3Com 4500 User Manual
- View the manual online or download it
- 742 pages
- 13.15 MB
The proper user manual
Regulations oblige the seller to hand over the 3Com 4500 user manual to the buyer together with the goods. A missing manual, or incorrect information passed on to the consumer, constitutes grounds for a complaint on the basis of non-conformity of the device with the contract. The law permits the manual to be supplied in a form other than paper, which is increasingly common, by providing a graphical or electronic manual for the 3Com 4500 as well as instructional videos for users. The condition is that its form is legible and comprehensible.
What is a user manual?
The word comes from the Latin "instructio", i.e. to arrange. Accordingly, the 3Com 4500 manual describes the stages of the procedures. The purpose of the manual is to instruct, to simplify starting up and using the device, or to carry out specific tasks. The manual is a collection of information about an item or a service, a guide.
Unfortunately, few users devote their time to the 3Com 4500 user manual. A good manual not only lets you get to know a range of additional functions of the purchased device, but also helps to avoid many mistakes.
So what should an ideal user manual contain?
The 3Com 4500 user manual should above all contain:
- Information about the technical specifications of the 3Com 4500 device
- The name of the manufacturer and the year of manufacture of the 3Com 4500 device
- Principles of operating, adjusting and maintaining the 3Com 4500 device
- Safety marks and certificates confirming conformity with the relevant standards
Why don't we read user manuals?
The reason is a lack of time and confidence about the specific functions of the purchased devices. Unfortunately, connecting and starting the 3Com 4500 is not enough. A manual contains a series of notes on specific functions, safety principles, types of maintenance (even which agents to use), possible faults of the 3Com 4500 and ways to solve problems that may arise during use. After all, the manual also gives the contact number for 3Com service if the suggested solutions do not work. Manuals in the form of engaging animations or video guides are currently popular, as they appeal to the user more than a brochure does. This kind of manual practically guarantees that the user watches the whole video without skipping the detailed and complicated technical descriptions of the 3Com 4500, as happens with the paper form.
Why should you read user manuals?
In the user manual we find above all the answers about the construction and the capabilities of the 3Com 4500 device, about the use of particular accessories and a range of information that lets us use all of its functions and conveniences.
After a successful purchase, you should devote some time to getting to know every part of the 3Com 4500 manual. Today they are carefully prepared or translated so that they are not only understandable to users but also fulfil their basic function of help and information.
Table of contents of the manual
- Page 1
3Com Switch 4500 Family Configuration Guide Switch 4500 26-Port Switch 4500 50-Port Switch 4500 PWR 26-Port Switch 4500 PWR 50-Port Product Version: V03.03.00 Manual Version: 6W101-20090811 www.3com.com 3Com Corporation 350 Campus Drive, Marlborough, MA, USA 01752 3064[...]
- Page 2
Copyright © 2006-2009, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation. 3Com Corporation reserves the right to revise this documentation a[...]
- Page 3
About This Manual Organization 3Com Switch 4500 Family Configuration Guide is organized as follows: Part Contents 1 Login Introduces the ways to log into an Ethernet switch and CLI related configuration. 2 Configuration File Management Introduces configuration file and the related configuration. 3 VLAN Introduces VLAN and related configuration[...]
- Page 4
Part Contents 27 UDP Helper Introduces UDP helper and the related configuration. 28 SNMP-RMON Introduces the configuration for network management through SNMP and RMON 29 NTP Introduces NTP and the related configuration. 30 SSH Introduces SSH2.0 and the related configuration. 31 File System Management Introduces basic configuration for file sy[...]
- Page 5
GUI conventions Convention Description < > Button names are inside angle brackets. For example, click <OK>. [ ] Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window. / Multi-level menus are separated by forward slashes. For example, [File/Create/Folder]. Symbols Co[...]
- Page 6
i Table of Contents 1 Logging In to an Ethernet Switch ... 1-1 Logging In to an Ethernet Switch ...[...]
- Page 7
ii Switch Configuration ... 4-2 Modem Connection Establishment ...[...]
- Page 8
1-1 1 Logging In to an Ethernet Switch Go to these sections for information you are interested in: • Logging In to an Ethernet Switch • Introduction to the User Interface Logging In to an Ethernet Switch To manage or configure a Switch 4500, you can log in to it in one of the following three methods: • Command Line Interface • Web-based Network [...]
- Page 9
1-2 Table 1-1 Description on user interface User interface Applicable user Port used Remarks AUX Users logging in through the console port Console port Each switch can accommodate one AUX user. VTY Telnet users and SSH users Ethernet port Each switch can accommodate up to five VTY users. One user interface corresponds to one user interface view,[...]
- Page 10
1-3 Common User Interface Configuration Follow these steps to configure common user interface: To do… Use the command… Remarks Lock the current user interface lock Optional Available in user view A user interface is not locked by default. Specify to send messages to all user interfaces/a specified user interface send { all | number | type [...]
- Page 11
2-1 2 Logging In Through the Console Port Go to these sections for information you are interested in: • Introduction • Setting Up a Login Environment for Login Through the Console Port • Console Port Login Configuration • Console Port Login Configuration with Authentication Mode Being None • Console Port Login Configuration with Authentication[...]
- Page 12
2-2 2) If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP. The following assumes that you are running Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4 for the connection to be created. Normal[...]
- Page 13
2-3 Figure 2-4 Set port parameters 3) Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt appears after you press the Enter key. 4) You can then configure the switch or check the information about the switch by executing the corresponding commands. You can[...]
- Page 14
2-4 Configuration Remarks Set the maximum number of lines the screen can contain Optional By default, the screen can contain up to 24 lines. Set history command buffer size Optional By default, the history command buffer can contain up to 10 commands. Set the timeout time of a user interface Optional The default timeout time is 10 minutes. The chan[...]
- Page 15
2-5 To do… Use the command… Remarks Set the maximum number of lines the screen can contain screen-length screen-length Optional By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages. Set the history command buffer size history-command max-size value O[...]
- Page 16
2-6 Changes made to the authentication mode for console port login take effect after you quit the command-line interface and then log in again. Console Port Login Configuration with Authentication Mode Being None Configuration Procedure Follow these steps to configure console port login with the authentication mode being none: To do… Use t[...]
- Page 17
2-7 Network diagram Figure 2-5 Network diagram for AUX user interface configuration (with the authentication mode being none) Configuration PC running Telnet Ethernet GE1/0/1 Configuration procedure # Enter system view. <Sysname> system-view # Enter AUX user interface view. [Sysname] user-interface aux 0 # Specify not to authenticate u[...]
- Page 18
2-8 To do… Use the command… Remarks Enter system view system-view — Enter AUX user interface view user-interface aux 0 — Configure to authenticate users using the local password authentication-mode password Required By default, users logging in to a switch through the console port are not authenticated; while those logging in through Mode[...]
- Page 19
2-9 <Sysname> system-view # Enter AUX user interface view. [Sysname] user-interface aux 0 # Specify to authenticate users logging in through the console port using the local password. [Sysname-ui-aux0] authentication-mode password # Set the local password to 123456 (in plain text). [Sysname-ui-aux0] set authentication password simple 123[...]
- Page 20
2-10 To do… Use the command… Remarks Enter the default ISP domain view domain domain-name Specify the AAA scheme to be applied to the domain scheme { local | none | radius-scheme radius-scheme-name [ local ] } Configure the authentication mode Quit to system view quit Optional By default, the local AAA scheme is applied. If you specify to ap[...]
- Page 21
2-11 • Set the service type of the local user to Terminal and the command level to 2. • Configure to authenticate the users in the scheme mode. • The baud rate of the console port is 19,200 bps. • The screen can contain up to 30 lines. • The history command buffer can store up to 20 commands. • The timeout time of the AUX user interface is 6 min[...]
- Page 22
2-12 [Sysname-ui-aux0] history-command max-size 20 # Set the timeout time of the AUX user interface to 6 minutes. [Sysname-ui-aux0] idle-timeout 6 After the above configuration, you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 2-4 to log in to the switch successf[...]
- Page 23
3-1 3 Logging In Through Telnet Go to these sections for information you are interested in: • Introduction • Telnet Configuration with Authentication Mode Being None • Telnet Configuration with Authentication Mode Being Password Introduction Switch 4500 supports Telnet. You can manage and maintain a switch remotely by Telnetting to the switch[...]
- Page 24
3-2 Configuration Description Configure the protocols the user interface supports Optional By default, Telnet and SSH protocol are supported. Set the commands to be executed automatically after a user logs in to the user interface successfully Optional By default, no command is executed automatically after a user logs into the VTY user interface. M[...]
- Page 25
3-3 To do… Use the command… Remarks Set the history command buffer size history-command max-size value Optional The default history command buffer size is 10, that is, the history command buffer of a user can store up to 10 commands by default. Set the timeout time of the VTY user interface idle-timeout minutes [ seconds ] Optional The default[...]
- Page 26
3-4 To improve security and prevent attacks to the unused Sockets, TCP 23 and TCP 22, ports for Telnet and SSH services respectively, will be enabled or disabled after corresponding configurations. • If the authentication mode is none, TCP 23 will be enabled, and TCP 22 will be disabled. • If the authentication mode is password, and the corre[...]
- Page 27
3-5 Network diagram Figure 3-1 Network diagram for Telnet configuration (with the authentication mode being none) Configuration procedure # Enter system view. <Sysname> system-view # Enter VTY 0 user interface view. [Sysname] user-interface vty 0 # Configure not to authenticate Telnet users logging in to VTY 0. [Sysname-ui-vty0] authen[...]
- Page 28
3-6 When the authentication mode is password, the command level available to users logging in to the user interface is determined by the user privilege level command. Configuration Example Network requirements Assume current user logins through the console port and the current user level is set to the administrator level (level 3). Perform the[...]
- Page 29
3-7 Telnet Configuration with Authentication Mode Being Scheme Configuration Procedure Follow these steps to configure Telnet with the authentication mode being scheme: To do… Use the command… Remarks Enter system view system-view — Enter one or more VTY user interface views user-interface vty first-number [ last-number ] — Configu[...]
- Page 30
3-8 Refer to the AAA part of this manual for information about AAA, RADIUS. Configuration Example Network requirements Assume current user logins through the console port and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in to VTY 0 using Telnet. • Configure the local user name[...]
- Page 31
3-9 # Set the maximum number of lines the screen can contain to 30. [Sysname-ui-vty0] screen-length 30 # Set the maximum number of commands the history command buffer can store to 20. [Sysname-ui-vty0] history-command max-size 20 # Set the timeout time to 6 minutes. [Sysname-ui-vty0] idle-timeout 6 Telnetting to a Switch Telnetting to a Switch f[...]
- Page 32
3-10 Figure 3-5 Network diagram for Telnet connection establishment Configuration PC running Telnet Ethernet Workstation Server Workstation Ethernet port Ethernet Switch 4) Launch Telnet on your PC, with the IP address of VLAN-interface 1 of the switch as the parameter, as shown in Figure 3-6. Figure 3-6 Launch Telnet 5) If the password authe[...]
- Page 33
3-11 Telnetting to another Switch from the Current Switch You can Telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure the IP addresses of the two manag[...]
- Page 34
4-1 4 Logging In Using a Modem Go to these sections for information you are interested in: • Introduction • Configuration on the Switch Side • Modem Connection Establishment Introduction The administrator can log in to the console port of a remote switch using a modem through public switched telephone network (PSTN) if the remote switch is conn[...]
- Page 35
4-2 You can verify your configuration by executing the AT&V command. The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration. Switch Configuration After logging in to a switch through its console port by using a modem, you will enter the AU[...]
- Page 36
4-3 Figure 4-1 Establish the connection by using modems Console port PSTN Telephone line Modem serial cable Telephone number of the remote end: 82882285 Modem Modem 4) Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 4-2 through Figure 4-4. Note tha[...]
- Page 37
4-4 Figure 4-3 Set the telephone number Figure 4-4 Call the modem 5) If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt (such as <Sysname>) appears. You can then configure or manage the switch. You can also enter the character ? at any time for help. Refer to the rela[...]
- Page 38
5-1 5 CLI Configuration When configuring CLI, go to these sections for information you are interested in: • Introduction to the CLI • Command Hierarchy • CLI Views • CLI Features Introduction to the CLI A command line interface (CLI) is a user interface to interact with a switch. Through the CLI on a switch, a user can enter commands to configure[...]
- Page 39
5-2 • Monitor level (level 1): Commands at this level are mainly used to maintain the system and diagnose service faults, and they cannot be saved in configuration file. Such commands include debugging and terminal. • System level (level 2): Commands at this level are mainly used to configure services. Commands concerning routing and network [...]
- Page 40
5-3 To do… Use the command… Remarks Enter system view system-view — Configure the level of a command in a specific view command-privilege level level view view command Required • You are recommended to use the default command level or modify the command level under the guidance of professional staff; otherwise, the change of command leve[...]
- Page 41
5-4 To avoid misoperations, the administrators are recommended to log in to the device by using a lower privilege level and view device operating parameters, and when they have to maintain the device, they can switch to a higher level temporarily; when the administrators need to leave for a while or ask someone else to manage the device tem[...]
- Page 42
5-5 To do… Use the command… Remarks Switch to a specified user level super [ level ] Required Execute this command in user view. • If no user level is specified in the super password command or the super command, level 3 is used by default. • For security purpose, the password entered is not displayed when you switch to another user level. Yo[...]
- Page 43
5-6 Table 5-1 CLI views View Available operation Prompt example Enter method Quit method User view Display operation status and statistical information of the switch <Sysname> Enter user view once logging into the switch. Execute the quit command to log out of the switch. System view Configure system parameters [Sysname] Execute the system-vi[...]
- Page 44
5-7 View Available operation Prompt example Enter method Quit method FTP client view Configure FTP client parameters [ftp] Execute the ftp command in user view. SFTP client view Configure SFTP client parameters sftp-client> Execute the sftp command in system view. MST region view Configure MST region parameters [Sysname-mst-region] Execute the[...]
- Page 45
5-8 View Available operation Prompt example Enter method Quit method RADIUS scheme view Configure RADIUS scheme parameters [Sysname-radius-1] Execute the radius scheme command in system view. ISP domain view Configure ISP domain parameters [Sysname-isp-aaa123.net] Execute the domain command in system view. Remote-ping test group view Configure re[...]
- Page 46
5-9 cd Change current directory clock Specify the system clock cluster Run cluster command copy Copy from one file to another debugging Enable system debugging functions delete Delete a file dir List files on a file system display Display current system information <Other information is omitted> 2) Enter a command, a space, and a question ma[...]
- Page 47
5-10 Table 5-2 Display-related operations Operation Function Press <Ctrl+C> Stop the display output and execution of the command. Press any character except <Space>, <Enter>, /, +, and - when the display output pauses Stop the display output. Press the space key Get to the next page. Press <Enter> Get to the next line. Comm[...]
- Page 48
5-11 Table 5-3 Common error messages Error message Remarks The command does not exist. The keyword does not exist. The parameter type is wrong. Unrecognized command The parameter value is out of range. Incomplete command The command entered is incomplete. Too many parameters The parameters entered are too many. Ambiguous command The parameters en[...]
- Page 49
6-1 6 Logging In Through the Web-based Network Management Interface Go to these sections for information you are interested in: • Introduction • Establishing an HTTP Connection • Configuring the Login Banner • Enabling/Disabling the WEB Server Introduction Switch 4500 has a Web server built in. It enables you to log in to Switch 4500 through a We[...]
- Page 50
6-2 3) Establish an HTTP connection between your PC and the switch, as shown in Figure 6-1. Figure 6-1 Establish an HTTP connection between your PC and the switch 4) Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the ad[...]
- Page 51
6-3 Configuration Example Network requirements • A user logs in to the switch through Web. • The banner page is desired when a user logs into the switch. Network diagram Figure 6-3 Network diagram for login banner configuration Configuration Procedure # Enter system view. <Sysname> system-view # Configure the banner Welcome to be displa[...]
- Page 52
6-4 To do… Use the command… Remarks Enter system view system-view — Enable the Web server ip http shutdown Required By default, the Web server is enabled. Disable the Web server undo ip http shutdown Required To improve security and prevent attack to the unused Sockets, TCP 80 port (which is for HTTP service) is enabled/disabled after th[...]
- Page 53
7-1 7 Logging In Through NMS Go to these sections for information you are interested in: • Introduction • Connection Establishment Using NMS Introduction You can also log in to a switch through a Network Management Station (NMS), and then configure and manage the switch through the agent software on the switch. Simple Network Management Pr[...]
- Page 54
8-1 8 Configuring Source IP Address for Telnet Service Packets Go to these sections for information you are interested in: • Overview • Configuring Source IP Address for Telnet Service Packets • Displaying Source IP Address Configuration Overview You can configure source IP address or source interface for the Telnet server and Telnet client[...]
- Page 55
8-2 Operation Command Description Specify a source interface for Telnet server telnet-server source-interface interface-type interface-number Optional Specify source IP address for Telnet client telnet source-ip ip-address Optional Specify a source interface for Telnet client telnet source-interface interface-type interface-number Optional To per[...]
- Page 56
9-1 9 User Control Go to these sections for information you are interested in: • Introduction • Controlling Telnet Users • Controlling Network Management Users by Source IP Addresses • Controlling Web Users by Source IP Address Refer to the ACL part for information about ACL. Introduction You can control users logging in through Telnet, SNMP an[...]
- Page 57
9-2 • If no ACL is configured on the VTY user interface, users are not controlled when establishing a Telnet connection using this user interface. • If an ACL is configured on the VTY user interface, there will be two possibilities: if the packets for establishing a Telnet connection match the ACL rule configured on the VTY user interface, the c[...]
- Page 58
9-3 To do… Use the command… Remarks Apply a basic or advanced ACL to control Telnet users acl acl-number { inbound | outbound } Apply an ACL to control Telnet users by ACL Apply a Layer 2 ACL to control Telnet users acl acl-number inbound Required Use either command • The inbound keyword specifies to filter the users trying to Telnet to th[...]
- Page 59
9-4 • Defining an ACL • Applying the ACL to control users accessing the switch through SNMP To control whether an NMS can manage the switch, you can use this function. Prerequisites The controlling policy against network management users is determined, including the source IP addresses to be controlled and the controlling actions (permitting[...]
- Page 60
9-5 Network diagram Figure 9-2 Network diagram for controlling SNMP users using ACLs Switch 10.110.100.46 Host A IP network Host B 10.110.100.52 Configuration procedure # Define a basic ACL. <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [Sysname-acl-basic-2000] quit # Apply the [...]
- Page 61
9-6 To do… Use the command… Remarks Enter system view system-view — Create a basic ACL or enter basic ACL view acl number acl-number [ match-order { config | auto } ] As for the acl number command, the config keyword is specified by default. Define rules for the ACL rule [ rule-id ] { deny | permit } [ rule-string ] Required Quit to system[...]
- Page 62
9-7 [Sysname-acl-basic-2030] quit # Apply ACL 2030 to only permit the Web users sourced from the IP address of 10.110.100.52 to access the switch. [Sysname] ip http acl 2030[...]
- Page 63
i Table of Contents 1 Configuration File Management ... 1-1 Introduction to Configuration File ...[...]
- Page 64
1-1 1 Configuration File Management When configuring configuration file management, go to these sections for information you are interested in: • Introduction to Configuration File • Configuration Task List Introduction to Configuration File A configuration file records and stores user configurations performed to a switch. It also enables user[...]
- Page 65
1-2 • When saving the current configuration, you can specify the file to be a main or backup or normal configuration file. • When removing a configuration file from a switch, you can specify to remove the main or backup configuration file. Or, if it is a file having both main and backup attribute, you can specify to erase the main or backup attri[...]
- Page 66
1-3 When you use the save safely command to save the configuration file, if the switch reboots or the power fails during the saving process, the switch initializes itself in the following two conditions when it starts up next time: • If a configuration file with the extension .cfg exists in the Flash, the switch uses the configuration file [...]
- Page 67
1-4 To do… Use the command… Remarks Erase the startup configuration file from the storage switch reset saved-configuration [ backup | main ] Required Available in user view You may need to erase the configuration file for one of these reasons: • After you upgrade software, the old configuration file does not match the new software. • The star[...]
- Page 68
1-5 The configuration file must use .cfg as its extension name and the startup configuration file must be saved at the root directory of the switch. Displaying Switch Configuration To do… Use the command… Remarks Display the initial configuration file saved in the Flash of a switch display saved-configuration [ unit unit-id ] [ by-linenu[...]
- Page 69
i Table of Contents 1 VLAN Overview ... 1-1 VLAN Overview ...[...]
- Page 70
1-1 1 VLAN Overview This chapter covers these topics: • VLAN Overview • Port-Based VLAN VLAN Overview Introduction to VLAN The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches. Hubs and switches, which are the basic network connection devices, [...]
- Page 71
1-2 Figure 1-1 A VLAN implementation Advantages of VLANs Compared with the traditional Ethernet, VLAN enjoys the following advantages. • Broadcasts are confined to VLANs. This decreases bandwidth consumption and improves network performance. • Network security is improved. Because each VLAN forms a broadcast domain, hosts in different VLANs c[...]
- Page 72
1-3 tag is encapsulated after the destination MAC address and source MAC address to show the information about VLAN. Figure 1-3 Format of VLAN tag As shown in Figure 1-3, a VLAN tag contains four fields, including the tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID. • TPID is a 16-bit field, indicating[...]
- Page 73
1-4 • Independent VLAN learning (IVL), where the switch maintains an independent MAC address forwarding table for each VLAN. The source MAC address of a packet received in a VLAN on a port is recorded to the MAC address forwarding table of this VLAN only, and packets received in a VLAN are forwarded according to the MAC address forwarding t[...]
- Page 74
1-5 A hybrid port allows the packets of multiple VLANs to be sent untagged, but a trunk port only allows the packets of the default VLAN to be sent untagged. The three types of ports can coexist on the same device. Assigning an Ethernet Port to Specified VLANs You can assign an Ethernet port to a VLAN to forward packets for the VLAN, thus al[...]
- Page 75
1-6 Table 1-2 Packet processing of a trunk port Processing of an incoming packet For an untagged packet For a tagged packet Processing of an outgoing packet • If the port has already been added to its default VLAN, tag the packet with the default VLAN tag and then forward the packet. • If the port has not been added to its default VLAN, discard th[...]
- Page 76
2-1 2 VLAN Configuration When configuring VLAN, go to these sections for information you are interested in: • VLAN Configuration • Configuring a Port-Based VLAN VLAN Configuration VLAN Configuration Task List Complete the following tasks to configure VLAN: Task Remarks Basic VLAN Configuration Required Basic VLAN Interface Configuration Optional[...]
- Page 77
2-2 • VLAN 1 is the system default VLAN, which needs not to be created and cannot be removed, either. • The VLAN you created in the way described above is a static VLAN. On the switch, there are dynamic VLANs which are registered through GVRP. For details, refer to "GVRP" part of this manual. • When you use the vlan command to create VLANs, i[...]
-
Seite 78
2-3 The operation of enabling/disabli ng a VLAN’ s VL AN interface does not influence the phy sical status of the Ethernet port s belonging to this VLAN. Displaying VLAN Configuration To do... Use the command... Remarks Display the VLAN interface information display interface Vlan-interface [ vlan-i d ] Display the VLAN information display vlan [[...]
-
Seite 79
2-4 Assigning an Ethernet Port to a VLAN Y ou can assign an Ethernet port to a VLAN in Ethernet port view or VLAN view . z You can assign an access port to a VLAN in ei ther Ethernet port view or VLAN view. z You can assign a trunk po rt or hybrid port to a VLAN only in Ethernet port view. 1) In Ethernet port view Follow these steps to assig n an E[...]
-
Seite 80
2-5 Configuring the Default VLAN for a Port
Because an access port can belong to only one VLAN, its default VLAN is the VLAN it resides in and cannot be configured. This section describes how to configure a default VLAN for a trunk or hybrid port.
Follow these steps to configure the default VLAN for a port:
To do… | Use the command… | Remarks
E[...]
Page 81
2-6 Network diagram
Figure 2-1 Network diagram for VLAN configuration (figure shows SwitchA, SwitchB, PC1, PC2, Server1, Server2 and ports GE1/0/1, GE1/0/2, GE1/0/10, GE1/0/11, GE1/0/12, GE1/0/13)
Configuration procedure
- Configure Switch A.
# Create VLAN 100, specify its descriptive string as Dept1, and add GigabitEthernet 1/0/1 to VLAN 100.
<SwitchA> system-view
[SwitchA[...]
Page 82
2-7 [SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 100
[SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 200
# Configure GigabitEthernet 1/0/10 of Switch B.
[SwitchB] interface GigabitEthernet 1/0/10
[SwitchB-GigabitEthernet1/0/10] port link-type trunk
[SwitchB-GigabitEthernet1/0/10] port trunk permit vlan 100
[SwitchB-GigabitEthernet1/0[...]
Page 83
i Table of Contents
1 IP Addressing Configuration 1-1
IP Addressing Overview [...]
Page 84
1-1 1 IP Addressing Configuration
The term IP address used throughout this chapter refers to IPv4 address. For details about IPv6 address, refer to IPv6 Management.
When configuring IP addressing, go to these sections for information you are interested in:
- IP Addressing Overview
- Configuring IP Addresses
- Displaying IP Addressing Configurati[...]
Page 85
1-2 Table 1-1 IP address classes and ranges
Class | Address range | Remarks
A | 0.0.0.0 to 127.255.255.255 | The IP address 0.0.0.0 is used by a host at bootstrap for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processe[...]
Page 86
1-3 subnetting. When designing your network, you should note that subnetting is somewhat a tradeoff between subnets and accommodated hosts. For example, a Class B network can accommodate 65,534 (2^16 – 2). Of the two deducted Class B addresses, one with an all-ones host ID is the broadcast address and the other with an all-zero host ID is[...]
Page 87
1-4
- A newly specified IP address overwrites the previous one if there is any.
- The IP address of a VLAN interface must not be on the same network segment as that of a loopback interface on a device.
Configuring Static Domain Name Resolution
Follow these steps to configure static domain name resolution:
To do… | Use the command… | Remarks
Ente[...]
Page 88
1-5 Network diagram
Figure 1-3 Network diagram for IP address configuration
Configuration procedure
# Configure an IP address for VLAN-interface 1.
<Switch> system-view
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 129.2.2.1 255.255.255.0
Static Domain Name Resolution Configuration Example
Network requirements
The s[...]
Page 89
1-6 round-trip min/avg/max = 2/3/5 ms[...]
Page 90
2-1 2 IP Performance Optimization Configuration
When optimizing IP performance, go to these sections for information you are interested in:
- IP Performance Overview
- Configuring IP Performance Optimization
- Displaying and Maintaining IP Performance Optimization Configuration
IP Performance Overview
Introduction to IP Performance Configuration [...]
Page 91
2-2
- synwait timer: When sending a SYN packet, TCP starts the synwait timer. If no response packet is received within the synwait timer interval, the TCP connection cannot be created.
- finwait timer: When a TCP connection is changed into FIN_WAIT_2 state, the finwait timer is started. If no FIN packet is received within the timer timeout, the TC[...]
Page 92
2-3
- If the destination of a packet is local while the transport layer protocol of the packet is not supported by the local device, the device sends a “protocol unreachable” ICMP error packet to the source.
- When receiving a packet with the destination being local and the transport layer protocol being UDP, if the packet’s port number doe[...]
Page 93
2-4 To do… | Use the command… | Remarks
Display ICMP traffic statistics | display icmp statistics |
Display the current socket information of the system | display ip socket [ socktype sock-type ] [ task-id socket-id ] |
Display the forwarding information base (FIB) entries | display fib |
Display the FIB entries matching the destination IP address | display fib [...]
Page 94
i Table of Contents
1 Voice VLAN Configuration 1-1
Voice VLAN Overview [...]
Page 95
1-1 1 Voice VLAN Configuration
When configuring voice VLAN, go to these sections for information you are interested in:
- Voice VLAN Overview
- Voice VLAN Configuration
- Displaying and Maintaining Voice VLAN
- Voice VLAN Configuration Example
Voice VLAN Overview
Voice VLANs are allocated specially for voice traffic. After creating a voice VL[...]
Page 96
1-2 Figure 1-1 Network diagram for IP phones
As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission. An IP phone goes through the following three phases to become capable of transmitting voice data.
1) After the IP phone is powered on, it sends an u[...]
Page 97
1-3
- An untagged packet carries no VLAN tag.
- A tagged packet carries the tag of a VLAN.
To set an IP address and a voice VLAN for an IP phone manually, just make sure that the voice VLAN ID to be set is consistent with that of the switch and that the NCP is reachable from the IP address to be set.
How Switch 4500 Series Switches Identify Vo[...]
Page 98
1-4 Configuring Voice VLAN Assignment Mode of a Port
A port can work in automatic voice VLAN assignment mode or manual voice VLAN assignment mode. You can configure the voice VLAN assignment mode for a port according to the data traffic passing through the port.
Processing mode of untagged packets sent by IP voice devices
- Automatic voice VLAN a[...]
Page 99
1-5 Table 1-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically
Voice VLAN assignment mode | Voice traffic type | Port type | Supported or not
Access: Not supported
Trunk: Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits t[...]
Page 100
1-6 Table 1-3 Matching relationship between port types and voice devices acquiring voice VLAN through manual configuration
Voice VLAN assignment mode | Port type | Supported or not
Access: Not supported
Trunk: Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of the default VLAN. A[...]
Page 101
1-7 Voice VLAN Mode | Packet Type | Processing Method
Packet carrying the voice VLAN tag | matches the OUI list, the packet is transmitted in the voice VLAN. Otherwise, the packet is dropped.
Packet carrying any other VLAN tag | The packet is forwarded or dropped based on whether the receiving port is assigned to the carried VLAN. The processing method is [...]
Page 102
1-8 To do… | Use the command… | Remarks
Set the voice VLAN aging timer | voice vlan aging minutes | Optional. The default aging timer is 1440 minutes.
Enable the voice VLAN function globally | voice vlan vlan-id enable | Required
Enter Ethernet port view | interface interface-type interface-number | Required
Enable the voice VLAN function on a port | voice vlan e[...]
Page 103
1-9 To do… | Use the command… | Remarks
Enable the voice VLAN security mode | voice vlan security enable | Optional. By default, the voice VLAN security mode is enabled.
Set the voice VLAN aging timer | voice vlan aging minutes | Optional. The default aging timer is 1,440 minutes.
Enable the voice VLAN function globally | voice vlan vlan-id enable | Required
En[...]
Page 104
1-10
- The voice VLAN function can be enabled for only one VLAN at one time.
- If the Link Aggregation Control Protocol (LACP) is enabled on a port, the voice VLAN feature cannot be enabled on it.
- The voice VLAN function can be enabled only for a static VLAN. A dynamic VLAN cannot be configured as a voice VLAN.
- When the ACL number applied to a port re[...]
Page 105
1-11 Voice VLAN Configuration Example
Voice VLAN Configuration Example (Automatic Voice VLAN Assignment Mode)
Network requirements
As shown in Figure 1-2, the MAC address of IP phone A is 0011-1100-0001. The phone connects to a downstream device named PC A whose MAC address is 0022-1100-0002 and to GigabitEthernet 1/0/1 on an upstream dev[...]
Page 106
1-12 # Configure the allowed OUI addresses as MAC addresses prefixed by 0011-1100-0000 or 0011-2200-0000. In this way, Device A identifies packets whose MAC addresses match any of the configured OUI addresses as voice packets.
[DeviceA] voice vlan mac-address 0011-1100-0001 mask ffff-ff00-0000 description IP phone A
[DeviceA] voice vlan [...]
Page 107
1-13 Voice VLAN Configuration Example (Manual Voice VLAN Assignment Mode)
Network requirements
Create a voice VLAN and configure it to operate in manual voice VLAN assignment mode. Add the port to which an IP phone is connected to the voice VLAN to enable voice traffic to be transmitted within the voice VLAN.
- Create VLAN 2 and configure it a[...]
Page 108
1-14 [DeviceA-Ethernet1/0/1] port hybrid pvid vlan 2
[DeviceA-Ethernet1/0/1] port hybrid vlan 2 untagged
# Enable the voice VLAN function on Ethernet 1/0/1.
[DeviceA-Ethernet1/0/1] voice vlan enable
Verification
# Display the OUI addresses, the corresponding OUI address masks and the corresponding description strings that the system supports.
[...]
Page 109
i Table of Contents
1 Port Basic Configuration 1-1
Ethernet Port Configuration [...]
Page 110
1-1 1 Port Basic Configuration
When performing basic port configuration, go to these sections for information you are interested in:
- Ethernet Port Configuration
- Ethernet Port Configuration Example
- Troubleshooting Ethernet Port Configuration
Ethernet Port Configuration
Combo Port Configuration
Introduction to Combo port
A Combo port can ope[...]
Page 111
1-2 To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Enable the Ethernet port | undo shutdown | Optional. By default, the port is enabled. Use the shutdown command to disable the port.
Set the description string for the Ethernet port | description text | Optional[...]
Page 112
1-3 Follow these steps to configure auto-negotiation speeds for a port:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet interface view | interface interface-type interface-number | —
Configure the available auto-negotiation speed(s) for the port | speed auto [ 10 | 100 | 1000 ]* | Optional
- By default, the port [...]
Page 113
1-4 To do... | Use the command... | Remarks
Limit unknown unicast traffic received on the current port | unicast-suppression { ratio | pps max-pps } | Optional. By default, the switch does not suppress unknown unicast traffic.
Enabling Flow Control on a Port
Flow control is enabled on both the local and peer switches. If congestion occurs on the local [...]
Page 114
1-5
- If you specify a source aggregation group ID, the system will use the port with the smallest port number in the aggregation group as the source.
- If you specify a destination aggregation group ID, the configuration of the source port will be copied to all ports in the aggregation group and all ports in the group will have the same configu[...]
Page 115
1-6
- To enable loopback detection on a specific port, you must use the loopback-detection enable command in both system view and the specific port view.
- After you use the undo loopback-detection enable command in system view, loopback detection will be disabled on all ports.
Enabling Loopback Test
You can configure the Ethernet port to run lo[...]
Page 116
1-7 To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Enable the system to test connected cables | virtual-cable-test | Required
Configuring the Interval to Perform Statistical Analysis on Port Traffic
By performing the following configuration, you can set the[...]
Page 117
1-8 The port state change delay takes effect when the port goes down but not when the port goes up.
Follow these steps to set the port state change delay:
To do … | Use the command … | Remarks
Enter system view | system-view | —
Enter Ethernet interface view | interface interface-type interface-number | —
Set the port state change delay | link-delay[...]
Page 118
1-9 To do... | Use the command... | Remarks
Clear port statistics | reset counters interface [ interface-type | interface-type interface-number ] | Available in user view. After 802.1x is enabled on a port, clearing the statistics on the port will not work.
Ethernet Port Configuration Example
Network requirements
- Switch A and Switch B are connected to[...]
Page 119
1-10 Troubleshooting Ethernet Port Configuration
Symptom: Fail to configure the default VLAN ID of an Ethernet port.
Solution: Take the following steps:
- Use the display interface or display port command to check if the port is a trunk port or a hybrid port.
- If the port is not a trunk or hybrid port, configure it to be a trunk or hybrid p[...]
Page 120
i Table of Contents
1 Link Aggregation Configuration 1-1
Overview [...]
Page 121
1-1 1 Link Aggregation Configuration
When configuring link aggregation, go to these sections for information you are interested in:
- Overview
- Link Aggregation Classification
- Aggregation Group Categories
- Link Aggregation Configuration
- Displaying and Maintaining Link Aggregation Configuration
- Link Aggregation Configuration Example
Over[...]
Page 122
1-2 Table 1-1 Consistency considerations for ports in an aggregation
Category | Considerations
STP | State of port-level STP (enabled or disabled); attribute of the link (point-to-point or otherwise) connected to the port; port path cost; STP priority; STP packet format; loop protection; root protection; port type (whether the port is an edge port)
QoS | Ra[...]
Page 123
1-3 In a manual aggregation group, the system sets the ports to selected or unselected state according to the following rules.
- Among the ports in an aggregation group that are in up state, the system determines the master port as the port with one of the following settings being the highest (in descending order): full duplex/high speed[...]
Page 124
1-4
- There is a limit on the number of selected ports in an aggregation group. Therefore, if the number of the selected ports in an aggregation group exceeds the maximum number supported by the device, those with lower port numbers operate as the selected ports, and the others as unselected ports.
Dynamic LACP Aggregation Group
Introduction to [...]
Page 125
1-5 Aggregation Group Categories
Depending on whether or not load sharing is implemented, aggregation groups can be load-sharing or non-load-sharing aggregation groups. When load sharing is implemented,
- For IP packets, the system will implement load sharing based on source IP address and destination IP address;
- For non-IP packets, the sy[...]
Page 126
1-6 Link Aggregation Configuration
- The commands of link aggregation cannot be configured together with the commands of the port loopback detection feature.
- The ports where the mac-address max-mac-count command is configured cannot be added to an aggregation group. Conversely, the mac-address max-mac-count command cannot be configured[...]
Page 127
1-7
- When you change a dynamic/static group to a manual group, the system will automatically disable LACP on the member ports. When you change a dynamic group to a static group, the system will keep the member ports LACP-enabled.
2) When a manual or static aggregation group contains only one port, you cannot remove the port unless you remo[...]
Page 128
1-8 You need to enable LACP on the ports which you want to participate in dynamic aggregation on the system, because only when LACP is enabled on those ports at both ends can the two parties reach agreement in adding/removing ports to/from dynamic aggregation groups. You cannot enable LACP on a port which is already in a manual aggregati[...]
Page 129
1-9 If you have saved the current configuration with the save command, after system reboot the configuration concerning manual and static aggregation groups and their descriptions still exists, but that of dynamic aggregation groups and their descriptions gets lost.
Displaying and Maintaining Link Aggregation Configuration
To do… | Use the com[...]
Page 130
1-10 Configuration procedure
The following only lists the configuration on Switch A; you must perform the similar configuration on Switch B to implement link aggregation.
1) Adopting manual aggregation mode
# Create manual aggregation group 1.
<Sysname> system-view
[Sysname] link-aggregation group 1 mode manual
# Add Ethernet 1/0/1 through E[...]
Page 131
1-11 [Sysname] interface Ethernet1/0/3
[Sysname-Ethernet1/0/3] lacp enable
The three LACP-enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration (such as rate, duplex mode, and so on).[...]
Page 132
i Table of Contents
1 Port Isolation Configuration 1-1
Port Isolation Overview [...]
Page 133
1-1 1 Port Isolation Configuration
When configuring port isolation, go to these sections for information you are interested in:
- Port Isolation Overview
- Port Isolation Configuration
- Displaying and Maintaining Port Isolation Configuration
- Port Isolation Configuration Example
Port Isolation Overview
The port isolation feature is used to se[...]
Page 134
1-2
- When a member port of an aggregation group joins/leaves an isolation group, the other ports in the same aggregation group will join/leave the isolation group at the same time.
- For ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggregation group has no effect on the other ports.[...]
Page 135
1-3 Network diagram
Figure 1-1 Network diagram for port isolation configuration
Configuration procedure
# Add Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 to the isolation group.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet1/0/2
[Sysname-Ethernet1/0/2] port isolate
[Sysname-Ethernet1/0/2][...]
Page 136
i Table of Contents
1 Port Security Configuration 1-1
Port Security Overview [...]
Page 137
1-1 1 Port Security Configuration
When configuring port security, go to these sections for information you are interested in:
- Port Security Overview
- Port Security Configuration Task List
- Displaying and Maintaining Port Security Configuration
- Port Security Configuration Examples
Port Security Overview
Introduction
Port security is a secur[...]
Page 138
1-2 Table 1-1 Description of port security modes
Security mode | Description | Feature
noRestriction | In this mode, access to the port is not restricted. | In this mode, neither the NTK nor the intrusion protection feature is triggered.
autolearn | In this mode, a port can learn a specified number of MAC addresses and save those addresses as security MAC [...]
Page 139
1-3 Security mode | Description | Feature
userlogin | In this mode, port-based 802.1x authentication is performed for access users. | In this mode, neither NTK nor intrusion protection will be triggered.
userLoginSecure | MAC-based 802.1x authentication is performed on the access user. The port is enabled only after the authentication succeeds. When the por[...]
Page 140
1-4 Security mode | Description | Feature
macAddressElseUserLoginSecure | In this mode, a port performs MAC authentication of an access user first. If the authentication succeeds, the user is authenticated. Otherwise, the port performs 802.1x authentication of the user. | In this mode, there can be only one 802.1x-authenticated user on the port, but the[...]
Page 141
1-5 Task | Remarks
Configuring Security MAC Addresses | Optional
Enabling Port Security
Configuration Prerequisites
Before enabling port security, you need to disable 802.1x and MAC authentication globally.
Enabling Port Security
Follow these steps to enable port security:
To do... | Use the command... | Remarks
Enter system view | system-view | —
E[...]
Page 142
1-6 This configuration is different from that of the maximum number of MAC addresses that can be learned by a port in MAC address management.
Follow these steps to set the maximum number of MAC addresses allowed on a port:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type in[...]
Page 143
1-7
- Before setting the port security mode to autolearn, you need to set the maximum number of MAC addresses allowed on the port with the port-security max-mac-count command.
- When the port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port.
- After you set the port security mode to autol[...]
Page 144
1-8 To do... | Use the command... | Remarks
Set the timer during which the port remains disabled | port-security timer disableport timer | Optional. 20 seconds by default.
The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port[...]
Page 145
1-9 Configuring Security MAC Addresses
Security MAC addresses are special MAC addresses that never age out. One security MAC address can be added to only one port in the same VLAN, so that you can bind a MAC address to one port in the same VLAN. Security MAC addresses can be learned by the autolearn function of port security or manually config[...]
Page 146
1-10 Displaying and Maintaining Port Security Configuration
To do... | Use the command... | Remarks
Display information about port security configuration | display port-security [ interface interface-list ] |
Display information about security MAC address configuration | display mac-address security [ interface interface-type interface-number ] [ vlan vlan[...]
Page 147
1-11 [Switch-Ethernet1/0/1] mac-address security 0001-0002-0003 vlan 1
# Configure the port to be silent for 30 seconds after intrusion protection is triggered.
[Switch-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily
[Switch-Ethernet1/0/1] quit
[Switch] port-security timer disableport 30[...]
Page 148
i Table of Contents
1 DLDP Configuration 1-1
Overview [...]
Page 149
1-1 1 DLDP Configuration
When configuring DLDP, go to these sections for information you are interested in:
- Overview
- DLDP Fundamentals
- DLDP Configuration
- DLDP Configuration Example
Overview
Device link detection protocol (DLDP) is a technology for dealing with unidirectional links that may occur in a network. If two switches, A and B,[...]
Page 150
1-2 Figure 1-2 Fiber broken or not connected (figure shows Device A and Device B, each with ports GE1/0/49 and GE1/0/50, and a PC)
Device link detection protocol (DLDP) can detect the link status of an optical fiber cable or copper twisted pair (such as super category 5 twisted pair). If DLDP finds a unidirectional link, it disables the related port automatically or prom[...]
Page 151
1-3 DLDP packet type | Function
RSY-Advertisement packets (referred to as RSY packets hereafter) | Advertisement packet with the RSY flag set to 1. RSY advertisement packets are sent to request synchronizing the neighbor information when neighbor information is not locally available or a neighbor information entry ages out.
Flush-Advertisement pac[...]
Page 152
1-4 DLDP Status
A link can be in one of these DLDP states: initial, inactive, active, advertisement, probe, disable, and delaydown.
Table 1-2 DLDP status
Status | Description
Initial | Initial status before DLDP is enabled.
Inactive | DLDP is enabled but the corresponding link is down.
Active | DLDP is enabled, and the link is up or a neighbor entry is[...]
Page 153
1-5 Timer | Description
Entry aging timer | When a new neighbor joins, a neighbor entry is created and the corresponding entry aging timer is enabled. When an advertisement packet is received from a neighbor, the neighbor entry is updated and the corresponding entry aging timer is updated. In the normal mode, if no packet is received from the neighb[...]
Page 154
1-6 Table 1-4 DLDP operating mode and neighbor entry aging
DLDP operating mode | Detecting a neighbor after the corresponding neighbor entry ages out | Removing the neighbor entry immediately after the Entry timer expires | Triggering the Enhanced timer after an Entry timer expires
Normal mode | No | Yes | No
Enhanced mode | Yes | No | Yes (When the enhanced timer e[...]
Page 155
1-7 Table 1-5 DLDP state and DLDP packet type
DLDP state | Type of the DLDP packets sent
Active | Advertisement packets, with the RSY flag set or not set.
Advertisement | Advertisement packets
Probe | Probe packets
2) A DLDP packet received is processed as follows:
- In authentication mode, the DLDP packet is authenticated and is then dropped if it fail[...]
Page 156
1-8 Table 1-7 Processing procedure when no echo packet is received from the neighbor
No echo packet received from the neighbor | Processing procedure
In normal mode, no echo packet is received when the echo waiting timer expires. In enhanced mode, no echo packet is received when the enhanced timer expires. | DLDP switches to the disable state, outp[...]
Page 157
1-9 DLDP Configuration
Performing Basic DLDP Configuration
Follow these steps to perform basic DLDP configuration:
To do … | Use the command … | Remarks
Enter system view | system-view | —
Enable DLDP on all optical ports of the switch | dldp enable
Enter Ethernet port view | interface interface-type interface-number
Enable DLDP | Enable DLDP on the cur[...]
Page 158
1-10
- When connecting two DLDP-enabled devices, make sure the software running on them is of the same version. Otherwise, DLDP may operate improperly.
- When you use the dldp enable/dldp disable command in system view to enable/disable DLDP on all optical ports of the switch, the configuration takes effect on the existing optical ports, inst[...]
Page 159
1-11 DLDP Configuration Example
Network requirements
As shown in Figure 1-4,
- Switch A and Switch B are connected through two pairs of fibers. Both of them support DLDP. All the ports involved operate in mandatory full duplex mode, with their rates all being 1,000 Mbps.
- Suppose the fibers between Switch A and Switch B are cross-connected. DL[...]
Page 160
1-12 # Set the DLDP handling mode for unidirectional links to auto.
[SwitchA] dldp unidirectional-shutdown auto
# Display the DLDP state.
[SwitchA] display dldp 1
When two switches are connected through fibers in a crossed way, two or three ports may be in the disable state, and the rest in the inactive state. When a fiber is connected to a dev[...]
Page 161
i Table of Contents
1 MAC Address Table Management 1-1
Overview [...]
Page 162
1-1 1 MAC Address Table Management
When configuring MAC address table management functions, go to these sections for information you are interested in:
- Overview
- MAC Address Table Management
- Displaying MAC Address Table Information
- Configuration Example
This chapter describes the management of static, dynamic, and blackhole MAC address entries. For [...]
Page 163
1-2 Generally, the majority of MAC address entries are created and maintained through MAC address learning. The following describes the MAC address learning process of a switch:
1) As shown in Figure 1-1, User A and User B are both in VLAN 1. When User A communicates with User B, the packet from User A comes into the switch on GigabitEthe[...]
Page 164
1-3 Figure 1-4 MAC address learning diagram (3)
4) At this time, the MAC address table of the switch includes the two forwarding entries shown in Figure 1-5. When forwarding the response packet from User B to User A, the switch sends the response to User A through GigabitEthernet 1/0/1 (technically called unicast), because MAC-A is already in the[...]
Page 165
1-4
- The MAC address aging timer only takes effect on dynamic MAC address entries.
- With the “destination MAC address triggered update function” enabled, when a switch finds a packet with a destination address matching one MAC address entry within the aging time, it updates the entry and restarts the aging timer.
Entries in a MAC addr[...]
Page 166
1-5 Task | Remarks
Enabling Destination MAC Address Triggered Update | Optional
Configuring a MAC Address Entry
You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove a specific type of MAC address entries (dynamic or static MAC address entries).
Adding a MAC address entry in syste[...]
Page 167
1-6
- When you add a MAC address entry, the current port must belong to the VLAN specified by the vlan argument in the command. Otherwise, the entry will not be added.
- If the VLAN specified by the vlan argument is a dynamic VLAN, after a static MAC address is added, it will become a static VLAN.
Setting the MAC Address Aging Timer
Setting an a[...]
Page 168
1-7 By setting the maximum number of MAC addresses that can be learned from individual ports, the administrator can control the number of MAC address entries the MAC address table can dynamically maintain. When the number of MAC address entries learnt from a port reaches the set value, the port stops learning MAC addresses.
Follow t[...]
Page 169
1-8 To do… | Use the command… | Remarks
Display the aging time of the dynamic MAC address entries in the MAC address table | display mac-address aging-time |
Display the configured start port MAC address | display port-mac |
Configuration Examples
Adding a Static MAC Address Entry Manually
Network requirements
The server connects to the switch through G[...]
Page 170
i Table of Contents
1 Auto Detect Configuration 1-1
Introduction to the Auto Detect Function [...]
Page 171
1-1 1 Auto Detect Configuration
When configuring the auto detect function, go to these sections for information you are interested in:
- Introduction to the Auto Detect Function
- Auto Detect Configuration
- Auto Detect Configuration Examples
Introduction to the Auto Detect Function
The Auto Detect function uses Internet Control Message Protocol [...]
Page 172
1-2 Task | Remarks
Auto Detect Implementation in VLAN Interface Backup | Optional
Auto Detect Basic Configuration
Follow these steps to configure the auto detect function:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a detected group and enter detected group view | detect-group group-number | Required
Add an IP address [...]
Page 173
1-3 T o avoid such problems, you can config ure another route to back up the st atic route and use the Auto Detect function to judge the validity of the st atic rout e. If the static route is valid, packet s are forwarded according to the st atic route, and the ot her route is st andby . If the st atic route is invalid, p ackets a re forwarded acco[...]
-
Seite 174
1-4 Figure 1-1 Schematic diagram for VLAN interface backup Using Auto Detect can help implement VLAN interf a ces backup. When dat a can be transmitted through two VLAN interfaces on the switch to the sam e desti nation, configure one of the VLAN inte rface as the active interface and the other as the st andby interf ace. The st andby interface is [...]
-
Seite 175
1-5 z On switch A, configure a static route to Switch C. z Enable the static route wh en the detected group 8 i s reachable . z To ensure normal operating of the auto detect func tion, configure a static route to Switch A on Switch C. Network diagram Figure 1-2 Network diagram for implementing the a u to detect function in static route Configuratio[...]
-
Seite 176
1-6 Network diagram Figure 1-3 Network diagram for VLAN interface backup Configuration procedure Configure the IP addresses of all the interfaces as shown in Figure 1-3 . The confi guration procedure is omitted. # Enter system view . <SwitchA> system-view # Create auto detected group 10. [SwitchA] detect-group 10 # Add the IP address of 10 .1[...]
-
Seite 177
i Table of Contents 1 MSTP Configuration ... 1-1 Overview [...]
- Page 178
ii Configuring Digest Snooping ... 1-39 Configuring Rapid Transition [...]
- Page 179
1-1 1 MSTP Configuration Go to these sections for information you are interested in: • Overview • MSTP Configuration Task List • Configuring Root Bridge • Configuring Leaf Nodes • Performing mCheck Operation • Configuring Guard Functions • Configuring Digest Snooping • Configuring Rapid Transition • MSTP Maintenance Configuration • Enabling Trap[...]
- Page 180
1-2 In STP, BPDUs come in two types: • Configuration BPDUs, used to calculate spanning trees and maintain the spanning tree topology. • Topology change notification (TCN) BPDUs, used to notify concerned devices of network topology changes, if any. Basic concepts in STP 1) Root bridge A tree network must have a root; hence the concept of root br[...]
- Page 181
1-3 Figure 1-1 A schematic diagram of designated bridges and designated ports All the ports on the root bridge are designated ports. 4) Bridge ID A bridge ID consists of eight bytes, where the first two bytes represent the bridge priority of the device, and the latter six bytes represent the MAC address of the device. The default bridge prio[...]
- Page 182
1-4 6) Port ID A port ID used on a 3Com Switch 4500 consists of two bytes, that is, 16 bits, where the first six bits represent the port priority, and the latter ten bits represent the port number. The default priority of all Ethernet ports on 3Com Switches 4500 is 128. You can use commands to configure port priorities. For details, see Confi[...]
- Page 183
1-5 Table 1-2 Selection of the optimum configuration BPDU Step Description 1 Upon receiving a configuration BPDU on a port, the device performs the following processing: • If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device will discard the received configuration BPDU with[...]
- Page 184
1-6 Step Description 3 The device compares the calculated configuration BPDU with the configuration BPDU on the port whose role is to be determined, and acts as follows based on the comparison result: • If the calculated configuration BPDU is superior, this port will serve as the designated port, and the configuration BPDU on the port will be [...]
- Page 185
1-7 Device Port name BPDU of port BP1 {1, 0, 1, BP1} Device B BP2 {1, 0, 1, BP2} CP1 {2, 0, 2, CP1} Device C CP2 {2, 0, 2, CP2} • Comparison process and result on each device The following table shows the comparison process and result on each device. Table 1-5 Comparison process and result on each device Device Comparison process BPDU of port[...]
- Page 186
1-8 Device Comparison process BPDU of port after comparison • Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1. • Port CP2 receives the configuration BPDU of[...]
- Page 187
1-9 Figure 1-3 The final calculated spanning tree To facilitate description, the spanning tree calculation process in this example is simplified, while the actual process is more complicated. 3) The BPDU forwarding mechanism in STP • Upon network initiation, every switch regards itself as the root bridge, generates configuration BPDUs with itse[...]
- Page 188
1-10 For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and the designated ports must go through a period, which is twice the forward delay time, before they transit to the forwarding state. The period allows the new configuration BPDUs to be propagated throughout the entire network. • Hello[...]
- Page 189
1-11 • MSTP supports mapping VLANs to Multiple Spanning Tree (MST) instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP introduces instances (which integrate multiple VLANs into a set) and can bind multiple VLANs to an instance, thus saving communication overhead and improving resource utilization. • MSTP divides a switched[...]
- Page 190
1-12 2) MSTI A multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region. Multiple spanning trees can be established in one MST region. These spanning trees are independent of each other. For example, each region in Figure 1-4 contains multiple spanning trees known as MSTIs. Each of these spanning trees correspon[...]
- Page 191
1-13 • A region boundary port is located on the boundary of an MST region and is used to connect one MST region to another MST region, an STP-enabled region or an RSTP-enabled region. • An alternate port is a secondary port of a root port or master port and is used for rapid transition. With the root port or master port being blocked, the alt[...]
- Page 192
1-14 • Forwarding state. Ports in this state can forward user packets and receive/send BPDU packets. • Learning state. Ports in this state can receive/send BPDU packets but do not forward user packets. • Discarding state. Ports in this state can only receive BPDU packets. Port roles and port states are not mutually dependent. Table 1-6 l[...]
- Page 193
1-15 In addition to the basic MSTP functions, 3Com Switch 4500 also provides the following functions for users to manage their switches. • Root bridge hold • Root bridge backup • Root guard • BPDU guard • Loop guard • TC-BPDU attack guard Protocols and Standards MSTP is documented in: • IEEE 802.1D: spanning tree protocol • IEEE 802.1w: rapid [...]
- Page 194
1-16 Task Remarks Configuring the Maximum Transmitting Rate on the Current Port Optional The default value is recommended. Configuring the Current Port as an Edge Port Optional Setting the Link Type of a Port to P2P Optional Enabling MSTP Required To prevent network topology jitter caused by other related configurations, you are recommended to en[...]
- Page 195
1-17 To do... Use the command... Remarks Configure the name of the MST region region-name name Required The default MST region name of a switch is its MAC address. instance instance-id vlan vlan-list Configure the VLAN-to-instance mapping table for the MST region vlan-mapping modulo modulo Required Both commands can be used to configure VLAN-to-i[...]
- Page 196
1-18 Configuration example # Configure an MST region named info, the MSTP revision level being level 1, VLAN 2 through VLAN 10 being mapped to MSTI 1, and VLAN 20 through VLAN 30 being mapped to MSTI 2. <Sysname> system-view [Sysname] stp region-configuration [Sysname-mst-region] region-name info [Sysname-mst-region] instance 1 vlan 2 to 10[...]
- Page 197
1-19 Using the stp root primary / stp root secondary command, you can specify the current switch as the root bridge or the secondary root bridge of the MSTI identified by the instance-id argument. If the value of the instance-id argument is set to 0, the stp root primary / stp root secondary command specifies the current switch as the root bridge [...]
- Page 198
1-20 To do... Use the command... Remarks Set the bridge priority for the current switch stp [ instance instance-id ] priority priority Required The default bridge priority of a switch is 32,768. • Once you specify a switch as the root bridge or a secondary root bridge by using the stp root primary or stp root secondary command, the bridge prio[...]
- Page 199
1-21 To do... Use the command... Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Configure how a port recognizes and sends MSTP packets stp compliance { auto | dot1s | legacy } Required By default, a port recognizes and sends MSTP packets in the automatic mode. That is, it determi[...]
- Page 200
1-22 <Sysname> system-view [Sysname] stp mode stp Configuring the Maximum Hop Count of an MST Region The maximum hop count configured on the region root is also the maximum hops of the MST region. The value of the maximum hop count limits the size of the MST region. A configuration BPDU contains a field that maintains the remaining hops[...]
- Page 201
1-23 To do... Use the command... Remarks Enter system view system-view — Configure the network diameter of the switched network stp bridge-diameter bridgenumber Required The default network diameter of a network is 7. The network diameter parameter indicates the size of a network. The bigger the network diameter is, the larger the network s[...]
- Page 202
1-24 • The forward delay parameter and the network diameter are correlated. Normally, a large network diameter corresponds to a large forward delay. A too small forward delay parameter may result in temporary redundant paths. And a too large forward delay parameter may cause a network unable to resume the normal state in time after change [...]
- Page 203
1-25 Configuration procedure Follow these steps to configure the timeout time factor: To do... Use the command... Remarks Enter system view system-view — Configure the timeout time factor for the switch stp timer-factor number Required The timeout time factor defaults to 3. For a steady network, the timeout time can be five to seven times of [...]
- Page 204
1-26 As the maximum transmitting rate parameter determines the number of the configuration BPDUs transmitted in each hello time, set it to a proper value to prevent MSTP from occupying too many network resources. The default value is recommended. Configuration example # Set the maximum transmitting rate of Ethernet 1/0/1 to 15. 1) Configure the ma[...]
- Page 205
1-27 You are recommended to configure the Ethernet ports connected directly to terminals as edge ports and enable the BPDU guard function at the same time. This not only enables these ports to turn to the forwarding state rapidly but also secures your network. Configuration example # Configure Ethernet 1/0/1 as an edge port. 1) Configure Ethern[...]
- Page 206
1-28 To do... Use the command... Remarks Specify whether the link connected to a port is a point-to-point link stp point-to-point { force-true | force-false | auto } Required The auto keyword is adopted by default. • If you configure the link connected to a port in an aggregation group as a point-to-point link, the configuration will be synchron[...]
- Page 207
1-29 To do... Use the command... Remarks Enter system view system-view — Enable MSTP stp enable Required MSTP is enabled globally by default. Enter Ethernet port view interface interface-type interface-number — Disable MSTP on the port stp disable Optional By default, MSTP is enabled on all ports. To enable a switch to operate more flexibly, [...]
- Page 208
1-30 Configuring the Path Cost for a Port The path cost parameter reflects the rate of the link connected to the port. For a port on an MSTP-enabled switch, the path cost may be different in different MSTIs. You can enable flows of different VLANs to travel along different physical links by configuring appropriate path costs on ports, so[...]
- Page 209
1-31 When calculating the path cost of an aggregated link, the 802.1D-1998 standard does not take the number of the ports on the aggregated link into account, whereas the 802.1T standard does. The following formula is used to calculate the path cost of an aggregated link: Path cost = 200,000,000 / link transmission rate Where, “link tran[...]
- Page 210
1-32 [Sysname] undo stp interface Ethernet 1/0/1 instance 1 cost [Sysname] stp pathcost-standard dot1d-1998 2) Perform this configuration in Ethernet port view <Sysname> system-view [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] undo stp instance 1 cost [Sysname-Ethernet1/0/1] quit [Sysname] stp pathcost-standard dot1d-1998 Config[...]
- Page 211
1-33 1) Perform this configuration in system view <Sysname> system-view [Sysname] stp interface Ethernet 1/0/1 instance 1 port priority 16 2) Perform this configuration in Ethernet port view <Sysname> system-view [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp instance 1 port priority 16 Setting the Link Type of a Port to[...]
- Page 212
1-34 To do... Use the command... Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Perform the mCheck operation stp mcheck Required Configuration Example # Perform the mCheck operation on Ethernet 1/0/1. 1) Perform this configuration in system view <Sysname> system-view [Sysname[...]
- Page 213
1-35 To do... Use the command... Remarks Enter system view system-view — Enable the BPDU guard function stp bpdu-protection Required The BPDU guard function is disabled by default. Configuration example # Enable the BPDU guard function. <Sysname> system-view [Sysname] stp bpdu-protection As Gigabit ports of a 3Com Switch 4500 cannot be sh[...]
- Page 214
1-36 Configuration procedure Follow these steps to configure the root guard function in system view: To do... Use the command... Remarks Enter system view system-view — Enable the root guard function on specified ports stp interface interface-list root-protection Required The root guard function is disabled by default. Follow these steps to [...]
- Page 215
1-37 • You are recommended to enable loop guard on the root port and alternate port of a non-root bridge. • Loop guard, root guard, and edge port settings are mutually exclusive. With one of these functions enabled on a port, neither of the other two functions can take effect even if you have configured it on the port. Configuration Prerequisi[...]
- Page 216
1-38 maximum times for a switch to remove the MAC address table and ARP entries to 100 and the switch receives 200 TC-BPDUs in the period, the switch removes the MAC address table and ARP entries only 100 times within the period. Configuration prerequisites MSTP runs normally on the switch. Configuration procedure Follow these steps to co[...]
- Page 217
1-39 switch, and put them in the BPDUs to be sent to the other manufacturer's switch. In this way, the Switch 4500 can communicate with another manufacturer's switches in the same MST region. The digest snooping function is not applicable to edge ports. Configuring Digest Snooping Configure the digest snooping feature on a switch to[...]
- Page 218
1-40 • When the digest snooping feature is enabled on a port, the port state turns to the discarding state. That is, the port will not send BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port. • The digest snooping feature is needed only when your switch is connected to another manufac[...]
- Page 219
1-41 Figure 1-6 The RSTP rapid transition mechanism (figure labels: downstream switch, upstream switch, root port, designated port; the upstream designated port sends a Proposal for rapid transition; the downstream root port blocks other non-edge ports, changes to forwarding state and sends an Agreement to the upstream device; the designated port then changes to forwarding state) Figure 1-7 The MSTP rapid transition [...]
- Page 220
1-42 Configuring Rapid Transition Configuration prerequisites As shown in Figure 1-8, a 3Com Switch 4500 is connected to another manufacturer's switch. The former operates as the downstream switch, and the latter operates as the upstream switch. The network operates normally. The upstream switch is running a proprietary spanning tree [...]
- Page 221
1-43 • The rapid transition feature can be enabled on only root ports or alternate ports. • If you configure the rapid transition feature on a designated port, the feature does not take effect on the port. MSTP Maintenance Configuration Introduction In a large-scale network with MSTP enabled, there may be many MSTP instances, and so the status o[...]
- Page 222
1-44 Configuration procedure Follow these steps to enable trap messages conforming to the 802.1d standard: To do... Use the command... Remarks Enter system view system-view — Enable trap messages conforming to the 802.1d standard in an instance stp [ instance instance-id ] dot1d-trap [ newroot | topologychange ] enable Required Configuration exampl[...]
- Page 223
1-45 Network diagram Figure 1-9 Network diagram for MSTP configuration The word “permit” shown in Figure 1-9 means the corresponding link permits packets of specific VLANs. Configuration procedure 1) Configure Switch A # Enter MST region view. <Sysname> system-view [Sysname] stp region-configuration # Configure the region name, VLAN-[...]
- Page 224
1-46 # Activate the settings of the MST region manually. [Sysname-mst-region] active region-configuration # Specify Switch B as the root bridge of MSTI 3. [Sysname] stp instance 3 root primary 3) Configure Switch C. # Enter MST region view. <Sysname> system-view [Sysname] stp region-configuration # Configure the MST region. [Sysname-mst-[...]
- Page 225
i Table of Contents 1 IP Routing Protocol Overview ... 1-1 Introduction to IP Route and Routing Table [...]
- Page 226
ii Filters ... 4-1 IP Route Policy Configuration Task List [...]
- Page 227
1-1 1 IP Routing Protocol Overview Go to these sections for information you are interested in: • Introduction to IP Route and Routing Table • Routing Protocol Overview • Displaying and Maintaining a Routing Table Introduction to IP Route and Routing Table IP Route Routers are used for route selection on the Internet. As a router receives a pac[...]
- Page 228
1-2 • Preference: There may be multiple routes with different next hops to the same destination. These routes may be discovered by different routing protocols, or be manually configured static routes. The one with the highest preference (the smallest numerical value) will be selected as the current optimal route. According to different destinat[...]
- Page 229
1-3 Routing Protocol Overview Static Routing and Dynamic Routing Static routing is easy to configure and requires fewer system resources. It works well in small, stable networks with simple topologies. It cannot adapt itself to any network topology change automatically, so you must perform routing configuration again whenever the netwo[...]
- Page 230
1-4 each routing protocol (including static routes) is assigned a priority. The route found by the routing protocol with the highest priority is preferred. The following table lists some routing protocols and the default priorities for routes found by them: Table 1-1 Routing protocols and priorities of their default route Routing approach Pri[...]
- Page 231
1-5 routing information. Each routing protocol shares routing information discovered by other routing protocols through a route redistribution mechanism. Displaying and Maintaining a Routing Table To do… Use the command… Remarks Display brief information about a routing table display ip routing-table [ | { begin | exclude | include } regula[...]
- Page 232
2-1 2 Static Route Configuration When configuring a static route, go to these sections for information you are interested in: • Introduction to Static Route • Static Route Configuration • Displaying and Maintaining Static Routes • Static Route Configuration Example • Troubleshooting a Static Route The term router in this chapter refers to a route[...]
- Page 233
2-2 Default Route To avoid too large a routing table, you can configure a default route. When the destination address of a packet fails to match any entry in the routing table, • If there is a default route in the routing table, the default route will be selected to forward the packet. • If there is no default route, the packet will be discarded[...]
- Page 234
2-3 To do... Use the command... Remarks Display the brief information of a routing table display ip routing-table Display the detailed information of a routing table display ip routing-table verbose Display the information of static routes display ip routing-table protocol static [ inactive | verbose ] Delete all static routes delete static-routes[...]
- Page 235
2-4 1) Perform the following configurations on the switch. # Approach 1: Configure static routes on Switch A. <SwitchA> system-view [SwitchA] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2 [SwitchA] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2 [SwitchA] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2 # Approach 2: Configure a static route o[...]
- Page 236
3-1 3 RIP Configuration When configuring RIP, go to these sections for information you are interested in: • RIP Overview • RIP Configuration Task List • RIP Configuration Example • Troubleshooting RIP Configuration The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol. RIP Overvi[...]
- Page 237
3-2 • Interface: Outbound interface on this router, through which IP packets should be forwarded to reach the destination. • Metric: Cost from the local router to the destination. • Route time: Time elapsed since the routing entry was last updated. The time is reset to 0 every time the routing entry is updated. RIP timers As defined in RFC 105[...]
- Page 238
3-3 Task Remarks Enabling RIP on the interfaces attached to a specified network segment Required Setting the RIP operating status on an interface Optional Configuring Basic RIP Functions Specifying the RIP version on an interface Optional Setting the additional routing metrics of an interface Optional Configuring RIP route summarization Optional[...]
- Page 239
3-4 • Related RIP commands configured in interface view can take effect only after RIP is enabled. • RIP operates on the interfaces attached to a specified network segment. When RIP is disabled on an interface, it does not operate on the interface, that is, it neither receives/sends routes on the interface, nor forwards any interface route. The[...]
- Page 240
3-5 • Set the preference of RIP to change the preference order of routing protocols. This order makes sense when more than one route to the same destination is discovered by multiple routing protocols. • Redistribute external routes in an environment with multiple routing protocols. Configuration Prerequisites Before configuring RIP route co[...]
- Page 241
3-6 Follow these steps to configure RIP route summarization: To do... Use the command... Remarks Enter system view system-view — Enter RIP view rip — Enable RIP-2 automatic route summarization summary Required Enabled by default Disabling the router from receiving host routes In some special cases, the router can receive a lot of host rou[...]
- Page 242
3-7 • The filter-policy import command filters the RIP routes received from neighbors, and the routes being filtered out will neither be added to the routing table nor be advertised to any neighbors. • The filter-policy export command filters all the routes to be advertised, including the routes redistributed with the import-route command an[...]
- Page 243
3-8 RIP Network Adjustment and Optimization In some special network environments, some RIP features need to be configured and RIP network performance needs to be adjusted and optimized. By performing the configuration mentioned in this section, the following can be implemented: • Changing the convergence speed of the RIP network by adjusting RI[...]
- Page 244
3-9 Split horizon cannot be disabled on a point-to-point link. Configuring RIP-1 packet zero field check Follow these steps to configure RIP-1 packet zero field check: To do... Use the command... Remarks Enter system view system-view — Enter RIP view rip — Enable the check of the must-be-zero field in RIP-1 packets checkzero Required Enab[...]
- Page 245
3-10 Configuring RIP to unicast RIP packets Follow these steps to configure RIP to unicast RIP packets: To do... Use the command... Remarks Enter system view system-view — Enter RIP view rip — Configure RIP to unicast RIP packets peer ip-address Required When RIP runs on a link that does not support broadcast or multicast, you must conf[...]
- Page 246
3-11 Switch C Vlan-int1 110.11.2.3/24 Vlan-int4 117.102.0.1/16 Configuration procedure Only the configuration related to RIP is listed below. Before the following configuration, make sure the Ethernet link layer works normally and the IP addresses of VLAN interfaces are configured correctly. 1) Configure Switch A: # Configure RIP. <SwitchA&[...]
- Page 247
4-1 4 IP Route Policy Configuration When configuring an IP route policy, go to these sections for information you are interested in: • IP Route Policy Overview • IP Route Policy Configuration Task List • Displaying IP Route Policy • IP Route Policy Configuration Example • Troubleshooting IP Route Policy The term router in this chapter refers to a[...]
- Page 248
4-2 For ACL configuration, refer to the part discussing ACL. IP-prefix list IP-prefix list plays a role similar to ACL. But it is more flexible than ACL and easier to understand. When IP-prefix list is applied to filter routing information, its matching object is the destination address field in routing information. Moreover, with IP-prefix li[...]
- Page 249
4-3 • if-match clause: Defines matching rules; that is, the filtering conditions that the routing information should satisfy for passing the current route policy. The matching objects are some attributes of the routing information. • apply clause: Specifies actions, which are the configuration commands executed after a route satisfies the filter[...]
- Page 250
4-4 To do... Use the command... Remarks Enter system view system-view — Enter the route-policy view route-policy route-policy-name { permit | deny } node node-number Required Define a rule to match the IP address of routing information if-match { acl acl-number | ip-prefix ip-prefix-name } Optional By default, no matching is performed on the a[...]
- Page 251
4-5 IP-Prefix Configuration IP-prefix plays a role similar to ACL but is more flexible and easier to understand. When IP-prefix is applied to filtering routing information, its matching object is the destination address information field of routing information. Configuration Prerequisites Before configuring a filter list, prepare the follo[...]
- Page 252
4-6 IP Route Policy Configuration Example Controlling RIP Packet Cost to Implement Dynamic Route Backup Network requirements The required speed of convergence in the small network of a company is not high. The network provides two services. Main and backup links are provided for each service for the purpose of reliability. The main link of on[...]
- Page 253
4-7 • For the OA server, the main link is between Switch A and Switch C, while the backup link is between Switch B and Switch C. • For the service server, the main link is between Switch B and Switch C, while the backup link is between Switch A and Switch C. • Apply a route policy to control the cost of routes received by Switch C to provide [...]
- Page 254
4-8 [SwitchC-route-policy] if-match interface Vlan-interface2 [SwitchC-route-policy] if-match ip-prefix 2 [SwitchC-route-policy] apply cost 6 [SwitchC-route-policy] quit # Create node 30 with the matching mode being permit in the route policy. Define if-match clauses. Apply the cost 6 to routes matching the outgoing interface VLAN-interface 6 an[...]
- Page 255
4-9 2) Display data forwarding paths when the main link of the OA server between Switch A and Switch C is down. <SwitchC> display ip routing-table Routing Table: public net Destination/Mask Protocol Pre Cost Nexthop Interface 1.0.0.0/8 RIP 100 6 6.6.6.5 Vlan-interface2 3.0.0.0/8 RIP 100 5 6.6.6.5 Vlan-interface6 6.0.0.0/8 DIRECT 0 0 6.6.6.6 [...]
- Page 256
i Table of Contents 1 Multicast Overview ... 1-1 Multicast Overview [...]
- Page 257
ii Configuring IGMP Snooping ... 1-17 Configuring Multicast VLAN [...]
- Page 258
1-1 1 Multicast Overview In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol. Multicast Overview With the development of the Internet, more and more interactive services such as data, voice, and video services are running on the network. In addition, highly b[...]
- Page 259
1-2 Assume that Hosts B, D and E need this information. The source server establishes transmission channels for the devices of these users respectively. As the transmitted traffic over the network is in direct proportion to the number of users that receive this information, when a large number of users need the same information, the server[...]
- Page 260
1-3 Information Transmission in the Multicast Mode As described in the previous sections, unicast is suitable for networks with sparsely distributed users, whereas broadcast is suitable for networks with densely distributed users. When the number of users requiring information is not certain, unicast and broadcast are not efficient. Multicast [...]
- Page 261
1-4 • All receivers interested in the same information form a multicast group. Multicast groups are not subject to geographic restrictions. • A router that supports Layer 3 multicast is called a multicast router or Layer 3 multicast device. In addition to providing multicast routing, a multicast router can also manage multicast group members. Fo[...]
- Page 262
1-5 z Distributive application: Multicast make s multiple-poi nt application possible. Application of multicast The multicast technology ef fectively addresses the is sue of point-to-multipoint dat a transmission. By enabling high-ef ficiency po int-to-multipoint dat a tran smission, over an IP network, multicast greatly saves network bandwid th an[...]
Page 263

1-6 Multicast Architecture The purpose of IP multicast is to transmit information from a multicast source to receivers in the multicast mode and to satisfy information requirements of receivers. You should be concerned about: • Host registration: What receivers reside on the network? • Technologies of discovering a multicast source: Which mu[...]
Page 264

1-7 • The membership of a group is dynamic. A host can join and leave a multicast group at any time. • A multicast group can be either permanent or temporary. • A multicast group whose addresses are assigned by IANA is a permanent multicast group. It is also called a reserved multicast group. Note that: • The IP addresses of a permanent multicas[...]
Page 265

1-8

| Class D address range | Description |
|---|---|
| 224.0.0.13 | All Protocol Independent Multicast (PIM) routers |
| 224.0.0.14 | Resource Reservation Protocol (RSVP) encapsulation |
| 224.0.0.15 | All core-based tree (CBT) routers |
| 224.0.0.16 | The specified subnetwork bandwidth management (SBM) |
| 224.0.0.17 | All SBMs |
| 224.0.0.18 | Virtual Router Redundancy Protocol (VRRP) |
| 224.0.[...] | |
Page 266

1-9 Multicast Protocols • Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols, which include IGMP, PIM, and MSDP; we refer to IP multicast working at the data link layer as Layer 2 multicast and the corresponding multicast protocols as[...]
Page 267

1-10 Among a variety of mature intra-domain multicast routing protocols, Protocol Independent Multicast (PIM) is a popular one. Based on the forwarding mechanism, PIM comes in two modes – dense mode (often referred to as PIM-DM) and sparse mode (often referred to as PIM-SM). • An inter-domain multicast routing protocol is used for delivery [...]
Page 268

1-11 • In the network, multicast packet transmission is based on the guidance of the multicast forwarding table derived from the unicast routing table or the multicast routing table specially provided for multicast. • To process the same multicast information from different peers received on different interfaces of the same device, every multic[...]
Page 269

1-12 considers the path along which the packet from the RPF neighbor arrived on the RPF interface to be the shortest path that leads back to the source. Assume that unicast routes exist in the network, as shown in Figure 1-7. Multicast packets travel along the SPT from the multicast source to the receivers. Figure 1-7 RPF check process Sourc[...]
Page 270

1-1 2 Common Multicast Configuration In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol. Common Multicast Configuration Table 2-1 Complete the following tasks to perform common multicast configurations: Task Remarks Configuring Suppression on the Multicast S[...]
Page 271

1-2

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Configure multicast source port suppression | multicast-source-deny | Optional. Multicast source port suppression is disabled by default. |

Configuring a Multicast MAC Address Entry In Layer 2 multicast, th[...]
Page 272

1-3 • If the multicast MAC address entry to be created already exists, the system gives you a prompt. • If you want to add a port to a multicast MAC address entry created through the mac-address multicast command, you need to remove the entry first, create this entry again, and then add the specified port to the forwarding ports of this entry. [...]
Page 273

1-1 3 IGMP Snooping Configuration When configuring IGMP snooping, go to these sections for information you are interested in: • IGMP Snooping Overview • Configuring IGMP Snooping • Displaying and Maintaining IGMP Snooping • IGMP Snooping Configuration Examples • Troubleshooting IGMP Snooping In this manual, the term “router” refers to a route[...]
Page 274

1-2 Figure 3-1 Before and after IGMP Snooping is enabled on Layer 2 device (panels: “Multicast packet transmission without IGMP Snooping” and “Multicast packet transmission when IGMP Snooping runs”; labels: Source, Multicast router, Layer 2 switch, Host A (Receiver), Host B, Host C (Receiver), Multicast packets) [...]
Page 275

1-3 member ports. The switch records all member ports on the local device in the IGMP Snooping forwarding table. Port aging timers in IGMP Snooping and related messages and actions Table 3-1 Port aging timers in IGMP Snooping and related messages and actions Timer Description Message before expiry Action after expiry Router port aging timer For[...]
Page 276

1-4 A switch will not forward an IGMP report through a non-router port for the following reason: Due to the IGMP report suppression mechanism, if member hosts of that multicast group still exist under non-router ports, the hosts will stop sending reports when they receive the message, and this prevents the switch from knowing if members of[...]
Page 277

1-5 Configuring IGMP Snooping Complete the following tasks to configure IGMP Snooping:

| Task | Remarks |
|---|---|
| Enabling IGMP Snooping | Required |
| Configuring the Version of IGMP Snooping | Optional |
| Configuring Timers | Optional |
| Configuring Fast Leave Processing | Optional |
| Configuring a Multicast Group Filter | Optional |
| Configuring the Maximum Number of Multicast Gro[...] | |
Page 278

1-6 • Although both Layer 2 and Layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously on a VLAN or its corresponding VLAN interface. • Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view; otherwise the IGMP Snooping settings will not take effect. • If I[...]
Page 279

1-7 Configuring Timers This section describes how to configure the aging timer of the router port, the aging timer of the multicast member ports, and the query response timer. Follow these steps to configure timers:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Configure the aging timer of the router port | igmp-snooping[...] | |
Page 280

1-8

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable fast leave processing for specific VLANs | igmp-snooping fast-leave [ vlan vlan-list ] | Required. By default, the fast leave processing feature is disabled. |

• The fast leave processing function works for a port only if the host atta[...]
Page 281

1-9

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Configure a multicast group filter | igmp-snooping group-policy acl-number [ vlan vlan-list ] | Optional. No group filter is configured by default, namely hosts can join any multicast group. |

• A port can belo[...]
Page 282

1-10 • To prevent bursting traffic in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process. • When the number of multicast groups exceeds the configured limit, the switch removes its multicast forwarding entries starting [...]
Page 283

1-11

| To do... | Use the command... | Remarks |
|---|---|---|
| Enable IGMP Snooping querier | igmp-snooping querier | Required. By default, IGMP Snooping querier is disabled. |

Configuring IGMP query interval Follow these steps to configure IGMP query interval:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter VLAN view | vlan vlan-id | — |
| Configure t[...] | | |
Page 284

1-12 • If the function of dropping unknown multicast packets or the XRN fabric function is enabled, you cannot enable unknown multicast flooding suppression. • Unknown multicast flooding suppression and multicast source port suppression cannot take effect at the same time. If both are enabled, only multicast source port suppression takes e[...]
Page 285

1-13 Configuring a Static Router Port In a network where the topology is unlikely to change, you can configure a port on the switch as a static router port, so that the switch has a static connection to a multicast router and receives IGMP messages from that router. In Ethernet port view Follow these steps to configure a static router port in[...]
Page 286

1-14 Therefore, to ensure that IGMP entries will not age out, the port must receive IGMP general queries periodically. Follow these steps to configure a port as a simulated group member:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Configure the curr[...] | | |
Page 287

1-15 Configuring Multicast VLAN In traditional multicast implementations, when users in different VLANs listen to the same multicast group, the multicast data is copied on the multicast router for each VLAN that contains receivers. This is a big waste of network bandwidth. In an IGMP Snooping environment, by configuring a multicast VLAN a[...]
Page 288

1-16

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter Ethernet port view for the Layer 3 switch | interface interface-type interface-number | — |
| Define the port as a trunk or hybrid port | port link-type { trunk \| hybrid } | Required |
| Specify the VLANs to be allowed to pass the Ethernet port | port hybrid vlan vlan-list { tagged \| untagged } or port trunk permit vla[...] | |
Page 289

1-17 IGMP Snooping Configuration Examples Configuring IGMP Snooping Network requirements To prevent multicast traffic from being flooded at Layer 2, enable IGMP snooping on Layer 2 switches. • As shown in Figure 3-3, Router A connects to a multicast source (Source) through Ethernet 1/0/2, and to Switch A through Ethernet 1/0/1. • Run PIM-DM and[...]
Page 290

1-18 3) Configure Switch A

```
# Enable IGMP Snooping globally.
<SwitchA> system-view
[SwitchA] igmp-snooping enable
Enable IGMP-Snooping ok.
# Create VLAN 100, assign Ethernet 1/0/1 through Ethernet 1/0/4 to this VLAN, and enable IGMP Snooping in the VLAN.
[SwitchA] vlan 100
[SwitchA-vlan100] port Ethernet 1/0/1 to Ethernet 1/0/4
[SwitchA-vlan[...]
```
Page 291

1-19 Table 3-2 Network devices and their configurations Device Device description Networking description Switch A Layer 3 switch The interface IP address of VLAN 20 is 168.10.1.1. Ethernet 1/0/1 is connected to the workstation and belongs to VLAN 20. The interface IP address of VLAN 10 is 168.10.2.1. Ethernet 1/0/10 belongs to VLAN 10. Ethernet[...]
Page 292

1-20 Network diagram Figure 3-4 Network diagram for multicast VLAN configuration (figure labels: WorkStation, SwitchA, SwitchB, Vlan-int20 168.10.1.1, Eth1/0/1, Eth1/0/10, Vlan2, Vlan3, Eth1/0/10, Vlan10, Eth1/0/1, Eth1/0/2, HostA, HostB, Vlan-int10 168.10.2.1) Configuration procedure The following configuration is based on the prerequisite that the devices are pro[...]
Page 293

1-21

```
# Create VLAN 2, VLAN 3 and VLAN 10, configure VLAN 10 as the multicast VLAN, and then enable IGMP Snooping on it.
[SwitchB] vlan 2 to 3
Please wait.... Done.
[SwitchB] vlan 10
[SwitchB-vlan10] service-type multicast
[SwitchB-vlan10] igmp-snooping enable
[SwitchB-vlan10] quit
# Define Ethernet 1/0/10 as a hybrid port, add the port to VLAN [...]
```
Page 294

1-22 • If the multicast group set up by IGMP Snooping is not correct, contact your technical support personnel.[...]
Page 295

i Table of Contents 1 802.1x Configuration ·········· 1-1 Introduction to 802.1x ··········[...]
Page 296

ii Layer 3 Error Control ·········· 4-1 Configuring System Guard ··········[...]
Page 297

1-1 1 802.1x Configuration When configuring 802.1x, go to these sections for information you are interested in: • Introduction to 802.1x • Introduction to 802.1x Configuration • Basic 802.1x Configuration • Advanced 802.1x Configuration • Displaying and Maintaining 802.1x Configuration • Configuration Example Introduction to 802.1x The 802.1x pr[...]
Page 298

1-2 Figure 1-1 Architecture of 802.1x authentication • The supplicant system is the entity seeking access to the LAN. It resides at one end of a LAN segment and is authenticated by the authenticator system at the other end of the LAN segment. The supplicant system is usually a user terminal device. An 802.1x authentication is triggered when a [...]
Page 299

1-3 • The controlled port can be used to pass service packets when it is in authorized state. It is blocked when not in authorized state. In this case, no packets can pass through it. • Controlled port and uncontrolled port are two properties of a port. Packets reaching a port are visible to both the controlled port and uncontrolled port of t[...]
Page 300

1-4 Figure 1-3 The format of an EAPoL packet In an EAPoL packet: • The PAE Ethernet type field holds the protocol identifier. The identifier for 802.1x is 0x888E. • The Protocol version field holds the version of the protocol supported by the sender of the EAPoL packet. • The Type field can be one of the following: 00: Indicates that the packet i[...]
Page 301

1-5 • The Length field indicates the size of an EAP packet, which includes the Code, Identifier, Length, and Data fields. • The Data field carries the EAP packet, whose format differs with the Code field. A Success or Failure packet does not contain the Data field, so the Length field of it is 4. Figure 1-5 shows the format of the Data field of [...]
Page 302

1-6 EAP relay mode This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher level protocol (such as EAPoR) packets to enable them to successfully reach the authentication server. Normally, this mode requires that the RADIUS server support the two newly-added fields: the EAP-message field (with a value of 79) a[...]
Page 303

1-7 Figure 1-8 802.1x authentication procedure (in EAP relay mode) (figure labels: Supplicant system PAE, RADIUS server, EAPOL, EAPOR; messages: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5 challenge, EAP-Success, EAP-Response/MD5 challenge, RADIUS Access-Request (EAP-Response/Ident[...]
Page 304

1-8 feedbacks (through a RADIUS access-accept packet and an EAP-success packet) to the switch to indicate that the supplicant system is authenticated. • The switch changes the state of the corresponding port to accepted state to allow the supplicant system to access the network. • The supplicant system can also terminate the authenticated state[...]
Page 305

1-9 Figure 1-9 802.1x authentication procedure (in EAP terminating mode) (figure labels: Supplicant system PAE, Authenticator system PAE, RADIUS server, EAPOL, RADIUS; messages: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5 Challenge, EAP-Success, EAP-Response/MD5 Challenge, RADIUS Access-Request (CHAP-Response/MD5 Challenge) R[...]
Page 306

1-10 • Re-authentication timer (reauth-period). The switch initiates 802.1x re-authentication at the interval set by the re-authentication timer. • RADIUS server timer (server-timeout). This timer sets the server-timeout period. After sending an authentication request packet to the RADIUS server, the switch sends another authentication re[...]
Page 307

1-11 • Only disconnects the supplicant system but sends no Trap packets. • Sends Trap packets without disconnecting the supplicant system. This function needs the cooperation of the 802.1x client and a CAMS server. • The 802.1x client needs to be capable of detecting multiple network adapters, proxies, and IE proxies. • The CAMS server is con[...]
Page 308

1-12 • After the maximum number of retries have been made and there are still ports that have not sent any response back, the switch will then add these ports to the guest VLAN. • Users belonging to the guest VLAN can access the resources of the guest VLAN without being authenticated. But they need to be authenticated when accessing external resour[...]
Page 309

1-13 • The RADIUS server has the switch perform 802.1x re-authentication of users. The RADIUS server sends the switch an Access-Accept packet with the Termination-Action attribute field of 1. Upon receiving the packet, the switch re-authenticates the user periodically. • You enable 802.1x re-authentication on the switch. With 802.1x re-au[...]
Page 310

1-14 Basic 802.1x Configuration Configuration Prerequisites • Configure the ISP domain and the AAA scheme to be adopted. You can specify a RADIUS scheme or a local scheme. • Ensure that the service type is configured as lan-access (by using the service-type command) if the local authentication scheme is adopted. Configuring Basic 802.1x Functions Follo[...]
Page 311

1-15

| To do… | Use the command… | Remarks |
|---|---|---|
| Enable online user handshaking | dot1x handshake enable | Optional. By default, online user handshaking is enabled. |

• 802.1x configurations take effect only after you enable 802.1x both globally and for specified ports. • The settings of 802.1x and MAC address learning limit are mutually exclusive. Enabling 80[...]
Page 312

1-16

| To do… | Use the command... | Remarks |
|---|---|---|
| Set 802.1x timers | dot1x timer { handshake-period handshake-period-value \| quiet-period quiet-period-value \| server-timeout server-timeout-value \| supp-timeout supp-timeout-value \| tx-period tx-period-value \| ver-period ver-period-value } | Optional. The settings of 802.1x timers are as follows. 1) handshake[...] |
Page 313

1-17 To do... Use the command... Remarks Enable proxy checking function globally dot1x supp-proxy-check { logoff | trap } Required By default, the 802.1x proxy checking function is globally disabled. In system view dot1x supp-proxy-check { logoff | trap } [ interface interface-list ] interface interface-type interface-number dot1x supp-proxy-check[...]
Page 314

1-18 As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also execute this command in port view. In this case, this command applies to the current port only and the interface-list argument is not needed. Enabling DHCP-triggered Authentic[...]
Page 315

1-19 • The guest VLAN function is available only when the switch operates in the port-based access control mode. • Only one guest VLAN can be configured for each switch. • The guest VLAN function cannot be implemented if you configure the dot1x dhcp-launch command on the switch to enable DHCP-triggered authentication. This is because the swit[...]
Page 316

1-20 During re-authentication, the switch always uses the latest re-authentication interval configured, no matter which of the above-mentioned two ways is used to determine the re-authentication interval. For example, if you configure a re-authentication interval on the switch and the switch receives an Access-Accept packet whose Terminatio[...]
Page 317

1-21 a real-time accounting packet to the RADIUS servers once in every 15 minutes. A user name is sent to the RADIUS servers with the domain name truncated. • The user name and password for local 802.1x authentication are “localuser” and “localpass” (in plain text) respectively. The idle disconnecting function is enabled. Network d[...]
Page 318

1-22

```
[Sysname-radius-radius1] secondary authentication 10.11.1.2
[Sysname-radius-radius1] secondary accounting 10.11.1.1
# Set the password for the switch and the authentication RADIUS servers to exchange messages.
[Sysname-radius-radius1] key authentication name
# Set the password for the switch and the accounting RADIUS servers to exchange me[...]
```
Page 319

2-1 2 Quick EAD Deployment Configuration When configuring quick EAD deployment, go to these sections for information you are interested in: • Introduction to Quick EAD Deployment • Configuring Quick EAD Deployment • Displaying and Maintaining Quick EAD Deployment • Quick EAD Deployment Configuration Example • Troubleshooting Introduction to Qui[...]
Page 320

2-2 Configuring Quick EAD Deployment Configuration Prerequisites • Enable 802.1x on the switch. • Set the port authorization mode to auto for 802.1x-enabled ports using the dot1x port-control command. Configuration Procedure Configuring a free IP range A free IP range is an IP range that users can access before passing 802.1x authentication. Fol[...]
Page 321

2-3 large number of users log in but cannot pass authentication, the switch may run out of ACL resources, preventing other users from logging in. A timer called the ACL timer is designed to solve this problem. You can control the usage of ACL resources by setting the ACL timer. The ACL timer starts once a user gets online. If the user has not[...]
Page 322

2-4 Configuration procedure Before enabling quick EAD deployment, make sure that: • The Web server is configured properly. • The default gateway of the PC is configured as the IP address of the Layer-3 virtual interface of the VLAN to which the port that is directly connected with the PC belongs. # Configure the URL for HTTP redirection. <[...]
Page 323

3-1 3 HABP Configuration When configuring HABP, go to these sections for information you are interested in: • Introduction to HABP • HABP Server Configuration • HABP Client Configuration • Displaying and Maintaining HABP Configuration Introduction to HABP When a switch is configured with the 802.1x function, 802.1x will authenticate and authoriz[...]
Page 324

3-2

| To do... | Use the command... | Remarks |
|---|---|---|
| Configure the current switch to be an HABP server | habp server vlan vlan-id | Required. By default, a switch operates as an HABP client after you enable HABP on the switch. If you want to use the switch as a management switch, you need to configure the switch to be an HABP server. |
| Configure the interval to send [...] | | |
Page 325

4-1 4 System Guard Configuration When configuring System Guard, go to these sections for information you are interested in: • System Guard Overview • Configuring System Guard • Displaying and Maintaining System Guard Configuration System Guard Overview Guard Against IP Attacks System-guard operates to inspect the IP packets over 10-second inter[...]
Page 326

4-2

| To do... | Use the command... | Remarks |
|---|---|---|
| Set the maximum number of infected hosts that can be concurrently monitored | system-guard ip detect-maxnum number | Optional. 30 by default |
| Set the maximum number of addresses that the system can learn, the maximum number of times an address can be hit before an action is taken and the address isolation time (pr[...] | | |
Page 327

4-3 Enabling Layer 3 Error Control Follow these steps to enable Layer 3 error control:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable Layer 3 error control | system-guard l3err enable | Required. Enabled by default |

Displaying and Maintaining System Guard Configuration

| To do... | Use the command... | Remarks |
|---|---|---|
| Display the mo[...] | | |
Page 328

i Table of Contents 1 AAA Overview ·········· 1-1 Introduction to AAA ···[...]
Page 329

1-1 1 AAA Overview Introduction to AAA AAA is the acronym for the three security functions: authentication, authorization and accounting. It provides a uniform framework for you to configure these three functions to implement network security management. • Authentication: Defines what users can access the network. • Authorization: Defines what[...]
Page 330

1-2 Introduction to ISP Domain An Internet service provider (ISP) domain is a group of users who belong to the same ISP. For a username in the format of userid@isp-name or userid.isp-name, the isp-name following the "@" character is the ISP domain name. The access device uses userid as the username for authentication, and isp-name[...]
Page 331

1-3 Figure 1-1 Databases in a RADIUS server In addition, a RADIUS server can act as a client of some other AAA server to provide authentication or accounting proxy service. Basic message exchange procedure in RADIUS The messages exchanged between a RADIUS client (a switch, for example) and a RADIUS server are verified through a shared key. Th[...]
Page 332

1-4 4) The RADIUS client accepts or denies the user depending on the received authentication result. If it accepts the user, the RADIUS client sends a start-accounting request (Accounting-Request, with the Status-Type attribute value = start) to the RADIUS server. 5) The RADIUS server returns a start-accounting response (Accounting-Respon[...]
Page 333

1-5

| Code | Message type | Message description |
|---|---|---|
| 4 | Accounting-Request | Direction: client->server. The client transmits this message to the server to request the server to start or end the accounting (whether to start or to end the accounting is determined by the Acct-Status-Type attribute in the message). This message carries almost the same attribut[...] |
Page 334

1-6

| Type field value | Attribute type | Type field value | Attribute type |
|---|---|---|---|
| 10 | Framed-Routing | 32 | NAS-Identifier |
| 11 | Filter-ID | 33 | Proxy-State |
| 12 | Framed-MTU | 34 | Login-LAT-Service |
| 13 | Framed-Compression | 35 | Login-LAT-Node |
| 14 | Login-IP-Host | 36 | Login-LAT-Group |
| 15 | Login-Service | 37 | Framed-AppleTalk-Link |
| 16 | Login-TCP-Port | 38 | Framed-AppleTalk-Network |
| 17 | (unassigne[...] | | |
Page 335

2-1 2 AAA Configuration AAA Configuration Task List You need to configure AAA to provide network access services for legal users while protecting network devices and preventing unauthorized access and repudiation behavior. Complete the following tasks to configure AAA (configuring a combined AAA scheme for an ISP domain): Task Remarks Creating[...]
Page 336

2-2 Task Remarks Creating an ISP Domain and Configuring Its Attributes Required Configuring separate AAA schemes Required Configuring an AAA Scheme for an ISP Domain Required With separate AAA schemes, you can specify authentication, authorization and accounting schemes respectively. You need to configure RADIUS or HWTACACS before performing RAD[...]
Page 337

2-3

| To do… | Use the command… | Remarks |
|---|---|---|
| Set the messenger function | messenger time { enable limit interval \| disable } | Optional. By default, the messenger function is disabled. |
| Set the self-service server location function | self-service-url { disable \| enable url-string } | Optional. By default, the self-service server location function is disabled. |

Note[...]
Page 338

2-4

| To do… | Use the command… | Remarks |
|---|---|---|
| Configure an AAA scheme for the ISP domain | scheme { local \| none \| radius-scheme radius-scheme-name [ local ] } | Required. By default, an ISP domain uses the local AAA scheme. |

• You can execute the scheme radius-scheme radius-scheme-name command to adopt an already configured RADIUS scheme to implement all t[...]
Page 339

2-5

| To do… | Use the command… | Remarks |
|---|---|---|
| Configure an authentication scheme for the ISP domain | authentication { radius-scheme radius-scheme-name [ local ] \| local \| none } | Optional. By default, no separate authentication scheme is configured. |
| Configure an authorization scheme for the ISP domain | authorization { none } | Optional. By default, no separate[...] |
Page 340

2-6 Currently, the switch supports the following two types of assigned VLAN IDs: integer and string. • Integer: If the RADIUS authentication server assigns integer type of VLAN IDs, you can set the VLAN assignment mode to integer on the switch (this is also the default mode on the switch). Then, upon receiving an integer ID assigned by t[...]
Page 341

2-7 The local users are users set on the switch, with each user uniquely identified by a username. To make a user who is requesting network service pass local authentication, you should add an entry in the local user database on the switch for the user. Follow these steps to configure the attributes of a local user: To do… Use the command[...]
Page 342

2-8 • The following characters are not allowed in the user-name string: /:*?<>. And you cannot input more than one “@” in the string. • After the local-user password-display-mode cipher-force command is executed, any password will be displayed in cipher mode even though you specify to display a user password in plain text by using[...]
Page 343

2-9

| Task | Remarks |
|---|---|
| Creating a RADIUS Scheme | Required |
| Configuring RADIUS Authentication/Authorization Servers | Required |
| Configuring RADIUS Accounting Servers | Required |
| Configuring Shared Keys for RADIUS Messages | Optional |
| Configuring the Maximum Number of RADIUS Request Transmission Attempts | Optional |
| Configuring the Type of RADIUS Servers to be Suppo[...] | |
Page 344

2-10 creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting. And for each type of server, you can configure two servers in a RADIUS scheme: primary server and secondary[...]
Page 345

2-11

| To do… | Use the command… | Remarks |
|---|---|---|
| Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system. |
| Set the IP address and port number of the primary RADIUS authentication/authorization server | primary authentication ip-address [ p[...] | |
Page 346

2-12

| To do… | Use the command… | Remarks |
|---|---|---|
| Set the IP address and port number of the secondary RADIUS accounting server | secondary accounting ip-address [ port-number ] | Optional. By default, the IP address and UDP port number of the secondary accounting server are 0.0.0.0 and 1813 for a newly created RADIUS scheme. |
| Enable stop-accounting request bu[...] | | |
Page 347

2-13

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system. |
| Set a shared key for RADIUS authentication/authorization messages | key authentication string | R[...] |
Page 348

2-14

| To do… | Use the command… | Remarks |
|---|---|---|
| Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | Required. By default, a RADIUS scheme named "system" has already been created in the system. |
| Configure the type of RADIUS servers to be supported | server-type { extended \| standard } | Optional. • If you change the RADIUS serve[...] |
Page 349

2-15

| To do… | Use the command… | Remarks |
|---|---|---|
| Set the status of the secondary RADIUS authentication/authorization server | state secondary authentication { block \| active } | |
| Set the status of the secondary RADIUS accounting server | state secondary accounting { block \| active } | |

Configuring the Attributes of Data to be Sent to RADIUS Servers Follow these st[...]
Page 350

2-16 • Generally, the access users are named in the userid@isp-name format. Here, isp-name after the “@” character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old RADIUS servers cannot accept the usernames that carry ISP domain names. In this case, it is necessary to r[...]
Page 351

2-17 • If you adopt the local RADIUS server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this switch. • The message encryption key set by the local-server nas-ip ip-address key p[...]
Page 352

2-18

| To do… | Use the command… | Remarks |
|---|---|---|
| Set the response timeout time of RADIUS servers | timer response-timeout seconds | Optional. By default, the response timeout time of RADIUS servers is three seconds. |
| Set the time that the switch waits before it tries to re-communicate with the primary server and restore the status of the primary server to active | tim[...] | |
-
Seite 353
2-19 online when the user re-logs into the network before the CAMS performs online user detection, and the user cannot get authenticated. In this case, the user can access the network again only when the CAMS administrator manually removes the user's online information. The user re-authentication at restart function is designed to res[...]
Page 354
2-20 Displaying and Maintaining AAA Configuration To do… Use the command… Remarks Display configuration information about one specific or all ISP domains display domain [ isp-name ] Display information about user connections display connection [ access-type { dot1x | mac-authentication } | domain [...]
Page 355
2-21 The configuration procedure for remote authentication of SSH users by RADIUS server is similar to that for Telnet users. The following text only takes Telnet users as an example to describe the configuration procedure for remote authentication. Network requirements In the network environment shown in Figure 2-1, you are required to configu[...]
Page 356
2-22 [Sysname-isp-cams] quit # Configure a RADIUS scheme. [Sysname] radius scheme cams [Sysname-radius-cams] accounting optional [Sysname-radius-cams] primary authentication 10.110.91.164 1812 [Sysname-radius-cams] key authentication aabbcc [Sysname-radius-cams] server-type Extended [Sysname-radius-cams] user-name-format with-domain [Sysname-radius[...]
Page 357
2-23 [Sysname-ui-vty0-4] quit # Create and configure a local user named telnet. [Sysname] local-user telnet [Sysname-luser-telnet] service-type telnet [Sysname-luser-telnet] password simple aabbcc [Sysname-luser-telnet] quit # Configure an authentication scheme for the default "system" domain. [Sysname] domain system [Sysname-isp-system] sche[...]
Page 358
3-24 • None or incorrect RADIUS server IP address is set on the switch — Be sure to set a correct RADIUS server IP address. • One or all AAA UDP port settings are incorrect — Be sure to set the same UDP port numbers as those on the RADIUS server. Symptom 3: The user passes the authentication and gets authorized, but the accounting informat[...]
Page 359
3-25 Figure 3-1 Typical network application of EAD EAD Configuration The EAD configuration includes: • Configuring the attributes of access users (such as username, user type, and password). For local authentication, you need to configure these attributes on the switch; for remote authentication, you need to configure these attributes on the [...]
Page 360
3-26 • You are required to configure the switch to use RADIUS server for remote user authentication and use security policy server for EAD control on users. The following are the configuration tasks: • Connect the RADIUS authentication server 10.110.91.164 and the switch, and configure the switch to use port number 1812 to communicate with th[...]
Page 361
3-27 [Sysname-isp-system] radius-scheme cams[...]
Page 362
i Table of Contents 1 MAC Address Authentication Configuration 1-1 MAC Address Authentication Overview [...]
Page 363
1-1 1 MAC Address Authentication Configuration When configuring MAC address authentication, go to these sections for information you are interested in: • MAC Address Authentication Overview • Related Concepts • Configuring Basic MAC Address Authentication Functions • MAC Address Authentication Enhanced Function Configuration • Displaying and Ma[...]
Page 364
1-2 format configured with the mac-authentication authmode usernameasmacaddress usernameformat command; otherwise, the authentication will fail. • In fixed mode, all users' MAC addresses are automatically mapped to the configured local passwords and usernames. • The service type of a local user needs to be configured as lan-access. Related [...]
Page 365
1-3 To do... Use the command... Remarks quit Set the user name in MAC address mode for MAC address authentication mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } { lowercase | uppercase } | fixedpassword password ] Optional By default, the MAC address of a user is used as the user name. Set the[...]
Page 366
1-4 Task Remarks Configuring a Guest VLAN Optional Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port Optional Configuring a Guest VLAN Different from Guest VLANs described in the 802.1x and System-Guard manual, Guest VLANs mentioned in this section refer to Guest VLANs dedicated to MAC address authen[...]
Page 367
1-5 After a port is added to a Guest VLAN, the switch will re-authenticate the first access user of this port (namely, the first user whose unicast MAC address is learned by the switch) periodically. If this user passes the re-authentication, this port will exit the Guest VLAN, and thus the user can access the network normally. • Guest V[...]
Page 368
1-6 • If more than one client is connected to a port, you cannot configure a Guest VLAN for this port. • When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect. •[...]
Page 369
1-7 • If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port. Refer to the Port S[...]
Page 370
1-8 # Set the user name in MAC address mode for MAC address authentication, requiring hyphened lowercase MAC addresses as the usernames and passwords. [Sysname] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase # Add a local user. • Specify the user name and password. [Sysname] local-user 00-0d-88-f6-44-c1 [[...]
Page 371
i Table of Contents 1 ARP Configuration 1-1 Introduction to ARP [...]
Page 372
1-1 1 ARP Configuration When configuring ARP, go to these sections for information you are interested in: • Introduction to ARP • Configuring ARP • Configuring Gratuitous ARP • Configuring ARP Source MAC Address Consistency Check • Displaying and Debugging ARP • ARP Configuration Examples Introduction to ARP ARP Function Address Resolution Proto[...]
Page 373
1-2 Figure 1-1 ARP message format (fields: Hardware type (16 bits), Protocol type (16 bits), Length of hardware address, Length of protocol address, Operator (16 bits), Hardware address of the sender, IP address of the sender, Hardware address of the receiver, IP address of the receiver) [...]
Page 374
1-3 Value Description 5 Chaos 6 IEEE802.X 7 ARC network ARP Table In an Ethernet, the MAC addresses of two hosts must be available for the two hosts to communicate with each other. Each host in an Ethernet maintains an ARP table, where the latest used IP address-to-MAC address mapping entries are stored. S4500 series Ethernet switches pro[...]
Page 375
1-4 mode, all hosts on this subnet can receive the request, but only the requested host (namely, Host B) will process the request. 3) Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates[...]
Page 376
1-5 • If they are not consistent, the ARP packet is considered invalid and the corresponding ARP entry is not learned. Configuring ARP Follow these steps to configure ARP basic functions: To do… Use the command… Remarks Enter system view system-view — Add a static ARP entry arp static ip-address mac-address [ vlan-id interface-type inter[...]
Page 377
1-6 The sending of gratuitous ARP packets is enabled as long as an S4500 switch operates. No command is needed for enabling this function. That is, the device sends gratuitous ARP packets whenever a VLAN interface is enabled (such as when a link is enabled or an IP address is configured for the VLAN interface) or whenever the IP address of a VL[...]
Page 378
1-7 Configuration procedure <Sysname> system-view [Sysname] undo arp check enable [Sysname] interface vlan 1 [Sysname-Vlan-interface1] undo gratuitous-arp period-resending enable [Sysname-Vlan-interface1] quit [Sysname] arp timer aging 10 [Sysname] arp static 192.168.1.1 000f-e201-0000 1 Ethernet 1/0/10[...]
Page 379
i Table of Contents 1 DHCP Overview 1-1 Introduction to DHCP [...]
Page 380
1-1 1 DHCP Overview When configuring DHCP, go to these sections for information you are interested in: • Introduction to DHCP • DHCP IP Address Assignment • DHCP Packet Format • Protocol Specification Introduction to DHCP With networks getting larger in size and more complicated in structure, lack of available IP addresses becomes the common situ[...]
Page 381
1-2 • Automatic assignment. The DHCP server assigns IP addresses to DHCP clients. The IP addresses will be occupied by the DHCP clients permanently. • Dynamic assignment. The DHCP server assigns IP addresses to DHCP clients for a predetermined period of time. In this case, a DHCP client must apply for an IP address again at the expiration of t[...]
Page 382
1-3 By default, a DHCP client updates its IP address lease automatically by unicasting a DHCP-REQUEST packet to the DHCP server when half of the lease time elapses. The DHCP server responds with a DHCP-ACK packet to notify the DHCP client of a new IP lease if the server can assign the same IP address to the client. Otherwise, the DHCP serve[...]
Page 383
1-4 • file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP client. • option: Optional variable-length fields, including packet type, valid lease time, IP address of a DNS server, and IP address of the WINS server. Protocol Specification Protocol specifications related to DHCP include: • RFC2131: Dynamic [...]
Page 384
2-1 2 DHCP Relay Agent Configuration When configuring the DHCP relay agent, go to these sections for information you are interested in: • Introduction to DHCP Relay Agent • Configuring the DHCP Relay Agent • Displaying and Maintaining DHCP Relay Agent Configuration • DHCP Relay Agent Configuration Example • Troubleshooting DHCP Relay Agent Conf[...]
Page 385
2-2 Figure 2-1 Typical DHCP relay agent application In the process of dynamic IP address assignment through the DHCP relay agent, the DHCP client and DHCP server interoperate with each other in a similar way as they do without the DHCP relay agent. The following sections only describe the forwarding process of the DHCP relay agent. For the int[...]
Page 386
2-3 Figure 2-2 Padding contents for sub-option 1 of Option 82 Figure 2-3 Padding contents for sub-option 2 of Option 82 Mechanism of Option 82 supported on DHCP relay agent The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay agent is similar to that for the client to obtain an IP address from a DHCP se[...]
Page 387
2-4 If a switch belongs to an XRN fabric, you need to enable the UDP Helper function on it before configuring it as a DHCP relay agent. DHCP Relay Agent Configuration Task List Complete the following tasks to configure the DHCP relay agent: Task Remarks Enabling DHCP Required Correlating a DHCP Server Group with a Relay Agent Interface Required [...]
Page 388
2-5 To improve security and avoid malicious attacks on the unused SOCKETs, S4500 Ethernet switches provide the following functions: • UDP 67 and UDP 68 ports used by DHCP are enabled only when DHCP is enabled. • UDP 67 and UDP 68 ports are disabled when DHCP is disabled. The corresponding implementation is as follows: • When a VLAN interface is[...]
Page 389
2-6 To do… Use the command… Remarks Create a static IP-to-MAC binding dhcp-security static ip-address mac-address Optional Not created by default. Enter interface view interface interface-type interface-number — Enable the address checking function address-check enable Required Disabled by default. • The address-check enable command is in[...]
Page 390
2-7 Currently, the DHCP relay agent handshake function on an S4500 series switch can only interoperate with a Windows 2000 DHCP server. Enabling unauthorized DHCP server detection If there is an unauthorized DHCP server in the network, when a client applies for an IP address, the unauthorized DHCP server may assign an incorrect IP address to t[...]
Page 391
2-8 To do… Use the command… Remarks Enable Option 82 support on the DHCP relay agent dhcp relay information enable Required Disabled by default. Configure the strategy for the DHCP relay agent to process request packets containing Option 82 dhcp relay information strategy { drop | keep | replace } Optional By default, the replace strategy is ad[...]
Page 392
2-9 Network diagram Figure 2-4 Network diagram for DHCP relay agent (labels: Switch B, DHCP server, Switch A, DHCP relay, four DHCP clients, Vlan-int2 10.1.1.2/24, Vlan-int1 10.10.1.1/24, Vlan-int2 10.1.1.1/24) Configuration procedure # Create DHCP server group 1 and configure an IP address of 10.1.1.1 for it. <SwitchA> system-v[...]
Page 393
2-10 • Check if an address pool that is on the same network segment with the DHCP clients is configured on the DHCP server. • Check if a reachable route is configured between the DHCP relay agent and the DHCP server. • Check the DHCP relay agent. Check if the correct DHCP server group is configured on the interface connecting the network segm[...]
Page 394
3-1 3 DHCP Snooping Configuration When configuring DHCP snooping, go to these sections for information you are interested in: • DHCP Snooping Overview • Configuring DHCP Snooping • Displaying and Maintaining DHCP Snooping Configuration • DHCP Snooping Configuration Examples DHCP Snooping Overview Introduction to DHCP Snooping For the sake of sec[...]
Page 395
3-2 Figure 3-1 Typical network diagram for DHCP snooping application DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients: • DHCP-REQUEST packet • DHCP-ACK packet Introduction to DHCP-Snooping Option 82 Introduction to Option 82 F[...]
Page 396
3-3 Figure 3-3 Extended format of the remote ID sub-option In practice, some network devices do not support the type and length identifiers of the Circuit ID and Remote ID sub-options. To interwork with these devices, S4500 Series Ethernet Switches support Option 82 in the standard format. Refer to Figure 3-4 and Figure 3-5 for the standard for[...]
Page 397
3-4 When receiving a DHCP client's request without Option 82, the DHCP snooping device will add the option field with the configured sub-option and then forward the packet. For details, see Table 3-2. Table 3-2 Ways of handling a DHCP packet without Option 82 Sub-option configuration The DHCP-Snooping device will … Neither of the two sub[...]
Page 398
3-5 • If an S4500 Ethernet switch is enabled with DHCP snooping, the clients connected to it cannot dynamically obtain IP addresses through BOOTP. • You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client [...]
Page 399
3-6 Configuring a handling policy for DHCP packets with Option 82 Follow these steps to configure a handling policy for DHCP packets with Option 82: To do… Use the command… Remarks Enter system view system-view — Configure a global handling policy for requests that contain Option 82 dhcp-snooping information strategy { drop | keep | repla[...]
Page 400
3-7 To do… Use the command… Remarks Enter Ethernet port view interface interface-type interface-number — Configure the circuit ID sub-option in Option 82 dhcp-snooping information [ vlan vlan-id ] circuit-id string string Optional By default, the circuit ID sub-option contains the VLAN ID and port index related to the port that receives DHCP [...]
Page 401
3-8 • If you configure a remote ID sub-option in both system view and on a port, the remote ID sub-option configured on the port applies when the port receives a packet, and the global remote ID applies to other interfaces that have no remote ID sub-option configured. • If you have configured a remote ID with the vlan vlan-id argument specified[...]
Page 402
3-9 • Enable DHCP-snooping Option 82 support on the switch and set the remote ID field in Option 82 to the system name of the switch. Set the circuit ID sub-option to abcd in DHCP packets from VLAN 1 on Ethernet 1/0/3. Network diagram Figure 3-6 Network diagram for DHCP-snooping Option 82 support configuration Configuration procedure # Enable DHCP[...]
Page 403
4-1 4 DHCP/BOOTP Client Configuration When configuring the DHCP/BOOTP client, go to these sections for information you are interested in: • Introduction to DHCP Client • Introduction to BOOTP Client • Configuring a DHCP/BOOTP Client • Displaying DHCP/BOOTP Client Configuration Introduction to DHCP Client After you specify a VLAN interface as a D[...]
Page 404
4-2 Configuring a DHCP/BOOTP Client Follow these steps to configure a DHCP/BOOTP client: To do… Use the command… Remarks Enter system view system-view — Enter VLAN interface view interface vlan-interface vlan-id — Configure the VLAN interface to obtain IP address through DHCP or BOOTP ip address { bootp-alloc | dhcp-alloc } Required By[...]
Page 405
4-3 Network diagram Figure 4-1 A DHCP network Configuration procedure The following describes only the configuration on Switch A serving as a DHCP client. # Configure VLAN-interface 1 to dynamically obtain an IP address by using DHCP. <SwitchA> system-view [SwitchA] interface Vlan-interface 1 [SwitchA-Vlan-interface1] ip address dhcp-all[...]
Page 406
i Table of Contents 1 ACL Configuration 1-1 ACL Overview [...]
Page 407
1-1 1 ACL Configuration When configuring ACL, go to these sections for information you are interested in: • ACL Overview • ACL Configuration Task List • Displaying and Maintaining ACL Configuration • Examples for Upper-layer Software Referencing ACLs • Examples for Applying ACLs to Hardware ACL Overview As the network scale and network traffic[...]
Page 408
1-2 Depth-first match order for rules of a basic ACL 1) Range of source IP address: The smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority. 2) Fragment keyword: A rule with the fragment keyword is prior to others. 3) If the above two conditions are identical, the ear[...]
Page 409
1-3 • Referenced by routing policies • Used to control Telnet, SNMP and Web login users • When an ACL is directly applied to hardware for packet filtering, the switch will permit packets if the packets do not match the ACL. • When an ACL is referenced by upper-layer software to control Telnet, SNMP and Web login users, the switch will deny pack[...]
Page 410
1-4 An absolute time range on Switch 4500 Series can be within the range 1970/1/1 00:00 to 2100/12/31 24:00. Configuration procedure Follow these steps to configure a time range: To do... Use the command... Remarks Enter system view system-view — Create a time range time-range time-name { start-time to end-time days-of-the-week [ from star[...]
Page 411
1-5 <Sysname> system-view [Sysname] time-range test from 15:00 1/28/2006 to 15:00 1/28/2008 [Sysname] display time-range test Current time is 13:30:32 Apr/16/2005 Saturday Time-range : test ( Inactive ) From 15:00 Jan/28/2006 to 15:00 Jan/28/2008 Configuring Basic ACL A basic ACL filters packets based on their source IP addresses. A basic AC[...]
Page 412
1-6 Configuration example # Configure ACL 2000 to deny packets whose source IP addresses are 192.168.0.1. <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule deny source 192.168.0.1 0 # Display the configuration information of ACL 2000. [Sysname-acl-basic-2000] display acl 2000 Basic ACL 2000, 1 rule Acl's st[...]
Page 413
1-7 Note that: • With the config match order specified for the advanced ACL, you can modify any existent rule. The unmodified part of the rule remains. With the auto match order specified for the ACL, you cannot modify any existent rule; otherwise the system prompts error information. • If you do not specify the rule-id argument when creating a[...]
Page 414
1-8 To do... Use the command... Remarks Define an ACL rule rule [ rule-id ] { permit | deny } rule-string Required For information about rule-string, refer to ACL Commands. Assign a description string to the ACL rule rule rule-id comment text Optional No description by default Assign a description string to the ACL description text Optional No [...]
Page 415
1-9 To do... Use the command... Remarks Enter system view system-view — Create a user-defined ACL and enter user-defined ACL view acl number acl-number Required Define an ACL rule rule [ rule-id ] { permit | deny } [ rule-string rule-mask offset ] &<1-8> [ time-range time-name ] Required For information about rule-string, refer to AC[...]
Page 416
1-10 Acl's step is 1 rule 0 deny 06 ff 27 Applying ACL Rules on Ports By applying ACL rules on ports, you can filter packets on the corresponding ports. Configuration prerequisites You need to define an ACL before applying it on a port. For information about defining an ACL, refer to Configuring Basic ACL, Configuring Advanced ACL, C[...]
Page 417
1-11 Configuration procedure Follow these steps to apply ACL rules to ports in a VLAN: To do... Use the command... Remarks Enter system view system-view — Apply ACL rules to ports in a VLAN packet-filter vlan vlan-id { inbound | outbound } acl-rule Required For information about acl-rule, refer to ACL Commands. Configuration example # Apply[...]
Page 418
1-12 Configuration procedure # Define ACL 2000. <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [Sysname-acl-basic-2000] quit # Reference ACL 2000 on VTY user interface to control Telnet login users. [Sysname] user-interface vty 0 4 [Sysname-ui-vty0-4] acl 2000 inbound Example for[...]
Page 419
1-13 Network diagram Figure 1-3 Network diagram for basic ACL configuration Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 every day. <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 daily # Define ACL 2000 to filter packets with the source IP address of 10.1.1.1. [Sysname] acl number[...]
Page 420
1-14 Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 every day. <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 working-day # Define ACL 3000 to filter packets destined for the wage query server. [Sysname] acl number 3000 [Sysname-acl-adv-3000] rule 1 deny ip destination 192.168.1.2 0 ti[...]
Page 421
1-15 User-defined ACL Configuration Example Network requirements As shown in Figure 1-6, PC 1 and PC 2 are connected to the switch through Ethernet 1/0/1 and Ethernet 1/0/2 respectively. They belong to VLAN 1 and access the Internet through the same gateway, which has an IP address of 192.168.0.1 (the IP address of VLAN-interface 1). Con[...]
Page 422
1-16 Network diagram Figure 1-7 Network diagram for applying an ACL to a VLAN (labels: Eth1/0/1, Eth1/0/2, Eth1/0/3, PC 1, PC 2, PC 3, Database server 192.168.1.2, VLAN 10) Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 in working days. <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 working-day # Defin[...]
Page 423
i Table of Contents 1 QoS Configuration 1-1 Overview [...]
Page 424
1-1 1 QoS Configuration When configuring QoS, go to these sections for information you are interested in: • Overview • QoS Supported By Switch 4500 Series • QoS Configuration • Displaying and Maintaining QoS • QoS Configuration Examples Overview Introduction to QoS Quality of Service (QoS) is a concept concerning service demand and supply. It[...]
Page 425
1-2 and VoD. As for other applications, such as transaction processing and Telnet, although bandwidth is not as critical, a too long delay may cause unexpected results. That is, they need to get serviced in time even if congestion occurs. Newly emerging applications demand higher service performance from IP networks. In addition to simply de[...]
Page 426
1-3 QoS Supported By Switch 4500 Series The Switch 4500 series support the QoS features listed in Table 1-1: Table 1-1 QoS features supported by Switch 4500 series QoS Feature Description Refer to … Traffic classification Classify incoming traffic based on ACLs. The Switch 4500 series support the following types of ACLs: • Basic ACLs • Advan[...]
Page 427
1-4 protocol or the port number of an application. Normally, traffic classification is done by checking the information carried in the packet header. Packet payload is rarely adopted for traffic classification. The identifying rule is unlimited in range. It can be a quintuplet consisting of source address, source port number, protocol number[...]
Page 428
1-5 • Assured forwarding (AF) class: This class is further divided into four subclasses (AF1/2/3/4) and a subclass is further divided into three drop priorities, so the AF service level can be segmented. The QoS rank of the AF class is lower than that of the EF class; • Class selector (CS) class: This class comes from the IP ToS field and inc[...]
Page 429
1-6 2) 802.1p priority 802.1p priority lies in Layer 2 packet headers and is applicable to occasions where the Layer 3 packet header does not need analysis but QoS must be assured at Layer 2. Figure 1-3 An Ethernet frame with an 802.1Q tag header As shown in the figure above, the 4-byte 802.1Q tag header consists of the tag protocol identif[...]
Page 430
1-7 Priority trust mode After a packet enters a switch, the switch sets the 802.1p priority and local precedence for the packet according to its own capability and the corresponding rules. 1) For a packet carrying no 802.1q tag When a packet carrying no 802.1q tag reaches the port of a switch, the switch uses the port priority as the 802.1p[...]
Page 431
1-8 Priority Marking The priority marking function is to reassign priority for the traffic matching an ACL referenced for traffic classification. • If 802.1p priority marking is configured, the traffic will be mapped to the local precedence corresponding to the re-marked 802.1p priority and assigned to the output queue corresponding to the l[...]
Page 432
1-9 enough to forward the packets, the traffic is conforming to the specification; otherwise, the traffic is nonconforming or excess. Parameters concerning token bucket include: • Average rate: The rate at which tokens are put into the bucket, namely, the permitted average rate of the traffic. It is generally set to committed information rate[...]
Page 433
1-10 The Switch 4500 series support three queue scheduling algorithms: Strict Priority (SP) queuing, Weighted Fair Queuing (WFQ), and Weighted Round Robin (WRR) queuing. 1) SP queuing Figure 1-6 Diagram for SP queuing SP queue-scheduling algorithm is specially designed for critical service applications. An important feature of critical ser[...]
Page 434
1-11 Figure 1-7 Diagram for WFQ queuing Before WFQ is introduced, you must understand fair queuing (FQ) first. FQ is designed for the purpose of sharing network resources fairly and optimizing the delays and delay jitters of all the flows. It takes the interests of all parties into account, such as: • Different queues are scheduled fairly, so[...]
Page 435
1-12 Figure 1-8 Diagram for WRR queuing WRR queue-scheduling algorithm schedules all the queues in turn and every queue can be assured of a certain service time. In a typical 3Com switch there are eight output queues on each port. WRR configures a weight value for each queue, for example: w7, w6, w5, w4, w3, w2, w1, and w0 respectively for qu[...]
Page 436
1-13 In the WRED algorithm, an upper limit and a lower limit are set for each queue, and the packets in a queue are processed as follows. • When the current queue length is smaller than the lower limit, no packet is dropped; • When the queue length exceeds the upper limit, all the newly received packets are dropped; • When the queue length is bet[...]
Page 437
1-14 Configuration procedure Follow these steps to configure to trust port priority: To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Configure to trust port priority and configure the port priority priority priority-level Optional By default, the switch [...]
Page 438
1-15 Configuration procedure Follow these steps to configure the mapping between 802.1p priority and local precedence: To do… Use the command… Remarks Enter system view system-view — Configure the mapping between 802.1p priority and local precedence qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-loca[...]
Page 439
1-16 Configuration example • Set the IP precedence of ICMP packets to 3. • Display the configuration. Configuration procedure: <Sysname> system-view [Sysname] protocol-priority protocol-type icmp ip-precedence 3 [Sysname] display protocol-priority Protocol: icmp IP-Precedence: flash(3) Marking Packet Priority Refer to section Priority Marking[...]
Page 440
1-17 To do… Use the command… Remarks Enter system view system-view — Mark the priorities for the packets belonging to a VLAN and matching specific ACL rules traffic-priority vlan vlan-id { inbound | outbound } acl-rule { { dscp dscp-value | ip-precedence { pre-value | from-cos } } | cos { pre-value | from-ipprec } | local-precedence pre-[...]
Page 441
1-18 To do… Use the command… Remarks Configure traffic policing traffic-limit inbound acl-rule [ union-effect ] target-rate [ burst-bucket burst-bucket-size ] [ exceed action ] Required Specify a committed information rate (CIR) for the target-rate argument, and specify a committed burst size (CBS) for the burst-bucket-size argument. By defa[...]
Page 442
1-19 To do… Use the command… Remarks Configure line rate line-rate { inbound | outbound } target-rate [ burst-bucket burst-bucket-size ] Required Specify a committed information rate (CIR) for the target-rate argument, and specify a committed burst size (CBS) for the burst-bucket-size argument. By default, line rate is disabled. Configuration[...]
Page 443
1-20 Configuration procedure Follow these steps to configure queue scheduling in system view: To do… Use the command… Remarks Enter system view system-view — Configure queue scheduling queue-scheduler { strict-priority | wfq queue0-width queue1-width queue2-width queue3-width queue4-width queue5-width queue6-width queue7-width | wrr q[...]
Page 444
1-21 • The queue scheduling algorithm specified by using the queue-scheduler command in system view takes effect on all the ports. The queue scheduling algorithm configured in port view must be the same as that configured in system view. Otherwise, the system prompts configuration errors. • If the weight (or bandwidth value) specified in syste[...]
Page 445
1-22 To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Configure WRED wred queue-index qstart probability Required By default, WRED is not configured. Configuration example Configure WRED for queue 2 of Ethernet 1/0/1 to drop the packets in queue 2 ran[...]
Page 446
1-23 For information about the mirroring-group monitor-port command and the monitor-port command, refer to the part talking about mirroring. Configuration example Network requirements: • Ethernet 1/0/1 is connected to the 10.1.1.0/24 network segment. • Duplicate the packets from network segment 10.1.1.0/24 to the destination mirroring port Eth[...]
Page 447
1-24 QoS Configuration Examples Configuration Example of Traffic Policing and Line Rate Network requirement An enterprise network connects all the departments through an Ethernet switch. PC 1, with the IP address 192.168.0.1, belongs to the R&D department and is connected to Ethernet 1/0/1 of the switch. The marketing department is conne[...]
Page 448
1-25 Configuration Example of Priority Marking and Queue Scheduling Network requirements As shown in Figure 1-10, an enterprise network connects all the departments through an Ethernet switch. Clients PC 1 through PC 3 are connected to Ethernet 1/0/1 of the switch; clients PC 4 through PC 6 are connected to Ethernet 1/0/3 of the switch. Serv[...]
Page 449
1-26 [Sysname-Ethernet1/0/2] traffic-priority inbound ip-group 3000 rule 1 local-precedence 3 [Sysname-Ethernet1/0/2] traffic-priority inbound ip-group 3000 rule 2 local-precedence 2 [Sysname-Ethernet1/0/2] quit 3) Configure queue scheduling # Apply SP queue scheduling algorithm. [Sysname] queue-scheduler strict-priority VLAN Mapping Configuration[...]
Page 450
1-27 Configuration procedure # Create customer VLANs VLAN 100 and VLAN 200 and service VLANs VLAN 500 and VLAN 600 on Switch A. <SwitchA> system-view [SwitchA] vlan 100 [SwitchA-vlan100] quit [SwitchA] vlan 200 [SwitchA-vlan200] quit [SwitchA] vlan 500 [SwitchA-vlan500] quit [SwitchA] vlan 600 [SwitchA-vlan600] quit # Configure Ethernet 1/0/1[...]
Page 451
1-28 # Configure VLAN mapping on Ethernet 1/0/11 to replace VLAN tag 100 with VLAN tag 500. [SwitchA] interface Ethernet 1/0/11 [SwitchA-Ethernet1/0/11] traffic-remark-vlanid inbound link-group 4000 remark-vlan 500 [SwitchA-Ethernet1/0/11] quit # Configure VLAN mapping on Ethernet 1/0/12 to replace VLAN tag 200 with VLAN tag 600. [SwitchA] inte[...]
Page 452
i Table of Contents 1 Mirroring Configuration 1-1 Mirroring Overview [...]
Page 453
1-1 1 Mirroring Configuration When configuring mirroring, go to these sections for information you are interested in: • Mirroring Overview • Mirroring Configuration • Displaying and Maintaining Port Mirroring • Mirroring Configuration Examples Mirroring Overview Mirroring is to duplicate packets from a port to another port connected with a da[...]
Page 454
1-2 Remote Port Mirroring Remote port mirroring does not require the source and destination ports to be on the same device. The source and destination ports can be located on multiple devices across the network. This allows an administrator to monitor traffic on remote devices conveniently. To implement remote port mirroring, a special VLAN[...]
Page 455
1-3 Switch Ports involved Function Intermediate switch Trunk port Sends mirrored packets to the destination switch. Two trunk ports are necessary for the intermediate switch to connect the devices at the source switch side and the destination switch side. Trunk port Receives remote mirrored packets. Destination switch Destination port R[...]
Page 456
1-4 Configuring Local Port Mirroring Configuration prerequisites • The source port is determined and the direction in which the packets are to be mirrored is determined. • The destination port is determined. Configuration procedure Follow these steps to configure port mirroring on Switch 4500 series: To do… Use the command… Remarks Enter s[...]
Page 457
1-5 Configuration on a switch acting as a source switch 1) Configuration prerequisites • The source port, the reflector port, and the remote-probe VLAN are determined. • Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN. • The direction of the packets to be monitored is determined. 2) Configur[...]
Page 458
1-6 cannot be configured with functions like VLAN-VPN, port loopback detection, packet filtering, QoS, port security, and so on. • You cannot modify the duplex mode, port rate, and MDI attribute of a reflector port. • Only an existing static VLAN can be configured as the remote-probe VLAN. To remove a remote-probe VLAN, you need to restore it[...]
Page 459
1-7 To do… Use the command… Remarks Enter system view system-view — Create a VLAN and enter VLAN view vlan vlan-id vlan-id is the ID of the remote-probe VLAN. Configure the current VLAN as a remote-probe VLAN remote-probe vlan enable Required Return to system view quit — Enter the view of the Ethernet port connecting to the source swit[...]
Page 460
1-8 Mirroring Configuration Examples Local Port Mirroring Configuration Example Network requirements The departments of a company connect to each other through Switch 4500 series: • Research and Development (R&D) department is connected to Switch C through Ethernet 1/0/1. • Marketing department is connected to Switch C through Ethernet 1/0/[...]
Page 461
1-9 Ethernet1/0/1 both Ethernet1/0/2 both monitor port: Ethernet1/0/3 After the configurations, you can monitor all packets received on and sent from the R&D department and the marketing department on the data detection device. Remote Port Mirroring Configuration Example Network requirements The departments of a company connect to each o[...]
Page 462
1-10 Configuration procedure 1) Configure the source switch (Switch A) # Create remote source mirroring group 1. <Sysname> system-view [Sysname] mirroring-group 1 remote-source # Configure VLAN 10 as the remote-probe VLAN. [Sysname] vlan 10 [Sysname-vlan10] remote-probe vlan enable [Sysname-vlan10] quit # Configure the source ports, refle[...]
Page 463
1-11 [Sysname-Ethernet1/0/2] port trunk permit vlan 10 3) Configure the destination switch (Switch C) # Create remote destination mirroring group 1. <Sysname> system-view [Sysname] mirroring-group 1 remote-destination # Configure VLAN 10 as the remote-probe VLAN. [Sysname] vlan 10 [Sysname-vlan10] remote-probe vlan enable [Sysname-vlan10] qu[...]
Page 464
i Table of Contents 1 XRN Fabric Configuration 1-1 Introduction to XRN [...]
Page 465
1-1 1 XRN Fabric Configuration When configuring XRN fabric, go to these sections for information you are interested in: • Introduction to XRN • XRN Fabric Configuration • Displaying and Maintaining XRN Fabric • XRN Fabric Configuration Example Introduction to XRN Expandable Resilient Networking (XRN), a feature particular to 3Com Switch 4500 [...]
Page 466
1-2 Figure 1-2 Port connection mode for Switch 4500 series bus topology XRN fabric (figure: front-panel port and LED labels of the switches omitted)[...]
Page 467
1-3 • The number of the existing devices in the fabric does not reach the maximum number of devices allowed by the fabric (up to eight devices can form a fabric). • The fabric name of the device and the existing devices in the fabric are the same. • The software version of the device is the same as that of the existing devices in the fabric. • [...]
Page 468
1-4 Status Analysis Solution of the fabric are not the same, or the password configured does not match. passwords for the local device and the fabric as the same. How XRN Works When a fabric is established, the devices determine their respective roles in the fabric by comparing their CPU MAC addresses. The device with the lowest CPU MAC addres[...]
Page 469
1-5 Task Remarks Fabric Setting a Unit ID for a Switch Optional Assigning a Unit Name to a Switch Optional Assigning an XRN Fabric Name to a Switch Optional Setting the XRN Fabric Authentication Mode Optional Specifying the Fabric Port of a Switch You can specify the fabric port of a switch in either system view or Ethernet interface view. Confi[...]
Page 470
1-6 • Establishing an XRN system requires a high consistency of the configuration of each device. Hence, before you enable the fabric port, do not perform any configuration for the port, and do not configure some functions that affect the XRN for other ports or globally. Otherwise, you cannot enable the fabric port. For detailed restriction[...]
Page 471
1-7 Setting a Unit ID for a Switch On the switches that support automatic numbering, FTM will automatically number the switches to constitute an XRN fabric by default, so that each switch has a unique unit ID in the fabric. You can use the command in the following table to set unit IDs for switches. Make sure to set different unit IDs for dif[...]
Page 472
1-8 • If auto-numbering is selected, the system sets the unit priority to 10. You can use the fabric save-unit-id command to save the modified unit ID into the unit Flash memory and clear the information about the existing one. Priority is the reference for the FTM program to perform automatic numbering. The value of priority can be 5 or 10. Priority[...]
Page 473
1-9 To do… Use the command… Remarks Enter system view system-view — Set the XRN fabric authentication mode for the switch xrn-fabric authentication-mode { simple password | md5 key } Optional By default, no authentication mode is set on a switch. When an XRN fabric operates normally, you can regard the whole fabric as a single device and [...]
Page 474
1-10 Network Diagram Figure 1-3 Network diagram for forming an XRN fabric Configuration Procedure 1) Configure Switch A. # Configure fabric ports. <Sysname> system-view [Sysname] fabric-port GigabitEthernet1/0/25 enable # Configure the unit name as Unit 1. [Sysname] set unit 1 name Unit1 # Configure the fabric name as hello. [Sysname] sys[...]
Page 475
1-11 # Configure the unit name as Unit 3. [Sysname] set unit 1 name unit3 # Configure the fabric name as hello. [Sysname] sysname hello # Configure the fabric authentication mode as simple and the password as welcome. [hello] xrn-fabric authentication-mode simple welcome 4) Configure Switch D. # Configure fabric ports. <Sysname> sys[...]
Page 476
i Table of Contents 1 Cluster 1-1 Cluster Ov[...]
Page 477
1-1 1 Cluster When configuring cluster, go to these sections for information you are interested in: • Cluster Overview • Cluster Configuration Task List • Displaying and Maintaining Cluster Configuration • Cluster Configuration Examples Cluster Overview Introduction to HGMP A cluster contains a group of switches. Through cluster management, yo[...]
Page 478
1-2 Figure 1-1 A cluster implementation HGMP V2 has the following advantages: • It eases the configuration and management of multiple switches: You just need to configure a public IP address for the management device instead of for all the devices in the cluster; and then you can configure and manage all the member devices through the mana[...]
Page 479
1-3 Table 1-1 Description on cluster roles Role Configuration Function Management device Configured with an external IP address • Provides an interface for managing all the switches in a cluster • Manages member devices through command redirection, that is, it forwards the commands intended for specific member devices. • Discovers neighbors, coll[...]
Page 480
1-4 • A candidate device becomes a member device after being added to a cluster. • A member device becomes a candidate device after it is removed from the cluster. • A management device becomes a candidate device only after the cluster is removed. After you create a cluster on a Switch 4500 switch, the switch collects the network topology i[...]
Page 481
1-5 packet data. The receiving devices store the information carried in the NDP packet into the NDP table but do not forward the NDP packet. When they receive another NDP packet, if the information carried in the packet is different from the stored one, the corresponding entry in the NDP table is updated, otherwise only the holdtime of the e[...]
Page 482
1-6 • To implement NTDP, you need to enable NTDP both globally and on specific ports on the management device, and configure NTDP parameters. • On member/candidate devices, you only need to enable NTDP globally and on specific ports. • Member and candidate devices adopt the NTDP settings of the management device. Introduction to Cluster A clu[...]
Page 483
1-7 Figure 1-3 State machine of the connection between the management device and a member device (figure labels: states Active, Connect and Disconnect; transitions "Receives the handshake or management packets", "Fails to receive handshake packets in three consecutive intervals", "State holdtime exceeds the specified value", "Disconnect state is recovered") • After a cluster is created and a candid[...]
Page 484
1-8 • Enabling the management packets (including NDP packets, NTDP packets, and handshake packets) to be transmitted in the management VLAN only, through which the management packets are isolated from other packets and network security is improved. • Enabling the management device and the member devices to communicate with each other in the ma[...]
Page 485
1-9 downstream switch compares its own MAC address with the destination MAC address carried in the multicast packet: • If the two MAC addresses are the same, the downstream switch sends a response to the switch sending the tracemac command, indicating the success of the tracemac command. • If the two MAC addresses are different, the downstre[...]
Page 486
1-10 Task Remarks Enabling NDP globally and on specific ports Required Configuring NDP-related parameters Optional Enabling NTDP globally and on a specific port Required Configuring NTDP-related parameters Optional Enabling the cluster function Required Configuring cluster parameters Required Configuring inside-outside interaction for a clu[...]
Page 487
1-11 Configuring NDP-related parameters Follow these steps to configure NDP-related parameters: To do… Use the command… Remarks Enter system view system-view — Configure the holdtime of NDP information ndp timer aging aging-in-seconds Optional By default, the holdtime of NDP information is 180 seconds. Configure the interval to send NDP p[...]
Page 488
1-12 To do… Use the command… Remarks Launch topology information collection manually ntdp explore Optional Enabling the cluster function Follow these steps to enable the cluster function: To do… Use the command… Remarks Enter system view system-view — Enable the cluster function globally cluster enable Required By default, the cluster[...]
Page 489
1-13 2) Establish a cluster in automatic mode Follow these steps to establish a cluster in automatic mode: To do… Use the command… Remarks Enter system view system-view — Enter cluster view cluster — Configure the IP address range for the cluster ip-pool administrator-ip-address { ip-mask | ip-mask-length } Required Start automatic [...]
Page 490
1-14 • The cluster switches are properly connected; • The shared servers are properly connected to the management switch. 2) Configuration procedure Follow these steps to configure the network management interface for a cluster: To do… Use the command… Remarks Enter system view system-view — Enter cluster view cluster Required Config[...]
Page 491
1-15 To reduce the risk of being attacked by malicious users through open sockets and to enhance switch security, the Switch 4500 series Ethernet switches provide the following functions, so that a cluster socket is opened only when it is needed: • Opening UDP port 40000 (used for cluster) only when the cluster function is implemented, • Closin[...]
Page 492
1-16 To do… Use the command… Remarks Enter Ethernet port view interface interface-type interface-number — Enable NTDP on the port ntdp enable Required Enabling the cluster function Follow these steps to enable the cluster function: To do… Use the command… Remarks Enter system view system-view — Enable the cluster function globally c[...]
Page 493
1-17 To do… Use the command… Remarks Return to system view quit — Return to user view quit — Switch between management device and member device cluster switch-to { member-number | mac-address H-H-H | administrator } Optional You can use this command to switch to the view of a member device and switch back. Configure the MAC address of the m[...]
Page 494
1-18 Configuring the enhanced cluster features Complete the following tasks to configure the enhanced cluster feature: Task Remarks Configuring cluster topology management function Required Configuring cluster device blacklist Required Configuring cluster topology management function 1) Configuration prerequisites Before configuring the clust[...]
Page 495
1-19 If the management device of a cluster is a slave device in an XRN fabric, the standard topology information is saved only to the local Flash of the master device in the XRN fabric. Configuring cluster device blacklist Follow these steps to configure the cluster device blacklist on a management device: To do… Use the command… Remarks E[...]
Page 496
1-20 • NDP and NTDP have been enabled on the management device and member devices, and NDP- and NTDP-related parameters have been configured. • A cluster is established, and you can manage the member devices through the management device. 2) Configuration procedure Perform the following operations on the management device to synchronize SNM[...]
Page 497
1-21 • The MIB view name is mib_a, which includes all objects of the subtree org • The SNMPv3 user is user_a, which belongs to the group group_a. # Create a community with the name of read_a, allowing read-only access right using this community name. [test_0.Sysname-cluster] cluster-snmp-agent community read read_a Member 2 succeeded in the [...]
Page 498
1-22 snmp-agent community read read_a@cm0 snmp-agent community write write_a@cm0 snmp-agent sys-info version all snmp-agent group v3 group_a snmp-agent mib-view included mib_a org snmp-agent usm-user v3 user_a group_a undo snmp-agent trap enable standard • Configuration file content on a member device (only the SNMP-related information is displaye[...]
Page 499
1-23 • Perform the above operations on the management device of the cluster. • Creating a public local user is equal to executing these configurations on both the management device and the member devices (refer to the AAA Operation part in this manual), and these configurations will be saved to the configuration files of the management devic[...]
Page 500
1-24 Cluster Configuration Examples Basic Cluster Configuration Example Network requirements Three switches compose a cluster, where: • A Switch 4500 series switch serves as the management device. • The rest are member devices. Serving as the management device, the Switch 4500 switch manages the two member devices. The configuration for the c[...]
Page 501
1-25 [Sysname] ntdp enable [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] ntdp enable [Sysname-Ethernet1/0/1] quit # Enable the cluster function. [Sysname] cluster enable 2) Configure the management device # Add port Ethernet 1/0/1 to VLAN 2. <Sysname> system-view [Sysname] vlan 2 [Sysname-vlan2] port Ethernet 1/0/1 [Sysname-vlan2[...]
Page 502
1-26 # Set the delay for a member device to forward topology collection requests to 150 ms. [Sysname] ntdp timer hop-delay 150 # Set the delay for a member device port to forward topology collection requests to 15 ms. [Sysname] ntdp timer port-delay 15 # Set the interval between collecting topology information to 3 minutes. [Sysname] ntdp tim[...]
Page 503
1-27 • After completing the above configuration, you can execute the cluster switch-to { member-number | mac-address H-H-H } command on the management device to switch to member device view to maintain and manage a member device. After that, you can execute the cluster switch-to administrator command to return to management device view. • In a[...]
Page 504
1-28 <Sysname> system-view [Sysname] management-vlan 3 # Add Ethernet 1/0/1 to VLAN 3. [Sysname] vlan 3 [Sysname-vlan3] port Ethernet 1/0/1 [Sysname-vlan3] quit # Set the IP address of VLAN-interface 3 to 192.168.5.30. [Sysname] interface Vlan-interface 3 [Sysname-Vlan-interface3] ip address 192.168.5.30 255.255.255.0 [Sysname-Vlan-interface3[...]
Page 505
1-29 Network diagram Figure 1-6 Network diagram for the enhanced cluster feature configuration (figure labels: FTP server 192.168.0.4, 192.168.0.1, 0001-2034-a0e5, Management device, Member device) Configuration procedure # Enter cluster view. <aaa_0.Sysname> system-view [aaa_0.Sysname] cluster # Add the MAC a[...]
Page 506
i Table of Contents 1 PoE Configuration 1-1 PoE Overview [...]
Page 507
1-1 1 PoE Configuration When configuring PoE, go to these sections for information you are interested in: • PoE Overview • PoE Configuration • PoE Configuration Example PoE Overview Introduction to PoE Power over Ethernet (PoE)-enabled devices use twisted pairs through electrical ports to supply power to the remote powered devices (PD) in the[...]
Page 508
1-2 • Through the fixed 24/48 Ethernet electrical ports, it can supply power to up to 24/48 remote Ethernet switches with a maximum distance of 100 m (328 feet). • Each Ethernet electrical port can supply at most a power of 15,400 mW to a PD. • When AC power input is adopted for the switch, the maximum total power that can be provided is 300 W.[...]
Page 509
1-3 Task Remarks Upgrading the PSE Processing Software Online Optional Upgrading the PSE Processing Software of Fabric Switches Online Optional Displaying PoE Configuration Optional Enabling the PoE Feature on a Port Follow these steps to enable the PoE feature on a port: To do… Use the command… Remarks Enter system view system-view — Ent[...]
Page 510
1-4 • auto: When the switch is close to its full load in supplying power, it will first supply power to the PDs that are connected to the ports with critical priority, and then supply power to the PDs that are connected to the ports with high priority. For example: Port A has the priority of critical. When the switch PoE is close to its full [...]
Page 511
1-5 Configuring the PD Compatibility Detection Function After the PD compatibility detection function is enabled, the switch can detect the PDs that do not conform to the 802.3af standard and supply power to them. After the PoE feature is enabled, perform the following configuration to enable the PD compatibility detection function. Follow [...]
Page 512
1-6 • When the internal temperature of the switch decreases from X (X>65°C, or X>149°F) to Y (60°C ≤ Y<65°C, or 140°F ≤ Y<149°F), the switch still keeps the PoE function disabled on all the ports. • When the internal temperature of the switch increases from X (X<60°C, or X<140°F) to Y (60°C<Y ≤ 65°C, or 1[...]
Page 513
1-7 Follow these steps to upgrade the PSE processing software online: To do… Use the command… Remarks Upgrade the PSE processing software of the fabric switch online update fabric { file-url | device-name file-url } Optional Displaying PoE Configuration To do… Use the command… Remarks Display the current PD disconnection detection mod[...]
Page 514
1-8 Network diagram Figure 1-1 Network diagram for PoE Configuration procedure # Upgrade the PSE processing software online. <SwitchA> system-view [SwitchA] poe update refresh 0290_021.s19 # Enable the PoE feature on Ethernet 1/0/1, and set the PoE maximum output power of Ethernet 1/0/1 to 12,000 mW. [SwitchA] interface Ethernet 1/0/1 [Switc[...]
Page 515
2-1 2 PoE Profile Configuration When configuring PoE profile, go to these sections for information you are interested in: • Introduction to PoE Profile • PoE Profile Configuration • Displaying PoE Profile Configuration • PoE Profile Configuration Example Introduction to PoE Profile On a large-sized network or a network with mobile users, to help [...]
Page 516
2-2 To do… Use the command… Remarks Enable the PoE feature on a port poe enable Required Disabled by default. Configure PoE mode for Ethernet ports poe mode { signal | spare } Optional signal by default. Configure the PoE priority for Ethernet ports poe priority { critical | high | low } Optional low by default. Configure the relevant features [...]
Page 517
2-3 Displaying PoE Profile Configuration To do… Use the command… Remarks Display the detailed information about the PoE profiles created on the switch display poe-profile { all-profile | interface interface-type interface-number | name profile-name } Available in any view PoE Profile Configuration Example PoE Profile Application Example Network[...]
Page 518
2-4 Network diagram Figure 2-1 PoE profile application (figure labels: Network, Switch A, IP Phone, AP, Eth1/0/1~Eth1/0/5, Eth1/0/6~Eth1/0/10) Configuration procedure # Create Profile 1, and enter PoE profile view. <SwitchA> system-view [SwitchA] poe-profile Profile1 # In Profile 1, add the PoE policy configuration applicabl[...]
Page 519
2-5 [SwitchA-poe-profile-Profile2] poe mode signal [SwitchA-poe-profile-Profile2] poe priority high [SwitchA-poe-profile-Profile2] poe max-power 15400 [SwitchA-poe-profile-Profile2] quit # Display detailed configuration information for Profile2. [SwitchA] display poe-profile name Profile2 Poe-profile: Profile2, 2 action poe enable poe priority hig[...]
Page 520
i Table of Contents 1 UDP Helper Configuration 1-1 Introduction to UDP Helper [...]
Page 521
1-1 1 UDP Helper Configuration When configuring UDP helper, go to these sections for information you are interested in: • Introduction to UDP Helper • Configuring UDP Helper • Displaying and Maintaining UDP Helper • UDP Helper Configuration Example Introduction to UDP Helper Sometimes, a host needs to forward broadcasts to obtain network configu[...]
Page 522
1-2 Protocol UDP port number Time Service 37 Configuring UDP Helper Follow these steps to configure UDP Helper: To do… Use the command… Remarks Enter system view system-view — Enable UDP Helper udp-helper enable Required Disabled by default. Specify a UDP port number udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs |[...]
Page 523
1-3 To do… Use the command… Remarks Clear statistics about packets forwarded by UDP Helper reset udp-helper packet Available in user view UDP Helper Configuration Example Cross-Network Computer Search Through UDP Helper Network requirements PC A resides on network segment 192.168.1.0/24 and PC B on 192.168.10.0/24; they are connected through Sw[...]
Page 524
i Table of Contents 1 SNMP Configuration 1-1 SNMP Overview [...]
Page 525
1-1 1 SNMP Configuration When configuring SNMP, go to these sections for information you are interested in: • SNMP Overview • Configuring Basic SNMP Functions • Configuring Trap-Related Functions • Enabling Logging for Network Management • Displaying SNMP • SNMP Configuration Example SNMP Overview The Simple Network Management Protocol (SNMP) i[...]
Page 526
1-2 • Set the permission for a community to access an MIB object to be read-only or read-write. Communities with read-only permissions can only query the switch information, while those with read-write permission can configure the switch as well. • Set the basic ACL specified by the community name. Supported MIBs An SNMP packet carries managem[...]
Page 527
1-3 To do… Use the command… Remarks Direct configuration Set a community name snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]* Set an SNMP group snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ] Set a co[...]
Page 528
1-4 To do… Use the command… Remarks Encrypt a plain-text password to generate a cipher-text one snmp-agent calculate-password plain-password mode { md5 | sha } { local-engineid | specified-engineid engineid } Optional This command is used if a password in cipher-text is needed for adding a new user. Add a user to an SNMP group snmp-agent usm[...]
Page 529
1-5 To do… Use the command… Remarks Enable the switch to send traps to NMS snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system ] Enter port view or interface view interface interface-type interface-number Enable the port or interface to send traps enable sn[...]
Page 530
1-6 To do… Use the command… Remarks Enable logging for network management snmp-agent log { set-operation | get-operation | all } Optional Disabled by default. • When SNMP logging is enabled on a device, SNMP logs are output to the information center of the device. With the output destinations of the information center set, the output destinati[...]
Page 531
1-7 • Perform the following configuration on Switch A: setting the community name and access permission, administrator ID, contact and switch location, and enabling the switch to send traps. Thus, the NMS is able to access Switch A and receive the traps sent by Switch A. Network diagram Figure 1-2 Network diagram for SNMP configuration 10.10.10.[...]
Page 532
1-8 [Sysname] snmp-agent trap enable standard linkdown [Sysname] snmp-agent target-host trap address udp-domain 10.10.10.1 udp-port 5000 params securityname public Configuring the NMS Authentication-related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully. For more information, [...]
Page 533
2-1 2 RMON Configuration When configuring RMON, go to these sections for information you are interested in: • Introduction to RMON • RMON Configuration • Displaying RMON • RMON Configuration Example Introduction to RMON Remote Monitoring (RMON) is a kind of MIB defined by the Internet Engineering Task Force (IETF). It is an important enhancement m[...]
Page 534
2-2 statistics and performance st atistics of the netwo rk seg ments to which the port s of the managed network devices are connected. Thus, t he NMS can further manage the netwo rks. Commonly Used RMON Groups Event group Event group is used to def ine the indexes of event s and the processing m ethods of the event s. The events defined in a n even[...]
-
Seite 535
2-3 Statistics group S tatistics group contai ns the st atistics of each moni to red port on a switch. An entry in a stati stics g roup is an accumulated value counting from the ti me when the st atistics group is created. The statisti cs include the number of th e following it ems: collision s, packet s with Cyclic Redundancy Check (CRC ) errors, [...]
-
Seite 536
2-4 z The rmon alarm and rmon prialarm commands take effect on existing no des only. z For each port, only one RM ON statistics entry can be created. That is, if an RMON statistics entry is already created for a given port, you will fail to creat e another statistics e ntry with a different index for the same port. Displaying RMON To do… Use the [...]
-
Seite 537
2-5 [Sysname-Ethernet1/0/1] quit # Add the event entries numbered 1 and 2 to the ev ent t able, which will be triggered by the following extended alarm. [Sysname] rmon event 1 log [Sysname] rmon event 2 trap 10.21.30.55 # Add an entry numbered 2 to the exte nded alarm t abl e to allow the system to cal culate the alarm variables with the (.1.3.6. 1[...]
-
Seite 538
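The rmon alarm and rmon prialarm entries above fire the log and trap events (rmon event 1 log, rmon event 2 trap 10.21.30.55) when a sampled variable crosses a rising or falling threshold. The following Python is an added example, not part of the 3Com manual, implementing the RFC 2819 alarm semantics that RMON alarm entries follow: absolute or delta sampling, a startup alarm on the first comparable value, and re-arming so that a rising event is not repeated until the value has come back down through the falling threshold (otherwise a flapping counter would flood the NMS with traps). Event actions are represented by the returned strings; sample series and thresholds are constructed for the example.

```python
from typing import Optional


class RmonAlarm:
    """RFC 2819 alarmEntry evaluator: emits 'rising' / 'falling' events."""

    def __init__(self, rising: int, falling: int,
                 sample_type: str = "absolute",
                 startup: str = "risingOrFalling") -> None:
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if startup not in ("rising", "falling", "risingOrFalling"):
            raise ValueError("bad startup alarm type")
        self.rising, self.falling = rising, falling
        self.sample_type, self.startup = sample_type, startup
        self.last_raw: Optional[int] = None     # previous raw counter (delta mode)
        self.last_value: Optional[int] = None   # previous compared value
        self.rising_armed = True                # cleared after a rising event
        self.falling_armed = True               # cleared after a falling event

    def _compared_value(self, raw: int) -> Optional[int]:
        if self.sample_type == "absolute":
            return raw
        prev, self.last_raw = self.last_raw, raw
        return None if prev is None else raw - prev   # delta needs two samples

    def sample(self, raw: int) -> Optional[str]:
        value = self._compared_value(raw)
        if value is None:            # first delta sample: nothing to compare yet
            return None
        event = None
        if self.last_value is None:
            # Startup alarm (alarmStartupAlarm) on the first comparable value.
            if value >= self.rising and self.startup in ("rising", "risingOrFalling"):
                event = "rising"
            elif value <= self.falling and self.startup in ("falling", "risingOrFalling"):
                event = "falling"
        else:
            # Crossing from below (or above) the threshold, and only if re-armed.
            if (value >= self.rising and self.last_value < self.rising
                    and self.rising_armed):
                event = "rising"
            elif (value <= self.falling and self.last_value > self.falling
                    and self.falling_armed):
                event = "falling"
        if event == "rising":
            self.rising_armed, self.falling_armed = False, True
        elif event == "falling":
            self.falling_armed, self.rising_armed = False, True
        self.last_value = value
        return event


def run_alarm(samples, **kwargs):
    """Feed a sample series through one alarm entry; returns the event per sample."""
    alarm = RmonAlarm(**kwargs)
    return [alarm.sample(s) for s in samples]


if __name__ == "__main__":
    # Constructed utilisation samples (percent) against rising=80 / falling=50.
    print(run_alarm([40, 85, 90, 60, 45, 85], rising=80, falling=50))
    # Constructed CRC-error counter readings with delta sampling: alarm on >= 100
    # new errors per interval, re-arm once a quiet interval (<= 20) has passed.
    print(run_alarm([1000, 1050, 1200, 1210, 1500], rising=100, falling=20,
                    sample_type="delta"))
```

The second run shows why delta sampling is the right choice for ever-increasing counters such as the CRC-error statistics: an absolute threshold on a monotonic counter fires once and never re-arms.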
Table of Contents
1 NTP Configuration ... 1-1
Introduction to NTP ... [...]
Page 539

1 NTP Configuration
When configuring NTP, go to these sections for information you are interested in:
- Introduction to NTP
- NTP Configuration Task List
- Configuring NTP Implementation Modes
- Configuring Access Control Right
- Configuring NTP Authentication
- Configuring Optional NTP Parameters
- Displaying NTP Configuration
- Configurat[...]
Page 540

- Defining the accuracy of clocks by stratum to synchronize the clocks of all devices in a network quickly
- Supporting access control (see section Configuring Access Control Right) and MD5-keyed authentication (see section Configuring NTP Authentication). Note that MD5 authentication only integrity-protects NTP packets with a shared key; it does not encrypt them.
- Sending protocol packets in unicast, multicast, or broadcast mode
- The cl[...]
Page 541

Figure 1-1 Implementation principle of NTP (figure: Device A and Device B exchange NTP messages across an IP network in four steps; the timestamps shown are 10:00:00 am, 11:00:01 am, 11:00:02 am, and an NTP message received at 10:00:03 am)
The procedure of synchron[...]
Page 542

Server/client mode
Figure 1-2 Server/client mode
Symmetric peer mode
Figure 1-3 Symmetric peer mode (figure: the active peer sends a clock synchronization request packet across the network; the passive peer, which works in passive peer mode automatically, returns a response packet; in peer mode, both sides can be synchronized to each other)
In the symmetric peer mode, the local S4500 Ethe[...]
Page 543
Multicast mode
Figure 1-5 Multicast mode
Table 1-1 describes how the above mentioned NTP modes are implemented on 3Com S4500 series Ethernet switches.

Table 1-1 NTP implementation modes on 3Com S4500 series Ethernet switches
NTP implementation mode / Configuration on S4500 series switches
- Server/client mode: Configure the local S4500 Etherne[...]
Page 544

- When a 3Com S4500 Ethernet switch works in server mode or symmetric passive mode, you need not perform related configurations on this switch; perform them on the client or the symmetric-active peer.
- The NTP server mode, NTP broadcast mode, or NTP multicast mode takes effect only after the local clock of the 3Com S4500 Ethernet switch [...]
Page 545

- Execution of one of the ntp-service unicast-server, ntp-service unicast-peer, ntp-service broadcast-client, ntp-service broadcast-server, ntp-service multicast-client, and ntp-service multicast-server commands enables the NTP feature and opens UDP port 123 at the same time.
- Execution of the undo form of one of the above six command[...]
Page 546

To do… / Use the command… / Remarks
- Specify a symmetric-passive peer for the switch: ntp-service unicast-peer { remote-ip | peer-name } [ authentication-keyid key-id | priority | source-interface Vlan-interface vlan-id | version number ]*. Required. By default, a switch is not configured to work in the symmetric mode.

- In the symmetric pee[...]
Page 547

To do… / Use the command… / Remarks
- Enter VLAN interface view: interface Vlan-interface vlan-id
- Configure the switch to work in the NTP broadcast server mode: ntp-service broadcast-server [ authentication-keyid key-id | version number ]*. Required. Not configured by default.

Configuring a switch to work in the NTP broadcast client mode
Fol[...]
Page 548

To do… / Use the command… / Remarks
- Enter system view: system-view
- Enter VLAN interface view: interface Vlan-interface vlan-id
- Configure the switch to work in the NTP multicast client mode: ntp-service multicast-client [ ip-address ]. Required. Not configured by default.

Configuring Access Control Right
With the following command, you c[...]
Page 549

The access-control right mechanism provides only a minimum degree of security protection for the local switch: it filters on source IP addresses, which an attacker can spoof in UDP packets. A more secure method is identity authentication.

Configuring NTP Authentication
In networks with higher security requirements, the NTP authentication function must be enabled to run NTP. Through password authentication on the[...]
Page 550
Configuration Procedure
Configuring NTP authentication on the client
Follow these steps to configure NTP authentication on the client:
To do… / Use the command… / Remarks
- Enter system view: system-view
- Enable the NTP authentication function: ntp-service authentication enable. Required. Disabled by default.
- Configure the NTP authentication k[...]
Page 551

To do… / Use the command… / Remarks
- Configure the specified key as a trusted key: ntp-service reliable authentication-keyid key-id. Required. By default, no trusted authentication key is configured.
- Enter VLAN interface view: interface Vlan-interface vlan-id
- Configure on the NTP broadcast server: ntp-service broadcast-server authentication-k[...]
Page 552

If you have specified an interface in the ntp-service unicast-server or ntp-service unicast-peer command, this interface will be used for sending NTP messages.

Configuring the Number of Dynamic Sessions Allowed on the Local Switch
A single device can have a maximum of 128 associations at the same time, including static associations and [...]
Page 553

To do… / Use the command…
- Display the information about the sessions maintained by NTP: display ntp-service sessions [ verbose ]
- Display the brief information about NTP servers along the path from the local device to the reference clock source: display ntp-service trace

Configuration Examples
Configuring NTP Server/Client Mode
Netwo[...]
Page 554

[DeviceB] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 1.0.1.11
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.66 ms
Root delay: 27.47 ms
Root dispersion: 208.39 ms
Peer dispersion: 9.63 ms
Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05A[...]
Page 555
Configuration procedure
- Configure Device C.
# Set Device A as the NTP server.
<DeviceC> system-view
[DeviceC] ntp-service unicast-server 3.0.1.31
- Configure Device B (after Device C is synchronized to Device A).
# Enter system view.
<DeviceB> system-view
# Set Device C as the peer of Device B.
[DeviceB] ntp-service unicas[...]
Page 556

Configuring NTP Broadcast Mode
Network requirements
- The local clock of Device C is set as the NTP master clock, with a stratum level of 2. Configure Device C to work in the NTP broadcast server mode and send NTP broadcast messages through VLAN-interface 2.
- Device A and Device D are two S4500 Ethernet switches. Configure Device A and Dev[...]
Page 557

View the NTP status of Device D after the clock synchronization.
[DeviceD] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 3.0.1.31
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 198.7425 ms
Root delay: 27.47 ms
Root dispersion: 208.39 ms
Peer disper[...]
Page 558

Network diagram
Figure 1-9 Network diagram for NTP multicast mode configuration
Configuration procedure
- Configure Device C.
# Enter system view.
<DeviceC> system-view
# Set Device C as a multicast server to send multicast messages through VLAN-interface 2.
[DeviceC] interface Vlan-interface 2
[DeviceC-Vlan-interface2] ntp-service mul[...]
Page 559

Root dispersion: 208.39 ms
Peer dispersion: 9.63 ms
Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C)
The output shows that Device D is synchronized to Device C, with a clock stratum level of 3, one stratum level below that of Device C.
# View the information about the NTP sessions of Device D (you can see th[...]
Page 560

- To synchronize Device B, you need to perform the following configurations on Device A.
# Enable the NTP authentication function.
<DeviceA> system-view
[DeviceA] ntp-service authentication enable
# Configure an MD5 authentication key, with the key ID being 42 and the key being aNiceKey.
[DeviceA] ntp-service authentication-keyid 42 a[...]
Page 561
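The authentication-keyid and reliable authentication-keyid configuration above relies on the NTP message authentication code of RFC 5905 section 7.3: the 48-byte NTP header is followed by the 4-byte key ID and the MD5 digest of the key bytes followed by the header (a keyed hash, not HMAC). The following Python is an added example, not part of the 3Com manual: it builds a client packet, authenticates it with the key ID 42 and key aNiceKey from the example, and shows the receive-side checks a peer such as Device B performs once authentication is enabled: the key ID must be configured and declared trusted, and the digest must match; an unauthenticated packet, an untrusted key ID, a wrong key, or a modified header (here an attacker lowering the stratum to look like a better clock) is rejected. The key table, the timestamps (the transmit timestamp reuses the BF422AE4.05AEA86C reference time shown on the page) and the packet contents are constructed for the example.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MD5_MAC_LEN = 4 + 16  # key ID + MD5 digest


def build_ntp_header(stratum: int = 0, transmit_ts: int = 0xBF422AE405AEA86C) -> bytes:
    """NTPv4 client header (LI=0, VN=4, mode=3); constructed timestamps."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)  # poll 2^6, precision 2^-20
    header += struct.pack("!III", 0, 0, 0)                      # root delay, root disp, ref ID
    header += struct.pack("!QQQQ", 0, 0, 0, transmit_ts)        # ref, origin, receive, transmit
    assert len(header) == NTP_HEADER_LEN
    return header


def append_md5_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """RFC 5905 7.3 MD5 MAC: digest = MD5(key || header), sent as keyid || digest."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_ntp_packet(packet: bytes, key_table: dict, trusted_ids: set) -> str:
    """Receive-side check with authentication enabled. Returns 'ok' or the reason."""
    if len(packet) < NTP_HEADER_LEN + MD5_MAC_LEN:
        return "unauthenticated"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    sent_digest = packet[NTP_HEADER_LEN + 4:NTP_HEADER_LEN + MD5_MAC_LEN]
    if key_id not in key_table:          # no ntp-service authentication-keyid for it
        return "unknown key id"
    if key_id not in trusted_ids:        # no ntp-service reliable authentication-keyid
        return "key id not trusted"
    expected = hashlib.md5(key_table[key_id] + header).digest()
    if not hmac.compare_digest(expected, sent_digest):
        return "bad digest"
    return "ok"


def demo() -> dict:
    # Constructed key table mirroring the example: key ID 42 = aNiceKey (trusted);
    # key ID 7 is configured but was never declared reliable.
    key_table = {42: b"aNiceKey", 7: b"otherKey"}
    trusted = {42}
    header = build_ntp_header()
    good = append_md5_mac(header, 42, b"aNiceKey")
    untrusted = append_md5_mac(header, 7, b"otherKey")
    tampered = bytearray(good)
    tampered[1] = 1                      # attacker rewrites stratum to claim a better clock
    wrong_key = append_md5_mac(header, 42, b"aNiceKeX")
    return {
        "good": verify_ntp_packet(good, key_table, trusted),
        "untrusted": verify_ntp_packet(untrusted, key_table, trusted),
        "tampered": verify_ntp_packet(bytes(tampered), key_table, trusted),
        "wrong_key": verify_ntp_packet(wrong_key, key_table, trusted),
        "plain": verify_ntp_packet(header, key_table, trusted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "untrusted" case is the one most often missed in practice: configuring a key with ntp-service authentication-keyid is not enough on its own; the key ID must also be listed with ntp-service reliable authentication-keyid on both sides, or the peer's packets are discarded.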
Table of Contents
1 SSH Configuration ... 1-1
SSH Overview ... [...]
Page 562

1 SSH Configuration
When configuring SSH, go to these sections for information you are interested in:
- SSH Overview
- SSH Server and Client
- Displaying and Maintaining SSH Configuration
- Comparison of SSH Commands with the Same Functions
- SSH Configuration Examples

SSH Overview
Introduction to SSH
Secure Shell (SSH) is a protocol that prov[...]
Page 563

The same key is used for both encryption and decryption. Supported symmetric key algorithms include DES, 3DES, and AES, which protect the session against eavesdropping. (Single DES has a 56-bit key and is no longer considered secure; where the client offers a choice, prefer AES or 3DES.)
- Asymmetric key algorithm
The asymmetric key algorithm is also called the public key algorithm. Both ends have their own key pair, consisting of a private key and a public key [...]
Page 564

Currently, the switch supports only SSH2.
Version negotiation
- The server opens port 22 to listen for connection requests from clients.
- The client sends a TCP connection request to the server. After the TCP connection is established, the server sends the first packet to the client, which includes a version identification s[...]
Page 565

- The server starts to authenticate the user. If authentication fails, the server sends an authentication failure message to the client, which contains the list of methods that can be used for a new authentication attempt.
- The client selects an authentication type from the method list to perform authentication again.
- The above process repeats un[...]
Page 566

Figure 1-2 Network diagram for SSH connections
Configure the devices accordingly
This document describes two cases:
- The 3Com switch acts as the SSH server and cooperates with software that supports the SSH client functions.
- The 3Com switch acts as the SSH server and cooperates with another 3Com switch that acts as an SSH client.
Complet[...]
Page 567
Task / Remarks
- Preparation: Configuring the User Interfaces for SSH Clients. Required.
- Preparation: Configuring the SSH Management Functions. Optional.
- Key: Configuring Key Pairs. Required.
- Authentication: Creating an SSH User and Specifying an Authentication Type. Required.
- Authorization: Specifying a Service Type for an SSH User. Optional. By default, an SSH user can us[...]
Page 568

To do... / Use the command... / Remarks
- Specify the supported protocol(s): protocol inbound { all | ssh }. Optional. By default, both Telnet and SSH are supported; specifying ssh alone stops the user interface from accepting clear-text Telnet logins.

- If you have configured a user interface to support the SSH protocol, you must configure AAA authentication for the user interface by using the authentication-mode scheme command to ensur[...]
Page 569

- You can configure a login header only when the service type is stelnet. For configuration of service types, refer to Specifying a Service Type for an SSH User.
- For details of the header command, refer to the corresponding section in Login Command.

Configuring Key Pairs
The SSH server's key pairs are for generating session keys a[...]
Page 570

To do… / Use the command… / Remarks
- Destroy the RSA key pair: public-key local destroy rsa. Optional.

Creating an SSH User and Specifying an Authentication Type
This task is to create an SSH user and specify an authentication type. Specifying an authentication type for a new user is a must for the user to be able to log in. An SSH user is represented as a s[...]
Page 571

To do... / Use the command... / Remarks
- Create an SSH user, and specify an authentication type for it: ssh user username authentication-type { all | password | password-publickey | publickey }
[...] are used and different authentication types are specified, the authentication type specified with the ssh user authentication-type command takes precedence[...]
Page 572

If the ssh user service-type command is executed with a username that does not exist, the system will automatically create the SSH user. However, the user cannot log in unless you specify an authentication type for it.

Configuring the Public Key of a Client on the Server
This configuration is not necessary if the password authentication mode[...]
Page 573

To do... / Use the command... / Remarks
- Enter system view: system-view
- Import the public key from a public key file: public-key peer keyname import sshkey filename. Required.

Assigning a Public Key to an SSH User
This configuration task is unnecessary if the SSH user's authentication mode is password. For the publickey authentication mode, y[...]
Page 574

With the filename argument specified, you can export the RSA host public key to a file so that you can configure the key at a remote end by importing the file. If the filename argument is not specified, this command displays the host public key information on the screen in a specified format.

Configuring the SSH Client
The configurations requi[...]
Page 575
Task / Remarks
- Opening an SSH connection with publickey authentication: Required for publickey authentication; unnecessary for password authentication.

- For PuTTY, it is recommended to use PuTTY release 0.53; PuTTY release 0.58 is also supported. For OpenSSH, it is recommended to use OpenSSH_3.1p1; OpenSSH_4.2p1 is also supported. Any ot[...]
Page 576

Note that while generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar in the blue box shown in Figure 1-4. Otherwise, the progress bar stops moving and the key pair generating process is stopped.
Figure 1-4 Generate the client keys (2)
After the key pair is generated, click Save pub[...]
Page 577

Likewise, to save the private key, click Save private key. A warning window pops up asking whether to save the private key without any protection, that is, without a passphrase; an unprotected private key file lets anyone who can read it log in as that user, so restrict access to the file accordingly. Click Yes and enter the name of the file for saving the private key ("private" in this case) to save the private key.
Figure 1-6 Generate the client keys (4)
To generate RSA p[...]
Page 578

Figure 1-8 SSH client configuration interface 1
In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client.
Selecting a protocol for remote connection
As shown in Figure 1-8, select SSH under Protocol.
Selecting an SSH versio[...]
Page 579

Figure 1-9 SSH client configuration interface 2
Under Protocol options, select 2 from Preferred SSH protocol version.
Some SSH client software, for example the Tectia client software, supports the DES algorithm only when the ssh1 version is selected. The PuTTY client software supports DES algorithm negotiation under ssh2.
Opening an SSH connection[...]
Page 580

Figure 1-10 SSH client configuration interface 3
Click Browse… to bring up the file selection window, navigate to the private key file and click Open. If the connection is normal, the user will be prompted for a username. Once passing the authentication, the user can log in to the server.
Configuring an SSH Client Assumed by an SSH2-Cap[...]
Page 581

Configuring whether first-time authentication is supported
When the device connects to the SSH server as an SSH client, you can configure whether the device supports first-time authentication. First-time authentication accepts whatever host public key the server presents on the first connection, so it cannot detect a man-in-the-middle on that first connection; where that matters, verify the host key fingerprint out of band or pre-configure the server's host public key with the ssh client ... assign publickey command and leave first-time authentication disabled.
- With first-time authentication enabled, an SSH client that is not configured with the server host public key can continue accessing the server when[...]
Page 582

Follow these steps to specify a source IP address/interface for the SSH client:
To do... / Use the command... / Remarks
- Enter system view: system-view
- Specify a source IP address for the SSH client: ssh2 source-ip ip-address. Optional. By default, no source IP address is configured.
- Specify a source interface for the SSH client: ssh2 source-i[...]
Page 583

To do... / Use the command... / Remarks
- Display information about all SSH users: display ssh user-information [ username ]
- Display the current source IP address or the IP address of the source interface specified for the SSH server: display ssh-server source-ip
- Display the mappings between host public keys and SSH servers saved on a client: displ[...]
Page 584

The results of the display rsa local-key-pair public command or the public key converted with the SSHKEY tool contain no information such as the authentication type, so they cannot be directly used as parameters in the public-key peer command. For the same reason, neither can the results of the display public-key local rsa public command[...]
Page 585
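As the page above explains, display output cannot be pasted into public-key peer; the switch wants a key file (public-key peer keyname import sshkey filename), and PuTTY's Save public key writes the RFC 4716 "SSH2 PUBLIC KEY" file format. The following Python is an added example, not part of the 3Com manual: it converts between the RFC 4716 file format and the single-line OpenSSH format, parses the ssh-rsa key blob into its exponent and modulus (rejecting other key types and trailing data), and computes the key's SHA256 and legacy MD5 fingerprints, so that the administrator can confirm that the file about to be bound to an SSH user, or the host key a client is about to pin with ssh client ... assign publickey, is the one the operator generated. The RSA numbers are a constructed placeholder, not a real key, and the comment string is assumed.

```python
import base64
import hashlib
import struct
import textwrap


def _ssh_string(data: bytes) -> bytes:
    return struct.pack("!I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 mpint: big-endian, with a leading 0x00 if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_rsa_public_blob(e: int, n: int) -> bytes:
    """RFC 4253 'ssh-rsa' public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def _read_string(blob: bytes, offset: int):
    if offset + 4 > len(blob):
        raise ValueError("truncated SSH string length")
    (length,) = struct.unpack("!I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated SSH string")
    return blob[start:start + length], start + length


def parse_rsa_public_blob(blob: bytes):
    """Return (e, n) from an ssh-rsa blob; rejects other key types and trailing data."""
    algo, off = _read_string(blob, 0)
    if algo != b"ssh-rsa":
        raise ValueError(f"unsupported key type {algo!r}")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after key blob")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256:<base64 of the digest, no padding>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, as older clients display it."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def to_openssh_line(blob: bytes, comment: str = "") -> str:
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    return f"{line} {comment}" if comment else line


def to_rfc4716(blob: bytes, comment: str = "") -> str:
    """RFC 4716 SSH2 public key file (what PuTTY's Save public key writes)."""
    body = textwrap.fill(base64.b64encode(blob).decode(), 70)
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        lines.append(f'Comment: "{comment}"')
    lines += [body, "---- END SSH2 PUBLIC KEY ----"]
    return "\n".join(lines) + "\n"


def from_rfc4716(text: str) -> bytes:
    """Parse an RFC 4716 file back into the raw blob, skipping header lines."""
    b64, in_header = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            continue
        if in_header or ":" in line:       # header line or its backslash continuation
            in_header = line.endswith("\\")
            continue
        b64.append(line)
    return base64.b64decode("".join(b64))


def from_openssh_line(line: str) -> bytes:
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa line")
    return base64.b64decode(parts[1])


# Constructed placeholder: e = 65537 and an odd 1024-bit n with its top bit set, so
# the mpint encoding needs the leading zero byte. NOT a real RSA key.
PLACEHOLDER_E = 65537
PLACEHOLDER_N = (1 << 1023) + 12345


def placeholder_blob() -> bytes:
    return encode_rsa_public_blob(PLACEHOLDER_E, PLACEHOLDER_N)


if __name__ == "__main__":
    blob = placeholder_blob()
    print(to_rfc4716(blob, "client001@example"))
    print(to_openssh_line(blob, "client001@example"))
    print(fingerprint_sha256(blob), fingerprint_md5(blob))
```

Compare the fingerprint printed here with the one the client shows (PuTTY's host key prompt, or the Switch002 file exported on the server) before running ssh user ... assign publickey or ssh client ... assign publickey; a mismatch means the file was altered in transit over FTP/TFTP or is simply the wrong key.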
[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[Switch-ui-vty0-4] protocol inbound ssh
[Switch-ui-vty0-4] quit
# Create local user client001, and set the authentication password to abc, the protocol type to SSH, and the command privilege level to 3 for the user.
[Switch] local-user client001
[Switch-[...]
Page 586

Figure 1-13 SSH client configuration interface (2)
Under Protocol options, select 2 from Preferred SSH protocol version.
3) As shown in Figure 1-13, click Open. If the connection is normal, you will be prompted to enter the user name client001 and password abc. Once authentication succeeds, you will log in to the server.
1.1.1 When Sw[...]
Page 587

Network diagram
Figure 1-14 Switch acts as server for password and RADIUS authentication
Configuration procedure
1) Configure the RADIUS server
This document takes CAMS Version 2.10 as an example to show the basic RADIUS server configurations required.
# Add an access device.
Log in to the CAMS management platform and select System Managem[...]
Page 588

Figure 1-15 Add an access device
# Add a user account for device management.
From the navigation tree, select User Management > User for Device Management, and then in the right pane, click Add to enter the Add Account page and perform the following configurations:
- Add a user named hello, and specify the password.
- Select SSH as th[...]
Page 589

Generating the RSA key pair on the server is a prerequisite to SSH login.
# Generate RSA key pairs.
[Switch] public-key local create rsa
# Set the authentication mode for the user interfaces to AAA.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[Switch-ui-vty0-4] proto[...]
Page 590
Figure 1-17 SSH client configuration interface (1)
In the Host Name (or IP address) text box, enter the IP address of the SSH server.
- From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-18 appears.
Figure 1-18 SSH client configuration interface (2)[...]
Page 591

Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name hello and the password. Once authentication succeeds, you will log in to the server. The level of commands that you can access after login is authorized by the CAMS server. Yo[...]
Page 592

[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[Switch-ui-vty0-4] protocol inbound ssh
[Switch-ui-vty0-4] quit
# Configure the HWTACACS scheme.
[Switch] hwtacacs scheme hwtac
[Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
[Switch-hwtacacs-hwtac] primary a[...]
Page 593

In the Host Name (or IP address) text box, enter the IP address of the SSH server.
2) From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-21 appears.
Figure 1-21 SSH client configuration interface (2)
Under Protocol options, select 2 from Preferred SSH protocol version. Then, [...]
Page 594

Configuration procedure
- Configure the SSH server
# Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for the SSH connection.
<Switch> system-view
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[Switch-Vlan-interface1] quit
Gen[...]
Page 595

Figure 1-23 Generate a client key pair (1)
While generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 1-24. Otherwise, the progress bar stops moving and the key pair generating process is stopped.[...]
Page 596

Figure 1-24 Generate a client key pair (2)
After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case).
Figure 1-25 Generate a client key pair (3)
Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save [...]
Page 597

Figure 1-26 Generate a client key pair (4)
After a public key pair is generated, you need to upload the public key file to the server through FTP or TFTP, and complete the server end configuration before you continue to configure the client.
# Establish a connection with the SSH server
2) Launch PuTTY.exe to enter the following interface.
Fi[...]
Page 598

Figure 1-28 SSH client configuration interface (2)
Under Protocol options, select 2 from Preferred SSH protocol version.
4) Select Connection / SSH / Auth. The following window appears.
Figure 1-29 SSH client configuration interface (3)[...]
Page 599

Click Browse to bring up the file selection window, navigate to the private key file and click OK.
5) From the window shown in Figure 1-29, click Open. If the connection is normal, you will be prompted to enter the username.
When Switch Acts as Client for Password Authentication
Network requirements
As shown in Figure 1-30, establish an[...]
Page 600
[SwitchB-luser-client001] password simple abc
[SwitchB-luser-client001] service-type ssh level 3
[SwitchB-luser-client001] quit
# Configure the authentication type of user client001 as password.
[SwitchB] ssh user client001 authentication-type password
- Configure Switch A
# Create a VLAN interface on the switch and assign an IP address, wh[...]
Page 601

Configuration procedure
- Configure Switch B
# Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for the SSH connection.
<SwitchB> system-view
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[SwitchB-Vlan-interface1] quit
Gen[...]
Page 602

<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[SwitchA-Vlan-interface1] quit
# Generate an RSA key pair.
[SwitchA] public-key local create rsa
# Export the public key of the generated RSA key pair to a file named Switch001 (only the public key is exported; the private key stays on the switch).
[SwitchA] public-key local export rsa ssh2 Switch001
Aft[...]
Page 603

Network diagram
Figure 1-32 Switch acts as client and first-time authentication is not supported
Configuration procedure
- Configure Switch B
# Create a VLAN interface on the switch and assign an IP address for it to serve as the destination of the client.
<SwitchB> system-view
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-inte[...]
Page 604

# Import the client's public key file Switch001 and name the public key Switch001.
[SwitchB] public-key peer Switch001 import sshkey Switch001
# Assign public key Switch001 to user client001.
[SwitchB] ssh user client001 assign publickey Switch001
# Export the RSA host public key to a file named Switch002.
[SwitchB] public-[...]
Page 605

# Import the public key named Switch002 from the file Switch002.
[SwitchA] public-key peer Switch002 import sshkey Switch002
# Specify the host public key name of the server.
[SwitchA] ssh client 10.165.87.136 assign publickey Switch002
# Establish the SSH connection to server 10.165.87.136.
[SwitchA] ssh2 10.165.87.136
Username:[...]
Page 606
Table of Contents
1 File System Management Configuration ... 1-1
File System Configuration ... [...]
Page 607

1 File System Management Configuration
When configuring file system management, go to these sections for information you are interested in:
- File System Configuration
- File Attribute Configuration
- Configuration File Backup and Restoration

File System Configuration
Introduction to File System
To facilitate management on the switch memor[...]
Page 608

Directory Operations
The file system provides directory-related functions, such as:
- Creating/deleting a directory
- Displaying the current work directory, or the contents of a specified directory
Follow these steps to perform directory-related operations:
To do… / Use the command… / Remarks
- Create a directory: mkdir directory. Optional. Availabl[...]
Page 609

To do… / Use the command… / Remarks
- Rename a file: rename fileurl-source fileurl-dest. Optional. Available in user view.
- Copy a file: copy fileurl-source fileurl-dest. Optional. Available in user view.
- Move a file: move fileurl-source fileurl-dest. Optional. Available in user view.
- Display the content of a file: more file-url. Optional. Availab[...]
Page 610

The format operation leads to the loss of all files, including the configuration files, on the Flash memory and is irretrievable.

Prompt Mode Configuration
You can set the prompt mode of the current file system to alert or quiet. In alert mode, the file system will give a prompt for confirmation if you execute a command which may cause [...]
Page 611

Directory of unit1>flash:/
1 (*) -rw- 5822215 Jan 01 1970 00:07:03 test.bin
2 -rwh 4 Apr 01 2000 23:55:49 snmpboots
3 -rwh 428 Apr 02 2000 00:47:30 hostkey
4 -rwh 572 Apr 02 2000 00:47:38 serverkey
5 -rw- 1220 Apr 02 2000 00:06:57 song.cfg
6 -rw- 26103 Jan 01 1970 00:04:34 testv1r1.bin
7 -rwh 88 Apr 01 2000 23:55:53 private-data.txt
8 (*) -r[...]
The hidden (h) files hostkey and serverkey are the key files created by public-key local create rsa, and the .cfg file may contain passwords configured with the simple keyword; treat FTP/TFTP access to the Flash memory as access to these secrets.
Page 612

Attribute name / Description / Feature Identifier
- backup: Identifies backup startup files. The backup startup file is used after a switch fails to start up using the main startup file. In the Flash memory, there can be only one app file, one configuration file and one Web file with the backup attribute. (b)
- none: Identifies files that are neither o[...]
Page 613

Configuring File Attributes
You can configure and view the main attribute or backup attribute of the file used for the next startup of a switch, and change the main or backup attribute of the file.
Follow these steps to configure file attributes:
To do… / Use the command… / Remarks
- Configure the app file with the main attribute for the nex[...]
Page 614

Configuration File Backup and Restoration
Introduction to Configuration File Backup and Restoration
Formerly, you could only back up and restore the configuration files of the units one by one in a fabric system. By using the configuration file backup and restoration feature, you can easily back up and restore the configuration files in the[...]
Page 615
Table of Contents
1 FTP and SFTP Configuration ... 1-1
Introduction to FTP and SFTP ... [...]
Page 616

1 FTP and SFTP Configuration
When configuring FTP and SFTP, go to these sections for information you are interested in:
- Introduction to FTP and SFTP
- FTP Configuration
- SFTP Configuration

Introduction to FTP and SFTP
Introduction to FTP
File Transfer Protocol (FTP) is commonly used in IP-based networks to transmit files. Before World W[...]
Page 617

files from an FTP server, and stops rotating when the file downloading is finished, as shown in Figure 1-1.
Figure 1-1 Clockwise rotating of the seven-segment digital LED
Introduction to SFTP
Secure FTP (SFTP) is established based on an SSH2 connection. It allows a remote user to log in to a switch to manage and transmit files, providing a [...]
Page 618

To do… / Use the command… / Remarks
- Configure a password for the specified user: password { simple | cipher } password. Optional. By default, no password is configured.
- Configure the service type as FTP: service-type ftp. Required. By default, no service is configured.
Note that FTP carries the user name, the password and the file contents in clear text on the network; prefer SFTP (see SFTP Configuration) where the client supports it.
Enabling an FTP server
Follow these steps to enable an FTP server:
To do… Use[...]
Page 619

Follow these steps to configure connection idle time:
To do… / Use the command… / Remarks
- Enter system view: system-view
- Configure the connection idle time for the FTP server: ftp timeout minutes. Optional. 30 minutes by default.
Specifying the source interface and source IP address for an FTP server
You can specify the source interface and [...]
Page 620

Disconnecting a specified user
On the FTP server, you can disconnect a specified user from the FTP server to secure the network.
Follow these steps to disconnect a specified user:
To do… / Use the command… / Remarks
- Enter system view: system-view
- On the FTP server, disconnect a specified user from the FTP server: ftp disconnect user-na[...]
Page 621

Figure 1-3 Process of displaying a shell banner
Follow these steps to configure the banner display for an FTP server:
To do… / Use the command… / Remarks
- Enter system view: system-view
- Configure a login banner: header login text
- Configure a shell banner: header shell text. Required. Use either command or both. By default, no banner is configu[...]
Page 622
1-7 To do… Use the command… Remarks Enter FTP client view ftp [ cluster | remote-server [ port-number ] ] — Specify to transfer files in ASCII charac ters ascii Specify to transfer files in binary streams binary Use either command. By default, files are transferred in ASCII characters. Set the data transfer mode to passive passive Optional pa[...]
-
Seite 623
1-8 To do… Use the command… Remarks Download a remote file from the FTP server get remotefile [ localfile ] Upload a local file to the remote FTP server put localfile [ remotefile ] Rename a file on the remote server rename remote-source remote-dest Log in with the specified user name and password user username [ password ] Connect to a remot[...]
Page 624
1-9 • The specified interface must be an existing one. Otherwise a prompt appears to show that the configuration fails. • The value of the ip-address argument must be the IP address of the device where the configuration is performed. Otherwise a prompt appears to show that the configuration fails. • The source interface/source IP address set fo[...]
Page 625
1-10 [Sysname] local-user switch [Sysname-luser-switch] password simple hello [Sysname-luser-switch] service-type ftp 2) Configure the PC (FTP client) Run an FTP client application on the PC to connect to the FTP server. Upload the application named switch.bin to the root directory of the Flash memory of the FTP server, and download the configu[...]
Page 626
1-11 • If available space on the Flash memory of the switch is not enough to hold the file to be uploaded, you need to delete files not in use from the Flash memory to make room for the file, and then upload the file again. The files in use cannot be deleted. If you have to delete the files in use to make room for the file to be uploaded, you [...]
Page 627
1-12 Configuration procedure 1) Configure the switch (FTP server) # Configure the login banner of the switch as “login banner appears” and the shell banner as “shell banner appears”. For detailed configuration of other network requirements, see section Configuration Example: A Switch Operating as an FTP Server. <Sysname> sy[...]
Page 628
1-13 Configuration procedure 1) Configure the PC (FTP server) Perform FTP server-related configurations on the PC, that is, create a user account on the FTP server with username switch and password hello. (For detailed configuration, refer to the configuration instruction relevant to the FTP server software.) 2) Configure the switch (FTP[...]
Page 629
1-14 <Sysname> boot boot-loader switch.bin <Sysname> reboot For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual. SFTP Configuration Complete the following tasks to configure SFTP: Task Remarks Enabling an SFTP server Re[...]
Page 630
1-15 To do… Use the command… Remarks Enter system view system-view — Configure the connection idle time for the SFTP server ftp timeout time-out-value Optional 10 minutes by default. Supported SFTP client software A 3com switch 4500 operating as an SFTP server can interoperate with SFTP client software, including SSH Tectia Client v4.2.[...]
Page 631
1-16 To do… Use the command… Remarks Enter SFTP client view sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { 3des | des | aes128 } | prefer_stoc_cipher { 3des | des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha[...]
Page 632
1-17 If you specify to authenticate a client through public key on the server, the client needs to read the local private key when logging in to the SFTP server. Since both RSA and DSA are available for public key authentication, you need to use the identity-key keyword to specify the algorithm to get the correct local private key; otherwise you[...]
Page 633
1-18 [Sysname] public-key local create dsa # Create a VLAN interface on the switch and assign to it an IP address, which is used as the destination address for the client to connect to the SFTP server. [Sysname] interface vlan-interface 1 [Sysname-Vlan-interface1] ip address 192.168.0.1 255.255.255.0 [Sysname-Vlan-interface1] quit # Specify the[...]
Page 634
1-19 sftp-client> # Display the current directory of the server. Delete the file z and verify the result. sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 n[...]
Page 635
1-20 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2 Received status: End of file Received status: Success # Download the file pubkey2 from the server and rename it as public. sftp-client> get pubkey2[...]
Page 636
2-1 2 TFTP Configuration When configuring TFTP, go to these sections for information you are interested in: • Introduction to TFTP • TFTP Configuration Introduction to TFTP Compared with FTP, Trivial File Transfer Protocol (TFTP) features a simple interactive access interface and no authentication control. Therefore, TFTP is applicable in the[...]
Page 637
2-2 TFTP Configuration Complete the following tasks to configure TFTP: Task Remarks Basic configurations on a TFTP client — TFTP Configuration: A Switch Operating as a TFTP Client Specifying the source interface or source IP address for an FTP client Optional TFTP server configuration For details, see the corresponding manual — TFTP Configu[...]
Page 638
2-3 To do… Use the command… Remarks Specify the source IP address used for the current connection tftp tftp-server source-ip ip-address { get source-file [ dest-file ] | put source-file-url [ dest-file ] } Optional Not specified by default. Enter system view system-view — Specify an interface as the source interface a TFTP client uses eve[...]
Page 639
2-4 Network diagram Figure 2-1 Network diagram for TFTP configurations Configuration procedure 1) Configure the TFTP server (PC) Start the TFTP server and configure the working directory on the PC. 2) Configure the TFTP client (switch). # Log in to the switch. (You can log in to a switch through the Console port or by telnetting the switch. See[...]
Page 640
2-5 For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual.[...]
Page 641
i Table of Contents 1 Information Center 1-1 Information Center Overview [...]
Page 642
1-1 1 Information Center When configuring information center, go to these sections for information you are interested in: • Information Center Overview • Information Center Configuration • Displaying and Maintaining Information Center • Information Center Configuration Examples Information Center Overview Introduction to Information Center Acting[...]
Page 643
1-2 Information filtering by severity works this way: information with a severity value greater than the configured threshold is not output during the filtering. • If the threshold is set to 1, only information with the severity being emergencies will be output; • If the threshold is set to 8, information of all severities will be output. Ten [...]
Page 644
1-3 Outputting system information by source module The system information can be classified by source module and then filtered. Some module names and descriptions are shown in Table 1-3. Table 1-3 Source module name list Module name Description 8021X 802.1X module ACL Access control list module ADBM Address base module AM Access management module[...]
Page 645
1-4 Module name Description SYSMIB System MIB module TAC HWTACACS module TELNET Telnet module TFTPC TFTP client module VLAN Virtual local area network module VTY Virtual type terminal module XM XModem module default Default settings for all the modules To sum up, the major task of the information center is to output the three types of information [...]
Page 646
1-5 • If the address of the log host is specified in the information center of the switch, when logs are generated, the switch sends the logs to the log host in the above format. For detailed information, refer to Setting to Output System Information to a Log Host. • There is a syslog process on the Unix or Linux platform; you can start the pr[...]
Page 647
1-6 Module The module field represents the name of the module that generates system information. You can enter the info-center source ? command in system view to view the module list. Refer to Table 1-3 for module names and descriptions. Between “module” and “level” is a “/”. Level (Severity) System information can be divided into[...]
Page 648
1-7 Configuring Synchronous Information Output Synchronous information output refers to the feature that if system information such as log, trap, or debugging information is output when the user is inputting commands, the command line prompt (in command editing mode a prompt, or a [Y/N] string in interaction mode) and the input information [...]
Page 649
1-8 To do… Use the command… Remarks Set to display the UTC time zone in the output information of the information center info-center timestamp utc Required By default, no UTC time zone is displayed in the output information Setting to Output System Information to the Console Setting to output system information to the console Follow these step[...]
Page 650
1-9 LOG TRAP DEBUG Output destination Modules allowed Enabled/disabled Severity Enabled/disabled Severity Enabled/disabled Severity Monitor terminal default (all modules) Enabled warnings Enabled debugging Enabled debugging Log host default (all modules) Enabled informational Enabled debugging Disabled debugging Trap buffer default (all [...]
Page 651
1-10 Setting to output system information to a monitor terminal Follow these steps to set to output system information to a monitor terminal: To do… Use the command… Remarks Enter system view system-view — Enable the information center info-center enable Optional Enabled by default. Enable system information output to Telnet terminal or du[...]
Page 652
1-11 To do… Use the command… Remarks Enable trap information terminal display function terminal trapping Optional Enabled by default Make sure that the debugging/log/trap information terminal display function is enabled (use the terminal monitor command) before you enable the corresponding terminal display function by using the terminal debug[...]
Page 653
1-12 • After the switches form a fabric, you can use the info-center switch-on command to enable the information output for the switches to make the log, debugging and trap information of each switch in the fabric synchronous. Each switch sends its own information to other switches in the fabric and receives information sent by other switches[...]
Page 654
1-13 To do… Use the command… Remarks Enable information output to the log buffer info-center logbuffer [ channel { channel-number | channel-name } | size buffersize ]* Optional By default, the switch uses information channel 4 to output log information to the log buffer, which can hold up to 512 items by default. Configure the output rules[...]
Page 655
1-14 Displaying and Maintaining Information Center To do… Use the command… Remarks Display information on an information channel display channel [ channel-number | channel-name ] Display the operation status of information center, the configuration of information channels, the format of time stamp and the information output in case of fab[...]
Page 656
1-15 # Disable the function of outputting information to log host channels, because all modules output log information to the log host channels by default. [Switch] undo info-center source default channel loghost # Configure the host whose IP address is 202.38.1.10 as the log host. Permit ARP and IP modules to output information with severity lev[...]
Page 657
1-16 Through combined configuration of the device name (facility), information severity level threshold (severity), module name (filter) and the file “syslog.conf”, you can sort information precisely for filtering. Log Output to a Linux Log Host Network requirements The switch sends the following log information to the Linux log host whose[...]
Page 658
1-17 Note the following items when you edit the file “/etc/syslog.conf”. • A note must start on a new line, starting with a “#” sign. • In each pair, a tab should be used as a separator instead of a space. • No space is permitted at the end of the file name. • The device name (facility) and received log information severity specified in [...]
Page 659
1-18 <Switch> system-view [Switch] info-center enable # Disable the function of outputting information to the console channels. [Switch] undo info-center source default channel console # Enable log information output to the console. Permit ARP and IP modules to output log information with severity level higher than informational to the [...]
Page 660
i Table of Contents 1 Boot ROM and Host Software Loading 1-1 Introduction to Loading Approaches [...]
Page 661
1-1 1 Boot ROM and Host Software Loading Traditionally, switch software is loaded through a serial port. This approach is slow, time-consuming and cannot be used for remote loading. To resolve these problems, the TFTP and FTP modules are introduced into the switch. With these modules, you can load/download software/files conveniently to [...]
Page 662
1-2 The loading process of the Boot ROM software is the same as that of the host software, except that during the former process, you should press “6” or <Ctrl+U> and <Enter> after entering the BOOT menu and the system gives different prompts. The following text mainly describes the Boot ROM loading process. BOOT Menu Starting..[...]
Page 663
1-3 1. Download application file to flash 2. Select application file to boot 3. Display all files in flash 4. Delete file from flash 5. Modify bootrom password 6. Enter bootrom upgrade menu 7. Skip current configuration file 8. Set bootrom password recovery 9. Set switch startup mode 0. Reboot Enter your choice(0-9): Loading by XModem through Conso[...]
Page 664
1-4 0. Return Enter your choice (0-5): Step 3: Choose an appropriate baudrate for downloading. For example, if you press 5, the baudrate 115200 bps is chosen and the system displays the following information: Download baudrate is 115200 bit/s Please change the terminal's baudrate to 115200 bit/s and select XMODEM protocol Press enter ke[...]
Page 665
1-5 Figure 1-2 Console port configuration dialog box Step 5: Click the <Disconnect> button to disconnect the HyperTerminal from the switch and then click the <Connect> button to reconnect the HyperTerminal to the switch, as shown in Figure 1-3. Figure 1-3 Connect and disconnect buttons The new baudrate takes effect after you dis[...]
Page 666
1-6 Figure 1-4 Send file dialog box Step 8: Click <Send>. The system displays the page, as shown in Figure 1-5. Figure 1-5 Sending file page Step 9: After the sending process completes, the system displays the following information: Loading ...CCCCCCCCCC done! Step 10: Reset HyperTerminal’s baud rate to 9600 bps (refer to Step 4 [...]
Page 667
1-7 Loading host software Follow these steps to load the host software: Step 1: Select <1> in BOOT Menu and press <Enter>. The system displays the following information: 1. Set TFTP protocol parameter 2. Set FTP protocol parameter 3. Set XMODEM protocol parameter 0. Return to boot menu Enter your choice(0-3): Step 2: Enter 3 in the[...]
Page 668
1-8 You can use one PC as both the configuration device and the TFTP server. Step 2: Run the TFTP server program on the TFTP server, and specify the path of the program to be downloaded. The TFTP server program is not provided with the 3Com Series Ethernet Switches. Step 3: Run the HyperTerminal program on the configuration PC. Start the swit[...]
Page 669
1-9 0. Return to boot menu Enter your choice(0-3): Step 2: Enter 1 in the above menu to download the host software using TFTP. The subsequent steps are the same as those for loading the Boot ROM, except that the system gives the prompt for host software loading instead of Boot ROM loading. When loading Boot ROM and host software using TFTP [...]
Page 670
1-10 Bootrom update menu: 1. Set TFTP protocol parameter 2. Set FTP protocol parameter 3. Set XMODEM protocol parameter 0. Return to boot menu Enter your choice(0-3): Step 4: Enter 2 in the above menu to download the Boot ROM using FTP. Then set the following FTP-related parameters as required: Load File name :switch.btm Switch IP address :10.1[...]
Page 671
1-11 Remote Boot ROM and Software Loading If your terminal is not directly connected to the switch, you can telnet to the switch, and use FTP or TFTP to load the Boot ROM and host software remotely. Remote Loading Using FTP Loading Procedure Using FTP Client 1) Loading the Boot ROM As shown in Figure 1-8, a PC is used as both the configuratio[...]
Page 672
1-12 Before restarting the switch, make sure you have saved all other configurations that you want, so as to avoid losing configuration information. 2) Loading host software Loading the host software is the same as loading the Boot ROM program, except that the file to be downloaded is the host software file, and that you need to use the boot b[...]
Page 673
1-13 System View: return to User View with Ctrl+Z. [Sysname] interface Vlan-interface 1 [Sysname-Vlan-interface1] ip address 192.168.0.28 255.255.255.0 Step 3: Enable FTP service on the switch, and configure the FTP user name to test and password to pass. [Sysname-Vlan-interface1] quit [Sysname] ftp server enable [Sysname] local-user test New [...]
Page 674
1-14 Figure 1-11 Enter Boot ROM directory Step 6: Enter ftp 192.168.0.28 and enter the user name test, password pass, as shown in Figure 1-12, to log on to the FTP server. Figure 1-12 Log on to the FTP server Step 7: Use the put command to upload the file switch.btm to the switch, as shown in Figure 1-13.[...]
Page 675
1-15 Figure 1-13 Upload file switch.btm to the switch Step 8: Configure switch.btm to be the Boot ROM at next startup, and then restart the switch. <Sysname> boot bootrom switch.btm This will update Bootrom on unit 1. Continue? [Y/N] y Upgrading Bootrom, please wait... Upgrade Bootrom succeeded! <Sysname> reboot After the switch rest[...]
Page 676
2-1 2 Basic System Configuration and Debugging When configuring basic system configuration and debugging, go to these sections for information you are interested in: • Basic System Configuration • Displaying the System Status • Debugging the System Basic System Configuration Perform the following basic system configuration: To do… Use the com[...]
Page 677
2-2 Displaying the System Status To do… Use the command… Remarks Display the current date and time of the system display clock Display the version of the system display version Display the information about users logging onto the switch display users [ all ] Available in any view Debugging the System Enabling/Disabling System Debugging The d[...]
Page 678
2-3 You can use the following commands to enable the two switches. Follow these steps to enable debugging and terminal display for a specific module: To do… Use the command… Remarks Enable system debugging for a specific module debugging module-name [ debugging-option ] Required Disabled for all modules by default. Enable terminal display f[...]
Page 679
3-1 3 Network Connectivity Test When configuring network connectivity test, go to these sections for information you are interested in: • ping • tracert Network Connectivity Test ping You can use the ping command to check the network connectivity and the reachability of a host. To do… Use the command… Remarks Check the IP network connectiv[...]
Page 680
4-1 4 Device Management When configuring device management, go to these sections for information you are interested in: • Introduction to Device Management • Device Management Configuration • Displaying the Device Management Configuration • Remote Switch APP Upgrade Configuration Example Introduction to Device Management Device Management include[...]
Page 681
4-2 Before rebooting, the system checks whether there is any configuration change. If yes, it prompts whether or not to proceed. This prevents the system from losing the configurations in case of shutting down the system without saving the configurations. Use the following command to reboot the Ethernet switch: To do… Use the command… Rem[...]
Page 682
4-3 Enabling this function consumes some amount of CPU resources. Therefore, if your network has a high CPU usage requirement, you can disable this function to release your CPU resources. Specifying the APP to be Used at Reboot APP is the host software of the switch. If multiple APPs exist in the Flash memory, you can use the command her[...]
Page 683
4-4 Table 4-1 Commonly used pluggable transceivers Transceiver type Applied environment Whether it can be an optical transceiver Whether it can be an electrical transceiver SFP (Small Form-factor Pluggable) Generally used for 100M/1000M Ethernet interfaces or POS 155M/622M/2.5G interfaces Yes Yes GBIC (GigaBit Interface Converter) Generally used for 10[...]
Page 684
4-5 To do… Use the command… Remarks Display the current alarm information of the pluggable transceiver(s) display transceiver alarm interface [ interface-type interface-number ] Available for all pluggable transceivers Display the currently measured value of the digital diagnosis parameters of the anti-spoofing optical transceiver(s) customize[...]
Page 685
4-6 • Make configuration so that the IP address of a VLAN interface on the switch is 1.1.1.1, the IP address of the PC is 2.2.2.2, and the switch and the PC are reachable to each other. The host software switch.app and the Boot ROM file boot.btm of the switch are stored in the directory switch on the PC. Use FTP to download the switch.app an[...]
Page 686
4-7 331 Give me your password, please Password: 230 Logged in successfully [ftp] 5) Enter the authorized path on the FTP server. [ftp] cd switch 6) Execute the get command to download the switch.app and boot.btm files on the FTP server to the Flash memory of the switch. [ftp] get switch.app [ftp] get boot.btm 7) Execute the quit command to termin[...]
Page 687
i Table of Contents 1 VLAN-VPN Configuration 1-1 VLAN-VPN Overview [...]
Page 688
1-1 1 VLAN-VPN Configuration When configuring VLAN-VPN, go to these sections for information you are interested in: • VLAN-VPN Overview • VLAN-VPN Configuration • Displaying and Maintaining VLAN-VPN Configuration • VLAN-VPN Configuration Example VLAN-VPN Overview Introduction to VLAN-VPN Virtual private network (VPN) is a new technology that emer[...]
Page 689
1-2 Figure 1-2 Structure of packets with double-layer VLAN tags (figure fields: Destination MAC address, Source MAC address, Outer VLAN Tag, Inner VLAN Tag, Data; bit positions 0, 15, 31) Compared with MPLS-based Layer 2 VPN, VLAN-VPN has the following features: • It provides Layer 2 VPN tunnels that are simpler. • VLAN-VPN can be implemented through manual configuration. That is, [...]
Page 690
1-3 frame as needed. When doing that, you should set the same TPID on both the customer-side port and the service provider-side port. The TPID in an Ethernet frame has the same position as the protocol type field in a frame without a VLAN tag. To avoid problems in packet forwarding and handling, you cannot set the TPID value to any of th[...]
Page 691
1-4 Task Remarks Enabling the VLAN-VPN Feature for a Port Required Configuring the TPID Value for VLAN-VPN Packets on a Port Optional Configuring the Inner-to-Outer Tag Priority Replicating and Mapping Feature Optional As XRN fabric is mutually exclusive with VLAN-VPN, make sure that XRN fabric is disabled on the switch before performing any [...]
Page 692
1-5 • Besides the default TPID 0x8100, you can configure only one TPID value on a Switch 4500 switch. • For the Switch 4500 series to exchange packets with the public network device properly, you should configure the TPID value used by the public network device on both the customer-side port and the service provider-side port. Configuring the I[...]
Page 693
1-6 VLAN-VPN Configuration Example Transmitting User Packets through a Tunnel in the Public Network by Using VLAN-VPN Network requirements As shown in Figure 1-4, Switch A and Switch B are both Switch 4500 series switches. They connect the users to the servers through the public network. • PC users and PC servers are in VLAN 100 created in the[...]
Page 694
1-7 [SwitchA-Ethernet1/0/11] vlan-vpn enable [SwitchA-Ethernet1/0/11] quit # Set the TPID value of Ethernet 1/0/12 to 0x9200 (for intercommunication with the devices in the public network) and configure the port as a trunk port permitting packets of VLAN 1040. [SwitchA] interface Ethernet 1/0/12 [SwitchA-Ethernet1/0/12] vlan-vpn tpid 9200 [Swit[...]
Page 695
1-8 2) The TPID value of the outer VLAN tag is set to 0x9200 before the packet is forwarded to the public network through Ethernet1/0/12 of Switch A. 3) The outer VLAN tag of the packet remains unchanged while the packet travels in the public network, till it reaches Ethernet1/0/22 of Switch B. 4) After the packet reaches Switch B, it is forwa[...]
Page 696
2-1 2 Selective QinQ Configuration When configuring selective QinQ, go to these sections for information you are interested in: • Selective QinQ Overview • Selective QinQ Configuration • Selective QinQ Configuration Example Selective QinQ Overview Selective QinQ Overview Selective QinQ is an enhanced application of the VLAN-VPN feature. With the[...]
Page 697
2-2 telephone users (in VLAN 201 to VLAN 300). Packets of all these users are forwarded by Switch A to the public network. After the selective QinQ feature and the inner-to-outer tag mapping feature are enabled on the port connecting Switch A to these users, the port will add different outer VLAN tags to the packets according to their inner[...]
Page 698
2-3 device receives a packet from the service provider network, this device will find the path for the packet by searching the MAC address table of the VLAN corresponding to the outer tag and unicast the packet. Thus, packet broadcast is reduced in selective QinQ applications. Likewise, the entries in the MAC address table of the outer V[...]
Page 699
2-4 Do not enable both the selective QinQ function and the DHCP snooping function on a switch. Otherwise, the DHCP snooping function may operate improperly. Enabling the Inter-VLAN MAC Address Replicating Feature Follow these steps to enable the inter-VLAN MAC address replicating feature: To do... Use the command... Remarks Enter system view [...]
Page 700
2-5 • The public network permits packets of VLAN 1000 and VLAN 1200. Apply QoS policies for these packets to reserve bandwidth for packets of VLAN 1200. That is, packets of VLAN 1200 have higher transmission priority over packets of VLAN 1000. • Employ the selective QinQ feature on Switch A and Switch B to differentiate traffic of PC users f[...]
Page 701
2-6 [SwitchA-Ethernet1/0/5] port hybrid vlan 5 1000 1200 tagged [SwitchA-Ethernet1/0/5] quit # Configure Ethernet 1/0/3 as a hybrid port and configure VLAN 5 as its default VLAN. Configure Ethernet 1/0/3 to remove VLAN tags when forwarding packets of VLAN 5, VLAN 1000, and VLAN 1200. [SwitchA] interface Ethernet 1/0/3 [SwitchA-Ethernet1/0/3] po[...]
Page 702
2-7 [SwitchB] interface Ethernet 1/0/11 [SwitchB-Ethernet1/0/11] port link-type hybrid [SwitchB-Ethernet1/0/11] port hybrid vlan 12 13 1000 1200 tagged # Configure Ethernet1/0/12 as a hybrid port and configure VLAN 12 as its default VLAN. Configure Ethernet 1/0/12 to remove VLAN tags when forwarding packets of VLAN 12 and VLAN 1000. [SwitchB] [...]
Page 703
i Table of Contents 1 Remote-ping Configuration 1-1 Introduction to remote-ping [...]
Page 704
1-1 1 Remote-ping Configuration Introduction to remote-ping remote-ping is a network diagnostic tool used to test the performance of protocols (only ICMP by far) running on a network. It is an enhanced alternative to the ping command. A remote-ping test group is a set of remote-ping test parameters. A test group contains several test parameters a [...]
Page 705
1-2 This parameter is used to enable the system to automatically perform the same test at regular intervals. 5) Test timeout time Test timeout time is the duration for which the system waits for an ECHO-RESPONSE packet after it sends out an ECHO-REQUEST packet. If no ECHO-RESPONSE packet is received within this duration, this test is conside[...]
Page 706
1-3 Table 1-2 Display remote-ping configuration Operation Command Description Display the information of remote-ping test history display remote-ping history [ administrator-name operation-tag ] Display the latest remote-ping test results display remote-ping results [ administrator-name operation-tag ] The display command can be executed in any v[...]
Page 707
1-4 Packet lost in test: 0% Disconnect operation number: 0 Operation timeout number: 0 System busy operation number: 0 Connection fail number: 0 Operation sequence errors: 0 Drop operation number: 0 Other operation errors: 0 [Sysname-remote-ping-administrator-icmp] display remote-ping history administrator icmp remote-ping entry(admin administrator[...]
Page 708
i Table of Contents 1 IPv6 Configuration 1-1 IPv6 Overview [...]
Page 709
1-1 1 IPv6 Configuration When configuring IPv6, go to these sections for information you are interested in: • IPv6 Overview • IPv6 Configuration Task List • IPv6 Configuration Example • The term “router” in this document refers to a router in a generic sense or an Ethernet switch running a routing protocol. • The 3com switch 4500 supports IP[...]
Page 710
1-2 Figure 1-1 Comparison between IPv4 header format and IPv6 header format Adequate address space The source IPv6 address and the destination IPv6 address are both 128 bits (16 bytes) long. IPv6 can provide 3.4 x 10^38 addresses to completely meet the requirements of hierarchical address division as well as allocation of public and private a[...]
Page 711
1-3 Enhanced neighbor discovery mechanism The IPv6 neighbor discovery protocol is implemented by a group of Internet Control Message Protocol Version 6 (ICMPv6) messages. The IPv6 neighbor discovery protocol manages message exchange between neighbor nodes (nodes on the same link). The group of ICMPv6 messages takes the place of Address Res[...]
Page 712
1-4 • Multicast address: An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address. • Anycast address: An identifier for a set of interfaces (typically belonging to different nodes). A packet[...]
Page 713
1-5 z Unassigned addre ss: The unicast address :: is called the unassigned address and may not be assigned to any node. Before acquiring a valid IPv6 address, a node may fill this address in the source address field of an IPv6 packet, but ma y not use it as a destination IPv6 address. Multicast address Multicast addresses listed i n T able 1-2 are [...]
Page 714
Introduction to IPv6 Neighbor Discovery Protocol
The IPv6 Neighbor Discovery Protocol (NDP) uses five types of ICMPv6 messages to implement the following functions:
- Address resolution
- Neighbor unreachability detection
- Duplicate address detection
- Router/prefix discovery
- Address autoconfiguration
- Redirection
Table 1-3 lists the [...]
Page 715
Address resolution
Similar to the ARP function in IPv4, a node acquires the link-layer address of neighbor nodes on the same link through NS and NA messages. Figure 1-3 shows how node A acquires the link-layer address of node B.
Figure 1-3 Address resolution
The address resolution procedure is as follows:
1) Node A multicasts an NS message. T[...]
Page 716
Figure 1-4 Duplicate address detection
The duplicate address detection procedure is as follows:
1) Node A sends an NS message whose source address is the unassigned address :: and the destination address is the corresponding solicited-node multicast address of the IPv6 address to be detected. The NS message also contains the IPv6 addre[...]
Page 717
Task / Remarks
Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time: Optional
Configuring the Hop Limit of ICMPv6 Reply Packets: Optional
Displaying and Maintaining IPv6: Optional
Configuring an IPv6 Unicast Address
- An IPv6 address is required for a host to access an IPv6 network. A host can be assigned a global [...]
Page 718
To do... / Use the command... / Remarks
Configure an IPv6 link-local address:
  Automatically generate a link-local address
    Command: ipv6 address auto link-local
  Manually assign a link-local address for an interface
    Command: ipv6 address ipv6-address link-local
  Remarks: Optional. By default, after an IPv6 site-local address or global unicast address is configured for an inte[...]
Page 719
Follow these steps to configure a static neighbor entry:
To do... / Use the command... / Remarks
Enter system view
  Command: system-view
Configure a static neighbor entry
  Command: ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number | interface interface-type interface-number }
  Remarks: Required
Configuring the maximum number of neighbors dynamic[...]
Page 720
Configuring the NS Interval
After a device sends an NS message, if it does not receive a response within a specific period, the device will send another NS message. You can configure the interval for sending NS messages.
Follow these steps to configure the NS interval:
To do... / Use the command... / Remarks
Enter system view
  Command: system-view [...]
Page 721
packets are received, the IPv6 TCP connection status becomes TIME_WAIT. If other packets are received, the finwait timer is reset from the last packet and the connection is terminated after the finwait timer expires.
- Size of IPv6 TCP receiving/sending buffer.
Follow these steps to configure IPv6 TCP properties:
To do... / Use the command[...]
Page 722
To do... / Use the command... / Remarks
Enter system view
  Command: system-view
Configure the hop limit of ICMPv6 reply packets
  Command: ipv6 nd hop-limit value
  Remarks: Optional. 64 by default.
Displaying and Maintaining IPv6
To do... / Use the command... / Remarks
Display the FIB entries
  Command: display ipv6 fib
Display the mapping between host name and IPv6 address
  Command: display ipv6 [...]
Page 723
IPv6 Configuration Example
IPv6 Unicast Address Configuration
Network requirements
Two switches are directly connected through two Ethernet ports. The Ethernet ports belong to VLAN 2. Different types of IPv6 addresses are configured for the interface VLAN-interface 2 on each switch to verify the connectivity between the two switches. The [...]
Page 724
Global unicast address(es):
  2001::20F:E2FF:FE49:8048, subnet is 2001::/64
  3001::1, subnet is 3001::/64
Joined group address(es):
  FF02::1:FF00:1
  FF02::1:FF49:8048
  FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconf[...]
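The display output above, and the duplicate address detection procedure described earlier, can be checked with the following added example; it is not part of the manual or of the switch software. It derives the modified EUI-64 interface identifier from a MAC address, computes the solicited-node multicast group each configured address joins (which is why FF02::1:FF00:1 and FF02::1:FF49:8048 appear in the joined-group list), and shows the NS message DAD sends for a tentative address. The MAC address 000f-e249-8048 is an assumption inferred from the auto-generated address; the page does not state it.

```python
import ipaddress
import re


def eui64_address(prefix: str, mac: str) -> str:
    """Modified EUI-64 address: /64 prefix + MAC with FF:FE inserted and the U/L bit flipped."""
    octets = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac))  # accepts 00:0f:e2:.. or 000f-e249-8048
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    # interface ID = first 3 octets (U/L bit of octet 0 inverted) + FF FE + last 3 octets
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def solicited_node(addr: str) -> str:
    """Solicited-node multicast group FF02::1:FFXX:XXXX built from the low 24 bits of a unicast address."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24))


def joined_groups(addrs) -> list:
    """Groups an interface must join: all-nodes FF02::1 plus one solicited-node group per address."""
    return sorted({"ff02::1"} | {solicited_node(a) for a in addrs})


def dad_probe(addr: str) -> dict:
    """The NS message DAD sends: unspecified source, solicited-node destination, target = tentative address."""
    return {"src": "::", "dst": solicited_node(addr), "target": str(ipaddress.IPv6Address(addr))}


if __name__ == "__main__":
    mac = "000f-e249-8048"  # assumption: inferred from the address in the manual's display output
    print(eui64_address("2001::/64", mac))  # 2001::20f:e2ff:fe49:8048
    print(eui64_address("fe80::/64", mac))  # fe80::20f:e2ff:fe49:8048
    for group in joined_groups(["2001::20f:e2ff:fe49:8048", "3001::1", "fe80::20f:e2ff:fe49:8048"]):
        print(group)
    print(dad_probe("3001::1"))
```

Note that the link-local and global addresses derived from the same MAC share one solicited-node group, which is why the output lists two solicited-node groups for three addresses.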
Page 725
Reply from FE80::20F:E2FF:FE00:1 bytes=56 Sequence=3 hop limit=255 time = 60 ms
Reply from FE80::20F:E2FF:FE00:1 bytes=56 Sequence=4 hop limit=255 time = 70 ms
Reply from FE80::20F:E2FF:FE00:1 bytes=56 Sequence=5 hop limit=255 time = 60 ms

--- FE80::20F:E2FF:FE00:1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet l[...]
Page 726
0.00% packet loss
round-trip min/avg/max = 50/60/70 ms[...]
Page 727
2 IPv6 Application Configuration
When configuring IPv6 applications, go to these sections for information you are interested in:
- Introduction to IPv6 Application
- Configuring IPv6 Application
- IPv6 Application Configuration Example
- Troubleshooting IPv6 Application
Introduction to IPv6 Application
IPv6 is supporting more and more applicat[...]
Page 728
IPv6 Traceroute
The traceroute ipv6 command is used to record the route of IPv6 packets from source to destination, so as to check whether the link is available and determine the point of failure.
Figure 2-1 Traceroute process
As Figure 2-1 shows, the traceroute process is as follows:
- The source sends an IP datagram with the Hop Limit [...]
Page 729
To do... / Use the command... / Remarks
Download/Upload files from TFTP server
  Command: tftp ipv6 remote-system [ -i interface-type interface-number ] { get | put } source-filename [ destination-filename ]
  Remarks: Required. Available in user view
When you use the tftp ipv6 command to connect to the TFTP server, you must specify the "-i" keyword if the dest[...]
Page 730
Displaying and maintaining IPv6 Telnet
To do... / Use the command... / Remarks
Display the use information of the users who have logged in
  Command: display users [ all ]
  Remarks: Available in any view
IPv6 Application Configuration Example
IPv6 Applications
Network requirements
In Figure 2-3, SWA, SWB, and SWC are three switches, among which SWA is a 3com swit[...]
Page 731
bytes=56 Sequence=2 hop limit=64 time = 31 ms
Reply from 3003::1 bytes=56 Sequence=3 hop limit=64 time = 31 ms
Reply from 3003::1 bytes=56 Sequence=4 hop limit=64 time = 31 ms
Reply from 3003::1 bytes=56 Sequence=5 hop limit=64 time = 31 ms

--- 3003::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip[...]
Page 732
Solution
- Check that the IPv6 addresses are configured correctly.
- Use the display ipv6 interface command to verify that the interfaces of the source and the destination, and the link-layer protocol between them, are up.
- Use the display ipv6 route-table command to verify that the destination is reachable.
- Use the ping ipv6 -t timeout { des[...]
Page 733
Table of Contents
1 Access Management Configuration ... 1-1
  Access Management Overview [...]
Page 734
1 Access Management Configuration
When configuring access management, go to these sections for information you are interested in:
- Access Management Overview
- Configuring Access Management
- Access Management Configuration Examples
Access Management Overview
Normally, client PCs in a network are connected to switches operating on t[...]
Page 735
- A port without an access management IP address pool configured allows the hosts to access external networks only if their IP addresses are not in the access management IP address pools of other ports of the switch.
Note that the IP addresses in the access management IP address pool configured on a port must be in the same network s[...]
Page 736
Access Management Configuration Examples
Access Management Configuration Example
Network requirements
Client PCs are connected to the external network through Switch A (an Ethernet switch). The IP addresses of the PCs of Organization 1 are in the range 202.10.20.1/24 to 202.10.20.20/24. The IP address of PC 2 is 202.10.20.100/24, [...]
Page 737
[Sysname-Ethernet1/0/1] am ip-pool 202.10.20.1 20
Combining Access Management with Port Isolation
Network requirements
Client PCs are connected to the external network through Switch A (an Ethernet switch). The IP addresses of the PCs of Organization 1 are in the range 202.10.20.1/24 to 202.10.20.20/24, and those of the PCs in Org[...]
Page 738
# Set the IP address of VLAN-interface 1 to 202.10.20.200/24.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 202.10.20.200 24
[Sysname-Vlan-interface1] quit
# Configure the access management IP address pool on Ethernet 1/0/1.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] am ip-pool 202.10.[...]
Page 739
Table of Contents
Appendix A Acronyms ... A-1[...]
Page 740
Appendix A Acronyms
A
AAA Authentication, Authorization and Accounting
ABR Area Border Router
ACL Access Control List
ARP Address Resolution Protocol
AS Autonomous System
ASBR Autonomous System Border Router
B
BDR Backup Designated Router
C
CAR Committed Access Rate
CLI Command Line Interface
CoS Class of Service
D
DHCP Dynamic Host Configur[...]
Page 741
LSDB Link State DataBase
M
MAC Medium Access Control
MIB Management Information Base
N
NBMA Non Broadcast MultiAccess
NIC Network Information Center
NMS Network Management System
NTP Network Time Protocol
NVRAM Nonvolatile RAM
O
OSPF Open Shortest Path First
P
PIM Protocol Independent Multicast
PIM-DM Protocol Independent Multicast-Dense Mo[...]
Page 742
VPN Virtual Private Network
W
WRR Weighted Round Robin
X
XID eXchange Identification
XRN eXpandable Resilient Networking[...]