Manuale d’uso / di manutenzione del prodotto 10014298 del fabbricante 3Com
Vai alla pagina of 294
http://www.3com.com/ Switch 7750 Configuration Guide Version 3.1.5 Published August 2005 Part No.10014298.
3Com Corporation 350 Campus Drive Marlbor ough, MA 01752-3064 Copyright © 2005, 3Com C orporation. All rights reserv ed. No part of th is documentation may be r eproduced in any form or by any means or used to make any deri vative work (such as translat ion, transformation, or adaptation) without written perm ission fr om 3Com Corporation.
C ONTENTS A BOUT T HIS G UIDE Conventions 9 S YSTEM A CCESS Product Overview 11 Features 11 Configuring the Swit ch 7750 12 Setting T erminal Parame ters 13 Configuring Through T elnet 16 Configuring .
Subnet and Mask 68 Configuring an IP Addr ess 68 T roubleshooting an IP Address Configuration 70 Configuring Addr ess Resolution Pr otocol (ARP) 70 Configuring ARP 71 DHCP Relay 72 Configuring DHCP Re.
Configuring PIM-DM 131 Configuring PIM-SM 136 PIM-SM Operating Principles 136 Pr eparing to Con figur e PIM-SM 137 Configuring PIM-SM 138 GMRP 146 Configuring GMRP 146 Q O S/ O PERATION ACL Overview 1.
Configuring the Bridge Priori ty for a Switch 1 93 Configuring the Max Hops in an MST Region 194 Configuring the Switching Network Diameter 194 Configuring the T ime Parameters of a Switch 195 Configu.
Displaying Devices 255 Maintaining and Debugging the System 255 Configuring System Basics 256 Displaying System Information and State 257 Debugging the System 257 T e sting T ools for N etwork Conn ec.
.
A BOUT T HIS G UIDE This guide describes the 3Com ® Switch 7750 and how to configure it in ver sion 3.0 of the software. Conventions Ta b l e 1 lists icon conventions that are used throughout this book. Ta b l e 2 lists the text convent ions used in this book.
10 A BOUT T HIS G UIDE Words in italics Italics are used to: ■ Emphasize a point. ■ Denote a new term at the place where it is defined in the text. ■ Identify command variables. ■ Identify menu names, menu commands, and software button names. Examples: From the Help menu, select Contents .
1 S YSTEM A CCESS This chapter covers the following topics: ■ Produc t Overview ■ Configuring the Switch 7750 ■ Setting T ermina l Paramete rs ■ Command Line Interface Product Overview The 3Com Switch 77 50 is a large capa city , modu larized wire speed Layer 2/Layer 3 switch.
12 C HAPTER 1: S YSTEM A CCESS Configuring the Switch 7750 On the Switch 7750, you can set up the configuration environment through the console port. T o set up the local configuratio n environment: 1 Plug the DB-9 or DB-25 female plug of the console cable into the serial port of the PC or the terminal wher e the switch is to be configured.
Setting Terminal Parameters 13 Setting T erminal Parameters T o set terminal p arameters : 1 Start the PC and select Start > Programs > Accesso ries > Communications > HyperT erminal . The HyperT erminal window disp lays the Connection Description dialog box, as shown in Figur e 2.
14 C HAPTER 1: S YSTEM A CCESS ■ Baud rate = 9600 ■ Databit = 8 ■ Parity check = none ■ Stopbit = 1 ■ Flow control = none Figure 4 Set Communication Parameters 5 Click OK . The HyperT erminal dialogue box displays, as shown in Figure 5. 6 Select Prop erties .
Setting Terminal Parameters 15 Figure 5 HyperT erminal Window 7 In the Properties dialog box, select the Settings tab, as shown in Figure 6 . 8 Select VT100 in the Emula tion dropdown menu.
16 C HAPTER 1: S YSTEM A CCESS Setting the T er minal Parameters is described in the following sections: ■ Configuring Through T elnet ■ Configuring Through a Dial-up Modem ■ Configuring the Use.
Setting Terminal Parameters 17 4 Run T elnet on th e PC by selecting Start > Run from the Windows desktop and entering Te l n e t in the Open field , as shown in Figure 8 . Click OK . Figure 8 Run T elnet The terminal displays Login authentication and prompts you for the logon passwor d.
18 C HAPTER 1: S YSTEM A CCESS Figure 9 Pr ovide T elnet Client Service 1 Authenticate the T elnet user through the console port on the T elnet Server (Switch 7750) before login. By default, a password is required for authenticating the T elnet user to log in the Switch 7750.
Setting Terminal Parameters 19 Figure 10 Set Up Remote Configuratio n Environment 4 Dial for a connection to the switch, us ing the terminal emulator and modem on the remote end. Dial the telephone number of the modem connected to the Switch 7750. See Figure 11 and Figur e 12 .
20 C HAPTER 1: S YSTEM A CCESS Figure 12 Dial the Remote PC 5 Enter the preset login password on the r emote terminal emulator and wait for the <SW7750> prompt. 6 Use the appropriate commands to configur e the Switch 7750 or view its operational state.
Setting Terminal Parameters 21 T o n umber the user in terface by relative number , represented by interface + number assigned to each type of user interface: ■ AUX user interface = AUX 0. ■ The first VTY interface = VTY 0, th e second one = VTY 1, and so on.
22 C HAPTER 1: S YSTEM A CCESS Configuring the T erminal Attributes The following commands can be used for configuring the terminal attributes, including enabling/disabling terminal service, disconnection upon timeout, lockable user interface, configuring term inal screen length and history command buffer size.
Setting Terminal Parameters 23 Configuring idle-timeout By default, idle-timeout is enabled and set to 10 minutes on all the user interfaces. The idle-timeout command is described in Ta b l e 7. Locking the User Interface The lock command locks the current user interface and prompts the user to enter a password.
24 C HAPTER 1: S YSTEM A CCESS Configuring the Authentication Method The authentication-mode command configures the user login authen tication method that allows access to an unauthorized user . Ta b l e 11 describes the authentication-mode command. Perform the following configuration in user interface view .
Setting Terminal Parameters 25 authentication server before executing the other commands. Commands that differ ent users can execute are defined on the T ACACS authentication server . For example, the user tel@hwtac passes th e authentication of the T A CACS server 192.
26 C HAPTER 1: S YSTEM A CCESS By default, a user can access the command s at Level 3 after logg ing in through the AUX user interface, and the commands at Level 0 af ter logging in through the VTY user interface. When a user log s in to the switch, th e command level that the user can access depends on two points.
Setting Terminal Parameters 27 Perform the following configuration in user view . The auto-execute Command is used to run a command auto matically after you log in.
28 C HAPTER 1: S YSTEM A CCESS Command Line Interface The Switch 7750 provides a series o f configuration comman ds and command line interfaces for configuring and managing the Swit ch 7750. The command line interface has the following features. ■ Local configuration through the console port.
Command Line Interface 29 Login users are also classified into four levels that correspond to the four command levels. After users of different le vels log in, they can only use commands at their own, or lower , levels.
30 C HAPTER 1: S YSTEM A CCESS For all views, use the quit command to return to system view and use the return command to return to user view . Ta b l e 20 Function Feature of Command View Command vie.
Command Line Interface 31 Features and Functions of the Command Line T asks for configuring the features and functions of the command line are described as follows: ■ Online Help ■ Common Command .
32 C HAPTER 1: S YSTEM A CCESS -v Verbose output. ICMP packets other than ECHO_RESPONSE that are received are listed STRING<1-20> IP address or hostna me of a remote system Ip IP Protocol ■ Enter a command with a ? , sep arated by a space. If this p osition is for parameters, all the parameters and their brief descriptions will be listed.
Command Line Interface 33 Editing Featur es of the Command Line The command line interface provides a basic command editing function and supports editing multiple lines.
34 C HAPTER 1: S YSTEM A CCESS.
2 P ORT C ONFIGURATION This chapter covers the following topics: ■ Ethernet Port Overview ■ Configuring Link Aggregation Ether net Port Overview The following features are found in the Ethernet po.
36 C HAPTER 2: P ORT C ONFIGURATION ■ Setting Flow Control for Ethernet Port ■ Permitting/Forbidding Jumb o Fr ames on th e Ether net port ■ Setting Ethernet Port Broa dcast Suppression Ratio .
Ethernet Port Overview 37 Setting Duplex Attribute of the Ether net Port Set the port to full duplex to send and rece ive data packets at the same t ime. Set the port to half-duplex to either send or receive only . If the port has been set to auto-negotiation mode, the local and peer ports will automatical ly negotiate the duplex mode.
38 C HAPTER 2: P ORT C ONFIGURATION Setting Flow Control fo r Ethernet Port If congestion occurs in the local switch afte r enabling flow control in both the local and the peer switch , th en the switch will inform its peer to pause sending packets. Once the peer switch receives this messa ge, it will pause pack et sending, and vice versa.
Ethernet Port Overview 39 Perform the following configuration in Ether net port view . By default, 100% broadcast traffic is allowed to pass through, that is, no bro adcast suppr ession will b e performed.
40 C HAPTER 2: P ORT C ONFIGURATION Perform the following configuration in Ether net port view . The access port will be added to an exis ting VLAN other than VLAN 1. The VLAN to which a Hybrid port is added must exist. The VLAN to which a T ru nk port is added cannot be VLAN 1.
