer 2 link The technology of Dot1q tuunel provides the ISP internet the ability of supporting many client VLANs by only one VLAN of theirselves Both the ISP internet...

Страница 126: ...onnected to CE1 port10 is connected to public network the TPID of the connected equipment is 9100 port1 of PE2 is connected to CE2 port10 is connected to public network Configuration Item Configuratio...

Страница 127: ...1q tunnel tpid 0x9100 Switch Config 16 2 4 Dot1q tunnel Troubleshooting Enabling dot1q tunnel on Trunk port will make the tag of the data packet unpredictable which is not required in the application...

Страница 128: ...200 Eth 1 1 Eth 1 2 Eth1 9 Eth1 9 Eth1 2 Eth1 1 IP Phone IP Phone IP Phone Vlan 201 300 PC PC VLAN 100 200 IP Phone IP Phone IP Phone Vlan 201 300 SP Network VLAN1000 2000 Command Explanation Global P...

Страница 129: ...LAN 1000 switch config if ethernet1 1 switchport hybrid allowed vlan 1000 untag Configure the mapping rules for selective QinQ on Ehernet1 1 to insert VLAN 1000 tag as the outer VLAN tag in packets wi...

Страница 130: ...vlan 201 300 switch config if ethernet1 2 dot1q tunnel selective enable switch config if ethernet1 9 switchport mode hybrid switch config if ethernet1 9 switchport hybrid allowed vlan 1000 2000 tag 1...

Страница 131: ...n CE1 and CE2 of the client network with VLAN3 The port1 of PE1 is connected to CE1 port10 is connected to public network port1 of PE2 is connected to CE2 port10 is connected to public network Command...

Страница 132: ...it switch Config Note this switch only supports the in direction 16 4 4 VLAN translation Troubleshooting Normally the VLAN translation is applied on trunk ports Normally before using the VLAN translat...

Страница 133: ...figure Multi to One VLAN translation on the port 2 Show the related configuration of Multi to One VLAN translation 1 Configure Multi to One VLAN translation on the port 2 Show the related configuratio...

Страница 134: ...E F VID 101 User A B C VID 100 UserA UserB UserC UserD UserE UserF switch1 switch2 VLAN translation typical application Configuration Item Configuration Explanation VLAN Switch1 Switch2 Trunk Port Dow...

Страница 135: ...physical location to another As we can see the greatest advantage of this VLAN division is that the VLAN does not have to be re configured when the user physic location change namely shift from one sw...

Страница 136: ...rt mac vlan enable no switchport mac vlan enable Enable disable the MAC based VLAN function on the port Command Explanation Global Mode mac vlan vlan vlan id no mac vlan Configure the specified VLAN t...

Страница 137: ...h A Switch B Switch C Configuration procedure Switch A Switch B Switch C switch Config mac vlan mac 00 1f ce 11 22 33 vlan 100 priority 0 switch Config exit switch 16 6 4 Dynamic VLAN Troubleshooting...

Страница 138: ...tes so as to ensure protocol entities registering and deregistering the attribute According to different transmission attributes GARP can be divided to many application protocols such as GMRP and GVRP...

Страница 139: ...A and G switches manually So the same VLAN of two unadjacent switches can communicate mutually through GVRP protocol instead of configuring each intermediate switch manually for achieving the purpose...

Страница 140: ...C can communicate with each other through Switch B without static VLAN100 entries Configuration Item Configuration description VLAN100 Port 2 6 of Switch A and C Trunk port Port 11 of Switch A and C...

Страница 141: ...11 Switch Config If Ethernet1 11 switchport mode trunk Switch Config If Ethernet1 11 gvrp Switch Config If Ethernet1 11 exit Switch C Switch config gvrp Switch config vlan 100 Switch Config Vlan100 s...

Страница 142: ...ame and creates a mapping to the destination port Then the MAC table is queried for the destination MAC address if hit the data frame is forwarded in the associated port otherwise the switch forwards...

Страница 143: ...and port1 5 and no port mapping for 00 01 33 33 33 33 present the switch broadcast this message to all the ports in the switch assuming all ports belong to the default VLAN1 PC3 and PC4 on port 1 12 r...

Страница 144: ...Broadcast frame The switch can segregate collision domains but not broadcast domains If no VLAN is set all devices connected to the switch are in the same broadcast domain When the switch receives a...

Страница 145: ...ing or filter entry Clear dynamic address table Command Explanation Admin Mode clear mac address table dynamic address mac addr vlan vlan id interface ethernet portchannel interface name Clear the dyn...

Страница 146: ...listed below 1 Set the MAC address 00 01 11 11 11 11 of PC1 as a filter address Switch config mac address table static 00 01 11 11 11 11 discard vlan 1 2 Set the static mapping relationship for PC2 a...

Страница 147: ...for forwarding in that port if the connection is changed to another port the switch will learn the MAC address again to forward data in the new port However in some cases security or management polic...

Страница 148: ...no switchport port security timeout restores the default setting switchport port security mac address mac address no switchport port security mac address mac address Add static secure MAC address the...

Страница 149: ...some occasions Here are some possible causes and solutions If MAC address binding cannot be enabled for a port make sure the port is not enabling port aggregation and is not configured as a Trunk port...

Страница 150: ...f MAC notification supported by the port Command Explanation Global mode snmp server enable traps mac notification no snmp server enable traps mac notification Configure or cancel the global snmp MAC...

Страница 151: ...c notification Switch config mac address table notification Switch config mac address table notification interval 5 Switch config mac address table notification history size 100 Switch Config If Ether...

Страница 152: ...e MSTP can reduce the number of spanning tree instances which consumes less CPU resources and reduces the bandwidth consumption 18 1 1 MSTP Region Because multiple VLANs can be mapped to a single span...

Страница 153: ...IST master with both of the path costs to the CST root and to the IST master set to zero The bridge also initializes all of its MST instances and claims to be the root for all of them If the bridge r...

Страница 154: ...nstances That can form various topologies Each instance is independent from the others and each distance can have its own attributes such as bridge priority and port cost etc Consequently the VLANs in...

Страница 155: ...ing tree mst instance id port priority Set port priority for specified instance spanning tree mst instance id rootguard no spanning tree mst instance id rootguard Configure currently port whether runn...

Страница 156: ...orward time time no spanning tree forward time Set the value for switch forward delay time spanning tree hello time time no spanning tree hello time Set the Hello time for sending BPDU messages spanni...

Страница 157: ...ns the format is determined by checking the received packet Command Explanation Port Mode spanning tree cost no spanning tree cost Set the port path cost spanning tree port priority no spanning tree p...

Страница 158: ...ning tree flush once the topology changes Disable the spanning tree don t flush when the topology changes Protect the spanning tree flush not more than one time every ten seconds The no command restor...

Страница 159: ...00000 200000 Port 7 200000 200000 By default the MSTP establishes a tree topology in blue lines rooted with SwitchA The ports marked with x are in the discarding status and the other ports are in the...

Страница 160: ...ig Port Range switchport mode trunk Switch2 Config Port Range exit Switch2 config spanning tree Switch3 Switch3 config vlan 20 Switch3 Config Vlan20 exit Switch3 config vlan 30 Switch3 Config Vlan30 e...

