Go to page of
Similar user manuals
-
Switch
3Com 3000 TX
144 pages 1.65 mb -
Switch
3Com 4210 PWR 9-PORT
74 pages 1.69 mb -
Switch
3Com NJ220
82 pages 1.62 mb -
Switch
3Com LANplex 6000
16 pages 0.22 mb -
Switch
3Com LANplex 2500
4 pages 0.1 mb -
Switch
3Com DUA1770-0AAA04
83 pages 3.56 mb -
Switch
3Com NJ240FX
76 pages 6.31 mb -
Switch
3Com II Hub 10
8 pages 0.49 mb
A good user manual
The rules should oblige the seller to give the purchaser an operating instrucion of 3Com WX3000, along with an item. The lack of an instruction or false information given to customer shall constitute grounds to apply for a complaint because of nonconformity of goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately graphic and electronic forms of the manuals, as well as instructional videos have been majorly used. A necessary precondition for this is the unmistakable, legible character of an instruction.
What is an instruction?
The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction of 3Com WX3000 one could find a process description. An instruction's purpose is to teach, to ease the start-up and an item's use or performance of certain activities. An instruction is a compilation of information about an item/a service, it is a clue.
Unfortunately, only a few customers devote their time to read an instruction of 3Com WX3000. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid the formation of most of the defects.
What should a perfect user manual contain?
First and foremost, an user manual of 3Com WX3000 should contain:
- informations concerning technical data of 3Com WX3000
- name of the manufacturer and a year of construction of the 3Com WX3000 item
- rules of operation, control and maintenance of the 3Com WX3000 item
- safety signs and mark certificates which confirm compatibility with appropriate standards
Why don't we read the manuals?
Usually it results from the lack of time and certainty about functionalities of purchased items. Unfortunately, networking and start-up of 3Com WX3000 alone are not enough. An instruction contains a number of clues concerning respective functionalities, safety rules, maintenance methods (what means should be used), eventual defects of 3Com WX3000, and methods of problem resolution. Eventually, when one still can't find the answer to his problems, he will be directed to the 3Com service. Lately animated manuals and instructional videos are quite popular among customers. These kinds of user manuals are effective; they assure that a customer will familiarize himself with the whole material, and won't skip complicated, technical information of 3Com WX3000.
Why one should read the manuals?
It is mostly in the manuals where we will find the details concerning construction and possibility of the 3Com WX3000 item, and its use of respective accessory, as well as information concerning all the functions and facilities.
After a successful purchase of an item one should find a moment and get to know with every part of an instruction. Currently the manuals are carefully prearranged and translated, so they could be fully understood by its users. The manuals will serve as an informational aid.
Table of contents for the manual
-
Page 1
3Com WX3000 Series Unified Switches Switching Engine Operation Manual Manual Version: 6W100 www.3com.com 3Com Corporation 350 Campus Drive, Marlborou gh, MA, USA 01752 3064[...]
-
Page 2
Copyright © 2009, 3Com Corporatio n. All rights reserved. No part of this documentation may be reprodu ced in any form or by any means or used to make any de riva tive work (such as translation, transform ation, or adaptation) without written permiss ion from 3Com Corporation. 3Com Corporation re serves the right to revise this docu mentation and [...]
-
Page 3
About This Manual Organization 3Com WX3000 Serie s Unified Switches consist s of three models: the WX3024 , the WX301 0 and the WX3008. 3Com WX3000 Series Unified Switche s Switching Engi ne Ope ration Manu al is organized a s follows: Part Contents 1 CLI Introduces the comm and h ierarchy, command view and CLI features of the WX3000 Series Unified[...]
-
Page 4
Part Contents 24 SNMP-RMON Introduces the configuratio n for network mana gement through SNMP and RMON 25 Multicast Introduces IGMP snooping and the relate d configuration. 26 NTP Introduces NTP and the related co nfiguration. 27 SSH Introduces SSH2.0 and the related co nfiguration. 28 File System Management Introduces basic config uration for file[...]
-
Page 5
Convention Description &<1-n> The argument(s) befo re the ampersa nd (&) sign can be entered 1 to n times. # A line starting with the # sign is comments. GUI conventions Convention Description Boldface Window names, button names, field names, and me nu items are in Boldface. For example, the New User window appears; click OK . > Mu[...]
-
Page 6
Manual Description 3Com WX3000 Series Unified Switch es Web-Based Configuration Manual Introduces the Web-b ased functions of the access control engine of WX300 0 se ries unified switches access controller engines. Obtaining Documentation You can access the most u p -to-date 3Com product documentation on the Wo rld Wide Web at this URL: http://www.[...]
-
Page 7
i Table of Contents 1 CLI Config uration ············································································································ ·························· 1-1 Introduction to the CLI ·····?[...]
-
Page 8
1-1 1 CLI Configuration The sample output inform ation in this manual wa s created on the WX3024. The output information on your device may vary. Introduction to the CLI A command line interface (CLI) is a user interface to interact with a device. Throug h the CLI on a device, a user can enter comma nds to configure the dev ice an d check output in[...]
-
Page 9
1-2 z Manage level (level 3): Command s at this level are associated with the basic operation mod ules and support modules of the system. Th ese comman ds provide su pport for services. Comma nds concerning file system, FT P/TFTP/XModem downloading, user management, and level setting are at this level. Users logged into the device fall into four us[...]
-
Page 10
1-3 Configuration example After a general user telnet s to the device, his/her user level is 0. Now , the network admi nist rator want s to allow general users to switch to level 3, so that they are able to configure the device. # A level 3 user sets a swit ching passwo rd for u ser level 3. <device> system-view [device] super password level [...]
-
Page 11
1-4 # Change the tftp g e t command in user view (sh ell) from level 3 to level 0. (Originally , only level 3 user s can change the level of a comm and.) <device> system-view [device] command-privilege level 0 view shell tftp [device] command-privilege level 0 view shell tftp 192.168.0.1 [device] command-privilege level 0 view shell tftp 192.[...]
-
Page 12
1-5 View Available operation Prompt example Enter method Quit method 1000 Mbps Ethernet port view: [device-Gi gabitEth ernet1/0/1] Execute the interface gigabitethernet command in system view. Ethernet port view Configure Ethernet port parameters 10 Gigabit Ethernet port view: [device-TenGigabit Ethernet1/1/1] Execute the interface tengigabitethern[...]
-
Page 13
1-6 View Available operation Prompt example Enter method Quit method Edit the RSA public key for SSH users [device-rsa-key- co de] Public key editing view Edit the RSA or DSA public key for SSH users [device-peer-key-c ode] Execute the public-key-code begin command in public key view. Execute the public-key-c ode end command to return to public key[...]
-
Page 14
1-7 View Available operation Prompt example Enter method Quit method QinQ view Configure QinQ parameters [device-Gi gabitEth ernet1/0/1-vid-20] Execute the vlan-vpn vid command in Ethernet port view. The vlan-vpn enable command should be first executed. Execute the quit command to return to Ethernet port view. Execute the return command to return t[...]
-
Page 15
1-8 timezone Configure time zone If the question mark (?) is at an argument positio n in the command, the descripti on of the argument will be displayed on your terminal. [device] interface vlan-interface ? <1-4094> VLAN interface number If only <cr> is displayed after you enter a question mark (?), it means no p arameter is avail able [...]
-
Page 16
1-9 By default, the CLI can store up to 10 latest ex e cuted commands for each user . Y ou can view the command history by performing the operations listed i n T able 1-3 . Table 1-3 View history commands Purpose Operation Remarks Display the latest executed history command s Execute the display history-command command This comm and displays the co[...]
-
Page 17
1-10 Table 1-5 Edit operations Press… To… A common key Insert the corresponding characte r at the cursor po sition and move the cursor one character to the right if the comm and is shorter than 254 characters. Backspace key Delete the chara cter o n the left of the cursor a nd mo ve the cursor one character to the left. Left arrow key or Ctrl+B[...]
-
Page 18
i Table of Contents 1 Logging In to the Switching Engine ··························································································· ············· 1-1 Logging In to the Sw itching Engine······················[...]
-
Page 19
ii Configuring Source IP Address for Telnet Service Packets ··································································· 6-1 Displaying Source IP A ddress Config uration ·····················································[...]
-
Page 20
1-1 1 Logging In to the Switching Engine The sample output inform ation in this manual wa s created on the WX3024. The output information on your device may vary. Logging In to the Switching Engine Y ou can log in to the switching engine of the device in one of the following ways: z Logging in through OAP z Logging in locally or remotely through a [...]
-
Page 21
1-2 User Interface Index T wo kinds of user interface index exist: absolute user interface index and relative user interfac e index. 1) The absolute user interface indexes are as follo ws: z The absolute AUX user interfa ces is nu mbered 0. z VTY user interface indexes follow AUX user interf ace indexes. The first absolute VTY user interface is num[...]
-
Page 22
1-3 To do… Use the command… Remarks Display the information about the current user interface/all user inte rfaces display users [ all ] Display the physical attributes and configuration of the current/a specified user inte rface display user-interface [ type number | number ] Display the information about the current web users display web users[...]
-
Page 23
2-1 2 Logging In Through OAP OAP Overview As an open sof tware and hardware system, Ope n App lication Architecture (OAA) provides a set of complete st andard sof tware and hardware inte rf aces. The third party vendors can develop product s with special functions. Th ese product s can be compatible with ea ch other as long as they confo rm to the [...]
-
Page 24
2-2 Therefore, when you use the NMS to manage the a ccess control engin e and the switching e ngine on the same interface, you must first obtain the m anagement IP addresses of the two SNMP agents and obtain the link rel ationship between them, and t hen you can a ccess the two agent s. By default, the management IP address of an OAP module is not [...]
-
Page 25
2-3 Resetting the OAP Software System If the operating system works abnorm all y or is un der other anom ali es, you ca n reset the OAP sof tware system. Follow these step s to reset the OAP softwa re system: To do… Use the command… Remarks Reset the OAP software system oap reboot slot 0 Required Available in user view The reset operation may c[...]
-
Page 26
3-1 3 Logging In Through Telnet Introduction The device support s T elnet. Y ou can manage and mainta in the switching engine remotely by T elnetting to the switching engine. T o log in to the switching engine through T elnet, the corresponding configu ration is required on both the switching engine and the T elnet terminal. Y ou can also log in to[...]
-
Page 27
3-2 Configuration Description Make terminal s ervices availa ble Optional By default, terminal services are available in all user interfaces Set the maximum number of lines the screen can contai n Optional By default, the screen can contain up to 24 lines. Set history command buffer size Optional By default, the history command buffer can contain u[...]
-
Page 28
3-3 To improve security and prevent attacks to the unus ed Sockets, TCP 23 and TCP 22, ports for Telnet and SSH services respectively, will be enable d or di sabled after correspondi ng configu rations. z If the authentication mode is none , TCP 23 will be enabled, and T CP 22 will be disabled. z If the authentication mode is password , and the cor[...]
-
Page 29
3-4 To do… Use the command… Remarks Set the history command buffer size history-command max-size value Optional The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default. Set the timeout time of the VTY user interface idle-timeout minutes [ seconds ] Optional The default timeout time[...]
-
Page 30
3-5 # S pecify co mmand s of level 2 are available to users logging in through VTY 0. [device-ui-vty0] user privilege level 2 # Configure T elnet protocol is supported. [device-ui-vty0] protocol inbound telnet # Set the maximum number of lines the screen can cont ain to 30. [device-ui-vty0] screen-length 30 # Set the maximum number of commands the [...]
-
Page 31
3-6 To do… Use the command… Remarks Set the history command buffer size history-command max-size value Optional The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default. Set the timeout time of the user interface idle-timeout minutes [ seconds ] Optional The default timeout time of [...]
-
Page 32
3-7 [device-ui-vty0] authentication-mode password # Set the local password to 12345 6 (in plain text). [device-ui-vty0] set authentication password simple 123456 # S pecify co mmand s of level 2 are available to users logging in to VTY 0. [device-ui-vty0] user privilege level 2 # Configure T elnet protocol is supported. [device-ui-vty0] protocol in[...]