Ethernet Port Overview 41 ■ T o guarantee proper packet transmission, the default VLAN ID of local hybr id port or T runk port should be identical to t hat of the hybr id port or T runk port on the peer switch. The VLAN of hybrid port and trunk port is VLAN 1 by default.
42 C HAPTER 2: P ORT C ONFIGURATION Example: Configuring the Default VLAN ID of the T runk Port In this example, the Ether net Switch (Switc h A) is connected to the peer (Switch B) through the trunk port Ether net1/0/1. This example shows the default VLAN ID for the trunk port and verifies the port trunk pvid vlan command.
Configuring Link Aggreg ation 43 The operation key i s a conf iguration set generated by LACP based on port setting (speed, duplex mode, basic configuration and management key).
44 C HAPTER 2: P ORT C ONFIGURATION In a manual or static LACP aggregation gr oup, its ports may be in an active or inactive state. However , only the a ctive por ts can receive user service packets. The active port with the minimum port number se rves as the master port, while others act as sub-ports.
Configuring Link Aggreg ation 45 Dynamic LACP aggr egation Dynamic LACP aggregation allows aut oma tic adding/deleting by the syst em but prohibits manual configuration of user s. Dynamic LACP aggregation can be established for a single port; this is calle d single port aggregation.
46 C HAPTER 2: P ORT C ONFIGURATION A load sharing aggregation group may contain several selected ports, but a non-load sharing aggregation group can only have one selected port, while others as standby ports. Selection criteria of se lected ports vary for differ ent types of aggr egation gr oups.
Configuring Link Aggreg ation 47 Creating or Deleting an Aggregation Gr oup Y ou can use the following command to create a manual aggregation gr oup or static LACP aggregation group, but the dynamic LACP aggr egation gr oup is established by the system wh en LACP is enabled on the ports.
48 C HAPTER 2: P ORT C ONFIGURATION Setting or Deleting an Aggregation Group Descrip tor Perform the following confi guration in system view . By default, an aggregatio n group has no descriptor .
Configuring Link Aggreg ation 49 Perform the following configuration in Ether net port view . The default value for port priority is 32768. Displaying and Debugging Link Aggr egation After you have co.
50 C HAPTER 2: P ORT C ONFIGURATION Example: Link Aggregation Configuration Switch A connects switch B with th r ee aggregation ports, number ed as Ethernet1/0/ 1 to Ethernet1/ 0/3, so th at the incom ing and o utgoing l oads can be balanced among the member ports.
Configuring Link Aggreg ation 51 Only when the three ports are configur ed with identical basic configuration, r ate and duplex mode, can they be added in to a same dynamic aggregation group after LACP is enabled on them, for load sharing.
52 C HAPTER 2: P ORT C ONFIGURATION.
3 VLAN C ONFIGURATION This chapter covers the following topics: ■ VLAN Overview ■ Configuring VLANs ■ Configuring GARP/GVRP ■ VLAN Overview A virtual local area network (VLAN) creat es logical gr oups of LAN devices into segments to implement virtual workgroups.
54 C HAPTER 3: VLAN C ONFIGURATI ON Common VLAN Configuration T asks The following sections discuss the common tasks fo r configuring a VLAN: ■ Creating or Deleting a VLAN ■ Specifying the Broadca.
Configuring VLANs 55 Setting or Deleting the VLAN Description Character String Y ou can use the following comma nd to set or delete the VLAN description character string. The description characte r strings, such as workgroup_name and department_name , are used to distinguish the dif ferent VLANs.
56 C HAPTER 3: VLAN C ONFIGURATI ON status of one or more Ethernet ports is UP , the status of the VLAN interface is UP also, so the VLAN interface is enabled. Displaying and Debugging a VLAN After the configuring a VLAN, execute the display command in any view to display the VLAN configuration, and to verify the effect of the configuration.
Configuring VLANs 57 Configuring Port-Based VLANs Adding Ethernet Ports to a VLAN Use the following command to add Ether net ports to a VLAN. Perform the following configuration in VLAN view . For the meanings of the parameters related to the Ether net ports and the specific numbering rules of the ports, see “Por t Configuration” on page 35 .
58 C HAPTER 3: VLAN C ONFIGURATI ON Creating and Deleting a VLAN Protocol T ype Y ou can use the following command to crea te or delete a VLAN protocol type. Perform the following conf iguration in VLAN view . Creating and Deleting the Asso ciation Between a Port and a Protocol-Based VLAN Perform the following configuration in Ether net port view .
Configuring VLANs 59 [SW7750-vlan2] port ethernet1/0/1 to eth ernet1/0/2 3 Create VLAN 3 and enters its view . [SW7750-vlan2] vlan 3 4 Add Ethernet1/0/3 and Ether net1/0/4 to VLAN3. [SW7750-vlan3] port ethernet1/0/3 to eth ernet1/0/4 Example: Protocol-Based VLAN Configuration From port G1/0/1, all the traffic with sour ce IP 10.
60 C HAPTER 3: VLAN C ONFIGURATI ON port hybrid vlan 1 untagged # return 2 Configure VLAN 2 and VLAN 3 as pr otoc ol VLANs. Set VLAN 2 as IP 10.0.0.1 protocol and VLAN 3 as IP pr otocol [SW7750-vlan2].
Configuring GARP/GVRP 61 vlan Specify current hybrid p ort's VLAN ID [SW7750-GigabitEthernet1/0/1] port hybri d protocol [SW7750-GigabitEthernet1/0/1] port hybri d protocol-vlan 2 0 [SW7750-Gigab.
62 C HAPTER 3: VLAN C ONFIGURATI ON join message. When the GARP particip ant wants to remove its attribute information from other switches, it sends a leave message. Th e leaveall timer is started at the same time that each GARP participant is enabled and a leaveall message is sent out when the leaveall timer times out.
Configuring GARP/GVRP 63 Note that the value of the join timer sh oul d be no less than twice the value of the hold timer , and the value of the leave time r shou ld be greater than twice the value of the join timer an d smaller than the le aveall timer value.
64 C HAPTER 3: VLAN C ONFIGURATI ON All the switches that support GVRP can distribute their local VLAN registration information to other switches so that VL AN in formation is consistent on all GVRP devices in the same network.
Configuring GARP/GVRP 65 ■ When an Ether net port registration type is set to normal, the dynamic and manual creation, r egistration, and log out of VLAN are allowed on this port.
66 C HAPTER 3: VLAN C ONFIGURATI ON Figure 18 GVRP Configuration Example Configure Switch A: 1 Set Ethernet1/0/1 as a tr unk port and allow all the VLANs to pass thro ugh. [SW7750] interface Ethernet 1/0/1 [SW7750-Ethernet1/0/1] port link-ty pe trunk [SW7750-Ethernet1/0/1] port trunk p ermit vlan all 2 Cr eate VLANs.
4 N ETWORK P RO T O C O L O PERATION This chapter covers the following topics: ■ Configuring IP Address ■ Configuring Address Resolution Protocol (ARP) ■ DHCP Relay ■ IP Performance Configuring IP Address IP address is a 32-bit addr ess repr esented by four octets.
68 C HAPTER 4: N ETWORK P ROTOCOL O PERATION ■ T roubleshooting an IP Address Configuration Subnet and Mask IP protocol allocates one IP ad dress for each network interface. Multiple IP addresses can only be allocate d to a device which has mu ltiple network interfaces.
Configuring IP Address 69 Perform the following configuration in VLAN interface view . The network ID of an IP address is identified by the mask. For example , the IP address of a VLAN interface is 129.
70 C HAPTER 4: N ETWORK P ROTOCOL O PERATION Figure 19 IP Address Configuration Networking 1 Enter VLAN interface 1. [SW7750] interface vlan 1 2 Configure the IP addr ess for VLAN interface 1. [SW7750-vlan-interface1] ip address 129.2. 2.1 255.255.255.
Configuring Address Resolution Protoc ol (ARP) 71 corresponding MAC address is not found, Host A will store the IP packet in the queue waiting for transmission, and broa dcast an ARP request to attempt to resolve the MAX addr ess of Host B. The ARP request packet contains the IP ad dr ess of Host B and the IP address and MAC address of Host A.
72 C HAPTER 4: N ETWORK P ROTOCOL O PERATION By default, the switch does not learn gratuitous ARPs. Configuring the Dynamic ARP Aging Timer The following commands assign a dynamic ARP aging period to enable flexible configurations. Wh en the system lear ns a dynamic ARP entry , its aging period is based on the currently configur ed value.
DHCP Re lay 73 Figure 20 DH CP Relay Schematic Diagram When the DHCP Client pe rforms initialization, it broadcas ts the r equest packet on the local network segment. If there is a DHCP server on the local network segment (e.g. the Ethernet on the right side of the figure) , then the DHCP can be configured dir ectly without the r elay .
74 C HAPTER 4: N ETWORK P ROTOCOL O PERATION The back up server IP address ca nnot be configured independently , inst ead, it has to be configured together with the master ser ver IP address. By default, the IP address of the DHCP Se rver is not configured.