Страница 161: ...stance 0 of the entire network In the MSTP region which Switch2 Switch3 and Switch4 belong to Switch2 is the region root of the instance 0 Switch3 is the region root of the instance 3 and Switch4 is t...

Страница 162: ...pology Of the Instance 3 after the MSTP Calculation The Topology Of the Instance 4 after the MSTP Calculation Switch2 Switch3 Switch 4 2 2 3 3 X 4 4 X 5 5 X 6 7 6 x 7 X Switch1 Switch2 Switch3 Switch4...

Страница 163: ...meters co work with each other so the parameters should meet the following conditions Otherwise the MSTP may work incorrectly 2 Bridge_Forward_Delay 1 0 seconds Bridge_Max_Age Bridge_Max_Age 2 Bridge_...

Страница 164: ...e data transfer service to fulfill program requirements QoS cannot generate new bandwidth but provides more effective bandwidth management according to the application requirement and network manageme...

Страница 165: ...Traffic within the QoS policing policy range bandwidth or burst value is called In Profile Out of Profile Traffic out the QoS policing policy range bandwidth or burst value is called Out of Profile 19...

Страница 166: ...ration is flexible the complexity or simplicity depends on the network topology and devices and analysis to incoming outgoing traffic 19 1 3 Basic QoS Model The basic QoS consists of four parts Classi...

Страница 167: ...he flow to configure different policies that allocate bandwidth to classified traffic the assigned bandwidth policy may be dual bucket dual color or dual bucket three color The traffic will be assigne...

Страница 168: ...cedence for the egress packets the queuing operation assigns the packets to different priority queues according to the internal priority while the scheduling operation perform the packet forwarding ac...

Страница 169: ...lass map Set up a classification rule according to ACL CoS VLAN ID IPv4 Precedent DSCP IPV6 FL to classify the data stream Different classes of data streams will be processed with different policies C...

Страница 170: ...lass map and enter class map mode the no class map class map name command deletes the specified class map match access group acl index or name ip dscp dscp list ip precedence ip precedence list ipv6 a...

Страница 171: ...policy for the classified flow Set corresponding action to different color packets The no command will delete the mode configuration accounting no accounting Set statistic function for the classified...

Страница 172: ...weight Command Explanation Global Mode mls qos queue algorithm sp wrr no mls qos queue algorithm Set queue management algorithm the default queue management algorithm is wrr mls qos queue weight weigh...

Страница 173: ...ch config mls qos queue weight 1 1 2 2 Switch Config If Ethernet1 1 mls qos cos 5 Configuration result When QoS enabled in Global Mode the egress queue bandwidth proportion of all ports is 1 1 2 2 Whe...

Страница 174: ...After the above settings done bandwidth for packets from segment 192 168 1 0 through port ethernet 1 2 is set to 10 Mb s with a burst value of 4 MB all packets exceed this bandwidth setting in that s...

Страница 175: ...h2 Switch config Switch config interface ethernet 1 1 Switch Config If Ethernet1 1 mls qos trust cos 19 4 QoS Troubleshooting trust cos and EXP can be used with other trust or Policy Map trust dscp ca...

Страница 176: ...ransmission policy for a special type of data frames The switch can only designate a single destination port of redirection for a same class of flow within a source port of redirection while it can de...

Страница 177: ...this flow to port 1 The following is the configuration procedure Switch config access list 1 permit host 192 168 1 111 Switch config interface ethernet 1 1 Switch Config If Ethernet1 1 access group 1...

Страница 178: ...Q Basic QinQ based the port After a port configures QinQ whether the received packet with tag or not the device still packs the default VLAN tag for the packet Using basic QinQ is simple but the setti...

Страница 179: ...o command deletes the specified match standard 2 Configure policy map of flexible QinQ Command Explanation Global mode policy map policy map name no policy map policy map name Create a policy map and...

Страница 180: ...ly in DSLAM1 DSCP10 corresponds to Broad Band Network DSCP20 corresponds to VOIP DSCP30 corresponds to VOD After the downlink port enables flexible QinQ function the packets will be packed with differ...

Страница 181: ...ymap p1 class c3 set s vid 3001 Switch config policymap p1 class c3 exit Switch config policymap p1 exit Switch config interface ethernet 1 1 Switch config if ethernet1 1 dot1q tunnel enable Switch co...

Страница 182: ...if ethernet1 1 service policy p1 in 21 4 Flexible QinQ Troubleshooting If flexible QinQ policy can not be bound to the port please check whether the problem is caused by the following reasons Make sur...

Страница 183: ...ayer 3 interface should be in UP state for Layer 3 interface in UP state otherwise Layer 3 interface will be in DOWN state The switch can use the IP addresses set in the layer 3 management interface t...

Страница 184: ...of Internet which require IP addresses the supply of IP addresses turns out to be more and more tense People have been working on the problem of shortage of IPv4 addresses for a long time by introduci...

Страница 185: ...ile calculating devices The Mobile IP Protocol defined in IETF standard makes mobile devices movable without cutting the existing connection which is a network function getting more and more important...

Страница 186: ...ss mask command cancels IP address of VLAN interface 2 Configure the default gateway Command Explanation Global Mode ip default gateway A B C D no ip default gateway A B C D Configure the default gate...

Страница 187: ...ssage number Command Explanation Interface Configuration Mode ipv6 nd dad attempts value no ipv6 nd dad attempts Set the neighbor query message number sent in sequence when the interface makes duplica...

Страница 188: ...Configuration Task List ARP Configuration Task List 1 Configure static ARP 1 Configure static ARP Command Explanation Interface Configuration Mode arp ip_address mac_address no arp ip_address Configur...

Страница 189: ...7 495 797 3311 www qtech ru 18 1 175...

Страница 190: ...h ARP scanning features is found in the segment the switch will cut off the attack source to ensure the security of the network There are two methods to prevent ARP scanning port based and IP based Th...

Страница 191: ...based threshold threshold value no anti arpscan port based threshold Set the threshold of the port based ARP Scanning Prevention anti arpscan ip based threshold threshold value no anti arpscan ip bas...

Страница 192: ...r disable the SNMP Trap function of ARP scanning prevention show anti arpscan trust ip port supertrust port prohibited ip port Display the state of operation and configuration of ARP scanning preventi...

Страница 193: ...ort SwitchA Config If Ethernet1 2 exit SwitchA config interface ethernet1 19 SwitchA Config If Ethernet1 19 anti arpscan trust supertrust port Switch A Config If Ethernet1 19 exit SWITCHB configuratio...

Страница 194: ...cation between two host computers in the same network even if are connected by the switches it sends an ARP reply packet to two hosts separately and make them misunderstand MAC address of the other si...

Страница 195: ...n At one time it doesn t interrupt the automatic learning function of ARP Thus it prevents ARP spoofing and attack to a great extent 24 2 Prevent ARP Spoofing configuration The steps of preventing ARP...

Страница 196: ...1 address A MAC address In further a transfers its received packets to C by modifying source address and destination address the mutual communicated data between B and C are received by A unconsciousl...

Страница 197: ...config ip arp security convert If the environment changing it enable to forbid ARP refresh once it learns ARP property it wont be refreshed by new ARP reply packet and protect use data from sniffing...