-
Page 33
3-8 To do… Use the command… Remarks Enter one or more VTY user interface views user-inter face vty first - number [ last-num ber ] — Configure to authenticate users locally or remotely authentication-m ode scheme [ command- authorization ] Required The specified AAA scheme determines whether to authenticate users locally or remotely. Users ar[...]
-
Page 34
3-9 Table 3-4 Determine the command l evel whe n users logging in to the switching engi ne a re authenticated in the scheme mode Scenario Authentication mode User type Command Command level The user privilege level level command is not executed, and the service-ty pe command does not specify the available command level. Level 0 The user privilege l[...]
-
Page 35
3-10 Refer to AAA Operation and SSH Operation of this manual for inform ation about AAA, RADIUS, and SSH. Configuration Example Network requirements As shown in Figure 3-3 , assume a curre nt user logs in using the oap connect slot 0 command and the user level is set to the manage level (level 3). Perfor m the following configurations for use rs lo[...]
-
Page 36
3-11 [device-ui-vty0] protocol inbound telnet # Set the maximum number of lines the screen can cont ain to 30. [device-ui-vty0] screen-length 30 # Set the maximum number of commands the hi story command buf fer can store to 20. [device-ui-vty0] history-command max-size 20 # Set the timeout time to 6 minutes. [device-ui-vty0] idle-timeout 6 Telnetti[...]
-
Page 37
3-12 z Perform the following operations i n the terminal window to assi gn IP address 202.38.160.9 0/24 to VLAN–interface 1 of the access cont rol engine. <device> system-view [device] interface Vlan-interface 1 [device-Vlan-interface1] ip address 202.38.160.90 255.255.255.0 z Log in to the switching engine of the device using the oap conn [...]
-
Page 38
3-13 Figure 3-7 Launch Telnet 5) If the password authentication mode is specified, enter the password when the Telnet wi ndow displays “Login authentication” and prompt s fo r login password. The CLI prompt (su ch as <System_LSW>) appears if the passw ord is correct. If all VTY user interfaces of the switching engine are in use, you will [...]
-
Page 39
3-14 1) Perform Teln et-related configur ation on the switchin g engine opera ting as the Telnet server. For details, refer to Telnet Configuration with Authentication Mode Bei ng None , Telnet Configuration with Authentication Mode Being Password , and Telnet Configuration with Authenticatio n Mode Being Scheme . 2) Telnet to the access control en[...]
-
Page 40
4-1 4 Logging In from the Web-Based Network Management System When logging in from the W eb-based network manag ement system, go to these sections fo r information you are interested in: z Introduction z Setting Up a Web Configuration Environment z Configuring the Login Ban ner z Enabling/Disabling the WEB Server Introduction The device has a W eb [...]
-
Page 41
4-2 Setting Up a Web Configuration Environment Your WX series a ccess controller products were del ivered with a factory default configuration. This configuration allows you to log into the b uilt-in We b-based management sy stem of the access controller product from a Web browse r on a PC by inputting http ://192.168.0.101 in the addres s bar of t[...]
-
Page 42
4-3 Figure 4-1 Web interface of the access cont roller engine 3) Set up a Web configuration environment, as shown in Figure 4-2 . Figure 4-2 Set up a Web configuration environment 4) Log in to the switching engine through IE. Launch IE on the Web-based network management terminal (your PC) and enter h ttp://192.168.0.101 in the address bar. (Make s[...]
-
Page 43
4-4 configured by the header command, a user logging in throu gh Web directly enters the user login authentication page. Follow these steps to co nfigure the login banner: To do… Use the command… Remarks Enter syst e m view system-vie w — Configure the banner to be displayed when a user logs in through Web header login text Required By defaul[...]
-
Page 44
4-5 Figure 4-5 Banner page displayed when a user lo gs in to the switching engin e through Web Click Continue to enter u ser login authe ntication p age. Y ou will enter the main page of the W eb-based network management syst em if the authentication su cceeds. Enabling/Disabling the WEB Server Follow these steps to ena b le/disable the WEB server:[...]
-
Page 45
5-1 5 Logging In from NMS Introduction Y ou can also log in to the switching engine fr om a network management st ation (NMS), and then configure and manage the swit ching engine through the agent module on the switch. Simple network management protocol (SNMP) is applie d between the NMS and the agent. Refer to the SNMP-RMON part for related inform[...]
-
Page 46
6-1 6 Configuring Source IP Address for Telnet Service Packets Overview Y ou can configure source IP address or source interf ace for the T elnet server and T elnet client. This provides a way to manage service s and enhan ces security . The source IP address specified for T elnet service p acket s is the IP address of a Loopback interfa ce or VLAN[...]
-
Page 47
6-2 To do… Use the command… Remarks Specify a source interface for Telnet client telnet source-interface interface-type interface-number Optional When configuring a source IP addre ss fo r Telnet packets, ensure that: z The source IP address m ust be one on the local device. z The source interface must already exist. z A reachable route is avai[...]
-
Page 48
7-1 7 User Control Refer to the ACL part for information about ACL. Introduction The switching engine provides ways to control di f ferent types of login users, as listed in T able 7-1 . Table 7-1 Ways to control different types of login users Login mode Control method Implementation Reference By source IP address Through basic ACLs Controlling Tel[...]
-
Page 49
7-2 To do… Use the command… Remarks Enter syst e m view system-vie w — Create a basic ACL or enter basic ACL view acl number acl-number [ match-order { config | auto } ] As for the acl number command, the config keyword is specified by default. Define rules for the ACL rule [ rule-id ] { deny | permit } [ rule-string ] Required Quit to system[...]
-
Page 50
7-3 Controlling Telnet Users by Source MAC Addresses Controlling T elnet users by source MAC addresses is achi eved by applying Layer 2 ACLs, which are numbered from 4000 to 4999. Follow these steps to co ntrol T elnet users by sou rce MAC addre sses: To do… Use the command… Remarks Enter syst e m view system-vie w — Create or enter Layer 2 A[...]
-
Page 51
7-4 Controlling Network Management Users by Source IP Addresses Y ou can manage the device through network ma nagement sof tware. Network m anagement users can access switching engines throu gh SNMP . Y ou need to perform the following two operations to control net work managem ent users by source IP addresses. z Defining an ACL z Applying the ACL [...]
-
Page 52
7-5 You can specify different ACLs while co nfiguri ng the SNMP comm unity name, SNMP group name, and SNMP user name. As SNMP co mmunity name is a feature of SNMPv1 and SNMPv2c, the specified ACLs in the command that configures SNMP community names (the snmp-agent community command) t ake ef fect in the network management syst ems that ad opt SNMPv[...]
-
Page 53
7-6 z Applying the ACL to control Web users Prerequisites The controlling policy against W eb users is deter mined, includ ing the source IP addresses to be controlled and the cont rolling actions (p ermitting o r denying). Controlling Web Users by Source IP Addresses Controlling W eb users by source IP addre sses is achieved by applying b asic ACL[...]
-
Page 54
7-7 Configuration procedure # Define a basic ACL. <device> system-view [device] acl number 2030 [device-acl-basic-2030] rule 1 permit source 10.110.100.52 0 [device-acl-basic-2030] quit # Apply ACL 2030 to only permit the Web users sou rce d from the IP addre ss of 10.1 10.10 0.52 to access the switching engine. [device] ip http acl 2030[...]
-
Page 55
i Table of Contents 1 Configuration F ile Management ································································································ ··············· 1-1 Introduction to C onfigurati on File ················[...]
-
Page 56
1-1 1 Configuration File Management The sample output inform ation in this manual wa s created on the WX3024. The output information on your device may vary. Introduction to Configuration File A configuration file records and store s user conf igurations performed to the device. It also enables users to check device configuration s ea sily . Types [...]
-
Page 57
1-2 can configure a file to have both main a nd backup attribute, but only one file of either main or backup attribute is allowed on a device. The following three situations a re con cerned with the main/ba ckup attributes: z When saving the current configuration, you can spe cify the file to be a main or backup or normal configuration file. z When[...]
-
Page 58
1-3 z Safe mode. This is the mode when yo u use the save command with the safely keyword. The mode saves the file slower but can retain the original configuration file in t he device even if the device reboots or the power fails during the proce ss. The configuration file to be used for ne xt startup may be lost if the device reboots or the power f[...]
-
Page 59
1-4 To do… Use the command… Remarks Erase the startup configuration file from the storage device reset saved-configuration [ backup | main ] Required Available in user view Y ou may need to erase the configuration file for one of these reasons: z After you upgrade software, the old configurat ion file d oes not match the new software. z The sta[...]
-
Page 60
1-5 The configuration file must use “. cfg” as its extension name and the st artup configuration file must be saved at the root directory of the device. Displaying and Maintain ing Device Configuration To do… Use the command… Remarks Display the initial configuration file saved in the storage device display saved - configurati on [ unit uni[...]
-
Page 61
i Table of Contents 1 VLAN Ov erview ·········································································································································· 1-1 VLAN Ov erview ········?[...]
-
Page 62
1-1 1 VLAN Overview z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of a unified swit ch in the WX3000 series. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. VLAN Overview Introduction to VLAN The trad[...]
-
Page 63
1-2 of network layer devices , such as routers and Layer 3 switch es. Figure 1-1 illustrates a VLAN implementation. Figure 1-1 A VLAN implementation Sw itch Rou te r Sw i t ch VL AN A VLAN B VLA N A VLANB VLAN A VL AN B Advantages of VLANs Compared wi th the traditional Ethernet, VLAN enjoys the followin g advant ages. z Broadcasts are confine d to[...]
-
Page 64
1-3 Figure 1-2 Encapsulation format of traditional Ethernet frames Ty pe Dat a DA & SA In Figure 1-2 DA refers to the destination MAC address, SA refers to the sou rce MAC address, and T ype refers to the upper layer protocol type of the packe t. IEEE 802.1Q protocol defines that a 4-byte VLAN tag is encap sulated after the destination MAC ad d[...]
-
Page 65
1-4 After VLANs are configu red on a switch, the MAC addr ess learni ng of the switch has the following two modes. z Shared VLAN learning (SVL): the switch records all the MAC addre ss entries learnt by ports in all VLANs to a shared MAC address fo rwarding table. Pa ckets receive d on any port of any VLAN are forwarded according to this table. z I[...]
-
Page 66
1-5 The link type of a port on the device can be one of the fo llowing: access, trunk, and hybrid. For the three types of ports, the pro cess of being added into a VLAN and the way of forwarding p ackets are dif ferent. For details, re fer to the “Port Basic C onfi guration” part of the manua l. Port-based VLANs are easy to implement and man ag[...]
-
Page 67
1-6 The switch identifies whether a packet is an Ethern et II packet or an 80 2.2/802.3 packet according to the ranges of the two fields. Extended encapsulation formats of 802.2/802.3 packets 802.2/802.3 packet s have the following th re e extended encap sul ation formats: z 802.3 raw encapsulation: only the length field is encap sulated after the [...]
-
Page 68
1-7 Procedure for the Switch to Judge Packet Protocol Figure 1-9 Procedure for the switch to judge packet protocol Receive packet s Type (Length) field Ethernet II encaps ulat ion Match th e ty pe va lu e Inval id packe ts that ca nn ot be matched 802.2 /802.3 encap sulatio n Contr ol field Inva lid pa ckets that can not be matched dsap /ssap value[...]
-
Page 69
1-8 The protocol template is the st andard to determine th e protocol to which a p acket belongs. Protocol templates include st andard templates and user-define d template s: z The standard template adopts the RFC-defined packe t encap sul ation formats a nd values of som e specific fields as the matching criteria. z The user-defined template adopt[...]
-
Page 70
2-1 2 VLAN Configuration VLAN Configuration Configuration Task List Complete the following ta sks to configure VLAN: Task Remarks Basic VLAN Configuration Req uired Basic VLAN Interface Configuration Optional Displaying and Maintaining VLAN Optional Basic VLAN Configuration Follow these steps to ma ke basi c VLAN configuration: To do… Use the com[...]
-
Page 71
2-2 Basic VLAN Interface Configuration Configuration prerequisites Before configuring a VLAN interfac e, create the corre sponding VLAN. Configuration procedure Follow these steps to ma ke basi c VLAN interface configuration: To do… Use the command… Remarks Enter syst e m view system-view — Create a VLAN interface and enter VLAN interface vie[...]
