User / maintenance manual for the 4500 product from manufacturer 3Com
3Com Switch 4500 Family Configuration Guide Switch 4500 26-Port Switch 4500 50-Port Switch 4500 PWR 26-Port Switch 4500 PWR 50-Port Product Version: V03.
Copyright © 2006-2009, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
About This Manual. Organization: 3Com Switch 4500 Family Configuration Guide is organized as follows: Part / Contents: 1 Login: Introduces the ways to log into an Ethernet switch and CLI related configuration. 2 Configuration File Management: Introduces configuration file and the related configuration.
Part / Contents: 27 UDP Helper: Introduces UDP helper and the related configuration. 28 SNMP-RMON: Introduces the configuration for network management through SNMP and RMON. 29 NTP: Introduces NTP and the related configuration. 30 SSH: Introduces SSH2.0 and the related configuration.
GUI conventions. Convention / Description: < > Button names are inside angle brackets. For example, click <OK>. [ ] Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window. / Multi-level menus are separated by forward slashes.
Table of Contents: 1 Logging In to an Ethernet Switch
Switch Configuration
1 Logging In to an Ethernet Switch. Go to these sections for information you are interested in: • Logging In to an Ethernet Switch • Introduction to the User Interface. Logging In to an Ethernet Sw.
Table 1-1 Description of user interfaces. User interface / Applicable user / Port used / Remarks: AUX: users logging in through the console port; console port; each switch can accommodate one AUX user. VTY: Telnet users and SSH users; Ethernet port; each switch can accommodate up to five VTY users.
Common User Interface Configuration. Follow these steps to configure common user interface: To do… / Use the command… / Remarks: Lock the current user interface: lock. Optional; available in user view. A user interface is not locked by default.
2 Logging In Through the Console Port. Go to these sections for information you are interested in: • Introduction • Setting Up a Login Environment for Login Through the Console Port • Console Por.
2) If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP. The following assumes that you are running Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4 for the connection to be created.
Figure 2-4 Set port parameters. 3) Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt appears after you press the Enter key. 4) You can then configure the switch or check the information about the switch by executing the corresponding commands.
Configuration / Remarks: Set the maximum number of lines the screen can contain. Optional; by default, the screen can contain up to 24 lines. Set history command buffer size. Optional; by default, the history command buffer can contain up to 10 commands.
To do… / Use the command… / Remarks: Set the maximum number of lines the screen can contain: screen-length screen-length. Optional; by default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Changes made to the authentication mode for console port login take effect after you quit the command-line interface and then log in again. Console Port Login Configuration with Authentication.
Network diagram: Figure 2-5 Network diagram for AUX user interface configuration (with the authentication mode being none) [figure labels: Configuration PC running Telnet, Ethernet, GE1/0/1]. Configuration procedure: # Enter system view. <Sysname> system-view # Enter AUX user interface view.
To do… / Use the command… / Remarks: Enter system view: system-view (—). Enter AUX user interface view: user-interface aux 0 (—). Configure to authenticate users using the local password: authenticatio.
<Sysname> system-view # Enter AUX user interface view. [Sysname] user-interface aux 0 # Specify to authenticate users logging in through the console port using the local password. [Sysname-ui-aux0] authentication-mode password # Set the local password to 123456 (in plain text).
To do… / Use the command… / Remarks: Enter the default ISP domain view: domain domain-name. Configure the authentication mode: Specify the AAA scheme to be applied to the domain: scheme { local | none | radius-scheme radius-scheme-name [ local ] }. Optional; by default, the local AAA scheme is applied. Quit to system view: quit.
• Set the service type of the local user to Terminal and the command level to 2. • Configure to authenticate the users in the scheme mode. • The baud rate of the console port is 19,200 bps. • The screen can contain up to 30 lines. • The history command buffer can store up to 20 commands.
[Sysname-ui-aux0] history-command max-size 20 # Set the timeout time of the AUX user interface to 6 minutes. [Sysname-ui-aux0] idle-timeout 6 After the above configuration, you need to modify the.
3 Logging In Through Telnet. Go to these sections for information you are interested in: • Introduction • Telnet Configuration with Authentication Mode Being None • Telnet Configuration with Authentication Mode Being Password. Introduction: Switch 4500 supports Telnet.
Configuration / Description: Configure the protocols the user interface supports. Optional; by default, the Telnet and SSH protocols are supported. Set the commands to be executed automatically after a user logs in to the user interface successfully. Optional; by default, no command is executed automatically after a user logs into the VTY user interface.
To do… / Use the command… / Remarks: Set the history command buffer size: history-command max-size value. Optional; the default history command buffer size is 10, that is, the history command buffer of a user can store up to 10 commands by default.
To improve security and prevent attacks on unused sockets, TCP 23 and TCP 22, the ports for the Telnet and SSH services respectively, will be enabled or disabled after the corresponding configurations. • If the authentication mode is none, TCP 23 will be enabled, and TCP 22 will be disabled.
Network diagram: Figure 3-1 Network diagram for Telnet configuration (with the authentication mode being none). Configuration procedure: # Enter system view. <Sysname> system-view # Enter VTY 0 user interface view. [Sysname] user-interface vty 0 # Configure not to authenticate Telnet users logging in to VTY 0.
When the authentication mode is password, the command level available to users logging in to the user interface is determined by the user privilege level command. Configuration Example. Network requirements: Assume the current user logs in through the console port and the current user level is set to the administrator level (level 3).
Telnet Configuration with Authentication Mode Being Scheme. Configuration Procedure: Follow these steps to configure Telnet with the authentication mode being scheme: To do… / Use the command… .
Refer to the AAA part of this manual for information about AAA and RADIUS. Configuration Example. Network requirements: Assume the current user logs in through the console port and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in to VTY 0 using Telnet.
# Set the maximum number of lines the screen can contain to 30. [Sysname-ui-vty0] screen-length 30 # Set the maximum number of commands the history command buffer can store to 20. [Sysname-ui-vty0] history-command max-size 20 # Set the timeout time to 6 minutes.
Figure 3-5 Network diagram for Telnet connection establishment [figure labels: Configuration PC running Telnet, Ethernet, Workstation, Server, Workstation, Ethernet port, Ethernet Switch]. 4) Launch Telnet on your PC, with the IP address of VLAN-interface 1 of the switch as the parameter, as shown in Figure 3-6.
Telnetting to another Switch from the Current Switch. You can Telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server.
4 Logging In Using a Modem. Go to these sections for information you are interested in: • Introduction • Configuration on the Switch Side • Modem Connection Establishment. Introduction: The administ.
You can verify your configuration by executing the AT&V command. The configuration commands and the output of different modems may differ.
Figure 4-1 Establish the connection by using modems [figure labels: Console port, PSTN, Telephone line, Modem serial cable, Telephone number of the remote end: 82882285, Modem, Modem]. 4) Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 4-2 through Figure 4-4.
Figure 4-3 Set the telephone number. Figure 4-4 Call the modem. 5) If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt (such as <Sysname>) appears. You can then configure or manage the switch.
5 CLI Configuration. When configuring CLI, go to these sections for information you are interested in: • Introduction to the CLI • Command Hierarchy • CLI Views • CLI Features. Introduction to the CLI: A command line interface (CLI) is a user interface to interact with a switch.
• Monitor level (level 1): Commands at this level are mainly used to maintain the system and diagnose service faults, and they cannot be saved in the configuration file. Such commands include debugging and terminal. • System level (level 2): Commands at this level are mainly used to configure services.
To do… / Use the command… / Remarks: Enter system view: system-view (—). Configure the level of a command in a specific view: command-privilege level level view view command. Required. • You are recom.
To avoid misoperations, administrators are recommended to log in to the device by using a lower privilege level and view device operating parameters, and when they have to maintain the d.
To do… / Use the command… / Remarks: Switch to a specified user level: super [ level ]. Required; execute this command in user view. • If no user level is specified in the super password command or the super command, level 3 is used by default. • For security purposes, the password entered is not displayed when you switch to another user level.
Table 5-1 CLI views. View / Available operation / Prompt example / Enter method / Quit method: User view: display operation status and statistical information of the switch; prompt <Sysname>; enter user view once logging into the switch; execute the quit command to log out of the switch.
View / Available operation / Prompt example / Enter method / Quit method: FTP client view: configure FTP client parameters; prompt [ftp]; execute the ftp command in user view. SFTP client view: configure SFTP client parameters; prompt sftp-client>; execute the sftp command in system view.
View / Available operation / Prompt example / Enter method / Quit method: RADIUS scheme view: configure RADIUS scheme parameters; prompt [Sysname-radius-1]; execute the radius scheme command in system view. ISP domain view: configure ISP domain parameters; prompt [Sysname-isp-aaa123.
cd: Change current directory. clock: Specify the system clock. cluster: Run cluster command. copy: Copy from one file to another. debugging: Enable system debugging functions. delete: Delete a file. dir: List .
Table 5-2 Display-related operations. Operation / Function: Press <Ctrl+C>: Stop the display output and execution of the command. Press any character except <Space>, <Enter>, /, +, and - when the display output pauses: Stop the display output.
Table 5-3 Common error messages. Error message / Remarks: Unrecognized command: The command does not exist; the keyword does not exist; the parameter type is wrong; the parameter value is out of range. Incomplete command: The command entered is incomplete.
6 Logging In Through the Web-based Network Management Interface. Go to these sections for information you are interested in: • Introduction • Establishing an HTTP Connection • Configuring the Login Banner • Enabling/Disabling the WEB Server. Introduction: Switch 4500 has a Web server built in.
3) Establish an HTTP connection between your PC and the switch, as shown in Figure 6-1. Figure 6-1 Establish an HTTP connection between your PC and the switch. 4) Log in to the switch through IE.
Configuration Example. Network requirements: • A user logs in to the switch through Web. • The banner page is desired when a user logs into the switch. Network diagram: Figure 6-3 Network diagram for login banner configuration. Configuration Procedure: # Enter system view.
To do… / Use the command… / Remarks: Enter system view: system-view (—). Enable the Web server: ip http shutdown. Required; by default, the Web server is enabled.
7 Logging In Through NMS. Go to these sections for information you are interested in: • Introduction • Connection Establishment Using NMS. Introduction: You can also log in to a switch through a Network Management Station (NMS), and then configure and manage the switch through the agent software on the switch.
8 Configuring Source IP Address for Telnet Service Packets. Go to these sections for information you are interested in: • Overview • Configuring Source IP Address for Telnet Service Packets • Dis.
Operation / Command / Description: Specify a source interface for Telnet server: telnet-server source-interface interface-type interface-number. Optional. Specify source IP address for Telnet client: tel.
9 User Control. Go to these sections for information you are interested in: • Introduction • Controlling Telnet Users • Controlling Network Management Users by Source IP Addresses • Controlling Web Users by Source IP Address. Refer to the ACL part for information about ACL.
• If no ACL is configured on the VTY user interface, users are not controlled when establishing a Telnet connection using this user interface. • If an ACL is configured on the VTY user interface.
To do… / Use the command… / Remarks: Apply a basic or advanced ACL to control Telnet users: acl acl-number { inbound | outbound } (Apply an ACL to control Telnet users by ACL). Apply a Layer 2 ACL t.
• Defining an ACL • Applying the ACL to control users accessing the switch through SNMP. To control whether an NMS can manage the switch, you can use this function.
Network diagram: Figure 9-2 Network diagram for controlling SNMP users using ACLs [figure labels: Switch 10.110.100.46, Host A, IP network, Host B 10.110.100.52]. Configuration procedure: # Define a basic ACL. <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 1 permit source 10.
To do… / Use the command… / Remarks: Enter system view: system-view (—). Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { config | auto } ]. As for the acl number command, the config keyword is specified by default.
[Sysname-acl-basic-2030] quit # Apply ACL 2030 to only permit the Web users sourced from the IP address of 10.110.100.52 to access the switch.
Table of Contents: 1 Configuration File Management
1 Configuration File Management. When configuring configuration file management, go to these sections for information you are interested in: • Introduction to Configuration File • Configuration Task List. Introduction to Configuration File: A configuration file records and stores user configurations performed to a switch.
• When saving the current configuration, you can specify the file to be a main or backup or normal configuration file. • When removing a configuration file from a switch, you can specify to remove the main or backup configuration file.
When you use the save safely command to save the configuration file, if the switch reboots or the power fails during the saving process, the switch initializes itself in the following two conditions when it starts up next time: • If a configuration file with the extension .
To do… / Use the command… / Remarks: Erase the startup configuration file from the storage switch: reset saved-configuration [ backup | main ]. Required; available in user view. You may need to erase the configuration file for one of these reasons: • After you upgrade software, the old configuration file does not match the new software.
The configuration file must use .cfg as its extension name and the startup configuration file must be saved at the root directory of the switch.
Table of Contents: 1 VLAN Overview
1 VLAN Overview. This chapter covers these topics: • VLAN Overview • Port-Based VLAN. VLAN Overview. Introduction to VLAN: The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches.
Figure 1-1 A VLAN implementation. Advantages of VLANs: Compared with the traditional Ethernet, VLAN enjoys the following advantages. • Broadcasts are confined to VLANs. This decreases bandwidth consumption and improves network performance. • Network security is improved.
tag is encapsulated after the destination MAC address and source MAC address to show the information about VLAN. Figure 1-3 Format of VLAN tag. As shown in Figure 1-3, a VLAN tag contains four fields, including the tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID.
• Independent VLAN learning (IVL), where the switch maintains an independent MAC address forwarding table for each VLAN. The source MAC address of a packet received in a VLAN on a port is reco.
A hybrid port allows the packets of multiple VLANs to be sent untagged, but a trunk port only allows the packets of the default VLAN to be sent untagged.
Table 1-2 Packet processing of a trunk port. Processing of an incoming packet (for an untagged packet / for a tagged packet) / Processing of an outgoing packet: • If the port has already been added to its default VLAN, tag the packet with the default VLAN tag and then forward the packet.
2 VLAN Configuration. When configuring VLAN, go to these sections for information you are interested in: • VLAN Configuration • Configuring a Port-Based VLAN. VLAN Configuration. VLAN Configuration .
• VLAN 1 is the system default VLAN, which need not be created and cannot be removed, either. • The VLAN you created in the way described above is a static VLAN. On the switch, there are dynamic VLANs which are registered through GVRP. For details, refer to the “GVRP” part of this manual.
The operation of enabling/disabling a VLAN’s VLAN interface does not influence the physical status of the Ethernet ports belonging to this VLAN.
Assigning an Ethernet Port to a VLAN. You can assign an Ethernet port to a VLAN in Ethernet port view or VLAN view. • You can assign an access port to a VLAN in either Ethernet port view or VLAN view. • You can assign a trunk port or hybrid port to a VLAN only in Ethernet port view.
Configuring the Default VLAN for a Port. Because an access port can belong to only one VLAN, its default VLAN is the VLAN it resides in and cannot be configured.
Network diagram: Figure 2-1 Network diagram for VLAN configuration [figure labels: SwitchA, SwitchB, PC1, PC2, GE1/0/1, GE1/0/2, GE1/0/10, GE1/0/11, GE1/0/12, GE1/0/13, Server2, Server1]. Configuration procedure: • Configure Switch A. # Create VLAN 100, specify its descriptive string as Dept1, and add GigabitEthernet 1/0/1 to VLAN 100.
[SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 100 [SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 200 # Configure GigabitEthernet 1/0/10 of Switch B.
Table of Contents: 1 IP Addressing Configuration
1 IP Addressing Configuration. The term IP address used throughout this chapter refers to IPv4 address. For details about IPv6 address, refer to IPv6 Management.
Table 1-1 IP address classes and ranges. Class / Address range / Remarks: A: 0.0.0.0 to 127.255.255.255. The IP address 0.0.0.0 is used by a host at bootstrap for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test.
subnetting. When designing your network, you should note that subnetting is somewhat a tradeoff between subnets and accommodated hosts. For example, a Class B network can accommodate 65,534 (2^16 – 2.
• A newly specified IP address overwrites the previous one if there is any. • The IP address of a VLAN interface must not be on the same network segment as that of a loopback interface on a device.
Network diagram: Figure 1-3 Network diagram for IP address configuration. Configuration procedure: # Configure an IP address for VLAN-interface 1. <Switch> system-view [Switch] interface vlan-interface 1 [Switch-Vlan-interface1] ip address 129.
round-trip min/avg/max = 2/3/5 ms.
2 IP Performance Optimization Configuration. When optimizing IP performance, go to these sections for information you are interested in: • IP Performance Overview • Configuring IP Performance Opti.
• synwait timer: When sending a SYN packet, TCP starts the synwait timer. If no response packet is received within the synwait timer interval, the TCP connection cannot be created. • finwait timer: When a TCP connection is changed into FIN_WAIT_2 state, the finwait timer is started.
• If the destination of a packet is local while the transport layer protocol of the packet is not supported by the local device, the device sends a “protocol unreachable” ICMP error packet to the source.
To do… / Use the command… / Remarks: Display ICMP traffic statistics: display icmp statistics. Display the current socket information of the system: display ip socket [ socktype sock-type ] [ task-id .
Table of Contents: 1 Voice VLAN Configuration
1 Voice VLAN Configuration. When configuring voice VLAN, go to these sections for information you are interested in: • Voice VLAN Overview • Voice VLAN Configuration • Displaying and Maintaining Voice VLAN • Voice VLAN Configuration Example. Voice VLAN Overview: Voice VLANs are allocated specially for voice traffic.
Figure 1-1 Network diagram for IP phones. As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission. An IP phone goes through the following three phases to become capable of transmitting voice data.
• An untagged packet carries no VLAN tag. • A tagged packet carries the tag of a VLAN. To set an IP address and a voice VLAN for an IP phone manually, just make sure that the voice VLAN ID to be set is consistent with that of the switch and the NCP is reachable to the IP address to be set.
Configuring Voice VLAN Assignment Mode of a Port. A port can work in automatic voice VLAN assignment mode or manual voice VLAN assignment mode. You can configure the voice VLAN assignment mode for a port according to data traffic passing through the port.
Table 1-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically. Voice VLAN assignment mode / Voice traffic type / Port type / Suppo.
Table 1-3 Matching relationship between port types and voice devices acquiring voice VLAN through manual configuration. Voice VLAN assignment mode / Port type / Supported or not: Access: Not supported. Trunk: Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of the default VLAN.
Voice VLAN Mode / Packet Type / Processing Method: Packet carrying the voice VLAN tag: matches the OUI list, the packet is transmitted in the voice VLAN; otherwise, the packet is dropped. Packet carrying any other VLAN tag: The packet is forwarded or dropped based on whether the receiving port is assigned to the carried VLAN.
To do… / Use the command… / Remarks: Set the voice VLAN aging timer: voice vlan aging minutes. Optional; the default aging timer is 1440 minutes. Enable the voice VLAN function globally: voice vlan vla.
To do… / Use the command… / Remarks: Enable the voice VLAN security mode: voice vlan security enable. Optional; by default, the voice VLAN security mode is enabled. Set the voice VLAN aging timer: voice vlan aging minutes. Optional; the default aging timer is 1,440 minutes.
• The voice VLAN function can be enabled for only one VLAN at one time. • If the Link Aggregation Control Protocol (LACP) is enabled on a port, the voice VLAN feature cannot be enabled on it. • The voice VLAN function can be enabled only for a static VLAN.
Voice VLAN Configuration Example. Voice VLAN Configuration Example (Automatic Voice VLAN Assignment Mode). Network requirements: As shown in Figure 1-2, the MAC address of IP phone A is 0011-1100-0001.
# Configure the allowed OUI addresses as MAC addresses prefixed by 0011-1100-0000 or 0011-2200-0000. In this way, Device A identifies packets whose MAC addresses match any of the configured OUI addresses as voice packets.
Voice VLAN Configuration Example (Manual Voice VLAN Assignment Mode). Network requirements: Create a voice VLAN and configure it to operate in manual voice VLAN assignment mode. Add the port to which an IP phone is connected to the voice VLAN to enable voice traffic to be transmitted within the voice VLAN.
[DeviceA-Ethernet1/0/1] port hybrid pvid vlan 2 [DeviceA-Ethernet1/0/1] port hybrid vlan 2 untagged # Enable the voice VLAN function on Ethernet 1/0/1. [DeviceA-Ethernet1/0/1] voice vlan enable Verification # Display the OUI addresses, the corresponding OUI address masks and the corresponding description strings that the system supports.
Table of Contents: 1 Port Basic Configuration
1 Port Basic Configuration. When performing basic port configuration, go to these sections for information you are interested in: • Ethernet Port Configuration • Ethernet Port Configuration Exam.
To do... / Use the command... / Remarks: Enter system view: system-view (—). Enter Ethernet port view: interface interface-type interface-number (—). Enable the Ethernet port: undo shutdown. Optional; by default, the port is enabled. Use the shutdown command to disable the port.
Follow these steps to configure auto-negotiation speeds for a port: To do... / Use the command... / Remarks: Enter system view: system-view (—). Enter Ethernet interface view: interface interface-typ.
To do... / Use the command... / Remarks: Limit unknown unicast traffic received on the current port: unicast-suppression { ratio | pps max-pps }. Optional; by default, the switch does not suppress unknown unicast traffic. Enabling Flow Control on a Port: Flow control is enabled on both the local and peer switches.
• If you specify a source aggregation group ID, the system will use the port with the smallest port number in the aggregation group as the source.
• To enable loopback detection on a specific port, you must use the loopback-detection enable command in both system view and the specific port view. • After you use the undo loopback-detection enable command in system view, loopback detection will be disabled on all ports.
To do... / Use the command... / Remarks: Enter system view: system-view (—). Enter Ethernet port view: interface interface-type interface-number (—). Enable the system to test connected cables: virtual-ca.
The port state change delay takes effect when the port goes down but not when the port goes up. Follow these steps to set the port state change delay: To do … / Use the command … / Remarks: Ente.
To do... / Use the command... / Remarks: Clear port statistics: reset counters interface [ interface-type | interface-type interface-number ]. Available in user view. After 802.1x is enabled on a port, clearing the statistics on the port will not work.
Troubleshooting Ethernet Port Configuration. Symptom: Fail to configure the default VLAN ID of an Ethernet port. Solution: Take the following steps: • Use the display interface or display port command to check if the port is a trunk port or a hybrid port.
Table of Contents: 1 Link Aggregation Configuration
1 Link Aggregation Configuration. When configuring link aggregation, go to these sections for information you are interested in: • Overview • Link Aggregation Classification • Aggregation Group C.
Table 1-1 Consistency considerations for ports in an aggregation. Category / Considerations: STP: State of port-level STP (enabled or disabled); attribute of the link (point-to-point or otherwise); con.
In a manual aggregation group, the system sets the ports to selected or unselected state according to the following rules. • Among the ports in an aggregation group that are in up state, the s.
• There is a limit on the number of selected ports in an aggregation group. Therefore, if the number of the selected ports in an aggregation group exceeds the maximum number supported by the device, those with lower port numbers operate as the selected ports, and others as unselected ports.
Aggregation Group Categories. Depending on whether or not load sharing is implemented, aggregation groups can be load-sharing or non-load-sharing aggregation groups.
Link Aggregation Configuration. • The commands of link aggregation cannot be configured with the commands of the port loopback detection feature at the same time. • The ports where the mac-address max-mac-count command is configured cannot be added to an aggregation group.
• When you change a dynamic/static group to a manual group, the system will automatically disable LACP on the member ports. When you change a dynamic group to a static group, the system will keep the member ports LACP-enabled.
You need to enable LACP on the ports which you want to participate in dynamic aggregation of the system, because only when LACP is enabled on those ports at both ends can the two parties reach agreement in adding/removing ports to/from dynamic aggregation groups.
If you have saved the current configuration with the save command, after system reboot, the configuration concerning manual and static aggregation groups and their descriptions still exists, but that of dynamic aggregation groups and their descriptions gets lost.
Configuration procedure: The following only lists the configuration on Switch A; you must perform the similar configuration on Switch B to implement link aggregation.
[Sysname] interface Ethernet1/0/3 [Sysname-Ethernet1/0/3] lacp enable The three LACP-enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration (such as rate, duplex mode, and so on).
Table of Contents: 1 Port Isolation Configuration
1 Port Isolation Configuration
When configuring port isolation, go to these sections for information you are interested in:
- Port Isolation Overview
- Port Isolation Configuration
- Displaying .
- When a member port of an aggregation group joins/leaves an isolation group, the other ports in the same aggregation group join/leave the isolation group at the same time.
- For ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggregation group has no effect on the other ports.
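The rules stated in the link aggregation section (LACP and matching rate/duplex for dynamic groups, max-mac-count ports excluded, LACP disabled on conversion to a manual group, dynamic groups not retained after reboot) and in the port isolation notes above (aggregation members join or leave an isolation group together) can be checked against a small model. The following is an added example written for this page, not 3Com code; port names are constructed, and the model holds only one isolation group, as the configuration example here does.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass
class Port:
    name: str
    rate_mbps: int = 1000
    full_duplex: bool = True
    lacp_enabled: bool = False
    max_mac_count: Optional[int] = None   # set when mac-address max-mac-count is configured
    group: Optional[str] = None           # aggregation group the port belongs to

class AggregationModel:
    """Hypothetical model of one switch's aggregation groups and its isolation group."""

    def __init__(self, ports):
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.groups: Dict[str, dict] = {}   # group name -> {"type": ..., "members": set()}
        self.isolation: Set[str] = set()    # ports currently in the isolation group

    def create_group(self, name, kind):
        if kind not in ("manual", "static", "dynamic"):
            raise ValueError("group type must be manual, static or dynamic")
        self.groups[name] = {"type": kind, "members": set()}

    def add_to_group(self, name, port_name):
        port, grp = self.ports[port_name], self.groups[name]
        if port.max_mac_count is not None:
            raise ValueError(f"{port_name}: a port with mac-address max-mac-count cannot join a group")
        if grp["type"] == "dynamic":
            if not port.lacp_enabled:
                raise ValueError(f"{port_name}: LACP must be enabled for dynamic aggregation")
            for other in grp["members"]:   # members must share the basic configuration
                o = self.ports[other]
                if (o.rate_mbps, o.full_duplex) != (port.rate_mbps, port.full_duplex):
                    raise ValueError(f"{port_name}: rate/duplex differ from {other}")
        grp["members"].add(port_name)
        port.group = name

    def change_group_type(self, name, new_kind):
        grp = self.groups[name]
        if new_kind == "manual" and grp["type"] in ("dynamic", "static"):
            for member in grp["members"]:          # system disables LACP on the members
                self.ports[member].lacp_enabled = False
        grp["type"] = new_kind                      # dynamic -> static keeps LACP enabled

    def isolate(self, port_name, join=True):
        """Join/leave the isolation group; aggregation members follow together."""
        port = self.ports[port_name]
        affected = {port_name}
        if port.group is not None:
            affected |= self.groups[port.group]["members"]
        if join:
            self.isolation |= affected
        else:
            self.isolation -= affected
        return affected

    def remove_from_group(self, port_name):
        """Leaving the aggregation group does not touch the other ports' isolation state."""
        port = self.ports[port_name]
        self.groups[port.group]["members"].discard(port_name)
        port.group = None

    def groups_after_reboot(self):
        """Only manual and static groups survive a reboot of a saved configuration."""
        return {n: g for n, g in self.groups.items() if g["type"] != "dynamic"}
```

The model raises on the configurations the page says are rejected, so a reader can try the combinations (a 100 Mbps port in a 1000 Mbps dynamic group, a max-mac-count port) and see the same outcome the text describes.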
Network diagram
Figure 1-1 Network diagram for port isolation configuration
Configuration procedure
# Add Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 to the isolation group.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
1 Port Security Configuration
When configuring port security, go to these sections for information you are interested in:
- Port Security Overview
- Port Security Configuration Task List
- Displ.
Table 1-1 Description of port security modes
noRestriction
  Description: In this mode, access to the port is not restricted.
  Feature: In this mode, neither the NTK nor the intrusion protection feature is triggered.
userlogin
  Description: In this mode, port-based 802.1x authentication is performed for access users.
  Feature: In this mode, neither NTK nor intrusion protection will be triggered.
userLoginSecure
  Description: MAC-based 802.1x authentication is performed on the access user.
macAddressElseUserLoginSecure
  Description: In this mode, a port performs MAC authentication of an access user first. If the authentication succeeds, the user is authenticated. Otherwise, the port performs 802.1x authentication of the user.
Task / Remarks
Configuring Security MAC Addresses: Optional
Enabling Port Security
Configuration prerequisites
Before enabling port security, you need to disable 802.1x and MAC authentication globally.
Enabling Port Security
Follow these steps to enable port security:
To do.
This configuration is different from the maximum number of MAC addresses that can be learned by a port, which is set in MAC address management. Follow these steps to set the maximum number of MAC addresses allowed on a port:
To do... / Use the command.
- Before setting the port security mode to autolearn, you need to set the maximum number of MAC addresses allowed on the port with the port-security max-mac-count command.
- When the port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port.
To do... / Use the command... / Remarks
Set the timer during which the port remains disabled: port-security timer disableport timer (Optional. 20 seconds by default.)
The port-security timer disableport c.
Configuring Security MAC Addresses
Security MAC addresses are special MAC addresses that never age out. One security MAC address can be added to only one port in the same VLAN, so that you can bind a MAC address to one port in the same VLAN.
Displaying and Maintaining Port Security Configuration
To do... / Use the command... / Remarks
Display information about port security configuration: display port-security [ interface interface-list .
[Switch-Ethernet1/0/1] mac-address security 0001-0002-0003 vlan 1
# Configure the port to be silent for 30 seconds after intrusion protection is triggered.
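The port security rules above (max-mac-count must precede autolearn and cannot be changed while in it, a security MAC binds to one port per VLAN and never ages out, intrusion protection silences the port for the disableport timer, 20 seconds by default) can be exercised with the following model. It is an added example for this page, not 3Com's implementation: it models only the noRestriction and autolearn modes, it assumes that a frame from an unknown or wrongly bound MAC on a full autolearn port is what triggers intrusion protection, and the clock is injectable so the timer can be tested without waiting. The MAC 0001-0002-0003 in VLAN 1 is the page's own; the other addresses are constructed.

```python
import time
from typing import Dict, Tuple

class PortSecurity:
    """Hypothetical model of port security on one switch (added example)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.mode: Dict[str, str] = {}                      # port -> "noRestriction" | "autolearn"
        self.max_mac: Dict[str, int] = {}                   # port-security max-mac-count per port
        self.security_mac: Dict[Tuple[str, int], str] = {}  # (mac, vlan) -> port; never ages out
        self.disabled_until: Dict[str, float] = {}
        self.disable_timer = 20                             # port-security timer disableport, seconds

    def set_max_mac_count(self, port, count):
        if self.mode.get(port) == "autolearn":
            raise ValueError(f"{port}: cannot change max-mac-count while in autolearn mode")
        self.max_mac[port] = count

    def set_mode(self, port, mode):
        if mode == "autolearn" and port not in self.max_mac:
            raise ValueError(f"{port}: set port-security max-mac-count before autolearn")
        self.mode[port] = mode

    def add_security_mac(self, port, mac, vlan):
        """mac-address security <mac> vlan <vlan>: one port per MAC within a VLAN."""
        key = (mac.lower(), vlan)
        bound = self.security_mac.get(key)
        if bound is not None and bound != port:
            raise ValueError(f"{mac} in VLAN {vlan} is already bound to {bound}")
        self.security_mac[key] = port

    def security_macs_on(self, port):
        return sum(1 for p in self.security_mac.values() if p == port)

    def is_disabled(self, port):
        until = self.disabled_until.get(port)
        if until is None:
            return False
        if self.clock() >= until:
            del self.disabled_until[port]   # silence period over, port is usable again
            return False
        return True

    def frame_in(self, port, src_mac, vlan):
        """What happens to an ingress frame: forward, learned, or dropped:<reason>."""
        if self.is_disabled(port):
            return "dropped:port-disabled"
        if self.mode.get(port, "noRestriction") == "noRestriction":
            return "forward"
        key = (src_mac.lower(), vlan)
        bound = self.security_mac.get(key)
        if bound == port:
            return "forward"
        if bound is None and self.security_macs_on(port) < self.max_mac[port]:
            self.security_mac[key] = port        # autolearn: learn as a security MAC
            return "learned"
        return self._intrusion(port)             # limit reached, or MAC bound to another port

    def _intrusion(self, port):
        """Intrusion protection (assumed trigger): disable the port for the timer."""
        self.disabled_until[port] = self.clock() + self.disable_timer
        return "dropped:intrusion-port-disabled"
```

Setting `disable_timer = 30` reproduces the configuration example above, where the port stays silent for 30 seconds after intrusion protection is triggered.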
1 DLDP Configuration
When configuring DLDP, go to these sections for information you are interested in:
- Overview
- DLDP Fundamentals
- DLDP Configuration
- DLDP Configuration Example
Overview
Device link detection protocol (DLDP) is a technology for dealing with unidirectional links that may occur in a network.
Figure 1-2 Fiber broken or not connected (Device A GE1/0/49, GE1/0/50; Device B GE1/0/49, GE1/0/50; PC)
Device link detection protocol (DLDP) can detect the link status of an optical fiber cable or copper twisted pair (such as super category 5 twisted pair).
DLDP packet type / Function
RSY-Advertisement packets (referred to as RSY packets hereafter): Advertisement packet with the RSY flag set to 1. RSY advertisement packets are sent to request synchronizing the neighbor information when neighbor information is not locally available or a neighbor information entry ages out.
DLDP Status
A link can be in one of these DLDP states: initial, inactive, active, advertisement, probe, disable, and delaydown.
Table 1-2 DLDP status
Status / Description
Initial: Initial status before DLDP is enabled.
Timer / Description
Entry aging timer: When a new neighbor joins, a neighbor entry is created and the corresponding entry aging timer is enabled. When an advertisement packet is received from a nei.
Table 1-4 DLDP operating mode and neighbor entry aging
DLDP operating mode / Detecting a neighbor after the corresponding neighbor entry ages out / Removing the neighbor entry immediately after the En.
Table 1-5 DLDP state and DLDP packet type
DLDP state / Type of the DLDP packets sent
Active: Advertisement packets, with the RSY flag set or not set.
Table 1-7 Processing procedure when no echo packet is received from the neighbor
No echo packet received from the neighbor / Processing procedure
In normal mode, no echo packet is received when the echo waiting timer expires.
DLDP Configuration
Performing Basic DLDP Configuration
Follow these steps to perform basic DLDP configuration:
To do... / Use the command... / Remarks
Enter system view: system-view
Enable DLD.
- When connecting two DLDP-enabled devices, make sure the software running on them is of the same version. Otherwise, DLDP may operate improperly.
DLDP Configuration Example
Network requirements
As shown in Figure 1-4,
- Switch A and Switch B are connected through two pairs of fibers. Both of them support DLDP. All the ports involved operate in mandatory full duplex mode, with their rates all being 1,000 Mbps.
# Set the DLDP handling mode for unidirectional links to auto.
[SwitchA] dldp unidirectional-shutdown auto
# Display the DLDP state.
[SwitchA] display dldp 1
When two switches are connected through fibers in a crossed way, two or three ports may be in the disable state, and the rest in the inactive state.
1 MAC Address Table Management
When configuring MAC address table management functions, go to these sections for information you are interested in:
- Overview
- MAC Address Table Management
- Displaying MAC Address Table Information
- Configuration Example
This chapter describes the management of static, dynamic, and blackhole MAC address entries.
Generally, the majority of MAC address entries are created and maintained through MAC address learning. The following describes the MAC address learning process of a switch:
1) As shown in Figure 1-1, User A and User B are both in VLAN 1.
Figure 1-4 MAC address learning diagram (3)
4) At this time, the MAC address table of the switch includes the two forwarding entries shown in Figure 1-5.
- The MAC address aging timer only takes effect on dynamic MAC address entries.
- With the "destination MAC address triggered update function" enabled, when a switch finds a packet with a destination address matching one MAC address entry within the aging time, it updates the entry and restarts the aging timer.
Task / Remarks
Enabling Destination MAC Address Triggered Update: Optional
Configuring a MAC Address Entry
You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove a specific type of MAC address entries (dynamic or static MAC address entries).
- When you add a MAC address entry, the current port must belong to the VLAN specified by the vlan argument in the command. Otherwise, the entry will not be added.
- If the VLAN specified by the vlan argument is a dynamic VLAN, after a static MAC address is added, it will become a static VLAN.
By setting the maximum number of MAC addresses that can be learned from individual ports, the administrator can control the number of MAC address entries the MAC address table can dynamically maintain. When the number of MAC address entries learned from a port reaches the set value, the port stops learning MAC addresses.
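The learning process, the aging timer that applies only to dynamic entries, the destination MAC address triggered update, the VLAN membership check for static entries, and the per-port learning limit described above fit in one small MAC address table model. This is an added example written for this page, not 3Com's code; the default aging time of 300 seconds, the port names and the MAC addresses are constructed, and the clock is injectable so aging can be tested deterministically.

```python
import time
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass
class MacEntry:
    port: str
    static: bool       # static entries never age out
    last_seen: float   # time the aging timer was last restarted

class MacTable:
    """Hypothetical model of a switch MAC address table (added example)."""

    def __init__(self, aging_seconds=300, dest_triggered_update=False, clock=time.monotonic):
        self.aging = aging_seconds
        self.dest_update = dest_triggered_update
        self.clock = clock
        self.entries: Dict[Tuple[str, int], MacEntry] = {}   # (mac, vlan) -> entry
        self.port_vlans: Dict[str, Set[int]] = {}
        self.max_learn: Dict[str, int] = {}                   # per-port learning limit

    def add_port(self, port, vlans):
        self.port_vlans[port] = set(vlans)

    def set_max_mac_count(self, port, count):
        self.max_learn[port] = count

    def add_static(self, mac, vlan, port):
        """mac-address static: the port must belong to the VLAN, else the entry is not added."""
        if vlan not in self.port_vlans.get(port, set()):
            raise ValueError(f"{port} does not belong to VLAN {vlan}; entry not added")
        self.entries[(mac, vlan)] = MacEntry(port, True, self.clock())

    def _age_out(self):
        now = self.clock()
        for key, entry in list(self.entries.items()):
            if not entry.static and now - entry.last_seen >= self.aging:
                del self.entries[key]

    def learned_on(self, port):
        return sum(1 for e in self.entries.values() if e.port == port and not e.static)

    def forward(self, in_port, vlan, src_mac, dst_mac):
        """Learn the source, then return the output port for the destination or 'flood'."""
        self._age_out()
        now = self.clock()
        key = (src_mac, vlan)
        entry = self.entries.get(key)
        if entry is None:
            if self.learned_on(in_port) < self.max_learn.get(in_port, float("inf")):
                self.entries[key] = MacEntry(in_port, False, now)   # learning
            # else: limit reached, the port has stopped learning
        elif not entry.static:
            entry.port, entry.last_seen = in_port, now             # refresh, restart aging
        dest = self.entries.get((dst_mac, vlan))
        if dest is None:
            return "flood"
        if self.dest_update and not dest.static:
            dest.last_seen = now   # destination-triggered update restarts the aging timer
        return dest.port

    def dynamic_entries(self):
        self._age_out()
        return {key: e.port for key, e in self.entries.items() if not e.static}
```

Compare the two tables built in the test: without the destination-triggered update a host that only receives traffic ages out of the table and its frames are flooded again; with it enabled the entry stays as long as traffic keeps being sent to it.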
To do... / Use the command... / Remarks
Display the aging time of the dynamic MAC address entries in the MAC address table: display mac-address aging-time
Display the configured start port MAC addres.
1 Auto Detect Configuration
When configuring the auto detect function, go to these sections for information you are interested in:
- Introduction to the Auto Detect Function
- Auto Detect Configu.
Task / Remarks
Auto Detect Implementation in VLAN Interface Backup: Optional
Auto Detect Basic Configuration
Follow these steps to configure the auto detect function:
To do... / Use the command... / Re.
To avoid such problems, you can configure another route to back up the static route and use the Auto Detect function to judge the validity of the static route. If the static route is valid, packets are forwarded according to the static route, and the other route is standby.
Figure 1-1 Schematic diagram for VLAN interface backup
Using Auto Detect can help implement VLAN interface backup. When data can be transmitted through two VLAN interfaces on the switch to the same destination, configure one of the VLAN interfaces as the active interface and the other as the standby interface.
- On Switch A, configure a static route to Switch C.
- Enable the static route when detect group 8 is reachable.
- To ensure normal operation of the auto detect function, configure a static route to Switch A on Switch C.
Network diagram
Figure 1-3 Network diagram for VLAN interface backup
Configuration procedure
Configure the IP addresses of all the interfaces as shown in Figure 1-3. The configuration procedure is omitted.
# Enter system view.
<SwitchA> system-view
# Create auto detect group 10.
1 MSTP Configuration
Go to these sections for information you are interested in:
- Overview
- MSTP Configuration Task List
- Configuring Root Bridge
- Configuring Leaf Nodes
- Performing mCheck .
In STP, BPDUs come in two types:
- Configuration BPDUs, used to calculate spanning trees and maintain the spanning tree topology.
- Topology change notification (TCN) BPDUs, used to notify concerned devices of network topology changes, if any.
Figure 1-1 A schematic diagram of designated bridges and designated ports
All the ports on the root bridge are designated ports.
4) Bridge ID
A bridge ID consists of eight bytes, where the first two bytes represent the bridge priority of the device, and the latter six bytes represent the MAC address of the device.
6) Port ID
A port ID used on a 3Com Switch 4500 consists of two bytes, that is, 16 bits, where the first six bits represent the port priority, and the latter ten bits represent the port number. The default priority of all Ethernet ports on 3Com Switch 4500 is 128.
Table 1-2 Selection of the optimum configuration BPDU
Step / Description
1: Upon receiving a configuration BPDU on a port, the device performs the following processing:
- If the received configurati.
Step / Description
3: The device compares the calculated configuration BPDU with the configuration BPDU on the port whose role is to be determined, and acts as follows based on the comparison resu.
Device / Port name / BPDU of port
Device B / BP1 / {1, 0, 1, BP1}
Device B / BP2 / {1, 0, 1, BP2}
Device C / CP1 / {2, 0, 2, CP1}
Device C / CP2 / {2, 0, 2, CP2}
- Comparison process and result on each device
The following table shows the comparison process and result on each device.
Device / Comparison process / BPDU of port after comparison
- Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
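The comparison in Table 1-2 and the worked example above (BPDU = {root bridge ID, root path cost, designated bridge ID, designated port ID}, smaller values superior, compared field by field) is the core of the spanning tree calculation, and it can be written down directly. The following is an added example for this page, not 3Com code: bridge IDs are the small integers the page uses, port IDs are the page's labels (AP2, BP2, CP1, CP2) rather than encoded 16-bit port IDs, and every port path cost is assumed to be 1. `bridge_id_bytes` separately shows the 8-byte bridge ID layout (2 bytes priority, 6 bytes MAC) and why a lower priority wins before the MAC is even looked at.

```python
from typing import Dict, Optional, Tuple

# A configuration BPDU in the page's notation:
# (root bridge ID, root path cost, designated bridge ID, designated port ID).
# Python compares tuples field by field, so "a < b" is exactly "a is superior to b".
Bpdu = Tuple[int, int, int, str]

def bridge_id_bytes(priority: int, mac: str) -> bytes:
    """8-byte bridge ID: 2 bytes priority followed by the 6-byte MAC (page's layout)."""
    mac_bytes = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(mac_bytes) != 6 or not 0 <= priority <= 0xFFFF:
        raise ValueError("bad bridge ID components")
    return priority.to_bytes(2, "big") + mac_bytes

def keep_superior(port_bpdu: Bpdu, received: Bpdu) -> Bpdu:
    """Step 1 of Table 1-2: the port keeps whichever BPDU is superior."""
    return received if received < port_bpdu else port_bpdu

def compute_roles(bridge_id: int, ports: Dict[str, Tuple[Optional[Bpdu], int]]):
    """ports: port name -> (best BPDU received on that port or None, port path cost).
    Returns (root port or None, root path cost, {port: role}, {port: BPDU the port holds}).
    A bridge that receives nothing superior to its own ID is the root and all its
    ports are designated."""
    best_port, best = None, (bridge_id, 0, bridge_id, "")
    for name, (received, cost) in ports.items():
        if received is None:
            continue
        # Candidate root via this port: received root, received cost plus this port's cost.
        candidate = (received[0], received[1] + cost, received[2], received[3])
        if candidate < best:
            best_port, best = name, candidate
    root_id, root_cost = best[0], best[1]
    roles, held = {}, {}
    for name, (received, cost) in ports.items():
        calculated = (root_id, root_cost, bridge_id, name)
        if name == best_port:
            roles[name], held[name] = "root", received
        elif received is None or calculated < received:
            roles[name], held[name] = "designated", calculated   # step 3: calculated BPDU wins
        else:
            roles[name], held[name] = "alternate", received      # received BPDU wins, port blocked
    return best_port, root_cost, roles, held
```

Run twice to see the process converge: in the first round Device C still holds Device B's initial BPDU {1, 0, 1, BP2} on CP2 and makes CP2 designated; once Device B has also found the root and sends {0, 1, 1, BP2}, the same comparison turns CP2 into an alternate (blocked) port, which is the final tree of Figure 1-3.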
Figure 1-3 The final calculated spanning tree
To facilitate description, the spanning tree calculation process in this example is simplified, while the actual process is more complicated.
For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and the designated ports must go through a period, which is twice the forward delay time, before they transit to the forwarding state. The period allows the new configuration BPDUs to be propagated throughout the entire network.
- MSTP supports mapping VLANs to multiple spanning tree (MST) instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP introduces instances (each of which integrates multiple VLANs into a set) and can bind multiple VLANs to an instance, thus saving communication overhead and improving resource utilization.
2) MSTI
A multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region. Multiple spanning trees can be established in one MST region. These spanning trees are independent of each other. For example, each region in Figure 1-4 contains multiple spanning trees known as MSTIs.
- A region boundary port is located on the boundary of an MST region and is used to connect one MST region to another MST region, an STP-enabled region or an RSTP-enabled region.
- An alternate port is a secondary port of a root port or master port and is used for rapid transition.
- Forwarding state. Ports in this state can forward user packets and receive/send BPDU packets.
- Learning state. Ports in this state can receive/send BPDU packets but do not forward user packets.
- Discarding state. Ports in this state can only receive BPDU packets.
In addition to the basic MSTP functions, the 3Com Switch 4500 also provides the following functions for users to manage their switches:
- Root bridge hold
- Root bridge backup
- Root guard
- BPDU guard
- Loop guard
- TC-BPDU attack guard
Protocols and Standards
MSTP is documented in:
- IEEE 802.
Task / Remarks
Configuring the Maximum Transmitting Rate on the Current Port: Optional. The default value is recommended.
Configuring the Current Port as an Edge Port: Optional
Setting the Link Type.
To do... / Use the command... / Remarks
Configure the name of the MST region: region-name name (Required. The default MST region name of a switch is its MAC address.)
Configuration example
# Configure an MST region named info, with MSTP revision level 1, VLAN 2 through VLAN 10 mapped to MSTI 1, and VLAN 20 through VLAN 30 mapped to MSTI 2.
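Switches belong to the same MST region only when their region name, revision level and VLAN-to-instance mapping table agree, and the mapping table is carried in BPDUs as a digest rather than in full (the digest snooping section later in this chapter exists because vendors compute it differently). The following added example, not 3Com code, builds the mapping table for the configuration example above and computes the IEEE 802.1s configuration digest: HMAC-MD5 over the 4096 two-byte entries with the fixed key from the standard. The key value and the well-known digest of the default mapping (every VLAN in instance 0) are taken from the standard as I know it, not from this page; treat them as assumptions to verify against a switch's own display output.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Fixed HMAC-MD5 key defined by IEEE 802.1s for the MST configuration digest
# (from the standard, not from this page).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

def vlan_to_instance_table(mappings: List[Tuple[int, int, int]]) -> List[int]:
    """Build the 4096-entry VLAN-to-instance table (index = VLAN ID).
    mappings: (first VLAN, last VLAN, MSTI); VLANs not listed stay in instance 0 (CIST)."""
    table = [0] * 4096
    for lo, hi, msti in mappings:
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range {lo}-{hi}")
        for vlan in range(lo, hi + 1):
            table[vlan] = msti
    return table

def config_digest(table: List[int]) -> str:
    """HMAC-MD5 of the table, each entry as a big-endian 16-bit MSTI number."""
    data = b"".join(msti.to_bytes(2, "big") for msti in table)
    return hmac.new(MST_DIGEST_KEY, data, hashlib.md5).hexdigest().upper()

def region_identifier(name: str, revision: int, mappings) -> Dict[str, object]:
    """The three values two switches must share to be in one MST region."""
    return {"name": name, "revision": revision,
            "digest": config_digest(vlan_to_instance_table(mappings))}

# The page's example region: name info, revision 1, VLAN 2-10 -> MSTI 1, VLAN 20-30 -> MSTI 2.
INFO_REGION = region_identifier("info", 1, [(2, 10, 1), (20, 30, 2)])
```

A switch whose mapping omits a single VLAN gets a different digest and therefore lands in a different region, which is the usual reason two neighbours that "look" identically configured do not form one region.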
Using the stp root primary / stp root secondary command, you can specify the current switch as the root bridge or the secondary root bridge of the MSTI identified by the instance-id argument.
To do... / Use the command... / Remarks
Set the bridge priority for the current switch: stp [ instance instance-id ] priority priority (Required. The default bridge priority of a switch is 32,768.)
To do... / Use the command... / Remarks
Enter system view: system-view
Enter Ethernet port view: interface interface-type interface-number
Configure how a port recognizes and sends MSTP packets: stp compliance { auto | dot1s | legacy } (Required. By default, a port recognizes and sends MSTP packets in the automatic mode.)
<Sysname> system-view
[Sysname] stp mode stp
Configuring the Maximum Hop Count of an MST Region
The maximum hop count configured on the region root is also the maximum hops of the MST region. The value of the maximum hop count limits the size of the MST region.
To do... / Use the command... / Remarks
Enter system view: system-view
Configure the network diameter of the switched network: stp bridge-diameter bridgenumber (Required. The default network diameter of a network is 7. The network diameter parameter indicates the size of a network.)
- The forward delay parameter and the network diameter are correlated. Normally, a large network diameter corresponds to a large forward delay.
Configuration procedure
Follow these steps to configure the timeout time factor:
To do... / Use the command... / Remarks
Enter system view: system-view
Configure the timeout time factor for the switch: stp timer-factor number (Required. The timeout time factor defaults to 3.)
As the maximum transmitting rate parameter determines the number of configuration BPDUs transmitted in each hello time, set it to a proper value to prevent MSTP from occupying too many network resources. The default value is recommended.
Configuration example
# Set the maximum transmitting rate of Ethernet 1/0/1 to 15.
It is recommended that you configure the Ethernet ports connected directly to terminals as edge ports and enable the BPDU guard function at the same time. This not only enables these ports to turn to the forwarding state rapidly but also secures your network.
To do... / Use the command... / Remarks
Specify whether the link connected to a port is a point-to-point link: stp point-to-point { force-true | force-false | auto } (Required. The auto keyword is adopted by default.)
To do... / Use the command... / Remarks
Enter system view: system-view
Enable MSTP: stp enable (Required. MSTP is enabled globally by default.)
Enter Ethernet port view: interface interface-type interface-number
Disable MSTP on the port: stp disable (Optional. By default, MSTP is enabled on all ports.)
Configuring the Path Cost for a Port
The path cost parameter reflects the rate of the link connected to the port. For a port on an MSTP-enabled switch, the path cost may be different in different MSTIs.
When calculating the path cost of an aggregated link, the 802.1D-1998 standard does not take the number of ports on the aggregated link into account, whereas the 802.
[Sysname] undo stp interface Ethernet 1/0/1 instance 1 cost
[Sysname] stp pathcost-standard dot1d-1998
2) Perform this configuration in Ethernet port view
<Sysname> system-view
[Sysname] in.
1) Perform this configuration in system view
<Sysname> system-view
[Sysname] stp interface Ethernet 1/0/1 instance 1 port priority 16
2) Perform this configuration in Ethernet port view
<.
To do... / Use the command... / Remarks
Enter system view: system-view
Enter Ethernet port view: interface interface-type interface-number
Perform the mCheck operation: stp mcheck (Required)
Configuration Example
# Perform the mCheck operation on Ethernet 1/0/1.
To do... / Use the command... / Remarks
Enter system view: system-view
Enable the BPDU guard function: stp bpdu-protection (Required. The BPDU guard function is disabled by default.)
Configuration procedure
Follow these steps to configure the root guard function in system view:
To do... / Use the command... / Remarks
Enter system view: system-view
Enable the root guard function on specified ports: stp interface interface-list root-protection (Required. The root guard function is disabled by default.)
- It is recommended that you enable loop guard on the root port and alternate port of a non-root bridge.
- Loop guard, root guard, and edge port settings are mutually exclusive. With one of these functions enabled on a port, neither of the other two can take effect even if you have configured it on the port.
maximum times for a switch to remove the MAC address table and ARP entries to 100 and the switch receives 200 TC-BPDUs in the period, the switch removes the MAC address table and ARP entries only 100 times within the period.
Configuration prerequisites
MSTP runs normally on the switch.
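The three protection functions described above (BPDU guard on edge ports, root guard on designated ports, and the TC-BPDU attack guard that caps how many times the MAC address table and ARP entries are flushed per period) are rate and policy decisions that can be modelled in a few lines. The following is an added example for this page, not 3Com's implementation. Assumptions: a BPDU arriving on an edge port with BPDU guard enabled shuts the port down; a root-guarded port that receives a BPDU superior to its own calculated BPDU is put into the discarding state instead of accepting a new root; the length of the TC-BPDU counting period is not given on the page, so 10 seconds is assumed; BPDUs are the page's four-field tuples, and the clock is injectable.

```python
import time
from typing import Tuple

class MstpGuards:
    """Hypothetical model of BPDU guard, root guard and TC-BPDU attack guard (added example)."""

    def __init__(self, tc_flush_limit=100, tc_period_seconds=10, clock=time.monotonic):
        self.clock = clock
        self.bpdu_guard_enabled = False   # stp bpdu-protection (global setting)
        self.edge_ports = set()           # ports configured as edge ports
        self.root_guard_ports = set()     # stp interface ... root-protection
        self.shut_down = set()
        self.discarding = set()
        self.tc_limit = tc_flush_limit    # maximum MAC/ARP flushes per period
        self.tc_period = tc_period_seconds   # assumed period length, not given on the page
        self._period_start = None
        self.flushes = 0
        self.suppressed = 0

    def receive_bpdu(self, port: str, received: Tuple, calculated: Tuple) -> str:
        """Apply the guards to a configuration BPDU received on `port`."""
        if port in self.edge_ports and self.bpdu_guard_enabled:
            self.shut_down.add(port)          # an edge port must never see a BPDU
            return "shutdown:bpdu-guard"
        if port in self.root_guard_ports and received < calculated:
            # A superior BPDU here would move the root into this subtree; block the port instead.
            self.discarding.add(port)
            return "discarding:root-guard"
        return "accepted"

    def receive_tc_bpdu(self) -> bool:
        """Returns True when the MAC address table and ARP entries are actually flushed."""
        now = self.clock()
        if self._period_start is None or now - self._period_start >= self.tc_period:
            self._period_start, self.flushes, self.suppressed = now, 0, 0
        if self.flushes < self.tc_limit:
            self.flushes += 1
            return True
        self.suppressed += 1                  # over the limit: the TC-BPDU is ignored
        return False
```

Feeding 200 TC-BPDUs into the model within one period gives exactly 100 flushes and 100 suppressed messages, the figures used in the text above; the `suppressed` counter is the value worth exporting to monitoring, since a steadily rising count is the visible symptom of a TC-BPDU flood.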
switch, and put them in the BPDUs to be sent to the other manufacturer's switch. In this way, the Switch 4500 can communicate with another manufacturer's switches in the same MST region. The digest snooping function is not applicable to edge ports.
- When the digest snooping feature is enabled on a port, the port state turns to the discarding state. That is, the port will not send BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port.
Figure 1-6 The RSTP rapid transition mechanism (root port blocks other non-edge ports, changes to the forwarding state and sends Agreement to the upstream device; downstream switch; upstream switch; Propos.)
Configuring Rapid Transition
Configuration prerequisites
As shown in Figure 1-8, a 3Com Switch 4500 is connected to another manufacturer's switch. The former operates as the downstream switch, and the latter operates as the upstream switch.
- The rapid transition feature can be enabled only on root ports or alternate ports.
- If you configure the rapid transition feature on a designated port, the feature does not take effect on the port.
Configuration procedure
Follow these steps to enable trap messages conforming to the 802.1d standard:
To do... / Use the command... / Remarks
Enter system view: system-view
Enable trap messages conforming to 802.
Network diagram
Figure 1-9 Network diagram for MSTP configuration
The word "permit" shown in Figure 1-9 means the corresponding link permits packets of specific VLANs.
Configuration procedure
1) Configure Switch A
# Enter MST region view.
# Activate the settings of the MST region manually.
[Sysname-mst-region] active region-configuration
# Specify Switch B as the root bridge of MSTI 3.
[Sysname] stp instance 3 root primary
3) Configure Switch C.
# Enter MST region view.
<Sysname> system-view
[Sysname] stp region-configuration
# Configure the MST region.
1 IP Routing Protocol Overview
Go to these sections for information you are interested in:
- Introduction to IP Route and Routing Table
- Routing Protocol Overview
- Displaying and Maintaining a Routing Table
Introduction to IP Route and Routing Table
IP Route
Routers are used for route selection on the Internet.
- Preference: There may be multiple routes with different next hops to the same destination. These routes may be discovered by different routing protocols, or be manually configured static routes. The one with the highest preference (the smallest numerical value) will be selected as the current optimal route.
Routing Protocol Overview
Static Routing and Dynamic Routing
Static routing is easy to configure and requires fewer system resources. It works well in small, stable networks with simple topologies.
each routing protocol (including static routes) is assigned a priority. The route found by the routing protocol with the highest priority is preferred.
routing information. Each routing protocol shares routing information discovered by other routing protocols through a route redistribution mechanism.
2 Static Route Configuration
When configuring a static route, go to these sections for information you are interested in:
- Introduction to Static Route
- Static Route Configuration
- Displaying .
Default Route
To avoid too large a routing table, you can configure a default route. When the destination address of a packet fails to match any entry in the routing table:
- If there is a default route in the routing table, the default route will be selected to forward the packet.
To do... / Use the command... / Remarks
Display the brief information of a routing table: display ip routing-table
Display the detailed information of a routing table: display ip routing-table verbose
D.
1) Perform the following configurations on the switch.
# Approach 1: Configure static routes on Switch A.
<SwitchA> system-view
[SwitchA] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2
[SwitchA] ip route-static 1.1.4.0 255.255.255.0 1.1.2.
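Route selection as described above combines three rules: the most specific matching entry wins, among equally specific entries the route with the smallest preference value wins, and a default route (0.0.0.0/0) catches everything that matches nothing else. The following added example, not 3Com code, implements that lookup. The static route 1.1.3.0/255.255.255.0 via 1.1.2.2 is the page's own; the preference values (RIP 100 as shown in the route policy chapter's display output, static 60), next hops and interface names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    protocol: str
    preference: int     # smaller value = higher preference, as the page defines it
    cost: int
    nexthop: str
    interface: str

class RoutingTable:
    """Hypothetical routing table doing longest-prefix match, then preference (added example)."""

    def __init__(self):
        self.routes: List[Route] = []

    def add(self, dest, protocol, preference, cost, nexthop, interface):
        # Accepts both "1.1.3.0/24" and the CLI's "1.1.3.0/255.255.255.0" forms.
        self.routes.append(Route(ipaddress.IPv4Network(dest), protocol, preference,
                                 cost, nexthop, interface))

    def remove(self, dest, protocol):
        net = ipaddress.IPv4Network(dest)
        self.routes = [r for r in self.routes if not (r.dest == net and r.protocol == protocol)]

    def lookup(self, address) -> Optional[Route]:
        """Return the route used to forward a packet to `address`, or None (dropped)."""
        addr = ipaddress.IPv4Address(address)
        matches = [r for r in self.routes if addr in r.dest]
        if not matches:
            return None                      # no entry and no default route
        longest = max(r.dest.prefixlen for r in matches)
        candidates = [r for r in matches if r.dest.prefixlen == longest]
        # Among equally specific routes the smallest preference wins; cost breaks ties.
        return min(candidates, key=lambda r: (r.preference, r.cost))
```

Note the order: prefix length is decided before preference, so a RIP-learned /25 still beats a static /24 for addresses inside the /25, while for the same prefix the static route (preference 60 here) is used until it is removed and the RIP route takes over.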
3 RIP Configuration
When configuring RIP, go to these sections for information you are interested in:
- RIP Overview
- RIP Configuration Task List
- RIP Configuration Example
- Troubleshooting RIP Configuration
The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
- Interface: Outbound interface on this router, through which IP packets should be forwarded to reach the destination.
- Metric: Cost from the local router to the destination.
- Route time: Time elapsed since the routing entry was last updated.
Task / Remarks
Enabling RIP on the interfaces attached to a specified network segment: Required
Setting the RIP operating status on an interface: Optional
Configuring Basic RIP Functions
Specifying .
- Related RIP commands configured in interface view can take effect only after RIP is enabled.
- RIP operates on the interfaces attached to a specified network segment. When RIP is disabled on an interface, it does not operate on the interface; that is, it neither receives/sends routes on the interface nor forwards any interface route.
- Set the preference of RIP to change the preference order of routing protocols. This order makes sense when more than one route to the same destination is discovered by multiple routing protocols.
- Redistribute external routes in an environment with multiple routing protocols.
Follow these steps to configure RIP route summarization:
To do... / Use the command... / Remarks
Enter system view: system-view
Enter RIP view: rip
Enable RIP-2 automatic route summarizatio.
- The filter-policy import command filters the RIP routes received from neighbors, and the routes being filtered out will neither be added to the routing table nor be advertised to any neighbors.
RIP Network Adjustment and Optimization
In some special network environments, some RIP features need to be configured and RIP network performance needs to be adjusted and optimized.
Split horizon cannot be disabled on a point-to-point link.
Configuring RIP-1 packet zero field check
Follow these steps to configure RIP-1 packet zero field check:
To do.
Configuring RIP to unicast RIP packets
Follow these steps to configure RIP to unicast RIP packets:
To do... / Use the command... / Remarks
Enter system view: system-view
Enter RIP view: rip
.
Switch C: Vlan-int1 110.11.2.3/24, Vlan-int4 117.102.0.1/16
Configuration procedure
Only the configuration related to RIP is listed below. Before the following configuration, make sure the Ethernet link layer works normally and the IP addresses of VLAN interfaces are configured correctly.
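Two of the adjustments named above, RIP-1 packet zero field check and split horizon, are easiest to understand on the wire format. The following added example, not 3Com code, builds and parses RIP-1 response packets using the RFC 1058 layout (4-byte header, 20-byte entries with three must-be-zero fields) and keeps a small RIP table with split horizon when building the advertisement for an interface. Assumptions: with the check enabled, a non-zero field in the header discards the packet and a non-zero field in an entry discards that entry; the networks 117.102.0.0 and 110.11.2.0 come from the page's network diagram, the interface names are constructed.

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

RIP_RESPONSE = 2
AF_INET = 2
RIP_INFINITY = 16

def build_rip1_response(entries: List[Tuple[str, int]]) -> bytes:
    """RIP-1 response: command, version, zero(2); then per entry
    AFI(2), zero(2), IP(4), zero(4), zero(4), metric(4)."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, 1, 0)
    for net, metric in entries:
        pkt += struct.pack("!HH4sIII", AF_INET, 0,
                           ipaddress.IPv4Address(net).packed, 0, 0, metric)
    return pkt

def parse_rip1(pkt: bytes, zero_field_check: bool = True) -> Optional[List[Tuple[str, int]]]:
    """Return the (network, metric) entries, or None when the whole packet is discarded."""
    command, version, hdr_zero = struct.unpack_from("!BBH", pkt, 0)
    if command != RIP_RESPONSE or version != 1:
        return None
    if zero_field_check and hdr_zero != 0:
        return None                              # must-be-zero field in the header is set
    routes = []
    for offset in range(4, len(pkt) - 19, 20):
        afi, z1, ip, z2, z3, metric = struct.unpack_from("!HH4sIII", pkt, offset)
        if zero_field_check and (z1 or z2 or z3):
            continue                             # entry with a non-zero zero field is ignored
        if afi != AF_INET or not 1 <= metric <= RIP_INFINITY:
            continue
        routes.append((str(ipaddress.IPv4Address(ip)), metric))
    return routes

class RipTable:
    """Hypothetical RIP route table: learns with metric+1, advertises with split horizon."""

    def __init__(self):
        self.routes: Dict[str, Tuple[int, str]] = {}   # network -> (metric, learned-from interface)

    def learn(self, iface: str, entries: List[Tuple[str, int]]):
        for net, metric in entries:
            new_metric = min(metric + 1, RIP_INFINITY)
            if new_metric >= RIP_INFINITY:
                continue                             # unreachable, not installed
            current = self.routes.get(net)
            if current is None or new_metric < current[0]:
                self.routes[net] = (new_metric, iface)

    def advertisement_for(self, iface: str, split_horizon: bool = True) -> List[Tuple[str, int]]:
        """Routes to send out of `iface`; split horizon omits routes learned on that interface."""
        return sorted((net, metric) for net, (metric, src) in self.routes.items()
                      if not (split_horizon and src == iface))
```

The tampered packet in the test flips one byte of a must-be-zero field: with the check on, only the clean entry is installed; with the check off, both are, which is the trade-off the zero field check commands above control.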
4 IP Route Policy Configuration
When configuring an IP route policy, go to these sections for information you are interested in:
- IP Route Policy Overview
- IP Route Policy Configuration Task L.
For ACL configuration, refer to the part discussing ACL.
IP-prefix list
An IP-prefix list plays a role similar to an ACL, but it is more flexible than an ACL and easier to understand. When an IP-prefix list is applied to filter routing information, its matching object is the destination address field in the routing information.
- if-match clause: Defines matching rules; that is, the filtering conditions that the routing information should satisfy to pass the current route policy.
To do... / Use the command... / Remarks
Enter system view: system-view
Enter the route-policy view: route-policy route-policy-name { permit | deny } node node-number (Required)
Define a rule to mat.
IP-Prefix Configuration
An IP-prefix list plays a role similar to an ACL but is more flexible and easier to understand. When an IP-prefix list is applied to filter routing information, its matching object is the destination address information field of the routing information.
IP Route Policy Configuration Example
Controlling RIP Packet Cost to Implement Dynamic Route Backup
Network requirements
The required speed of convergence in the small network of a company is not high. The network provides two services. Main and backup links are provided for each service for the purpose of reliability.
- For the OA server, the main link is between Switch A and Switch C, while the backup link is between Switch B and Switch C.
- For the service server, the main link is between Switch B and Switch C, while the backup link is between Switch A and Switch C.
[SwitchC-route-policy] if-match interface Vlan-interface2
[SwitchC-route-policy] if-match ip-prefix 2
[SwitchC-route-policy] apply cost 6
[SwitchC-route-policy] quit
# Create node 30 with the matching mode being permit in the route policy. Define if-match clauses.
2) Display data forwarding paths when the main link of the OA server between Switch A and Switch C is down.
<SwitchC> display ip routing-table
Routing Table: public net
Destination/Mask  Protocol  Pre  Cost  Nexthop  Interface
1.0.0.0/8  RIP  100  6  6.
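The route policy above is evaluated node by node: a node whose if-match clauses all hold decides the route (permit applies its apply clauses, deny drops it), and a route that matches no node is denied. The following added example, not 3Com code, implements that evaluation together with an IP-prefix list whose matching object is the route's destination prefix. Assumptions: the greater-equal/less-equal semantics are the conventional ones (neither given means exact length, greater-equal alone extends to /32); the prefix list "2" is assumed to permit 1.0.0.0/8, which is consistent with the 1.0.0.0/8 RIP route with cost 6 in the display output above; node 30's clauses are not fully shown on the page and are modelled as a permit-all.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

class IpPrefixList:
    """ip ip-prefix <name> index <n> permit|deny <prefix> [greater-equal g] [less-equal l]."""

    def __init__(self):
        self.items = []   # (index, action, network, min length, max length)

    def add(self, index, action, prefix, greater_equal=None, less_equal=None):
        net = ipaddress.IPv4Network(prefix)
        ge = greater_equal if greater_equal is not None else net.prefixlen
        if less_equal is not None:
            le = less_equal
        elif greater_equal is not None:
            le = 32
        else:
            le = net.prefixlen                       # exact length when no range is given
        self.items.append((index, action, net, ge, le))
        self.items.sort()

    def permits(self, dest: str) -> bool:
        route = ipaddress.IPv4Network(dest)
        for _, action, net, ge, le in self.items:   # first matching item decides
            if route.subnet_of(net) and ge <= route.prefixlen <= le:
                return action == "permit"
        return False                                 # implicit deny at the end of the list

def match_interface(name: str) -> Callable[[dict], bool]:
    """if-match interface <name>"""
    return lambda route: route["interface"] == name

def match_ip_prefix(plist: IpPrefixList) -> Callable[[dict], bool]:
    """if-match ip-prefix <list>"""
    return lambda route: plist.permits(route["dest"])

class RoutePolicy:
    """Hypothetical route-policy evaluator (added example)."""

    def __init__(self):
        self.nodes: Dict[int, dict] = {}

    def node(self, number, mode, if_match=(), apply=None):
        self.nodes[number] = {"mode": mode, "if_match": list(if_match), "apply": dict(apply or {})}

    def evaluate(self, route: dict) -> Optional[dict]:
        """Return the (possibly modified) route, or None when the policy denies it."""
        for number in sorted(self.nodes):
            node = self.nodes[number]
            if all(cond(route) for cond in node["if_match"]):
                if node["mode"] == "deny":
                    return None
                out = dict(route)
                out.update(node["apply"])              # e.g. apply cost 6
                return out
        return None                                    # no node matched: denied

def build_example_policy() -> RoutePolicy:
    """Node 10 from the page (interface Vlan-interface2 and ip-prefix 2, cost 6) plus a
    permit-all node 30 standing in for the node whose clauses the page does not show."""
    plist2 = IpPrefixList()
    plist2.add(10, "permit", "1.0.0.0/8")             # assumed content of ip-prefix 2
    policy = RoutePolicy()
    policy.node(10, "permit",
                if_match=[match_interface("Vlan-interface2"), match_ip_prefix(plist2)],
                apply={"cost": 6})
    policy.node(30, "permit")
    return policy
```

With this policy the 1.0.0.0/8 route arriving on Vlan-interface2 is installed with cost 6, so the lower-cost path through the other switch is preferred while it is up, and the backup through Vlan-interface2 takes over when the main link fails.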
1 Multicast Overview
In this manual, the term "router" refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
Multicast Overview
With the development of the Internet, more and more interactive services such as data, voice, and video services are running on the network.
Assume that Hosts B, D and E need this information. The source server establishes transmission channels for the devices of these users respectively.
Information Transmission in the Multicast Mode
As described in the previous sections, unicast is suitable for networks with sparsely distributed users, whereas broadcast is suitable for networks with densely distributed users. When the number of users requiring information is not certain, unicast and broadcast are not efficient.
- All receivers interested in the same information form a multicast group. Multicast groups are not subject to geographic restrictions.
- A router that supports Layer 3 multicast is called a multicast router or Layer 3 multicast device. In addition to providing multicast routing, a multicast router can also manage multicast group members.
- Distributive application: Multicast makes multiple-point application possible.
Application of multicast
The multicast technology effectively addresses the issue of point-to-multipoint data transmission.
Multicast Architecture
The purpose of IP multicast is to transmit information from a multicast source to receivers in the multicast mode and to satisfy the information requirements of receivers.
- The membership of a group is dynamic. A host can join and leave a multicast group at any time.
- A multicast group can be either permanent or temporary.
- A multicast group whose addresses are assigned by IANA is a permanent multicast group.
Class D address range / Description
224.0.0.13: All Protocol Independent Multicast (PIM) routers
224.0.0.14: Resource Reservation Protocol (RSVP) encapsulation
224.0.0.15: All core-based tree (CBT) routers
224.0.0.16: The specified subnetwork bandwidth management (SBM)
224.
Multicast Protocols
- Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols, which inc.
Among a variety of mature intra-domain multicast routing protocols, Protocol Independent Multicast (PIM) is a popular one. Based on the forwarding mechanism, PIM comes in two modes: dense mode (often referred to as PIM-DM) and sparse mode (often referred to as PIM-SM).
- In the network, multicast packet transmission is based on the guidance of the multicast forwarding table derived from the unicast routing table or the multicast routing table specially provided for multicast.
considers the path along which the packet from the RPF neighbor arrived on the RPF interface to be the shortest path that leads back to the source. Assume that unicast routes exist in the network, as shown in Figure 1-7. Multicast packets travel along the SPT from the multicast source to the receivers.
2 Common Multicast Configuration
In this manual, the term "router" refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Configure multicast source port suppression | multicast-source-deny | Optional. Multicast source port suppression is disabled by default.
- If the multicast MAC address entry to be created already exists, the system gives you a prompt.
- If you want to add a port to a multicast MAC address entry created through the mac-address multicast command, you need to remove the entry first, create this entry again, and then add the specified port to the forwarding ports of this entry.
3 IGMP Snooping Configuration
When configuring IGMP snooping, go to these sections for information you are interested in:
- IGMP Snooping Overview
- Configuring IGMP Snooping
- Displaying and Mai.
Figure 3-1 Before and after IGMP Snooping is enabled on a Layer 2 device (figure labels: Multicast packet transmission without IGMP Snooping; Source; Multicast router; Host A, Receiver; Host B; Host C, Receiver; Multicast.)
member ports. The switch records all member ports on the local device in the IGMP Snooping forwarding table.
Port aging timers in IGMP Snooping and related messages and actions
Table 3-1 Port a.
A switch will not forward an IGMP report through a non-router port for the following reason: due to the IGMP report suppression mechanism, if member hosts of that multicast group still exist u.
Configuring IGMP Snooping
Complete the following tasks to configure IGMP Snooping:
Task | Remarks
Enabling IGMP Snooping | Required
Configuring the Version of IGMP Snooping | Optional
Configuring Time.
- Although both Layer 2 and Layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously on a VLAN or its corresponding VLAN interface.
- Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view; otherwise the IGMP Snooping settings will not take effect.
Configuring Timers
This section describes how to configure the aging timer of the router port, the aging timer of the multicast member ports, and the query response timer.
To do... | Use the command... | Remarks
Enter Ethernet port view | interface interface-type interface-number | —
Enable fast leave processing for specific VLANs | igmp-snooping fast-leave [ vlan vlan-list ] | Required. By default, the fast leave processing feature is disabled.
Fast leave removes a port from the group as soon as a leave message arrives, without waiting for a group-specific query, so enable it only on ports with a single receiver; on a port shared by several hosts, one host leaving would cut off the others.
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Configure a multicast group filter | igmp-snooping group-policy acl-number [ vlan vlan-list ] | Optional. No group filter is configured by default, namely hosts can join any multicast group.
- To prevent bursting traffic in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process.
To do... | Use the command... | Remarks
Enable IGMP Snooping querier | igmp-snooping querier | Required. By default, the IGMP Snooping querier is disabled.
Configuring IGMP query interval
Follow these steps to configure the IGMP query interval:
To do... Use the command.
- If the function of dropping unknown multicast packets or the XRN fabric function is enabled, you cannot enable unknown multicast flooding suppression.
- Unknown multicast flooding suppression and multicast source port suppression cannot take effect at the same time.
Configuring a Static Router Port
In a network where the topology is unlikely to change, you can configure a port on the switch as a static router port, so that the switch has a static connection to a multicast router and receives IGMP messages from that router.
Therefore, to ensure that IGMP entries will not age out, the port must receive IGMP general queries periodically.
Follow these steps to configure a port as a simulated group member:
To do.
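The behaviour described across the overview and the timer, fast-leave and static-router-port sections (router ports learned from general queries, member ports learned from reports, both aged by timers, reports relayed only toward router ports, unknown groups flooded unless dropping is enabled) can be seen end to end in the following simulation. It is an added example in Python, not code from the 3Com guide; the timer values, the class name and the port identifiers are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Timer values are assumptions for illustration, not the switch defaults.
ROUTER_PORT_AGING = 105
MEMBER_PORT_AGING = 260
LEAVE_RESPONSE_WAIT = 2   # how long a member port survives after a normal leave


@dataclass
class SnoopingVlan:
    ports: set                                          # all ports in the VLAN
    fast_leave_ports: set = field(default_factory=set)
    drop_unknown: bool = False                          # "drop unknown multicast" knob
    router_ports: dict = field(default_factory=dict)    # port -> expiry time
    groups: dict = field(default_factory=dict)          # group -> {port: expiry}

    def on_general_query(self, port, now):
        """A general query from the router side marks the ingress as a router
        port; every further query restarts its aging timer."""
        self.router_ports[port] = now + ROUTER_PORT_AGING

    def on_report(self, group, port, now):
        """A membership report makes (or keeps) the ingress a member port."""
        self.groups.setdefault(group, {})[port] = now + MEMBER_PORT_AGING

    def on_leave(self, group, port, now):
        """Fast-leave drops the port at once. Otherwise the port is kept only for
        LEAVE_RESPONSE_WAIT seconds, time enough for another host behind the same
        port to answer the group-specific query with a report."""
        members = self.groups.get(group, {})
        if port not in members:
            return
        if port in self.fast_leave_ports:
            del members[port]
        else:
            members[port] = min(members[port], now + LEAVE_RESPONSE_WAIT)
        if not members:
            del self.groups[group]

    def expire(self, now):
        """Age out router and member ports whose timers elapsed. Without periodic
        general queries every entry eventually disappears (the point made about
        static router ports and simulated members above)."""
        self.router_ports = {p: t for p, t in self.router_ports.items() if t > now}
        for group in list(self.groups):
            live = {p: t for p, t in self.groups[group].items() if t > now}
            if live:
                self.groups[group] = live
            else:
                del self.groups[group]

    def data_out_ports(self, group, in_port):
        """Egress set for a multicast data frame: member ports plus router ports
        for a known group; for an unknown group either flood the VLAN or drop."""
        if group in self.groups:
            out = set(self.groups[group]) | set(self.router_ports)
        elif self.drop_unknown:
            out = set()
        else:
            out = set(self.ports)
        return out - {in_port}

    def report_out_ports(self, in_port):
        """Report suppression: a host's report is relayed only toward router
        ports, never to other member ports."""
        return set(self.router_ports) - {in_port}


def demo():
    v = SnoopingVlan(ports={1, 2, 3, 4}, fast_leave_ports={3})
    v.on_general_query(port=1, now=0)                    # port 1 faces the router
    v.on_report("224.1.1.1", port=2, now=1)
    v.on_report("224.1.1.1", port=3, now=1)
    known = v.data_out_ports("224.1.1.1", in_port=1)     # {2, 3}
    unknown = v.data_out_ports("224.9.9.9", in_port=1)   # flooded: {2, 3, 4}
    report_egress = v.report_out_ports(in_port=2)        # {1}: router port only
    v.on_leave("224.1.1.1", port=3, now=2)               # fast leave: gone at once
    v.on_leave("224.1.1.1", port=2, now=2)               # normal leave: kept briefly
    after_leave = v.data_out_ports("224.1.1.1", in_port=1)   # {2}
    v.expire(now=5)
    aged = v.data_out_ports("224.1.1.1", in_port=1)      # group gone, flooded again
    return known, unknown, report_egress, after_leave, aged
```

Set `drop_unknown=True` to see the effect of dropping unknown multicast instead of flooding it; in the model, as on the switch, that choice and unknown-multicast flooding suppression address the same traffic.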
Configuring Multicast VLAN
In traditional multicast implementations, when users in different VLANs listen to the same multicast group, the multicast data is copied on the multicast router for each VLAN that contains receivers. This is a big waste of network bandwidth.
To do... | Use the command... | Remarks
Enter Ethernet port view for the Layer 3 switch | interface interface-type interface-number | —
Define the port as a trunk or hybrid port | port link-type { trunk .
IGMP Snooping Configuration Examples
Configuring IGMP Snooping
Network requirements
To prevent multicast traffic from being flooded at Layer 2, enable IGMP snooping on Layer 2 switches.
- As shown in Figure 3-3, Router A connects to a multicast source (Source) through Ethernet 1/0/2, and to Switch A through Ethernet 1/0/1.
3) Configure Switch A
# Enable IGMP Snooping globally.
<SwitchA> system-view
[SwitchA] igmp-snooping enable
Enable IGMP-Snooping ok.
# Create VLAN 100, assign Ethernet 1/0/1 through Ethernet 1/0/4 to this VLAN, and enable IGMP Snooping in the VLAN.
Table 3-2 Network devices and their configurations
Device | Device description | Networking description
Switch A | Layer 3 switch | The interface IP address of VLAN 20 is 168.10.1.1. Ethernet 1/0/1 is connected to the workstation and belongs to VLAN 20.
Network diagram
Figure 3-4 Network diagram for multicast VLAN configuration (figure labels: WorkStation; Switch A; Switch B; Vlan-int20 168.10.1.1; Eth1/0/1; Eth1/0/10; Vlan 2; Vlan 3; Eth1/0/10; Vlan 10; Eth1/0/1; Eth1/0/2; Host A; Host B; Vlan-int10 168.)
# Create VLAN 2, VLAN 3 and VLAN 10, configure VLAN 10 as the multicast VLAN, and then enable IGMP Snooping on it.
[SwitchB] vlan 2 to 3
Please wait.
- If the multicast group set up by IGMP Snooping is not correct, contact your technical support personnel.
1 802.1x Configuration
When configuring 802.1x, go to these sections for information you are interested in:
- Introduction to 802.1x
- Introduction to 802.1x Configuration
- Basic 802.1x Configuration
- Advanced 802.1x Configuration
- Displaying and Maintaining 802.
Figure 1-1 Architecture of 802.1x authentication
- The supplicant system is the entity seeking access to the LAN. It resides at one end of a LAN segment and is authenticated by the authenticator system at the other end of the LAN segment. The supplicant system is usually a user terminal device.
- The controlled port can be used to pass service packets when it is in authorized state. It is blocked when not in authorized state. In this case, no packets can pass through it.
- Controlled port and uncontrolled port are two properties of a port.
Figure 1-3 The format of an EAPoL packet
In an EAPoL packet:
- The PAE Ethernet type field holds the protocol identifier. The identifier for 802.1x is 0x888E.
- The Protocol version field holds the version of the protocol supported by the sender of the EAPoL packet.
- The Length field indicates the size of the EAP packet, which includes the Code, Identifier, Length, and Data fields.
- The Data field carries the EAP packet, whose format differs with the Code field. A Success or Failure packet does not contain the Data field, so its Length field is 4.
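The field rules just listed (EtherType 0x888E, the EAPoL version/type/length header, the EAP Code/Identifier/Length/Data layout, and Length 4 for Success and Failure) are what an authenticator checks before acting on a frame. The parser below is an added example, not code from the 3Com guide or the switch firmware; the MAC addresses and the Identity payload are constructed for the demonstration, and the builder functions exist only to produce test frames.

```python
import struct

ETHERTYPE_EAPOL = 0x888E                                # PAE Ethernet type
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")       # 802.1X PAE group MAC
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def build_eapol_frame(dst, src, eapol_type, eap=b"", version=1):
    """Ethernet header + EAPoL header (version, type, length) + optional EAP body."""
    header = struct.pack("!BBH", version, eapol_type, len(eap))
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + header + eap


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """EAP packet: Code, Identifier, Length, Data. Success/Failure carry no
    Data, so their Length is exactly 4."""
    if code in (3, 4):
        return struct.pack("!BBH", code, identifier, 4)
    data = bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_eapol_frame(frame):
    """Parse one Ethernet frame; raise ValueError for anything that violates
    the field rules above (wrong EtherType, inconsistent lengths, a
    Success/Failure packet that carries Data)."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPoL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not EAPoL: EtherType 0x%04x" % ethertype)
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPoL Length runs past the end of the frame")
    out = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
           "version": version, "eapol_type": EAPOL_TYPES.get(eapol_type, eapol_type)}
    if eapol_type != 0:
        return out                            # Start/Logoff/Key carry no EAP packet
    if length < 4:
        raise ValueError("EAP packet shorter than its 4-octet header")
    code, identifier, eap_length = struct.unpack("!BBH", body[:4])
    if eap_length < 4 or eap_length > length:
        raise ValueError("EAP Length disagrees with EAPoL Length")
    out.update(code=EAP_CODES.get(code, code), identifier=identifier, length=eap_length)
    if code in (3, 4):
        if eap_length != 4:
            raise ValueError("Success/Failure must not carry Data (Length must be 4)")
        return out
    if eap_length < 5:
        raise ValueError("Request/Response needs at least a Type octet")
    out["eap_type"] = body[4]                 # 1 = Identity
    out["type_data"] = body[5:eap_length]
    return out


def demo():
    """The first messages of Figure 1-8, built and parsed locally."""
    supplicant = bytes.fromhex("001122334455")          # constructed MACs
    authenticator = bytes.fromhex("00aabbccddee")
    start = build_eapol_frame(PAE_GROUP_ADDRESS, supplicant, 1)
    identity_req = build_eapol_frame(supplicant, authenticator, 0, build_eap(1, 1, 1))
    identity_rsp = build_eapol_frame(PAE_GROUP_ADDRESS, supplicant, 0,
                                     build_eap(2, 1, 1, b"localuser"))
    success = build_eapol_frame(supplicant, authenticator, 0, build_eap(3, 2))
    return [parse_eapol_frame(f) for f in (start, identity_req, identity_rsp, success)]
```

The strict length checks matter on the authenticator side: a port authenticator that trusts the EAPoL Length field without comparing it to the frame, or accepts a Success packet with trailing Data, is parsing attacker-controlled input from an unauthenticated port.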
EAP relay mode
This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher level protocol packets (such as EAPoR, EAP over RADIUS) to enable them to successfully reach the authentication server.
Figure 1-8 802.1x authentication procedure (in EAP relay mode) (figure labels: Supplicant system PAE; RADIUS server; EAPoL; EAPoR; EAPoL-Start; EAP-Request/Identity; EAP-Response/Identit.)
feeds back (through a RADIUS Access-Accept packet and an EAP-Success packet) to the switch to indicate that the supplicant system is authenticated.
- The switch changes the state of the corresponding port to authorized state to allow the supplicant system to access the network.
Figure 1-9 802.1x authentication procedure (in EAP terminating mode) (figure labels: Supplicant system PAE; Authenticator system PAE; RADIUS server; EAPoL; RADIUS; EAPoL-Start; EAP-Request/Identity; EAP-Respons.)
- Re-authentication timer (reauth-period). The switch initiates 802.1x re-authentication at the interval set by the re-authentication timer.
- RADIUS server timer (server-timeout).
- Only disconnects the supplicant system but sends no Trap packets.
- Sends Trap packets without disconnecting the supplicant system.
This function needs the cooperation of the 802.1x client and a CAMS server.
- The 802.1x client needs to be capable of detecting multiple network adapters, proxies, and IE proxies.
- After the maximum number of retries have been made and there are still ports that have not sent any response back, the switch will then add these ports to the guest VLAN.
- Users belonging to the guest VLAN can access the resources of the guest VLAN without being authenticated.
- The RADIUS server has the switch perform 802.1x re-authentication of users. The RADIUS server sends the switch an Access-Accept packet with the Termination-Action attribute set to 1 (RADIUS-Request in RFC 2865). Upon receiving the packet, the switch re-authenticates the user periodically.
Basic 802.1x Configuration
Configuration Prerequisites
- Configure the ISP domain and the AAA scheme to be adopted. You can specify a RADIUS scheme or a local scheme.
- Ensure that the service type is configured as lan-access (by using the service-type command) if the local authentication scheme is adopted.
To do... | Use the command... | Remarks
Enable online user handshaking | dot1x handshake enable | Optional. By default, online user handshaking is enabled.
- 802.1x configurations take effect only after you enable 802.1x both globally and for the specified ports.
To do... | Use the command... | Remarks
Set 802.1x timers | dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ver-period ver-period-value } | Optional. The settings of 802.
To do... | Use the command... | Remarks
Enable the proxy checking function globally | dot1x supp-proxy-check { logoff | trap } | Required. By default, the 802.
As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also execute this command in port view. In this case, the command applies to the current port only and the interface-list argument is not needed.
- The guest VLAN function is available only when the switch operates in the port-based access control mode.
- Only one guest VLAN can be configured for each switch.
- The guest VLAN function cannot be implemented if you configure the dot1x dhcp-launch command on the switch to enable DHCP-triggered authentication.
During re-authentication, the switch always uses the latest re-authentication interval configured, no matter which of the above-mentioned two ways is used to determine the re-authentication interval.
a real-time accounting packet to the RADIUS servers once every 15 minutes. A user name is sent to the RADIUS servers with the domain name truncated.
- The user name and password for local 802.1x authentication are "localuser" and "localpass" (in plain text) respectively.
[Sysname-radius-radius1] secondary authentication 10.11.1.2
[Sysname-radius-radius1] secondary accounting 10.11.1.1
# Set the shared key (password) that the switch and the authentication RADIUS servers use to verify the messages they exchange.
2 Quick EAD Deployment Configuration
When configuring quick EAD deployment, go to these sections for information you are interested in:
- Introduction to Quick EAD Deployment
- Configuring Quic.
Configuring Quick EAD Deployment
Configuration Prerequisites
- Enable 802.1x on the switch.
- Set the port authorization mode to auto for 802.1x-enabled ports using the dot1x port-control command.
Configuration Procedure
Configuring a free IP range
A free IP range is an IP range that users can access before passing 802.
large number of users log in but cannot pass authentication, the switch may run out of ACL resources, preventing other users from logging in. A timer called the ACL timer is designed to solve this problem. You can control the usage of ACL resources by setting the ACL timer.
Configuration procedure
Before enabling quick EAD deployment, make sure that:
- The Web server is configured properly.
- The default gateway of the PC is configured as the IP address of the Layer 3 virtual interface of the VLAN to which the port that is directly connected with the PC belongs.
3 HABP Configuration
When configuring HABP, go to these sections for information you are interested in:
- Introduction to HABP
- HABP Server Configuration
- HABP Client Configuration
- Displaying and Maintaining HABP Configuration
Introduction to HABP
When a switch is configured with the 802.
To do... | Use the command... | Remarks
Configure the current switch to be an HABP server | habp server vlan vlan-id | Required. By default, a switch operates as an HABP client after you enable HABP on the switch. If you want to use the switch as a management switch, you need to configure the switch to be an HABP server.
4 System Guard Configuration
When configuring System Guard, go to these sections for information you are interested in:
- System Guard Overview
- Configuring System Guard
- Displaying and Maintai.
To do... | Use the command... | Remarks
Set the maximum number of infected hosts that can be concurrently monitored | system-guard ip detect-maxnum number | Optional. 30 by default
Set the maximum number .
Enabling Layer 3 Error Control
Follow these steps to enable Layer 3 error control:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enable Layer 3 error control | system-guard l3err enable | Required. Enabled by default
Displaying and Maintaining System Guard Configuration
To do.
1 AAA Overview
Introduction to AAA
AAA is the acronym for the three security functions: authentication, authorization and accounting. It provides a uniform framework for you to configure these three functions to implement network security management.
Introduction to ISP Domain
An Internet service provider (ISP) domain is a group of users who belong to the same ISP. For a username in the format of userid@isp-name or userid.isp-name, the isp-name following the "@" character is the ISP domain name.
Figure 1-1 Databases in a RADIUS server
In addition, a RADIUS server can act as a client of some other AAA server to provide authentication or accounting proxy service.
Basic message exchange procedure in RADIUS
The messages exchanged between a RADIUS client (a switch, for example) and a RADIUS server are verified through a shared key. The verification is an MD5 digest over the packet and the key, so anyone holding a captured exchange can test candidate keys offline; use a long, random shared key rather than a word.
4) The RADIUS client accepts or denies the user depending on the received authentication result. If it accepts the user, the RADIUS client sends a start-accounting request (Accounting-Request, with the Acct-Status-Type attribute value = Start) to the RADIUS server.
Code | Message type | Message description
4 | Accounting-Request | Direction: client->server. The client transmits this message to the server to request the server to start or end the accounting (whether to start or to end the accounting is determined by the Acct-Status-Type attribute in the message).
Type field value | Attribute type
10 | Framed-Routing
11 | Filter-ID
12 | Framed-MTU
13 | Framed-Compression
32 | NAS-Identifier
33 | Proxy-State
34 | Login-LAT-Service
35 | Log.
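The shared-key verification mentioned under the message exchange procedure, the User-Password attribute, and the start-accounting request with Acct-Status-Type = Start (attribute 40) can all be exercised from the client side with the following added example. It is not code from the 3Com guide; it follows RFC 2865/2866, and the shared key, user name, NAS identifier and packet identifiers are constructed for the demonstration (the Access-Accept is built locally to stand in for the server).

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER, ACCT_STATUS_TYPE = 1, 2, 32, 40
ACCT_STATUS_START = 1


def attribute(attr_type, value):
    """One Type-Length-Value attribute; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_authenticator):
    """User-Password hiding (RFC 2865 5.2): pad to a 16-octet multiple and XOR
    each block with MD5(secret + previous block), the first block keyed by the
    Request Authenticator. It is obfuscation keyed by the shared key, not
    modern encryption: a weak key is guessable from one captured request."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password; each step is keyed by the previous hidden block."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def packet(code, identifier, authenticator, attrs):
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, identifier, request_authenticator, attrs, secret):
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def verify_response(reply, request_authenticator, secret):
    """Client-side check of an Access-Accept/Reject: a reply whose authenticator
    does not match is discarded, so a forged or tampered reply from someone
    without the shared key is never acted on."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, identifier, request_authenticator,
                                      reply[20:length], secret)
    return reply[4:20] == expected


def accounting_request(identifier, attrs, secret):
    """RFC 2866: the Request Authenticator of an Accounting-Request is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return packet(ACCOUNTING_REQUEST, identifier, auth, attrs)


def verify_accounting_request(pkt, secret):
    identifier, length = pkt[1], struct.unpack("!H", pkt[2:4])[0]
    return pkt == accounting_request(identifier, pkt[20:length], secret)


def demo(secret=b"radius-shared-key"):          # constructed shared key
    """Access-Request, verification of the Access-Accept, then the
    start-accounting request of step 4 above."""
    request_auth = os.urandom(16)
    attrs = (attribute(USER_NAME, b"localuser")
             + attribute(USER_PASSWORD, hide_password(b"localpass", secret, request_auth))
             + attribute(NAS_IDENTIFIER, b"Sysname"))
    access_request = packet(ACCESS_REQUEST, 7, request_auth, attrs)
    accept_attrs = attribute(USER_NAME, b"localuser")
    accept = packet(ACCESS_ACCEPT, 7, response_authenticator(
        ACCESS_ACCEPT, 7, request_auth, accept_attrs, secret), accept_attrs)
    forged = accept[:-1] + bytes([accept[-1] ^ 0x01])   # one attribute octet flipped
    acct = accounting_request(8, attribute(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
                              + attribute(USER_NAME, b"localuser"), secret)
    return {
        "password_roundtrip": reveal_password(
            hide_password(b"localpass", secret, request_auth), secret, request_auth),
        "accept_ok": verify_response(accept, request_auth, secret),
        "forged_ok": verify_response(forged, request_auth, secret),
        "wrong_key_ok": verify_response(accept, request_auth, b"wrong"),
        "acct_ok": verify_accounting_request(acct, secret),
        "request_len": len(access_request),
    }
```

Note that the Access-Request itself carries a random Request Authenticator rather than a keyed digest, so a plain RADIUS server cannot tell a forged request from a real one except through the hidden password; the Message-Authenticator attribute of RFC 3579 closes that gap and is worth requiring on servers that support it.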
2 AAA Configuration
AAA Configuration Task List
You need to configure AAA to provide network access services for legitimate users while protecting network devices and preventing unauthorized access and repudiation.
Task | Remarks
Creating an ISP Domain and Configuring Its Attributes | Required
Configuring separate AAA schemes | Required
Configuring an AAA Scheme for an ISP Domain | Required
With separate AAA schemes, you can specify authentication, authorization and accounting schemes respectively.
To do... | Use the command... | Remarks
Set the messenger function | messenger time { enable limit interval | disable } | Optional. By default, the messenger function is disabled.
Set the self-service server location function | self-service-url { disable | enable url-string } | Optional. By default, the self-service server location function is disabled.
To do... | Use the command... | Remarks
Configure an AAA scheme for the ISP domain | scheme { local | none | radius-scheme radius-scheme-name [ local ] } | Required. By default, an ISP domain uses the local AAA scheme. The none keyword admits every user of the domain without checking credentials; reserve it for testing.
To do... | Use the command... | Remarks
Configure an authentication scheme for the ISP domain | authentication { radius-scheme radius-scheme-name [ local ] | local | none } | Optional. By default, no separate authentication scheme is configured.
Currently, the switch supports the following two types of assigned VLAN IDs: integer and string.
- Integer: If the RADIUS authentication server assigns integer type VLAN IDs, you can set the VLAN assignment mode to integer on the switch (this is also the default mode on the switch).
The local users are users set on the switch, with each user uniquely identified by a username. To make a user who is requesting network service pass local authentication, you should add an entry in the local user database on the switch for the user.
- The following characters are not allowed in the user-name string: /:*?<>. And you cannot input more than one "@" in the string.
- After the local-user password-display-mode cipher-.
Task | Remarks
Creating a RADIUS Scheme | Required
Configuring RADIUS Authentication/Authorization Servers | Required
Configuring RADIUS Accounting Servers | Required
Configuring Shared Keys for RADIUS M.
creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting.
To do... | Use the command... | Remarks
Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system.
To do... | Use the command... | Remarks
Set the IP address and port number of the secondary RADIUS accounting server | secondary accounting ip-address [ port-number ] | Optional. By default, the IP address and UDP port number of the secondary accounting server are 0.
To do... | Use the command... | Remarks
Enter system view | system-view | —
Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system.
To do... | Use the command... | Remarks
Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system.
To do... | Use the command... | Remarks
Set the status of the secondary RADIUS authentication/authorization server | state secondary authentication { block | active }
Set the status of the secondary RA.
- Generally, the access users are named in the userid@isp-name format. Here, isp-name after the "@" character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old RADIUS servers cannot accept usernames that carry ISP domain names.
- If you adopt the local RADIUS server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this switch. Note that 1645/1646 are the legacy RADIUS ports; RFC 2865 and RFC 2866 assign 1812 (authentication) and 1813 (accounting), so when pointing a scheme at an external server, set the port numbers to whatever that server actually listens on.
To do... | Use the command... | Remarks
Set the response timeout time of RADIUS servers | timer response-timeout seconds | Optional. By default, the response timeout time of RADIUS servers is three seconds.
online when the user re-logs into the network before the CAMS performs online user detection, and the user cannot get authenticated. In this case, the user can access the network again only when the CAMS administrator manually removes the user's online information.
Displaying and Maintaining AAA Configuration
To do... | Use the command... | Remarks
Display configuration information about one specific or all ISP domai.
The configuration procedure for remote authentication of SSH users by a RADIUS server is similar to that for Telnet users. The following text only takes Telnet users as an example to describe the configuration procedure for remote authentication.
[Sysname-isp-cams] quit
# Configure a RADIUS scheme.
[Sysname] radius scheme cams
[Sysname-radius-cams] accounting optional
[Sysname-radius-cams] primary authentication 10.
[Sysname-ui-vty0-4] quit
# Create and configure a local user named telnet.
[Sysname] local-user telnet
[Sysname-luser-telnet] service-type telnet
[Sysname-luser-telnet] password simple aabbcc
[Sysname-luser-telnet] quit
# Configure an authentication scheme for the default "system" domain.
Note that password simple keeps the password in clear text in the configuration file, where anyone who can read or back up the configuration can see it.
- No RADIUS server IP address, or an incorrect one, is set on the switch: be sure to set a correct RADIUS server IP address.
- One or all AAA UDP port settings are incorrect: be sure to set the same UDP port numbers as those on the RADIUS server.
Figure 3-1 Typical network application of EAD
EAD Configuration
The EAD configuration includes:
- Configuring the attributes of access users (such as username, user type, and password).
- You are required to configure the switch to use a RADIUS server for remote user authentication and a security policy server for EAD control on users.
The following are the configuration tasks:
- Connect the RADIUS authentication server 10.110.
[Sysname-isp-system] radius-scheme cams
1 MAC Address Authentication Configuration
When configuring MAC address authentication, go to these sections for information you are interested in:
- MAC Address Authentication Overview
- Related.
format configured with the mac-authentication authmode usernameasmacaddress usernameformat command; otherwise, the authentication will fail.
- In fixed mode, all users' MAC addresses are automatically mapped to the configured local passwords and usernames.
To do... | Use the command... | Remarks
quit | — | —
Set the user name in MAC address mode for MAC address authentication | mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } { lowercase | uppercase } | fixedpassword password ] | Optional. By default, the MAC address of a user is used as the user name.
Task | Remarks
Configuring a Guest VLAN | Optional
Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port | Optional
Configuring a Guest VLAN
Different from the Guest VLANs described in the 802.
After a port is added to a Guest VLAN, the switch will re-authenticate the first access user of this port (namely, the first user whose unicast MAC address is learned by the switch) periodically. If this user passes the re-authentication, this port will exit the Guest VLAN, and thus the user can access the network normally.
- If more than one client is connected to a port, you cannot configure a Guest VLAN for this port.
- When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect.
- If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port.
# Set the user name in MAC address mode for MAC address authentication, requiring hyphenated lowercase MAC addresses as the usernames and passwords.
[Sysname] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase
# Add a local user.
In this mode the MAC address is both the identity and the credential, so the check identifies a device rather than proving anything about it: a host that sets its MAC address to one that is already allowed passes. Treat MAC address authentication as a convenience for devices that cannot run an 802.1x client, not as a substitute for it.
1 ARP Configuration
When configuring ARP, go to these sections for information you are interested in:
- Introduction to ARP
- Configuring ARP
- Configuring Gratuitous ARP
- Configuring ARP Sourc.
Figure 1-1 ARP message format (fields: Hardware type (16 bits); Protocol type (16 bits); Length of hardware address; Length of protocol address; Operator (16 bits); Hardware address of the s.)
Value | Description
5 | Chaos
6 | IEEE 802.X
7 | ARC network
ARP Table
In an Ethernet, the MAC addresses of two hosts must be available for the two hosts to communicate with each other. Each host in an Ethernet maintains an ARP table, where the latest used IP address-to-MAC address mapping entries are stored.
mode, all hosts on this subnet can receive the request, but only the requested host (namely, Host B) will process the request.
3) Host B compares its own IP address with the destination IP address in the ARP request.
- If they are not consistent, the ARP packet is considered invalid and the corresponding ARP entry is not learned.
Configuring ARP
Follow these steps to configure ARP basic functions:
To do...
The sending of gratuitous ARP packets is enabled as long as an S4500 switch operates. No command is needed for enabling this function. That is, the device sends gratuitous ARP packets whenever a.
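The ARP message format of Figure 1-1, the consistency check that refuses to learn from an invalid packet, the aging and static entries of the ARP table, and the gratuitous ARP announcements are tied together in the following added example. It is not code from the 3Com guide; the consistency rule modelled is "the sender hardware address in the ARP body must equal the Ethernet source address", the hosts, MAC addresses and aging value are constructed, and only Ethernet/IPv4 ARP is handled.

```python
import struct

ETHERTYPE_ARP = 0x0806
HARDWARE_TYPES = {1: "Ethernet", 5: "Chaos", 6: "IEEE 802 networks", 7: "ARC network"}
OPERATIONS = {1: "request", 2: "reply"}


def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Ethernet header followed by the 28-octet Ethernet/IPv4 ARP message."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa
    return eth_dst + eth_src + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_arp_frame(frame):
    """Return the fields of Figure 1-1 plus the Ethernet source address."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    hw_type, proto_type, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto_type, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    body = frame[22:42]
    return {"eth_src": frame[6:12], "hardware": HARDWARE_TYPES.get(hw_type, hw_type),
            "op": OPERATIONS.get(op, op),
            "sha": body[0:6], "spa": body[6:10], "tha": body[10:16], "tpa": body[16:20]}


def sender_mac_consistent(pkt):
    """The consistency check: the sender hardware address in the ARP body must
    equal the Ethernet source MAC, otherwise the packet is invalid."""
    return pkt["sha"] == pkt["eth_src"]


def is_gratuitous(pkt):
    """Gratuitous ARP: the sender announces its own address (sender IP equals
    target IP) so that neighbours refresh their entries and duplicates show up."""
    return pkt["spa"] == pkt["tpa"]


class ArpTable:
    """Dynamic entries age out after `aging` seconds; static entries never age
    and are not overwritten by learned ones."""

    def __init__(self, aging=1200):
        self.aging = aging
        self.entries = {}            # ip (bytes) -> (mac, expiry or None if static)

    def add_static(self, ip, mac):
        self.entries[ip] = (mac, None)

    def learn(self, pkt, now, check=True):
        """Learn from the sender fields. Returns True if an entry was created or
        refreshed, False if the packet was rejected or a static entry exists."""
        if check and not sender_mac_consistent(pkt):
            return False
        current = self.entries.get(pkt["spa"])
        if current is not None and current[1] is None:
            return False
        self.entries[pkt["spa"]] = (pkt["sha"], now + self.aging)
        return True

    def lookup(self, ip, now):
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, expiry = entry
        if expiry is not None and expiry <= now:
            del self.entries[ip]
            return None
        return mac


def demo():
    host_a, host_b, attacker = (bytes.fromhex(h) for h in
                                ("000000000a0a", "000000000b0b", "00000000bad0"))
    ip_a, ip_b = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 2])   # constructed
    table = ArpTable(aging=10)
    reply = parse_arp_frame(build_arp_frame(host_a, host_b, 2, host_b, ip_b, host_a, ip_a))
    learned = table.learn(reply, now=0)
    # Header/body mismatch: Ethernet source is the attacker, ARP body claims Host B.
    spoof = parse_arp_frame(build_arp_frame(host_a, attacker, 2, host_b, ip_b, host_a, ip_a))
    spoof_learned = table.learn(spoof, now=1)
    grat = parse_arp_frame(build_arp_frame(b"\xff" * 6, host_a, 1, host_a, ip_a, b"\x00" * 6, ip_a))
    return {"learned": learned, "mac_b": table.lookup(ip_b, now=5),
            "spoof_learned": spoof_learned, "gratuitous": is_gratuitous(grat),
            "aged_out": table.lookup(ip_b, now=11)}
```

The check only catches packets whose Ethernet header and ARP body disagree. A host that lies consistently (its own MAC in both places, someone else's IP as the sender address) still passes, which is why ARP poisoning is ultimately addressed by binding IP-to-MAC pairs from DHCP snooping or static configuration, not by this check alone.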
Configuration procedure
<Sysname> system-view
[Sysname] undo arp check enable
[Sysname] interface vlan 1
[Sysname-Vlan-interface1] undo gratuitous-arp period-resending enable
[Sysname-Vlan-interface1] quit
[Sysname] arp timer aging 10
[Sysname] arp static 192.
Note that undo arp check enable switches off the sender-MAC consistency check described above, so the switch will learn entries from ARP packets whose Ethernet header and ARP body disagree; leave the check enabled unless a device on the segment genuinely needs it off.
1 DHCP Overview
When configuring DHCP, go to these sections for information you are interested in:
- Introduction to DHCP
- DHCP IP Address Assignment
- DHCP Packet Format
- Protocol Specificatio.
- Automatic assignment. The DHCP server assigns IP addresses to DHCP clients. The IP addresses will be occupied by the DHCP clients permanently.
- Dynamic assignment. The DHCP server assigns IP addresses to DHCP clients for a predetermined period of time.
By default, a DHCP client updates its IP address lease automatically by unicasting a DHCP-REQUEST packet to the DHCP server when half of the lease time elapses. The DHCP server responds with a DHCP-ACK packet to notify the DHCP client of a new IP lease if the server can assign the same IP address to the client.
- file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP client.
- option: Optional variable-length fields, including packet type, valid lease time, IP address of a DNS server, and IP address of the WINS server.
2 DHCP Relay Agent Configuration
When configuring the DHCP relay agent, go to these sections for information you are interested in:
- Introduction to DHCP Relay Agent
- Configuring the DHCP Rela.
Figure 2-1 Typical DHCP relay agent application
In the process of dynamic IP address assignment through the DHCP relay agent, the DHCP client and DHCP server interoperate with each other in a similar way as they do without the DHCP relay agent.
Figure 2-2 Padding contents for sub-option 1 of Option 82
Figure 2-3 Padding contents for sub-option 2 of Option 82
Mechanism of Option 82 supported on the DHCP relay agent
The procedure for a DHCP .
If a switch belongs to an XRN fabric, you need to enable the UDP Helper function on it before configuring it as a DHCP relay agent.
DHCP Relay Agent Configuration Task List
Complete the followin.
To improve security and avoid malicious attacks on the unused sockets, S4500 Ethernet switches provide the following functions:
- UDP 67 and UDP 68 ports used by DHCP are enabled only when DHCP is enabled.
- UDP 67 and UDP 68 ports are disabled when DHCP is disabled.
To do... | Use the command... | Remarks
Create a static IP-to-MAC binding | dhcp-security static ip-address mac-address | Optional. Not created by default.
Enter interface view | interface interface-type interface-number | —
Enable the address checking function | address-check enable | Required. Disabled by default.
Currently, the DHCP relay agent handshake function on an S4500 series switch can only interoperate with a Windows 2000 DHCP server.
Enabling unauthorized DHCP server detection
If there is an una.
To do... | Use the command... | Remarks
Enable Option 82 support on the DHCP relay agent | dhcp relay information enable | Required. Disabled by default.
Configure the strategy for the DHCP relay agent to .
Network diagram
Figure 2-4 Network diagram for DHCP relay agent (figure labels: Switch B, DHCP server; Switch A, DHCP relay; DHCP client (four); Vlan-int2 10.1.1.2/24; Vlan-int1 10.10.1.1/24; Vlan-int2 10.1.1.1/24)
Configuration procedure
# Create DHCP server group 1 and configure an IP address of 10.
- Check whether an address pool on the same network segment as the DHCP clients is configured on the DHCP server.
- Check whether a reachable route is configured between the DHCP relay agent and the DHCP server.
3 DHCP Snooping Configuration
When configuring DHCP snooping, go to these sections for information you are interested in:
- DHCP Snooping Overview
- Configuring DHCP Snooping
- Displaying and Mai.
Figure 3-1 Typical network diagram for DHCP snooping application
DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers.
Figure 3-3 Extended format of the remote ID sub-option
In practice, some network devices do not support the type and length identifiers of the Circuit ID and Remote ID sub-options. To interwork with these devices, S4500 Series Ethernet Switches support Option 82 in the standard format.
When receiving a DHCP client's request without Option 82, the DHCP snooping device will add the option field with the configured sub-option and then forward the packet.
- If an S4500 Ethernet switch is enabled with DHCP snooping, the clients connected to it cannot dynamically obtain IP addresses through BOOTP.
- You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. Trust only the ports that lead to the legitimate servers: a user-facing port marked trusted lets any host on it answer client requests, which defeats the protection against rogue servers.
3-6 Configuring a handling policy for DHCP packets with Option 82 Follow these steps to co nfigure a handling policy for DHCP packet s with Option 82: To do… Use the command… Remarks Enter syst em.
3-7 To do… Use the command… Remarks Enter Ethernet port view interface interface-type interface-number — Configure the circuit ID sub-option in Option 82 dhcp-snooping information [ vlan vlan-id.
3-8 z If you configure a remote ID sub-option in b oth system view and on a port , the remote ID sub-option configured on the port applie s when the port receives a packet, and the glob al remote ID applies to other interfaces that have no remote ID sub-option configured.
3-9 z Enable DHCP-snooping Option 82 support on the switch and set the remote ID field in Option 82 to the system name of the switch. Set the circuit ID sub-option to abcd in DHCP packets from VLAN 1 on Ethernet 1/0/3.
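The DHCP snooping behaviour described in this chapter (trusted ports, the IP-to-MAC binding table used by address checking, Option 82 insertion with circuit ID and remote ID sub-options, and the handling policy for requests that already carry Option 82) as a small model in Python. This is an added example, not 3Com code. It assumes a reduced DHCP message (message type, client MAC, assigned address, Option 82 bytes), builds only the standard TLV Option 82 format of RFC 3046 (the vendor extended format is not modelled), and uses drop/keep/replace as placeholder names for the handling-policy keywords; the "vlan:port" circuit ID used when no per-port value is set is also an assumption.

```python
"""DHCP snooping with Option 82, modelled as the chapter describes it.
Added example, not 3Com code. Assumptions: a DHCP message is reduced to
a few fields; the handling-policy keywords drop/keep/replace and the
default circuit-ID text are placeholders; only the standard TLV Option 82
format (RFC 3046) is built, not the vendor extended format."""
from dataclasses import dataclass, field
from typing import Optional

OPTION_82 = 82
SUBOPT_CIRCUIT_ID = 1   # RFC 3046 Agent Circuit ID
SUBOPT_REMOTE_ID = 2    # RFC 3046 Agent Remote ID

# DHCP message types (RFC 2132 option 53)
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MSGS = {OFFER, ACK, NAK}


def encode_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Standard format: option code, length, then two TLV sub-options."""
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPTION_82, len(body)]) + body


def decode_option82(raw: bytes) -> dict:
    """Parse the sub-option TLVs; rejects bad outer or inner lengths."""
    if len(raw) < 2 or raw[0] != OPTION_82 or raw[1] != len(raw) - 2:
        raise ValueError("not a well-formed Option 82")
    out, i = {}, 2
    while i < len(raw):
        if i + 2 > len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated sub-option")
        length = raw[i + 1]
        out[raw[i]] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return out


@dataclass
class Dhcp:
    msg_type: int
    chaddr: str                  # client hardware (MAC) address
    yiaddr: str = "0.0.0.0"      # address the server assigns (in OFFER/ACK)
    option82: Optional[bytes] = None


@dataclass
class SnoopingSwitch:
    trusted_ports: set
    strategy: str = "replace"    # assumed keywords: drop | keep | replace
    remote_id: bytes = b"Sysname"                     # e.g. the system name
    circuit_ids: dict = field(default_factory=dict)   # (port, vlan) -> bytes
    bindings: dict = field(default_factory=dict)      # client MAC -> IP

    def circuit_id_for(self, port: str, vlan: int) -> bytes:
        # Per-port setting wins; otherwise an assumed "vlan:port" placeholder.
        return self.circuit_ids.get((port, vlan), f"{vlan}:{port}".encode())

    def process(self, pkt: Dhcp, in_port: str, vlan: int) -> Optional[Dhcp]:
        """Return the packet to forward, or None when snooping drops it."""
        if pkt.msg_type in SERVER_MSGS:
            if in_port not in self.trusted_ports:
                return None        # server reply on an untrusted port: rogue server
            if pkt.msg_type == ACK:
                self.bindings[pkt.chaddr] = pkt.yiaddr   # learn IP-to-MAC binding
            return pkt
        # Client message: Option 82 handling.
        ours = encode_option82(self.circuit_id_for(in_port, vlan), self.remote_id)
        if pkt.option82 is None:
            pkt.option82 = ours    # no Option 82 yet: add it and forward
        elif self.strategy == "drop":
            return None            # already carries Option 82: drop
        elif self.strategy == "replace":
            pkt.option82 = ours    # overwrite whatever the client sent
        # "keep": forward the existing Option 82 unchanged
        return pkt

    def address_check(self, src_ip: str, src_mac: str) -> bool:
        """Interface address checking: forward only if the source IP/MAC pair
        matches a learned or static binding."""
        return self.bindings.get(src_mac) == src_ip
```

The replace policy is the one to reach for on an access switch: a client that forges its own Option 82 cannot then claim a different port or VLAN towards the server, and the binding learned from the ACK is what address checking later enforces on that interface.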
4-1 4 DHCP/BOOTP Client Configuration. When configuring the DHCP/BOOTP client, go to these sections for information you are interested in: • Introduction to DHCP Client • Introduction to BOOTP Client .
4-2 Configuring a DHCP/BOOTP Client. Follow these steps to configure a DHCP/BOOTP client:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter VLAN interface view | interface v.
4-3 Network diagram. Figure 4-1 A DHCP network. Configuration procedure. The following describes only the configuration on Switch A serving as a DHCP client.
i Table of Contents 1 ACL Configuration
1-1 1 ACL Configuration. When configuring ACLs, go to these sections for information you are interested in: • ACL Overview • ACL Configuration Task List • Displaying and Maintaining ACL Configuration.
1-2 Depth-first match order for rules of a basic ACL: 1) Range of source IP address: the smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority. 2) Fragment keyword: a rule with the fragment keyword takes precedence over others.
1-3
• Referenced by routing policies
• Used to control Telnet, SNMP and Web login users
• When an ACL is directly applied to hardware for packet filtering, the switch permits packets that do not match the ACL. There is no implicit deny: to allow only listed sources, end the ACL with a rule that denies all other traffic.
1-4 An absolute time range on the Switch 4500 series can be within the range 1970/1/1 00:00 to 2100/12/31 24:00. Configuration procedure. Follow these steps to configure a time range: To do.
1-5
<Sysname> system-view
[Sysname] time-range test from 15:00 1/28/2006 to 15:00 1/28/2008
[Sysname] display time-range test
Current time is 13:30:32 Apr/16/2005 Saturday
Time-range : test ( Inactive )
From 15:00 Jan/28/2006 to 15:00 Jan/28/2008
Configuring Basic ACL. A basic ACL filters packets based on their source IP addresses.
1-6 Configuration example # Configure ACL 2000 to deny packets whose source IP address is 192.168.0.1.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 192.168.0.1 0
# Display the configuration information of ACL 2000.
1-7 Note that:
• With the config match order specified for the advanced ACL, you can modify any existing rule; the unmodified part of the rule remains. With the auto match order specified for the ACL, you cannot modify any existing rule; otherwise the system prompts error information.
1-8
To do... | Use the command... | Remarks
Define an ACL rule | rule [ rule-id ] { permit | deny } rule-string | Required. For information about rule-string, refer to ACL Commands.
1-9
To do... | Use the command... | Remarks
Enter system view | system-view | —
Create a user-defined ACL and enter user-defined ACL view | acl number acl-number | Required
Define an ACL rule | rule [ rule-id ].
1-10
Acl's step is 1
rule 0 deny 06 ff 27
Applying ACL Rules on Ports. By applying ACL rules on ports, you can filter packets on the corresponding ports.
1-11 Configuration procedure. Follow these steps to apply ACL rules to ports in a VLAN:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Apply ACL rules to ports in a VLAN | packet-filter vlan vlan-id { inbound | outbound } acl-rule | Required. For information about acl-rule, refer to ACL Commands.
1-12 Configuration procedure # Define ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] quit
# Reference ACL 2000 on the VTY user interface to control Telnet login users.
1-13 Network diagram. Figure 1-3 Network diagram for basic ACL configuration. Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 every day.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 daily
# Define ACL 2000 to filter packets with the source IP address of 10.
1-14 Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 on working days (the command below uses working-day, not daily).
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 working-day
# Define ACL 3000 to filter packets destined for the wage query server.
1-15 User-defined ACL Configuration Example. Network requirements. As shown in Figure 1-6, PC 1 and PC 2 are connected to the switch through Ethernet 1/0/1 and Ethernet 1/0/2 respectively. They belong to VLAN 1 and access the Internet through the same gateway, which has an IP address of 192.
1-16 Network diagram. Figure 1-7 Network diagram for applying an ACL to a VLAN (labels in the figure: Eth1/0/1, PC 1; Eth1/0/2, PC 2; Eth1/0/3, PC 3; database server 192.168.1.2; VLAN 10). Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 on working days.
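The basic ACL semantics this chapter describes (wildcard-mask source matching, config versus auto (depth-first) match order, the fragment keyword, periodic and absolute time ranges, and permit-by-default for unmatched packets) carried through as an added Python example that is not 3Com code. It assumes that a time range with both periodic and absolute parts is active only when both hold, that a rule referencing an undefined time range is inactive, and that a rule with the fragment keyword matches fragments only; rule and time-range names are placeholders taken from the examples above.

```python
"""Basic ACL evaluation as the chapter describes it: wildcard-mask source
matching, config vs auto (depth-first) match order, the fragment keyword,
time ranges, and permit-by-default for unmatched packets. Added example,
not 3Com code. Assumptions: a time range with both periodic and absolute
parts is active only when both hold; a rule naming an undefined time range
is inactive; a 'fragment' rule matches fragments only."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional


def _wildcard(w: str) -> str:
    return "0.0.0.0" if w == "0" else w          # CLI shorthand "0" = exact host


def ip_matches(addr: str, rule_ip: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard mask means 'don't care'."""
    a, r, w = (int(IPv4Address(x)) for x in (addr, rule_ip, _wildcard(wildcard)))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (r & care)


def wildcard_zero_bits(wildcard: str) -> int:
    """More zeros = smaller address range = higher depth-first priority."""
    return 32 - bin(int(IPv4Address(_wildcard(wildcard)))).count("1")


@dataclass
class TimeRange:
    periodic: list = field(default_factory=list)   # ("HH:MM", "HH:MM", "daily"|"working-day")
    absolute: list = field(default_factory=list)   # (datetime from, datetime to)

    def active(self, now: datetime) -> bool:
        if self.absolute and not any(f <= now <= t for f, t in self.absolute):
            return False
        if not self.periodic:
            return True
        hhmm = now.strftime("%H:%M")
        for start, end, days in self.periodic:
            if days == "working-day" and now.weekday() > 4:   # Saturday/Sunday excluded
                continue
            if start <= hhmm <= end:
                return True
        return False


@dataclass
class Rule:
    rule_id: int
    action: str                          # "permit" | "deny"
    source: str = "0.0.0.0"
    wildcard: str = "255.255.255.255"    # default: any source
    fragment: bool = False
    time_range: Optional[str] = None


class BasicAcl:
    def __init__(self, number: int, match_order: str = "config"):
        self.number, self.match_order, self.rules = number, match_order, []

    def rule(self, r: Rule) -> None:
        self.rules.append(r)

    def ordered(self) -> list:
        if self.match_order == "config":
            return list(self.rules)               # in the order configured
        # auto = depth-first: smaller source range first, then fragment rules first
        return sorted(self.rules, key=lambda r: (-wildcard_zero_bits(r.wildcard),
                                                 not r.fragment, r.rule_id))

    def filter(self, src_ip: str, is_fragment: bool = False,
               now: Optional[datetime] = None,
               time_ranges: Optional[dict] = None) -> str:
        """First matching active rule decides. A packet matching no rule is
        permitted, as the chapter states for hardware packet filtering, so an
        allow-list needs an explicit final deny rule."""
        for r in self.ordered():
            if r.time_range:
                tr = (time_ranges or {}).get(r.time_range)
                if tr is None or now is None or not tr.active(now):
                    continue                      # inactive rule is skipped
            if r.fragment and not is_fragment:
                continue
            if ip_matches(src_ip, r.source, r.wildcard):
                return r.action
        return "permit"
```

With the config order, the host-specific deny placed after a broad permit never fires; with the auto order the switch reorders it in front, which is the difference the match-order note above is warning about.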
i Table of Contents 1 QoS Configuration
1-1 1 QoS Configuration. When configuring QoS, go to these sections for information you are interested in: • Overview • QoS Supported By Switch 4500 Series • QoS Configuration • Displaying and Maintaining QoS • QoS Configuration Examples. Overview. Introduction to QoS. Quality of Service (QoS) is a concept concerning service demand and supply.
1-2 and VoD. As for other applications, such as transaction processing and Telnet, although bandwidth is not as critical, too long a delay may cause unexpected results. That is, they need to be serviced in time even if congestion occurs. Newly emerging applications demand higher service performance from IP networks.
1-3 QoS Supported By Switch 4500 Series. The Switch 4500 series supports the QoS features listed in Table 1-1:
Table 1-1 QoS features supported by Switch 4500 series
QoS Feature | Description | Refer to…
Traffic classification | Classify incoming traffic based on ACLs.
1-4 protocol or the port number of an application. Normally, traffic classification is done by checking the information carried in the packet header; the packet payload is rarely used for traffic classification. The identifying rule is unlimited in range.
1-5
• Assured forwarding (AF) class: this class is further divided into four subclasses (AF1/2/3/4), and each subclass is further divided into three drop priorities, so the AF service level can be segmented.
1-6 2) 802.1p priority. The 802.1p priority lies in the Layer 2 packet header and is applicable where the Layer 3 packet header does not need analysis but QoS must be assured at Layer 2. Figure 1-3 An Ethernet frame with an 802.1Q tag header. As shown in the figure above, the 4-byte 802.
1-7 Priority trust mode. After a packet enters a switch, the switch sets the 802.1p priority and local precedence for the packet according to its own capability and the corresponding rules. 1) For a packet carrying no 802.1q tag. When a packet carrying no 802.
1-8 Priority Marking. The priority marking function reassigns priority for the traffic matching an ACL referenced for traffic classification.
• If 802.1p priority marking is configured, the traffic is mapped to the local precedence corresponding to the re-marked 802.
1-9 enough to forward the packets, the traffic conforms to the specification; otherwise, the traffic is nonconforming or excess. Parameters concerning the token bucket include:
• Average rate: the rate at which tokens are put into the bucket, namely the permitted average rate of the traffic.
1-10 The Switch 4500 series supports three queue scheduling algorithms: Strict Priority (SP) queuing, Weighted Fair Queuing (WFQ), and Weighted Round Robin (WRR) queuing. 1) SP queuing. Figure 1-6 Diagram for SP queuing. The SP queue-scheduling algorithm is specially designed for critical service applications.
1-11 Figure 1-7 Diagram for WFQ queuing. Before WFQ is introduced, you must understand fair queuing (FQ) first. FQ is designed for the purpose of sharing network resources fairly and optimizing the delay and delay jitter of all the flows.
1-12 Figure 1-8 Diagram for WRR queuing. The WRR queue-scheduling algorithm schedules all the queues in turn, and every queue can be assured of a certain service time.
1-13 In the WRED algorithm, an upper limit and a lower limit are set for each queue, and the packets in a queue are processed as follows.
• When the current queue length is smaller than the lower lim.
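An added Python model (not 3Com code) of the two congestion-management mechanisms described above: WRED deciding at enqueue time whether to drop early, and SP or WRR deciding which queue is served next. It assumes the usual WRED drop curve (no drops below the lower limit, a linear rise to the configured probability at the upper limit, all drops above it), treats WRR weights as packets per round, and takes its random numbers from an injectable source so the drop decisions can be checked; queue indexes, weights and thresholds in the usage are made up.

```python
"""Output-queue model from the QoS chapter: WRED decides at enqueue time
whether to drop, then SP or WRR decides which queue is served next.
Added example, not 3Com code. Assumptions: the WRED drop curve is zero below
the lower limit (qstart), rises linearly to 'probability' at the upper limit
and is 1 above it; WRR weights are packets per round; the random source is
injectable so the behaviour can be checked deterministically."""
from collections import deque
import random


class FixedRng:
    """Deterministic stand-in for the random module, for reproducible runs."""
    def __init__(self, value: float):
        self.value = value

    def random(self) -> float:
        return self.value


class Queue:
    def __init__(self, index, weight=1, qstart=None, qmax=None, probability=0.0):
        self.index, self.weight = index, weight          # higher index = more urgent
        self.qstart, self.qmax, self.probability = qstart, qmax, probability
        self.pkts = deque()

    def wred_drop_probability(self) -> float:
        """Drop probability for the next arriving packet at the current length."""
        if self.qstart is None:
            return 0.0                                   # WRED not configured
        n = len(self.pkts)
        if n < self.qstart:
            return 0.0                                   # below lower limit: never drop
        if n >= self.qmax:
            return 1.0                                   # at/above upper limit: always drop
        return self.probability * (n - self.qstart) / (self.qmax - self.qstart)

    def enqueue(self, pkt, rng=random) -> bool:
        """Returns False when WRED drops the packet early."""
        if rng.random() < self.wred_drop_probability():
            return False
        self.pkts.append(pkt)
        return True


def sp_dequeue(queues):
    """Strict priority: always serve the highest-index non-empty queue, so a
    busy high-priority queue can starve the lower ones."""
    for q in sorted(queues, key=lambda q: q.index, reverse=True):
        if q.pkts:
            return q.pkts.popleft()
    return None


def wrr_dequeue(queues, n):
    """Weighted round robin: visit the queues in turn, each gets up to 'weight'
    packets per round; returns the next n packets served."""
    out = []
    while len(out) < n and any(q.pkts for q in queues):
        for q in queues:
            for _ in range(q.weight):
                if q.pkts and len(out) < n:
                    out.append(q.pkts.popleft())
    return out
```

The starvation property of SP is the reason the chapter reserves it for critical traffic: anything an attacker can get marked into the top queue is served before everything else.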
1-14 Configuration procedure. Follow these steps to configure the port to trust port priority:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter Ethernet port view | interface interfa.
1-15 Configuration procedure. Follow these steps to configure the mapping between 802.1p priority and local precedence:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure the mapping between 802.
1-16 Configuration example
• Set the IP precedence of ICMP packets to 3.
• Display the configuration.
Configuration procedure:
<Sysname> system-view
[Sysname] protocol-priority protocol-type icm.
1-17
To do… | Use the command… | Remarks
Enter system view | system-view | —
Mark the priorities for the packets belonging to a VLAN and matching specific ACL rules | traffic-priority vlan vlan-id { in.
1-18
To do… | Use the command… | Remarks
Configure traffic policing | traffic-limit inbound acl-rule [ union-effect ] target-rate [ burst-bucket burst-bucket-size ] [ exceed action ] | Required. Specify a committed information rate (CIR) for the target-rate argument, and a committed burst size (CBS) for the burst-bucket-size argument.
1-19
To do… | Use the command… | Remarks
Configure line rate | line-rate { inbound | outbound } target-rate [ burst-bucket burst-bucket-size ] | Required. Specify a committed information rate (CIR) for the target-rate argument, and a committed burst size (CBS) for the burst-bucket-size argument.
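The token bucket behind both traffic-limit (policing of ACL-classified traffic) and line-rate (all traffic on a port), as an added Python example that is not 3Com code: tokens arrive at the CIR, the bucket holds at most the CBS, a packet conforms if enough tokens are present and is otherwise subject to the exceed action. It assumes drop and remark as the two exceed actions, a bucket that starts full, and timestamps supplied by the caller so the result is deterministic; the packet trace in the test is constructed.

```python
"""Token-bucket traffic policing as the QoS chapter describes it: tokens
arrive at the CIR, the bucket holds at most CBS bytes, a packet conforms
if enough tokens are present. Added example, not 3Com code. Assumptions:
the bucket starts full, exceed actions are 'drop' or 'remark', and packet
timestamps are supplied by the caller (seconds)."""


class TokenBucket:
    def __init__(self, cir_kbps: int, cbs_bytes: int):
        self.rate = cir_kbps * 1000 / 8      # token arrival rate in bytes per second
        self.capacity = cbs_bytes            # CBS: the largest burst that can conform
        self.tokens = float(cbs_bytes)       # assumption: bucket starts full
        self.last = 0.0

    def _refill(self, now: float) -> None:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def conforms(self, size: int, now: float) -> bool:
        """Consume 'size' tokens if available; a packet larger than the
        remaining tokens is nonconforming and consumes nothing."""
        self._refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def police(packets, cir_kbps: int, cbs_bytes: int, exceed: str = "drop"):
    """packets: iterable of (timestamp_s, size_bytes). Returns a list of
    (timestamp, size, verdict) with verdict 'forward' for conforming packets
    and the exceed action ('drop' or 'remark') for the rest."""
    tb = TokenBucket(cir_kbps, cbs_bytes)
    return [(t, size, "forward" if tb.conforms(size, t) else exceed)
            for t, size in packets]


def forwarded_bytes(result) -> int:
    return sum(size for _, size, verdict in result if verdict == "forward")
```

Policing is what keeps a single host that floods the uplink from taking the whole CIR; note that a CBS smaller than the largest frame on the link makes that frame nonconforming forever, since no refill can ever cover it.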
1-20 Configuration procedure. Follow these steps to configure queue scheduling in system view:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure queue scheduling | queue-.
1-21
• The queue scheduling algorithm specified with the queue-scheduler command in system view takes effect on all the ports. The queue scheduling algorithm configured in port view must be the same as that configured in system view; otherwise, the system prompts configuration errors.
1-22
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Configure WRED | wred queue-index qstart probability | Required. By default, WRED is not configured.
1-23 For information about the mirroring-group monitor-port command and the monitor-port command, refer to the part on mirroring. Configuration example. Network requirements:
• Ethernet 1/0/1 is connected to the 10.1.1.0/24 network segment.
1-24 QoS Configuration Examples. Configuration Example of Traffic Policing and Line Rate. Network requirements. An enterprise network connects all the departments through an Ethernet switch. PC 1, with the IP address 192.168.0.1, belongs to the R&D department and is connected to Ethernet 1/0/1 of the switch.
1-25 Configuration Example of Priority Marking and Queue Scheduling. Network requirements. As shown in Figure 1-10, an enterprise network connects all the departments through an Ethernet switch. Clients PC 1 through PC 3 are connected to Ethernet 1/0/1 of the switch; clients PC 4 through PC 6 are connected to Ethernet 1/0/3 of the switch.
1-26
[Sysname-Ethernet1/0/2] traffic-priority inbound ip-group 3000 rule 1 local-precedence 3
[Sysname-Ethernet1/0/2] traffic-priority inbound ip-group 3000 rule 2 local-precedence 2
[Sysname-Ethernet1/0/2] quit
3) Configure queue scheduling # Apply the SP queue scheduling algorithm.
1-27 Configuration procedure # Create customer VLANs VLAN 100 and VLAN 200 and service VLANs VLAN 500 and VLAN 600 on Switch A.
<SwitchA> system-view
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[S.
1-28 # Configure VLAN mapping on Ethernet 1/0/11 to replace VLAN tag 100 with VLAN tag 500.
[SwitchA] interface Ethernet 1/0/11
[SwitchA-Ethernet1/0/11] traffic-remark-vlanid inbound link-group 4000 remark-vlan 500
[SwitchA-Ethernet1/0/11] quit
# Configure VLAN mapping on Ethernet 1/0/12 to replace VLAN tag 200 with VLAN tag 600.
i Table of Contents 1 Mirroring Configuration
1-1 1 Mirroring Configuration. When configuring mirroring, go to these sections for information you are interested in: • Mirroring Overview • Mirroring Configuration • Displaying and Maintaining Por.
1-2 Remote Port Mirroring. Remote port mirroring does not require the source and destination ports to be on the same device. The source and destination ports can be located on multiple devices across the network. This allows an administrator to monitor traffic on remote devices conveniently.
1-3
Switch | Ports involved | Function
Intermediate switch | Trunk port | Sends mirrored packets to the destination switch. Two trunk ports are necessary for the intermediate switch to connect the devices at the source switch side and the destination switch side.
1-4 Configuring Local Port Mirroring. Configuration prerequisites
• The source port is determined, and the direction in which the packets are to be mirrored is determined.
1-5 Configuration on a switch acting as a source switch. 1) Configuration prerequisites
• The source port, the reflector port, and the remote-probe VLAN are determined.
• Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN.
1-6 cannot be configured with functions like VLAN-VPN, port loopback detection, packet filtering, QoS, port security, and so on.
• You cannot modify the duplex mode, port rate, and MDI attribute of a reflector port.
• Only an existing static VLAN can be configured as the remote-probe VLAN.
1-7
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a VLAN and enter VLAN view | vlan vlan-id | vlan-id is the ID of the remote-probe VLAN.
1-8 Mirroring Configuration Examples. Local Port Mirroring Configuration Example. Network requirements. The departments of a company connect to each other through Switch 4500 series switches:
• The Research and Development (R&D) department is connected to Switch C through Ethernet 1/0/1.
1-9
Ethernet1/0/1 both
Ethernet1/0/2 both
monitor port: Ethernet1/0/3
After the configurations, you can monitor all packets received on and sent from the R&D department and the marketing department on the data detection device.
1-10 Configuration procedure 1) Configure the source switch (Switch A) # Create remote source mirroring group 1.
<Sysname> system-view
[Sysname] mirroring-group 1 remote-source
# Configure VLAN 10 as the remote-probe VLAN.
1-11
[Sysname-Ethernet1/0/2] port trunk permit vlan 10
3) Configure the destination switch (Switch C) # Create remote destination mirroring group 1.
<Sysname> system-view
[Sysname] mirroring-group 1 remote-destination
# Configure VLAN 10 as the remote-probe VLAN.
i Table of Contents 1 XRN Fabric Configuration
1-1 1 XRN Fabric Configuration. When configuring an XRN fabric, go to these sections for information you are interested in: • Introduction to XRN • XRN Fabric Configuration • Displaying and Maintaining .
1-2 Figure 1-2 Port connection mode for Switch 4500 series bus topology XRN fabric (front-panel legend text in the figure: Mode Green=Speed, Yellow=Duplex; RPS; PWR; Console; Unit; 1000Base-X; Speed: Green=100Mbps, Yellow=10Mbps; port numbers 1 to 5).
1-3
• The number of existing devices in the fabric has not reached the maximum number of devices allowed by the fabric (up to eight devices can form a fabric).
• The fabric name of the device and that of the existing devices in the fabric are the same.
• The software version of the device is the same as that of the existing devices in the fabric.
1-4 (continued table) Status | Analysis | Solution
Analysis: of the fabric are not the same, or the password configured does not match. Solution: passwords for the local device and the fabric as the same.
How XRN Works. When a fabric is established, the devices determine their respective roles in the fabric by comparing their CPU MAC addresses.
1-5
Task | Remarks
Fabric
Setting a Unit ID for a Switch | Optional
Assigning a Unit Name to a Switch | Optional
Assigning an XRN Fabric Name to a Switch | Optional
Setting the XRN Fabric Authentication Mode | Optional
Specifying the Fabric Port of a Switch. You can specify the fabric port of a switch in either system view or Ethernet interface view.
1-6
• Establishing an XRN system requires high consistency of the configuration of each device. Hence, before you enable the fabric port, do not perform any configuration for the port, and do not configure functions that affect XRN on other ports or globally.
1-7 Setting a Unit ID for a Switch. On switches that support automatic numbering, FTM automatically numbers the switches that constitute an XRN fabric by default, so that each switch has a unique unit ID in the fabric. You can use the command in the following table to set unit IDs for switches.
1-8
• If auto-numbering is selected, the system sets the unit priority to 10. You can use the fabric save-unit-id command to save the modified unit ID into the unit's Flash memory and clear the information about the existing one. Priority is the reference for the FTM program to perform automatic numbering.
1-9
To do… | Use the command… | Remarks
Enter system view | system-view | —
Set the XRN fabric authentication mode for the switch | xrn-fabric authentication-mode { simple password | md5 key } | Optional. By default, no authentication mode is set on a switch, so any device that meets the fabric-name and software-version conditions above can join the fabric; set an authentication mode before connecting fabric ports to anything you do not control.
1-10 Network Diagram. Figure 1-3 Network diagram for forming an XRN fabric. Configuration Procedure 1) Configure Switch A. # Configure fabric ports.
<Sysname> system-view
[Sysname] fabric-port GigabitEthernet1/0/25 enable
# Configure the unit name as Unit 1.
1-11 # Configure the unit name as Unit 3.
[Sysname] set unit 1 name unit3
# Configure the fabric name as hello.
[Sysname] sysname hello
# Configure the fabric authentication mode as simple and the password as welcome.
[hello] xrn-fabric authentication-mode simple welcome
4) Configure Switch D.
i Table of Contents 1 Cluster
1-1 1 Cluster. When configuring a cluster, go to these sections for information you are interested in: • Cluster Overview • Cluster Configuration Task List • Displaying and Maintaining Cluster Configuration • Cluster Configuration Examples. Cluster Overview. Introduction to HGMP. A cluster contains a group of switches.
1-2 Figure 1-1 A cluster implementation. HGMP V2 has the following advantages:
• It eases the configuration and management of multiple switches: you just need to configure a public IP address for t.
1-3 Table 1-1 Description of cluster roles
Role | Configuration | Function
Management device | Configured with an external IP address | • Provides an interface for managing all the switches in a cluster • Manages member devices through command redirection, that is, it forwards the commands intended for specific member devices.
1-4
• A candidate device becomes a member device after being added to a cluster.
• A member device becomes a candidate device after it is removed from the cluster.
• A management device becomes a candidate device only after the cluster is removed.
1-5 packet data. The receiving devices store the information carried in the NDP packet in the NDP table but do not forward the NDP packet. When they receive another NDP packet, if the informatio.
1-6
• To implement NTDP, you need to enable NTDP both globally and on specific ports on the management device, and configure NTDP parameters.
• On member/candidate devices, you only need to enable NTDP globally and on specific ports.
• Member and candidate devices adopt the NTDP settings of the management device.
1-7 Figure 1-3 State machine of the connection between the management device and a member device (transitions labelled in the figure: "Receives the handshake or management packets"; "Fails to receive handshake packets in three consecutive i.").
1-8
• Enabling the management packets (including NDP packets, NTDP packets, and handshake packets) to be transmitted in the management VLAN only, through which the management packets are isolated from other packets and network security is improved.
1-9 the downstream switch compares its own MAC address with the destination MAC address carried in the multicast packet:
• If the two MAC addresses are the same, the downstream switch sends a response to the switch that issued the tracemac command, indicating the success of the tracemac command.
1-10
Task | Remarks
Enabling NDP globally and on specific ports | Required
Configuring NDP-related parameters | Optional
Enabling NTDP globally and on a specific port | Required
Configuring NTDP-related p.
1-11 Configuring NDP-related parameters. Follow these steps to configure NDP-related parameters:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure the holdtime of NDP information | ndp timer aging aging-in-seconds | Optional. By default, the holdtime of NDP information is 180 seconds.
1-12
To do… | Use the command… | Remarks
Launch topology information collection manually | ntdp explore | Optional
Enabling the cluster function. Follow these steps to enable the cluster function: To do.
1-13 2) Establish a cluster in automatic mode. Follow these steps to establish a cluster in automatic mode:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter cluster view .
1-14
• The cluster switches are properly connected;
• The shared servers are properly connected to the management switch.
2) Configuration procedure. Follow these steps to configure the network ma.
1-15 To reduce the risk of attacks by malicious users against open sockets and to enhance switch security, the Switch 4500 series Ethernet switches provide the following functions, so that a .
1-16
To do… | Use the command… | Remarks
Enter Ethernet port view | interface interface-type interface-number | —
Enable NTDP on the port | ntdp enable | Required
Enabling the cluster function. Follow these .
1-17
To do… | Use the command… | Remarks
Return to system view | quit | —
Return to user view | quit | —
Switch between management device and member device | cluster switch-to { member-number | mac-address H-H-H | administrator } | Optional. You can use this command to switch to the view of a member device and switch back.
1-18 Configuring the enhanced cluster features. Complete the following tasks to configure the enhanced cluster features:
Task | Remarks
Configuring cluster topology management function | Required
Config.
1-19 If the management device of a cluster is a slave device in an XRN fabric, the standard topology information is saved only to the local Flash of the master device in the XRN fabric.
1-20
• NDP and NTDP have been enabled on the management device and member devices, and NDP- and NTDP-related parameters have been configured.
• A cluster is established, and you can manage the member devices through the management device.
1-21
• The MIB view name is mib_a, which includes all objects of the subtree org.
• The SNMPv3 user is user_a, which belongs to the group group_a.
# Create a community with the name read_a, allowing read-only access using this community name.
1-22
snmp-agent community read read_a@cm0
snmp-agent community write write_a@cm0
snmp-agent sys-info version all
snmp-agent group v3 group_a
snmp-agent mib-view included mib_a org
snmp-agent usm-user .
1-23
• Perform the above operations on the management device of the cluster.
• Creating a public local user is equivalent to executing these configurations on both the management device and the member.
1-24 Cluster Configuration Examples. Basic Cluster Configuration Example. Network requirements. Three switches compose a cluster, where:
• A Switch 4500 series switch serves as the management device.
• The rest are member devices.
Serving as the management device, the Switch 4500 switch manages the two member devices.
1-25
[Sysname] ntdp enable
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] ntdp enable
[Sysname-Ethernet1/0/1] quit
# Enable the cluster function.
[Sysname] cluster enable
2) Configure the management device # Add port Ethernet 1/0/1 to VLAN 2.
1-26 # Set the delay for a member device to forward topology collection requests to 150 ms.
[Sysname] ntdp timer hop-delay 150
# Set the delay for a member device port to forward topology collection requests to 15 ms.
[Sysname] ntdp timer port-delay 15
# Set the interval between collecting topology information to 3 minutes.
1-27
• After completing the above configuration, you can execute the cluster switch-to { member-number | mac-address H-H-H } command on the management device to switch to member device view to maintain and manage a member device. After that, you can execute the cluster switch-to administrator command to return to management device view.
1-28
<Sysname> system-view
[Sysname] management-vlan 3
# Add Ethernet 1/0/1 to VLAN 3.
[Sysname] vlan 3
[Sysname-vlan3] port Ethernet 1/0/1
[Sysname-vlan3] quit
# Set the IP address of VLAN-interface 3 to 192.168.5.30.
[Sysname] interface Vlan-interface 3
[Sysname-Vlan-interface3] ip address 192.
1-29 Network diagram. Figure 1-6 Network diagram for the enhanced cluster feature configuration (labels in the figure: FTP server 192.168.0.4; 192.168.0.1; MAC address 0001-2034-a0e5; management device; member devices, numbered in the figure). Configuration procedure # Enter cluster view.
i Table of Contents 1 PoE Configuration
1-1 1 PoE Configuration. When configuring PoE, go to these sections for information you are interested in: • PoE Overview • PoE Configuration • PoE Configuration Example. PoE Overview. Introduction to .
1-2
• Through the fixed 24/48 Ethernet electrical ports, it can supply power to up to 24/48 remote Ethernet switches at a maximum distance of 100 m (328 feet).
• Each Ethernet electrical port can supply at most 15,400 mW to a PD.
• When AC power input is adopted for the switch, the maximum total power that can be provided is 300 W.
1-3
Task | Remarks
Upgrading the PSE Processing Software Online | Optional
Upgrading the PSE Processing Software of Fabric Switches Online | Optional
Displaying PoE Configuration | Optional
Enabling the PoE .
1-4
• auto: When the switch is close to its full load in supplying power, it first supplies power to the PDs connected to the ports with critical priority, and then to the PDs connected to the ports with high priority.
1-5 Configuring the PD Compatibility Detection Function. After the PD compatibility detection function is enabled, the switch can detect PDs that do not conform to the 802.3af standard and supply power to them. After the PoE feature is enabled, perform the following configuration to enable the PD compatibility detection function.
1-6
• When the internal temperature of the switch decreases from X (X > 65°C, or X > 149°F) to Y (60°C ≤ Y < 65°C, or 140°F ≤ Y < 149°F), the switch still keeps the PoE function disabled on all the ports.
1-7 Follow these steps to upgrade the PSE processing software online:
To do… | Use the command… | Remarks
Upgrade the PSE processing software of the fabric switch online | update fabric { file-url | d.
1-8 Network diagram. Figure 1-1 Network diagram for PoE. Configuration procedure # Upgrade the PSE processing software online.
<SwitchA> system-view
[SwitchA] poe update refresh 0290_021.s19
# Enable the PoE feature on Ethernet 1/0/1, and set the PoE maximum output power of Ethernet 1/0/1 to 12,000 mW.
2-1 2 PoE Profile Configuration. When configuring PoE profiles, go to these sections for information you are interested in: • Introduction to PoE Profile • PoE Profile Configuration • Displaying PoE P.
2-2
To do… | Use the command… | Remarks
Enable the PoE feature on a port | poe enable | Required. Disabled by default.
Configure PoE mode for Ethernet ports | poe mode { signal | spare } | Optional. signal by default.
Configure the PoE priority for Ethernet ports | poe priority { critical | high | low } | Optional. low by default.
2-3 Displaying PoE Profile Configuration
To do… | Use the command… | Remarks
Display detailed information about the PoE profiles created on the switch | display poe-profile { all-profile | interface.
2-4 Network diagram. Figure 2-1 PoE profile application (labels in the figure: Network; Switch A; IP phones and APs on Eth1/0/1 to Eth1/0/5 and Eth1/0/6 to Eth1/0/10). Configuration procedure # Create Profile 1, and enter PoE profile view.
2-5
[SwitchA-poe-profile-Profile2] poe mode signal
[SwitchA-poe-profile-Profile2] poe priority high
[SwitchA-poe-profile-Profile2] poe max-power 15400
[SwitchA-poe-profile-Profile2] quit
# Display detailed configuration information for Profile2.
i Table of Contents 1 UDP Helper Configuration
1-1 1 UDP Helper Configuration. When configuring UDP helper, go to these sections for information you are interested in: • Introduction to UDP Helper • Configuring UDP Helper • Displaying and Maintain.
1-2
Protocol | UDP port number
Time Service | 37
Configuring UDP Helper. Follow these steps to configure UDP Helper:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable UDP Helper | udp-helper enable | Required. Disabled by default.
1-3
To do… | Use the command… | Remarks
Clear statistics about packets forwarded by UDP Helper | reset udp-helper packet | Available in user view
UDP Helper Configuration Example. Cross-Network Computer Search Through UDP Helper. Network requirements. PC A resides on network segment 192.
i Table of Contents 1 SNMP Configuration
1-1 1 SNMP Configuration. When configuring SNMP, go to these sections for information you are interested in: • SNMP Overview • Configuring Basic SNMP Functions • Configuring Trap-Related Functions •.
1-2
• Set the permission for a community to access an MIB object to read-only or read-write. Communities with read-only permission can only query switch information, while those with read-write permission can configure the switch as well.
• Set the basic ACL specified by the community name. Because SNMPv1 and SNMPv2c carry the community name in clear text, the ACL that limits which source addresses may use a community is the only network-side control on it; bind every community, and especially every read-write community, to an ACL that admits only the management stations.
1-3
To do… | Use the command… | Remarks
Direct configuration: Set a community name | snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]* | 
Set an SNMP group .
1-4
To do… | Use the command… | Remarks
Encrypt a plain-text password to generate a cipher-text one | snmp-agent calculate-password plain-password mode { md5 | sha } { local-engineid | specified-engineid engineid } | Optional. This command is used if a password in cipher text is needed for adding a new user. What the command produces is the SNMPv3 localized key: a one-way hash of the password bound to the given engine ID, not a reversible encryption, so the same password yields a different key on every engine.
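The derivation behind snmp-agent calculate-password, as an added Python example that is not 3Com code: the SNMPv3 key localization of RFC 3414 (section 2.6 and appendix A.2), where the password is first stretched to 1 MiB and hashed, and the result is hashed again together with the engine ID. The local-engineid and specified-engineid options correspond to which engine ID is fed in. The test uses the RFC's published "maplesyrup" vector; the real command's output format is not reproduced.

```python
"""What snmp-agent calculate-password produces: the SNMPv3 localized key
(RFC 3414 section 2.6 / appendix A.2), a one-way hash of the password that
is bound to one engine ID, not a reversible encryption. Added example, not
3Com code; the real command's output format is not reproduced."""
import hashlib

ONE_MEGABYTE = 1048576


def password_to_key(password: bytes, engine_id: bytes, mode: str = "md5") -> bytes:
    """Ku = H(password repeated to 1 MiB); localized key = H(Ku || engineID || Ku)."""
    if not password:
        raise ValueError("empty password")
    if mode not in ("md5", "sha"):
        raise ValueError("mode must be md5 or sha")
    h = hashlib.md5 if mode == "md5" else hashlib.sha1
    # RFC 3414 A.2: cycle the password bytes until 1 MiB has been hashed.
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    ku = h(stream).digest()
    # Localization binds the key to one engine: same password, different
    # engine ID, different key, so a key lifted from one device is useless on another.
    return h(ku + engine_id + ku).digest()


def localized_keys(password: str, engine_id_hex: str) -> dict:
    """Hex-encoded MD5 and SHA-1 localized keys for a user on the given engine;
    engine_id_hex is the engine ID as printed in hex (assumed input format)."""
    eid = bytes.fromhex(engine_id_hex)
    return {m: password_to_key(password.encode(), eid, m).hex() for m in ("md5", "sha")}
```

Use the specified-engineid form when the key is for a user on a remote engine (for example an NMS generating keys for several agents); with local-engineid the switch's own engine ID is used, and a key computed for one engine is not valid on any other.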
Enable the switch to send traps to the NMS. Command: snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart | linkdown | linkup | warms.

Enable logging for network management. Command: snmp-agent log { set-operation | get-operation | all }. Optional; disabled by default.
- When SNMP logging is enabled on a device, SNMP logs are output to the information center of the device.

- Perform the following configuration on Switch A: set the community name and access permission, administrator ID, contact and switch location, and enable the switch to send traps. Thus, the NMS is able to access Switch A and receive the traps sent by Switch A.

[Sysname] snmp-agent trap enable standard linkdown
[Sysname] snmp-agent target-host trap address udp-domain 10.10.10.1 udp-port 5000 params securityname public
Configuring the NMS
Authentication-related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully.
2 RMON Configuration
When configuring RMON, go to these sections for information you are interested in:
- Introduction to RMON
- RMON Configuration
- Displaying RMON
- RMON Configuration Example
Introduction to RMON
Remote Monitoring (RMON) is a kind of MIB defined by the Internet Engineering Task Force (IETF).

statistics and performance statistics of the network segments to which the ports of the managed network devices are connected. Thus, the NMS can further manage the networks.
Commonly Used RMON Groups
Event group
The event group is used to define the indexes of events and the processing methods of the events.

Statistics group
The statistics group contains the statistics of each monitored port on a switch. An entry in a statistics group is an accumulated value counting from the time when the statistics group is created.

- The rmon alarm and rmon prialarm commands take effect on existing nodes only.
- For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry is already created for a given port, you will fail to create another statistics entry with a different index for the same port.

[Sysname-Ethernet1/0/1] quit
# Add the event entries numbered 1 and 2 to the event table, which will be triggered by the following extended alarm.
[Sysname] rmon event 1 log
[Sysname] rmon event 2 trap 10.21.30.55
# Add an entry numbered 2 to the extended alarm table to allow the system to calculate the alarm variables with the (.
Table of Contents: 1 NTP Configuration

1 NTP Configuration
When configuring NTP, go to these sections for information you are interested in:
- Introduction to NTP
- NTP Configuration Task List
- Configuring NTP Implementation Modes.

- Defining the accuracy of clocks by stratum to synchronize the clocks of all devices in a network quickly
- Supporting access control (see section Configuring Access Control Right) and MD5 e.

Figure 1-1 Implementation principle of NTP (diagram: Device A and Device B exchange NTP messages across an IP network; the diagram labels show the timestamps 10:00:00 am, 11:00:01 am and 11:00:02 am, and an NTP message received at 10:00:03 am) 1.

Server/client mode
Figure 1-2 Server/client mode
Symmetric peer mode
Figure 1-3 Symmetric peer mode (diagram labels: passive peer, active peer, clock synchronization request packet, synchronize, network) Works in passi.

Multicast mode
Figure 1-5 Multicast mode
Table 1-1 describes how the above-mentioned NTP modes are implemented on 3Com S4500 series Ethernet switches.

- When a 3Com S4500 Ethernet switch works in server mode or symmetric passive mode, you need not perform related configurations on this switch; do that on the client or the symmetric-active peer instead.

- Execution of one of the ntp-service unicast-server, ntp-service unicast-peer, ntp-service broadcast-client, ntp-service broadcast-server, ntp-service multicast-client, and ntp-service multicast-server commands enables the NTP feature and opens UDP port 123 at the same time.

Specify a symmetric-passive peer for the switch. Command: ntp-service unicast-peer { remote-ip | peer-name } [ authentication-keyid key-id | priority | source-interface Vlan-interface vlan-id | version number ]*. Required; by default, a switch is not configured to work in the symmetric mode.

Enter VLAN interface view. Command: interface Vlan-interface vlan-id.
Configure the switch to work in the NTP broadcast server mode. Command: ntp-service broadcast-server [ authentication-keyid key-id | version number ]*. Required; not configured by default.
Enter system view. Command: system-view.
Enter VLAN interface view. Command: interface Vlan-interface vlan-id.
Configure the switch to work in the NTP multicast client mode. Command: ntp-service multicast-client [ ip-address ]. Required; not configured by default.

The access-control right mechanism provides only a minimum degree of security protection for the local switch. A more secure method is identity authentication.
Configuring NTP Authentication
In networks with higher security requirements, the NTP authentication function must be enabled to run NTP.

Configuration Procedure
Configuring NTP authentication on the client
Follow these steps to configure NTP authentication on the client:
Enter system view. Command: system-view.
Enable the NTP authentication function. Command: ntp-service authentication enable. Required; disabled by default.

Configure the specified key as a trusted key. Command: ntp-service reliable authentication-keyid key-id. Required; by default, no trusted authentication key is configured.

If you have specified an interface in the ntp-service unicast-server or ntp-service unicast-peer command, this interface will be used for sending NTP messages.

Display the information about the sessions maintained by NTP. Command: display ntp-service sessions [ verbose ].
Display the brief information about NTP servers along th.

[DeviceB] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 1.0.1.11
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.66 ms
Root delay: 27.47 ms
Root dispersion: 208.

Configuration procedure
- Configure Device C.
# Set Device A as the NTP server.
<DeviceC> system-view
[DeviceC] ntp-service unicast-server 3.0.1.31
- Configure Device B (after Device C is synchronized to Device A).
# Enter system view.

Configuring NTP Broadcast Mode
Network requirements
- The local clock of Device C is set as the NTP master clock, with a stratum level of 2. Configure Device C to work in the NTP broadcast server mode and send NTP broadcast messages through VLAN-interface 2.

View the NTP status of Device D after the clock synchronization.
[DeviceD] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 3.0.1.31
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 198.

Network diagram
Figure 1-9 Network diagram for NTP multicast mode configuration
Configuration procedure
- Configure Device C.
# Enter system view.
<DeviceC> system-view
# Set Device C as a multicast server to send multicast messages through VLAN-interface 2.

Root dispersion: 208.39 ms
Peer dispersion: 9.63 ms
Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C)
The output information indicates that Device D is synchronized to Device C, with a clock stratum level of 3, one stratum level lower than that of Device C.

- To synchronize Device B, you need to perform the following configurations on Device A.
# Enable the NTP authentication function.
<DeviceA> system-view
[DeviceA] ntp-service authentication enable
# Configure an MD5 authentication key, with the key ID being 42 and the key being aNiceKey.
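The NTP authentication the manual configures (an MD5 key with ID 42 and value aNiceKey, plus the trusted-key step from the ntp-service reliable authentication-keyid command) works by appending a key ID and an MD5 digest to each NTP packet, the symmetric-key scheme of RFC 5905. The following example is added here and is not part of the 3Com manual; it builds a constructed NTP header, signs it with the page's key, and shows the check a client applies: the key ID must be both configured and trusted, and the digest must match. The packet bytes and the NTP header layout are assumptions of the example; the key ID and key string are the page's values.

```python
import hashlib
import hmac
import struct

# Values from the page's example: key ID 42, MD5 key "aNiceKey".
KEY_ID = 42
KEY = b"aNiceKey"
NTP_HEADER_LEN = 48          # RFC 5905 header without the MAC
MAC_LEN = 4 + 16             # 32-bit key ID + 128-bit MD5 digest


def build_ntp_header(mode: int = 3, stratum: int = 0, poll: int = 6,
                     precision: int = -20, transmit_ts: int = 0) -> bytes:
    """Constructed NTPv4 header (LI=0, VN=4); field values are sample data."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    head = struct.pack(">BBbb", li_vn_mode, stratum, poll, precision)
    # root delay, root dispersion, reference ID, then four 64-bit timestamps
    body = struct.pack(">IIIQQQQ", 0, 0, 0, 0, 0, 0, transmit_ts)
    return head + body


def ntp_md5_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """Symmetric-key authenticator: key ID || MD5(key || header)."""
    return struct.pack(">I", key_id) + hashlib.md5(key + header).digest()


def sign_ntp_packet(key_id: int, key: bytes, header: bytes) -> bytes:
    """What a server with the key configured appends before sending."""
    return header + ntp_md5_mac(key_id, key, header)


def verify_ntp_packet(packet: bytes, keys: dict, trusted: set) -> bool:
    """Client-side check: accept only if the key ID is configured AND marked
    trusted (the page's reliable authentication-keyid step) and the digest
    matches. Unauthenticated or mismatching packets are dropped."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack(">I", mac[:4])[0]
    if key_id not in trusted or key_id not in keys:
        return False
    expected = hashlib.md5(keys[key_id] + header).digest()
    return hmac.compare_digest(expected, mac[4:])


if __name__ == "__main__":
    hdr = build_ntp_header(transmit_ts=0xC0A8000100000000)
    pkt = sign_ntp_packet(KEY_ID, KEY, hdr)
    print("accepted:", verify_ntp_packet(pkt, {KEY_ID: KEY}, {KEY_ID}))
    print("key not trusted:", verify_ntp_packet(pkt, {KEY_ID: KEY}, set()))
```

Note the separation the manual enforces: configuring a key is not enough, it must also be declared trusted, so a key that exists on the device but was never marked reliable cannot authenticate a time source.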
Table of Contents: 1 SSH Configuration

1 SSH Configuration
When configuring SSH, go to these sections for information you are interested in:
- SSH Overview
- SSH Server and Client
- Displaying and Maintaining SSH Configuration
- Compar.

The same key is used for both encryption and decryption. Supported symmetric key algorithms include DES, 3DES, and AES, which can effectively prevent data eavesdropping.
- Asymmetric key algorithm
An asymmetric key algorithm is also called a public key algorithm.

Currently, the switch supports only SSH2.
Version negotiation
- The server opens port 22 to listen for connection requests from clients.
- The client sends a TCP connection request to the server.

- The server starts to authenticate the user. If authentication fails, the server sends an authentication failure message to the client, which contains the list of methods usable for a new authentication process.
- The client selects an authentication type from the method list to perform authentication again.

Figure 1-2 Network diagram for SSH connections
Configure the devices accordingly. This document describes two cases:
- The 3Com switch acts as the SSH server to cooperate with software that supports the SSH client functions.
- The 3Com switch acts as the SSH server to cooperate with another 3Com switch that acts as an SSH client.

Task: Configuring the User Interfaces for SSH Clients. Remarks: Required (preparation).
Task: Configuring the SSH Management Functions. Remarks: Optional.
Task: Configuring Key Pairs. Remarks: Required (key).
Task (authentication): Creating an S.

Specify the supported protocol(s). Command: protocol inbound { all | ssh }. Optional; by default, both Telnet and SSH are supported.

- You can configure a login header only when the service type is stelnet. For configuration of service types, refer to Specifying a Service Type for an SSH User.
- For details of the header command, refer to the corresponding section in Login Command.

Destroy the RSA key pair. Command: public-key local destroy rsa. Optional.
Creating an SSH User and Specifying an Authentication Type
This task is to create an SSH user and specify an authentication type. Specifying an authentication type for a new user is a must for the user to log in.

Create an SSH user, and specify an authentication type for it. Command: ssh user username authentication-type { all | password | password-publickey | publickey } are us.

If the ssh user service-type command is executed with a username that does not exist, the system will automatically create the SSH user. However, the user cannot log in unless you specify an authentication type for it.

Enter system view. Command: system-view.
Import the public key from a public key file. Command: public-key peer keyname import sshkey filename. Required.
Assigning a Public Key to an SSH User
This configuration task is unnecessary if the SSH user's authentication mode is password.

With the filename argument specified, you can export the RSA host public key to a file so that you can configure the key at a remote end by importing the file. If the filename argument is not specified, this command displays the host public key information on the screen in a specified format.
Task: Opening an SSH connection with publickey authentication. Remarks: Required for publickey authentication; unnecessary for password authentication.
- For PuTTY, it is recommended to use PuTTY release 0.53; PuTTY release 0.58 is also supported.

Note that while generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar in the blue box shown in Figure 1-4. Otherwise, the progress bar stops moving and the key pair generating process is stopped.

Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any precaution. Click Yes and enter the name of the file for saving the private key ("private" in this case) to save the private key.

Figure 1-8 SSH client configuration interface 1
In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client.
Selecting a protocol for remote connection
As shown in Figure 1-8, select SSH under Protocol.

Figure 1-9 SSH client configuration interface 2
Under Protocol options, select 2 from Preferred SSH protocol version. Some SSH client software, for example, Tectia client software, supports the DES algorithm only when the ssh1 version is selected.

Figure 1-10 SSH client configuration interface 3
Click Browse… to bring up the file selection window, navigate to the private key file and click Open. If the connection is normal, the user will be prompted for a username. Once passing the authentication, the user can log in to the server.

Configuring whether first-time authentication is supported
When the device connects to the SSH server as an SSH client, you can configure whether the device supports first-time authentication.

Follow these steps to specify a source IP address/interface for the SSH client:
Enter system view. Command: system-view.
Specify a source IP address for the SSH client. Command: ssh2 source-ip ip-address. Optional; by default, no source IP address is configured.

Display information about all SSH users. Command: display ssh user-information [ username ].
Display the current source IP address or the IP address of the source interface specified for the SSH server.

The results of the display rsa local-key-pair public command or the public key converted with the SSHKEY tool contain no information such as the authentication type, so they cannot be directly used as parameters in the public-key peer command.

[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[Switch-ui-vty0-4] protocol inbound ssh
[Switch-ui-vty0-4] quit
# Create local client client001, and set the authentication password to abc, protocol type to SSH, and command privilege level to 3 for the client.

Figure 1-13 SSH client configuration interface (2)
Under Protocol options, select 2 from Preferred SSH protocol version.
3) As shown in Figure 1-13, click Open. If the connection is normal, you will be prompted to enter the user name client001 and password abc.

Network diagram
Figure 1-14 Switch acts as server for password and RADIUS authentication
Configuration procedure
1) Configure the RADIUS server
This document takes CAMS Version 2.10 as an example to show the basic RADIUS server configurations required.

Figure 1-15 Add an access device
# Add a user account for device management.
From the navigation tree, select User Management > User for Device Management, and then in the right pane, click Add to enter the Add Account page and perform the following configurations:
- Add a user named hello, and specify the password.
Generating the RSA key pair on the server is a prerequisite to SSH login.
# Generate RSA key pairs.
[Switch] public-key local create rsa
# Set the authentication mode for the user interfaces to AAA.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.

Figure 1-17 SSH client configuration interface (1)
In the Host Name (or IP address) text box, enter the IP address of the SSH server.
- From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-18 appears.

Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name hello and the password. Once authentication succeeds, you will log in to the server.

[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[Switch-ui-vty0-4] protocol inbound ssh
[Switch-ui-vty0-4] quit
# Configure the HWTACACS scheme.
[Switch] hwtacacs scheme hwtac
[Switch-hwtacacs-hwtac] primary authentication 10.

In the Host Name (or IP address) text box, enter the IP address of the SSH server.
2) From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-21 appears.
Figure 1-21 SSH client configuration interface (2)
Under Protocol options, select 2 from Preferred SSH protocol version.

Configuration procedure
- Configure the SSH server
# Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for the SSH connection.
<Switch> system-view
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 192.

Figure 1-23 Generate a client key pair (1)
While generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 1-24. Otherwise, the progress bar stops moving and the key pair generating process is stopped.

Figure 1-24 Generate a client key pair (2)
After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case).
Figure 1-25 Generate a client key pair (3)
Likewise, to save the private key, click Save private key.

Figure 1-26 Generate a client key pair (4)
After the key pair is generated, you need to upload the public key file to the server through FTP or TFTP, and complete the server-end configuration before you continue to configure the client.
# Establish a connection with the SSH server
2) Launch PuTTY.

Figure 1-28 SSH client configuration interface (2)
Under Protocol options, select 2 from Preferred SSH protocol version.
4) Select Connection / SSH / Auth.

Click Browse to bring up the file selection window, navigate to the private key file and click OK.
5) From the window shown in Figure 1-29, click Open.

[SwitchB-luser-client001] password simple abc
[SwitchB-luser-client001] service-type ssh level 3
[SwitchB-luser-client001] quit
# Configure the authentication type of user client001 as password.

Configuration procedure
- Configure Switch B
# Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for the SSH connection.
<SwitchB> system-view
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ip address 10.

<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[SwitchA-Vlan-interface1] quit
# Generate an RSA key pair
[SwitchA] public-key local create rsa
# Export the generated RSA key pair to a file named Switch001.

Network diagram
Figure 1-32 Switch acts as client and first-time authentication is not supported
Configuration procedure
- Configure Switch B
# Create a VLAN interface on the switch and assign an IP address for it to serve as the destination of the client.

# Import the client's public key file Switch001 and name the public key Switch001.
[SwitchB] public-key peer Switch001 import sshkey Switch001
# Assign public key Switch001 to user client001
[SwitchB] ssh user client001 assign publickey Switch001
# Export the generated RSA host public key pair to a file named Switch002.

# Import the public key pair named Switch002 from the file Switch002.
[SwitchA] public-key peer Switch002 import sshkey Switch002
# Specify the host public key pair name of the server.
[SwitchA] ssh client 10.165.87.136 assign publickey Switch002
# Establish the SSH connection to server 10.
Table of Contents: 1 File System Management Configuration

1 File System Management Configuration
When configuring file system management, go to these sections for information you are interested in:
- File System Configuration
- File Attribute Configura.

Directory Operations
The file system provides directory-related functions, such as:
- Creating/deleting a directory
- Displaying the current working directory, or the contents of a specified directory.

Rename a file. Command: rename fileurl-source fileurl-dest. Optional; available in user view.
Copy a file. Command: copy fileurl-source fileurl-dest. Optional; available in user.

The format operation leads to the loss of all files, including the configuration files, on the Flash memory and is irretrievable.
Prompt Mode Configuration
You can set the prompt mode of the current file system to alert or quiet.

Directory of unit1>flash:/
   1  (*) -rw-   5822215  Jan 01 1970 00:07:03   test.bin
   2      -rwh         4  Apr 01 2000 23:55:49   snmpboots
   3      -rwh       428  Apr 02 2000 00:47:30   hostkey
   4      -rwh       572  Apr 02 2000 00:47:38   serverkey
   5      -rw-      1220  Apr 02 2000 00:06:57   song.cfg
   6      -rw-     26103  Jan 01 1970 00:04:34   testv1r1.

Attribute name / Description / Feature identifier
backup / Identifies backup startup files. The backup startup file is used after a switch fails to start up using the main startup file. In the Flash memory, there can be only one app file, one configuration file and one Web file with the backup attribute.

Configuring File Attributes
You can configure and view the main attribute or backup attribute of the file used for the next startup of a switch, and change the main or backup attribute of the file.

Configuration File Backup and Restoration
Introduction to Configuration File Backup and Restoration
Formerly, you could only back up and restore the configuration files of the units one by one in a fabric system.
Table of Contents: 1 FTP and SFTP Configuration

1 FTP and SFTP Configuration
When configuring FTP and SFTP, go to these sections for information you are interested in:
- Introduction to FTP and SFTP
- FTP Configuration
- SFTP Configuration
Introduction to FTP and SFTP
Introduction to FTP
File Transfer Protocol (FTP) is commonly used in IP-based networks to transmit files.

files from an FTP server, and stops rotating when the file download is finished, as shown in Figure 1-1.
Figure 1-1 Clockwise rotation of the seven-segment digital LED
Introduction to SFTP
Secure FTP (SFTP) is established on top of an SSH2 connection.

Configure a password for the specified user. Command: password { simple | cipher } password. Optional; by default, no password is configured.
Configure the service type as FTP. Command: service-type ftp. Required; by default, no service is configured.

Follow these steps to configure the connection idle time:
Enter system view. Command: system-view.
Configure the connection idle time for the FTP server. Command: ftp timeout min.

Disconnecting a specified user
On the FTP server, you can disconnect a specified user from the FTP server to secure the network. Follow these steps to disconnect a specified user:
To do… Us.

Figure 1-3 Process of displaying a shell banner
Follow these steps to configure the banner display for an FTP server:
Enter system view. Command: system-view.
Configure a login banner. Command: header login text.
Configure a shell banner. Command: header shell text. Required; use either command or both.

Enter FTP client view. Command: ftp [ cluster | remote-server [ port-number ] ].
Specify to transfer files in ASCII characters. Command: ascii.
Specify to transfer files in binary streams. Command: binary. Use either command; by default, files are transferred in ASCII characters.

Download a remote file from the FTP server. Command: get remotefile [ localfile ].
Upload a local file to the remote FTP server. Command: put localfile [ remotefile ].
Rename a file.

- The specified interface must be an existing one. Otherwise a prompt appears to show that the configuration fails.
- The value of the ip-address argument must be the IP address of the device where the configuration is performed. Otherwise a prompt appears to show that the configuration fails.

[Sysname] local-user switch
[Sysname-luser-switch] password simple hello
[Sysname-luser-switch] service-type ftp
2) Configure the PC (FTP client)
Run an FTP client application on the PC to connect to the FTP server. Upload the application named switch.

- If the available space on the Flash memory of the switch is not enough to hold the file to be uploaded, you need to delete files not in use from the Flash memory to make room for the file, and then upload the file again. The files in use cannot be deleted.

Configuration procedure
1) Configure the switch (FTP server)
# Configure the login banner of the switch as "login banner appears" and the shell banner as "shell banner appears". For detailed configuration of other network requirements, see section Configuration Example: A Switch Operating as an FTP Server.

Configuration procedure
1) Configure the PC (FTP server)
Perform FTP server-related configurations on the PC, that is, create a user account on the FTP server with username switch and password hello. (For detailed configuration, refer to the configuration instructions relevant to the FTP server software.

<Sysname> boot boot-loader switch.bin
<Sysname> reboot
For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual.
Enter system view. Command: system-view.
Configure the connection idle time for the SFTP server. Command: ftp timeout time-out-value. Optional; 10 minutes by default.
Supported SFTP client software
A 3Com Switch 4500 operating as an SFTP server can interoperate with SFTP client software, including SSH Tectia Client v4.

Enter SFTP client view. Command: sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cip.

If you specify to authenticate a client through public key on the server, the client needs to read the local private key when logging in to the SFTP server.

[Sysname] public-key local create dsa
# Create a VLAN interface on the switch and assign to it an IP address, which is used as the destination address for the client to connect to the SFTP server.
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ip address 192.

sftp-client>
# Display the current directory of the server. Delete the file z and verify the result.
sftp-client> dir
-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1
drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2
Received status: End of file
Received status: Success
# Download the file pubkey2 from the server and rename it as public.
2 TFTP Configuration
When configuring TFTP, go to these sections for information you are interested in:
- Introduction to TFTP
- TFTP Configuration
Introduction to TFTP
Compared with FTP, Trivial File Transfer Protocol (TFTP) features a simple interactive access interface and no authentication control.

TFTP Configuration
Complete the following tasks to configure TFTP:
Task: Basic configurations on a TFTP client. Remarks: — (see TFTP Configuration: A Switch Operating as a TFTP Client).
Task: Specifying the s.

Specify the source IP address used for the current connection. Command: tftp tftp-server source-ip ip-address { get source-file [ dest-file ] | put source-file-url [ dest-file ] }. Optional; not specified by default.

Network diagram
Figure 2-1 Network diagram for TFTP configurations
Configuration procedure
1) Configure the TFTP server (PC)
Start the TFTP server and configure the working directory on the PC.
2) Configure the TFTP client (switch).
# Log in to the switch.

For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual.
Table of Contents: 1 Information Center

1 Information Center
When configuring the information center, go to these sections for information you are interested in:
- Information Center Overview
- Information Center Configuration
- Displayin.

Information filtering by severity works this way: information with a severity value greater than the configured threshold is not output during the filtering.
- If the threshold is set to 1, only information with the severity emergencies will be output;
- If the threshold is set to 8, information of all severities will be output.

Outputting system information by source module
The system information can be classified by source module and then filtered. Some module names and descriptions are shown in Table 1-3.
Table 1-3 Source module name list
Module name / Description
8021X / 802.

Module name / Description
SYSMIB / System MIB module
TAC / HWTACACS module
TELNET / Telnet module
TFTPC / TFTP client module
VLAN / Virtual local area network module
VTY / Virtual type terminal module
XM / XModem.

- If the address of the log host is specified in the information center of the switch, when logs are generated, the switch sends the logs to the log host in the above format. For detailed information, refer to Setting to Output System Information to a Log Host.

Module
The module field represents the name of the module that generates system information. You can enter the info-center source ? command in system view to view the module list. Refer to Table 1-3 for module names and descriptions. Between "module" and "level" is a "/".
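The two filters described above, the severity threshold (1 outputs only emergencies, 8 outputs everything) and the source-module filter, combine into one decision per message. The example below, added here and not part of the 3Com manual, applies that decision to constructed messages written as "MODULE/LEVEL/DIGEST: text". The page states only that a "/" separates the module and level fields and that 1 is emergencies and 8 admits all severities; the digest field, the sample lines and the names of the intermediate severity levels are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Severity numbering on the page: 1 = emergencies, 8 = everything (debugging).
# The names for 2..7 follow the usual syslog order and are an assumption.
SEVERITY_NAMES = {
    1: "emergencies", 2: "alerts", 3: "critical", 4: "errors",
    5: "warnings", 6: "notifications", 7: "informational", 8: "debugging",
}

# Constructed message form "MODULE/LEVEL/DIGEST: text"; only the module/level
# separator is stated on the page, the digest field is assumed.
MSG_RE = re.compile(
    r"^(?P<module>[A-Z0-9]+)/(?P<level>[1-8])/(?P<digest>[A-Z_]+):\s*(?P<text>.*)$"
)


@dataclass
class SysInfo:
    module: str
    severity: int
    digest: str
    text: str


def parse_message(line: str) -> SysInfo:
    """Split one message into its module, severity, digest and text."""
    m = MSG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised message: {line!r}")
    return SysInfo(m["module"], int(m["level"]), m["digest"], m["text"])


def output_filter(messages, threshold: int, modules=None):
    """Return the messages the information center would output to a channel:
    severity must not exceed the threshold (page rule), and when a module
    allow-list is given the source module must be in it."""
    if not 1 <= threshold <= 8:
        raise ValueError("threshold must be 1..8")
    out = []
    for msg in messages:
        if msg.severity > threshold:
            continue
        if modules is not None and msg.module not in modules:
            continue
        out.append(msg)
    return out


# Constructed sample messages (not captured from a real switch); the module
# names are ones listed in the page's Table 1-3.
SAMPLE_LINES = [
    "TELNET/1/SYSTEM_FAILURE: telnet service stopped unexpectedly",
    "VTY/5/LOGIN: VTY user login from 10.0.0.5",
    "VLAN/6/VLAN_CREATE: VLAN 20 created",
    "TFTPC/8/DEBUG: transfer block 7",
]

if __name__ == "__main__":
    msgs = [parse_message(line) for line in SAMPLE_LINES]
    for threshold in (1, 5, 8):
        kept = [f"{m.module}/{SEVERITY_NAMES[m.severity]}"
                for m in output_filter(msgs, threshold)]
        print(f"threshold {threshold}: {kept}")
```

From a monitoring standpoint the threshold is the setting to review when a log host receives no login or configuration events: a threshold lower than the severity those modules emit at silently drops them, exactly as the rule above describes.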
Configuring Synchronous Information Output
Synchronous information output refers to the feature that if system information such as log, trap, or debugging information is output when the user .

Set to display the UTC time zone in the output information of the information center. Command: info-center timestamp utc. Required; by default, no UTC time zone is displaye.

Output destination / Modules allowed / LOG (enabled/disabled, severity) / TRAP (enabled/disabled, severity) / DEBUG (enabled/disabled, severity)
Monitor terminal / default (all modules) / Enabled, warnings / Enable.

Setting to output system information to a monitor terminal
Follow these steps to set to output system information to a monitor terminal:
Enter system view. Command: system-view.
Enable the information center. Command: info-center enable. Optional; enabled by default.

Enable the trap information terminal display function. Command: terminal trapping. Optional; enabled by default.
Make sure that the debugging/log/trap information terminal disp.

- After the switches form a fabric, you can use the info-center switch-on command to enable the information output for the switches, to make the log, debugging and trap information of each switch in the fabric synchronous.

Enable information output to the log buffer. Command: info-center logbuffer [ channel { channel-number | channel-name } | size buffersize ]*. Optional; by default, the switch uses information channel 4 to output log information to the log buffer, which can hold up to 512 items by default.

Displaying and Maintaining Information Center
Display information on an information channel. Command: display channel [ channel-number | channel-name ].
Display the.

# Disable the function of outputting information to log host channels, because all modules output log information to the log host channels by default.
[Switch] undo info-center source default channel loghost
# Configure the host whose IP address is 202.

Through combined configuration of the device name (facility), information severity level threshold (severity), module name (filter) and the file "syslog.

Note the following items when you edit the file "/etc/syslog.conf".
- A note must start on a new line, starting with a "#" sign.
- In each pair, a tab should be used as a separator instead of a space.
- No space is permitted at the end of the file name.

<Switch> system-view
[Switch] info-center enable
# Disable the function of outputting information to the console channels.
[Switch] undo info-center source default channel console
# Enable log information output to the console.
i Table of Contents 1 Boot ROM and Host Software Loading
1-1 1 Boot ROM and Host Software Loading Traditionally, switch software is loaded through a serial port. This approach is slow, time-consuming and cannot be used for remote loading. To resolve these problems, the TFTP and FTP modules are introduced into the switch.
1-2 The loading process of the Boot ROM software is the same as that of the host software, except that during the former process, you should press “6” or <Ctrl+U> and <Enter> after entering the BOOT menu and the system gives different prompts.
1-3 1. Download application file to flash 2. Select application file to boot 3. Display all files in flash 4. Delete file from flash 5. Modify bootrom password 6. Enter bootrom upgrade menu 7. Skip current configuration file 8. Set bootrom password recovery 9.
1-4 0. Return Enter your choice (0-5): Step 3: Choose an appropriate baudrate for downloading. For example, if you press 5, the baudrate 115200 bps is chosen and the system displays the following.
1-5 Figure 1-2 Console port configuration dialog box Step 5: Click the <Disconnect> button to disconnect the HyperTerminal from the switch and then click the <Connect> button to reconnect the HyperTerminal to the switch, as shown in Figure 1-3.
1-6 Figure 1-4 Send file dialog box Step 8: Click <Send>. The system displays the page, as shown in Figure 1-5. Figure 1-5 Sending file page Step 9: After the sending process completes, the system displays the following information: Loading.
1-7 Loading host software Follow these steps to load the host software: Step 1: Select <1> in BOOT Menu and press <Enter>. The system displays the following information: 1. Set TFTP protocol parameter 2. Set FTP protocol parameter 3. Set XMODEM protocol parameter 0.
1-8 You can use one PC as both the configuration device and the TFTP server. Step 2: Run the TFTP server program on the TFTP server, and specify the path of the program to be downloaded. TFTP server program is not provided with the 3Com Series Ethernet Switches.
1-9 0. Return to boot menu Enter your choice(0-3): Step 2: Enter 1 in the above menu to download the host software using TFTP. The subsequent steps are the same as those for loading the Boot ROM, except that the system gives the prompt for host software loading instead of Boot ROM loading.
1-10 Bootrom update menu: 1. Set TFTP protocol parameter 2. Set FTP protocol parameter 3. Set XMODEM protocol parameter 0. Return to boot menu Enter your choice(0-3): Step 4: Enter 2 in the above menu to download the Boot ROM using FTP. Then set the following FTP-related parameters as required: Load File name :switch.
1-11 Remote Boot ROM and Software Loading If your terminal is not directly connected to the switch, you can telnet to the switch, and use FTP or TFTP to load the Boot ROM and host software remotely.
1-12 Before restarting the switch, make sure you have saved all other configurations that you want, so as to avoid losing configuration information. 2) Loading host software Loading the host software.
1-13 System View: return to User View with Ctrl+Z. [Sysname] interface Vlan-interface 1 [Sysname-Vlan-interface1] ip address 192.168.0.28 255.255.255.0 Step 3: Enable FTP service on the switch, and configure the FTP user name to test and password to pass.
1-14 Figure 1-11 Enter Boot ROM directory Step 6: Enter ftp 192.168.0.28 and enter the user name test, password pass, as shown in Figure 1-12, to log on to the FTP server. Figure 1-12 Log on to the FTP server Step 7: Use the put command to upload the file switch.
1-15 Figure 1-13 Upload file switch.btm to the switch Step 8: Configure switch.btm to be the Boot ROM at next startup, and then restart the switch. <Sysname> boot bootrom switch.btm This will update Bootrom on unit 1. Continue? [Y/N] y Upgrading Bootrom, please wait.
2-1 2 Basic System Configuration and Debugging When configuring basic system configuration and debugging, go to these sections for information you are interested in: • Basic System Configuration • .
2-2 Displaying the System Status To do… Use the command… Remarks Display the current date and time of the system display clock Display the version of the system display version Display the infor.
2-3 You can use the following commands to enable the two switches. Follow these steps to enable debugging and terminal display for a specific module: To do… Use the command… Remarks Enable system debugging for specific module debugging module-name [ debugging-option ] Required Disabled for all modules by default.
3-1 3 Network Connectivity Test When configuring network connectivity test, go to these sections for information you are interested in: • ping • tracert Network Connectivity Test ping You can use the ping command to check the network connectivity and the reachability of a host.
4-1 4 Device Management When configuring device management, go to these sections for information you are interested in: • Introduction to Device Management • Device Management Configuration • Display.
4-2 Before rebooting, the system checks whether there is any configuration change. If yes, it prompts whether or not to proceed. This prevents the system from losing the configurations in case of.
4-3 Enabling of this function consumes some amount of CPU resources. Therefore, if your network has a high CPU usage requirement, you can disable this function to release your CPU resources. Specifying the APP to be Used at Reboot APP is the host software of the switch.
4-4 Table 4-1 Commonly used pluggable transceivers Transceiver type Applied environment Whether can be an optical transceiver Whether can be an electrical transceiver SFP (Small Form-factor Pluggable) Generally used for 100M/1000M Ethernet interfaces or POS 155M/622M/2.
4-5 To do… Use the command… Remarks Display the current alarm information of the pluggable transceiver(s) display transceiver alarm interface [ interface-type interface-number ] Available for all.
4-6 • Make configuration so that the IP address of a VLAN interface on the switch is 1.1.1.1, the IP address of the PC is 2.2.2.2, and the switch and the PC are reachable to each other. The host software switch.app and the Boot ROM file boot.btm of the switch are stored in the directory switch on the PC.
4-7 331 Give me your password, please Password: 230 Logged in successfully [ftp] 5) Enter the authorized path on the FTP server. [ftp] cd switch 6) Execute the get command to download the switch.app and boot.btm files on the FTP server to the Flash memory of the switch.
i Table of Contents 1 VLAN-VPN Configuration
1-1 1 VLAN-VPN Configuration When configuring VLAN-VPN, go to these sections for information you are interested in: • VLAN-VPN Overview • VLAN-VPN Configuration • Displaying and Maintaining VLAN-VPN.
1-2 Figure 1-2 Structure of packets with double-layer VLAN tags (figure labels: Destination MAC address, Source MAC address, Outer VLAN Tag, Inner VLAN Tag, Data) Compared with MPLS-based Layer 2 VPN, VLAN-VPN has the following features: • It provides Layer 2 VPN tunnels that are simpler.
1-3 frame as needed. When doing that, you should set the same TPID on both the customer-side port and the service provider-side port. The TPID in an Ethernet frame has the same position as the protocol type field in a frame without a VLAN tag.
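The double-tag layout of Figure 1-2 and the TPID rule above, as an added worked example (this is not code from the 3Com guide): a small builder/parser for the VLAN tag stack of an Ethernet frame. The 0x9200 TPID and VLAN 1040 are taken from the guide's configuration example; the MAC addresses and payload are constructed sample data. parse_vlan_stack only recognises a tag whose TPID is in its accepted list, which is the same check a receiving port makes, so the block also shows what happens when the provider-side TPID is not configured on the peer: the outer tag is not seen as a tag at all and the frame appears to carry an unknown EtherType.

```python
"""Added example: VLAN-VPN (QinQ) tag stack builder and parser.
Not code from the 3Com Switch 4500 guide; values 0x9200 and VLAN 1040 come
from the guide's example, MAC addresses and payload are constructed."""
import struct

DEFAULT_TPID = 0x8100   # IEEE 802.1Q TPID, the switch default
PUBLIC_TPID = 0x9200    # TPID the guide's example sets on the provider-side port


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def tag_bytes(tpid: int, pcp: int, dei: int, vid: int) -> bytes:
    """TPID (2 bytes) + TCI (2 bytes): PCP 3 bits, DEI 1 bit, VID 12 bits."""
    if not 0 <= vid <= 0xFFF or not 0 <= pcp <= 7:
        raise ValueError("VID must fit in 12 bits and PCP in 3 bits")
    return struct.pack("!HH", tpid, (pcp << 13) | ((dei & 1) << 12) | vid)


def build_frame(dst: str, src: str, tags, ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame; tags is a list of (tpid, pcp, dei, vid), outermost first."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    for t in tags:
        hdr += tag_bytes(*t)
    return hdr + struct.pack("!H", ethertype) + payload


def push_outer_tag(frame: bytes, vid: int, tpid: int = PUBLIC_TPID, pcp: int = 0) -> bytes:
    """What a VLAN-VPN-enabled customer-side port does on ingress: insert an
    outer tag right after the source MAC, keeping the customer's tag as inner tag."""
    return frame[:12] + tag_bytes(tpid, pcp, 0, vid) + frame[12:]


def pop_outer_tag(frame: bytes) -> bytes:
    """What the far-side customer port does on egress: strip the outer tag."""
    return frame[:12] + frame[16:]


def parse_vlan_stack(frame: bytes, accepted_tpids=(DEFAULT_TPID,)) -> dict:
    """Walk the tag stack. The field after the source MAC occupies the EtherType
    position; it is a VLAN tag only if its value is one of accepted_tpids."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    tags, off = [], 12
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        etype = struct.unpack("!H", frame[off:off + 2])[0]
        if etype not in accepted_tpids:
            break                      # not a tag we recognise: this is the EtherType
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append((etype, tci >> 13, (tci >> 12) & 1, tci & 0xFFF))
        off += 4
    return {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]),
            "tags": tags, "ethertype": etype, "payload": frame[off + 2:]}


if __name__ == "__main__":
    # Constructed sample: a customer frame in VLAN 10 tunnelled in outer VLAN 1040.
    customer = build_frame("00:0f:e2:00:00:01", "00:0f:e2:00:00:02",
                           [(DEFAULT_TPID, 0, 0, 10)], 0x0800, bytes(20))
    tunnelled = push_outer_tag(customer, 1040, pcp=3)
    print(parse_vlan_stack(tunnelled, (DEFAULT_TPID, PUBLIC_TPID))["tags"])
    print(parse_vlan_stack(tunnelled)["ethertype"])   # peer without 0x9200 configured
```

The second print in the demo is the TPID-mismatch case the guide warns about: a peer that only accepts 0x8100 reports ethertype 0x9200 and no tags, so the VLAN 1040 tag is never acted on.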
1-4 Task Remarks Enabling the VLAN-VPN Feature for a Port Required Configuring the TPID Value for VLAN-VPN Packets on a Port Optional Configuring the Inner-to-Outer Tag Priority Replicating and Mapp.
1-5 • Besides the default TPID 0x8100, you can configure only one TPID value on a Switch 4500 switch. • For the Switch 4500 series to exchange packets with the public network device properly, you should configure the TPID value used by the public network device on both the customer-side port and the service provider-side port.
1-6 VLAN-VPN Configuration Example Transmitting User Packets through a Tunnel in the Public Network by Using VLAN-VPN Network requirements As shown in Figure 1-4, Switch A and Switch B are both Switch 4500 series switches. They connect the users to the servers through the public network.
1-7 [SwitchA-Ethernet1/0/11] vlan-vpn enable [SwitchA-Ethernet1/0/11] quit # Set the TPID value of Ethernet 1/0/12 to 0x9200 (for intercommunication with the devices in the public network) and configure the port as a trunk port permitting packets of VLAN 1040.
1-8 2) The TPID value of the outer VLAN tag is set to 0x9200 before the packet is forwarded to the public network through Ethernet1/0/12 of Switch A. 3) The outer VLAN tag of the packet remains unchanged while the packet travels in the public network, till it reaches Ethernet1/0/22 of Switch B.
2-1 2 Selective QinQ Configuration When configuring selective QinQ, go to these sections for information you are interested in: • Selective QinQ Overview • Selective QinQ Configuration • Selective QinQ Configuration Example Selective QinQ Overview Selective QinQ Overview Selective QinQ is an enhanced application of the VLAN-VPN feature.
2-2 telephone users (in VLAN 201 to VLAN 300). Packets of all these users are forwarded by Switch A to the public network. After the selective QinQ feature and the inner-to-outer tag mapping feature.
2-3 device receives a packet from the service provider network, this device will find the path for the packet by searching the MAC address table of the VLAN corresponding to the outer tag and unicast the packet. Thus, packet broadcast is reduced in selective QinQ applications.
2-4 Do not enable both the selective QinQ function and the DHCP snooping function on a switch. Otherwise, the DHCP snooping function may operate improperly. Enabling the Inter-VLAN MAC Address Replicating Feature Follow these steps to enable the inter-VLAN MAC address replicating feature: To do.
2-5 • The public network permits packets of VLAN 1000 and VLAN 1200. Apply QoS policies for these packets to reserve bandwidth for packets of VLAN 1200.
2-6 [SwitchA-Ethernet1/0/5] port hybrid vlan 5 1000 1200 tagged [SwitchA-Ethernet1/0/5] quit # Configure Ethernet 1/0/3 as a hybrid port and configure VLAN 5 as its default VLAN. Configure Ethernet 1/0/3 to remove VLAN tags when forwarding packets of VLAN 5, VLAN 1000, and VLAN 1200.
2-7 [SwitchB] interface Ethernet 1/0/11 [SwitchB-Ethernet1/0/11] port link-type hybrid [SwitchB-Ethernet1/0/11] port hybrid vlan 12 13 1000 1200 tagged # Configure Ethernet1/0/12 as a hybrid port and configure VLAN 12 as its default VLAN. Configure Ethernet 1/0/12 to remove VLAN tags when forwarding packets of VLAN 12 and VLAN 1000.
i Table of Contents 1 Remote-ping Configuration
1-1 1 Remote-ping Configuration Introduction to remote-ping remote-ping is a network diagnostic tool used to test the performance of protocols (only ICMP by far) running on a network. It is an enhanced alternative to the ping command. A remote-ping test group is a set of remote-ping test parameters.
1-2 This parameter is used to enable the system to automatically perform the same test at regular intervals. 5) Test timeout time Test timeout time is the duration for which the system waits for an ECHO-RESPONSE packet after it sends out an ECHO-REQUEST packet.
1-3 Table 1-2 Display remote-ping configuration Operation Command Description Display the information of remote-ping test history display remote-ping history [ administrator-name operation-tag ] Disp.
1-4 Packet lost in test: 0% Disconnect operation number: 0 Operation timeout number: 0 System busy operation number: 0 Connection fail number: 0 Operation sequence errors: 0 Drop operation number: 0 O.
i Table of Contents 1 IPv6 Configuration
1-1 1 IPv6 Configuration When configuring IPv6, go to these sections for information you are interested in: • IPv6 Overview • IPv6 Configuration Task List • IPv6 Configuration Example • The term “router” in this document refers to a router in a generic sense or an Ethernet switch running a routing protocol.
1-2 Figure 1-1 Comparison between IPv4 header format and IPv6 header format Adequate address space The source IPv6 address and the destination IPv6 address are both 128 bits (16 bytes) long.
1-3 Enhanced neighbor discovery mechanism The IPv6 neighbor discovery protocol is implemented by a group of Internet Control Message Protocol Version 6 (ICMPv6) messages. The IPv6 neighbor discovery protocol manages message exchange between neighbor nodes (nodes on the same link).
1-4 • Multicast address: An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address. • Anycast address: An identifier for a set of interfaces (typically belonging to different nodes).
1-5 • Unassigned address: The unicast address :: is called the unassigned address and may not be assigned to any node. Before acquiring a valid IPv6 address, a node may fill this address in the source address field of an IPv6 packet, but may not use it as a destination IPv6 address.
1-6 Introduction to IPv6 Neighbor Discovery Protocol The IPv6 Neighbor Discovery Protocol (NDP) uses five types of ICMPv6 messages to implement the following functions: • Address resolution • Neigh.
1-7 Address resolution Similar to the ARP function in IPv4, a node acquires the link-layer address of neighbor nodes on the same link through NS and NA messages. Figure 1-3 shows how node A acquires the link-layer address of node B. Figure 1-3 Address resolution The address resolution procedure is as follows: 1) Node A multicasts an NS message.
1-8 Figure 1-4 Duplicate address detection The duplicate address detection procedure is as follows: 1) Node A sends an NS message whose source address is the unassigned address :: and the destination address is the corresponding solicited-node multicast address of the IPv6 address to be detected.
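The address arithmetic behind the address resolution and duplicate address detection procedures above, as an added worked example (not code from the 3Com guide): EUI-64 interface IDs as used for automatically generated link-local and global addresses, the solicited-node multicast group an NS is sent to, the header fields of a DAD probe, and a check that an interface has joined the solicited-node group of every address configured on it. The sample addresses and joined groups are the ones shown in the guide's display output on page 1-16 (2001::20F:E2FF:FE49:8048, 3001::1, FF02::1:FF00:1, FF02::1:FF49:8048); the MAC address 00:0f:e2:49:80:48 is an assumption derived from that interface ID.

```python
"""Added example: IPv6 NDP address arithmetic (EUI-64, solicited-node groups,
DAD probe fields). Not code from the 3Com guide; computations follow RFC 4291."""
import ipaddress

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: flip the universal/local bit of the first octet and
    insert ff:fe between the OUI and the device part of the MAC address."""
    b = bytearray(mac_to_bytes(mac))
    b[0] ^= 0x02
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")


def address_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """/64 prefix + EUI-64 interface ID; fe80::/64 yields the link-local address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addresses need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX where XX:XXXX are the low 24 bits of the address.
    NS messages for address resolution and DAD are sent to this group."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def dad_probe(target: str) -> dict:
    """Header fields of the NS a node sends to detect a duplicate of `target`:
    source is the unassigned address ::, destination is the solicited-node group."""
    return {"src": str(ipaddress.IPv6Address("::")),
            "dst": str(solicited_node(target)),
            "target": str(ipaddress.IPv6Address(target))}


def missing_solicited_node_groups(configured, joined):
    """Solicited-node groups needed by the configured addresses that are absent
    from the interface's joined-group list (as shown by display ipv6 interface)."""
    joined_set = {ipaddress.IPv6Address(g) for g in joined}
    return [str(solicited_node(a)) for a in configured
            if solicited_node(a) not in joined_set]


if __name__ == "__main__":
    # Sample values from the guide's display output; the MAC is an assumption.
    print(address_from_prefix("2001::/64", "00:0f:e2:49:80:48"))
    print(dad_probe("3001::1"))
    print(missing_solicited_node_groups(
        ["2001::20F:E2FF:FE49:8048", "3001::1"],
        ["FF02::1:FF00:1", "FF02::1:FF49:8048", "FF02::1"]))
```

Two addresses that share their low 24 bits map to the same solicited-node group, which is why the NS carries the full target address and the receiver must compare it rather than rely on the multicast destination alone.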
1-9 Task Remarks Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time Optional Configuring the Hop Limit of ICMPv6 Reply Packets Optional Displaying and Maintaining IPv6 Optional Configuring an IPv6 Unicast Address • An IPv6 address is required for a host to access an IPv6 network.
1-10 To do... Use the command... Remarks Automatically generate a link-local address ipv6 address auto link-local Configure an IPv6 link-local address Manually assign a link-local address for an interface.
1-11 Follow these steps to configure a static neighbor entry: To do... Use the command... Remarks Enter system view system-view — Configure a static neighbor entry ipv6 neighbor ipv6-address m.
1-12 Configuring the NS Interval After a device sends an NS message, if it does not receive a response within a specific period, the device will send another NS message.
1-13 packets are received, the IPv6 TCP connection status becomes TIME_WAIT. If other packets are received, the finwait timer is reset from the last packet and the connection is terminated after the finwait timer expires. • Size of IPv6 TCP receiving/sending buffer.
1-14 To do… Use the command… Remarks Enter system view system-view — Configure the hop limit of ICMPv6 reply packets ipv6 nd hop-limit value Optional 64 by default.
1-15 IPv6 Configuration Example IPv6 Unicast Address Configuration Network requirements Two switches are directly connected through two Ethernet ports. The Ethernet ports belong to VLAN 2. Different types of IPv6 addresses are configured for the interface VLAN-interface 2 on each switch to verify the connectivity between the two switches.
1-16 Global unicast address(es): 2001::20F:E2FF:FE49:8048, subnet is 2001::/64 3001::1, subnet is 3001::/64 Joined group address(es): FF02::1:FF00:1 FF02::1:FF49:8048 FF02::1 MTU is 1500 bytes ND DAD .
1-17 Reply from FE80::20F:E2FF:FE00:1 bytes=56 Sequence=3 hop limit=255 time = 60 ms Reply from FE80::20F:E2FF:FE00:1 bytes=56 Sequence=4 hop limit=255 time = 70 ms Reply from FE80::20F:E2FF:FE00:1 bytes=56 Sequence=5 hop limit=255 time = 60 ms --- FE80::20F:E2FF:FE00:1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.
1-18 0.00% packet loss round-trip min/avg/max = 50/60/70 ms.
2-1 2 IPv6 Application Configuration When configuring IPv6 application, go to these sections for information you are interested in: • Introduction to IPv6 Application • Configuring IPv6 Application • .
2-2 IPv6 Traceroute The traceroute ipv6 command is used to record the route of IPv6 packets from source to destination, so as to check whether the link is available and determine the point of failure.
2-3 To do… Use the command… Remarks Download/Upload files from TFTP server tftp ipv6 remote-system [ -i interface-type interface-number ] { get | put } source-filename [ destination-filename ] Re.
2-4 Displaying and maintaining IPv6 Telnet To do… Use the command… Remarks Display the use information of the users who have logged in display users [ all ] Available in any view IPv6 Applicatio.
2-5 bytes=56 Sequence=2 hop limit=64 time = 31 ms Reply from 3003::1 bytes=56 Sequence=3 hop limit=64 time = 31 ms Reply from 3003::1 bytes=56 Sequence=4 hop limit=64 time = 31 ms Reply from 3003::1 bytes=56 Sequence=5 hop limit=64 time = 31 ms --- 3003::1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.
2-6 Solution • Check that the IPv6 addresses are configured correctly. • Use the display ipv6 interface command to determine that the interfaces of the source and the destination and the link-layer protocol between them are up. • Use the display ipv6 route-table command to verify that the destination is reachable.
i Table of Contents 1 Access Management Configuration
1-1 1 Access Management Configuration When configuring access management, go to these sections for information you are interested in: • Access Management Overview • Configuring Access Management.
1-2 • A port without an access management IP address pool configured allows the hosts to access external networks only if their IP addresses are not in the access management IP address pools of other ports of the switch.
1-3 Access Management Configuration Examples Access Management Configuration Example Network requirements Client PCs are connected to the external network through Switch A (an Ethernet switch). The IP addresses of the PCs of Organization 1 are in the range 202.
1-4 [Sysname-Ethernet1/0/1] am ip-pool 202.10.20.1 20 Combining Access Management with Port Isolation Network requirements Client PCs are connected to the external network through Switch A (an Ethernet switch). The IP addresses of the PCs of Organization 1 are in the range 202.
1-5 # Set the IP address of VLAN-interface 1 to 202.10.20.200/24. [Sysname] interface Vlan-interface 1 [Sysname-Vlan-interface1] ip address 202.10.20.200 24 [Sysname-Vlan-interface1] quit # Configure the access management IP address pool on Ethernet 1/0/1.
i Table of Contents Appendix A Acronyms
A-1 Appendix A Acronyms A AAA Authentication, Authorization and Accounting ABR Area Border Router ACL Access Control List ARP Address Resolution Protocol AS Autonomous System ASBR Autonomous System B.
A-2 LSDB Link State DataBase M MAC Medium Access Control MIB Management Information Base N NBMA Non Broadcast MultiAccess NIC Network Information Center NMS Network Management System NTP Network Ti.
A-3 VPN Virtual private network W WRR Weighted Round Robin X XID eXchange Identification XRN eXpandable Resilient Networking.