Страница 198: ...revent PC2 from receiving the messages to it Particularly if the attacker pretends to be the gateway and do ARP cheating the whole network will be collapsed ARP GUARD schematic diagram We utilize the...

Страница 199: ...www qtech ru 18 1 185 25 2 ARP GUARD Configuration Task List 1 Configure the protected IP address Command Explanation Port configuration mode arp guard ip addr no arp guard ip addr Configure delete AR...

Страница 200: ...advertises gratuitous ARP requests the host will not have to send these requests This will reduce the frequency the hosts sending ARP requests for the gateway s MAC address Gratuitous ARP is a method...

Страница 201: ...10 whose IP address is 192 168 15 254 and network address mask is 255 255 255 0 in the switch system Five PCs PC1 PC2 PC3 PC4 PC5 are connected to the interface Gratuitous ARP can be enabled through t...

Страница 202: ...nabled in global configuration mode it can be disabled only in global configuration mode If gratuitous ARP is configured in interface configuration mode the configuration can only be disabled in inter...

Страница 203: ...and configuration parameters for the clients if DHCP server and clients are located in different subnets DHCP relay is required for DHCP packets to be transferred between the DHCP client and DHCP serv...

Страница 204: ...heoretically endless 3 Dynamically allocated address cannot be bound manually 4 Dynamic DHCP address pool can inherit the network configuration parameters of the dynamic DHCP address pool of the relat...

Страница 205: ...he address for server netbios node type b node h node m node p node type number no netbios node type Configure node type for DHCP clients The no operation cancels the node type for DHCP clients bootfi...

Страница 206: ...g address manually client identifier unique identifier no client identifier Specify delete the unique ID of the user when binding address manually 3 Enable logging for address conflicts Command Explan...

Страница 207: ...packet via DHCP relay to the DHCP client DHCP client chooses a DHCP server and broadcasts a DHCPREQUEST packet DHCP relay forwards the packet to the DHCP server after processing On receiving DHCPREQU...

Страница 208: ...ators and users a company is using switch as a DHCP server The Admin VLAN IP address is 10 16 1 2 16 The local area network for the company is divided into network A and B according to the office loca...

Страница 209: ...h config ip dhcp pool A1 Switch dhcp A1 config host 10 16 1 210 Switch dhcp A1 config hardware address 00 03 22 23 dc ab Switch dhcp A1 config exit Usage Guide When a DHCP BOOTP client is connected to...

Страница 210: ...switchport access vlan 2 Switch Config Erthernet1 2 exit Switch config interface vlan 2 Switch Config if Vlan2 ip address 10 1 1 1 255 255 255 0 Switch Config if Vlan2 exit Switch config ip forward p...

Страница 211: ...ch Config If Ethernet1 2 switchport mode trunk switch config service dhcp switch config ip forward protocol udp bootps switch config ip dhcp relay information option switch config ip dhcp relay share...

Страница 212: ...one of them will take effect furthermore in manual binding only one IP MAC binding can be configured in one pool If multiple bindings are required multiple manual pools can be created and IP MAC bindi...

Страница 213: ...provide extend function of DHCPv6 prefix delegation upstream route can assign address prefix to downstream route automatically that achieve the IPv6 address auto assignment in levels of network envir...

Страница 214: ...from the DHCPv6 client it will encapsulate the request in a Relay forward packet and deliver it to the next DHCPv6 relay or the DHCPv6 server The DHCPv6 messages coming from the server will be encaps...

Страница 215: ...signable of address pool dns server ipv6 address no dns server ipv6 address To configure DNS server address for DHCPv6 client domain name domain name no domain name domain name To configure DHCPv6 cli...

Страница 216: ...e vlan 1 4096 no ipv6 dhcp relay destination ipv6 address interface interface name vlan 1 4096 To specify the destination address of DHCPv6 relay transmit The no form of this command delete the config...

Страница 217: ...mand Explanation DHCPv6 address pool Configuration Mode prefix delegation pool poolname lifetime valid time preferred time no prefix delegation pool poolname To specify prefix delegation pool used by...

Страница 218: ...Prefix Delegation Client Configuration DHCPv6 prefix delegation client configuration task list as below To enable disable DHCPv6 service To enable DHCPv6 prefix delegation client function on port 1 T...

Страница 219: ...s and it is configured as DHCPv6 relay delegation Switch3 is configured as DHCPv6 server in secondary aggregation layer and connected with backbone network or higher aggregation layers The Windows Vis...

Страница 220: ...g Switch2 configuration Switch2 enable Switch2 config Switch2 config service dhcpv6 Switch2 config interface vlan 1 Switch2 Config if Vlan1 ipv6 address 2001 da8 1 1 2 64 Switch2 Config if Vlan1 exit...

Страница 221: ...connected to the DHCPv6 enabled switches but can not get IPv6 addresses In this situation it should be checked first whether the ports which the hosts are connected to are connected with the port whic...

Страница 222: ...entify all the possible DHCP attack messages according to the information in option 82 and defend against them DHCP Relay Agent will peel the option 82 from the reply messages it receives and forward...

Страница 223: ...2 to the end of the request message it receives then relay and forward the message to the DHCP server By default the sub option 1 of option 82 Circuit ID is the interface information of the switch con...

Страница 224: ...e the option 82 function of the switch Relay Agent The no ip dhcp relay information option is used to disable the option 82 function of the switch Relay Agent 2 Configure the DHCP option 82 attributes...

Страница 225: ...added option 82 sub option1 Circuit ID option as standard format Global Mode ip dhcp relay information option remote id standard remote id no ip dhcp relay information option remote id Set the subopti...

Страница 226: ...remote id suboption by themselves ip dhcp relay information option self defined remote id format ascii hex Set self defined format of remote id for relay option82 ip dhcp relay information option sel...

Страница 227: ...ected to Switch1 and Switch2 will get addresses from the public address pool of the DHCP server After the DHCP option 82 function is enabled since the Switch3 appends the port information of accessing...

Страница 228: ...102 2 option subnet mask 255 255 255 0 option domain name example com option domain name servers 192 168 10 3 authoritative pool range 192 168 102 21 192 168 102 50 default lease time 86400 24 Hours...

Страница 229: ...d of Relay Agent please pay attention to the retransmitting policy of the interface DHCP request messages To implement the option 82 function of DHCP Relay Agent the debug dhcp relay packet command ca...

Страница 230: ...d option 43 it will match with any option 60 If the received DHCP packet with option 60 from DHCP client DHCP client will receive the option 43 configured in the address pool 3 Address pool only confi...

Страница 231: ...r configures option 60 matched with the option 60 of fit ap to return option 43 attribute to FTP AP Configuration procedure Configure DHCP server router config ip dhcp pool a router dhcp a config opti...

Страница 232: ...client to trigger deny service attack through using MAC address of other legal clients Therefore IETF set rfc4649 and rfc4580 i e DHCPv6 option 37 and option 38 to solve these problems DHCPv6 option...

Страница 233: ...drop keep replace no ipv6 dhcp snooping remote id policy This command is used to configure the reforward policy of the system when receiving DHCPv6 packets with option 37 which can be drop the system...