-
Page 72
2-3 Configuring a Port-Based VLAN Configuring a Port-Based VLAN Configuration prerequisites Create a VLAN before configuring a po rt-ba sed VLAN. Configuration procedure Follow these steps to co nfigure a port-based VLAN: To do… Use the command… Remarks Enter syst e m view system-vie w — Enter VLAN view vlan vlan-id — Add Ethernet ports to [...]
-
Page 73
2-4 Configuration procedure z Configure Switch A. # Create VLAN 101, specify it s descriptive string as “DMZ”, and add GigabitEthernet 1/0/1 to V LAN 101. <SwitchA> system-view [SwitchA] vlan 101 [SwitchA-vlan101] description DMZ [SwitchA-vlan101] port GigabitEthernet 1/0/1 [SwitchA-vlan101] quit # Create VLAN 201, and add GigabitEthern e[...]
-
Page 74
2-5 For the command of configuri ng a port l ink type ( port link-ty pe ) and the command of allowing packets of certain VLANs to pass t hrough a port ( por t trunk permit ), refer to the se ction of configuring Ethernet ports in the “Port Basic Configuration” part of this do cument. Configuring a Protocol-Based VLAN Configuration Task List Com[...]
-
Page 75
2-6 z Because the IP protocol is cl osely asso ciated with the ARP protocol, you are recommended to configure the ARP protocol type when configur ing the IP protocol ty pe and associate the two protocol types with the same port to avoid that ARP packets and IP packets are not assigned to the same VLAN, which will cause IP address resolution failure[...]
-
Page 76
2-7 For the operation of adding a hybrid port to a VLAN in the untag ged way (when forwarding a packet, the port removes the VLAN tag of the packet), refer to t he section of configuring Ethernet ports in the “Port Basic Configuration” pa rt of this manu al. Displaying and Maintaining Protocol-Based VLAN To do… Use the command… Remarks Disp[...]
-
Page 77
2-8 Configuration procedure # Create VLAN 100 an d VLAN 200, and add Gi gabi tEthernet 1/0/1 1 and GigabitEthernet 1/0/12 to VLAN 100 and VLAN 200 respectively . <device> system-view [device] vlan 100 [device-vlan100] port GigabitEthernet 1/0/11 [device-vlan100] quit [device] vlan 200 [device-vlan200] port GigabitEthernet 1/0/12 # Configure p[...]
-
Page 78
2-9 VLAN ID Protocol-Index Protocol-Type 100 0 ip 100 1 ethernetii etype 0x0806 200 0 at The above output information indi cates that Giga bitEthernet 1/0/10 has already been associated with the corresponding protocol templates of VLAN 100 and VLAN 200. Thu s, packet s from the IP and AppleT alk workstations can be aut omatically assigned to VLAN 1[...]
-
Page 79
i Table of Contents 1 Auto Detect Configuration ···································································································· ···················· 1-1 Introduction to the Au to Detect Function·······?[...]
-
Page 80
1-1 1 Auto Detect Configuration z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of a unified swit ch in the WX3000 series. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. When configuring the auto detec[...]
-
Page 81
1-2 Auto Detect Configuration Complete the following t a sks to configure auto detect: Task Remarks Auto Detect Basic Configuration Required Auto Detect Implementation in Static Routing Optional Auto Detect Implementation in VLAN Interface Backup Optional Auto Detect Basic Configuration Follow these steps to co nfi gure the auto detect function: To[...]
-
Page 82
1-3 Auto Detect Implementation in Static Routing Y ou can bind a static route with a detected g rou p. The Auto Detect function will then detect the reachability of the static ro ute through the p ath specif ied in the detected group. z The static route is valid if the detected group is reachable . z The static route is invalid if the detected grou[...]
-
Page 83
1-4 To do… Use the command… Remarks Enter syst e m view system-vie w — Enter VLAN interface view interface Vlan-interface vlan - id — Enable the auto detect function to implement VLAN interface backup standby detect-grou p group-number Required This operation is only needed on the secondary VLAN interface. Auto Detect Configuration Examples[...]
-
Page 84
1-5 <SwitchC> system-view # Configure a static route to Switch A. [SwitchC] ip route-static 192.168.1.1 24 10.1.1.3 Configuration Example for Auto Detect Implementation in VLAN Interface Backup Network requirements z As shown in Figure 1-2 , make sure the routes between Switch A, Switch B, and Switch C, and between Switch A, Switch D, and Swi[...]
-
Page 85
i Table of Contents 1 Voice VLAN Co nfiguration ····································································································· ··················· 1-1 Voice VLAN Overview ··················[...]
-
Page 86
1-1 1 Voice VLAN Configuration The sample output inform ation in this manual wa s created on the WX3024. The output information on your device may vary. Voice VLAN Overview V oice VLANs are VLANs co nfigured sp ecially for voice traf fic. By adding the ports connected wit h voice devices to voice VLANs, you can h ave voice traf fic transmitted with[...]
-
Page 87
1-2 Figure 1-1 Network diagram for IP phones DHCP Server1 DHCP Server2 Call agent IP Phone ② ① ③ As shown in Figure 1-1 , the IP phone n eeds to wo rk in conjun ction with the DHCP server a nd the NCP to establish a path for voice data tran smission. An IP phone goes through the follo wing three phases to become capa ble of tran smitting voic[...]
-
Page 88
1-3 3) After the IP phone acquires the IP addre ss assigned by DHCP Serv er2, the IP phone establishes a connection to the NCP specified by DHCP Server 1 and do wnloads correspondi ng software. After that, the IP phone can communicate pr ope rly. z An untagged packet carries no VLAN tag. z A tagged packet carries the tag of a VLAN. How the Device I[...]
-
Page 89
1-4 Processing mode of untagged packets sent by IP voice devices z Automatic mode. A WX3000 device automatically add s a port connecting an IP voice devi ce to the voice VLAN by learning the source M AC address in the untagged packet sent by the IP voice device when it is powered on. The voice VLAN uses t he aging me chanism to maintain the nu mber[...]
-
Page 90
1-5 Table 1-2 Matching relationshi p between po rt types and voice traffic types Port voice VLAN mode Voice traffic type Port type Supported or not Access Not supported Trunk Supported Make sure the default VLAN of the port exists and is not a voice VLAN. And the access port permits the traffic of the default VLAN. Tagged voice traffic Hybrid Suppo[...]
-
Page 91
1-6 Voice VLAN Configuration Configuration Prerequisites z Create the correspondi ng VLAN before configuring a voice VLAN. z VLAN 1 (the default VLAN) cannot be configured a s a voice VLAN. Configuring a Voice VLAN to Operate in Automatic Mode Follow these steps to co nfigure a voice VLAN to operate in automatic mode: To do… Use the command… Re[...]
-
Page 92
1-7 When the voice VLAN is working normally, if the devic e restarts, in ord er to make the established voice connections work no rmally, the system does not need to be triggered by the voice traffic to add the port in automatic mode to the local devices of the voice VLAN but do es so immedi ately after the restart. Configuring a Voice VLAN to Oper[...]
-
Page 93
1-8 To do… Use the command… Remarks Enter VLAN view vlan vlan-id Access port Add the port to the VLAN port interface-list Enter port view interface interface-type interface-num Add the port to the VLAN port trunk permit vlan vlan-id port hybrid vlan vlan-id { tagged | untagged } Required By default, all the ports belong to VLAN 1. Add a port in[...]
-
Page 94
1-9 Displaying and Maintaining Voice VLAN To do… Use the command… Remarks Display the information about ports on which voice VLAN configuration fails display voice vlan error-info Display the voice VLAN configuration status display v oice vlan status Display the currently valid OUI addresses dis pl a y voi ce vla n oui Display the ports operati[...]
-
Page 95
1-10 [DeviceA] voice vlan aging 100 # Add a user-defined OUI address 001 1-2200-000 an d set the descri ption string to “test”. [DeviceA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test # Enable the voice VLAN function globa lly . [DeviceA] voice vlan 2 enable # Configure the vocie VLAN to operate in automatic mode on[...]
-
Page 96
1-11 <DeviceA> system-view [DeviceA] voice vlan security enable # Add a user-defined OUI address 001 1-2200-000 an d set the descri ption string to “test”. [DeviceA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test # Create VLAN 2 and configure it as a voice VLA N. [DeviceA] vlan 2 [DeviceA-vlan2] quit [DeviceA] [...]
-
Page 97
i Table of Contents 1 GVRP Conf iguration ··········································································································· ······················· 1-1 Introduction to GVRP ··········?[...]
-
Page 98
1-1 1 GVRP Configuration z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of a unified swit ch in the WX3000 series. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. Introduction to GVRP GARP VLAN registr[...]
-
Page 99
1-2 Leave messages, LeaveAll messa ges, together with Jo in message s ensure attribute information can be deregistered and re-regist ered. Through message exch ange, all the attribute information to be regi stered can be propag ated to all the GARP-enabled switches in the sam e LAN. 2) GARP timers T imers determine the intervals of sending diff ere[...]
-
Page 100
1-3 Figure 1-1 Format of GARP packets Et her net F ram e PDU DA DA le ng t h DSA P Ctrl SSAP Protoc ol ID Message 1 Mes s age N ... End Mar k 1 3 N Attr ibu t e T ype Attr ibut e List 12 N At t r ibu t e 1 Att r ibu te N ... End Ma r k 1N Attribut e Lengt h Attribute E v e nt Attr ibute Vlaue 12 3 N G ARP PDU st ruct ure Messag e struct ure Att rib[...]
-
Page 101
1-4 GVRP As an implement ation of GARP , GARP VLAN registration protocol (GVRP) m aintains dyna mic VLAN registration information a nd propagates t he in formation to the other devices through GARP . With GVRP enable d on a device, the VLAN registrati on information received by the device from other devices is used to dynamically update the local V[...]
-
Page 102
1-5 Configuration procedure Follow these steps to ena b le GVRP on a n Ethernet po rt: To do… Use the com mand… Remarks Enter syst e m view system-view — Enable GVRP globally gvrp Required By default, GVRP is disabled globally. Enter Ethernet port view interface interface-type interface-number — Enable GVRP on the port gvrp Req uired By def[...]
-
Page 103
1-6 Table 1-2 Relations between the timers Timer Lower threshold Upper threshold Hold 10 centiseconds This upper threshold is le ss than or equal to one-half of the timeout time of the Join timer. You can change the thre sh old by changing the timeout time of the Join timer. Join This lower threshold is greater than or equal to twice the timeout ti[...]
-
Page 104
1-7 GVRP Configuration Example GVRP Configuration Example Network requirements z Enable GVRP on all the switches in the network so that the VLAN configurations on Switch C and Switch E can be applied to all switches i n the network, thus implementing dynami c VLAN information registration and refre sh, as shown in Figu re 1-2 . z By configuring the[...]
-
Page 105
1-8 [SwitchA-GigabitEthernet1/0/3] port trunk permit vlan all # Enable GVRP on GigabitEthernet 1/0/3. [SwitchA-GigabitEthernet1/0/3] gvrp [SwitchA-GigabitEthernet1/0/3] quit 2) Configure Switch B # The configuration p ro ced ure of Switch B is sim ilar to that of Switch A and is thus omitted. 3) Configure Switch C # Enable GVRP on Switch C, which i[...]
-
Page 106
1-9 [SwitchE-GigabitEthernet1/0/1] gvrp registration fixed # Display the VLAN information dynamically registe r ed on Switch A. [SwitchA] display vlan dynamic Total 3 dynamic VLAN exist(s). The following dynamic VLANs exist: 5, 7, 8, # Display the VLAN information dynamically register ed on Swit ch B. [SwitchB] display vlan dynamic Total 3 dynamic [...]
-
Page 107
i Table of Contents 1 Basic Port Co nfiguration ····································································································· ····················· 1-1 Ethernet Port Over view ··············[...]
-
Page 108
1-1 1 Basic Port Configuration z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of a unified swit ch in the WX3000 series. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. Ethernet Port Overview Types and[...]