DHCP Re lay 75 By default, DHCP security featur es function are disabled. Displaying and Debugging DHCP Relay Execute display command in all views to di splay the current DHCP Relay configuration, and to verify th e effect of the configuration. Execute the debugging command in user view to debug DHCP Relay configuration.
76 C HAPTER 4: N ETWORK P ROTOCOL O PERATION [SW7750] vlan 2 [SW7750-vlan2] port Ethernet 1/0/2 [SW7750] interface vlan 2 [SW7750-VLAN-Interface2] ip address 1.
IP Performance 77 debugging command to output the debugging in formation to the console. In this way , you can view the detailed informat ion of all DHCP packets on the console while applying for the IP address, ther eb y , conveniently locatin g the problem.
78 C HAPTER 4: N ETWORK P ROTOCOL O PERATION operation, you may have to use the following commands to prevent the corresponding packets from being sent to the CPU. Perform the following confi guration in system view . By default, redir ection pack ets and route unreachable packets ar e not sent to CPU, while TTL timeout packets are sent to CPU.
IP Performance 79 T roubleshooting IP Performance If the IP layer protocol works normally , but TCP and UDP do not work normally , you can enable the corresponding debugging information output to view the debugging informat ion. ■ Use the terminal debugging command to output the debugging information to the consol e.
80 C HAPTER 4: N ETWORK P ROTOCOL O PERATION.
5 IP R OUTING P R OTOCOL O PERATION This chapter covers the following topics: ■ IP Routing Protocol Overview ■ Static Routes ■ RIP ■ IP Routing Policy ■ Route Capacity IP Routing Protocol Overview Routers select an appropriate path through a network for an IP packet accor ding to the destination addr ess of the packet.
82 C HAPTER 5: IP R OUTING P ROTOCOL O PERATION Figure 22 About Hops Networks can have differ ent sizes, so , the segment lengths connected between two differ ent pairs of routers ar e also dif ferent.
IP Routing Protocol Overview 83 ■ The output interface — Indicates an interface through which an IP packet should be forwarded. ■ The next hop address — Indicates the next router that an IP packet will pass through. ■ The priority added to the IP routing table for a route — Indicates the type of route that is selected.
84 C HAPTER 5: IP R OUTING P ROTOCOL O PERATION user are managed together with the dyna mic routes as detected by the r outing protocol. The static routes and the r outes learned or config ured by r outing protocols can be shared with each other .
Static Routes 85 ■ Unreachable r oute — When a static route to a destinatio n has the reject attribute, all the IP packets to this dest ination are discar ded, and the originat ing host is informed th at the destination is unreachable.
86 C HAPTER 5: IP R OUTING P ROTOCOL O PERATION The parameters are explained as follows: ■ IP address and mask The IP address and mask use a decimal format. B ecause the 1s in the 32-bit mask must be consecutive, the dotted decimal mask can also be r eplaced by the mask-length which refers to the digits of the consecutive 1s in the mask.
Static Routes 87 Perform the following configuration in system view . Displaying and Debugging Static Routes After you configure static an d default r outes, execute the display command in all views, to display the static route configur ation, and to verify the effect of the configuration.
88 C HAPTER 5: IP R OUTING P ROTOCOL O PERATION Figure 24 Static Route Configuration 1 Configure the static route for Etherne t Switch A: [Switch A] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2 [Switch A] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2 [Switch A] ip route-static 1.
RIP 89 RIP Routing Information Protocol (RIP) is a simple, dynamic r outing protocol, that is Distance-V ector (D-V) algorithm-based. It uses hop counts to measure the distance to the destination ho st, which is called routing cost. In R IP , the hop co unt from a router to its dir ectly connected network is 0.
90 C HAPTER 5: IP R OUTING P ROTOCOL O PERATION validity of the routes. With these mechanisms, RIP , an interior routing protocol, enables the router to learn the routing information of the entire network. RIP has become one of the most p opular standards of transmitting router and host routes.
RIP 91 By default, RIP is not enabled. Enabling the RIP Interface For flexible contr ol of RIP operation, y ou can specify the interface and configure the network where it is located in the RIP network, so that these interfaces can send and receive RIP packets.
92 C HAPTER 5: IP R OUTING P ROTOCOL O PERATION default multicast address is 224.0.0.9. The advantage of transmitting packets in the multicast mode is that t he hosts in t he same network that do not run R IP , do not receive RIP broadcast packets.
RIP 93 In fact, you may find that the timeout time of garbage-collection timer is not fixed. If period update timer is set to 30 sec onds, garbage-collection timer might range from 90 to 120 seconds.
94 C HAPTER 5: IP R OUTING P ROTOCOL O PERATION By default, all interfaces except lo opb ack interface s both receive and transmit RIP update packets. Disabling Host Route In some cases, the r outer can receive many host routes fr om the same segment, and these routes ar e of little help in route addressing but consume a lot of network resources.
RIP 95 ■ MD5 authentication — This mode uses two packet formats: One format follows RFC1723 (RIP V ersion 2 Carrying Additional Information); the other format follows RFC2082 (RIP- 2 MD5 Authentication). Perform the following configuration in VLAN interface view The usual packet format follows RFC1723 and nonstandard follows RFC2082.
96 C HAPTER 5: IP R OUTING P ROTOCOL O PERATION Perform the following configurations in RIP view . By default, RIP does not import the route information of other protocols. Configuring the Default Cost for the Imported Route When you use th e import-route command to import the routes of other protocols, you can specify their cost.
RIP 97 By default, the additional routing metric added to the r oute when RIP sends the packet is 1. The additional routing metric when RIP r eceives the packet is 0.
98 C HAPTER 5: IP R OUTING P ROTOCOL O PERATION Example: T ypical RIP Configuration As shown in Figure 25 , the Switch C connects to the subnet 117.102.0.0 through the Ethernet port. The Ether net ports of Switch A and Switch B are connected to the network 155.
IP Routing Policy 99 IP Routing Policy When a router distributes or re ceives routing information, it needs to implement policies to filter the routing information so it can receive or distribute the r outing information that meets only the specified c ondition.
100 C HAPTER 5: I P R OUTING P ROTOCOL O PERATION A basic ACL is usually used for routing information filtering. When the user defines the ACL, the user defines the range of an IP address, subnet for the destination net work segment address, or the next-hop address of the r outing information.
IP Routing Policy 101 The permit argument specifies that if a r oute sa tisfies all the if-m atch clauses of a node, the route passes the filtering of the node, and the apply clauses for the node are executed without taking the t est of the next node.
102 C HAPTER 5: I P R OUTING P ROTOCOL O PERATION The if-match clauses for a node in the ro ut e policy require that the ro ute satisfy all the clauses to match the node before the actions specified by the apply clauses can be executed. If no if-match clauses are specified, all the routes pass the filtering on the node.
IP Routing Policy 103 Defining IP Prefix A prefix list is identified by the IP prefix name. Each IP prefix can include multiple items, and each item can specify the m atc hing range of the network prefix forms. The index-number parameter specifies the matching sequence in the prefix list.
104 C HAPTER 5: I P R OUTING P ROTOCOL O PERATION Configuring for Filtering Distributed Routes Define a policy concerning route distribution that filters th e routing information that does not satisfy the conditions, and di stributes routes with the help of an ACL or address ip-prefix.
Route Capacity 105 routing information not satisfying the requ irement, but if all the items ar e in the deny mode, no routes will pass the ip-prefix filtering.
106 C HAPTER 5: I P R OUTING P ROTOCOL O PERATION If automatic memory restoration is en ab led, when the free memory of the Ethern et switch exceeds the safety value, the disconnected routes will be restor ed. Perform the following confi gurations in system view .
Route Capacity 107 Enabling Automatic Recovery of Di sconnected Routing Protocols Perform the following configurations in system view . By default, memory automatic restoration function is enabled. Displaying and Debuggi ng Route Cap acity Execute the display command in all views to display the r oute capacity configuration.
108 C HAPTER 5: I P R OUTING P ROTOCOL O PERATION.
6 M ULTICAST P RO T O C O L This chapter includes information on the following: ■ IP Multicast Overview ■ Configuring Common Multicast ■ Configuring IGMP ■ IGMP Snooping ■ Configuring PIM-DM.
110 C HAPTER 6: M ULTICAST P ROTOCOL Figure 26 Comparison Between the Unicast and Multicast T ransmission A multicast source does not necessarily be long to a multicas t group. It only send s data to the multicast group and it is not necessarily a receiver .
IP Multicast Overview 111 A multicast group can be either permanent or temporary . Part of addresses in the multicast group are r eserved by th e IANA and are known as the permanent multicast group. IP addresses of a permanent group are unchanged, but the members in the g roup can change.
112 C HAPTER 6: M ULTICAST P ROTOCOL Assigned Number Au thority) stipulates t hat the higher 24 bits of the multicast MAC address is 0x01005e and the lower 23 bits of the MAC address is the lower 23 bits of the multicast IP address.
IP Multicast Overview 113 The multicast routing cr eates a loop-free data transmission path from one data source to multiple receivers. The task of the multicast r outing protocol is to cr eate a distribution tree ar chitecture. A multicast router can use multiple methods to build up a path for data transmi ssion, i.