Страница 234: ...ote id no ipv6 dhcp snooping remote id This command is used to set the form of adding option 37 in received DHCPv6 request packets of which remote id is the content of remote id in user defined option...

Страница 235: ...CPv6 request packets of which remote id is the content of remote id in user defined option 37 and it is a string with a length of less than 128 The no operation restores remote id in option 37 to ente...

Страница 236: ...8 of relay forw in the innermost layer are selected The no operation of it restores the default configuration i e selecting option 37 and option 38 of the original packets IPv6 DHCP Class configuratio...

Страница 237: ...l the requests matched with CLASS1 CLASS2 and CLASS3 will be assigned an address ranging from 2001 da8 100 1 2 to 2001 da8 100 1 30 from 2001 da8 100 1 31 to 2001 da8 100 1 60 and from 2001 da8 100 1...

Страница 238: ...1f ce 00 00 01 subscriber id vlan1 Ethernet1 1 SwitchB dhcpv6 class class1 config exit SwitchB config ipv6 dhcp class CLASS2 SwitchB dhcpv6 class class2 config remote id 00 1f ce 00 00 01 subscriber...

Страница 239: ...v6 address allocation if special server is used for uniform allocation and management for IPv6 address DHCPv6 server supports both stateful and stateless DHCPv6 Network topology In access layer layer2...

Страница 240: ...n the same VLAN otherwise it needs to use DHCPv6 relay Snooping option37 38 can process one of the following operations for DHCPv6 request packets with option37 38 replace the original option37 38 wit...

Страница 241: ...ol independently Defense against Fake DHCP Server once the switch intercepts the DHCP Server reply packets including DHCPOFFER DHCPACK and DHCPNAK it will alarm and respond according to the situation...

Страница 242: ...authentication status 32 2 DHCP Snooping Configuration Task Sequence 1 Enable DHCP Snooping 2 Enable DHCP Snooping binding function 3 Enable DHCP Snooping option82 function 4 Set the private packet v...

Страница 243: ...n 6 Set DES encrypted key for private packets Command Explanation Globe mode enable trustview key 0 7 password no enable trustview key To configure delete DES encrypted key for private packets 7 Set h...

Страница 244: ...p snooping binding dot1x Enable or disable the DHCP snooping binding dot1x function Command Explanation Port mode ip dhcp snooping binding user control no ip dhcp snooping binding user control Enable...

Страница 245: ...d to set that allow untrusted ports of DHCP snooping to receive DHCP packets with option82 option When disabling this command all untrusted ports will drop DHCP packets with option82 option ip dhcp sn...

Страница 246: ...fine the parameters of circute id suboption by themselves ip dhcp snooping information option self defined subscriber id format ascii hex Set self defined format of circuit id for snooping option82 Po...

Страница 247: ...If Ethernet1 11 exit switch config interface ethernet 1 12 switch Config If Ethernet1 12 ip dhcp snooping trust switch Config If Ethernet1 12 exit switch config interface ethernet 1 1 10 switch Config...

Страница 248: ...nfigured policies and the option 82 information in the message At the same time DHCP server can identify all the possible DHCP attack messages according to the information in option 82 and defend agai...

Страница 249: ...option 82 to the end of the request message it receives and perform layer 2 forwarding By default the sub option 1 of option 82 Circuit ID is the interface information of the switch connected to the...

Страница 250: ...NOOPING function 2 Enable DHCP Snooping binding function Command Explanation Global mode ip dhcp snooping binding enable no ip dhcp snooping binding enable Enable or disable DHCP SNOOPING binding func...

Страница 251: ...is the configuration of Switch1 MAC address is 00 1f ce 02 33 01 Switch1 config ip dhcp snooping enable Switch1 config ip dhcp snooping binding enable Switch1 config ip dhcp snooping information enab...

Страница 252: ...cate addresses for the network nodes from Switch1 within the range of 192 168 102 51 192 168 102 80 33 4 DHCP Snooping option 82 Troubleshooting To implement the option 82 function of DHCP SNOOPING th...

Страница 253: ...e Broadcast mode goes against the security and secrecy The emergence of IP Multicast technology solved this problem in time The Multicast source only sends out the message once Multicast Routing Proto...

Страница 254: ...p Permanent Multicast Group keeps its IP address fixed but its member structure can vary within The member amount of Permanent Multicast Group can be arbitrary even zero The IP Multicast addresses whi...

Страница 255: ...ure In order to guarantee that all Multicast packets get to the router via the shortest path the receipt interface of the Multicast packet must be checked in some certain way based on Unicast router t...

Страница 256: ...out of specified source and specified group REGISTER_STOP is transmitted directly and table entry is not allowed to set up This task is implemented in PIM SM model The implement of Multicast User Con...

Страница 257: ...e front one is the one which is configured the earliest Once the configured rules are matched the following rules won t take effect so rules of globally allow must be put at the end The commands are a...

Страница 258: ...Global Configuration Mode no access list 6000 7999 deny permit ip source source wildcard host source source host ip any source destination destination wildcard host destination destination host ip any...

Страница 259: ...tsium we configure Edge Switch so that only the switch at port Ethernet1 5 is allowed to transmit multicast and the data group must be 225 1 2 3 Also switch connected up to port Ethernet1 10 can trans...

Страница 260: ...fects you expect to the after sale service staff of our company 34 3 IGMP Snooping 34 3 1 Introduction to IGMP Snooping IGMP Internet Group Management Protocol is a protocol used in IP multicast IGMP...

Страница 261: ...group count of vlan and the max source count of every group The no ip igmp snooping vlan vlan id limit command cancels this configuration ip igmp snooping vlan vlan id l2 general querier no ip igmp s...

Страница 262: ...id immediate leave command disables the IGMP fast leave function ip igmp snooping vlan vlan id query mrsp value no ip igmp snooping vlan vlan id query mrsp Configure the maximum query response period...

Страница 263: ...xample As shown in the above figure a VLAN 100 is configured in the switch and includes ports 1 2 6 10 and 12 Four hosts are connected to port 2 6 10 12 respectively and the multicast router is connec...

Страница 264: ...ceive the traffic of program 1 Scenario 2 L2 general querier The switches as IGMP Queries The configuration of Switch2 is the same as the switch in scenario 1 SwitchA takes the place of Multicast Rout...

Страница 265: ...ping function configuration and usage IGMP Snooping might not run properly because of physical connection or configuration mistakes So the users should note that Make sure correct physical connection...

Страница 266: ...eport back through the multicast address MLD Snooping is namely the MLD listening The switch restricts the multicast traffic from flooding through MLD Snooping and forward the multicast traffic to por...

Страница 267: ...ion ipv6 mld snooping vlan vlan id mrouter port learnpim6 no ipv6 mld snooping vlan vlan id mrouter port learnpim6 Enable the function that the specified VLAN learns mrouter port according to pimv6 pa...

Страница 268: ...command cancels this configuration 35 1 3 MLD Snooping Examples Scenario 1 MLD Snooping Function Open the switch MLD Snooping Function figure As shown above the vlan 100 configured on the switch consi...