-
Page 109
1-2 Link Types of Ethernet Ports An Ethernet port of the devic e can operate in one of the following three link types: z Access: An access port can belong to only one VL AN, and is generally used to connect user PCs. z Trunk: A trunk port can bel ong to more than one VLA N . It can receive/send pa ckets from/to multiple VLANs, and is generally used[...]
-
Page 110
1-3 Table 1-3 Processing of incoming/outgoing p acket s Processing of an incoming packet Port ty pe If the p acket does not carry a VLAN tag If the packet carries a VLAN tag Processing of an outgoing packet Access z If the VLAN ID is just the default VLAN ID, receive the packet. z If the VLAN ID is not the default VLAN ID, discard the packet. Depri[...]
-
Page 111
1-4 To do… Use the command… Remarks Enter syst e m view system-v iew — Enter Ethernet port view interface interface-type interface-number — Enable the Ethernet port undo shutdown By default, the port is enabled. Use the shutdo wn command to disable the port. Set the description of the Ethernet port description text By default, no descriptio[...]
-
Page 112
1-5 To do… Use the command… Remarks Configure the available auto-negotiation speed(s) for the port speed auto [ 10 | 100 | 1000 ]* Optional By default, the port speed is auto-negotiated. z Only ports on the front panel of the device suppor t the auto-negotiation speed configuration feature. And ports on the extended interface card do not sup po[...]
-
Page 113
1-6 To do… Use the command… Remarks Enter syst e m view system-v iew — Enter Ethernet port view interface interface-type interface-number — Enable flow control on the Ethernet port flow-control Required By default, flow control is not enabled on a port. Configuring Access Port Attribute Follow these steps to co nfi gure access port attribut[...]
-
Page 114
1-7 To do… Use the command… Remarks Enter syst e m view Sy stem-view — Enter Ethernet port view interface interface-type interface-number — Set the link type for the port as trunk port link-type trunk Required Set the default VLAN ID for the trunk port port trunk pvid vlan vlan-id Optional By default, the VLAN of a trunk port is VLAN 1. Add[...]
-
Page 115
1-8 <device> system-view [device] interface GigabitEthernet 1/0/1 [device-GigabitEthernet1/0/1] shutdown [device-GigabitEthernet1/0/1] %Apr 2 08:11:14:220 2000 device L2INF/5/PORT LINK STATUS CHANGE:- 1 - GigabitEthernet1/0/1 is DOWN [device-GigabitEthernet1/0/1] undo shutdown [device-GigabitEthernet1/0/1] %Apr 2 08:11:32:253 2000 device L2IN[...]
-
Page 116
1-9 configuration command on ce on one port and that con figuration will apply to all p ort s in the port grou p. This effe ctively redu ces redundant configurations. A Port group coul d be manually created by users. Mult iple Ethernet ports can b e added to the same port group but one Ethernet port can only be added to on e port group. Follow thes[...]
-
Page 117
1-10 To do… Use the command… Remarks Configure the system to run loopback detection on all VLANs for the trunk and hybrid ports loopback-detection per-v l an enable Optional By default, the system runs loopback detection only on the default VLAN for the trunk and hybrid ports. z To enable loopback detection on a sp ecific port, you must use the[...]
-
Page 118
1-11 Enabling the System to Test Connected Cable Y ou can enable the system to test the cable connected to a specif ic port. The test result will be returned in five minutes. The system can test these attributes of the cable: Receive and tran smit directions (RX and TX), short circuit/open circuit or n o t, the length of the faulty cable. Follow th[...]
-
Page 119
1-12 Displaying and Maintaining Ethernet Ports To do… Use the command… Remarks Display port configuration information display interface [ interface-type | interface-type interface-num ber ] Display information for a specified port grou p display port-group group-id Display port loopback detection state display loopback-detecti on Display brief [...]
-
Page 120
1-13 [device] vlan 100 # Configure the default VLAN ID of GigabitEthernet 1/0/1 as 100. [device-GigabitEthernet1/0/1] port trunk pvid vlan 100 Troubleshooting Ethernet Port Configuration Symptom : Default VLAN ID configuration failed. Solution : T ake the following steps. z Use the display interface or display port comma nd t o check if the port i [...]
-
Page 121
i Table of Contents 1 Link Aggregati on Configur ation ······························································································· ··············· 1-1 Overview ······························[...]
-
Page 122
1-1 1 Link Aggregation Configuration z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of a unified swit ch in the WX3000 series. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. Overview Introduction to L[...]
-
Page 123
1-2 Operation Key An operation key of an aggregation po rt is a conf iguration combination gen erated by system depending on the configurations of the port (rate, duplex mode, other basi c configuration, and management key) when the port is aggregated. 1) The selected ports in a manual/static ag gre gation group have the same operation key. 2) The [...]
-
Page 124
1-3 For an aggregation grou p: z When the rate or duplex mode of a port in the aggregation group changes, packet loss may o ccur on this port; z When the rate of a port decreases, if the port belongs to a man ual or static LACP aggrega tion group, the port will be switched to the unselected state; if the port bel ongs to a dynamic LACP aggregation [...]
-
Page 125
1-4 Dynamic LACP Aggregation Group Introduction to dynamic LACP aggregation group A dynamic LA CP aggregati on group is automatically created and removed by th e system. Users cann ot add/remove ports to/from it. A port can particip at e in dynamic link aggregation only when it is LACP-enabled. Port s can be aggregated into a dy nami c aggregation [...]
-
Page 126
1-5 Changing the system pri ority of a device may cha nge the preferred device betw een the two parties, and may further change the states (sel ected or unsele cted) of the member ports of dynamic agg regation groups. Configuring port priority LACP determine s the selected and unselected st at es of the dynamic aggregation group members according t[...]
-
Page 127
1-6 A load-sharing aggregation gro up contains at least two selected port s, but a non-load-sharing aggregation group ca n only have one selected port at most, while others are un selected ports. Link Aggregation Configuration z The commands of link a ggregation cannot be conf igured with the commands of port loop back detection feature at the same[...]
-
Page 128
1-7 To do… Use the command… Remarks Configure a description for the aggregation group link-aggregation group agg-i d description agg-name Optional By default, an aggregation group has no description. Enter Ethernet port view interface interface-type interface-number — Add the Ethernet port to the aggregation group port link-aggregation gro up[...]
-
Page 129
1-8 To do… Use the command… Remarks Configure a description for the aggregation group link-aggregation group a gg-id description agg-name Optional By default, an aggregation group has no description. Enter Ethernet port view interface interface-type interface-number — Add the port to the aggregation group port link-aggregation group agg-id Re[...]
-
Page 130
1-9 To do… Use the command… Remarks Enable LACP on the port lacp enable Required By default, LACP is disabled on a port. Configure the port priority lacp port - priority port-priority Optional By default, the port priority is 32,768. Displaying and Maintaining Link Aggregation To do… Use the command… Remarks Display summary information of a[...]
-
Page 131
1-10 Figure 1-1 Network diagram for link aggregatio n co nfiguration Switch A Link aggregation Switch B Configuration procedure 1) Adopting manual aggregation mode # Create manual aggregation group 1. <device> system-view [device] link-aggregation group 1 mode manual # Add GigabitEthernet 1/0/1 through Gig abitEthernet 1/0/3 to aggregation gr[...]
-
Page 132
1-11 Note that, the three LACP-enabled ports ca n be aggregated into a dyn amic aggregation group to implement load sharing only when they have the same basic co nfiguration (such as rate and duplex mode and so on).[...]
-
Page 133
i Table of Contents 1 Port Isolation Configuration ································································································· ···················· 1-1 Port Isolati on Overview ·················[...]
-
Page 134
1-1 1 Port Isolation Configuration z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of a unified swit ch in the WX3000 series. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. Port Isolation Overview Intr[...]
-
Page 135
1-2 z When a member port of an agg regation group i s added to an i solation grou p, the other po rts in the same aggregation group are added to the isol ation group automatically. z When a member port of an aggregation group is del et ed from an isolation group, the other ports in the same aggregation group are d eleted fr om the isolation group a[...]
-
Page 136
1-3 <device> system-view System View: return to User View with Ctrl+Z. [device] interface GigabitEthernet1/0/2 [device-GigabitEthernet1/0/2] port isolate [device-GigabitEthernet1/0/2] quit [device] interface GigabitEthernet1/0/3 [device-GigabitEthernet1/0/3] port isolate [device-GigabitEthernet1/0/3] quit [device] interface GigabitEthernet1/0[...]
-
Page 137
i Table of Contents 1 Port Security Configuration ·································································································· ···················· 1-1 Port Security Overview··················[...]
-
Page 138
1-1 1 Port Security Configuration z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of a unified swit ch in the WX3000 series. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. Port Security Overview Introd[...]
-
Page 139
1-2 Port Security Modes T able 1-1 describes the available port security modes. Table 1-1 Description of port security mode s Security mode Description Feature noRestriction Port security is disabled on the port and access to the port is not restricted. In this mode, neither the NTK nor the intrusion protection feature is triggered. autolearn In th[...]
-
Page 140
1-3 Security mode Description Feature userLoginSecure In this mode, a port pe rforms 802.1x au thenticatio n of users and services only one user passing 802. 1x authentication at a time. userLoginSecure Ext In this mode, a port performs 802.1x authentication of users and services users passi n g 802.1x authentication. userLoginWithOU I Similar to t[...]
-
Page 141
1-4 Port Security Configuration Complete the following tasks to configure port security: Task Remarks Enabling Port Security Required Setting the Maximum Number of MAC Addresse s Allowed on a Port Optional Setting the Port Security Mode Required Configuring the NTK feature Configuring intrusion p rote ction Configuring Port Security Features Config[...]
-
Page 142
1-5 Setting the Maximum Number of MAC Addresses Allowed on a Port Port security allows more than one user to be authenticated on a port. The number of authenticated users allowed, howeve r , ca nnot exceed the configured uppe r limit. By setting the maximum number of MA C addresses allowed on a p ort, you can z Control the maximum number of u sers [...]
-
Page 143
1-6 To do… Use the command… Remarks Enter Ethernet port view interface interface-type interface-number — Set the port security mode port-security port-mode { autolearn | mac-and-userlogin-secu re | mac-and-userlogin-secu re-e xt | mac-authentication | mac-else-userlogin-secu re | mac-else-userlogin-s ecure-e xt | secure | userlogin | userlogi[...]
-
Page 144
1-7 The WX3000 series devices do not supp ort the ntko nly NTK feature. Configuring intrusion protection Follow these steps to co nfigure t he intrusion protection feature: To do… Use the command… Remarks Enter syst e m view system-vie w — Enter Ethernet port view interface interface-type interface-number — Set the corresponding action to b[...]
-
Page 145
1-8 To do… Use the command… Remarks Enter syst e m view system-vie w — Enable sending trap s for the specified type of event port-security trap { addresslearned | intrusi on | dot1xlogon | dot1xlogoff | dot1xlogfailure | ralmlogon | ralmlogoff | ralmlogfailure } Required By default, no trap is sent. Ignoring the Authorization Info rmation fro[...]
-
Page 146
1-9 The security MAC addresses manually configured are written to the config uratio n file; they will not get lost when the port is up or down. As long as the c onfig uration file is saved, the secu rity MAC addresses can be restored after the device reboots. Configuration prerequisites z Port security is enabled. z The maximum number of security M[...]
-
Page 147
1-10 z To ensure that Host can access the netwo rk, add the MAC address 0001 -0002-0003 of Host as a security MAC address to the port in VLAN 1. z After the number of security MAC addresses reache s 80, the port stops learning MAC addresses. If any frame with an unkno wn MAC add ress arrives, int rusion prote ction is tri ggere d and the po rt will[...]
-
Page 148
2-1 2 Port Binding Configuration Port Binding Overview Introduction Port binding enables th e network administrator to bin d the MAC address and IP address of a user to a specific port. Af ter the binding, the switch forwar ds only the packet s received on the po rt whose MAC address and IP address a re identical with the bound MAC addre ss and IP [...]