114 C HAPTER 6: M ULTICAST P ROTOCOL multicast routing table, to determine the incoming interface at which the packet arrives. If a source tr ee is used, the source address is the addr ess of the source host sending the multicast packet. If a shared tr ee is used, the source address is the addr ess of the root of the shared tr ee.
Configuring Common Multicast 115 Only when multicast is en abled can another multicast co nfiguration be used. Configuring the Multicast Route Limit If the existing route entries exceed the capacity v.
116 C HAPTER 6: M ULTICAST P ROTOCOL Displaying and Debugging Common Multicast Con figuration After the previous configu rations, execute the display command to view the multicast configurat ion, and to verify the configuration. Execute debugging command in user view for the debugging of multicast.
Configuring IGMP 117 discover whether hosts join the specified group on its subnets accord ing to the received r esponse messages. When the router r eceives the report that hosts leave the group, the r outer will send a gr oup-sp ecific query (IGMP V ersion 2) to discover whether there are no members in the group.
118 C HAPTER 6: M ULTICAST P ROTOCOL Advanced IGMP configuration includes: ■ Configuring the IGMP V ersion ■ Configuring the Interval for Sending the IGMP Group-Specific Query Packet ■ Configuri.
Configuring IGMP 119 Configuring the Interval for Sendi ng the IGMP Gr oup-Specific Query Packet In the shared network, where the same network segment includes multiple host s and multicast routers, the query r outer is responsible for maintaining the IGMP group membership on the interface.
120 C HAPTER 6: M ULTICAST P ROTOCOL query router r eceives the IGMP Member ship Report message within the defined period (equal to robust-value seconds), it continues to maintain the membership of this group.
Configuring IGMP 121 By default, a router does not join a multicast gr oup. Limiting Access to IP Multicast Groups A multicast router lear ns whether there are members of a multicast gr oup on the network when it receives an IGMP member ship message. A filter can be set on an interface to limit the range of allowed multicast groups.
122 C HAPTER 6: M ULTICAST P ROTOCOL Configuring the IGMP Querier Present Timer The IGMP querier present timer defines the peri od of time before the router takes over as the querier . Perform the following configuration in VLAN interface view . By default, the value is 120 seconds.
Configuring IGMP 123 Displaying and Debugging IGMP After the previous configurations, execute the display command in all views to display the running o f IGMP configuration, and to verify the effect of the configuration. Execute the debugging command in user view to debug IGMP .
124 C HAPTER 6: M ULTICAST P ROTOCOL IGMP Snooping IG MP Snooping (Internet Group Management Protocol Snooping) is a multicast control mechanism running on layer 2. It is used for multicast group management and contr ol. IGMP Snooping runs on the link layer .
IGMP Snooping 125 Figure 29 Multicast Packet T ransmission W ith IGMP Snooping Implement IGMP Snooping This section introduces r elated switch concepts of IGMP Snooping: ■ Router Port: The port directly connected t o the multicast router . ■ Multicast member port: The port connected to the multicast member .
126 C HAPTER 6: M ULTICAST P ROTOCOL Figure 30 Implementing IGMP Snooping 1 IGMP general query message: T ransmitted by the multicast router to query which multicast group contains member . When a router port re ceives an IGMP general query message, the Switch 7750 will r eset the aging ti mer of the port.
IGMP Snooping 127 not have any member , the switch will notify the multicast r outer to remove i t from the multicast tree. Configuring IGMP Snooping is desc rib ed in the following sections: ■ Conf.
128 C HAPTER 6: M ULTICAST P ROTOCOL By default, the port ag in g time is 260 seconds. Configuring Maximum Response Time This task sets the maximum response time. If the Switch 7750 receives no r eport message from a port in the maximum r espon se time, it will r emove the port from the multicast group.
IGMP Snooping 129 Example: IGMP Snooping Configuration T o implement IGMP Snooping on the sw itch, first enable it. The switch is connected with the router thr ough the router port, and with user PC through the non-router ports. Figure 31 IGMP Snooping Co nfiguration Network 1 Display the status of GMRP .
130 C HAPTER 6: M ULTICAST P ROTOCOL ■ Input the display igmp-snooping group command to see if the multicast group is the expected one. ■ V erify that th e source IP address is correct for each multicast str eam. 3 Multicast forwarding table set up on the bottom layer is wrong.
Configuring PIM-DM 131 as a re dundancy packet without the multicast forwarding. The unicast routing information as path judgment can come from any unicast r outing protocol independent of any specified unicast routing pr otocol such as the routing information learned by RIP.
132 C HAPTER 6: M ULTICAST P ROTOCOL ■ Configuring the Maximum Number of PIM Neighbor on an Interface ■ Displaying and Debuggi ng PIM-DM When the router is run in the PIM-DM do ma in, it is best to en able PIM-DM on all interfaces of the no n-border r outer .
Configuring PIM-DM 133 Perform the following configuration in VLAN interface view . The default interval is 30 seconds. Y ou can configure the value according to differ ent network en vironments. Generally , this parameter does not need to be modified.
134 C HAPTER 6: M ULTICAST P ROTOCOL Configuring the Maximum Number of PIM Neighbor on an In terface Y ou can limit the PIM neighbors on an interface. No neighbor can be add ed any more when the limit is r eached. Perform the following configuration in th e PIM view .
Configuring PIM-DM 135 Example: PIM-DM Configuration LS_A has a port carrying Vlan 10 to co nnect Multicast Sour ce, a port carrying Vlan11 to connect LS_B and a port carryi ng Vlan12 to connect LS_C. Configure to implement multicast between Multicast S ource and Receiver 1 and Receiver 2.
136 C HAPTER 6: M ULTICAST P ROTOCOL [SW7750-vlan-interface12] pim dm Configuring PIM-SM PIM-SM (Protocol Independent Multicast, Sparse Mode) belongs to sparse mo de multicast routing protocols. PIM-SM is ma inly applicable to large-scale networks with broad scope a nd few group members.
Configuring PIM-SM 137 Figure 34 RPT Schematic Diagram Multicast Sour ce Registration When multicast source S sends a multicast packet to group G, the PIM-SM multicast router is r esponsible for encapsulating the packet into a registration packet upon receipt.
138 C HAPTER 6: M ULTICAST P ROTOCOL be configured to specify RP . As the back up of dynamic RP , static RP improves network robustness and enhances the oper ation and management capability of multicast network.
Configuring PIM-SM 139 Repeat this configuration t o enable PIM-SM on other interfaces. Only one multicast r outing pr otoc ol can be enabled on an interface at a time.
140 C HAPTER 6: M ULTICAST P ROTOCOL Otherwise, the candidate BSR will keep it s BSR addr ess and continue to r egard itself as the BSR. Perform the following conf iguration in PIM view . Candidate-BSRs should be configured on the routers in the network backbone.
Configuring PIM-SM 141 If static RP is in use, all r outers in the PIM domain must adopt the same configuration. If the configured static RP addr ess is the interf ace address of the local route r whose state is UP , the router will function as the static RP .
142 C HAPTER 6: M ULTICAST P ROTOCOL Only the register messages matching the ACL permit clause ca n be accepted b y the RP . Specifying an undefine d ACL will make the RP de ny all register messages.
Configuring PIM-SM 143 For detailed information of the crp-policy command, see the Switch 7750 Command Reference Guide . Clearing Multicast Route Entries from PIM Routing T able Perform the following configuration in user view . If in this command, the group-address is 224.
144 C HAPTER 6: M ULTICAST P ROTOCOL Execute the debugging command in user view to debug PIM-SM. Example: Configuring PIM-SIM Host A is the receiver of the multicast group at 225.0.0.1. Host B begins transmitting data destined to 225.0.0.1. Sw itch A receives the mul ticast data from Host B by Swit ch B.
Configuring PIM-SM 145 [SW7750-pim] interface vlan-interface 11 [SW7750-vlan-interface11] pim sm [SW7750-vlan-interface11] quit [SW7750] vlan 12 [SW7750-vlan12] port Ethernet 1/0/6 to E thernet 1/0/7 .
146 C HAPTER 6: M ULTICAST P ROTOCOL Configure Switch C: 1 Enable PIM-SM. [SW7750] multicast routing-enable [SW7750] vlan 10 [SW7750-vlan10] port Ethernet 1/0/2 to Ethernet 1/0/3 [SW7750-vlan10] quit .
GMRP 147 Enable/Disable GMR P Globally Perform the following configuration in system view . By default, GMRP is disabled. Enabling/Disabling GMRP on the Port Perform the following configuration in Ether net port view . GMRP should be enabled globally before being enabled on a port.
148 C HAPTER 6: M ULTICAST P ROTOCOL 2 Enable GMRP on the port. [SW7750] interface Ethernet 1/0/1 [SW7750-Ethernet1/0/1] gmrp Configure LS_B: 1 Enable G MRP globally .
7 Q O S/ O PERATION ■ ACL Overview ■ Configuring ACLs ■ Displaying and Debugging an ACL ■ Configuring QoS ■ Configuring ACL Control ACL Overview T he Access Control List (ACL) classifies the data packets with a series of ma tching rules, including source a ddress, destination address and port number .
150 C HAPTER 7: Q O S/ O PERA TION This type of filtering includes ACLs that are used with the QoS function, ACLs used to filter the packet transmit ted by the hardware, and so on. Filtering or Classifying Data T ransmitted by the Software An ACL can be used to filter or classify the data transmitted by the software of the switch.