Страница 269: ...application is operating on the four hosts Two hosts connected to port 2 and 5 are playing program 1 while the host connected to port 10 playing program 2 and the one to port 12 playing program 3 MLD...

Страница 270: ...d Query periodically global MLD Snooping has to be enabled while executing the mld snooping vlan 60 l2 general querier setting the vlan 60 to a Level 2 General Querier Configuration procedure is as fo...

Страница 271: ...nection failure wrong configuration etc The user should ensure the following Ensure the physical connection is correct Ensure the MLD Snooping is enabled under global mode using ipv6 mld snooping Ensu...

Страница 272: ...ulticast VLAN is configured the multicast traffic will be continuously sent to the users 36 2 Multicast VLAN Configuration Task List 1 Enable the multicast VLAN function 2 Configure the IGMP Snooping...

Страница 273: ...nd disables the IGMP snooping function 3 Configure the MLD Snooping ipv6 mld snooping vlan vlan id no ipv6 mld snooping vlan vlan id Enable MLD Snooping on multicast VLAN the no form of this command d...

Страница 274: ...fig if Vlan10 ip pim dense mode Switch Config if Vlan10 exit SwitchA config vlan 20 SwitchA config vlan20 exit SwitchA config interface vlan 20 SwitchA Config if Vlan20 ip pim dense mode SwitchA Confi...

Страница 275: ...7 495 797 3311 www qtech ru 18 1 261 When multicast VLAN supports IPv6 multicast usage is the same with IPv4 but the difference is using with MLD Snooping so does not give an example...

Страница 276: ...IP IP protocol number and TCP port UDP port Access lists can be categorized by the following criteria Filter information based criterion IP access list layer 3 or higher information MAC access list la...

Страница 277: ...list based on nomenclature Create an extensive IP access list based on nomenclature Specify multiple permit or deny rule entries Exit ACL Configuration Mode 5 Configuring a numbered standard MAC acces...

Страница 278: ...st source sIpAddr dIpAddr dMask any destination host destination dIpAddr icmp type icmp code precedence prec tos tos time range time range name Creates a numbered ICMP extended IP access rule if the n...

Страница 279: ...nge time range name Creates a numbered IP extended IP access rule for other specific IP protocol or all IP protocols if the numbered extended access list of specified number does not exist then an acc...

Страница 280: ...d extended IP access rule no deny permit igmp sIpAddr sMask any source host source sIpAddr dIpAddr dMask any destination host destination dIpAddr igmp type precedence prec tos tos time range time rang...

Страница 281: ...rce mac host_smac smac smac mask no access list num Creates a numbered standard MAC access list if the access list already exists then a rule will add to the current access list the no access list num...

Страница 282: ...2 ethertype protocol protocol mask Creates an extended name based MAC access rule matching untagged ethernet 2 frame the no form command deletes this name based extended MAC access rule no deny permit...

Страница 283: ...sing this number access list num deny permit any source mac host source mac host_smac smac smac mask any destination mac host destination mac host_dmac dmac dmac mask igmp source source wildcard any s...

Страница 284: ...um deny permit any source mac host source mac host_smac smac smac mask any destination mac host destination mac host_dmac dmac dmac mask eigrp gre igrp ip ipinip ospf protocol num source source wildca...

Страница 285: ...ion mac host_dmac dmac dmac mask igmp source source wildcard any source host source source host ip destination destination wildcard any destination host destination destination host ip igmp type prece...

Страница 286: ...tocol num source source wildcard any source host source source host ip destination destination wildcard any destination host destination destination host ip precedence precedence tos tos time range ti...

Страница 287: ...c Exit name based standard IP ACL configuration mode Command Explanation Standard IPv6 ACL Mode exit Exits name based standard IPv6 ACL configuration mode 2 Configuring packet filtering function 1 En...

Страница 288: ...igure absolute time range Command Explanation Global Mode absolute start start_time start_data end end_time end_data Configure absolute time range no absolute start start_time start_data end end_time...

Страница 289: ...le Switch config interface ethernet 1 10 Switch Config If Ethernet1 10 ip access group 110 in Switch Config If Ethernet1 10 exit Switch config exit Configuration result Switch show firewall Firewall s...

Страница 290: ...3 access list 1100 deny 00 12 11 23 00 00 00 00 00 00 ff ff any destination mac Switch show access group interface ethernet 1 10 interface name Ethernet1 10 MAC Ingress access list used is 1100 traff...

Страница 291: ...name Ethernet1 10 MAC IP Ingress access list used is 3110 traffic statistics Disable Scenario 4 The configuration requirement is stated as below IPv6 protocol runs on the interface 600 of the switch A...

Страница 292: ...on Create the corresponding access list Configure datagram filtering Bind the ACL to the related interface The configuration steps are listed as below Switch config firewall enable Switch config vlan...

Страница 293: ...Viruses such as worm blaster can be blocked by configuring ACL to block specific ICMP packets or specific TCP or UDP port packet If the physical mode of an interface is TRUNK ACL can only be configure...

Страница 294: ...nfiguration if there are any ACLs bound to the VLAN the ACL will be removed from all the physical interfaces belonging to the VLAN and it will be bound to VLAN 1 ACL if ACL is configured in VLAN1 If V...

Страница 295: ...and configure the access from user The prevailing application of WLAN and LAN access in telecommunication networks in particular make it necessary to control ports in order to implement the user leve...

Страница 296: ...lement the operation of algorithms and protocols The PAE of the supplicant system is supposed to respond the authentication request from the authenticator systems and submit user s authentication info...

Страница 297: ...n the PAE of the authenticator system and the RADIUS server there are two methods to exchange information one method is that EAP messages adopt EAPOR EAP over RADIUS encapsulation format in RADIUS pro...

Страница 298: ...EAPOL Start whose value is 0x01 the frame to start authentication EAPOL Logoff whose value is 0x02 the frame requesting to quit EAPOL Key whose value is 0x03 the key information frame EAPOL Encapsula...

Страница 299: ...gth and Data in byte Data the content of the EAP packet depending on the Code type 38 1 4 The Encapsulation of EAP Attributes RADIUS adds two attribute to support EAP authentication EAP Message and Me...

Страница 300: ...authentication protocol messages can reach the authentication server through complicated networks In general EAP relay requires the RADIUS server to support EAP attributes EAP Message and Message Aut...

Страница 301: ...cation methods that may be extended in the future In EAP relay if any authentication method in EAP MD5 EAP TLS EAP TTLS and PEAP is adopted the authentication methods of the supplicant system and the...

Страница 302: ...authentication It is the earliest EAP authentication method used in wireless LAN Since every user should have a digital certificate this method is rarely used practically considering the difficult ma...

Страница 303: ...thod EAP PEAP is brought up by Cisco Microsoft and RAS Security as a recommended open standard It has long been utilized in products and provides very good security Its design of protocol and security...

Страница 304: ...he protocol devices also extend and optimize it when implementing the EAP relay mode and EAP termination mode of 802 1x Supports some applications in the case of which one physical port can have more...

Страница 305: ...ll be preferred 38 1 6 The Features of VLAN Allocation 1 Auto VLAN Auto VLAN feature enables RADIUS server to change the VLAN to which the access port belongs based on the user information and the use...