-
Page 149
2-2 Port Binding Configuration Example Network requirements As shown in Figure 2-1 , it is required to bind the MAC and IP addresses of Ho st 1 to GigabitEthernet 1/0/1 on switch A, so as to prevent malicious users from using the IP address they steal from Host 1 to access the net work. Figure 2-1 Network diagram for port binding config uration Swi[...]
-
Page 150
i Table of Contents 1 DLDP Conf iguration ··········································································································· ······················· 1-1 DLDP Overview··············?[...]
-
Page 151
1-1 1 DLDP Configuration z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of a unified swit ch in the WX3000 series. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. DLDP Overview Y ou may have encountere[...]
-
Page 152
1-2 Figure 1-2 Fiber correct conne ction/disconnection in one dire ction GE1/0/10 SwitchA GE1/0/11 GE1/0/10 SwitchB GE1/0/11 PC DLDP provid es the following features: z As a link layer protocol, it works together with the physical layer protocol s to monitor the link status of a device. While the auto-negotiatio n mechanism on the physi cal layer d[...]
-
Page 153
1-3 Status Description Probe DHCP sends packets to check if it is a unidirectio nal link. It enables the probe sending timer and an echo waiting timer for each target neighbor. Disable DLDP detects a unidirectional link, or finds (in enhanced mod e) that a neighbor disap pears. In this ca se, DL DP do es not receive or se nd DLDP packets. Delaydown[...]
-
Page 154
1-4 Timer Des cription Enhanced timer In enhanced mode, if no packet is received from the neigh bor when the entry aging timer expires, DLDP enable s the enhan ced timer for the neighbor. The timeout time for the enhanced timer i s 10 seconds. The enhanced timer then sends one p robe packets every one second and totally eight packets contin uou sly[...]
-
Page 155
1-5 Table 1-4 Types of packets sent by DLDP DLDP status Packet types Active Advertisement packets, incl uding tho se with or without RSY tags Advertisement Advertisement packets Probe Probe packets 2) DLDP analyzes and processes re ceived packets as follows: z In authentication mode, DLDP authenticates t he packets, and discards those do not pass t[...]
-
Page 156
1-6 DLDP neighbor state A DLDP neighbor ca n be in one of these two st ates: two way and u nkn own. Y ou can check the state of a DLDP neig hbor by using the display dld p command. Table 1-7 Description on the two DLDP neig hbor states DLDP neighbor state Description two way The link to the neighbor operates properly. unknown The device is detectin[...]
-
Page 157
1-7 To do… Use the command… Remarks Set the delaydown timer dldp delaydown-timer delaydown-tim e Optional By default, the delaydown timer expires after 1 second it is triggered. Set the DLDP handling mode wh en an unidirectional link is dete ct ed dldp unidirectional-shutdown { auto | manual } Optional. By default, the handling mode is auto. Se[...]
-
Page 158
1-8 To do… Use the command… Remarks Enter syst e m view system-v iew Reset the DLDP status of the system dldp reset Enter Ethernet port view interface interface-type interface-number Reset the DLDP status of a port dldp reset Optional This command only applies to the ports i n DLDP down status. DLDP Network Example Network requirements As shown[...]
-
Page 159
1-9 [SwitchA-GigabitEthernet1/0/11] duplex full [SwitchA-GigabitEthernet1/0/11] speed 1000 [SwitchA-GigabitEthernet1/0/11] quit # Enable DLDP globally [SwitchA] dldp enable DLDP is enabled on all fiber ports except fabric ports. # Set the interval of sending DLDP packet s to 15 seconds [SwitchA] dldp interval 15 # Configure DLDP to work in enhanced[...]
-
Page 160
i Table of Contents 1 MAC Address Tabl e Management································································································· ··········· 1-1 Overview ··································[...]
-
Page 161
1-1 1 MAC Address Table Management z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of a unified swit ch in the WX3000 series. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. z This chapter describes the[...]
-
Page 162
1-2 1) As shown in Figure 1-1 , User A and User B are both in VLAN 1. When User A communicates with User B, the packet from User A needs to be transmi tted to GigabitEthernet 1/0/1. At this time, the device records the source MAC addr ess of the packet, that is, the address “MAC-A” of User A to the MAC address table of the switch, forming an en[...]
-
Page 163
1-3 Figure 1-4 MAC address learning diag ram (3) Geth 1/0/1 Geth 1/0/3 Geth 1/0/4 User A User B User C 4) At this time, the MAC address table of the device in cludes two forwarding entri es shown in Figure 1-5 . When forwarding the response p acket, the dev ice unicasts the packet in stead of broadcas ting it to User A through GigabitEthernet 1/0/ [...]
-
Page 164
1-4 Aging timer only takes effect on dynamic MAC address e ntries. Entries in a MAC address table Entries in a MAC address t able fall into the following categories according to their characteri stics and configuration methods: z Static MAC address entry: Also known as perma n ent MAC address entry. This type of MAC address entries are ad ded/remov[...]
-
Page 165
1-5 Configuring a MAC Address Entry Y ou can add, modify , or remove a MAC address entry , remove all MAC address entries concerning a specific port, or remove specific type of MAC addre ss entries (dyn amic or st at ic MAC addre ss entries). Y ou can add a MAC address entry in either system view or Ethernet port view . Adding a MAC address entry i[...]
-
Page 166
1-6 Setting the Aging Time of MAC Address Entries Setting aging time properly helps ef fective utilization of MAC address aging. The aging time that is too long or too short af fects the performance of the device. z If the aging time is too long, excessive invalid MA C address entries maintained by the device may fill up the MAC address table. This[...]
-
Page 167
1-7 To do… Use the comm and… Remarks Set the maximum number of MAC addresses the port can learn mac-add ress max-mac-count count Required By default, the number of the MAC addresses a port can learn is not limited. Specifying the maximum number of MA C addresses a port can lea rn disables centralized MAC ad dress authentication and port secu ri[...]
-
Page 168
1-8 Displaying and Maintaining MAC Address Table To do… Use the command… Remarks Display information about the MAC address table display mac-address [ display-option ] Display the aging time of the dynamic MAC address entries in the MAC address table display mac-address aging-time The display command can be executed in any view. Configuration E[...]
-
Page 169
i Table of Contents 1 MSTP Conf iguration ··········································································································· ······················· 1-1 STP Over view ··············[...]
-
Page 170
ii Configuring R oot Guard········································································································· ········ 1-37 Configuring Loop Guard ··································[...]
-
Page 171
1-1 1 MSTP Configuration z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of a unified swit ch in the WX3000 series. z The sample output information in this ma nual was created on the WX3024. The output inform ation on your device may vary. STP Overview STP Overview Functions of[...]
-
Page 172
1-2 Upon network convergence, the root bridge gen erat es and sends out configu ration BPDUs periodically . Other devices just forward the configura tion BPDUs received. This mechanism e nsures the topologica l stability . 2) Root port On a non-root bridge devi ce, the root port is the po rt with the lowest path cost to the root bridge. The root po[...]
-
Page 173
1-3 4) Path cost Path cost is a value used for measuring link cap acity . By comparing the p ath costs of dif ferent links, STP select s the most robu st links and blocks the ot her links to prune the netwo rk into a tree. How STP works STP identifie s the network topology by transmi tting config uration BPDUs between network devices. Configuration[...]
-
Page 174
1-4 Step Description 2 The device compares the config uration BPDUs of all the ports and choose s the optimum configuration BPDU. Principle for configuration BPDU com parison: z The configuration BPDU that has the lowe st root bridge ID has the highest priori ty. z If all the configuration BPDUs have the same root bridge ID, they will be compared f[...]
-
Page 175
1-5 When the network top ology is stable, only the root port and design ated ports forward traffic, while other ports are all in the blocked state – they only re ce ive STP packets but do not forward user traffic. Once the root bridge, the ro ot port on each non-ro ot bridge and desi gnated port s have been successfully elected, the entire tree -[...]
-
Page 176
1-6 Table 1-5 Comparison proce ss and result on each device Device Comparison process BPDU of por t after comparison Device A z Port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}. Device A finds that the configuration BPDU of the local port {0, 0, 0, AP1} is superior to the configuration received message, an d discards the received[...]
-
Page 177
1-7 Device Comparison process BPDU of por t after comparison z Port CP1 receives the con figur ation BPDU of Devi ce A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configurat ion BPDU of the local port {2, 0, 2, CP1}, and updates the configuratio n BPDU of CP1. z Port CP2 receives the confi guration BPDU of[...]
-
Page 178
1-8 Figure 1-3 The final calculated spanning tree AP 1 A P 2 D e vi ce A Wi th p ri ori ty 0 Dev i c e B D e vi ce C BP 1 BP 2 CP 2 5 4 Wi th p ri ori ty 1 Wi th p ri o r i ty 2 To facilitate description, the sp anning tree calculation process in this example is simplified, while the actual process is more complicated. 2) The BPDU forwarding mechan[...]
-
Page 179
1-9 For this reason, the protocol use s a state transitio n me chanism. Namely , a newly elected root port and the designated port s must go through a peri od, which is twice the forward delay time, before they transit to the forwarding state. The peri od allows the ne w configuration BPDUs to be propag ated throughout the entire network. z Hello t[...]
-
Page 180
1-10 z MSTP supports mapping VLANs to MST instance s by means of a VLAN-to-instan ce mapping table. MSTP introduces “instance” (inte grates multiple VLANs int o a set) and can bind multiple VLA Ns to an instance, thus saving communication over head and improving re source utilization. z MSTP divides a switched network into multiple regions, eac[...]
-
Page 181
1-11 MSTI A multiple spanning tree instance (MSTI) refers to a spanning tree i n an MST region. Multiple spanning trees ca n be establis hed in one MST region. These spannin g trees are independent of each other . For example, each region in Figu re 1-4 contain s multiple spanning trees known as MSTIs. Each of thes e spanning tree s corresp onds to[...]
-
Page 182
1-12 z A region edge port is locat ed on the edge of an MST region and is used to conne ct one MST region to another MST region, an STP-enabled region or an RSTP-enabled regi on z An alternate port is a seconda ry port of a root port or master po rt and is used for rapid transition. With the root port or master port being blocked, the alternate por[...]
-
Page 183
1-13 z Forwarding state. Ports in this state can forw ard user packets and receive/ send BPDU packets. z Learning state. Ports in this st ate can receive/send B PDU packets. z Discarding state. Ports in this st ate can only receive BPDU packet s. Port roles and port st ates are not mutually dependent. T able 1-6 lists possible combinations of port [...]
-
Page 184
1-14 For MSTP , CIST configuration informatio n is generally expre ssed as follows: (Root bridge ID, External path cost, Ma ster bridge ID, Internal path cost, Desi gnated bridge ID, ID of sending port, ID of receiving por t), so the compared as follows z The smaller the Root bri dge ID of the configur ati on BPDU is, the higher the p riority of th[...]
-
Page 185
1-15 z BPDU guard z Loop guard z TC-BPDU attack guard z BPDU packet drop STP-related Standards STP-related standa rds include the following. z IEEE 802.1D: spanning tree protocol z IEEE 802.1w: rapid spanning tree protocol z IEEE 802.1s: multiple spanning tree protocol Configuring Root Bridge Complete the following t asks to configure a root bridge[...]
-
Page 186
1-16 In a network containing de vices with both GVRP and MSTP enabled, GVRP pa ckets are forwarded along the CIST. If you want to advertise packets of a specific VLAN through GV RP, be sure to map the VLAN to the CIST when configuring the MSTP VLAN mapping table (the CIST of a network is spanning tree instance 0). Configuration Prerequisites The ro[...]
-
Page 187
1-17 Configuring MST region-related p arameters (especially the VLAN mapping t able) result s in spanning tree recalculation and network topolo gy jitter . T o reduce network topology jitter caused by the configuration, MSTP does not recal culate spanni ng tr ees immediately af ter the configuration; it does this only after you perf orm one of the [...]
-
Page 188
1-18 To do… Use the command… Remarks Enter syst em view system-vie w — Specify the current device as the root bridge of a spanning tree stp [ instance instance -id ] root primary [ bridge-diameter bridgenum ber [ hello-time centi-seconds ] ] Required Specify the current device as the secondary root bridge of a spanning tree Follow these steps[...]