Configuring ACLs 151 Configuring ACLs ACL configuration includes the tasks de scribed in the following sections: ■ Configuring the T ime Range ■ Selecting the ACL Mode ■ Defining an ACL ■ Acti.
152 C HAPTER 7: Q O S/ O PERA TION To d e f i n e t h e A C L : 1 Enter the corresponding ACL view 2 Add a rule to the ACL Y ou can add multiple rules to one ACL.
Configuring ACLs 153 Perform the following configuration in designated view . An advanced ACL is identified with numbers rangin g from 3000 to 3999. Note that port1 and port2 in this command specify the TCP or UDP ports used by various high-layer applications.
154 C HAPTER 7: Q O S/ O PERA TION A Layer -2 ACL can be identified with numb ers ranging from 4000 to 4999. If you assign an ACL to an interface and then make changes to the ACL, you must reassign the ACL to the interface before the changes to the ACL will apply on the interface .
ACL Configuration Examples 155 The matched information of the display acl config command specifies the rules treated by the switch’ s CPU. The matched information of the transmitted data by the switch can be displayed with the display qos-info traffic-statistic command.
156 C HAPTER 7: Q O S/ O PERA TION Define the work time range: 1 Set the time range 8:00 to 18:00. [SW7750] time-range 3com 8:00 to 1 8:00 working day Define the ACL to access the payment server: 1 Enter the name of the advanced ACL, named traffic-of-payserver .
Configuring QoS 157 Define the rules for packet with source IP address 10.1.1.1. [SW7750-acl-basic-traffic-of-host] rule 1 deny ip source 10.1.1.1 0 time-range 3com 4 Activate ACL.
158 C HAPTER 7: Q O S/ O PERA TION packets to the destination, not making any commitment or guarantee of the transmission reliabil ity , delay , or to satisfy othe r performanc e requir ements . Ethernet technology is currently the most widely used network technology .
Configuring QoS 159 the classification standards are encapsulat ed in the header of the packets. The packet content is seldom used as the classification standar d.
160 C HAPTER 7: Q O S/ O PERA TION Figure 39 SP SP is designed for the key ser vice application. A significant feat ure of the key service is requir ed, for priority t o enjoy the service, to reduce the response delay when congestion occu rs.
Configuring QoS 161 This random number is compared with the discarding pr obability for the current queue. Any packet whose random numb er is greater than the probability is discar ded. The longer th e queue, the higher the discarding probability . However , there is a maximum discar ding pr obability .
162 C HAPTER 7: Q O S/ O PERA TION Perform the following two configurat ion tasks in system view . Setting Port Mirroring Port mirroring means duplicating data on the monitored port to the designated monitor port, for purpose of data an alysis and supervision.
Configuring QoS 163 Configuring the Mapping List for 802.1p Priority Y ou cannot modify the mappin g between local priority levels and outboun d queues, but you can change the mapp in g between 802.1p and local priority levels. Then the mapping bet ween 802.
164 C HAPTER 7: Q O S/ O PERA TION Configuring the Priority for Queue Scheduling Y ou can use the following command to con figure which priority is used for queue scheduling . Perform the following confi guration in system view . By default, the switch chooses the lo cal pr efer ence as the basic priority .
Configuring QoS 165 Setting Line Limit Line limit r efers to limiting the total rate at the port. The adjustment step for the line rate of the Switch 7750 is 1Mbps. Perform the following configurations in QoS view . Y ou can set line limit at a single port.
166 C HAPTER 7: Q O S/ O PERA TION Only the 20-Port 10/100/1000BASE-T a nd 20- Port 1000BASE-X -SFP I/O modules support this configuration. Relabeling the Priority Level Relabeling the priority level creates a polic y to tag the priority of the packets so they match the ACL.
Configuring QoS 167 Configuring T raffic Statistics The traffic statistics function counts th e transmitted dat a that matches the ACL rules. After the traffic statistics function is configured, you can use the dis play qos-info traffic-statistic command to display the statistics information.
168 C HAPTER 7: Q O S/ O PERA TION For output and description of the related commands, see the Switch 7750 Command Reference Guide . QoS Configuration Examples This section provides the following conf.
Configuring QoS 169 Figure 40 T raffic Limit and Line Rate Configuration Only the commands concerning Qo S/AC L configuratio n are listed here. T o create this configuration: 1 Define outbound traffic for the wage server . Enter name-based advanced ACL view using the traffi c-of-payserver .
170 C HAPTER 7: Q O S/ O PERA TION For a 48-port modu le, the monitoring po rt and the monitored port must all be at the ports 1-24 or ports 25-48, on which only one mirroring group can be configured in one direction.
Configuring QoS 171 [SW7750-acl-basic-2000] rule 0 permit ip source 1.0.0.2 0 time-range 3com 3 Relabel ef priority for PC1 packets. Enter QoS view . [SW7750-GigabitEthernet7/0/1] qos [SW7750-qosb-GigabitEthernet7/0/1] Relabel ef priority for PC1 packets.
172 C HAPTER 7: Q O S/ O PERA TION [SW7750-qosb-GigabitEthernet7/0/1] traffic-redirect inbound ip-group 1 rule 0 interface gigabitetherent 7/0/8 Queue Scheduling Modify the correspondence between 802.1p pr iority levels and lo cal priority levels to change the mapping between 802.
Configuring QoS 173 RED Run the RED operation for the packets se nt between 8:00 and 18:00 every day from IP addr ess 1.0.0.1 to the p ort E3/0/8 . RED operation is set so that the queue length that trigger s random discarding rang es from 64 Kbytes to 128 Kbytes.
174 C HAPTER 7: Q O S/ O PERA TION The 20-Port 10/100/1000 BASE-T and 20-Po rt 10 00BASE-X-SFP I/O modules do not support this configuration. Figure 46 T raffic Bandwidth T o create this configuration: 1 Define the time ra nge 8:00 to 18:00. [SW7750] time-range 3com 8:00 to 18 :00 daily 2 Define traffic rules for the packets of IP addr esses 1.
Configuring ACL Control 175 Figure 47 T raffic Statistics T o create this configuration: 1 Define the time range 8:00 to 18:00. [SW7750] time-range 3com 8:00 to 18:00 d aily 2 Define traffic rules for PC1 packets. [SW7750] acl number 2000 [SW7750-acl-basic-2000] rule 0 permit ip source 1.
176 C HAPTER 7: Q O S/ O PERA TION Configuring ACL Control for TELNET Users By configuring ACL control over TELNET , us ers can filter the malicious and illegal connection requests before passwor d authentication, and ensure device security .
Configuring ACL Control 177 Figure 48 Con trol TELNET User With ACL Use the following commands to control TELNET users with ACL. 1 Define the basic ACLs. [SW7750] acl number 2000 match-order con fig [SW7750-acl-basic-2000] rule 1 permit so urce 10.110.
178 C HAPTER 7: Q O S/ O PERA TION The privacy-mod priv-passwor d parameters are supported only in the extended version of the software. SNMP community is one of the features of SN MP v1 and SNMP v2, so with these versions of SNMP , you can import the ACL into the commands with SNMP community already config ured.
Configuring ACL Control 179 2 Import the basic ACLs. [SW7750] snmp-agent community read 3com acl 2000 [SW7750] snmp-agent group v2c 3comgroup acl 2001 [SW7750] snmp-agent usm-user v2c 3comuse r 3comgr.
180 C HAPTER 7: Q O S/ O PERA TION.
8 STP O PERATION This chapter covers the following topics: ■ STP Overview ■ Configuring STP ■ MSTP Overview ■ Configuring MSTP STP Overview Spanning T ree Pr otocol (STP) is applied in a loop network to block und esirable redundant paths. Using STP avoids the pr olif eration and infinite cycling of a packet in a loop network.
182 C HAPTER 8: STP O PERAT ION Designating Switches and Ports A designated switch is a switch in charge of forwarding packets to the local switch by a port called the designated port. For a LAN, the designated sw itch is a switch that forwards packets to the network segment by the designated po rt.
Configuring STP 183 Generating the Configuration BPDU When initialized, each port of the switch es will generate the configuration BPDU taking itself as the root, root path cost as 0, designated switch IDs as their own switch IDs, and the designated ports as their ports.
184 C HAPTER 8: STP O PERAT ION The comparison process of each switch is: ■ Switch A Ethernet 1/0/1 receives the configurat ion BPDU fr om Switch B and finds out that the local configuration BPDU priority is higher than that of the received one, so it discards the r eceived configuration BPDU.
Configuring STP 185 calculation is launched agai n by new events, for example, th e link from Switch B to C is down or the port receives a better configuration BPDU. Ethernet 1/0/1 receives the updated conf ig uration BPDU, {0, 5, 1, e1/0/4}, from Switch B.
186 C HAPTER 8: STP O PERAT ION a transitional state mechanism is then ado pted to ensure the new configuration BPDU has been propagated throughout the network befor e the root port and designated port begin to sen d data again.
MSTP Overview 187 Figure 53 MSTP Concepts MST Region A multiple spanning tree r egion contains several physically a nd directly connected MSTP-capable switches sharing the same region name, VLAN-spanning tree mapping configuration and MSTP revision level config uration, and the network segments between them.