Страница 306: ...more authentication triggering messages than the upper limit EAP Request Identity from the port The authentication server assigns an Auto VLAN and then the port leaves Guest VLAN and joins the assign...

Страница 307: ...tion Port Mode dot1x port method macbased portbased userbased standard advanced no dot1x port method Sets the port access management method the no command restores MAC based access management dot1x ma...

Страница 308: ...v6 passthrough no dot1x ipv6 passthrough Enables IPv6 passthrough function of global mode on a switch only applicable when access control mode is userbased the no operation of this command will disabl...

Страница 309: ...s The Network Topology of Guest VLAN Notes in the figures in this session E2 means Ethernet 1 2 E3 means Ethernet 1 3 and E6 means Ethernet 1 6 As showed in the next figure a switch accesses the netwo...

Страница 310: ...Online VLAN Being Offline As illustrated in the up figure when the users become online after a successful authentication the authentication server will assign VLAN5 which makes the user and Ethernet1...

Страница 311: ...mode on the port as portbased Switch Config If Ethernet1 2 dot1x port method portbased Set the access control mode on the port as auto Switch Config If Ethernet1 2 dot1x port control auto Set the por...

Страница 312: ...E 802 1x authentication client software is installed on the PC and is used in IEEE 802 1x authentication The configuration procedures are listed below Switch config interface vlan 1 Switch Config if v...

Страница 313: ...IEEE802 1x authentication client software on the computer and use the client for IEEE802 1x authentication The detailed configurations are listed as below Switch config interface vlan 1 Switch Config...

Страница 314: ...but still cannot pass through authentication connectivity between the switch and RADIUS server the switch and 802 1x client should be verified and the port and VLAN configuration for the switch should...

Страница 315: ...f the dynamically learnt MAC address matches no transmitted data in a long time the switch will delete it from the MAC address list Usually the switch supports both the static configuration and dynami...

Страница 316: ...imitation function of MAC on the ports 2 Configure the violation mode of ports Command Explanation Port mode switchport mac address violation protect shutdown recovery 5 3600 no switchport mac address...

Страница 317: ...ck to a certain extent When malicious users frequently do MAC cheating it will be easy for them to fill the MAC list entries of the switch causing successful DOS attacks Limiting the MAC list entry ca...

Страница 318: ...ss is mutually exclusive to these configurations so if the users need to enable the number limitation function of MAC address on the port they should check these functions mentioned above on this port...

Страница 319: ...host to be forwarded by the switch Given the fact that MAC IP can be exclusively bound with a host it is necessary to make MAC IP bound with a host for the purpose of preventing users from maliciously...

Страница 320: ...arding IP of the port 4 Configure the forwarding MAC IP Command Explanation Port Mode am mac ip pool mac address ip address no am mac ip pool mac address ip address Configure the forwarding MAC IP of...

Страница 321: ...the switch can be configured as follows Switch config am enable Switch config interface ethernet1 1 Switch Config If Ethernet1 1 am port Switch Config If Ethernet1 1 am ip pool 10 10 10 1 10 40 4 AM...

Страница 322: ...otecting the server from attacks such as DoS The protocol check allows the user to drop matched packets based on specified conditions The security features provide several simple and effective protect...

Страница 323: ...ction 2 Configure the minimum permitted TCP head length of the packet Command Explanation Global Mode no dosattack check tcp fragment enable Enable disable the prevent TCP fragment attack function dos...

Страница 324: ...iguration requirements the switch do not forward data packet whose source IP address is equal to the destination address and those whose source port is equal to the destination port Only the ping comm...

Страница 325: ...TACACS authentication function on the switch when the user logs such as telnet the authentication of user name and password can be carried out with TACACS 42 2 TACACS Configuration Task List 1 Config...

Страница 326: ...Mode tacacs server nas ipv4 ip address no tacacs server nas ipv4 To configure the source IP address for the TACACS packets for the switch 42 3 TACACS Scenarios Typical Examples TACACS Configuration A...

Страница 327: ...In configuring and using TACACS the TACACS may fail to authentication due to reasons such as physical connection failure or wrong configurations The user should ensure the following First good conditi...

Страница 328: ...urce RADIUS Remote Authentication Dial in User Service is a kind of distributed and client server protocol for information exchange The RADIUS client is usually used on network appliance to implement...

Страница 329: ...e fields Type field 1 octet the type of the attribute value which is shown as below Property Type of property Property Type of property 1 User Name 23 Framed IPX Network 2 User Password 24 State 3 CHA...

Страница 330: ...ess of the RADIUS NAS 1 Enable the authentication and accounting function 2 Configure the RADIUS authentication key Command Explanation Global Mode radius server key string no radius server key To con...

Страница 331: ...ad time To configure the interval that the RADIUS becomes available after it is down The no form of this command will restore the default configuration radius server retransmit retries no radius serve...

Страница 332: ...rver is 10 1 1 3 and the authentication port is defaulted at 1812 accounting port is defaulted at 1813 Configure steps as below Switch config interface vlan 1 Switch Config if vlan1 ip address 10 1 1...

Страница 333: ...t 2004 1 2 3 3 Switch config radius server accounting host 2004 1 2 3 3 Switch config radius server key test Switch config aaa enable Switch config aaa accounting enable 43 4 RADIUS Troubleshooting In...

Страница 334: ...18 1 320 If the RADIUS authentication problem remains unsolved please use debug aaa and other debugging command and copy the DEBUG message within 3 minutes send the recorded message to the technical...

Страница 335: ...for application layer Some protocols such as HTTP FTP TELNET and so on can build on SSL protocols transparently The SSL protocol negotiates for the encryption algorithm the encryption key and the ser...

Страница 336: ...ch are not the formal certification keys issued by official authentic but the private certification keys generated by SSL software under Linux which may not be recognized by the web browser With regar...

Страница 337: ...cipher suite by SSL used 4 Maintenance and diagnose for the SSL function Command Explanation Admin Mode or Configuration Mode show ip http secure server status Show the configured SSL information debu...

Страница 338: ...use show interface command Then make sure SSL function is enabled use ip http secure server command Don t use the default port number if configured port number pay attention to the port number when i...

Страница 339: ...multaneously the normal users get incorrect address and will not be able to connect to the network So in order to implement the security RA function configuring on the switch ports to reject vicious R...

Страница 340: ...whether globally security RA is enabled 45 3 IPv6 Security RA Typical Examples IPv6 Security RA sketch map Instructions if the illegal user in the graph advertises RA the normal user will receive the...

Страница 341: ...y RA Troubleshooting Help The function of IPv6 security RA is quite simple if the function does not meet the expectation after configuring IPv6 security RA Check if the switch is correctly configured...

Страница 342: ...are allowed to pass when the authentication is successful MAB user didn t need to input the username and password manually in the process of authentication At present MAB authentication device only s...

Страница 343: ...ntication bypass timeout offline detect 0 60 7200 no mac authentication bypass timeout offline detect Set offline detection interval mac authentication bypass timeout quiet period 1 60 no mac authenti...

Страница 344: ...s guest vlan as vlan8 it joins in vlan1 vlan8 and vlan10 with untag method and enables MAB function Ethernet 1 3 is an access port connects to the printer and enables MAB function Ethernet 1 4 is a tr...