-
Page 189
1-19 z You can configure a device as th e root bridges of multiple spanni ng tree instan ces. But you cannot configure two or more root bridge s for one span ning tree instance. So, do not configure root bridges for the sam e spanning tree instance on two or mo re devices using the stp root pri mary command. z You can configure multiple se condary [...]
-
Page 190
1-20 Configuration example # Set the bridge priority of the current de vice to 4,096 in sp anning tree inst ance 1. <device> system-view [device] stp instance 1 priority 4096 Configuring the Mode a Port R ecognizes and Sends MSTP Packets A port can be configured to recognize and send MSTP packet s in the following mode s. z Automatic mode. Po[...]
-
Page 191
1-21 To do… Use the command… Remarks Enter syste m view system-v iew — Enter Ethernet port view interface interface-type interface-number — Configure the mode a port recognizes and send s MSTP packets stp compliance { auto | dot1s | legacy } Required By default, a port recognizes and sends MSTP packets i n the automatic mode. That is, it de[...]
-
Page 192
1-22 Configuration example # S pecify the MSTP operation mode as STP-co mpatible. <device> system-view [device] stp mode stp Configuring the Maximum Hop Count of an MST Region The maximum hop count configured on the region root is also the maximum hops of the MST region. The value of the maximum hop count lim it s the size of the MST regi on.[...]
-
Page 193
1-23 To do… Use the command… Remarks Enter syst em view system-vie w — Configure the network di ameter of the switched network stp bridge-diameter bridgenumber Required The default network diame ter of a network is 7. The network diameter parameter indicates the size of a network. The bigge r the network diameter i s, the larger the network s[...]
-
Page 194
1-24 z The forward delay para meter and the netwo rk diameter a re correlated. Normally , a large network diameter corresponds to a large forward delay. A too small forward delay param eter may result in temporary redundant path s. And a too large forward delay pa rameter may cause a netwo rk unable to resume the no rmal state in time after change [...]
-
Page 195
1-25 Configuration procedure Follow these steps to co nfigur e the timeout time factor: To do… Use the command… Remarks Enter syst em view system-vie w — Configure the timeout time factor for the device stp timer-factor number Required The timeout time factor defaults to 3. For a steady network, the timeout time can be five to seven times of [...]
-
Page 196
1-26 Configuration example # Set the maximum transmitting speed of GigabitEthernet 1/0/1 to 15. 1) Configure the maximum transmitting speed in system view <device> system-view [device] stp interface GigabitEthernet1/0/1 transmit-limit 15 2) Configure the maximum transmitting speed in Etherne t port view <device> system-view [device] int[...]
-
Page 197
1-27 You are recommended to configure the Ethernet ports connected directly to terminal s as edge ports and enable the BPDU guard function at the sa me time. This not only enables these ports to turn to the forwarding state rapidly bu t also secures your netwo rk. Configuration example # Configure GigabitEthernet 1/0/1 as an edge port. 1) Configure[...]
-
Page 198
1-28 To do… Use the command… Remarks Specify whether the link connected to a port is a point-to-point link stp point-to-point { force-true | force-false | auto } Required The auto keywo rd is adopted by default. z Among aggregated ports, you can onl y configu re the links of master ports as point-to-poi nt links. z If an auto-negotiating port o[...]
-
Page 199
1-29 To do… Use the command… Remar ks Enter syst em view system-vie w — Enable MSTP stp enable Required MSTP is disabled by default. Enter Ethernet port view interface interface-type interface-number — Disable MSTP on the port stp disable Optional By default, MSTP is enabled on all ports after you enable MSTP in system view. To enable a dev[...]
-
Page 200
1-30 Task Remarks Configuring the Mode a Port Re cognizes and Sends MSTP Packet s Optional Configuring the Timeout Time Factor Optional Configuring the Maximum Transmitting Speed on the Current Port Optional The default value is recom mended. Configuring the Current Port as an Edg e Port Optional Configuring the Path Cost for a Port Optional Config[...]
-
Page 201
1-31 Configuring the Path Cost for a Port The path co st parameter reflect s the rate of the link con nected to the port. For a port on an MSTP-enabled device, the path cost m ay be differ ent in dif ferent sp anning tree inst ance s. Y ou can enable flows of dif ferent VLANs to travel along dif fer ent physi cal links by configuring a ppropriate p[...]
-
Page 202
1-32 When calculating the p ath cost of an aggregat ed link, the 802.1D-1998 st andard does not t ake the number of the port s on the aggregated link into account, whereas the 802.1T st andard does. The following formula is used to calculate the path cost of an aggregated link: Path cost = 200,000/ link transmission speed, where ‘link transmissio[...]
-
Page 203
1-33 [device] stp pathcost-standard dot1d-1998 2) Perform this configuration in Ethernet port view <device> system-view [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] undo stp instance 1 cost [device-GigabitEthernet1/0/1] quit [device] stp pathcost-standard dot1d-1998 Configuring Port Priority Port priority is an import[...]
-
Page 204
1-34 [device] stp interface GigabitEthernet1/0/1 instance 1 port priority 16 2) Perform this configuration in Ethernet port view <device> system-view [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] stp instance 1 port priority 16 Specifying Whether the Link Connected to a Port Is a Point-to-point Link Refer to S pecifyin[...]
-
Page 205
1-35 To do… Use the command… Remarks Enter syst em view system-vie w — Enter Ethernet port view interface interface-type interface-num b er — Perform the mCheck operation stp mcheck Required Configuration Example # Perform the mCheck operation on GigabitEthern et 1/0/1. 1) Perform this configuration in system view <device> system-view[...]
-
Page 206
1-36 Loop guard A device maintains the st ates of the root port and other blocked por t s by receiving and pr ocessing BPDUs from the upstream device. These BPDUs ma y get lost because of network congestions or unidirectional link failure s. If a device does not rece ive BPDUs from the upst ream device for certai n period, the device selects a new [...]
-
Page 207
1-37 Configuration Prerequisites MSTP run s normally on the device. Configuring BPDU Guard Configuration procedure Follow these steps to co nfigure BPDU guard: To do… Use the command… Remarks Enter syst em view system-vie w — Enable the BPDU guard function stp bpdu-protection Required The BPDU guard function is disabled by default. Configurat[...]
-
Page 208
1-38 2) Perform this configuration in Ethernet port view <device> system-view [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] stp root-protection Configuring Loop Guard Configuration procedure Follow these steps to co nfigure loop guard: To do… Use the command… Remarks Enter syst em view system-vie w — Enter Ethern[...]
-
Page 209
1-39 # Set the maximum times for the device to remove the MAC address t able within 10 se conds to 5. <device> system-view [device] stp tc-protection threshold 5 Configuring BPDU Dropping Follow these steps to co nfigure BPDU dropping: To do… Use the command… Remarks Enter syst em view system-vie w — Enter Ethernet port view interface i[...]
-
Page 210
1-40 Configuring Digest Snooping Configure the digest snooping fe ature on a device to enable it to comm unicate with other devices adopting propriet ary protocols to calculate configu r ation digests in the same MST region through MSTIs. Configuration prerequisites The device to be configured is con nected to a dev ice of another ve ndor adopting [...]
-
Page 211
1-41 z When the digest snooping feature is enabled on a por t, the port state turns to the discarding state. That is, the port will not send BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port. z The digest snooping feature is needed o nly when your device is connected to a device of ano t[...]
-
Page 212
1-42 Figure 1-6 The RSTP rapid transition mechanism Figure 1-7 The MSTP rapid transition mechanism The cooperation between MSTP and RSTP is limited in the p rocess of rapid transition. For example, when the upstream devi ce adopts RSTP , the downs tream device adopt s MSTP and the downstream device does not support RSTP-comp atible mode, t he root [...]
-
Page 213
1-43 Configuring Rapid Transition Configuration prerequisites As shown in Figure 1-8 , a WX3000 series device i s connected to a device of another ven dor . The former operates as the downstre am device, and the latte r operate s as the upst ream device. The network operates normally . The upstream device is running a proprie tary sp anning tr ee p[...]
-
Page 214
1-44 z The rapid transition feature can b e enabled on only root ports or alternate ports. z If you configure the rapid transition feature on a designated port, the feature does not take effect on the port. Configuring VLAN-VPN Tunnel Introduction The VLAN-VPN T unnel f unction enables STP packet s to be transp arently transmitted between geographi[...]
-
Page 215
1-45 To do… Use the command… Remarks Enter Ethernet port view interface interface-type interface-number Make sure that you enter the Ethernet port view of the port for which you want to enable the VLAN-VPN tunnel function. Enable the VLAN VPN function for the Ethernet port vlan-vpn enable Required By default, the VLAN VPN function is disabled o[...]
-
Page 216
1-46 [device] stp portlog all Enabling Trap Messages Conforming to 802.1d Standard The device sends trap messages conforming to 802. 1d standa rd to the network management device in the following two cases: z The device becomes the root bridge of an insta nce. z Network topology changes are detected. Configuration procedure Follow these steps to en[...]
-
Page 217
1-47 MSTP Configuration Example Network requirements Implement MSTP in the network show n in Figure 1-10 to enable p acket s of diff erent VLANs to be forwarded along dif ferent spanning tree i nstances. The det ailed configurations are as follows: z All switches in the network belong to the same MST region. z Packets of VLAN 10, VLAN 30, VLAN 40, [...]
-
Page 218
1-48 [SwitchA] stp instance 1 root primary 2) Configure Switch B # Enter MST regi on view . <SwitchB> system-view [SwitchB] stp region-configuration # Configure the region name, VLAN-to -MSTI mapping table, and revision level f or the MST region. [SwitchB-mst-region] region-name example [SwitchB-mst-region] instance 1 vlan 10 [SwitchB-mst-reg[...]
-
Page 219
1-49 VLAN-VPN tunnel Configuration Example Network requirements As shown in Figure 1-1 1 : z The WX3000 series devices operate a s the acce ss devices of the operator’s network, that is, Switch C and Switch D in the network di agram. z Devices of other series op erate as the access devi ce s of the user’s netwo rk, that is, Switch A and Switch [...]
-
Page 220
1-50 [SwitchC] stp enable # Enable the VLAN-VPN tunnel function. [SwitchC] vlan-vpn tunnel # Add GigabitEthernet 1/0/1 to VLAN 10. [SwitchC] vlan 10 [SwitchC-Vlan10] port GigabitEthernet1/0/1 [SwitchC-Vlan10] quit # Disable STP on GigabitEthernet 1/0/1 and then enable the VLA N VPN function on it. [SwitchC] interface GigabitEthernet1/0/1 [SwitchC-G[...]
-
Page 221
i Table of Contents 1 802.1x Confi guration ········································································································· ························ 1-1 Introduction to 802.1x··········[...]
-
Page 222
1-1 1 802.1x Configuration The sample output inform ation in this manual wa s created on the WX3024. The output information on your device may vary. Introduction to 802.1x The 802.1x protocol (802.1x for short) was developed by IEEE802 LAN/W AN committee to address security issues of wi reless LANs. It was then use d in Ethernet as a common acce ss[...]
-
Page 223
1-2 z The authenticator sy stem, residing at t he other end of the LAN se gment link, is the entity that authenticates the connected su pplicant system. The authenticato r system is usually an 802.1x-supported network device. It pr ovides ports (phy sical or logical) for the supplicant system to access the LA N. z The authentication server system i[...]
-
Page 224
1-3 The Mechanism of an 802.1x Authentication System IEEE 802.1x authentication uses the ex tensible authenticatio n protocol (EAP) to exchange information between supplicant system s and the authentication servers. T o be compatibl e with 802.1X in a LAN environment, the client program mu st support t he Extensible Authentication Protocol over LAN[...]
-
Page 225
1-4 03: Indicates that the packet is an EAPoL-ke y packet, which carries key informati on. 04: Indicates that the packet is an EAPoL - encapsulat ed-ASF-Alert packe t, which is us ed to suppo rt the alerting messages of ASF (alerting standa rds forum). z The Length field indicate s the size of the Packet bo dy field. A value of 0 indicates that the[...]