188 C HAPTER 8: STP O PERAT ION Multiple Spanning T ree Instance (MSTI) Multiple spanning trees can be generated in an MST region and ar e independent of one another . Each of these sp anning tr ees is called an MST I. MSTI Region root The MSTI re gion root r efers to the root of the MSTI in an MST r egion.
Configuring MSTP 189 Figure 54 Port Roles MSTP Principl es MSTP divides the ent ire Layer 2 network in to several MST r egions, and calculates and generates CST for them. Multiple spanning trees are generated in a r egion and each of them is called an MSTI.
190 C HAPTER 8: STP O PERAT ION ■ Configuring the Path Cost of a Po rt ■ Configuring the Priority of a Port ■ Configuring the Port Connection with the Point-to-Point Link ■ Configuring the mCh.
Configuring MSTP 191 Configuring the MST Region Perform the following configuration in MST region view . An MST region can contain up to 16 spanning tree instances, among which Instance 0 is an IST and instances 1 through 16 are MSTIs. Upon the completion of these configurations, the current switch is put into a specified MST region.
192 C HAPTER 8: STP O PERAT ION Y ou can use the following commands to specify th e current switch as the primary or secondary root of the spanning tree. Perform the following confi guration in system view . After a switch is configured as primary root switch or second ary root switch, you cannot modify the brid ge priority of the switch.
Configuring MSTP 193 provides two operation modes, STP-compatible mode and MSTP mode. In STP-compatible mode, the switch sends ST P packets by every port and serves as a region itself. In MSTP mode, the switch ports send MSTP or STP packets (when connected to the STP switch) and the switch pr ovides the multiple spanning tr ee function.
194 C HAPTER 8: STP O PERAT ION Configuring the Max Hops in an MST Region The scale of an MST region is limited by the max hops in the MST region; which is configured on the region r oot. As the BPDU travels from the spanning tr ee root, each time it is forwarded by a switch, the max hop is reduced by 1.
Configuring MSTP 195 Configuring the Time Parameters of a Switch The switch has three time parameters: ■ Forward delay ■ Hello time ■ Max age Forward delay is the switch state transitio n mechanism. The spanning tree will be recalculated upon link faults and its structure will change accor dingly .
196 C HAPTER 8: STP O PERAT ION that is too short, the switch frequently sends configuration BPDU, which adds burden and wastes the network resources. A max age that is too short, can caus e the network device to calculate the spanning tree frequent ly and mistake the congestion as a link fault.
Configuring MSTP 197 This parameter only takes a relative value without units. If it is set too large, too many packets will be transmitted during every hello time and too many network resour ces will be occupied. The default value is recommended. By default, the max transmission speed on every Ether net port of the switch is 3.
198 C HAPTER 8: STP O PERAT ION Configuring the Path Cost of a Port Path cost is r elated to the speed of th e link connected to the port. On the MSTP switch, a port can be configured with dif ferent path costs for dif ferent STIs.
Configuring MSTP 199 Perform the following configuration in system view . By default, the switch calculates the defaul t Path Cost of a port by the IEEE 8 02.1t standard. Generally the path cost of the links in full duplex status is lower than those in half duplex status.
200 C HAPTER 8: STP O PERAT ION In calculating the path cost of aggregat ion links, the 80 2.1D -1998 does not take into account the nu mber of aggregation links, but the 80 2.
Configuring MSTP 201 Configuring the Port Connection with the Point-to-Point Link The point-to-point link directly connects two switches. Y ou can config ure the port to connect or not connect with th e point-to-po int link in the following ways. Configuring in System View Perform the following configuration in system view .
202 C HAPTER 8: STP O PERAT ION configure a port not physically connecte d with the point-to -point link, rather , connected to such a link by forc e. By default, th e parameter is configured as auto . Configuring the mCheck V ariable of a Port The port of an MSTP s witch operates in either STP-compa tible or MSTP mode.
Configuring MSTP 203 low-speed link and congestion will occur on the network. The r oot pr otection function is used against such problem. The root port and other blocked ports main tain their state according to the BPDUs sent by an uplink switch.
204 C HAPTER 8: STP O PERAT ION For more about the configuratio n commands, see the Swit ch 7750 Comman d Reference Guide . Enabling MSTP on the Device Y ou can use the following command to en able MSTP on the device. Perform the following confi guration in system view .
Digest Snooping 205 By default, MSTP is enabled on all the ports after it is enabled on the device. Displaying and Debugging MSTP After you configure MSTP , execute the display command in all views to display the running of the MSTP configu ration, and to verify the effect of the configuration.
206 C HAPTER 8: STP O PERAT ION Prer equisites Switches of differ ent manufacturers are interconnected in a network and have MSTP properly employed. The network operates properly . Configuration Pr ocedure Note the following: ■ Y ou must enable digest sno oping on an interface first before enabling it globally .
9 AAA AND RADIUS O PERATION This chapter covers the following topics: ■ IEEE 802.1x ■ Implementing the AAA and RADIUS Protocols ■ Configuring AAA ■ Configuring the RADIUS Protocol ■ Configur.
208 C HAPTER 9: AAA AND RADIUS O PERATION The LAN access contr ol device needs to provide the Authenticator System of 802.1x. The computers need to be installed with the 802.1x client Supplicant software, for example, the 802.1x client pr ovided by Microsoft Windows XP .
IEEE 802.1x 209 ■ EAPoL-Key: Key information frame, su pporting to encrypt the EAP packets. ■ EAPoL-Encapsulated-ASF-A lert: Suppor ts the Al erting message of Alert Standard Forum (ASF). The EAPoL-Sta rt, EAPoL-Logoff, and EAPoL-Key only exist be tween the Supplicant and the Authenticator .
210 C HAPTER 9: AAA AND RADIUS O PERATION Enabling/Disabling 802.1x The following commands can be used to enable/disable t he 802.1x on the specified port. When no port is specified in system view , the 802.1x is enabled/disabled globally . Perform the following con figurations in system view or Ether net port view .
IEEE 802.1x 211 By default, 802.1x authentication meth od on the port is MAC-based. That is, authentication is performed based on MAC addresses. Checking the Users that L og on the Switch by Pr oxy The following commands are used for ch ecking the users that log on by prox y .
212 C HAPTER 9: AAA AND RADIUS O PERATION By default, authenticati on will not be launched when the user runs DHCP and applies for dynamic IP addr esses. Configuring the Authenticati on Method for 802.1x Users The following commands can be used to configure the authentication method for 802.
IEEE 802.1x 213 By defa ult, the qu iet-period-value is 60 seconds, the tx-period-value is 30 seconds, the supp-timeout-value is 30 seconds, the se rver-timeout-value is 100 seconds. For more detailed information on the dot1x timer command, see the Switch 7750 Command R eference Guide .
214 C HAPTER 9: AAA AND RADIUS O PERATION All the supplicants belong t o the defaul t domain 3com163.net, which can contain up to 30 users. RADIUS authentication is performed first. If there is no response from the RADIUS server , local authenticati on will be performed.
Implementing the AAA and RADIUS Protocols 215 [SW7750-radius-radius1] primary authentication 10.11.1.1 [SW7750-radius-radius1] primary accounting 10.11.1.2 5 Set the IP address of the second au then tication/accountin g RADIUS servers. [SW7750-radius-radius1] secondary authen tication 10.
216 C HAPTER 9: AAA AND RADIUS O PERATION The network security mentioned here refers to access contr ol, including: ■ Which user can acc ess the network server ■ Which service can the authorized u.
Configuring AAA 217 RADIUS server generally uses a pr oxy function of the devices, like access server , to perform user a uthentication. The o peration process is as fo llows: 1 Send client user name and encryp ted password to RADIUS server .
218 C HAPTER 9: AAA AND RADIUS O PERATION userid@isp-name format, the system will take userid part as username for identification and take isp-name part as domain name. The purpose of int roducing ISP domain settings is to support the mult i-ISP application environment.
Configuring AAA 219 By default, after an ISP domain is cr eate d, the used RADIUS server group is the default system (for relevant parameter configur ation, refer to “Configuring th e RADIUS Pr otoco l ” ), the state of domain is active , there is no limit to the amount of supplicants, and the idle-cut is disabled .
220 C HAPTER 9: AAA AND RADIUS O PERATION Disconnecting a User by Force Sometimes it is necessary to disco nnect a user or a category of users by force. The system provides the following command to serve this purpose. Perform the following confi guration s in system view .
Configuring the RADIUS Protocol 221 the RADIUS server group, and specify it to use RADIUS AAA schemes. For more about the configuration commands, refer to “Configuring AAA ” .
222 C HAPTER 9: AAA AND RADIUS O PERATION Several ISP domains can use a RADIUS server group at the same time. By default, the system has a RADIUS server group named system whose attributes are all default values. The defau lt attribute valu es are intr oduced in the following section.
Configuring the RADIUS Protocol 223 ones sugge sted. (Espec ially for some ea rlier RADIUS Servers, authentication/authorization po rt number is often set to 1645 and accounting port number is 1646.) The RADIUS service port settings on the Switch 7750 need to be consistent with the port settings on the RADIUS server .