Страница 345: ...counting host 192 168 61 10 Switch config radius server key test Switch config aaa enable Switch config aaa accounting enable Enable the authentication function of each port Switch config interface et...

Страница 346: ...6 4 MAB Troubleshooting If there is any problem happens when using MAB function please check whether the problem is caused by the following reasons Make sure global and port MAB function are enabled M...

Страница 347: ...the access device and the network are faced with security problem especially from the client in the current access network Traditional Ethernet user can not be identified traced and located exactly ho...

Страница 348: ...n confirmation packet hereto PPPoE discovery stage is completed enter session stage PADT PPPoE Active Discovery Terminate packet is an especial packet of PPPoE its Ethernet protocol number 0x8863 is t...

Страница 349: ...de 5 kinds of packets in PPPoE discovery stage only type field value of session stage as 0x8864 PPPoE version field 4 bits Specify the current PPPoE protocol version the current version must be set as...

Страница 350: ...tag of the host It is similar to tag field of PPPoE data packets and is used to match the sending and reveiving end Because broadcast network may exist many PPPoE data packets synchronously 0x0104 AC...

Страница 351: ...4 byte Fig 11 3 Agent Circuit ID value MAC of the access switch is the default remote ID value of PPPoE IA remote ID value can be configured by user flexibly the length is less than 63 bytes 47 1 2 4...

Страница 352: ...pe self defined remote id mac hostname string WORD no pppoe intermediate agent type self defined remote id Configure the self defined remote id pppoe intermediate agent delimiter WORD no pppoe interme...

Страница 353: ...gent trust Switch config if ethernet1 1 pppoe intermediate agent vendor tag strip Step3 Port ethernet1 2 of vlan1 and port ethernet1 3 of vlan 1234 enable PPPoE IA function of port Switch config if et...

Страница 354: ...of Slot ID and Port ID as delimiter of Port ID and Vlan ID as Switch config pppoe intermediate agent type tr 101 circuit id identifier string efgh option spv delimiter delimiter Step6 Configure circu...

Страница 355: ...gging in authentication client The after 802 1x authentication adds web based authentication mode the user can download a special Java Applet program by browser or other plug in to replace 802 1x clie...

Страница 356: ...Mode webportal binding limit 1 256 no webportal binding limit Configure the max web portal binding number allowed by the port 4 Configure HTTP redirection address of web portal authentication Command...

Страница 357: ...on 48 3 Web Portal Authentication Typical Example Pc 2 Ethernet1 3 Ethernet1 2 Ethernet1 3 Pc 1 Ethernet1 2 Ethernet1 4 Ethernet1 5 Switch 2 Internet Ethernet1 1 Ethernet1 4 Ethernet1 6 Portal server...

Страница 358: ...255 255 255 0 Switch config webportal enable Switch config webportal nas ip 192 168 40 50 Switch config webportal redirect 192 168 40 99 Switch config interface ethernet 1 3 Switch config if ethernet...

Страница 359: ...n implement the filtering of the packets the packets match the specific rules can be allowed or denied ACL can support IP ACL MAC ACL MAC IP ACL IPv6 ACL Ingress direction of VLAN can bind four kinds...

Страница 360: ...orted by switch 4 Configure VLAN ACL of IPv6 type Command Explanation Global mode vacl ipv6 access group 500 699 WORD in out traffic statistic vlan WORD no ipv6 access group 500 699 WORD in out vlan W...

Страница 361: ...e rule as permit but other times the rule as deny and the policy is applied to Vlan1 Set the policy VACL_B of ACL for finance department At any time they can not access the outside network but can acc...

Страница 362: ...nacl vacl_a permit ip any source 192 168 1 0 0 0 0 255 Switch config ip ext nacl vacl_a deny ip any source any destination 4 Apply the configuration to VLAN Switch config firewall enable Switch config...

Страница 363: ...function is used to detect ND protocol packet it sets IPv6 address binding obtained by nodes with the stateless address configuration DHCPv6 Snooping function is used to detect DHCPv6 protocol packet...

Страница 364: ...dhcp lifetime lifetime type static no savi ipv6 check source binding ip ip address interface if name Configure a static or dynamic binding manually no command deletes the configured binding This comma...

Страница 365: ...x check function Command Explanation Global mode ipv6 cps prefix check enable no ipv6 cps prefix check enable Enable the address prefix check for SAVI no command disables the function Configure IPv6 a...

Страница 366: ...disable DHCPv6 trust of port Command Explanation Port mode ipv6 dhcp snooping trust no ipv6 dhcp snooping trust Enable DHCPv6 trust port no command disables the trust function port is translated from...

Страница 367: ...to use IPv4 and IPv6 source address authentication is implemented Typical network topology application for SAVI function Client_1 Client_2 Ethernet1 13 Ethernet1 12 Switch2 Switch1 Ethernet1 1 Ethern...

Страница 368: ...bal SAVI function enabled After that enable the global function of the corresponding SAVI scene according to the actual application scene and enable the port authentication function If client can not...

Страница 369: ...ring topology 2 fast convergence less than 1 s ideally it can reach 100 50 ms 51 1 1 Conception Introduction MRPP Sketch Map 1 Control VLAN Control VLAN is a virtual VLAN only used to identify MRPP pr...

Страница 370: ...amine packet hello the secondary port is used to receive Hello packet sending from primary node When the Ethernet is in health state the secondary port of primary node blocks other data in logical and...

Страница 371: ...sends LINK DOWN FLUSH_FDB packet to inform all of transfer nodes to refresh own MAC address forward list 3 Ring Restore After the primary node occur ring fail if the secondary port receives Hello pac...

Страница 372: ...of MRPP 4 Configure the compatible mode 5 Display and debug MRPP relevant information 1 Globally enable MRPP Command Explanation Global Mode mrpp enable no mrpp enable Globally enable and disable MRP...

Страница 373: ...Enable the compatible mode for ERRP the no command disables the compatible mode mrpp eaps compatible no mrpp eaps compatible Enable the compatible mode for EAPS the no command disables the compatible...

Страница 374: ...en it enables each MRPP ring in the whole MRPP ring and after all of the nodes are configured open the port When disable MRPP ring it needs to insure the MRPP ring doesn t have ring SWITCH A configura...

Страница 375: ...pp ring 4000 control vlan 4000 Switch mrpp ring 4000 enable Switch mrpp ring 4000 exit Switch Config interface ethernet 1 1 Switch config If Ethernet1 1 mrpp ring 4000 primary port Switch config If Et...

Страница 376: ...stores the ring and then observes the ring is normal or not The convergence time of MRPP ring net is relative to the response mode of up down If use poll mode the convergence time as hundreds of milli...

Страница 377: ...SwitchA goes up to SwitchD through SwitchB and SwitchC port A1 and port A2 are the uplink ports SwitchA configures ULPP thereinto port A1 is set as the master port port A2 is set as the slave port Wh...

Страница 378: ...hrough the port which is switched to Forwarding state and update MAC address tables and ARP tables of other devices in the network ULPP respectively uses two kinds of flush packets to update the entri...