-
Page 226
1-5 Fields added for EAP authentication T wo fields, EAP-message and Message- authenticator , are added to a RADIUS protocol packet for EAP authentication. (Refer to the Introdu ction to RADIUS protocol se ction in the AAA Operation Manual for information about the format of a RADIUS protocol p acket.) The EAP-message field, whos e format is shown [...]
-
Page 227
1-6 z EAP-TTLS is a kind of extended EAP-TLS. EAP-TLS implements bidirectional authentication between the client and authentic ation server. EAP-TTLS transm it message using a tunnel established using TLS. z PEAP creates and uses TLS security channels to en sure data integrity and then performs new EAP negotiations to verify supplicant sy stem s. F[...]
-
Page 228
1-7 password using a randomly -generated key, and se nds the key to the device through an RADIUS access-challenge packet. The device the n sen ds the key to the iNode client. z Upon receiving the key (en capsulated in an EAP -requ est/MD5 challenge packet ) from the device, the client program encrypt s the password of t he supplica nt system with t[...]
-
Page 229
1-8 Figure 1-9 802.1x authentication procedure (in EA P terminating mode) S uppl icant syst e m PAE Au the n ti c a to r syst e m P A E RA DI US se rve r EAPOL RA DI US EAPOL - Sta r t E A P- R equest /I dent i t y E A P- Respons e / I dent it y E A P - Reque st / MD 5 Chal lenge EAP - Suc c es s E A P - Res pons e / M D 5 Chal l enge RA DI US A cc[...]
-
Page 230
1-9 z RADIUS server timer ( server-timeout ). This timer sets the server -timeout pe riod. After sending an authentication request packet to the RADIUS server, the device sen d s another authentication request packet if it does not receive the response from the RADI US server when this timer times out. z Supplicant system timer ( supp-timeout ). Th[...]
-
Page 231
1-10 This function needs the cooperation of i Node client and a iMC server . z The iNode client needs to cap able of detecting multiple netwo rk ad apters, pr oxies, and IE proxies. z The iMC server is configured to disable the use of multiple network adapte rs, pr oxies, or IE proxies. By default, an iNode client program allo ws use of multiple ne[...]
-
Page 232
1-11 Refer to AAA Operation Ma nual for detailed inform atio n about the dynamic VLAN delivery function. Enabling 802.1x re-authentication 802.1x re-authentication is timer-triggered or p acket -triggered. It re-authe nticates users wh o have passed authentication. Wit h 802. 1x re-authentication enabl ed, the device can monitor th e connection sta[...]
-
Page 233
1-12 Figure 1-11 802.1x configuration ISP domai n configuration AA A scheme Local authenticatio n RADIUS scheme 802.1x configuration ISP domain configurati on AAA scheme Local authentication RADIUS scheme 802.1x configuration z An 802.1x user uses the domain name to associ ate with the ISP domain configu red on the device. z Configure the AAA schem[...]
-
Page 234
1-13 To do… Use the command… Remarks In system view dot1x [ interface interface-list ] interface interface-type interface-numb er dot1x Enable 802.1x for specified ports In port view quit Required By default, 802.1x is disabled on all ports. Set port authorization mode for specified ports dot1x port-control { authorized -force | unauthorized-fo[...]
-
Page 235
1-14 z 802.1x configurations take effect only after you enabl e 802.1x both globally and for specified ports. z If you enable 802.1x for a port, you cannot set t he maximum number of MAC addresses that can be learnt for the port. Meanwhile, if you set the maximum number of MAC addres ses that can be learnt for a port, it is prohibited to enable 802[...]
-
Page 236
1-15 To do… Use the command… Remarks Set 802.1x timers dot1x timer { handshake-period handshake-period-valu e | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeou t-value | tx-period tx-period-va lue | ver-period v er-period- value } Optional The settings of 802.1x timers are as follows. z handshake[...]
-
Page 237
1-16 To do… Use the comm and… Remarks In system view dot1x supp-proxy-check { logoff | trap } [ interface interface-list ] interface interface-type interface-number dot1x supp-proxy-check { logoff | trap } Enable proxy checking for a port/specified ports In port view quit Required By default, the 802.1x proxy checking is disabl ed on a port. z [...]
-
Page 238
1-17 As for the dot1x version-user command, if you execute it in sy stem view without specifying the interface-list argument, the command a pplies to all ports. You can also execute this command in port view. In this case, this command applie s to the current port only and the interface-list argument is not needed. Enabling DHCP-triggered Authentic[...]
-
Page 239
1-18 Configuring 802.1x Re -Authentication Follow these steps to ena bl e 802.1x re-authentication: To do… Use the command… Remarks Enter syst e m view system-view — Enable 802.1x globally dot1x Required By default, 802.1x is disabled globally. In system vie w dot1x [ interface interface-list ] Enable 802.1x for specified ports In port view d[...]
-
Page 240
1-19 Follow these steps to co nfigure the re-authentication interval: To do… Use the command… Remarks Enter syst e m view system-view — Configure a re-authentication interval dot1x timer reauth-period reauth-period -value Optional By default, the re-authentication interval is 3,600 seconds. Displaying and Maintaining 802.1x To do… Use the c[...]
-
Page 241
1-20 Figure 1-12 Network diagram for AAA configurati on with 802.1x and RADIUS enabled Configuration procedure Following configuration covers the major AAA/ RADIUS configuration commands. Refer to AAA Operation Manual for the informatio n about these command s. Config uration on the client and the RADIUS servers is omitted . # Enable 802.1x globall[...]
-
Page 242
1-21 [device-radius-radius1] key accounting money # Set the interval and the number of the retries for th e switch to send p a ckets to the RADIUS servers. [device-radius-radius1] timer 5 [device-radius-radius1] retry 5 # Set the timer for the switch to send real-tim e accounting p acket s to the RADIUS servers. [device-radius-radius1] timer realti[...]
-
Page 243
2-1 2 Quick EAD Deployment Configuration Introduction to Quick EAD Deployment Quick EAD Deployment Overview As an integrated solution, an endpoint admissio n defense (EAD) solution can improve the overall defense power of a network. In real applications , however , deploying EAD clients proves to be time-consuming and incon v enient. The device ena[...]
-
Page 244
2-2 Configuration Procedure Configuring a free IP range A free IP range is an IP ran ge that users can access before p assing 802.1x authe ntication. Follow these steps to co nfigure a free IP range: To do… Use the command… Remarks Enter syst e m view system-view — Configure the URL for HTTP redirection dot1x url url-string Req uired Configur[...]
-
Page 245
2-3 Follow these steps to co nfigure the ACL timer: To do… Use the command… Remarks Enter syst e m view system-view — Set the ACL timer dot1x timer acl-timeout acl-timeout-value Required By default, the ACL timeout period is 30 minutes. Displaying and Maintaining Quick EAD Deployment To do… Use the command… Remarks Display configuration i[...]
-
Page 246
2-4 Configuration procedure Before enabling quick EAD deployment, make su re th at: z The Web server is configured properly. z The default gateway of the PC is configured as the IP addre ss of the Layer-3 virtual interface of the VLAN to which the port that is directly co nne cted with the PC belongs. # Configure the URL for HTTP redirection. <d[...]
-
Page 247
3-1 3 System-Guard Configuration System-Guard Overview At first, you must determine whether the CPU i s under att ack to implement sy stem guard for the CP U. Y ou should not determine whether the CPU is unde r at tack just accordin g to whether congestion occurs in a queue. Instead, you must do that in the following ways: z According to the number[...]
-
Page 248
3-2 Displaying and Maintaining System-Guard To do… Use the command… Remarks Display the record of detected attacks display system-guard attack-record Available in any view Display the state of the system-guard feature display system-guard state Available in any view[...]
-
Page 249
i Table of Contents 1 AAA Ov erview ············································································································································ 1-1 Introducti on to AAA ····[...]
-
Page 250
ii Troublesho oting AAA ············································································································ ················ 2-30 Troubleshooting RADI US Config uration················?[...]
-
Page 251
1-1 1 AAA Overview The sample output inform ation in this manual wa s created on the WX3024. The output information on your device may vary. Introduction to AAA AAA is the acronym for the three security functions: authentication, author ization and acco unting. It provides a uniform framew ork for you to config ure th ese three functions to impleme[...]
-
Page 252
1-2 z Local authorization: Users are autho rized according to the related attribute s configured for their local accounts on this device . z RADIUS authorization: Users are autho rized after they pass RADIUS authenticati on. In RADIUS protocol, authentication and authori zation are combined togeth er, and authorization can not be performed alone wi[...]
-
Page 253
1-3 z The RADIUS server receives user co nnection request s, authenticates users, and retu rns all required information to the device. Generally , a RADIUS se rver maint ains the followi ng thre e databa ses (see Figure 1-1 ): z Users: This database stores in formation about users (su ch as us er name, password, protocol adopted and IP addres s). z[...]
-
Page 254
1-4 2) The RADIUS client receiv es the user name and password, and then sends an authentication request (Access-Request) to the RADIUS server. 3) The RADIUS server compares the rece ived user information with that in the Users database to authenticate the user. If the auth entication succeeds, the RADIUS server sends back to the RADIUS client an au[...]
-
Page 255
1-5 Code Message type Message description 3 Access-Reject Direction: server-> client. The server transmits this message to the client if any attribute value carried in the Access-Request me ssage is unacceptable (that is, the user fails the authentication). 4 Accounting-Requ est Direction: client->server. The client transmits this m essag e t[...]
-
Page 256
1-6 Type field value Attribute type Type field value Attribute type 8 Framed-IP-Address 30 Called-Station-Id 9 Framed-IP-Netmask 31 Calling-Station-Id 10 Framed-Routing 32 NAS-Identifier 11 Filter-ID 33 Proxy-State 12 Framed-MTU 34 Login-LAT-Service 13 Framed-Compre ssion 35 Login-LAT-Node 14 Login-IP-Host 36 Login-LAT-Group 15 Login-Service 37 Fra[...]
-
Page 257
1-7 Compa red with RADIUS, HWT ACACS provides more reliable transmission and encryption, and therefore is more suit able for secu rity control. T able 1-3 lists the primary dif ferences betwe en HWT ACACS and RADIUS. Table 1-3 Differences between HWTA CACS an d RADIUS HWTACACS RADIUS Adopts TCP, providing more reliable net work transmission. Adopts[...]
-
Page 258
1-8 Figure 1-6 AAA implementation procedure for a telnet user TACACS s e r v er Us er TAC ACS c lien t Reques ts t o l og in A ut hent icat i on s t art reques t A ut hent i cati on res pons e , reques t ing username Reques ts user name Ent ers user name A ut hent i cati on co nt i nuous mess age , ca rry ing use rname A ut hent i cati on res pons [...]
-
Page 259
1-9 9) After receivin g the response indicatin g an autho rizati on success, the TA CA CS client pushes the configuration interface of the device to the user. 10) The TACACS client sends an accountin g start request to the TACACS server. 11) The TACACS server returns an a ccounting response, indicating that it has receive d the accounting start req[...]
-
Page 260
2-1 2 AAA Configuration AAA Configuration Task List Configuration Introduction Y ou need to configure AAA to provide network acce ss se rvices for l egal users while protectin g network devices and preventing unautho rized a ccess and repudiation b ehavior . Complete the following t a sks to configure a combined AAA scheme for an ISP domain: Task R[...]
-
Page 261
2-2 Task Remarks Creating an ISP Domain and Configuring Its Attributes Required Configuring sepa rate AAA schemes Required Configuring an AAA Scheme for an ISP Domain Required z With separate AAA schemes, you can specify authentication, authorization and accounting schemes respectively. z You need to configure RADIUS or HWATACACS before performing [...]
-
Page 262
2-3 To do… Use the command… Remarks Set the accounting-optional switch accounting optional Optional By default, the accounting-optional switch is off. Set the messenger function messenger time { enable limit interval | disable } Optional By default, the messenger function is disabled. Set the self-service server location function self-service-u[...]
-
Page 263
2-4 this way , you cannot specify dif ferent schemes for authenticat ion, authorization and accounting respectively . Follow these steps to co nfigure a com bined AAA scheme: To do… Use the command… Remarks Enter syst e m view system-vie w — Create an ISP domain and enter its view, or enter the view of an existing ISP domain domain isp-name R[...]