224 C HAPTER 9: AAA AND RADIUS O PERATION re sponse, NAS conside rs the communication with the curr ent RADIUS server disconnected a nd will transmit the r equest pack et to other RADIUS servers. Perform the following con figurations in RADIUS server group view .
Configuring the RADIUS Protocol 225 larger value. The following ta ble r ecommends the ratio of minute value to the number of users. By defa ult, minute is set to 12 minutes. Setting Maximum Times of Real-time Accounting Request The RADIUS server usually verifies that a user is online with timeout timer .
226 C HAPTER 9: AAA AND RADIUS O PERATION Perform the following configurations in RADIUS server group view . By default, the stop accounting request will be saved in the buf fer .
Configuring the RADIUS Protocol 227 communicate, NAS returns to the primary server . The following commands can be used to set the p rimary server to be acti ve manually , so that NAS can communicate with it immediately after troubleshooting.
228 C HAPTER 9: AAA AND RADIUS O PERATION By default, the default data unit is a byte and the default da ta packet unit is one packet. Configuring a Local RADIUS Server Gr oup RADIUS service adopts authentication/aut horization/accounting servers to manage users.
Configuring the RADIUS Protocol 229 RADIUS server , it has to re transmit the request to guarantee RADIUS service for the user . Y ou can use the following command to set response timeout timer of RADIUS server . Perform the following configurations in RADIUS scheme view .
230 C HAPTER 9: AAA AND RADIUS O PERATION 500 to 99912 =1000=15 By default, minute is set to 12 minutes. III. Configure the RADIUS Server Response T imer If the NAS receives no r esponse from th e RAD.
Configuring HWTACACS 231 4 Configuring the T ACACS accounting server and r elated featuresprimary accountingHWT ACACS viewConf iguring the primary accountin g server secondary accountingHWT ACACS vi e.
232 C HAPTER 9: AAA AND RADIUS O PERATION As afor ementi oned, HWT ACACS prot ocol is config ured scheme by schem e. Therefor e, you must create a HWT ACACS scheme and enter HWT ACACS view before you perform other configuration tasks. Perform the following confi guration in system view .
Configuring HWTACACS 233 2.4.4 Configuring HWT ACACS Authorization Servers Perform the following configuration in HWT ACACS view . T able 2- 39 Configuring HWT ACACS authorization servers OperationCom mand Configure the primary HWT ACACS author ization server .
234 C HAPTER 9: AAA AND RADIUS O PERATION Perform the following confi guration in HWT ACACS view . T able 2-41 Configuring stop-ac co unting packet retransmission OperationCommand Enable stop -account.
Configuring HWTACACS 235 T able 2- 43 Setting a key for securing the communication with the HWT ACACS server OperationCom mand Configure a key for securing the co mmunication with the acco unting, aut.
236 C HAPTER 9: AAA AND RADIUS O PERATION Setting T ACACS Server Time rs Setting the response timeout timer After HWT ACACS is implemented on the basis of TCP , server response time out or TCP timeout may terminate the connection to the T ACACS server .
Displaying and Debugging the AAA, RADIUS, and HWTACACS Protocols 237 The real-time accounting interval defaults to 12 minutes. Displaying and Debugging the AAA, RADIUS, and HWT ACACS Protocols After y.
238 C HAPTER 9: AAA AND RADIUS O PERATION AAA, RADIUS, and HWT ACACS Protocol Configuration Examples AAA/RADIUS protocol configuration comma nds are generally used together with 802.1x configuration co mmands. Refer to the typical configu ration examples provided in “Configuring 802.
AAA, RADIUS, and HWTACACS Protocol Configuration Examples 239 Figure 58 Con figuring Remote RADIUS Authentication for T elnet Users 1 Add a T elnet user . For details about configuring F TP and T elnet users, see “Conf iguring the User Interface” on page 20 .
240 C HAPTER 9: AAA AND RADIUS O PERATION switch, set the shar ed key fo r AAA packet encryption to expert . Configure the switch to send user names to the T A CACS server with isp-name removed.
Troubleshooting AAA, RADIUS, and HWTACACS Configurations 241 T roubleshooting AAA, RADIUS, and HWT ACACS Configurations The RADIUS pr otocol of th e TCP/IP pr otocol suite is located on the applica tion layer . It specifies how to exchange user information b etween the NAS and RADIUS servers of an ISP .
242 C HAPTER 9: AAA AND RADIUS O PERATION.
11 S YSTEM M ANAGEMENT This chapter covers the following topics: ■ File System ■ Managing the MAC Address T able ■ Managing Devices ■ Maintaining and Debuggin g the System ■ SNMP ■ RMON ■ NTP File System The Switch 7750 provides a file system module for efficient management with storage devices such as flash memory .
244 C HAPTER 11: S YSTEM M ANAGEMENT Managing Files Y ou can use the file system to delete, unde lete, or permanen tly delete a file. It can also be used to d isplay file contents; rename, copy , and move a file; and display the information about a specifie d file.
File System 245 Example: File System Operation 1 Format the flash. <SW7750> format flash: All sectors will be erased, proceed? [c onfirm] y Format flash: completed 2 Display the working directory in the flash. <SW7750> cd flash:/ <SW7750> pwd flash:/ 3 Create a directory named test.
246 C HAPTER 11: S YSTEM M ANAGEMENT Perform the following conf iguration in all views. The configuration files are displayed in their corresponding saving formats. Saving the Curre nt Configuration Use the save command t o retain the current-configuration in the flash memory .
File System 247 ■ F TP client — After connecting to the server by running the terminal emulator or T elnet on a PC, you can access the files on it, using the F T P command.
248 C HAPTER 11: S YSTEM M ANAGEMENT Configuring F T P Server Parameters Y ou can use the following commands to config ure the connection timeout of the F TP server .
Managing the MAC Address Table 249 ■ Download ing Files with TF TP Configuring the File T ransmission Mode TF TP transmits files in two modes; binary mode for program files and ASCII mode for text files. Use the following commands to configure the file transmission mode.
250 C HAPTER 11: S YSTEM M ANAGEMENT switch learns and adds in the MAC addre ss table. After this, subsequent packets destined for the same MAC address can be forwarded directly . If the MAC address cannot be found after broadcasting the pack et, the switch will drop it and notify the transmitter that the packet did not arr ive at the destination.
Managing the MAC Address Table 251 Perform the following configuration in system view . Disabling or Enabling Global MAC Addr ess Learning W ith the address learning function, an Ethernet switch can lear n new MAC addresses.
252 C HAPTER 11: S YSTEM M ANAGEMENT By defaul t, the MAC a ddre ss learning functi on is enabl ed. Setting MAC Addr ess Aging Time Setting an appropriate aging time implem ents MAC addr ess aging. T oo long or too short an aging time set by subscr ibers will cause t he Ethernet sw itch to flood a large amount of data packets.
Managing Devices 253 Example: Configuring MAC Ad dr ess T able Management The user logs in to the switch through the console port to configure the addr ess table management. Set the address aging time to 500s and add a static address 00e0-fc35-dc71 to Ether net 1/0/2 in vlan1.
254 C HAPTER 11: S YSTEM M ANAGEMENT Configuring the Managing Devices is described in the following sections: ■ Designating the APP for the Next Boot ■ Displaying Devices Designating the APP for t.
Maintaining and Debugging the Sys tem 255 Setting the Slot T empera ture Limit The Switch 7750 sounds an alarm when the temperature on a slot exceeds the pre set limit.
256 C HAPTER 11: S YSTEM M ANAGEMENT ■ Debugging the System ■ T esting T ools for Network Connection ■ Logging Function Configuring System Basics This section describes the followi ng basic syst.
Maintaining and Debugging the Sys tem 257 Perform this command in user view . By default, daylight saving time is not set. Displaying System Information and State The following display commands are used for displaying the system state and the statistics information.
258 C HAPTER 11: S YSTEM M ANAGEMENT Figure 61 Debugging Output Y ou can use the following commands to control debugging. Perform the following operatio ns in user view . For more about the usage and format of the debugging commands, refer to the appropriate chapters.
Maintaining and Debugging the Sys tem 259 all the information needed. In this case, use display diagnostic-information command. Y ou can perform the fo llowing operations in all views. T o view the data later , enable savin g a screen capture to a file.
260 C HAPTER 11: S YSTEM M ANAGEMENT The following list provides the tracert execution process: 1 T racert sends a pack et with TTL value of 1. 2 The first hop sends back an ICMP err or me ssage indicating that the packet cannot be sent, for the TTL is timeout.
Maintaining and Debugging the Sys tem 261 For the above configuration, the lo g host is not configured on the switch. All ot her configurations will take effect af ter enabling the logging function. Enabling and Disabling the Logging Function Y ou can u se the following commands t o enable or disable the logg ing function.
262 C HAPTER 11: S YSTEM M ANAGEMENT The system assigns a channel in each output direction by default. See Ta b l e 293 . The six settings are independent from each other .
Maintaining and Debugging the Sys tem 263 Use the following commands to define the filtering rules of the channels. Perform the following oper ation in system view . ■ modu-name : specifies the module name. ■ level : r efers to the severity levels.
264 C HAPTER 11: S YSTEM M ANAGEMENT Configuring the Info-center Loghost This configuration is performed on the info-center loghost. The followin g configuration example is implemented on SunOS 4.0. The configurations on the Unix operating systems of ot her vendors are similar .