Страница 379: ...ct vlan reference instance instance list Configure the protection VLANs the no operation deletes the protection VLANs flush enable mac flush disable mac Enable or disable sending the flush packets whi...

Страница 380: ...port Show flush type and control VLAN received by the port clear ulpp flush counter interface name Clear the statistic information of the flush packets debug ulpp flush send receive interface name no...

Страница 381: ...tchB and SwitchC can enable the command that receives the flush packets it is used to associate with ULPP protocol running of SwitchA to switch the uplink immediately and reduce the switch delay When...

Страница 382: ...ist Switch Config vlan 10 Switch Config vlan10 switchport interface ethernet 1 1 Switch Config vlan10 exit Switch Config interface ethernet 1 1 Switch config If Ethernet1 1 ulpp flush enable mac Switc...

Страница 383: ...rt E1 2 When port E1 1 is recovering the normal state still port E1 2 forwards the data of VLAN 101 200 the data of VLAN 1 100 are switched to port E1 1 to forward SwitchA configuration task list Swit...

Страница 384: ...ch config If Ethernet1 1 ulpp flush enable mac Switch config If Ethernet1 1 ulpp flush enable arp SwitchC configuration task list Switch Config interface ethernet 1 2 Switch config If Ethernet1 2 swit...

Страница 385: ...port its state changes along with Up Down of ULSM group and is always the same with ULSM group state ULSM associates with ULPP to enable the downstream device to apperceive the link problem of the ups...

Страница 386: ...up globally Command explanation Global mode ulsm group group id no ulsm group group id Configure and delete ULSM group globally 2 Configure ULSM group Command explanation Port mode ulsm group group id...

Страница 387: ...usually associates with ULPP protocol to use In the topology SwitchA enables ULPP protocol it is used to switch the uplink SwitchB and SwitchC enable ULSM protocol to monitor whether the uplink is do...

Страница 388: ...hernet 1 3 Switch config If Ethernet1 3 ulsm group 1 uplink Switch config If Ethernet1 3 exit SwitchC configuration task list Switch Config ulsm group 1 Switch Config interface ethernet 1 2 Switch con...

Страница 389: ...irror function means that the switch exactly copies the data frames received by the specified rule of a port to another port The flow mirror will take effect only the specified rule is permit Switch s...

Страница 390: ...sent out by interface 9 and received from interface 7 sent and received by CPU and the data frames received by interface 15 and matched by rule 120 The source IP address is 1 2 3 4 and the destinatio...

Страница 391: ...dify the TRUNK group If the throughput of mirror destination port is smaller than the total throughput of mirror source port s the destination port will not be able to duplicate all source port traffi...

Страница 392: ...port Our data sample includes the IPv4 and IPv6 packets Extensions of other types are not supported so far As for non IPv4 and IPv6 packet the unify HEADER mode will be adopted following the requireme...

Страница 393: ...4 Configure the packet head length copied by sFlow Command Explanation Port Mode sflow header len length vlaue no sflow header len Configure the length of the packet data head copied in the sFlow data...

Страница 394: ...on the port 1 1 and 1 2 of the switch Assume the sFlow analysis software is installed on the PC with the address of 192 168 1 200 The address of the layer 3 interface on the SwitchA connected with PC...

Страница 395: ...ical connection failure wrong configuration etc The user should ensure the following Ensure the physical connection is correct Guarantee the address of the sFlow analyzer configured under global or po...

Страница 396: ...removing the complex algorithm of NTP SNTP is used for hosts who do not require full NTP functions it is a subset of NTP It is common practice to synchronize the clocks of several hosts in local area...

Страница 397: ...be synchronized the network must be properly configured There should be reachable route between any switch and the two SNTP NTP servers Example Assume the IP addresses of the SNTP NTP servers are 10...

Страница 398: ...running NTP its time can be synchronized by other reference sources and can be used as a reference source to synchronize other clocks also can synchronize each other by transmit NTP packets 57 2 NTP F...

Страница 399: ...NTP client The no operation will cancel the configuration and restore the default value 4 To configure time zone Command Explication Global Mode clock timezone WORD add subtract 0 23 0 59 no clock ti...

Страница 400: ...erface to receive IPv6 NTP multicast packets 8 To configure some interface can t receive NTP packets Command Explication Interface Configuration Mode ntp disable no ntp disable To disable the NTP func...

Страница 401: ...s used as host the other is used as standby the connection and configuration as follows Switch A and Switch B are the switch or route which support NTP server The configuration of Switch C is as follo...

Страница 402: ...les by default the show command can be used to display current configuration If the configuration is right please use debug every relative debugging command and display specific information in procedu...

Страница 403: ...r time 58 2 Summer Time Configuration Task Sequence 1 Configure absolute or recurrent time range of summer time Command Explanation Global Mode clock summer time word absolute HH MM YYYY MM DD HH MM Y...

Страница 404: ...t in the following The summer time from 23 00 on the first Saturday of April to 00 00 on the last Sunday of October year after year clock offset as 2 hours and summer time is named as time_travel Conf...

Страница 405: ...en the switch and the remote equipment Options and explanations of the parameters of the Ping6 command please refer to Ping6 command chapter in the command manual 59 3 Traceroute Traceroute command is...

Страница 406: ...Traceroute6 repeat this action till certain datagram reaches the destination Traceroute6 Options and explanations of the parameters of the Traceroute6 command please refer to traceroute6 command chap...

Страница 407: ...6 Debug All the protocols switch supports have their corresponding debug commands The users can use the information from debug commands for troubleshooting Debug commands for their corresponding prot...

Страница 408: ...e oldest log information will be erased and replaced by the new log information information saved in NVRAM will stay permanently while those in SDRAM will lost when the system restarts or encounter an...

Страница 409: ...d information from the CLI command is classified informational Information from the debugging of CLI command is classified debugging Log information can be automatically sent to corresponding channels...

Страница 410: ...logging ipv4 addr ipv6 addr facility local number Enable the output channel of the log host The no form of this command will disable the output at the output channel of the log host logging loghost se...

Страница 411: ...55 255 255 0 Switch Config if Vlan1 exit Switch config logging 100 100 100 5 facility local1 level warnings Example 2 When managing VLAN the IPv6 address of the switch is 3ffe 506 1 and the IPv4 addre...

Страница 412: ...period of time usually when updating the switch version The switch can be rebooted after a period of time instead of immediately after its version being updated successfully 60 2 Reload Switch after...

Страница 413: ...tocol protocol type packets no cpu rx ratelimit protocol protocol type Set the max rate of the CPU receiving packets of the protocol type the no command set the max rate to default clear cpu rx stat p...

Страница 414: ...7 495 797 3311 www qtech ru 18 1 400...

Страница 415: ...uthentication line Command authentication line console vty web login local radius tacacs no authentication line console vty web login Function Configure VTY login with Telnet and SSH Web and Console s...

Результаты поиска

Содержание QSW-2800 series

Отзывы:

Похожие инструкции для QSW-2800 series

Бренды по названию

Популярные бренды

QTech QSW-2800 series, Руководство по настройке

Результаты поиска

Содержание QSW-2800 series

Отзывы:

Похожие инструкции для QSW-2800 series

Бренды по названию

Популярные бренды