User / maintenance manual for the 5500-SI product from the manufacturer 3Com
3Com® Switch 5500 Family Configuration Guide. Switch 5500-SI, Switch 5500-EI, Switch 5500G-EI. www.3Com.com. Part Number: 1001492 2 Rev. AC. Published: December 2006.
3Com Corporation, 350 Campus Drive, Marlborough, MA USA 01752-3064. Copyright © 2006, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
3 CONTENTS ABOUT THIS GUIDE Organization of the Manual 21 Intended Readership 22 Conventions 22 Related Manuals 23 1 GETTING STARTED Product Overview 25 XRN Overview 26 Major Techno.
4 CHAPTER : CONTENTS Displaying Port Configuration Information in Brief 67 Ethernet Port Configuration Example 67 Ethernet Port Troubleshooting 68 Link Aggregation Configuration 68 Link Aggregati.
5 Protocol-Based VLAN Configuration 100 Configuring Protocol-Based VLANs 100 Displaying the Information about Protocol-Based VLANs 101 Voice VLAN Configuration 102 Voice VLAN Configuration 102 D.
6 10 DHCP SERVER CONFIGURATION Introduction to DHCP Server 125 Usage of DHCP Server 125 DHCP Fundamentals 125 DHCP Packet Processing Modes 127 DHCP Address Pool 127 Global Addre.
7 12 VRRP CONFIGURATION VRRP Overview 151 Virtual Router Overview 152 Introduction to Backup Group 153 VRRP Configuration 155 Configuring a Virtual Router IP address 155 Configuring Backup Grou.
8 Introduction to the Protection Functions 185 Prerequisites 186 Configuring BPDU Protection 187 Configuring Root Protection 187 Configuring Loop Prevention 188 Configurin.
9 Displaying and Debugging RIP 233 Example: Typical RIP Configuration 233 Troubleshooting RIP 234 OSPF Configuration 235 Calculating OSPF Routes 235 Basic Concepts Related to OSPF 236 Configuring .
10 Option 82 Supporting Configuration 288 Prerequisites 288 Enabling Option 82 Supporting on a DHCP Relay 288 Option 82 Supporting Configuration Example 289 Introduction to .
11 Displaying Multicast MAC Address Configuration 324 Multicast Source Deny Configuration 325 Clearing MFC Forwarding Entries or Statistics Information 325 Clearing Route Entries From The Core Mult.
12 Applying QoS Profile to the Port 374 QoS Profile Configuration Example 374 ACL Control Configuration 376 Configuring ACL for Telnet Users 376 Defining ACL 376 Importing ACL 3.
13 Configuring Timers 398 Enabling/Disabling a Quiet-Period Timer 399 802.1x Client Version Checking Configuration 399 Enabling the 802.1x Client Version Checking Function 399 Configuring the Maximum Number of Retries to Send Version Checking Request Packets 399 Configuring the Version Checking Timer 400 802.
14 Configuring User Re-authentication at Reboot 425 Configuration Example for User Re-authentication at Reboot 425 Setting the RADIUS Packet Encryption Key 425 Tag VLAN Assignment on Trunk/Hybrid Port Supported by 802.
15 MAC Address Table Management 451 MAC Address Table Configuration 452 Displaying MAC Address Table 454 MAC Address Table Management Display Example 454 MAC Address Table Management Configur.
16 Configure NTP Broadcast Mode 502 Configure NTP Multicast Mode 504 Configure Authentication-enabled NTP Server Mode 505 SSH Terminal Services 506 Configuring SSH Server 507.
17 26 RSTP CONFIGURATION STP Overview 539 Implement STP 539 Configuration BPDU Forwarding Mechanism in STP 543 Implement RSTP on the Switch 543 RSTP Configuration 544 Enable/Disable RSTP on a Swit.
18 Network Management Operation Logging Configuration 569 Displaying and Debugging SNMP 570 SNMP Configuration Example 570 Reading Usmusr Table Configuration Example 571 29 S .
19 32 CLUSTERING Clustering Overview 601 Switch Roles 602 Introduction to NDP 603 Introduction to NTDP 603 Introduction to Cluster Roles 604 Management Device Configuration 605 Enabling System .
20 B RADIUS SERVER AND RADIUS CLIENT SETUP Setting Up A RADIUS Server 627 Configuring Microsoft IAS RADIUS 627 Configuring Funk RADIUS 652 Configuring FreeRADIUS 656 Setting U.
ABOUT THIS GUIDE This guide provides information about configuring your network using the commands supported on the 3Com® Switch 5500 Family. The descriptions in this guide apply to the Switch 5500-SI and Switch 5500-EI. Differences between the models are noted in the text.
22 ABOUT THIS GUIDE ■ ACL by RADIUS—Details ACL by RADIUS Configuration. ■ Auto Detect—Details Auto Detect Configuration. ■ RSTP—Details Spanning Tree Protocol Configuration. ■ PoE—Details PoE profile Configuration. ■ SNMP—Details Simple Network Management Protocol Configuration.
Related Manuals 23 Related Manuals The 3Com Switch 5500 Family Getting Started Guide provides information about installation. The 3Com Switch 5500 Family Command Reference Guide provides all the information you need to use the configuration commands.
1 GETTING STARTED This chapter covers the following topics: ■ Product Overview ■ XRN Overview ■ Product Features ■ Logging in to the Switch ■ Command Line Interface ■ User Interface Configuration Product Overview The Switch 5500 Family comprises Layer 3 switching products supporting expandable resilient networking (XRN).
26 CHAPTER 1: GETTING STARTED The Switch 5500 family supports the following services: ■ Internet broadband access ■ MAN (metropolitan area network), enterprise/campus networking ■ Multicast service, multicast routing, and audio and video multicast service.
Product Features 27 Figure 1 Networking Topology with XRN (figure labels: Unit 1, Unit 2, Unit 3, Unit 4, Fabric, Server, Core switches, Workgroup switches, Desktop PCs) Product Features Table 4 describes the features: Table 4 Function Features Features Description Port 802.
28 Multicast Internet Group Management Protocol (IGMP) Snooping Multicast VLAN Registration (MVR) Internet Group Management Protocol (IGMP) (EI models only) Protocol-Ind.
Logging in to the Switch 29 Logging in to the Switch This section describes how to log in to the switch. Setting up Configuration Environment through the Console Port Perform the following procedure to set up the configuration environment through the console port.
30 Figure 3 Setting up a New Connection Figure 4 Configuring the Port for Connection.
31 Figure 5 Setting Communication Parameters 3 The Switch is powered on and it displays self-test information. Press <Enter> to show the command line prompt, such as <SW5500>. 4 Enter a command to configure the Switch or view the operation state.
32 Figure 6 Setting up the Configuration Environment through Telnet 3 Run Telnet on the PC and enter the IP address of the VLAN connected to the network port on the PC. Figure 7 Running Telnet 4 The terminal displays Login authentication and prompts the user to enter the logon password.
33 Figure 8 Providing Telnet Client Service 1 Authenticate the Telnet user through the console port on the Telnet Server (a Switch) before login. By default, the password is required to authenticate Telnet users and to enable them to log on to the Switch.
34 2 Perform the following configurations on the Modem that is directly connected to the Switch. (You are not required to configure the Modem connected to the terminal.
35 Figure 9 Setting up Remote Configuration Environment 4 Dial for connection to the Switch, using the terminal emulator and Modem on the remote end. The number you dial is the telephone number of the Modem connected to the Switch.
36 Figure 11 Dialing on the Remote PC 5 Enter the preset login password on the remote terminal emulator and wait for the prompt <SW5500>. Then you can configure and manage the Switch. Enter ? to view online help.
Command Line Interface 37 Command Line Interface The Switch 5500 family provides a series of configuration commands and command line interfaces for configuring and managing the Switch. The command line interface has the following characteristics: ■ Local configuration through the console port.
38 user has entered super password [ level level ] { simple | cipher } password . .) For the sake of confidentiality, the password the user enters is not displayed on the screen. Only when the correct password is input three times can the user switch to the higher level.
39 VLAN Interface View Configure IP interface parameters for a VLAN or a VLAN aggregation [SW5500-Vlan-interface1] Enter interface vlan-interface 1 in System View quit returns t.
40 Features and Functions of Command Line Command Line Help The command line interface provides full and partial online help. You can get help information through the online help commands, which are described below: 1 Enter ? in any view to get all the commands in that view.
41 Displaying Characteristics of the Command Line The command line interface provides a pausing function. If the information to be displayed exceeds one screen, users have three choices, as shown in Table 6. History Command The command line interface provides a function similar to that of the DosKey.
42 Editing Characteristics of Command Line The command line interface provides basic command editing and supports the editing of multiple lines.
User Interface Configuration 43 To number the user interface by relative number, represented by interface + number assigned to each type of user interface: ■ AUX user interface = AUX 0. ■ The first VTY interface = VTY 0, the second one = VTY 1, and so on.
44 Configuring the Attributes of AUX (Console) Port Use the speed, flow control, parity, stop bit, and data bit commands to configure these attributes of the AUX (console) port. Perform the following configurations in User Interface (AUX user interface only) View.
45 Configuring the Terminal Attributes The following commands can be used for configuring the terminal attributes, including enabling/disabling terminal service, disconnection upon timeout, lockable user interface, configuring terminal screen length, and history command buffer size.
46 Setting the Screen Length If a command displays more than one screen of information, you can use the following command to set how many lines are displayed per screen, so that the information is split across screens and you can view it more conveniently.
47 Perform the following configuration in User Interface View. Configure for password authentication when a user logs in through a VTY 0 user interface and set the password to 3Com.
48 By default, the specified logged-in user can access the commands at Level 1. Setting the Command Level used after a User Logs In from a User Interface You can us.
49 auto-execute command The following command is used to automatically run a command after you log in. After a command is configured to be run automatically, it will be automatically executed when you log in again.
2 ADDRESS MANAGEMENT CONFIGURATION Introduction to Address Management You can easily configure the switch on which the Address Management (AM) feature is enabled to allow a user with the specified MAC address to gain network access through the specified IP address in a small network, such as a campus network.
52 CHAPTER 2: ADDRESS MANAGEMENT CONFIGURATION Perform the following operations to bind the MAC address and IP address of a legal user to the specified port; no other configuration is required. Address Management Configuration Example This section contains configuration examples.
Address Management Configuration Example 53 To configure an address management IP address pool on GigabitEthernet 1/0/1, allowing 20 IP addresses starting from 202.10.20.1 to 202.10.20.20 to access the network, enter the following: [S5500] interface GigabitEthernet 1/0/1 [S5500-GigabitEthernet 1/0/1] am ip-pool 202.
3 PORT OPERATION This chapter covers the following topics: ■ Ethernet Port Configuration Introduction ■ Link Aggregation Configuration ■ Global Broadcast Suppression Feature ■ Configuring.
56 CHAPTER 3: PORT OPERATION Entering Ethernet Port View Before configuring an Ethernet port, enter Ethernet Port View. Perform the following configuration in System View. Enabling/Disabling an Ethernet Port Use the following command to disable or enable the port.
Ethernet Port Configuration Introduction 57 duplex and can be configured to operate in full (full duplex) or auto (auto-negotiation) mode. The port defaults to auto (auto-negotiation) mode. Setting Speed on the Ethernet Port Use the following command to set the speed of the Ethernet port.
58 Permitting/Forbidding Jumbo Frames to Pass through an Ethernet Port An Ethernet port may encounter jumbo frames exceeding the standard frame length when switching high-throughput data such as file transfers. This command can forbid or permit jumbo frames to pass through an Ethernet port.
59 Perform the following configuration in Ethernet Port View. By default, the port is an access port. Note that: ■ You can configure four types of ports concurrently on the same Switch, but you cannot switch port type between trunk port, hybrid port and stack port.
60 can configure to tag some VLAN packets, based on which the packets can be processed differently. Setting the Default VLAN ID for the Ethernet Port Because the access port can only be included in one VLAN, its default VLAN is the one to which it belongs.
61 Loopback detection for a port is enabled only when the loopback-detection enable command is enabled under both system view and port view. When the undo loopback-detection enable command is used under system view, the loopback detection function will be disabled for all ports.
62 By default, port loopback detection and the loopback detection control function on trunk and hybrid ports are disabled. The detection interval is 30 seconds, and the system detects the default VLAN on the trunk and hybrid ports.
63 authenticated devices can obtain data frames from the port so as to prevent illegal devices from filching network data.
64 The time set by the port-security timer disableport timer command takes effect when the disableport-temporarily mode is set by the port-security intrusion-mode command. To avoid conflicts, the following limitation on the 802.
65 Network diagram Figure 14 Network diagram for port security configuration Configuration procedure Configure switch A as follows: 1 Enter the system view. <S5500> system-view 2 Enable port security. [S5500] port-security enable 3 Enter Ethernet1/0/1 port view.
66 statistics. The VLAN setting includes permitted VLAN types and default VLAN ID. The port setting includes port link type, port speed, and duplex mode. LACP setting includes LACP enabling/disabling. Perform the following configuration in System View.
67 Displaying Port Configuration Information in Brief This S5500 version has a new command, display brief interface, for you to display the port configuration information in brief, including the port type, link state, link rate, duplex attribute, link type and default VLAN ID.
68 Ethernet Port Troubleshooting Fault: Default VLAN ID configuration failed. Troubleshooting: Take the following steps. 1 Use the display interface or display port command to check if the port is a trunk port or a hybrid port.
Link Aggregation Configuration 69 Types of Link Aggregation The types of link aggregation are described in the following sections: ■ Manual Aggregation and Static LACP Aggregation ■ Dynamic LACP.
70 ■ The system sets to inactive state the ports with basic configurations different from that of the active port with the minimum port number.
71 ■ Aggregation groups with the minimum master port numbers, if they reach the same rate as other groups after the resources are allocated to them. When aggregation groups of higher priority levels appear, the aggregation groups of lower priority levels release their hardware resources.
72 Creating/Deleting an Aggregation Group Use the following command to create a manual aggregation group or a static LACP aggregation group; a dynamic LACP aggregation group is established by the system when LACP is enabled on the ports.
73 ■ port with static ARP configured ■ port with 802.1x enabled. ■ You must delete the aggregation group, instead of the port, if the manual or static LACP aggregation group contains only one port. Setting/Deleting the Aggregation Group Descriptor Perform the following configuration in System View.
74 Perform the following configuration in Ethernet Port View. By default, port priority is 32768. Displaying and Debugging Link Aggregation After the above configurati.
75 Link Aggregation Configuration Example Networking Requirement Switch A connects to Switch B with three aggregation ports, numbered Ethernet1/0/1 to Ethernet1/0/3, so that incoming/outgoing load can be balanced among the member ports.
76 Only when the three ports are configured with identical basic configuration, rate and duplex mode can they be added into the same dynamic aggregation group after LACP is enabled on them, for load sharing.
Displaying Information About a Specified Optical Port 77 Displaying Information About a Specified Optical Port You can use the display transceiver-information interface command to display the fol.
4 XRN CONFIGURATION This chapter covers the following topics: ■ Introduction to XRN ■ Configuring an XRN Fabric ■ Fabric Configuration Example Introduction to XRN Several XRN Switches of the same model can be interconnected to create a “Fabric”, in which each Switch is a unit.
80 CHAPTER 4: XRN CONFIGURATION Table 60 Configuring FTM The Switch 5500 Series: the SI units support basic XRN, that is, Distributed Device Management (DDM) and Distributed Link Aggregation (DLA); the EI units support enhanced XRN, that is, DDM, Distributed Resilient Routing (DRR).
Configuring an XRN Fabric 81 ■ If the modified unit ID is an existing one, the Switch prompts you to confirm whether you really want to change the unit ID. If you choose to change, the existing unit ID is replaced and the priority is set to 5.
82 Table 66 Setting a Fabric Name for Switches By default, the Fabric name is “5500-EI”. Setting an XRN Authentication Mode for Switches Only the Switches with the same Fabric name and XRN authentication mode can constitute a Fabric.
RMON on XRN 83 Networking Diagram Figure 18 Networking Diagram of a Fabric Configuration Procedure Configure Switch A: [SW5500] change unit-id 1 to 1 [SW5500] fabric-port gigabitethernet1/0/51 enable.
84 If you configure the same entry in the same ROM group for devices of a fabric to different values, the entry values of all the conflicting devices will adopt that of the conflicting device with the smallest Unit ID when you synchronize the devices.
Peer Fabric Port Detection 85 ■ If the switch can receive DISC packets sent by the peer, the FTM module determines whether peer sending ports correspond to local receiving ports according to information in the packet.
86 reached max units Analysis: The "reached max units" message indicates that the maximum number of units allowed by the current fabric has been reached. You will fail to add new devices to the fabric in this case.
Multiple Fabric Port Candidates 87 A port cannot be a fabric port if the jumboframe function is enabled on the port. So make sure the jumboframe function is disabled on a port if you want to configure the port to be a fabric port.
5 DLDP CONFIGURATION This chapter contains the DLDP overview, fundamentals, precautions during configuration, and configuration information. DLDP Overview You may have encountered unidirectional links in networking.
90 CHAPTER 5: DLDP CONFIGURATION DLDP provides the following features: ■ As a link layer protocol, it works together with the physical layer protocol to monitor the link status of a device.
DLDP Overview 91 DLDP operating mode DLDP can operate in two modes: normal and enhanced. DLDP implementation 1 If the link is up after DLDP is enabled on the port, DLDP sends DLDP packets to the peer device, and analyses and processes DLDP packets received from the peer device.
92 2 DLDP analyzes and processes received packets as follows: ■ In authentication mode, DLDP authenticates the packets on the port, and discards those that do not pass the authentication.
DLDP Configuration 93 Precautions During DLDP Configuration It is recommended that the following precautions be taken during DLDP configuration: ■ DLDP works only when the link is up.
94 When you use the dldp enable/dldp disable command in system view to enable/disable DLDP globally on all optical ports of the switch, this command is only valid for existing optical ports on the device; it is not valid for those added subsequently.
DLDP Configuration Example 95 Network diagram Figure 21 Fiber cross-connection Figure 22 Correct connection/disconnection in one direction Configuration procedure 1 Configure SwitchA a Configure .
96 e Set the DLDP handling mode for unidirectional links to auto [S5500A] dldp unidirectional-shutdown auto f Display the DLDP status on Switch A [S5500A] display dld.
6 VLAN OPERATION This chapter covers the following topics: ■ VLAN Configuration ■ Voice VLAN Configuration VLAN Configuration This chapter describes how to configure a VLAN. VLAN Overview A virtual local area network (VLAN) creates logical groups of LAN devices into segments to implement virtual workgroups.
98 CHAPTER 6: VLAN OPERATION Adding Ethernet Ports to a VLAN Use the following command to add Ethernet ports to a VLAN. Perform the following configuration in VLAN View.
VLAN Configuration 99 Shutting Down/Enabling the VLAN Interface Use the following command to shut down/enable a VLAN interface. Perform the following configuration in VLAN Interface View. The operation of shutting down or enabling the VLAN interface has no effect on the UP/DOWN status of the Ethernet ports on the local VLAN.
100 Configuration Procedure 1 Create VLAN 2 and enter its view. [SW5500] vlan 2 2 Add Ethernet1/0/1 and Ethernet1/0/2 to VLAN 2. [SW5500-vlan2] port ethernet1/0/1 to ethernet1/0/2 3 Create VLAN 3 and enter its view. [SW5500-vlan2] vlan 3 4 Add Ethernet1/0/3 and Ethernet1/0/4 to VLAN 3.
Protocol-Based VLAN Configuration 101 I. Creating a VLAN protocol type Table 85 lists the operations to create a VLAN protocol type. As the mode llc dsap ff ssap ff and ipx raw keywords result i.
102 Voice VLAN Configuration Voice VLAN is specially designed for users’ voice flow, and it assigns different port precedence in different cases. The system uses the source MAC of the traffic travelling through the port to identify the IP Phone data flow.
Voice VLAN Configuration 103 Enabling/Disabling Voice VLAN Features Enable/disable the Voice VLAN in System View. The VLAN must already exist before you can enable Voice VLAN features. You cannot delete a specified VLAN that has enabled Voice VLAN features, and only one VLAN can enable Voice VLAN at one time.
104 Enabling/Disabling Voice VLAN Security Mode In security mode, the system filters out traffic within the Voice VLAN whose source MAC does not match a configured OUI, while the other VLANs are not affected. If security mode is disabled, the system does not filter anything.
105 Configuring a voice VLAN to operate in manual mode Refer to Table 96 to configure a VLAN in manual mode. You can enable the voice VLAN feature for only one VLAN at a time. A port operating in the automatic mode cannot be added to/removed from a voice VLAN.
106 Displaying and Debugging of Voice VLAN After completing the above configuration, enter the display command in any view to view the configuration and running state of Voice VLAN.
Creating VLANs in Batches 107 Creating VLANs in Batches To improve efficiency, you can create VLANs in batches by performing the operations listed in Table 98. Voice VLAN Configuration Voice VLANs are VLANs configured specially for voice data streams.
108 As multiple types of IP phones exist, you need to match the port mode with the type of voice stream sent by the IP phones, as listed in Table 99. Configuring the Voice VLAN Function Configuration Prerequisites ■ Create the corresponding VLAN before configuring a voice VLAN.
109 Configuring a voice VLAN to operate in automatic mode Voice VLAN Displaying and Debugging Refer to Table 101 to display or debug a voice VLAN. Voice VLAN Configuration Example Network requirements ■ Create VLAN 3 as a voice VLAN.
110 3 Enable the voice VLAN function for the port and configure the port to operate in manual mode. [S5500-vlan3] quit [S5500] interface Ethernet1/0/3 [S5500-Ethernet1/0/3] voice vlan enable [S5500-Ethernet1/0/3] undo voice vlan mode auto [S5500-Ethernet1/0/3] quit 4 Specify the OUI address.
7 GVRP CONFIGURATION This chapter contains GVRP configuration information. Introduction to GVRP GVRP (GARP VLAN Registration Protocol) is an application of GARP (Generic Attribute Registration Protocol).
112 CHAPTER 7: GVRP CONFIGURATION ■ Leave: When a GARP entity expects to unregister a piece of attribute information, it sends out a Leave message.
Introduction to GVRP 113 GVRP Packet Format The GVRP packets are in the following format: Figure 26 Format of GVRP packets Table 102 describes the packet fields in Figure 26.
114 GVRP Configuration The GVRP configuration tasks include configuring the timers, enabling GVRP, and configuring the GVRP port registration mode. Configuration Prerequisite The port on which GVRP will be enabled must be configured as a Trunk port.
GVRP Configuration 115 Table 104 describes the relations between the timers: Configuration Example Network requirements You should enable GVRP on the switches to implement the dynamic registration and update of VLAN information between the switches.
116 b Configure the port Ethernet1/0/2 as a Trunk port, and allow all VLAN packets to pass [S5500] interface Ethernet1/0/2 [S5500-Ethernet1/0/2] port link-type trunk [S5500-Ethernet1/0/2] port trunk permit vlan all c Enable GVRP on the Trunk port.
8 VLAN-VPN CONFIGURATION This chapter contains configuration information to create VLAN-VPNs. VLAN-VPN Overview The VLAN-VPN function enables packets to be transmitted across the operators’ backbone networks with the VLAN tags of private networks nested in those of public networks.
118 CHAPTER 8: VLAN-VPN CONFIGURATION Adjusting the TPID Values of VLAN-VPN Packets Tag protocol identifier (TPID) is a portion of the VLAN tag field. IEEE 802.1Q specifies the value of TPID to be 0x8100. Figure 30 illustrates the structure of the Tag field of an Ethernet frame defined by IEEE 802.
Inner VLAN Tag Priority Replication Configuration 119 The VLAN-VPN function is unavailable if the port has any of the protocols among GVRP, GMRP, XRN, NTDP, STP and 802.
120 You can execute the vlan-vpn enable or vlan-vpn uplink enable command for a port, but do not execute both commands for the same port.
VLAN-VPN Configuration Example 121 Configuration Procedure Perform the following procedure to configure switches A and C. 1 Configure Switch A and Switch C. As the configuration performed on Switch A and Switch C is the same, the configuration on Switch C is omitted.
9 DHCP OVERVIEW Introduction to DHCP With networks getting larger in size and more complicated in structure, a lack of available IP addresses becomes the common situation network administrators have to face, and network configuration becomes a tough task for them.
124 CHAPTER 9: DHCP OVERVIEW DHCP IP Address Assignment This section contains information on DHCP IP Address Assignments. IP Address Assignment Policy Currently, DHCP provides the following three IP address assignment policies to meet the requirements of different clients: ■ Manual assignment.
10 DHCP SERVER CONFIGURATION Introduction to DHCP Server This section contains a configuration introduction for the DHCP Server. Usage of DHCP Server Generally, DHCP servers are used in the following .
126 CHAPTER 10: DHCP SERVER CONFIGURATION IP address lease update After a DHCP server dynamically assigns an IP address to a DHCP client, the IP address stays valid only within a specified lease time and will be reclaimed by the DHCP server when the lease expires.
Introduction to DHCP Server 127 DHCP Packet Processing Modes ■ Global address pool: In response to the DHCP packets received from DHCP clients, the DHCP server picks IP addresses from its global address pools and assigns them to the DHCP clients.
128 (such as domain name), you just need to configure them on the network segment or the corresponding subnets. The following are the details of configuration inheritance. ■ A newly created child address pool inherits the configurations of its parent address pool.
Global Address Pool-Based DHCP Server Configuration 129 Configuring Global Address Pool Mode on Interface(s) You can configure the global address pool mode on the specified or all interfaces of a DHCP server.
130 The static-bind ip-address command and the static-bind mac-address command can be executed repeatedly. In this case, the new configuration overwrites the previous one.
131 You can configure domain names to be used by DHCP clients for address pools. After you do this, the DHCP server provides the domain names to the DHCP clients at the same time as it assigns IP addresses to them.
132 Customizing DHCP Service With the evolution of DHCP, new options are constantly coming into being. You can add the new options as the properties of DHCP servers by performing the following configuration.
Interface Address Pool-based DHCP Server Configuration 133 interfaces eases configuration work load and makes you to configure in a mor e convenient way . Enabling DHCP Y ou need to enable DHCP before perf orming DHCP configurations. DHCP-related configurations are valid on ly when DHCP is enabled.
134 C HAPTER 10: DHCP S ERVER C ONFIGURATION bound to a DHCP client to come from a sp ecial DHCP addr ess pool that contains only the IP address. Configuring to assign IP ad dr esses by static binding Some DHCP clients, such as WWW servers, need to be assigned fixed IP addr esses.
Interface Address Pool-based DHCP Server Configuration 135 The dhcp serv er forbidden-ip command can be executed repeatedly . That is, you can repeatedly configure IP addresses that ar e not dynamically assigned to DHCP clients.
136 C HAPTER 10: DHCP S ERVER C ONFIGURATION Configuring NetBIOS Services for DHCP Clients For Microsoft Windows-based DHCP clie nts th at communicate through NetBIOS protocol, the host name-to-IP address transla tion is carried out by WINS servers. So you need to perform WINS-related conf iguration for most Win dows-based hosts.
DHCP Security Configurati on 137 Customizing DHCP Service Wi th the evolution of DHCP , new optio ns are constantly coming into being. Y ou can add the new options as the properties of DHCP servers by performing the fo llowing configuration. DHCP Security Configuration DHCP security configuration is needed to ensure the security of DHCP service.
138 C HAPTER 10: DHCP S ERVER C ONFIGURATION receives a r esponse or the number of the se nt ICMP packets reaches the specified maximum number . The DHCP server assigns the IP address to the DHCP client only when no response is r eceived during the whole course.
Option 184 Supporti ng Configurati on 139 The sub-option 3 of opt ion 184 comprises two parts, w hich carry the previously mentioned two items respectively . A flag value of 0 indicates that the voice VLAN identification function is not enab led, in which case the inform ation carried by the VLAN ID part will be neglected.
140 C HAPTER 10: DHCP S ERVER C ONFIGURATION Configuring the option 184 supporting function in system view Perform the operation s listed in T able 129 if you specify to assign IP addresses of an interface-based address pool to DHCP clients. This method allows you to configure the opt ion 184 supporting function for multip le interfaces.
Option 184 Supporti ng Configurati on 141 Configuring the option 184 supporting function in interface view Perform the operation s listed in T able 130 if you specify to assign IP addresses of an interface-based address pool to DHCP clients. This method allows you to configure the optio n 184 supporting function for a sp ecific interface.
142 C HAPTER 10: DHCP S ERVER C ONFIGURATION Configuring the option 184 supporting func tion in global DHCP address pool view Perform the operation s listed in T able 131 if you specify to assign IP addresses of a global DHCP address pool to DHCP clients.
Option 184 Supporti ng Configurati on 143 Network diagram Figure 33 Network diagram for option 184 supporting configuration Configuration procedur e 1 Configure the DHCP client Configure the 3COM VCX device to operate as a DHCP client and to re quest for all sub-options of option 184 .
144 C HAPTER 10: DHCP S ERVER C ONFIGURATION DHCP Server Displaying and Debugging Y ou can verify your DHCP-related configuration by executing the display command in any view . T o clear the informatio n about DHCP servers, execute the reset command in user view .
DHCP Server Configuration Example 145 The DHCP settings o f the 10.1.1 .0/25 network segment are as follows: ■ Lease time: 10 days plus 12 hours ■ Domain name: aabbcc.com ■ DNS server: 10.1.1.2 ■ NetBIOS server: none ■ Gateway: 10.1 .1.126 The DHCP settings of the 10.
146 C HAPTER 10: DHCP S ERVER C ONFIGURATION 5 Return to sys tem view . [S5500-dhcp-pool-1] quit 6 Configure DHCP addr ess pool 2, including address range, domain name, DNS server address, lease time, NetBIOS server address, and gateway address. [S5500] dhcp server ip-pool 2 [S5500-dhcp-pool-2] network 10.
11 DHCP RELAY CONFIGURATION Introduction to DHCP Relay This section contains an introduction to DHCP Relay. Usage of DHCP Relay Early DHCP implementations assume that DHCP clients and DHCP servers are on the same network segment, that is, you need to deploy at least one DHCP server for each network segment, which is far from economical.
148 CHAPTER 11: DHCP RELAY CONFIGURATION Actually, a DHCP relay enables DHCP clients and DHCP servers on different networks to communicate with each other by forwarding the DHCP broadcast packets transparently between them.
DHCP Relay Displaying 149 The group number referenced in the dhcp-server groupNo command must have already been configured by using the dhcp-server groupNo ip ipaddress1 [ ipaddress-list ] command. DHCP Relay Displaying You can verify your DHCP relay-related configuration by executing the following display commands in any view.
150 CHAPTER 11: DHCP RELAY CONFIGURATION 5 Configure an IP address for the VLAN 2 interface, so that this interface is on the same network segment as the DHCP clients.
12 VRRP CONFIGURATION VRRP Overview Virtual router redundancy protocol (VRRP) is a fault-tolerant protocol. As shown in Figure 37, in general, ■ A default route (for example, the next hop address of the default route is 10.100.10.1, as shown in Figure 37) is configured for every host on a network.
152 CHAPTER 12: VRRP CONFIGURATION Figure 38 Virtual router The switches in the backup group have the following features: ■ This virtual router has its own IP address: 10.100.10.1 (which can be the interface address of a switch within the backup group).
VRRP Overview 153 ■ The virtual router IP addresses and the real IP addresses used by the member switches in the backup group must belong to the same network segment. If they are not in the same network segment, the backup group will be in initial state.
154 CHAPTER 12: VRRP CONFIGURATION Configuring switch priority The status of each switch in a backup group is determined by its priority. The master switch in a backup group is the one currently with the highest priority. Switch priority ranges from 0 to 255 (a larger number indicates a higher switch priority) and defaults to 100.
VRRP Configuration 155 Configuring VRRP timer The master switch advertises its normal operation state to the switches within the VRRP backup group by sending VRRP packets once in each specified interval (determined by the adver-interval argument).
156 CHAPTER 12: VRRP CONFIGURATION Configuring Backup Group-Related Parameters Table 138 lists the operations to configure a switch in a backup group. Configure a virtual router IP address vrrp vrid virtual-router-ID virtual-ip virtual-address Optional virtual-router-ID: VRRP backup group ID.
Displaying and Clearing VRRP Information 157 Displaying and Clearing VRRP Information You can execute the display command in any view to view the VRRP configuration.
158 CHAPTER 12: VRRP CONFIGURATION Configuration procedure 1 Configure Switch A. a Configure VLAN 2. <LSW-A> system-view System View: return to User View with Ctrl+Z. [LSW-A] vlan 2 [LSW-A-vlan2] port Ethernet 1/0/6 [LSW-A-vlan2] quit [LSW-A] interface vlan-interface 2 [LSW-A-Vlan-interface2] ip address 202.
VRRP Configuration Example 159 Network diagram Figure 40 Network diagram for interface tracking configuration Configuration procedure 1 Configure Switch A.
160 CHAPTER 12: VRRP CONFIGURATION 2 Configure switch B. a Configure VLAN 2. <LSW-B> system-view System View: return to User View with Ctrl+Z. [LSW-B] vlan 2 [LSW-B-vlan2] port Ethernet 1/0/5 [LSW-B-vlan2] quit [LSW-B] interface vlan-interface 2 [LSW-B-Vlan-interface2] ip address 202.
VRRP Configuration Example 161 Network diagram Figure 41 Network diagram for multiple-VRRP backup group configuration Configuration procedure 1 Configure Switch A. a Configure VLAN 2. <LSW-A> system-view System View: return to User View with Ctrl+Z.
162 CHAPTER 12: VRRP CONFIGURATION b Create backup group 1. [LSW-B-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111 c Create backup group 2. [LSW-B-Vlan-interface2] vrrp vrid 2 virtual-ip 202.38.160.112 d Set the priority for backup group 2.
13 MSTP CONFIGURATION MSTP Overview Spanning tree protocol (STP) cannot enable Ethernet ports to transit their states rapidly. It costs twice the forward delay for a port to transit to the forwarding state even if the port is on a point-to-point link or is an edge port.
164 CHAPTER 13: MSTP CONFIGURATION Basic MSTP Terminologies Figure 42 illustrates primary MSTP terms (assuming that each switch in it has MSTP employed). Figure 42 Basic MSTP terminologies MST region A multiple spanning tree (MST) region comprises multiple switches and the connected network segments.
MSTP Overview 165 IST An internal spanning tree (IST) is a spanning tree in an MST region. ISTs, along with the common spanning tree (CST), form the common and internal spanning tree (CIST) of the entire switched network. An IST is a branch of the CIST and is a special MSTI.
166 CHAPTER 13: MSTP CONFIGURATION The role of a region edge port is consistent with that of the port in the CIST. For example, port 1 on switch A shown in Figure 43 is a region edge port, and it is a master port in the CIST. Therefore, it is a master port in all MSTIs in the region.
MSTP Overview 167 Determining an MSTI In an MST region, MSTP generates different MSTIs for different VLANs according to VLAN-to-spanning tree mappings.
168 CHAPTER 13: MSTP CONFIGURATION MSTP Implementation on Switches MSTP is compatible with both STP and RSTP. That is, switches running MSTP can recognize STP and RSTP packets and use them to calculate spanning trees.
Root Bridge Configuration 169 Prerequisites Before configuration, determine what roles the switches will play in the spanning trees, that is, whether a switch will be the root, a branch, or a leaf in a spanning tree.
170 CHAPTER 13: MSTP CONFIGURATION Configuration example 1 Configure an MST region, with the name being info, the MSTP revision level being level 1, VLAN 2 through VLAN 10 being mapped to MSTI 1, and VLAN 20 through VLAN 30 being mapped to MSTI 2.
Root Bridge Configuration 171 A secondary root bridge becomes a root bridge if the original root bridge fails or is turned off. A secondary root bridge remains unchanged if a new root bridge is configured.
172 CHAPTER 13: MSTP CONFIGURATION Configuration example Configure the bridge priority of the current switch to be 4,096 in spanning tree instance 1.
Root Bridge Configuration 173 Configuration procedure Note that only the maximum hop count setting configured on a switch acting as the region root limits the size of the MST region. Configuration example Set the maximum hop count of the MST region to 30 on the future region root.
174 CHAPTER 13: MSTP CONFIGURATION To solve this problem, MSTP adopts the state transition mechanism. With this mechanism, new root ports and designated ports must go through an intermediate state to the forwarding state, so that the new BPDUs can be advertised throughout the network.
Root Bridge Configuration 175 It is recommended that you specify the network diameter and the Hello time by using the stp root primary or stp root secondary command.
176 CHAPTER 13: MSTP CONFIGURATION Configuration procedure in system view Configuration procedure in Ethernet port view You can configure the maximum transmission speed of ports with either of the above two methods.
Root Bridge Configuration 177 Configuration procedure in system view Configuration procedure in Ethernet port view On a switch with BPDU protection not enabled, an edge port becomes a non-edge port again once it receives a BPDU from another port.
178 CHAPTER 13: MSTP CONFIGURATION Configuration procedure in system view Configuration procedure in Ethernet port view Only the master ports of aggregation ports can be configured to connect to a point-to-point link.
Root Bridge Configuration 179 Configuration example Configure port Ethernet1/0/1 to connect to a point-to-point link. 1 Configure in system view. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp interface ethernet1/0/1 point-to-point force-true 2 Configure in Ethernet port view.
180 CHAPTER 13: MSTP CONFIGURATION Configuration example Enable MSTP on the switch and disable MSTP on port Ethernet1/0/1. 1 Configure in system view. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp enable [S5500] stp interface ethernet1/0/1 disable 2 Configure in Ethernet port view.
Leaf Node Configuration 181 Configuring MSTP Operation Mode Refer to “Configuring MSTP Operation Mode”. Configuring the Timeout Time Factor Refer to “Configuring the Timeout Time Factor”. Configuring the Maximum Transmission Speed of a Port Refer to “Configuring the Maximum Transmission Speed of a Port”.
182 CHAPTER 13: MSTP CONFIGURATION Normally, the path cost of a port in full-duplex mode is slightly less than that of the port in half-duplex mode. When calculating the path cost of an aggregate link, the 802.1D-1998 standard does not take the number of the aggregated links into account, whereas the 802.
Leaf Node Configuration 183 Configuration example (A) Configure the path cost of port Ethernet1/0/1 in spanning tree instance 1 to be 2,000. 1 Configure in system view. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp interface ethernet1/0/1 instance 1 cost 2000 2 Configure in Ethernet port view.
184 CHAPTER 13: MSTP CONFIGURATION Configuring the priority of a port in Ethernet port view Changes of port priorities can cause MSTP to redetermine the roles of ports, resulting in state transition of ports. A lower port priority value indicates a higher port priority.
Protection Functions Configuration 185 Configuration Procedure You can perform the mCheck operation in the following two ways. Performing the mCheck operation in system view Performing the mCheck operation in Ethernet port view CAUTION: Execute the stp mcheck command on switches configured to operate in MSTP mode only.
186 CHAPTER 13: MSTP CONFIGURATION automatically shut it down and notifies the network administrator of the situation. Only the administrator can restore edge ports that are shut down. Root protection A root bridge and its secondary root bridges must reside in the same region.
Protection Functions Configuration 187 Configuring BPDU Protection Configuration procedure Configuration example Enable the BPDU protection function.
188 CHAPTER 13: MSTP CONFIGURATION Configuring Loop Prevention Configuration procedure Configuration example Enable the loop prevention function on port Ethernet1/0/1.
BPDU Tunnel Configuration 189 Figure 44 BPDU Tunnel network hierarchy Configuring BPDU Tunnel Notes: ■ You must enable STP on a device before enabling the BPDU tunnel function on it. ■ The BPDU tunnel function is only available to access ports.
190 CHAPTER 13: MSTP CONFIGURATION Displaying and Debugging MSTP After completing the above configurations, you can display MSTP operation and verify your configuration by executing the display command in any view.
MSTP Configuration Example 191 Configuration procedure 1 Configure Switch A. a Enter MST region view. <S5500> system-view System View: return to User View with Ctrl+Z.
192 CHAPTER 13: MSTP CONFIGURATION 4 Configure Switch D. a Enter MST region view. <S5500> system-view System View: return to User View with Ctrl+Z.
BPDU Tunnel Configuration Example 193 2 Configure Switch B. a Enable RSTP. <S5500> system-view System View: return to User View with Ctrl+Z. [S5500] stp enable b Add port Ethernet0/1 to VLAN 10. [S5500] vlan 10 [S5500-Vlan10] port Ethernet 0/1 3 Configure Switch C.
194 CHAPTER 13: MSTP CONFIGURATION f Add the trunk port to all VLANs. [S5500-Ethernet1/0/1] port trunk permit vlan all Notes: ■ You must enable STP on a device before enabling the BPDU tunnel function on it. ■ The BPDU tunnel function is only available to access ports.
14 CENTRALIZED MAC ADDRESS AUTHENTICATION CONFIGURATION Introduction to Centralized MAC Address Authentication Centralized MAC address authentication controls access to a network through ports and MAC addresses. This kind of authentication requires no client software.
196 CHAPTER 14: CENTRALIZED MAC ADDRESS AUTHENTICATION CONFIGURATION Centralized MAC Address Authentication Configuration The following sections describe centralized MAC address authentication.
Centralized MAC Address Authentication Configuration 197 ■ Server-timeout timer. If the connection between a switch and a RADIUS server times out when the switch authenticates a user on one of its ports, the switch turns down the user. You can use the server-timeout timer to set the timeout time.
198 CHAPTER 14: CENTRALIZED MAC ADDRESS AUTHENTICATION CONFIGURATION 4 Enable global centralized MAC address authentication. [S5500] mac-authentication 5 Configure the domain name for centralized MAC address authentication users to be aabbcc163.
15 SSH TERMINAL SERVICES SSH Terminal Services This section contains information for SSH Terminal Services. Introduction to SSH Secure Shell (SSH) can provide information security and powerfu.
200 CHAPTER 15: SSH TERMINAL SERVICES Figure 48 Establish SSH channels through WAN The communication process between the server and client includes these five stages: 1 Version negotiation stage. These operations are completed at this stage: ■ The client sends a TCP connection request to the server.
SSH Terminal Services 201 ■ The client submits the user's authentication information to the server until the authentication succeeds or the connection is closed due to authentication timeout. SSH supports two authentication types: password authentication and RSA authentication.
202 CHAPTER 15: SSH TERMINAL SERVICES Configuring supported protocols When the SSH protocol is specified, to ensure a successful login, you must configure AAA authentication using the authentication-mode scheme command. The protocol inbound ssh configuration fails if you configured authentication-mode password or authentication-mode none.
SSH Terminal Services 203 Configuring authentication type New users must specify an authentication type. Otherwise, they cannot access the switch. If the RSA authentication type is defined, then the RSA public key of the client user must be configured on the switch.
204 CHAPTER 15: SSH TERMINAL SERVICES The manual mode is rather complex since it requires format conversion with the specific software first and then manual configuration. 2 Automatic mode with the command Operations on the client include: ■ SSH1.
SSH Terminal Services 205 SSH Client Configuration Table 186 describes SSH configuration tasks. In the initial authentication, if the SSH client does not have the public key for the server which it accesses for the first time, the client continues to access the server and saves the public key of the server locally.
206 CHAPTER 15: SSH TERMINAL SERVICES SSH Server Configuration Example Network requirements As shown in Figure 49, configure a local connection from the SSH client to the switch.
SSH Terminal Services 207 RSA public key authentication 1 Set AAA authentication on the user interfaces. [S5500] user-interface vty 0 4 [S5500-ui-vty0-4] authentication-mode scheme 2 Set the user interfaces to support SSH.
208 CHAPTER 15: SSH TERMINAL SERVICES Network diagram Figure 50 Network diagram for SSH client configuration Configuration procedure 1 Configure the client to run the initial authentication. [S5500] ssh client first-time enable 2 Configure server public keys on the client.
SSH Terminal Services 209 b Start the client and use RSA public key authentication according to the encryption algorithm defined. [S5500] ssh2 10.165.87.136 22 perfer_kex dh_group1 perfer_ctos_cipher des perfer_ctos_hmac md5 perfer_stoc_hmac md5 username: client003 Trying 10.
210 CHAPTER 15: SSH TERMINAL SERVICES BOTH the private AND public key MUST be in /home/user/ for OpenSSH to work. result: [root@localhost openssh-4.2p1]# ./ssh -2 -l 1 -i /home/user/ssh_rsa_key 192.168.0.131 SFTP Service The following sections describe the SFTP service.
SFTP Service 211 SFTP Client Configuration The following sections describe SFTP client configuration tasks: ■ Configuring the SFTP client ■ Enabling the SFTP client ■ Disabling the SFTP client.
212 CHAPTER 15: SSH TERMINAL SERVICES Disabling the SFTP client Operating with SFTP directories SFTP directory-related operations include: changing or displaying the current directory, creating or deleting a directory, displaying files or information of a specific directory.
SFTP Service 213 Displaying help information You can display help information about a command, such as syntax and parameters. SFTP Configuration Example Network requirements As shown in Figure 51, ■ An SSH connection is present between Switch A and Switch B.
214 CHAPTER 15: SSH TERMINAL SERVICES 2 Configure Switch A (SFTP client) a Establish a connection to the remote SFTP server and enter SFTP client view. [S5500] sftp 10.111.27.91 b Display the current directory on the SFTP server, delete file z and verify the operation.
SFTP Service 215 f Upload file pu to the SFTP server and rename it to puk. Verify the operations. sftp-client> put pu puk Local file: pu ---> Remote file: flash:/puk Uploading file successfully ended sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 vrpcfg.
16 IP ROUTING PROTOCOL OPERATION IP Routing Protocol Overview Routers select an appropriate path through a network for an IP packet according to the destination address of the packet. Each router on the path receives the packet and forwards it to the next router.
218 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Configuring the IP Routing Protocol is described in the following sections: ■ Selecting Routes Through the Routing Table ■ Routing Management Policy Selecting Routes Through the Routing Table For a router, the routing table is the key to forwarding packets.
IP Routing Protocol Overview 219 Figure 53 The routing table Routing Management Policy The Switch 5500 supports the configuration of a series of dynamic routing protocols such as RIP and OSPF, as well as static routes. The static routes configured by the user are managed together with the dynamic routes as detected by the routing protocol.
220 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Supporting Load Sharing and Route Backup I. Load sharing Supports multi-route mode, allowing the user to configure multiple routes that reach the same destination and use the same precedence. The same destination can be reached using multiple different paths, whose precedences are equal.
Static Routes 221 The following routes are static routes: ■ Reachable route—The IP packet is sent to the next hop towards the destination. This is a common type of static route.
222 CHAPTER 16: IP ROUTING PROTOCOL OPERATION The parameters are explained as follows: ■ IP address and mask The IP address and mask use a decimal format. Because the 1s in the 32-bit mask must be consecutive, the dotted decimal mask can also be replaced by the mask-length, which refers to the number of consecutive 1s in the mask.
Static Routes 223 Displaying and Debugging Static Routes After you configure static and default routes, execute the display command in any view to display the static route configuration, and to verify the effect of the configuration.
224 CHAPTER 16: IP ROUTING PROTOCOL OPERATION 2 Configure the static route for Ethernet Switch B [Switch B] ip route-static 1.1.2.0 255.255.255.0 1.1.3.1 [Switch B] ip route-static 1.1.5.0 255.255.255.0 1.1.3.1 [Switch B] ip route-static 1.1.1.0 255.
RIP 225 ■ Cost—The cost for the router to reach the destination, which should be an integer in the range of 0 to 16. ■ Timer—The length of time from the last time that the routing entry was modified until now. The timer is reset to 0 whenever a routing entry is modified.
226 CHAPTER 16: IP ROUTING PROTOCOL OPERATION ■ Enabling RIP to Import Routes of Other Protocols ■ Configuring the Default Cost for the Imported Route ■ Setting the RIP Preference ■.
RIP 227 3Com does not recommend the use of this command, because the destination address does not need to receive two copies of the same message at the same time. Note that peer should be restricted using the following commands: rip work, rip output, rip input and network.
228 CHAPTER 16: IP ROUTING PROTOCOL OPERATION By default, the values of the period update and timeout timers are 30 seconds and 180 seconds respectively. The value of the garbage-collection timer is four times that of the Period Update timer: 120 seconds.
RIP 229 In addition, the rip work command is functionally equivalent to both the rip input and rip output commands. By default, all interfaces except loopback interfaces both receive and transmit RIP update packets.
230 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Perform the following configuration in Interface View: The usual packet format follows RFC1723 and the nonstandard format follows RFC2082. Configuring Split Horizon Split horizon means that the route received through an interface will not be sent through this interface again.
RIP 231 Perform the following configurations in RIP View. By default, the cost value for the RIP imported route is 1. Setting the RIP Preference Each routing protocol has its own preference by which the routing policy selects the optimal route from the routes of different protocols.
232 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Perform the following configurations in RIP View. Configuring RIP to Filter the Received Routes Configuring RIP to Filter the Distributed Routes By default, RIP will not filter the received and distributed routing information.
RIP 233 Traffic Sharing Across RIP Interfaces Equal-cost routes are routes with the same destination but different next hop addresses in a routing table. After traffic sharing across RIP interfaces is enabled, the system evenly distributes the traffic to its RIP interfaces through equal-cost routes.
234 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Networking Diagram Figure 55 RIP configuration networking Configuration Procedure The following configuration only shows the operations related to RIP. Before performing the following configuration, please make sure the Ethernet link layer can work normally.
OSPF Configuration 235 OSPF Configuration Open Shortest Path First (OSPF) is a link-state Interior Gateway Protocol developed by the IETF. Only the Switch 5500-EI supports the OSPF protocol.
236 CHAPTER 16: IP ROUTING PROTOCOL OPERATION OSPF Packets OSPF uses five types of packets: ■ Hello Packet. The Hello Packet is the most common packet sent by the OSPF protocol. A router periodically sends it to its neighbors. It contains the values of some timers, the DR, the BDR and the known neighbors.
OSPF Configuration 237 ■ Backup Designated Router (BDR) If the DR fails, a new DR must be elected and synchronized with the other routers on the segment. This process will take a relatively long time, during which the route calculation is incorrect.
238 CHAPTER 16: IP ROUTING PROTOCOL OPERATION ■ Setting the Interface Priority for DR Election ■ Configuring the Peer ■ Setting the Interval of Hello Packet Transmission ■ Setting a Dea.
OSPF Configuration 239 Entering OSPF Area View Perform the following configurations in OSPF View. area_id is the ID of the OSPF area, which can be a decimal integer or in IP address format. Specifying the Interface OSPF divides the AS into different areas.
240 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Configuring the Network Type on the OSPF Interface The route calculation of OSPF is based upon the topology of the adjacent network of the local router. Each router describes the topology of its adjacent network and transmits it to all the other routers.
OSPF Configuration 241 Configuring the Cost for Sending Packets on an Interface You can control network traffic by configuring different message sending costs for different interfaces. Otherwise, OSPF automatically calculates the cost according to the baud rate of the current interface.
242 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Perform the following configuration in Interface View: By default, the priority of the interface is 1 in the DR election. The value can be taken from 0 to 255. Configuring the Peer In an NBMA network, some special configurations are required.
OSPF Configuration 243 Setting a Dead Timer for the Neighboring Routers If hello packets are not received from a neighboring router, that router is considered dead. The dead timer of neighboring routers refers to the interval after which a router considers a neighboring router dead.
244 CHAPTER 16: IP ROUTING PROTOCOL OPERATION The value of interval should be bigger than the interval in which a packet can be transmitted and returned between two routers. An LSA retransmission interval that is too small will cause unnecessary retransmission.
OSPF Configuration 245 By default, the STUB area is not configured, and the cost of the default route to the STUB area is 1. Configuring the NSSA of OSPF To keep the advantages of stub areas and .
246 CHAPTER 16: IP ROUTING PROTOCOL OPERATION generated on the ABR, even though the default route 0.0.0.0 is not in the routing table. On an ASBR, however, the default type-7 LSA route can be generated only if the default route 0.0.0.0 is in the routing table.
OSPF Configuration 247 After the summarization of imported routes is configured, if the local router is an autonomous system border router (ASBR), this command summarizes the imported Type-5 LSAs in the summary address range. When NSSA is configured, this command will also summarize the imported Type-7 LSAs in the summary address range.
248 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Configuring the OSPF Area to Support Packet Authentication All the routers in an area must use the same authentication mode. In addition, all routers on the same segment must use the same authentication key password.
OSPF Configuration 249 Intra-area and inter-area routes describe the internal AS topology whereas the external routes describe how to select the route to destinations beyond the AS. The external type-1 routes refer to imported IGP routes (such as static routes and RIP).
250 CHAPTER 16: IP ROUTING PROTOCOL OPERATION By default, when importing external routes, the type of imported route is type-2, the cost is 1 and the tag is 1. The interval of importing the external route is 1 second. The upper limit to the external routes imported is 1000 per second.
OSPF Configuration 251 Configuring OSPF Route Filtering Perform the following configuration in OSPF View. Configuring OSPF to Filter the Received Routes Configuring OSPF to filter the distributed routes By default, OSPF will not filter the imported and distributed routing information.
252 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Disabling the Interface to Send OSPF Packets Use the silent-interface command to prevent the interface from transmitting OSPF packets. Perform the following configuration in OSPF View. By default, all the interfaces are allowed to transmit and receive OSPF packets.
OSPF Configuration 253 Perform the following configuration in System View. By default, the OSPF TRAP function is disabled, so the switch does not send TRAP packets when any OSPF process is abnormal. The configuration is valid for all OSPF processes if you do not specify a process ID.
254 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Display Command for OSPF Neighbor Information Use the command display ospf peer statistics, which has the same display output as that of the display ospf peer brief command.
OSPF Configuration 255 The commands listed in the following examples enable Switch A and Switch C to be DR and BDR, respectively. The priority of Switch A is 100, which is the highest on the network, so it is elected as the DR. Switch C has the second highest priority, so it is elected as the BDR.
256 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Only when the current DR is offline does the DR change. Shut down Switch A, and run the display ospf peer command on Switch D to display its neighbors. Note that the original BDR (Switch C) becomes the DR, and Switch B is the new BDR.
OSPF Configuration 257 [Switch B-ospf-1] area 1 [Switch B-ospf-1-area-0.0.0.1] network 197.1.1.0 0.0.0.255 [Switch B-ospf-1-area-0.0.0.1] vlink-peer 3.3.3.3 3 Configure Switch C: [Switch C] interface Vlan-interface 1 [Switch C-Vlan-interface1] ip address 152.
258 CHAPTER 16: IP ROUTING PROTOCOL OPERATION ■ Ensure the backbone area connects with all other areas. ■ The virtual links cannot pass through the STUB area.
IP Routing Policy 259 and the matching objects are attributes of routing information. The relationship of if-match clauses for a node uses a series of Boolean “AND” statements. As a result, a match is found only if all the matching conditions specified by the if-match clauses are satisfied.
260 CHAPTER 16: IP ROUTING PROTOCOL OPERATION Defining a Route Policy A route policy can include multiple nodes. Each node is a unit for the matching operation. The nodes are tested in order of node_number. Perform the following configurations in System View.
IP Routing Policy 261 By default, no matching is performed. The if-match clauses for a node in the route policy require that the route satisfy all the clauses to match the node before the actions specified by the apply clauses can be executed. If no if-match clauses are specified, all the routes will pass the filtering on the node.
262 C HAPTER 16: IP R OUTING P ROTOCOL O PERATION Perform the following configu ration in Routing Protocol View . By default, the routes di scovered by othe r pr otocols will not be distributed. In different routing protocol views, the pa rameter options are d ifferent.
IP Routing Policy 263 By default, the filtering of received r outes is not performed. Configuring the Filtering of Distributed Routes Define a policy concerning route distribution that filters the routing information that does not satisfy the conditions, and distribut es routes with the help of an ACL or address ip-pr efix.
264 C HAPTER 16: IP R OUTING P ROTOCOL O PERATION stop forwarding the packet to the n etwork. Using the following configuration tasks, you can choose to forward the br oadcast packet to the network for broadcast. Perform the following configurat ion in system view .
Route Capacity Configur ation 265 c Enable OSPF protocol and specifies the num ber of the area to which the interface belongs. [Switch A] router id 1.1.1.1 [Switch A] ospf [Switch A-ospf-1] area 0 [Switch A-ospf-1-area-0.0.0.0] networ k 10.0.0.0 0.255.
266 C HAPTER 16: IP R OUTING P ROTOCOL O PERATION to add new routes to the routing table and whether or not to keep connection with a routing pr otocol. The defaul t value n ormally meet s the net work requi rements. Y ou must be carefu l when modifying the configuratio n to avoi d reducing the stability of the networ k.
Route Capacity Configur ation 267 Displaying and Debugging Route Capacity Enter th e display command in any view to display the operation of the Rou te Capacity configuration.
17 NETWORK PROTOCOL OPERATION. This chapter covers the following topics: ■ IP Address Configuration ■ ARP Configuration ■ Resilient ARP Configuration ■ BOOTP Client Configuration ■ DHCP .
270 CHAPTER 17: NETWORK PROTOCOL OPERATION. When using IP addresses, note that some of them are reserved for special uses, and are seldom used. The IP addresses you can use are listed in Table 265. Subnet and Mask. With the rapid development of the Internet, available IP addresses are being depleted very fast.
IP Address Configuration 271. address. If there is no subnet division, then its subnet mask is the default value and the length of "1" indicates the net-id length. Therefore, for IP addresses of classes A, B and C, the default values of the corresponding subnet mask are 255.
272 CHAPTER 17: NETWORK PROTOCOL OPERATION. Perform the following configuration in System View. By default, there is no host name associated with any host IP address. For further information on IP Address configuration, please refer to the Getting Started Guide that accompanies your Switch.
ARP Configuration 273. IP Address Configuration Example. Networking Requirements. Configure the IP address as 129.2.2.1 and subnet mask as 255.255.255.0 for VLAN interface 1 of the Switch. Networking Diagram. Figure 63 IP Address Configuration Networking. Configuration Procedure. 1 Enter VLAN interface 1.
274 CHAPTER 17: NETWORK PROTOCOL OPERATION. Suppose there are two hosts on the same network segment: Host A and Host B. The IP address of Host A is IP_A and the IP address of Host B is IP_B.
Introduction to Gratuitous ARP 275. Note that: ■ A static ARP map entry will always be valid as long as the Switch works normally. But if the VLAN corresponding to the ARP mapping entry is deleted, the ARP mapping entry will also be deleted. The valid period of dynamic ARP map entries will last only 20 minutes by default.
276 CHAPTER 17: NETWORK PROTOCOL OPERATION. By sending gratuitous ARP packets, a network device can: ■ Determine whether or not IP address conflicts exist between it and other network devices. ■ Trigger other network devices to update its hardware address stored in their caches.
Introduction to Gratuitous ARP 277. Resilient ARP Configuration. This section contains configuration information for Resilient ARP. Overview of Resilient ARP. To support resilient networking in XRN applications, redundant links are required between the XRN fabric and other devices.
278 CHAPTER 17: NETWORK PROTOCOL OPERATION. You can use the following command to configure through which VLAN interface the resilient ARP packet is sent. The system provides a default VLAN interface to send resilient ARP packets. Perform the following configuration in System View.
BOOTP Client Configuration 279. Networking Diagram. Figure 64 Networking for Resilient ARP Configuration. Configuration Procedure. 1 Enable the resilient ARP function.
280 CHAPTER 17: NETWORK PROTOCOL OPERATION. BOOTP Client Configuration. The BOOTP client is described in the following section. Configuring a VLAN Interface to Obtain the IP Address Using BOOTP. Perform the following configuration in VLAN Interface View.
DHCP Configuration 281. Figure 65 Typical DHCP Application. To obtain valid dynamic IP addresses, the DHCP client exchanges different types of information with the server at different stages.
282 CHAPTER 17: NETWORK PROTOCOL OPERATION. ■ A DHCP client extends its IP lease period. There is a time limit for the IP addresses leased to DHCP clients. The DHCP server shall withdraw the IP addresses when their lease period expires. If the DHCP client wants to continue use of the old IP address, it has to extend the IP lease.
DHCP Configuration 283. Option 82 supporting. Introduction to option 82 supporting. Option 82 is a relay agent information option in DHCP packets. When a request packet from a DHCP client travels through a DHCP relay on its way to the DHCP server, the DHCP relay adds option 82 into the request packet.
284 CHAPTER 17: NETWORK PROTOCOL OPERATION. ■ Len: Specifies the length of the agent information field. ■ Agent information field: Specifies the sub-options used. 2 Sub-option format. Figure 68 illustrates the sub-option format. Figure 68 Sub-option format ■ SubOpt: Sub-option number.
DHCP Configuration 285. Mechanism of option 82 supporting on DHCP relay. The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay is exactly the same as that for the client to obtain an IP address from a DHCP server directly.
286 CHAPTER 17: NETWORK PROTOCOL OPERATION. DHCP Relay Configuration. DHCP relay configuration is described in the following sections: ■ Enabling DHCP ■ Enabling DHCP ■ Configuring the DHCP S.
DHCP Configuration 287. Configuring the User Address Entry for the DHCP Server Group. To ensure that a valid user with a fixed IP address in a VLAN configured with DHCP Relay passes the address va.
288 CHAPTER 17: NETWORK PROTOCOL OPERATION. to DHCP servers by DHCP clients through unicast when the DHCP clients release IP addresses, the user address entries maintained by the DHCP cannot be updated in time. The dynamic user address entry updating function is developed to resolve this problem.
DHCP Configuration 289. Option 82 Supporting Configuration Example. Network requirements. Two DHCP clients are on the network segment 10.110.0.0 (255.255.0.0). They obtain IP addresses from a DHCP server through a switch acting as DHCP relay. Option 82 supporting is enabled on the DHCP relay.
290 CHAPTER 17: NETWORK PROTOCOL OPERATION. 6 Return to system view. [S5500-vlan-interface 100] quit 7 Enable option 82 supporting on the DHCP relay, with the keep keyword specified.
DHCP Configuration 291. Figure 71 Interaction between a DHCP client and a DHCP server. ■ DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain.
292 CHAPTER 17: NETWORK PROTOCOL OPERATION. Configuration Example. I. Network requirements. As shown in Figure 71, the Ethernet1/0/1 port of Switch A (an S5500 series switch) is connected to Switch B (acting as a DHCP relay). A network segment containing some DHCP clients is connected to the Ethernet1/0/2 port of Switch A.
Introduction to DHCP Accounting 293. ■ Length: Two bytes, identifying the total length of the accounting packet. ■ Authenticator: 16 bytes, identifying the information between the RADIUS server and client. The Attributes field contains multiple sub-fields.
294 CHAPTER 17: NETWORK PROTOCOL OPERATION. DHCP Accounting Fundamentals. After you complete AAA and RADIUS configuration on a switch with the DHCP server function enabled, the DHCP server acts as a RADIUS client. For the authentication process of the DHCP server acting as a RADIUS client.
Introduction to DHCP Accounting 295. ■ DHCP accounting is enabled on the DHCP server. ■ The IP addresses of the global DHCP address pool belong to the network segment 10.1.1.0/24. The DHCP server operates as a RADIUS client and adopts AAA for authentication.
296 CHAPTER 17: NETWORK PROTOCOL OPERATION. 11 Enter VLAN 3 interface view and assign the IP address 10.1.2.1/24 to the VLAN interface. [S5500] interface vlan-interface 3 [S5500-Vlan-interface3] ip address 10.1.2.1 24 12 Return to system view. [S5500-Vlan-interface3] quit 13 Create a domain and a RADIUS scheme.
Introduction to DHCP Accounting 297. DHCP Relay Displaying. You can verify your DHCP relay-related configuration by executing the following display commands in any view.
298 CHAPTER 17: NETWORK PROTOCOL OPERATION. Configuration Procedure. 1 Create a DHCP server group that will use two DHCP servers (a master and an optional backup) and assign it the IP addresses of the two DHCP servers (the first IP address is the master).
Access Management Configuration 299. Troubleshooting DHCP Relay Configuration. Perform the following procedure if a user cannot apply for an IP address dynamically: 1 Use the display dhcp-server groupNo command to check if the IP address of the corresponding DHCP Server has been configured.
300 CHAPTER 17: NETWORK PROTOCOL OPERATION. By default, the system disables the access management function. Configuring the Access Management IP Address Pool Based on the Port. You can use the following command to set the IP address pool for access management on a port.
Access Management Configuration 301. ■ In the same aggregation group, the port isolation feature on one unit is consistent. ■ If a port is removed from an aggregation group, its port isolation configuration will not change.
302 CHAPTER 17: NETWORK PROTOCOL OPERATION. Access Management Configuration Example. Networking Requirements. Organization 1 is connected to port 1 of the Switch, and organization 2 to port 2. Ports 1 and 2 belong to the same VLAN. The IP address range 202.
UDP Helper Configuration 303. To delete this feature, enter: <SW5500> system-view [SW5500] acl number 2500 [SW5500-acl-basic-2500] undo rule 0 UDP Helper Configuration. This section contains UDP Helper configuration information.
304 CHAPTER 17: NETWORK PROTOCOL OPERATION. Perform the following configuration in System View. Note that: ■ You must first enable the UDP Helper function and then configure the UDP port with the relay function. Otherwise, error information will appear.
IP Performance Configuration 305. Displaying and Debugging UDP Helper Configuration. After the above configuration, enter the display command in any view to display the running of the UDP Helper destination server, and to verify the effect of the configuration.
306 CHAPTER 17: NETWORK PROTOCOL OPERATION. be terminated. The timeout of the synwait timer ranges from 2 to 600 seconds and is 75 seconds by default. ■ finwait timer: When the TCP connection state turns from FIN_WAIT_1 to FIN_WAIT_2, the finwait timer will be started.
IP Performance Configuration 307. Troubleshooting IP Performance. Fault: IP layer protocol works normally but TCP and UDP cannot work normally. In the event of such a fault, you can enable the corresponding debugging information output to view the debugging information.
18 MULTICAST PROTOCOL. This chapter includes information on the following: ■ IP Multicast Overview ■ IGMP Snooping ■ Common Multicast Configuration ■ Internet Group Management Protocol .
310 CHAPTER 18: MULTICAST PROTOCOL. Figure 78 Comparison between the unicast and multicast transmission. A multicast source does not necessarily belong to a multicast group. It only sends data to the multicast group and it is not necessarily a receiver.
IP Multicast Overview 311. Ranges and meanings of Class D addresses are shown in Table 306. Reserved multicast addresses that are commonly used are shown in Table 307. Ethernet Multicast MAC Addresses. When unicast IP packets are transmitted in Ethernet, the destination MAC address is the MAC address of the receiver.
312 CHAPTER 18: MULTICAST PROTOCOL. Figure 79 Mapping between the multicast IP address and the Ethernet MAC address. Only 23 bits of the last 28 bits in the IP multicast address are mapped to the MAC address. Therefore, 32 IP multicast addresses are mapped to the same MAC address.
IP Multicast Overview 313. PIM-DM (Protocol-Independent Multicast Dense Mode, PIM-DM). PIM dense mode is suitable for small networks. It assumes that each subnet in the network contains at least one receiver interested in the multicast source.
314 CHAPTER 18: MULTICAST PROTOCOL. Applying Multicast. IP multicast technology effectively solves the problem of packet forwarding from single-point to multi-point. It implements highly-efficient data transmission from single-point to multi-point in IP networks and can save a large amount of network bandwidth and reduce network loads.
IGMP Snooping 315. Figure 81 Multicast packet transmission when IGMP Snooping runs. IGMP Snooping Terminology. Table 308 explains switching terminology relevant to IGMP Snooping. The Switch 5500 runs IGMP Snooping to listen to the IGMP messages and map the host and its ports to the corresponding multicast group address.
316 CHAPTER 18: MULTICAST PROTOCOL. Figure 82 Implementing IGMP Snooping. Table 309 explains IGMP Snooping terminology. Table 309 IGMP Snooping Terminology. Term Meaning. IGMP general query message Transmitted by the multicast router to query which multicast group contains members.
IGMP Snooping 317. Configuring IGMP Snooping. IGMP Snooping configuration includes: ■ Enabling/Disabling IGMP Snooping ■ Configuring Router Port Aging Time ■ Configuring Maximum Response Time ■ Configuring Aging Time of Multicast Group Member. Of the above configuration tasks, enabling IGMP Snooping is required, while the others are optional.
318 CHAPTER 18: MULTICAST PROTOCOL. Perform the following configuration in system view. By default, the port aging time is 105 seconds. Configuring Maximum Response Time. Use the commands in Table 312 to manually configure the maximum response time.
IGMP Snooping 319. If IGMP fast leave processing is enabled, when receiving an IGMP Leave message, IGMP Snooping immediately removes the port from the multicast group. When a port has only one user, enabling IGMP fast leave processing on the port can save bandwidth.
320 CHAPTER 18: MULTICAST PROTOCOL. Configuring Multicast VLAN. In old multicast mode, when users in different VLANs order the same multicast group, the multicast stream is copied to each of the VLANs.
IGMP Snooping 321. Note that: ■ You cannot set the isolate VLAN as a multicast VLAN. ■ One user port can belong to only one multicast VLAN. ■ The port connected to a user end can only be set as a hybrid port. ■ A multicast member port must belong to the same multicast VLAN as the router port.
322 CHAPTER 18: MULTICAST PROTOCOL. Configuration Example: Enable IGMP Snooping. Networking Requirements. To implement IGMP Snooping on the switch, first enable it. The switch is connected to the router via the router port, and with user PCs through the non-router ports on VLAN 10.
Common Multicast Configuration 323. Diagnosis 3: Multicast forwarding table set up on the bottom layer is wrong. 1 Enable IGMP Snooping group in user view and then input the command display igmp-snooping group to check if the MAC multicast forwarding table in the bottom layer and that created by IGMP Snooping are consistent.
324 CHAPTER 18: MULTICAST PROTOCOL. Multicast MAC Address Entry Configuration. In Layer 2 multicast, the system can add multicast forwarding entries dynamically through a Layer 2 multicast protocol. However, you can also manually create a static multicast address entry to bind a port to a multicast address.
Common Multicast Configuration 325. Multicast Source Deny Configuration. The purpose of the multicast source deny feature is to filter out multicast packets on an unauthorized multicast source port to prevent the user connected to the port from setting up a multicast server without permission.
326 CHAPTER 18: MULTICAST PROTOCOL. The forwarding entries in the MFC are deleted along with the routing entries in the multicast kernel routing table. Displaying and Debugging Common Multicast Configuration. Execute the display command in any view to display the running of the multicast configuration, and to verify the effect of the configuration.
Internet Group Management Protocol (IGMP) 327. IGMP is not symmetric on hosts and routers. Hosts need to respond to IGMP query messages from the multicast router, that is, report the group membership to the router.
328 CHAPTER 18: MULTICAST PROTOCOL. Configuring IGMP. Basic IGMP configuration includes: ■ Enabling Multicast ■ Enabling IGMP on an Interface. Advanced IGMP configuration includes: ■ Configuring.
Internet Group Management Protocol (IGMP) 329. Configuring the Interval for Querying IGMP Packets. The router finds out which multicast groups on its connected network segment have members by sending IGMP query messages periodically.
330 CHAPTER 18: MULTICAST PROTOCOL. Configuring the Limit of IGMP Groups on an Interface. If there is no limit to the number of IGMP groups added on a router interface or a router, the router memory may be exhausted, which may cause router failure.
Internet Group Management Protocol (IGMP) 331. By default, a router joins no multicast group. Limiting Multicast Groups An Interface Can Access. A multicast router learns whether there are members of a multicast group on the network via the received IGMP membership message.
332 CHAPTER 18: MULTICAST PROTOCOL. Configuring the Present Time of IGMP Querier. The IGMP querier present timer defines the period of time before the router takes over as the querier sending query messages, after the previous querier has stopped doing so.
PIM-DM Overview 333. Displaying and debugging IGMP. After the above configuration, execute the display command in any view to display the running of the IGMP configuration, and to verify the effect of the configuration. Execute the debugging command in user view for the debugging of IGMP.
334 CHAPTER 18: MULTICAST PROTOCOL. This process is called the "flood & prune" process. In addition, nodes that are pruned provide a timeout mechanism. Each router re-starts the "flood & prune" process upon pruning timeout. The consistent "flood & prune" process of PIM-DM is performed periodically.
PIM-DM Overview 335. Configuring PIM-DM. PIM-DM basic configuration includes: ■ Enabling Multicast ■ Enabling PIM-DM. PIM-DM advanced configuration includes: ■ Entering the PIM View ■ Configurin.
336 CHAPTER 18: MULTICAST PROTOCOL. Using the undo pim command, you can clear the configuration in PIM view, and go back to system view. Configuring Sending Interval for the Hello Packets. After PIM is enabled on an interface, it will send Hello messages periodically on the interface.
PIM-DM Overview 337. Only the routers that match the filtering rule in the ACL can serve as a PIM neighbor of the current interface. Configuring the Maximum Number of PIM Neighbors on an Interface. The maximum number of PIM neighbors of a router interface can be configured to avoid exhausting the memory of the router or router faults.
338 CHAPTER 18: MULTICAST PROTOCOL. Displaying and Debugging PIM-DM. After the above configuration, execute the display command in any view to display the running of the PIM-DM configuration, and to verify the effect of the configuration. Execute the debugging command in user view for the debugging of PIM-DM.
PIM-SM Overview 339. Configuration Procedure. This section only describes the configuration procedure for Switch_A. Follow a similar configuration procedure for Switch_B and Switch_C. 1 Enable the multicast routing protocol. [SW5500] multicast routing-enable 2 Enable IGMP and PIM-DM.
340 CHAPTER 18: MULTICAST PROTOCOL. PIM-SM Operating Principle. The working procedures for PIM-SM include: neighbor discovery, building the RP-rooted shared tree (RPT), multicast source registration and switchover to the SPT. Neighbor Discovery. The PIM-SM router uses Hello messages to perform neighbor discovery when it is started.
PIM-SM Overview 341. Preparations before Configuring PIM-SM. Configuring Candidate RPs. In a PIM-SM network, multiple RPs (candidate-RPs) can be configured. Each Candidate-RP (C-RP) is responsible for forwarding multicast packets with the destination addresses in a certain range.
342 CHAPTER 18: MULTICAST PROTOCOL. ■ Clearing PIM Neighbors. It should be noted that at least one router in an entire PIM-SM domain should be configured with Candidate-RPs and Candidate-BSRs. Enabling Multicast. Refer to "Common Multicast Configuration" on page 323.
PIM-SM Overview 343. Configuring Candidate-BSRs. In a PIM domain, one or more candidate BSRs should be configured. A BSR (Bootstrap Router) is elected among candidate BSRs.
344 CHAPTER 18: MULTICAST PROTOCOL. Configuring Static RP. A static RP serves as the backup of the dynamic RP, so as to improve network robustness. Perform the following configuration in PIM view. A basic ACL can control the range of multicast groups served by the static RP.
PIM-SM Overview 345. Perform the following configuration in PIM view. If an entry of a source group is denied by the ACL, or the ACL does not define an operation for it, or there is no ACL defined, the RP will send RegisterStop messages to the DR to prevent the register process of the multicast data stream.
346 CHAPTER 18: MULTICAST PROTOCOL. In the BSR mechanism, a C-RP router unicasts C-RP messages to the BSR, which then propagates the C-RP messages across the network by BSR message. To prevent C-RP spoofing, you need to configure crp-policy on the BSR to limit the legal C-RP range and their service group range.
PIM-SM Overview 347. Networking Diagram. Figure 87 PIM-SM configuration networking. Configuration Procedure. 1 On Switch_A: a Enable PIM-SM. [SW5500] multicast routing-enable [SW5500] vlan 10 [SW5500-vl.
348 CHAPTER 18: MULTICAST PROTOCOL. [SW5500] vlan 11 [SW5500-vlan11] port ethernet 1/0/4 to ethernet 1/0/5 [SW5500-vlan11] quit [SW5500] interface vlan-interface 11 [SW5500-vlan-interface11] igmp e.
19 ACL CONFIGURATION. This chapter covers the following topics: ■ Brief Introduction to ACL ■ QoS Configuration ■ QoS Profile Configuration ■ ACL Control Configuration. Brief Introduction to ACL. A series of matching rules are required for the network devices to identify the packets to be filtered.
352 CHAPTER 19: ACL CONFIGURATION. The depth-first principle is to put the statement specifying the smallest range of packets on the top of the list. This can be implemented through comparing the wildcards of the addresses. The smaller the wildcard is, the fewer hosts it can specify.
Brief Introduction to ACL 353. Table 362 Set the Absolute Time Range. When the start-time and end-time are not configured, it will be all the time for one day. The end time shall be later than the start time. When end-time end-date is not configured, it will be all the time from now to the date which can be displayed by the system.
354 CHAPTER 19: ACL CONFIGURATION. Table 363 Define Basic ACL. Define Advanced ACL. The rules of the classification for advanced ACL are defined on the basis of the attributes such as source and destination IP address, the TCP or UDP port number in use and packet priority to process the data packets.
Brief Introduction to ACL 355. Table 365 Define Layer-2 ACL. Defining the User-defined ACL. The user-defined ACL matches any bytes in the first 80 bytes of the Layer-2 data frame with the character string defined by the user and then processes them accordingly.
356 CHAPTER 19: ACL CONFIGURATION. Table 367 Activate ACL. Displaying and Debugging ACL. After the above configuration, execute the display command in all views to display the running of the ACL configuration, and to verify the effect of the configuration.
Brief Introduction to ACL 357. Configuration Procedure. In the following configurations, only the commands related to ACL configurations are listed. 1 Define the work time range. Define time range from 8:00 to 18:00. [SW5500] time-range 3Com 8:00 to 18:00 working-day 2 Define the ACL to access the payment server.
358 CHAPTER 19: ACL CONFIGURATION. [SW5500] acl number 2000 b Define the rules for packets whose source IP is 10.1.1.1. [SW5500-acl-basic-2000] rule 1 deny source 10.
QoS Configuration 359. QoS Configuration. Traffic. Traffic refers to all packets passing through a Switch. Traffic Classification. Traffic classification means identifying the packets with certain characteristics, using the matching rule called classification rule, set by the configuration administrator based on the actual requirements.
360 CHAPTER 19: ACL CONFIGURATION. Figure 91 SP. The SP is designed for the key service application. A significant feature of the key service is the need for priority to enjoy the service to reduce the responding delay when congestion occurs.
QoS Configuration 361. QoS Configuration. The process of QoS based on traffic: 1 Identify the traffic by ACL 2 Perform the QoS operation on the traffic. The configuration steps of QoS based on traffic: 1 Define the ACL 2 Configure the QoS operation. If QoS is not based on traffic, you need not define an ACL first.
362 CHAPTER 19: ACL CONFIGURATION. Configuration example for setting the priority of a protocol packet. 1 Change OSPF protocol packets' IP priority to 3. Enter system view. <S5500> system-view [S5500] 2 Set OSPF protocol packets' IP priority to 3.
QoS Configuration 363. Configure Traffic Mirroring. 1 Configure monitor port. Perform the following configuration in the Ethernet Port View. Table 375 Configure Monitor Port. Only one monitor port can be configured on one Switch. If a group of Switches form a Fabric, only one monitor port can be configured on one Fabric.
364 CHAPTER 19: ACL CONFIGURATION. Configuring the Mapping Relationship Between COS and Local Precedence. Using the following commands, you can configure the maps. Perform the following configuration in System View. Table 380 Map Configuration. By default, the Switch uses the default mapping relationship.
QoS Configuration 365. You should first define an ACL before this configuration task. The granularity of traffic limit is 64 kbps. If the target-rate the user inputs is in (N*64, (N+1)*64], in which N is a natural number, the Switch automatically sets (N+1)*64 as the parameter value.
366 CHAPTER 19: ACL CONFIGURATION. Table 385 Configuring Traffic Statistics. For details about the command, refer to the Command Reference Manual. Configuring WRED Operation. The function of WRED Operation is to avoid congestion in advance. Perform the following configuration in the Ethernet Port View.
QoS Configuration 367. Controlling Telnet using Source IP and Destination IP. This configuration can be implemented by means of an advanced ACL, which ranges from 3000 to 3999.
368 CHAPTER 19: ACL CONFIGURATION. Controlling Telnet using Source MAC. This configuration can be implemented by means of a Layer 2 ACL, which ranges from 4000 to 4999. For the definition of ACL, refer to the ACL part. Configuration Example. Network requirements. Only Telnet users from 10.
QoS Configuration 369. Displaying and Debugging QoS Configuration. You can use the display command in any view to see the QoS operation and to check the status of the configuration. You can also clear the statistic information using the reset command in the Ethernet Interface View.
370 CHAPTER 19: ACL CONFIGURATION. Networking Diagram. Figure 93 QoS Configuration Example. Configuration Procedure. Only the commands concerning QoS/ACL configuration are listed here. 1 Define outbound traffic for the wage server. a Enter numbered advanced ACL view.
QoS Configuration 371. Networking Diagram. Figure 94 QoS Configuration Example. Configuration Procedure. Define port mirroring, with the monitoring port being Ethernet3/0/8.
372 CHAPTER 19: ACL CONFIGURATION. QoS Profile Configuration. When used together with the 802.1x authentication function, the QoS profile function can offer preconfigured QoS settings for a qualified user in authentication (or a group of users). When the user passes the 802.
QoS Profile Configuration 373. Perform the following configuration in System View. Table 393 Entering QoS Profile View. You cannot delete a specific QoS profile which has been applied to the port. Adding/Removing Traffic Action to a QoS Profile. From the QoS Profile View, you can configure the QoS actions for the current QoS profile.
374 CHAPTER 19: ACL CONFIGURATION. ■ Port-based mode: The Switch delivers the traffic actions in the QoS profile directly to the user port. Perform the following configuration in Ethernet Port View. Table 395 Configuring Profile Application Mode. By default, port-based mode is enabled on the port.
QoS Profile Configuration 375. The user (with user name someone and authentication password hello) accesses the Switch from the Ethernet1/0/1 port. The user is assigned to the 3com163.net domain. The QoS profile example references the ACL with bandwidth limited to 128 kbps and new DSCP preference value 46.
376 CHAPTER 19: ACL CONFIGURATION. g Configure the QoS profile. [SW5500] qos-profile example [SW5500-qos-profile-example] traffic-limit inbound ip-group 3000 128 exceed drop [SW5500-qos-profile-exam.
ACL Control Configuration 377. Importing ACL. You can import a defined ACL in User Interface View to achieve ACL control. Perform the following configurations respectively in System View and User Interface View. Table 400 Importing ACL. See the Command Reference Manual for details about these commands.
378 CHAPTER 19: ACL CONFIGURATION. Importing ACL. Import the defined ACL into the commands with SNMP community, user name and group name configured, to achieve ACL control over SNMP users.
ACL Control Configuration 379. Configuration Example. Networking Requirement. Only SNMP users from 10.110.100.52 and 10.110.100.46 can access the Switch. Networking Diagram. Figure 99 ACL Configuration for SNMP Users. Configuration Procedure. 1 Define a basic ACL.
380 CHAPTER 19: ACL CONFIGURATION. For more about the commands, refer to the Command Reference Manual. Only the numbered basic ACL can be called for WEB NM user control. Configuration Example. Networking Requirements. Only permit Web NM users from 10.
20 CONFIGURATION FOR QOS FEATURES. RSPAN Features. Remote switched port analyzer (RSPAN) refers to remote port mirroring. It breaks through the limitation that the mirrored port and the mirrori.
382 CHAPTER 20: CONFIGURATION FOR QOS FEATURES. To implement the remote port management, a special VLAN, called Remote-probe VLAN, needs to be defined in all three types of switches.
RSPAN Features 383. Configuration Procedures in the Source Switch. Configuration Procedures in the Intermediate Switch. Table 404 Configuration procedures in the source switch. Operation Command Descr.
384 CHAPTER 20: CONFIGURATION FOR QOS FEATURES. Configuration Procedures in the Source Switch. Configuration Example. Network diagram requirements. The network description is as follows: ■ Switch A is connected to the data monitoring device using Ethernet1/0/2.
RSPAN Features 385 ■ Configure Switch C to be the sour ce switch, Ethernet 1/0/2 to be the source port of remote mirr oring, and Ethernet1/0/5 to be the reflector port. Set Ethernet1/0/5 to be Access port, with STP disabled. Network Diagram Figure 102 Network diagram for RSP AN Configuration Procedur e 1 Configure Switch C.
386 C HAPTER 20: C ONFIGURATION FOR Q O S F EATURES [S5500-Ethernet1/0/1] port trunk per mit vlan 10 [S5500-Ethernet1/0/1] quit [S5500] mirroring-group 1 remote-des tination [S5500] mirroring-group 1 .
Displaying Information of the display acl command 387 ■ A fixed weighting value is deducted from the weighting value of each element of the rule. The rule with the smallest weig hting value left has the highest priority .
388 C HAPTER 20: C ONFIGURATION FOR Q O S F EATURES The Synchronization Feature of Queue Scheduling for Aggregation Ports This featu re pr ovi des the sync hro nization function of queue scheduling on.
Configuring Control Over Telnet 389 Controlling T elnet using Sour ce IP This configu ration can be implemente d by means of basic ACL, which ranges from 2000 to 2999. Controlling T elnet using Source IP and Destination IP This configu ration can be implemente d by means of advanced ACL, which ranges from 3000 to 3999.
390 C HAPTER 20: C ONFIGURATION FOR Q O S F EATURES Controlling T elnet using Source MAC This configuration can b e implemented by means of Layer 2 ACL, which ranges f rom 4000 to 4999. For the definition of ACL, refer to ACL part. Configuration Example Network requir ements Only T elnet users from 10.
21 802.1X CONFIGURATION This chapter covers the following topics: ■ IEEE 802.1x Overview ■ Configuring 802.1x ■ Centralized MAC Address Authentication ■ AAA and RADIUS Protocol Configuration For information on setting up a RADIUS server and RADIUS client refer to Appendix B.
392 CHAPTER 21: 802.1X CONFIGURATION Authenticator and Authentication Server exchange information through EAP (Extensible Authentication Protocol) frames. The user and the Authenticator exchange information through the EAPoL (Extensible Authentication Protocol over LANs) frame defined by IEEE 802.
Configuring 802.1x 393 Implementing 802.1x on the Switch The Switch 5500 Family not only supports the port access authentication method regulated by 802.1x, but also extends and optimizes it in the following way: ■ Support to connect several End Stations in the downstream using a physical port.
394 CHAPTER 21: 802.1X CONFIGURATION Setting the Port Access Control Mode The following commands can be used for setting 802.1x access control mode on the specified port. When no port is specified, the access control mode of all ports is configured.
Configuring 802.1x 395 Setting the User Number on a Port The following commands are used for setting the number of users allowed by 802.1x on a specified port. When no port is specified, all the ports accept the same number of users. Perform the following configurations in System View or Ethernet Port View.
396 CHAPTER 21: 802.1X CONFIGURATION The EAP-TLS mode authenticates supplicant systems by authenticating licenses of both authentication servers and supplicant systems on both sides. In this mode, supplicant systems are authenticated by their licenses only, which are applied for from authentication servers.
Configuring 802.1x 397 Network diagram Figure 105 Network diagram for 802.1x PEAP configuration Configuration procedure The following configurations assume that PEAP is selected on 802.1x clients and the RADIUS server to authenticate 802.1x supplicant systems.
398 CHAPTER 21: 802.1X CONFIGURATION Configuring Timers The following commands are used for configuring the 802.1x timers. Perform the following configurations in System View. Table 421 Configuring Timers handshake-period: This timer begins after the user has passed the authentication.
802.1x Client Version Checking Configuration 399 Enabling/Disabling a Quiet-Period Timer You can use the following commands to enable/disable a quiet-period timer of an Authenticator (which can be a Switch 5500).
400 CHAPTER 21: 802.1X CONFIGURATION the supplicant system. Such a process goes on and on until the maximum number of retries is reached. If the maximum number of retries is reached and the supp.
802.1x Client Version Checking Configuration 401 When the Guest VLAN function is enabled: ■ The switch broadcasts active authentication packets to all 802.1x-enabled ports. ■ The switch adds the ports that do not return response packets to Guest VLAN when the maximum number of authentication retries is reached.
402 CHAPTER 21: 802.1X CONFIGURATION Configuration procedure 1 Enter system view. <S5500> system-view 2 Create VLAN 2. [S5500] vlan 2 3 Enter Ethernet1/0/1 port view. [S5500] interface ethernet1/0/1 4 Configure the port to operate in port-based authentication mode.
802.1x Client Version Checking Configuration 403 ■ CAMS is configured to disable use of multiple network adapters, proxies, or IE proxies. By default, an 802.
404 CHAPTER 21: 802.1X CONFIGURATION A server group, consisting of two RADIUS servers at 10.11.1.1 and 10.11.1.2 respectively, is connected to the switch. The former one acts as the primary-authentication/secondary-accounting server. The latter one acts as the secondary-authentication/primary-accounting server.
Centralized MAC Address Authentication 405 6 Set the encryption key when the system exchanges packets with the authentication RADIUS server. [SW5500-radius-radius1] key authentication name 7 Set the encryption key when the system exchanges packets with the accounting RADIUS server.
406 CHAPTER 21: 802.1X CONFIGURATION Centralized MAC Address Authentication Configuration Centralized MAC address authentication configuration includes: ■ Enabling MAC address authentication bo.
Centralized MAC Address Authentication 407 Configuring the User Name and Password for Fixed Mode If you configure the centralized MAC address authentication mode to be fixed mode, you need to configure the user name and password for fixed mode.
408 CHAPTER 21: 802.1X CONFIGURATION Displaying and Debugging Centralized MAC Address Authentication After the above configuration, perform the display command in any view to view the centralized MAC address authentication running state and check the configuration result.
AAA and RADIUS Protocol Configuration 409 2 Add local access user. a Set the user name and password. [SW5500] local-user 00e0fc010101 [SW5500-luser-00e0fc010101] password simple 00e0fc010101 b Set the service type of the user to lan-access. [SW5500-luser-00e0fc010101] service-type lan-access 3 Enable the MAC address authentication globally.
410 CHAPTER 21: 802.1X CONFIGURATION returns the configuration information and accounting data to NAS. Here, NAS controls users and corresponding connections, while the RADIUS protocol regulates how to transmit configuration and accounting information between NAS and RADIUS.
AAA and RADIUS Protocol Configuration 411 Among the above configuration tasks, creating ISP domain is compulsory, otherwise the user attributes cannot be distinguished.
412 CHAPTER 21: 802.1X CONFIGURATION ■ None—no authentication and accounting. Table 438 Configuring AAA Scheme Adopted by the ISP Domain By default, after an ISP domain is created, the default AAA scheme is local. You cannot use a RADIUS scheme together with the local or none scheme.
AAA Separation 413 Enabling the Selection of the RADIUS Accounting Option If no RADIUS server is available or if the RADIUS accounting server fails when the accounting optional is configured, the user can still use the network resource, otherwise, the user will be disconnected.
414 CHAPTER 21: 802.1X CONFIGURATION Configuring Separate AAA Schemes If a bound AAA scheme (that is, the authentication, authorization and accounting are bound in one scheme) is configured as well as the separate authentication, authorization and accounting schemes, the separate ones will be adopted in precedence.
AAA Separation 415 Network diagram Figure 108 Network diagram for separate AAA schemes Configuration procedure 1 Enter system view. <S5500> system-view 2 Create an ISP domain named cams. [S5500] domain cams 3 Return to system view. [S5500-isp-cams] quit 4 Configure a RADIUS scheme named radius.
416 CHAPTER 21: 802.1X CONFIGURATION ■ If the threshold is reached, the switch sends messages containing the user's remaining online time to the client at the interval you configured. ■ The client keeps the user informed of the updated remaining online time through a dialog box.
Dynamic VLAN Assignment 417 Dynamic VLAN Assignment Through dynamic VLAN assignment, the Ethernet switch dynamically adds the ports of the successfully authenticated users to different VLANs depending on the attribute values assigned by RADIUS server, so as to control the network resources the users can access.
418 CHAPTER 21: 802.1X CONFIGURATION Network diagram Figure 109 Network diagram for dynamic VLAN assignment Configuration procedure 1 Create a RADIUS scheme. [S5500] radius scheme ias [S5500-radius-ias] primary authentication 1.11.1.1 [S5500-radius-ias] primary accounting 1.
Dynamic VLAN Assignment 419 Setting Attributes of the Local User The attributes of a local user include its password display mode, state, service type and some other settings. Setting the Password Display Mode Perform the following configurations in System View.
420 CHAPTER 21: 802.1X CONFIGURATION However, the user-privilege level is a global value for all service types. Entering the following two commands will result in the user having a level of 3 for all service types.
Dynamic VLAN Assignment 421 Among the above tasks, creating the RADIUS scheme and setting the IP address of the RADIUS server are required, while other tasks are optional and can be performed as per your requirements.
422 CHAPTER 21: 802.1X CONFIGURATION The authorization information from the RADIUS server is sent to RADIUS clients in authentication response packets, so you do not need to specify a separate authorization server.
Dynamic VLAN Assignment 423 Setting the Maximum Times of Real-time Accounting Request Failing to be Responded to A RADIUS server usually checks if a user is online with a timeout timer.
424 CHAPTER 21: 802.1X CONFIGURATION Table 455 Setting the Maximum Retransmitting Times of Stopping Accounting Request By default, the stopping accounting request can be retransmitted up to 500 times. Enabling the Selection of the Radius Accounting Option Perform the following configurations in RADIUS Scheme View.
User Re-authentication at Reboot 425 The switch can automatically generate the main attributes (NAS-ID, NAS-IP and session ID) of the Accounting-On packets. However, you can also manually configure the NAS-IP attribute with the nas-ip command. When doing this, be sure to configure a correct and valid IP address.
426 CHAPTER 21: 802.1X CONFIGURATION By default, the keys of RADIUS authentication/authorization and accounting packets are all “3com”. Tag VLAN Assignment on Trunk/Hybrid Port Supported by 802.1x Authentication Currently, the 802.1x authentication module supports Tag VLAN assignment only on Access port.
User Re-authentication at Reboot 427 By default, the newly created RADIUS scheme supports the server type standard, while the "system" RADIUS scheme created by the system supports the server type 3com.
428 CHAPTER 21: 802.1X CONFIGURATION Setting the Unit of Data Flow Transmitted to the RADIUS Server The following command defines the unit of the data flow sent to RADIUS server.
User Re-authentication at Reboot 429 Setting the Timers of the RADIUS Server Setting the Response Timeout Timer of the RADIUS Server After RADIUS (authentication/authorization or accounting) request.
430 CHAPTER 21: 802.1X CONFIGURATION Configure the RADIUS Server Response Timer If the NAS receives no response from the RADIUS server after sending a RADIUS request (authentication/authorization or accounting request) for a period of time, the NAS resends the request, thus ensuring the user can obtain the RADIUS service.
User Re-authentication at Reboot 431 AAA and RADIUS Protocol Configuration Example For the hybrid configuration example of AAA/RADIUS protocol and 802.
432 CHAPTER 21: 802.1X CONFIGURATION Configuration Procedure 1 Add a Telnet user. For details about configuring FTP and Telnet users, refer to User Interface Configuration in the Getting Started chapter. 2 Configure remote authentication mode for the Telnet user, that is, scheme mode.
User Re-authentication at Reboot 433 2 Method 2: Using Local RADIUS authentication server. Local server method is similar to remote RADIUS authentication. But you should modify the server IP address to 127.0.0.1, authentication password to 3com, the UDP port number of the authentication server to 1645.
434 CHAPTER 21: 802.1X CONFIGURATION And that completes the configuration of the new radius server and associating it with a domain. Network Login Network login must first be enabled globally by issuing the command dot1x: [5500-xx] dot1x 802.
User Re-authentication at Reboot 435 Once the RADIUS scheme and domain have been set up, see Domain and RADIUS scheme creation, then switch login is enabled. By default, when you use the user name admin to login, you are actually logging in as "admin@local".
436 CHAPTER 21: 802.1X CONFIGURATION Fault Three: After being authenticated and authorized, the user cannot send charging bill to the RADIUS server. Troubleshooting: ■ The accounting port number may be set improperly. Please set a proper number.
22 FILE SYSTEM MANAGEMENT This chapter covers the following topics: ■ File System Overview ■ File Attribute Configuration ■ Configuring File Management ■ Configuration File Backup and Re.
438 CHAPTER 22: FILE SYSTEM MANAGEMENT Based on the operated objects, the file system can be divided as follows: ■ Directory operation ■ File operation ■ Storage device operation ■ Set t.
File Attribute Configuration 439 File Attribute Configuration You can assign the main/backup attribute to a file so as to use this file as the main/backup startup file upon next startup of switch, check the main and backup files, and toggle between the main and backup attributes of file.
440 CHAPTER 22: FILE SYSTEM MANAGEMENT File Operation The file system can be used to delete or undelete a file and permanently delete a file. Also, it can be used to display file contents, rename, copy and move a file and display the information about a specified file.
Configuring File Management 441 Setting the Prompt Mode of the File System The following command can be used for setting the prompt mode of the current file system.
442 CHAPTER 22: FILE SYSTEM MANAGEMENT The configuration files are displayed in their corresponding saving formats. Saving the Current-configuration Use the save command to save the current-configuration in the Flash Memory, and the configurations will become the saved-configuration when the system is powered on for the next time.
Configuration File Backup and Restoration 443 Configuration File Backup and Restoration The configuration file backup and restoration feature enables you to perform the following tasks: 1 Copy the current configurations on switch to a file on a TFTP server as a backup.
444 CHAPTER 22: FILE SYSTEM MANAGEMENT Table 484 Configuration of the Switch as FTP Client Table 485 Configuration of the Switch as FTP Server The prerequisite for normal FTP function is that the Switch and PC are reachable.
FTP Overview 445 If the ip-addr in the command is not an address of the device, your configuration fails. If you specify a non-existent interface in the command, your configuration fails. Configuring the FTP Server Authentication and Authorization You can use the following commands to configure FTP server authentication and authorization.
446 CHAPTER 22: FILE SYSTEM MANAGEMENT Displaying and Debugging FTP Server After the above configuration, execute display command in all views to display the running of the FTP Server configuration, and to verify the effect of the configuration.
FTP Overview 447 Displaying the Source IP Address of the FTP Client Use the display command in any view to display the source IP address of the FTP client for service packets. FTP Client Configuration Example Networking Requirement The Switch serves as the FTP client and the remote PC as the FTP server.
448 CHAPTER 22: FILE SYSTEM MANAGEMENT Password:***** 230 Logged in successfully [ftp] 3 Type in the authorized directory of the FTP server. [ftp] cd switch 4 Use the put command to upload the config.cfg to the FTP server. [ftp] put config.
TFTP Overview 449 3 Run FTP client on the PC and establish FTP connection. Upload the switch.app to the Switch under the Flash directory and download the config.cfg from the Switch. FTP client is not shipped with the Switch, so you need to buy it separately.
450 CHAPTER 22: FILE SYSTEM MANAGEMENT Downloading Files by means of TFTP To download a file, the client sends a request to the TFTP server and then receives data from it and sends acknowledgement to it. You can use the following commands to download files by means of TFTP.
MAC Address Table Management 451 3 Enter System View and download the switch.app from the TFTP server to the flash memory of the Switch. <SW5500> system-view [SW5500] 4 Configure IP address 1.1.1.1 for the VLAN interface, ensure the port connecting the PC is also in this VLAN (VLAN 1 in this example).
452 CHAPTER 22: FILE SYSTEM MANAGEMENT Figure 117 The Switch Forwards Packets with MAC Address Table The Switch also provides the function of MAC address aging. If the Switch receives no packet for a period of time, it will delete the related entry from the MAC address table.
MAC Address Table Management 453 Setting MAC Address Aging Time Setting an appropriate aging time implements MAC address aging. Too long or too short an aging time set by subscribers will cause the Ethernet switch to flood a large amount of data packets.
454 CHAPTER 22: FILE SYSTEM MANAGEMENT Displaying MAC Address Table After the above configuration, execute the display command in all views to display the running of the MAC address table configuration, and to verify the effect of the configuration.
MAC Address Table Management 455 Configuration procedure The display command shows a stack wide view of the MAC address table. [SW5500] display mac-address MAC ADDR VLAN ID STATE PORT INDEX AGING T.
456 CHAPTER 22: FILE SYSTEM MANAGEMENT Device Management With the device management function, the Switch can display the current running state and event debugging information about the unit, thereby implementing the maintenance and management of the state and communication of the physical devices.
Device Management 457 Upgrading BootROM You can use this command to upgrade the BootROM with the BootROM program in the Flash Memory. This configuration task facilitates the remote upgrade. You can upload the BootROM program file from a remote end to the Switch using FTP and then use this command to upgrade the BootROM.
458 CHAPTER 22: FILE SYSTEM MANAGEMENT Networking Diagram Figure 120 Networking for FTP Configuration Configuration Procedure 1 Configure FTP server parameters on the PC. Define a user named as Switch, password hello, read and write authority over the Switch directory on the PC.
System Maintenance and Debugging 459 8 Use the boot boot-loader command to specify the downloaded program as the application at the next login and reboot the Switch. <SW5500> boot boot-loader switch.app <SW5500> display boot-loader The app to boot at the next time is: flash:/Switch.
460 CHAPTER 22: FILE SYSTEM MANAGEMENT Basic System Configuration Setting the System Name for the Switch Perform the operation of sysname command in the System View. Table 508 Set the Name for the Switch Setting the System Clock Perform the operation of clock datetime command in the User View.
Terminating the FTP Connection of a Specified User 461 Terminating the FTP Connection of a Specified User By using the following command, the network administrator can forcibly terminate the FTP connection of a specified user on the FTP server, in order to secure the operation of the network.
462 CHAPTER 22: FILE SYSTEM MANAGEMENT System Debugging Enable/Disable the Terminal Debugging The Switch provides various ways for debugging most of the supported protocols and functions, which can help you diagnose and address the errors.
Displaying the State and Information of the System 463 Table 515 Enable/Disable the Debugging For more about the usage and format of the debugging commands, refer to the relevant chapters.
464 CHAPTER 22: FILE SYSTEM MANAGEMENT Testing Tools for Network Connection This section contains the tools necessary to test network connections. ping The ping command can be used to check the network connection and if the host is reachable.
Introduction to Remote-ping 465 The execution process of tracert is described as follows: Send a packet with TTL value as 1 and the first hop sends back an ICMP error message indicating that the packet cannot be sent, for the TTL is timeout. Re-send the packet with TTL value as 2 and the second hop returns the TTL timeout message.
466 CHAPTER 22: FILE SYSTEM MANAGEMENT Remote-ping Configuration This section contains information on remote-ping. Introduction to Remote-ping Configuration The configuration tasks for remote-pi.
Remote-ping Configuration 467 The remote-ping test does not display test results. You can use the display remote-ping command to view the test results. You can use the display remote-ping command to check the test history as well as the latest test results.
468 CHAPTER 22: FILE SYSTEM MANAGEMENT 5 Display the test results. [S5500-remote-ping-administrator-icmp] display remote-ping results administrator icmp [S5500-remote-ping-administrator-icmp] display remote-ping history administrator icmp Logging Function This section contains information on the Logging function.
Logging Function 469 "yyyy" is the year field. If changed to boot format, it represents the milliseconds from system booting. Generally, the data are so large that two 32 bits integers are used, and separated with a dot '.'.
470 CHAPTER 22: FILE SYSTEM MANAGEMENT Note that there is a slash ('/') between module name and severity. 5 Severity Switch information falls into three categories: log information, debugging information and trap information. The info-center classifies every kind of information into 8 severity or urgent levels.
Logging Function 471 Table 521 Info-Center-Defined Severity Note that there is a slash between severity and digest. 6 Digest The digest is an abbreviation; it represents the abstract of the contents. Note that there is a colon between digest and content.
472 CHAPTER 22: FILE SYSTEM MANAGEMENT 1 Sending the information to loghost. Table 523 Sending the Information to Loghost 2 Sending the information to the control terminal.
Logging Function 473 3 Sending the Information to monitor terminal 4 Sending the Information to log buffer. Table 526 Sending the Information to Log Buffer 5 Sending the Information to trap buffer.
474 CHAPTER 22: FILE SYSTEM MANAGEMENT 6 Sending the Information to SNMP Table 528 Sending the Information to SNMP 7 Turn on/off the information synchronization Switch in Fabric Figure 124 T.
Logging Function 475 Table 530 Configuring to Output Information to Loghost Be sure to enter the correct IP address when using the info-center loghost command to configure the loghost IP address. If you enter a loopback address, the system prompt of invalid address appears.
476 CHAPTER 22: FILE SYSTEM MANAGEMENT 4 Configuring loghost The configuration on the loghost must be the same with that on the Switch. For related configuration, see the configuration examples in the latter part of this chapter.
Logging Function 477 Table 534 Configuring to Output Information to Control Terminal 3 Configuring the information source on the Switch. With this configuration, you can define the information sent to the control terminal that is generated by which modules, information type, information level, and so on.
478 CHAPTER 22: FILE SYSTEM MANAGEMENT Perform the following operation in User View: Table 537 Enabling Terminal Display Function Sending the Information to Telnet Terminal or Dumb .
Logging Function 479 modu-name specifies the module name; default represents all the modules; level refers to the severity levels; severity specifies the severity level of information. The information with the level below it will not be output.
480 CHAPTER 22: FILE SYSTEM MANAGEMENT Sending the Information to the Log Buffer To send information to the log buffer, follow the steps below: 1 Enabling info-center Perform the following operation in System View. Table 543 Enabling/Disabling Info-center Info-center is enabled by default.
Logging Function 481 If you want to view the debugging information of some modules on the Switch, you must select debugging as the information type when configuring the information source, meantime using the debugging command to turn on the debugging Switch of those modules.
482 CHAPTER 22: FILE SYSTEM MANAGEMENT modu-name specifies the module name; default represents all the modules; level refers to the severity levels; severity specifies the severity level of information. The information with the level below it will not be output.
Logging Function 483 3 Configuring the information source on the Switch. With this configuration, you can define the information that is sent to SNMP NM: generated by which modules, information type, information level, and so on. Perform the following operation in System View.
484 CHAPTER 22: FILE SYSTEM MANAGEMENT The Switch provides a command to turn on/off the synchronization Switch in every Switch. If the synchronization Switch of a Switch is turned off, it does not send information to other Switches but still receives information from others.
Logging Function 485 Configuring Synchronous Information Output Function Synchronous information output function works to prevent users’ input from being interrupted by system output.
486 CHAPTER 22: FILE SYSTEM MANAGEMENT 2 Configuration on the loghost This configuration is performed on the loghost. The following example is performed on SunOS 4.0, and the operation on Unix operating systems produced by other manufacturers is generally the same as the operation on SunOS 4.
Logging Function 487 Networking diagram Figure 128 Schematic Diagram of Configuration Configuration Procedure 1 Enabling info-center [SW5500] info-center enable Set the host with the IP address of 202.
488 CHAPTER 22: FILE SYSTEM MANAGEMENT c After the establishment of information (log file) and the revision of /etc/syslog.conf, you should view the process number of syslogd (system daemon) through the following command, kill the syslogd daemon and restart syslogd as a daemon with the -r option.
RMON Configuration 489 RMON Configuration Remote Network Monitoring (RMON) is a type of IETF-defined MIB. It is the most important enhancement to the MIB II standard. It is mainly used for monitoring the data traffic on a segment and even on a whole network.
490 CHAPTER 22: FILE SYSTEM MANAGEMENT You can use the following commands to add/delete an entry to/from the alarm table. Perform the following configuration in System View.
RMON Configuration 491 Table 561 Add/Delete an Entry to/from the Extended RMON Alarm Table Adding/Deleting an Entry to/from the Statistics Table The RMON statistics management concerns the port usage monitoring and error statistics when using the ports.
492 CHAPTER 22: FILE SYSTEM MANAGEMENT RMON Configuration Example Networking Requirements Set an entry in RMON Ethernet statistics table for the Ethernet port performance, which is convenient for network administrators’ query. Networking Diagram Figure 130 RMON Configuration Networking Configuration Procedure 1 Configure RMON.
NTP Overview 493 ■ Record for an application when a user logs in to a system, a file is modified, or Basic Operating Principle of NTP Figure 131 illustrates the basic operating principle of NTP: Figure 131 Basic Operating Principle of NTP In Figure 131, Switch A and Switch B are connected using the Ethernet port.
494 CHAPTER 22: FILE SYSTEM MANAGEMENT In this way, Switch A uses the above information to set the local clock and synchronize it with the clock on Switch B. The operating principle of NTP is briefly introduced above. For more information, refer to RFC1305.
NTP Configuration 495 Table 563 Configure NTP Time Server NTP version number number ranges from 1 to 3 and defaults to 3; the authentication key ID keyid ranges from 0 to 4294967295; interface-name.
496 CHAPTER 22: FILE SYSTEM MANAGEMENT Configuring NTP Broadcast Client Mode Designate an interface on the local Switch to receive NTP broadcast messages and operate in broadcast client mode. The local Switch listens to the broadcast from the server.
NTP Configuration 497 Multicast IP address ip-address defaults to 224.0.1.1. This command can only be configured on the interface where the NTP multicast packets will be received. Configuring NTP ID Authentication Enable NTP authentication, set MD5 authentication key, and specify the reliable key.
498 CHAPTER 22: FILE SYSTEM MANAGEMENT An interface is specified by interface-name or interface-type interface-number. The source address of the packets will be taken from the IP address of the interface.
Typical NTP Configuration Examples 499 Setting Maximum Local Sessions This configuration task is to set the maximum local sessions. Perform the following configurations in System View. Table 575 Set the Maximum Local Sessions number specifies the maximum number of local sessions, ranges from 0 to 100, and defaults to 100.
500 CHAPTER 22: FILE SYSTEM MANAGEMENT Networking Diagram Figure 132 Typical NTP Configuration Networking Diagram Configuration Procedure Configure Switch 1: 1 Enter System View. <switch1> system-view 2 Set the local clock as the NTP master clock at stratum 2.
Typical NTP Configuration Examples 501 After the synchronization, Switch 2 turns into the following status: [switch2] display ntp-service status clock status: synchronized clock stratum: 8 reference clock ID: 1.0.1.11 nominal frequency: 100.0000 Hz actual frequency: 100.
502 CHAPTER 22: FILE SYSTEM MANAGEMENT 3 Configure Switch 5: (Switch 4 has been synchronized by Switch 3) a Enter System View. <switch5> system-view b After performing local synchronization, set Switch 4 as a peer. [switch5] ntp-service unicast-peer 3.
Typical NTP Configuration Examples 503 c Enter Vlan-interface2 view. [switch3] interface vlan-interface 2 d Set it as broadcast server. [switch3-Vlan-Interface2] ntp-service broadcast-server 2 Configure Switch 4: a Enter System View. <switch4> system-view b Enter Vlan-interface2 view.
504 CHAPTER 22: FILE SYSTEM MANAGEMENT Configure NTP Multicast Mode Network Requirements Switch 3 sets the local clock as the master clock at stratum 2 and multicasts packets from Vlan-interface2. Set Switch 4 and Switch 1 to receive multicast messages from their respective Vlan-interface2.
Typical NTP Configuration Examples 505 Configure Authentication-enabled NTP Server Mode Network Requirements Switch 1 sets the local clock as the NTP master clock at stratum 2. Switch 2 sets Switch 1 as its time server in server mode and itself in client mode and enables authentication.
506 C HAPTER 22: F IL E S YSTEM M ANAGEMENT SSH T erminal Services Secure Shell (SSH) can pr ovide information security and powerful authentication to prevent such assaults as IP address spoofi ng, plain-text password inter ception when users log on to the Switch remotely fr om an insecur e network environment.
SSH Terminal Services 507 way: The RSA public key of the client user is configured at the server . The client first sends the member modules of its RSA public key to the server , which ch ecks its validity . If it is valid, the server ge nerates a random number , which is sent to the client after being encrypted with RSA public key .
508 C HAPTER 22: F IL E S YSTEM M ANAGEMENT Configuring and Canceling Local RSA Key Pair In executing this command, if you have conf igured RSA host key pair , t he system gives an alarm after using this command and prompt s that the existing one will be replaced.
SSH Terminal Services 509 Defining SSH Authentication Retry V alue Setting SSH authentication retry value can effectively prevent malicious r egistration attempt. Perform the following co nfigurations in System View . T able 582 Defining SSH Authentication Retry V alue By default, the retry value is 3.
510 C HAPTER 22: F IL E S YSTEM M ANAGEMENT Configuring SSH Client There ar e several types of SSH client sof tware, such as PuTTY and FreeBSD. Y ou should first configure the client’ s connecti on with the server . The b asic configuration tasks on the client include: ■ Specifying server IP add ress.
SSH Terminal Services 511 Figure 137 SSH key convert. Use the save button to save this converted key to a file. Open the public key file in Notepad and the following li nes of text befor e the ex isti.
512 C HAPTER 22: F IL E S YSTEM M ANAGEMENT Figure 138 T ext file of myKey Save this to a file ending with a ".bat" extension e.g "keys.bat". This file can be transferred to the switch using F TP or TF TP . The key is installed using th e execute command in the System view [SW5500] execute keys.
SSH Terminal Services 513 In the Host Name (or IP address) text box key in the IP address of the Switch, for example, 10.110.28.10. Y ou can also input the IP ad dress of an interface in UP state, but its route to SSH client PC must be r eachable. Selecting SSH Protocol Select SSH for the Protocol item.
514 C HAPTER 22: F IL E S YSTEM M ANAGEMENT Figure 141 SSH client configuration interface (3) Click Browse to enter the File Select interface . Choose a desir ed file an d click OK . Opening SSH Connection Click Open to enter SSH client interfa ce. If it runs normally , you are prompted to enter username an d password.
SSH Terminal Services 515 Displaying and Debugging SSH Run the display command in any view to view the running of SSH and further to check configuration result. Run the debugging command to debug the SSH. Perform the following configurat ions in any view .
516 C HAPTER 22: F IL E S YSTEM M ANAGEMENT [SW5500-luser-client002] service-type ssh 4 Specify AAA authentication on the user inter face. [SW5500] user-interface vty 0 4 [SW5500-ui-vty0-4] authentication-mod e scheme 5 Select SSH protocol on the Switch.
File System Configuration 517 File System Configuration Perform the following file system co nfiguration in user view . If you delete a file and then another f ile with the same name under the same directory , the recycle bin only re ser ves the last deleted file.
518 C HAPTER 22: F IL E S YSTEM M ANAGEMENT T o ensure that the switch can use the current configu rations after it restarts, you are recommended to save the current co nfigurations by using the sa ve command before restarting the switch.
FTP Lighting Co nfiguration 519 Enabling F TP Server on Switch After F TP server is enabled on an SWITCH 5500 switch, the seven-segmen t digital LED on the front panel of the switch will rotate clockw.
520 C HAPTER 22: F IL E S YSTEM M ANAGEMENT Enabling F TP Client on the Switch After F TP client is enable d on an SWITCH 5500 switch, the seven-segment digital LED on the front panel of the switch wi.
TFTP Lighting Configuration 521 The switch can only act as a TFTP client. Figure 146 Network diagram for TFTP configuration TFTP Lighting Procedure The TFTP server and the TFTP client must be reachable to each other for the TFTP function to operate normally.
23 PORT TRACKING CONFIGURATION Introduction to the Port Tracking Function With the port tracking function enabled, you can specify to track the link state of the master's uplink port and decrease the priority of the switch when the port fails.
524 CHAPTER 23: PORT TRACKING CONFIGURATION Network diagram Figure 147 Network diagram for port tracking configuration Configuration procedure Configure the master switch. 1 Enter system view. <S5500> system-view System View: return to User View with Ctrl+Z.
24 DYNAMICALLY APPLY ACL BY RADIUS SERVER CONFIGURATION Introduction to Dynamically Apply ACL by RADIUS Server The switch can dynamically provide pre-defined ACL rules for one or one group of authenticated user(s) through the combination of Dynamically Apply ACL by RADIUS Server function and 802.
526 CHAPTER 24: DYNAMICALLY APPLY ACL BY RADIUS SERVER CONFIGURATION Configuration Example This section contains a configuration example. Network requirements The switch implements the Dynamically Apply ACL by RADIUS Server function for the access users.
Configuration Example 527 Configuration procedure Configuration on the RADIUS server 1 Click User/Manage Users. See Figure 150. Figure 150 The first step 2 Create a new user, and then on the General Attributes page input the password of the user, meanwhile set the "Account Expiration Date" as Dec-31-2049.
528 Figure 152 The third step 4 Click Options/Encryption Keys, set the encryption key. See Figure 153. Figure 153 The fourth step 5 Input the NAS IP and the encryption key. See Figure 154.
Configuration Example 529 Figure 154 The fifth step Configuration on the switch 1 Enable 802.1x. <S5500> system-view [S5500] dot1x [S5500] dot1x interface ethernet 1/0/1 2 Configure the IP address information for the RADIUS server. [S5500] radius scheme radius1 [S5500-radius-radius1] primary authentication 10.
530 On Unit 1: Total 1 connections matched, 1 listed. Total 1 connections matched, 1 listed. [S5500] display connection ucibindex 28 ------------------------Unit 1------------------------ Index=28, Username=test@test163.
25 AUTO DETECT CONFIGURATION Introduction to the Auto Detect Function The auto detect function uses ICMP request/reply packets to test the connectivity of a network regularly. The auto detect function is carried out through detecting groups. A detecting group comprises a group of the IP addresses to be detected.
532 CHAPTER 25: AUTO DETECT CONFIGURATION Network diagram Figure 155 Network diagram for auto detect configuration Configuration procedure 1 Enter system view. <S5500> system-view 2 Create detecting group 10. [S5500] detect-group 10 3 Specify to detect the IP address of 10.
Auto Detect Implementation in Static Routing 533 You can utilize a single detecting group simultaneously in multiple implementations mentioned above. Refer to the Routing Protocol part in Switch 5500 Series Switch Operation Manual for information about static routing.
534 Configuration procedure Configure Switch A. <S5500 A> system-view [S5500 A] detect-group 8 [S5500 A-detect-group-8] detect-list 1 ip address 10.1.1.4 nexthop 192.168.1.2 [S5500 A] ip route-static 10.
Auto Detect Implementation in VRRP 535 Network diagram Figure 157 Network diagram for VRRP Configuration procedure 1 Configure Switch B. a Create detecting group 9. <S5500 B> system-view [S5500 B] detect-group 9 b Specify to detect the reachability of the IP address 10.
536 c Set the backup group preference value of Switch D to 100. [S5500 D-vlan-interface1] vrrp vrid 1 priority 100 Auto Detect Implementation in VLAN Interface Backup The interface backup function is used to back up VLAN interfaces by using the auto detect function.
Auto Detect Implementation in VLAN Interface Backup 537 Network diagram Figure 158 Network diagram for VLAN interface backup Configuration procedure 1 Configure Switch C. a Enter system view. <S5500 C> system-view b Configure a static route to VLAN interface 1 on Switch A as the primary route, with the IP address of 10.
538 g Add the IP address of 10.1.1.4 to detecting group 10 to detect the reachability of the IP address, with the IP address of 192.168.1.2 as the next hop, and set the detecting number to 1. [S5500 A-detect-group-10] detect-list 1 ip address 10.
26 RSTP CONFIGURATION This chapter covers the following topics: ■ STP Overview ■ RSTP Configuration ■ RSTP Configuration Example STP Overview Spanning Tree Protocol (STP) is applied in loop ne.
540 CHAPTER 26: RSTP CONFIGURATION For a Switch, the designated bridge is a Switch in charge of forwarding BPDU to the local Switch using a port called the designated port. For a LAN, the designated bridge is a Switch that is in charge of forwarding BPDU to the network segment using a port called the designated port.
STP Overview 541 2 Select the optimum configuration BPDU Every Switch transmits its configuration BPDU to others. When a port receives a configuration BPDU with a lower priority than that of its own, it will discard the message and keep the local BPDU unchanged.
542 Switch B compares the configuration BPDUs of the ports and selects the BP1 BPDU as the optimum one. Thus BP1 is elected as the root port and the configuration BPDUs of Switch B ports are updated as follows. The configuration BPDU of the root port BP1 retains as {0, 0, 0, BP1}.
STP Overview 543 To facilitate the descriptions, the description of the example is simplified. For example, the root ID and the designated bridge ID in actual calculation should comprise both Switch priority and Switch MAC address. Designated port ID should comprise port priority and port MAC address.
544 In a Switch equipped with the XRN feature, RSTP has the following characteristics: 1) Processing the whole Fabric as a node; 2) Participation of all ports except.
RSTP Configuration 545 Specify a Switch as the root or backup root bridge The role of the current Switch as the root or backup root bridge depends on the STP calculation. A Switch can be made the root bridge by specifying its Bridge preference to 0. Configure the Bridge preference of a Switch The Bridge preference of a Switch is 32768.
546 Configure the timeout time factor of a Switch The Switch, if it has not received any Hello packet from the upstream Switch for thrice the Hello Time, will consider the upstream Switch failed and recalculate the spanning tree.
RSTP Configuration 547 After the STP protocol is enabled, the modification of any parameter will result in the re-calculation of the spanning tree on the Switch. It is therefore recommended to configure all the RSTP parameters before enabling the STP feature on the Switch and the port.
548 Perform the following configurations in Ethernet Port View. Table 597 Enable/Disable RSTP on a Port Note that the redundancy route may be generated after RSTP is disabled on the Ethernet port. By default, RSTP on all the ports will be enabled after it is enabled on the Switch.
RSTP Configuration 549 Set Priority of a Specified Bridge Whether a bridge can be selected as the "root" of the spanning tree depends on its priority. By assigning a lower priority, a bridge can be artificially specified as the root of the spanning tree.
550 By default, a Switch is neither the primary root nor the secondary root of the spanning tree. Set Forward Delay of a Specified Bridge Link failure will cause recalculation of the spanning tree and change its structure.
RSTP Configuration 551 Table 604 Set Max Age of the Specified Bridge If the Max Age is too short, it will result in frequent calculation of spanning tree or misjudge the network congestion as a link fault. On the other hand, too long Max Age may make the bridge unable to find link failure in time and weaken the network auto-sensing ability.
552 By default, an Ethernet port can transmit at most 3 STP packets within one Hello Time. Set Specified Port to be an EdgePort EdgePort is not connected to any Switch directly or indirectly using the connected network.
RSTP Configuration 553 Specify the standard to be followed in Path Cost calculation The following two standards are currently available on the Switch: ■ dot1d-1998: The Switch calculates the default Path Cost of a port by the IEEE 802.1D-1998 standard.
554 Table 611 Configure a Specified Port to be Connected to a Point-to-Point Link The two ports connected using the Point-to-Point link can enter the forwarding state rapidly by transmitting synchronous packets, so that the unnecessary forwarding delay can be reduced.
RSTP Configuration 555 causes the network topology to reconfigure and may cause links to switch state. In normal cases, these ports will not receive STP BPDU. If someone forges a BPDU to attack the Switch, the network topology will reconfigure. BPDU protection function is used against such network attack.
556 For detailed information about the configuration commands, refer to the Command Manual. Display and Debug RSTP After the above configuration, execute display command in all views to display the running of the RSTP configuration, and to verify the effect of the configuration.
RSTP Configuration Example 557 Configuration Procedure 1 Configure Switch A a Enable RSTP globally. [SW5500] stp enable b The port RSTP defaults are enabled after global RSTP is enabled. You can disable RSTP on those ports that are not involved in the RSTP calculation, however, be careful and do not disable those involved.
558 b The port RSTP defaults are enabled after global RSTP is enabled. You can disable RSTP on those ports that are not involved in RSTP calculation, however, be careful and do not disable those involved. (The following configuration takes Ethernet 1/0/4 as an example.
27 POE PROFILE CONFIGURATION Introduction to PoE Profile On a large-sized network or a network with mobile users, to help network administrators to monitor the PoE features of the switch, 3Com Switch 5500 Family have provided PoE Profile features.
560 CHAPTER 27: POE PROFILE CONFIGURATION Various PoE features can be configured within one PoE Profile. The following holds while using the apply poe-profile command to apply a PoE Profile to.
PoE Profile Configuration 561 Figure 164 PoE Profile application Configuration procedures 1 Create Profile 1, and enter PoE Profile view. <S5500> system-view [S5500] poe-profile Profile1 2 In Profile 1, add the PoE policy configuration applicable to Ethernet1/0/1 through Ethernet1/0/5 ports for type A group users.
562 7 Apply the configured Profile 1 to Ethernet1/0/1 through Ethernet1/0/5 ports. [S5500] apply poe-profile profile1 interface ethernet1/0/1 to ethernet1/0/5 8 Apply the configured Profile 2 to Ethernet1/0/6 through Ethernet1/0/10 ports.
28 SNMP CONFIGURATION SNMP Configuration Introduction The Simple Network Management Protocol (SNMP) has gained the most extensive application in the computer networks. SNMP has been put into use and widely accepted as an industry standard in practice.
564 CHAPTER 28: SNMP CONFIGURATION The current SNMP Agent of the Switch supports SNMP V1, V2C and V3. The MIBs supported are listed in Table 616. Table 616 MIBs Supported by the Switch (Sheet 1 o.
SNMP Configuration Introduction 565 Configure SNMP The main configuration of SNMP includes: ■ Set community name ■ Set the Method of Identifying and Contacting the Administrator ■ Enable/Dis.
566 Setting Community Name SNMP V1 and SNMPV2C adopt the community name authentication scheme. The SNMP message incompliant with the community name accepted by the device will be discarded. SNMP Community is named with a character string, which is called Community Name.
SNMP Configuration Introduction 567 Setting Lifetime of Trap Message You can use the following command to set the lifetime of a Trap message. A trap message that exists longer than the set lifetime will be dropped. Perform the following configuration in System View.
568 Table 623 Set/Delete an SNMP Group Setting the Source Address of Trap You can use the following commands to set or remove the source address of the trap.
SNMP Configuration Introduction 569 Table 627 Set the Size of SNMP Packet sent/received by an Agent The agent can receive/send the SNMP packets of the sizes ranging from 484 to 17940, measured in bytes. By default, the size of SNMP packet is 1500 bytes.
570 Displaying and Debugging SNMP After the above configuration, execute the display command in all views to display the running of the SNMP configuration, and to verify the effect of the configuration. Execute the debugging command in User View to debug SNMP configuration.
SNMP Configuration Introduction 571 Configuration Procedure 1 Enter the System View. <SW5500> system-view 2 Set the community name, group name and user. [SW5500] snmp-agent sys-info version all [SW5500] snmp-agent community write public [SW5500] snmp-agent mib include internet 1.
572 Networking diagram Figure 167 SNMP configuration example Configuration procedure [SW5500] snmp-agent community read public [SW5500] snmp-agent community write p.
29 SOURCE IP ADDRESS CONFIGURATION Configuring Source IP Address for Service Packets You can configure source IP address or source interface for the FTP server, FTP client, TFTP client, Telnet server, Telnet client, SSH server, SSH2 client and SFTP client to enhance service manageability.
574 CHAPTER 29: SOURCE IP ADDRESS CONFIGURATION If the ip-addr in the command is not an address of the device, your configuration fails. If you specify a non-existent interface in the command, your configuration fails.
30 PASSWORD CONTROL CONFIGURATION OPERATIONS Introduction to Password Control Configuration The password control feature is designed to manage the following passwords: ■ Telnet passwords: passwords for logging into the switch through Telnet.
576 CHAPTER 30: PASSWORD CONTROL CONFIGURATION OPERATIONS Password Control Configuration This section contains configuration information on Password Control. Configuration Prerequisites A user PC is connected to the switch to be configured; both devices are operating normally.
Password Control Configuration 577 length limitation, the configured minimum password length (if available); the enable/disable state of history password recording, the maximum number of history.
578 After password aging is enabled, the device will decide whether the user password ages out when a user logging into the system is undergoing the password authentication. This has three cases: 1 The password has not expired.
Password Control Configuration 579 Configuring History Password Recording With this function enabled, when a login password expires, the system requires the user to input a new password and save the old password automatically. You can configure the maximum number of history records allowed for each user.
580 Configuring a User Login Password in Encryption Mode Configuring Login Attempts Limitation and Failure Processing Mode When the maximum.
Displaying Password Control 581 The system administrator can perform the following operations to manually remove one or all user entries in the blacklist.
582 Password Control Configuration Example Network requirements A PC is connected to the switch to be configured.
Password Control Configuration Example 583 7 Display the information about the password control for all users. [S5500] display password-control Global password settings for all users: Passwo.
31 MSDP CONFIGURATION Among Switch 5500 Series Ethernet Switches, only Switch 5500-EI Series Ethernet Switches support the configurations described in this chapter. Routers and router icons in this chapter represent routers in the common sense and Ethernet switches running routing protocols.
586 CHAPTER 31: MSDP CONFIGURATION MSDP peers are interconnected over TCP connections (using port 639). A TCP connection can be established between RPs in different PIM-SM domains, between RPs in the same PIM-SM domain, between an RP and a common router, or between common routers.
Introduction to MSDP 587 Figure 170 Typical networking of Anycast RP. Typically, a multicast source S registers to the nearest RP to create an SPT, and receivers also send Join messages to the nearest RP to construct an RPT, so it is likely that the RP to which the multicast source has registered is not the RP that receivers Join.
588 Figure 171 Identifying the multicast source and receiving multicast data The complete interoperation process between a multicast source S in the PIM-SM1 domain and receivers in the PIM-SM1 and PIM-SM4 domains is as follows: 1 The multicast source S in the PIM-SM1 domain begins to send data packets.
Introduction to MSDP 589 Figure 172 Forwarding SA messages between MSDP peers As shown above, RP1 belongs to AS1. RP2, RP3 and RP4 belong to AS2. RP5 and RP6 belong to AS3. An MSDP peering relationship exists among these RPs. RP2, RP3, and RP4 form a mesh group.
590 Configuring MSDP Basic Functions To enable exchange of information from the multicast source S between two PIM-SM domains, you need to establish MSDP peering re.
Configuring Connection Between MSDP Peers 591 Configuring MSDP Basic Functions Configuring Connection Between MSDP Peers An AS may contain multiple MSDP peers. To avoid SA flooding between the MSDP peers, you can use the MSDP mesh mechanism to improve traffic.
592 Configuring Description Information for MSDP Peers You can configure description information for each MSDP peer to manage and memorize the MSDP peers.
Configuring SA Message Transmission 593 Configuring MSDP Peer Connection Control The connection between MSDP peers can be flexibly controlled. You can disable the MSDP peering relationships temporarily by shutting down the MSDP peers. As a result, SA messages cannot be transmitted between such two peers.
594 Configuring the Transmission and Filtering of SA Request Messages After you enable sending SA request messages to MSDP peers, when a router receives a Join message, it sends an SA request message to the specified remote MSDP peer, which responds with an SA message that it has cached.
Configuring SA Message Transmission 595 Configuring a Rule for Filtering Received and Forwarded SA Messages Besides the creation of source information, controlling multicast source information allows you to control the forwarding and reception of source information.
596 Displaying and Debugging MSDP Configuration After the above-mentioned configuration, you can use the display command in any view to view the MSDP running information, so as to verify configuration result. In the user view, you can execute the reset command to reset the MSDP counter.
MSDP Configuration Example 597 The PIM-SM network implements OSPF to provide unicast routes and establish MSDP peers between SwitchC and SwitchD. Meanwhile, the Loopback10 interfaces of SwitchC and SwitchD play the roles of C-BSR and C-RP.
598 c When the multicast source S1 in the PIM-SM domain sends multicast information, the receivers attached to SwitchD can receive the multicast information and can view the PIM routing information on the switch by using the display pim routing-table command.
Troubleshooting MSDP Configuration 599 Troubleshooting MSDP Configuration The following sections provide troubleshooting guidelines for MSDP configuration. MSDP Peer Always in the Down State Symptom An MSDP peer is configured, but it is always in the down state.
32 CLUSTERING Clustering Overview Clustering enables the network to manage multiple switches through the public IP address of a switch named the management device. Managed switches in a cluster are member devices, and often may not have an assigned public IP address.
602 CHAPTER 32: CLUSTERING ■ Topology collection: Clustering implements NTDP (Neighbor Topology Discovery Protocol) to collect information on device connections and candidate devices within a specified hop range.
Clustering Overview 603 Figure 175 Role changing rule ■ A cluster can have only one management device, which is necessary to the cluster. The management device collects NDP/NTDP information to discover and confirm candidate devices, which can then be added into the cluster through manual configurations.
604 When the NDP on the member device finds changes of neighbors, it will advertise the changes to the management device by handshake packets. The management device can run NTDP to collect the specified topology information and show the network topology changes in time.
Management Device Configuration 605 Management Device Configuration Management device configuration involves: ■ Enable system and port NDP ■ Configure NDP parameters ■ Enable system and port.
606 Enabling the Cluster Function Configuring Cluster Parameters Configuring cluster parameters manually Configure the time that collected devices wait before forwarding the topology-collection request ntdp timer hop-delay time Optional Argument time is the delay time.
Management Device Configuration 607 Configuring a cluster Automatically Configuring Internal-External Interaction NM Interface for Cluster Management Configuration Configuration Preparation ■ The cluster switches are properly connected. ■ The internal server is properly connected with the management switch.
608 Member Device Configuration Member device configuration involves: ■ Enable system and port NDP ■ Enable system and port NTDP ■ Specifying the cluster FTP/TFTP ser.
Configuring Cluster Parameters 609 Configuring Cluster Parameters Displaying and Maintaining Cluster Configurations You can view the configuration information of a cluster with the display commands, which can be executed in any view.
610 Clustering Configuration Example Network requirements Three switches form a cluster, in which: ■ Switch 5500 acts as the management device.
Clustering Configuration Example 611 b Configure holdtime of NDP information as 200 seconds. [S5500] ndp timer aging 200 c Configure interval of NDP packets as 70 seconds. [S5500] ndp timer hello 70 d Enable system NTDP and port NTDP on E1/0/2 and E1/0/3.
612 2 Configure member devices (take one member as example) a Enable system NDP and port NDP on port Ethernet1/1. [S5500] ndp enable [S5500] interface ethernet 1/1 [S5500-Ethernet1/1] ndp enable b Enable system NTDP and port NTDP on port Ethernet1/1.
Clustering Configuration Example 613 Network diagram Figure 176 Network diagram for the interfaces of cluster management network Configuration procedure Configuring the Switch 5500 switch 1 Enter system view. Specify VLAN 3 as the management VLAN.
33 HWT ACACS C ONFIGURATION Configuring HWT ACACS This chapter contains information on HWT ACACS configuration. HWT ACACS configuration tasks Refer to the tasks in T able 671 to configure HWT ACACS.
616 C HAPTER 33: HWTACACS C ONFIGURATION Pay attention to the following when configuring a T ACACS serv er: ■ HWT ACACS server does not check whether a scheme is being used by users when changing most of HWT ACACS attributes, unless you delete the scheme.
Configuring HWTACACS 617 Configuring HWT ACACS Authentication Servers Perform the following configu ration in HWT ACACS view . The primary and secondar y authentication servers ca nnot use the same IP address. The default port number is 49. If you execute this command repeatedly , th e new settings will replace the old settings.
Configuring the Source Address for HWTACACS Packets Sent by the NAS
Perform the following configuration in the corresponding view.
A source address configured in HWTACACS view takes precedence over one configured in system view for HWTACACS packets sent from the NAS.
Setting the Unit of Data Flows Destined for the TACACS Server
Perform the following configuration in HWTACACS view.
The default data flow unit is byte.
The real-time accounting interval depends partly on the performance of the NAS and the TACACS server: a shorter interval requires higher device performance. A longer interval is therefore recommended when there are many users (1000 or more).
HWTACACS Protocol Configuration Example
For the hybrid configuration example of the AAA/RADIUS protocol and the 802.1x protocol, refer to the Configuration Example in 802.1x Configuration. It is not detailed here.
Configuration procedure
1 Configure an HWTACACS scheme.
[S5500] hwtacacs scheme hwtac
[S5500-hwtacacs-hwtac] primary authentication 10.
A PASSWORD RECOVERY PROCESS
Introduction
The Switch 5500 has two separate password systems:
n Passwords which are used by the Web User Interface and the CLI and are stored in the 3comoscfg.cfg file. For more information on this, refer to the Getting Started Guide which accompanies your Switch.
Bootrom Interface
During the initial boot phase of the Switch (when directly connected using the console), various messages are displayed and the following prompt is shown with a five second countdown timer:
Press Ctrl-B to enter Boot Menu.
Anyone with physical access to the console during this countdown can reach the boot menu, so restrict console access and set the bootrom password.
Skipping the Current Configuration File
Enter boot menu option 7 to make the Switch boot from the factory default configuration file 3comoscfg.def. When the Switch has booted from the factory default, it can be configured with an IP address and default gateway if needed.
If the user-configured bootrom password is lost, a fixed, unit-unique password can be provided by 3Com Technical Support to bypass the lost password. Because that bypass password is fixed for the unit, the bootrom password is only as strong as physical control of the console port.
B RADIUS SERVER AND RADIUS CLIENT SETUP
This appendix covers the following topics:
n Setting Up A RADIUS Server
n Setting Up the RADIUS Client
Setting Up A RADIUS Server
There are many third party applications available to configure a RADIUS server.
b The server will need to run in Native mode in order to support EAP-TLS, which is not available in Mixed mode. To change mode, go to the Active Directory Users and Computers window, right-click the Domain, choose Properties, then select Change Mode.
d Follow the wizard to create a user, entering the required information at each stage.
e The password for the user must be set to be stored with reversible encryption. Right-click the user account and select Properties. Select the Account tab and check the box labelled Store password using reversible encryption. Reversible encryption lets the domain controller recover the clear-text password, so enable it only on the accounts that need it.
a Go to Control Panel > Add/Remove Programs > Add/Remove Windows Components. The Certificate Services component should be checked.
4 Install the Internet Authentication Service (IAS) program.
a Go to Control Panel > Add/Remove Programs > Add/Remove Windows Components. Enable Networking Services and ensure the Internet Authentication Service component is checked.
d Go to Programs > Administrative Tools > Active Directory Users and Computers and right-click your Active Directory domain. Select Properties.
e Select the Group Policy tab, and ensure that the Default Domain Policy is highlighted.
g The Certificate Request Wizard will start. Select Next > Computer certificate template and click Next.
h Ensure that your Certificate Authority is checked, then click Next. Review the Policy Change Information and click Finish.
e Give the policy a name, for example EAP-TLS, and select Next.
f Click Add...
g Set the conditions for using the policy to access the network. Select Day-And-Time-Restrictions, and click Add.
k Select the appropriate certificate and click OK. There should be at least one certificate. This is the certificate that was created during the installation of the Certification Authority Service. Windows may ask if you wish to view the Help topic for EAP.
b When you are prompted for a login, enter the user account name and password that you will be using for the certificate.
c Select Request a certificate and click Next >. There are two ways to request a certificate: the Advanced Request or the Standard Request.
f Either copy the settings from the screenshot or choose different key options. Click Save to save the PKCS #10 file.
j Select the second option as shown in the screenshot, and click Next >.
k Open the previously saved PKCS #10 certificate request file in Notepad, select all (Ctrl+A) and copy (Ctrl+C).
l Paste the copied information into the Saved Request field.
m Download the certificate and certification path. Click the Download CA Certificate hyperlink to save the certificate. Save the file as DER encoded. Click the Download CA certification path hyperlink to save the PKCS #7 file, and select Save. The certificate is also installed on the Certification Authority.
p Leave the settings on the next screen as they are, click Next >, then Finish and OK. This installs the certificate.
q Launch the Certification Authority management tool on the server and expand the Issued Certificates folder.
Save the certificate using DER X.509 encoding: select DER encoded binary, then Next. Provide a name for the certificate and save it to a specified location.
u Select the user that becomes the IEEE 802.1x client. Right-click on the user and select Name mappings. Select Add.
v Select the certificate that you have just exported and click Open. Click OK.
w In the Security Identity Mapping screen, click OK to close it.
b Create a new remote access policy under IAS and name it Switch Login. Select Next >.
c Specify Switch Login to match the users in the switch access group, select.
e Use the Edit button to change the Service-Type to Administrative.
f Add a Vendor specific attribute to indicate the access level that sh
The value 010600000003 is the vendor-specific attribute body: vendor type 01 (3Com-User-Access-Level), length 06, and a four-byte value whose last byte is the access level. 03 at the end indicates administrator privileges for the switch, 01 indicates monitor and 02 indicates manager access. On the Switch 5500, 00 indicates visitor level.
11 Configure the RADIUS client. Refer to "Setting Up the RADIUS Client" for information on setting up the client.
Follow these steps to set up auto VLAN and QoS for use by Microsoft IAS:
1 Define the VLAN Groups on the Active Directory server and assign the user accounts to each VLAN Group.
d Go to Programs > Administrative Tools > Internet Authentication Service and select Remote Access Policies. Select the policy that you configured earlier, right-click and select Properties.
e Click Add to add policy membership.
g Select the VLAN group that you have just created, click Add and then OK to confirm.
h Click OK again to return to the Security Policy properties.
i Click Edit Profile... and select the Advanced tab. Click Add. Refer to Table 686 and Table 687 for the RADIUS attributes to add to the profile.
j Select Tunnel-Medium-Type and click Add.
k Ensure that the Attribute value is set to 802 and click OK.
m Select the Tunnel-Pvt-Group-ID entry and click Add.
n Click Add, ensure that the Attribute value is set to 4 (Attribute value in string format), and click OK. This value represents the VLAN ID.
p Click Add again. In the pull down menu, select Virtual LANs and click OK.
q Click OK again to return to the Add Attributes screen. Click Close. You will now see the added attributes.
r Click OK to close the Profile screen and OK again to close the Policy screen.
Configuring Funk RADIUS
3Com has successfully installed and tested Funk RADIUS running on a Windows server in a network with Switch 5500 deployed. Download the Funk Steel-Belted RADIUS Server application from www.
3 Either re-boot the server or stop then restart the RADIUS service. To stop and restart the Steel-Belted RADIUS service, go to Control Panel > Administrative Tools > Services. Scroll down to the Steel-Belted service, stop and restart it.
Passwords are case sensitive.
6 Enter the shared secret. RADIUS uses it to authenticate packets and to hide the User-Password attribute; it does not encrypt the rest of the exchange. The shared secret must be identical on the Switch 5500 and the RADIUS server.
a Select RAS Clients from the left hand list, enter a Client name, the IP address and the Shared secret.
Configuring auto VLAN and QoS for Funk RADIUS
To set up auto VLAN and QoS using Funk RADIUS, follow these steps:
1 Edit the dictionary file radius.dct so that Return list attributes from the Funk RADIUS server are returned to the Switch 5500.
The following example shows the user name HOMER with the correct Return list attributes inserted. The VLANs and QoS profiles must also be created on the 3Com Switch 5500.
Configuring FreeRADIUS
3Com has successfully installed and tested FreeRADIUS running on Solaris 2.
2 Update the dictionary for Switch login
a In /usr/local/etc/raddb create a new file called dictionary.3Com containing the following information:
VENDOR 3Com 43
ATTRIB.
In the example above, Tunnel-Medium-Type has been set to TMT802 to force FreeRADIUS to treat 802 as a string that must be looked up in the dictionary and return the integer 6 (the Tunnel-Medium-Type value for IEEE 802 media in RFC 2868), rather than returning the integer 802, which would be the case if Tunnel-Medium-Type was set to 802.
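To show what these return-list attributes look like on the wire, here is an added Python example, not code from the 3Com guide or from any RADIUS server, that encodes the Access-Accept attributes this appendix asks the server to return for a Switch 5500: the 3Com-User-Access-Level vendor attribute described for dictionary.3Com (Vendor-Id 43, vendor type 1, which also reproduces the 010600000003 string from the IAS vendor-specific attribute step) and the RFC 2868 tunnel attributes for VLAN assignment. It then decodes them the way a client would, including the FreeRADIUS pitfall above where Tunnel-Medium-Type is sent as the integer 802 instead of 6. The helper names and sample values are assumptions written for the demo.

```python
import struct

# Added example, not the 3Com guide's or any vendor's code. Constants follow
# RFC 2865/2868/3580 and the dictionary.3Com entries the appendix describes
# (VENDOR 3Com 43, 3Com-User-Access-Level = 1); helper names and sample
# values are assumptions for this demo.

ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81

VENDOR_3COM = 43
VSA_3COM_USER_ACCESS_LEVEL = 1
ACCESS_LEVELS = {0: "visitor", 1: "monitor", 2: "manager", 3: "administrator"}

TUNNEL_TYPE_VLAN = 13        # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868 "802"; what FreeRADIUS's TMT802 resolves to


def encode_3com_access_level(level: int) -> bytes:
    """Vendor-Specific (26) attribute carrying 3Com-User-Access-Level."""
    if level not in ACCESS_LEVELS:
        raise ValueError("unknown 3Com access level %d" % level)
    vsa = struct.pack("!BBI", VSA_3COM_USER_ACCESS_LEVEL, 6, level)  # 01 06 <level>
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(vsa), VENDOR_3COM) + vsa


def ias_vsa_value(level: int) -> str:
    """The hex string typed into the IAS vendor-specific attribute editor."""
    return encode_3com_access_level(level)[6:].hex()


def tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: tag byte plus a 3-byte value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type: int, tag: int, value: bytes) -> bytes:
    """RFC 2868 tagged string: tag byte plus the string."""
    return struct.pack("!BBB", attr_type, 3 + len(value), tag) + value


def encode_vlan_assignment(vlan_id: int, tag: int = 0) -> bytes:
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=vlan id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    return (tagged_int(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode()))


def parse_attributes(data: bytes) -> list:
    """Split a RADIUS attribute list into (type, value) pairs, checking lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad length %d for attribute %d" % (length, t))
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def is_well_formed(data: bytes) -> bool:
    try:
        parse_attributes(data)
        return True
    except ValueError:
        return False


def decode_switch_authorization(data: bytes) -> dict:
    """Interpret the attributes a Switch 5500 acts on: access level and VLAN."""
    result = {}
    for t, v in parse_attributes(data):
        if t == ATTR_VENDOR_SPECIFIC and len(v) >= 10:
            vendor, vtype, vlen = struct.unpack("!IBB", v[:6])
            if vendor == VENDOR_3COM and vtype == VSA_3COM_USER_ACCESS_LEVEL and vlen == 6:
                level = struct.unpack("!I", v[6:10])[0]
                result["access_level"] = ACCESS_LEVELS.get(level, "unknown(%d)" % level)
        elif t in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            result[t] = int.from_bytes(v[1:], "big")
        elif t == ATTR_TUNNEL_PRIVATE_GROUP_ID and v:
            # A leading byte above 0x1F is data, not a tag (RFC 2868 section 3.6)
            result["group_id"] = (v[1:] if v[0] <= 0x1F else v).decode("ascii", "replace")
    # RFC 3580: assign the VLAN only when type, medium and group id all agree
    if (result.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and result.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
            and result.get("group_id", "").isdigit()):
        result["vlan_id"] = int(result["group_id"])
    return result
```

Calling decode_switch_authorization(encode_3com_access_level(3) + encode_vlan_assignment(4)) yields the administrator level and VLAN 4 that the IAS steps above produce; swap the medium type for the integer 802 and the VLAN is silently not assigned, which is the symptom the TMT802 workaround exists to avoid. Note that these attributes arrive in an Access-Accept whose only protection is the MD5 Response Authenticator keyed by the shared secret, so the secret's strength and the path between switch and server decide who can hand out administrator level.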
Setting Up the RADIUS Client
generate an EAPOL-Logoff message when the user logs off, which leaves the port authorized. To reduce the impact of this issue, decrease the session-timeout return list attribute to force re-authentication of the port more often.
b This screen will appear:
c Leave the Profile as default. The Identity is an account created on the RADIUS Server, with its Password.
d Click OK to finish the configuration.
e Restart the client, either by rebooting or by stopping and restarting the service.
C AUTHENTICATING THE SWITCH 5500 WITH CISCO SECURE ACS
This appendix covers the following topics:
n Cisco Secure ACS (TACACS+) and the 3Com Switch 5500
n Setting Up the Cisco Secure ACS (TACACS+) server
Adding a 3Com Switch 5500 as a RADIUS client
Once logged into the Cisco Secure ACS interface, follow these steps:
1 Select Network Configuration from the left hand side.
2 Select Add Entry from under AAA Clients.
Setting Up the Cisco Secure ACS (TACACS+) server
5 Select Interface Configuration from the left hand side.
6 Select RADIUS (IETF) from the list under Interface Configuration.
8 Select Submit.
9 Repeat step 1 through step 8 for each Switch 5500 on your network.
The screen below shows specific RADIUS attributes having been selected for the user. The user has the student profile selected and is assigned to VLAN 10 untagged. The RADIUS attributes need to have already been selected; see step 7 in Adding a 3Com Switch 5500 as a RADIUS client.
1=Monitor 2=Manager 3=Administrator
b Locate the application csutil.exe in the utils directory of the install path (e.g. C:\Program Files\Cisco Secure ACS\utils).
c Copy the 3Com.
2 To use the new RADIUS attributes, a client needs to be a user of RADIUS (3Com) attributes. Select Network Configuration from the left hand side and select an existing device or add a new device. In the AAA Client Setup window select RADIUS (3COM) from the Authenticate Using pull down list.
5 Ensure that the 3Com-User-Access-Level option is selected for both User and Group setup, as shown below.
6 Select User Setup.
7 In the RADIUS (3Com) Attribute box, check 3Com-User-Access-Level and select Administrator from the pull down list, see below:
8 Select Submit.
The Switch 5500 can now be managed by the Network Administrator through the Cisco Secure ACS server.
D 3COM XRN
This section explains what 3Com XRN (eXpandable Resilient Networking) is and how you can use it to benefit your network. It also explains how to implement XRN on your network.
What is XRN?
XRN (eXpandable Resilient Networking) is a 3Com LAN technology built into the software and hardware of your Switch that offers high availability, scalability, and connectivity.
Supported Switches
XRN is supported by the 3Com Operating System on the following Switches installed with Version 1.
Benefits of XRN
The benefits of XRN include:
n Increased environmental resilience provided by:
n Hardware and Software redundancy per unit or across the Distributed Fabric.
n Distributed management across the Distributed Fabric.
Switch units within the Distributed Fabric provide the same router interfaces and mirror each other's routing tables. This allows each unit to keep routing local to the unit for locally connected hosts and devices.
XRN Features
Table 691 Aggregated Links and Member Links Supported within a Fabric
Distributed Link Aggregation Example
You can also use DLA to create highly resilient network backbones, supporting multihomed links to the wiring closets as shown in Figure 179.
How to Implement XRN—Overview
This section provides an overview of how to implement XRN in your network. Following the steps below will ensure that your XRN network operates correctly.
Important Considerations and Recommendations
n When you create a Distributed Fabric the relevant port-based tables do not double in size; they remain as they were.
n When Switch 5500 units are in an XRN Distributed Fabric, their unit IDs are user configurable.
n All multihomed links and alternate paths must carry all VLANs, and packets must be tagged.
n The Distributed Fabric is the STP root bridge.
n Individual port members of each aggregated link must have VLAN membership manually configured before the aggregated link is set up.
Network Example using XRN
Figure 180 A Dual XRN Distributed Fabric Network
How to Set up this Network
This section provides information on how to configure an XRN network as shown in Figure 180. It assumes you have carried out step 1 to step 4 as detailed in "How to Implement XRN—Overview" on page 676.
Recovering your XRN Network
In the event of a failure within your XRN network, 3Com recommends that you follow the recommendations below.
Unit Failure
The steps below outline the procedure to recover your XRN network in the event of a unit failure within your Distributed Fabric.
How XRN Interacts with other Features
This section provides supplementary information on how XRN interacts with other software features supported by your Switch.
Figure 182 How XRN interacts with VLANs—Example 2
Legacy Aggregated Links
Legacy aggregated links will react in the normal way if a unit within the Distributed Fabric fails, that is, all traffic will be redirected down the link(s) to the unit that is still operating.
STP/RSTP
STP/RSTP should be used for multihomed links if you are not able to use aggregated links. Figure 184 shows how STP will prevent a loop occurring on a multihomed link. STP/RSTP should always be enabled if your multihomed links are aggregated links.
How a Failure affects the Distributed Fabric
This section provides supplementary information on how the Distributed Fabric and traffic flow are affected by failure of a Fabric Interconnect and of a unit in the Distributed Fabric.
Router
Switch B will continue to do all the routing. As it was routing prior to Switch A's failure there will be no change of the router identity, that is, the router interface IP addresses will not change.
IEEE 802.1D (Legacy STP) and RSTP
The Switch 4200 is using legacy STP. STP (and RSTP) will reconfigure the network to open the previously blocked link to Switch B. The STP reconfiguration will cause all Switch forwarding databases (MAC address tables) to be fast aged (if using RSTP, they will be flushed).