SNMP 265 Configur e the info-ce nter loghost as fo llows: 1 Enable the logging system. [SW7750] info-center enable 2 Set the host at 202.38.1.10 as info- center loghost, sets the severity threshold to informational, the output language to E nglish and allows the RSTP and IP modules to output infor mation.
266 C HAPTER 11: S YSTEM M ANAGEMENT In terms of structure, SNMP can be divi ded into two parts, NMS and Agent. NMS (Network Management Station) is the work station for running the client program. At present, the commonly used NM platforms include Sun NetManager and IBM NetView .
SNMP 267 The current SNMP Agent of Ether net s witch supports SNMP V1, V2 C and V3. The MIBs supported are listed in the following table. Configuring SNMP Configuring SNMP includes tasks that are desc.
268 C HAPTER 11: S YSTEM M ANAGEMENT only query the device information, whereas the community with r ead-write authority can also configure the device. Use the following commands to set the community name. Perform the following confi guration in system view .
SNMP 269 The authentication parameter specifies that th e packet is aut henticated withou t encryption. This parameter is supported only in SNMP V3. The privacy parameter specifies that the packet is authen ticated and encrypted. This parameter is supported only in SNMP V3.
270 C HAPTER 11: S YSTEM M ANAGEMENT By default, the engine ID is expressed as enterprise No. + device information. The device info rmation can be IP addr ess, MAC ad dress, or user -defined text. Setting and Deleting an SNMP Gr oup Use the following commands to set or delete an SNMP group.
SNMP 271 Perform the following configuration in system view . The authentication-mode parameter specifies the use of authentication. The privacy-mode parameter specifies the use of authentication and encryption. This parameter is supported only in SNMP V3.
272 C HAPTER 11: S YSTEM M ANAGEMENT Enabling and Disabling T ransm ission of T rap Information T o enable or disable tran smission of trap in formation, perform the following configuration in Ethernet po rt view . Disabling the SNMP Agent T o disable the SNMP Agent, perform the following configuration in system view .
SNMP 273 Example: SNMP Configuration A Network Management Station (NMS) and the Et hernet swit ch are connected by the Ether net. The IP address of NMS is 129.
274 C HAPTER 11: S YSTEM M ANAGEMENT 5 Set the administrat or ID, contact and the physical location of the Ether net swit ch. [SW7750] snmp-agent sys-info contac t Mr.Smith-Tel:3306 [SW7750] snmp-agent sys-info locati on telephone-closet,3rd-floor 6 Enable the SNMP agent to send the trap to Network Management Station whose IP address is 129.
RMON 275 ■ Adding an d Deleting an Entry to or fro m the Alarm T able ■ Adding an d Deleting an Entry to or fr om the Ev ent T able ■ Adding and Deleting an Entry to or from the History Contr ol.
276 C HAPTER 11: S YSTEM M ANAGEMENT Adding and Deleting an Entry to or fr om the History Contr ol T able The history data management helps you set the history data colle ctio n, periodical data collection, and storage of the specified por ts. The sampling information includes the utilization ratio, error co unts, and the total number of packets.
RMON 277 Displaying the RMON Configuration Execute the display command in all views to display the RMON configuration, and to verify the configurat ion. Example: RMON Configuration Set an entry in the RMON Ethernet statistics table for Ether net port performance, which is convenient for network administrators’ query .
278 C HAPTER 11: S YSTEM M ANAGEMENT Dropped packet events (due to la ck of resources):0 Packets received according to le ngth (in octets): 64 :644 , 65-127 :518 , 128-255 :688 256-511:101 , 512-1023:.
NTP 279 ■ Ether net Switch B serves as an NTP time server and Ethern et Switch A synchronizes the local clock with the clock of B. ■ It takes 1 second to t ransmit a data pack et from either A or B to the opposite end. The system clocks ar e synchr onized as follows: ■ Ethernet Switch A sends an NTP pack et to Ether net Switch B.
280 C HAPTER 11: S YSTEM M ANAGEMENT Y ou can set the NTP operating mode of the Switch 7750 according to its location in the network, and the network structur e. For example, you can set a remote server as the time server of the local eq uipment. In this case the local Ethernet Switch works as an NTP client.
NTP 281 than a broadcast, multicast, or reference clock IP address. In this mode, both the local switch and the remote server can sy nchronize their clocks with the clock of the opposite end.
282 C HAPTER 11: S YSTEM M ANAGEMENT Perform the following configurations in VLAN interface view . This command can only be configured on the interface wher e the NTP br oadcast packets are r eceived. Configuring NTP Multicast Server Mode Designate an interf ace on the local switch to transmit NTP multicast packet s.
NTP 283 Configuring NTP ID Authentication Enable NTP authentication, set the MD5 authentication key , and specify th e reliable key . A client will synchronize itself by a server only if the server can provide a relia ble key . Perform the following configurations in system view .
284 C HAPTER 11: S YSTEM M ANAGEMENT Perform the following confi gurations in system view . An interface is specified by interface-name or interface-type interface-number . The source address of the pack ets will be taken from the IP address of the interface.
NTP 285 Setting the Authority to Access a Local Switch Set the authority to access the NTP servic es on a local switch. This is a basic security measure. An access request will be matched with peer , serve , serve only , and query only in an ascending order of th e limitation.
286 C HAPTER 11: S YSTEM M ANAGEMENT NTP Configuration Examples NTP configuration examples are shown in the following: ■ Example: Configuring NTP Servers ■ Example: Configuring NTP Peers ■ Examp.
NTP 287 The above examples synchronized SW77502 by SW77501. Before the synchronization, the SW77502 is shown in the following status: [SW77502] display ntp-service status clock status: unsynchronized clock stratum: 16 reference clock ID: none nominal frequency: 100.
288 C HAPTER 11: S YSTEM M ANAGEMENT Display the sessions of SW77502 and y ou will see SW77502 ha s been connected with SW77501. [SW77502] display ntp-service sessions source reference stra reach p oll now offset delay disper ********************************** ********************************** ****** [12345]127.
NTP 289 The previous examples configure SW77504 and SW77505 as peers and configure SW77505 as in active peer mode and SW77504 in passive peer mode. Since SW77505 is at stratum 1 and SW77504 is at strat um 3, synchronize SW77504 by SW77505.
290 C HAPTER 11: S YSTEM M ANAGEMENT Example: Configuring NTP Broadcast Mode On SW77503, set local clock as t he NTP master clock at stratum 2, and configure to broadcast packets fr om Vlan-interface2. Configu re SW77504 and SW77501 to listen to the broadcast from their Vlan-interface2.
NTP 291 clock offset: 0.0000 ms root delay: 0.00 ms root dispersion: 10.94 ms peer dispersion: 10.00 ms reference time: 20:54:25.156 UTC Mar 7 2002(C0325201.2811A112) By this time, SW77504 has been synchronized by SW77503 and it is at st ratum 3, higher than SW77 503 by 1.
292 C HAPTER 11: S YSTEM M ANAGEMENT 3 Enable multicast client mode. [SW77504-Vlan-Interface2] ntp-service multi cast-client Configure Ethernet Switch SW77501: 1 Enter system view . <SW77501> system-view 2 Enter Vlan-interface2 view . [SW77501] interface vlan-interface 2 3 Enable multicast client mode.
NTP 293 Perform the following additional configurat ions on SW77501: 1 Enable authentication. [SW77501] ntp-service authentication ena ble 2 Set the key . [SW77501] ntp-service authentication-key id 42 authentication-mode md5 aNiceKey 3 Configure the key as reliable.
294 C HAPTER 11: S YSTEM M ANAGEMENT.
Un punto importante, dopo l’acquisto del dispositivo (o anche prima di acquisto) è quello di leggere il manuale. Dobbiamo farlo per diversi motivi semplici:
Se non hai ancora comprato il 3Com 10014298 è un buon momento per familiarizzare con i dati di base del prodotto. Prime consultare le pagine iniziali del manuale d’uso, che si trova al di sopra. Dovresti trovare lì i dati tecnici più importanti del 3Com 10014298 - in questo modo è possibile verificare se l’apparecchio soddisfa le tue esigenze. Esplorando le pagine segenti del manuali d’uso 3Com 10014298 imparerai tutte le caratteristiche del prodotto e le informazioni sul suo funzionamento. Le informazioni sul 3Com 10014298 ti aiuteranno sicuramente a prendere una decisione relativa all’acquisto.
In una situazione in cui hai già il 3Com 10014298, ma non hai ancora letto il manuale d’uso, dovresti farlo per le ragioni sopra descritte. Saprai quindi se hai correttamente usato le funzioni disponibili, e se hai commesso errori che possono ridurre la durata di vita del 3Com 10014298.
Tuttavia, uno dei ruoli più importanti per l’utente svolti dal manuale d’uso è quello di aiutare a risolvere i problemi con il 3Com 10014298. Quasi sempre, ci troverai Troubleshooting, cioè i guasti più frequenti e malfunzionamenti del dispositivo 3Com 10014298 insieme con le istruzioni su come risolverli. Anche se non si riesci a risolvere il problema, il manuale d’uso ti mostrerà il percorso di ulteriori procedimenti – il contatto con il centro servizio clienti o il servizio più vicino.