-
Page 264
2-5 Y ou can use an arbitrary combination of the above im plement ations for your AAA scheme configuration. 2) For FTP users Only authentication is supported for FTP users. Authentication: RADIUS, local, or HWT ACACS. Follow these steps to co nfigure separat e AAA schemes: To do… Use the command… Remarks Enter syst e m view system-vie w — Cre[...]
-
Page 265
2-6 upon receiving an integer ID assigned by the RADIUS authentication serv er, the device adds the port to the VLAN whose VLAN ID is equal to the a ssigned integer ID. If no such a VLAN exists, the device first creates a VLAN with the assigned ID, and then adds the port to the newly creat ed VLAN. z String: If the RADIUS authenticatio n server ass[...]
-
Page 266
2-7 Follow these steps to co nfigure t he attributes of a local user To do… Use the command… Remarks Enter syst e m view system-vie w — Set the password display mod e of all local users local-user password-display-mode { cipher-force | auto } Optional By default, the password display mode of all access users is auto , indicating the passwords[...]
-
Page 267
2-8 z The following characters a re not allowed in the user-name stri ng: /:*?<>. And you cannot input more than one “@” in the string. z After the local-user pass word-display -mode cipher-force com mand is executed, any p assword will be displayed in ciphe r mode even though you specify to display a user password in plain text by using [...]
-
Page 268
2-9 Complete the following t a sks configure RADIUS fo r the device functioning as a RADIUS client: Task Remarks Creating a RADIUS Scheme Required Configuring RADIUS Authentication/Authori zation Se rvers Required Configuring RADIUS Accounting Servers Required Configuring Shared Keys for RADIUS M essages Optional Configuring the Maximum Num ber of [...]
-
Page 269
2-10 secondary servers with the same configuration but dif ferent IP addresses) in a RADIUS sche me. After creating a new RADIUS scheme, you should configu re the IP addr ess and UDP port number of each RADIUS server you want to use in this sche me. These RADIUS se rvers fall into two types: authentication/authorization, and ac counting. And fo r e[...]
-
Page 270
2-11 To do… Use the command… Remarks Enter syst e m view system-vie w — Create a RADIUS scheme and enter its view radius scheme radius-scheme-n ame Required By default, a RADIUS scheme named "system" has alread y been created in the system. Set the IP address and port number of the primary RADIUS authentication/authorization server [...]
-
Page 271
2-12 To do… Use the command… Remarks Set the IP address and port number of the secondary RADIUS accounting serve r secondary accounting ip-address [ port-num ber ] Optional By default, the IP address and UDP port number of the secondary accounting serv er are 0.0.0.0 and 1813 for a newly created RADIUS scheme. Enable stop-accounting request buf[...]
-
Page 272
2-13 received from each other b y using the shared ke ys that have been set on them, and can accept and respond to the messages only when bo th p arties have the same shared key . Follow these steps to co nfigure sh ared keys for RADIUS messages: To do… Use the command… Remarks Enter syst e m view system-vie w — Create a RADIUS scheme and ent[...]
-
Page 273
2-14 To do… Use the command… Remarks Enter syst e m view system-vie w — Create a RADIUS scheme and enter its view radius scheme radius-scheme-n ame Required By default, a RADIUS scheme named "system" has alread y been created in the system. Configure the type of RADIUS servers to be supported server-type { exten ded | standard } Opt[...]
-
Page 274
2-15 To do… Use the command… Remarks Set the status of the primary RADIUS authentication/authorization server state primary authentication { block | activ e } Set the status of the primary RADIUS accounting serve r state primary accounting { block | activ e } Set the status of the secondary RADIUS authentication/authorization server state secon[...]
-
Page 275
2-16 z Generally, the access users are named in the userid@i sp-name or userid.isp-name format. Here, isp-name after the “ @” or “.” character represents the I SP domain name, by which the device determines which ISP domain a user belon gs to. However, some old RADIUS servers cannot accept the user names that carry ISP domain nam es . In th[...]
-
Page 276
2-17 z If you adopt the local RADIUS authentication se rv er function, the UDP port number of the authentication/authorization server must be 1645, the UDP po rt number of the accounting server must be 1646, and the IP addresses of the servers m ust be set to the add resses of this device. z The message encryption key set by the local-serv er nas-i[...]
-
Page 277
2-18 To do… Use the command… Remarks Set the response timeout time of RADIUS servers timer response-timeout seconds Optional By default, the response timeout time of RADIUS servers is thr ee seconds. Set the time that the device waits before it try to re-communicate with primary server and restore the stat us of the primary server to active tim[...]
-
Page 278
2-19 online when the user re-l ogs into the switching en gi ne before the iMC performs online u ser detection, and the user cannot get au thenticated. In this case, the u ser can access the netwo rk again only when the iMC administrator manually remo ves the user's online info rmat ion. The user re-authentication at rest art function is design[...]
-
Page 279
2-20 Task Remarks Creating a HWTACACS Scheme Required Configuring TACACS Authenticatio n Servers Required Configuring TACACS Authori zation Servers Required Configuring TACACS Acco unting Serve rs Optional Configuring Shared Keys for RADIUS Messages Optional Configuring the Attributes of Data to be Sent to TACACS Servers Optional Configuring the TA[...]
-
Page 280
2-21 To do… Use the command… Remarks Set the IP address and port number of the primary TACACS authentication server primary authentication ip-address [ port ] Required By default, the IP address of the primary authentication server is 0.0.0.0, and the port number is 0. Set the IP address and port number of the secondary TACACS authentication se[...]
-
Page 281
2-22 z You are not allowed to co nfigure the same IP address for both p rimary and secondary autho rization servers. If you do this, the system will prompt that the c onfiguration fails. z You can remove a server only when it is not us ed by any active TCP connection for sending authorization messages. Configuring TACACS Accounting Servers Follow t[...]
-
Page 282
2-23 The T ACACS client and server adopt MD5 algo rith m to encrypt HWT ACACS messages before they are exchanged between the two p arties. The two p artie s verify the validity of the HWT ACACS messages received from each other b y using the shared ke ys that have been set on them, and can accept and respond to the messages only when bo th p arties[...]
-
Page 283
2-24 Generally, the access users a re named in the userid@i sp-name or userid.isp-nam e format. Where, isp-name after the “ @ ” or “.” character rep resents the ISP domain name. If the TACACS server does not accept the user names that carry ISP domain n ames, it is necessary to remove domain names fro m user names before they are sent to TA[...]
-
Page 284
2-25 Displaying and Maintaining AAA Displaying and maintaining AAA information To do… Use the command… Remarks Display configuration information about one specific or all ISP domains displa y domain [ isp-name ] Display information about user connectio ns display connection [ access-type { dot1x | mac-authen tication } | domain isp-name | inter[...]
-
Page 285
2-26 Displaying and maintaining HWTACACS protocol information To do… Use the command… Remarks Display the configuration or statistic information about one specific or all HWTACACS schemes display hwtacacs [ hwtacacs-scheme-name [ statis tics ] ] Display buffered non-response stop-accounting re que sts display stop-accounting-buffer hwtacacs-sch[...]
-
Page 286
2-27 Figure 2-1 Remote RADIUS authentication of Telnet users Intern et T elnet us er A ut hent i cati on serv er 10 . 110 . 91 . 164 Configuration procedure # Enter system view . <device> system-view # Adopt AAA authentication for T elnet users. [device] user-interface vty 0 4 [device-ui-vty0-4] authentication-mode scheme [device-ui-vty0-4] q[...]
-
Page 287
2-28 Local Authentication of FTP/Telnet Users The configuration procedure for local authentication of FTP users is similar to that for Telnet users. The following text only takes Telnet users as example to describe the configuration procedure for local authentication. Network requirements In the network environment shown in Figure 2-2 , you are req[...]
-
Page 288
2-29 z Change the server IP address, and the UDP port number of the authent ication server to 127.0.0.1, and 1645 respectively in the co nfiguratio n step "Configure a RADI US scheme" in Remote RADIUS Authentication of Telnet/SSH Users z Enable the local RADIUS server function, set the IP addre ss and shared key for the network access ser[...]
-
Page 289
2-30 Troubleshooting AAA Troubleshooting RADIUS Configuration The RADIUS protocol operate s at the application laye r in the TCP/IP protocol suite. This protocol prescribes how the device and the RADIUS server of the ISP exchange u ser information with each other . Symptom 1 : User authentication/authorization always fails. Possible reasons and sol[...]
-
Page 290
3-1 3 EAD Configuration Introduction to EAD Endpoint admission defense (EAD) i s an attack def ens e solution. Using thi s solution, you can enhance the active defense cap ability of network end point s, prevent s viruses and worm s from spreading on the network, and protect s the entire network by limiting the access right s of insecure end points[...]
-
Page 291
3-2 After the clien t is patched and complia nt with the re quired security st andard, the security policy se rver reissues an ACL to the device, which then assigns access right to the client so that the client ca n access more network r esources. EAD Configuration The EAD configuration include s: z Configuring the attributes of access u sers (such[...]
-
Page 292
3-3 Figure 3-2 EAD configuration GE 1 / 0 / 1 In te r n e t Us e r Secur it y Polic y Ser ver s 10. 110. 9 1. 166 V i ru s P a tc h S erv ers 10. 110. 9 1. 168 Au then ti c ati on Se r v ers 10 . 1 10 . 91.164 Configuration procedure # Configure 802.1x on the device. Refer to the section ”Configuring 802.1x” of 802.1x Config uratio n . # Config[...]
-
Page 293
i Table of Contents 1 MAC Authen tication Conf iguration····························································································· ············· 1-1 MAC Authenticat ion Overview ·······················?[...]
-
Page 294
1-1 1 MAC Authentication Configuration The sample output inform ation in this manual wa s created on the WX3024. The output information on your device may vary. MAC Authentication Overview MAC authentication provides a way for authentic ating users based on p orts and MAC addresses, without requiring any client software to be inst alle d on the hos[...]
-
Page 295
1-2 included dependi ng on the format configured with the mac-authentication authmode usernameasmacaddress usernamefo r mat co mman d; otherwise, the authentication will fail. z If the username type is fixed username, you need to configure the fixed username and password on the device, which are used by the de vice to authenticate all use rs. The s[...]
-
Page 296
1-3 To do… Use the command… Remarks In system view mac-authentication inter f ace interface-list interface interface-type interface-number mac-authentication Enable MAC authentication for the specified port(s) or the current port In interface view quit Use either method Disabled by default Set the username in MAC address mode for MAC authentica[...]
-
Page 297
1-4 MAC Address Authentication Enhanced Function Configuration MAC Address Authentication Enhanced Function Configuration Tasks Complete the following t a sks to configure MAC address authenti cation enhanced function: Task Remarks Configuring a Guest VLAN Optional Configuring the Maximum Num ber of M AC Address Authentication Users Allo wed to Acc[...]
-
Page 298
1-5 z Guest VLANs are implemented in the mode of ad di ng a port to a VLAN. For example, when multiple users are connected to a port, if the first us er fails in the authenticat ion, the other users ca n access only the contents of the Guest VLAN. T he device will re-authenticate only the first user accessing this port, and the other users cannot b[...]
-
Page 299
1-6 z If more than one client is connected to a port, you ca nnot configure a Guest VLAN for this port . z When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on th e number of MAC address aut hentication users to more than one, the configur ation does not take effect. [...]
-
Page 300
1-7 z If both the limit on the number of MAC address authentication user s and the limit on the numb er of users configured in the p ort security function are configured for a p ort, the smaller value of the two configured limits is adopted as th e maximum numb er of MAC address authenticat ion users allowed to access this port. Refer to the Port S[...]
-
Page 301
1-8 # Add a local user . z Specify the username and password. [device] local-user 00-0d-88-f6-44-c1 [device-luser-00-0d-88-f6-44-c1] password simple 00-0d-88-f6-44-c1 z Set the service type to “lan-access”. [device-luser-00-0d-88-f6-44-c1] service-type lan-access [device-luser-00-0d-88-f6-44-c1] quit # Add an ISP domain named aabbcc.net. [devic[...]
-
Page 302
i Table of Contents 1 IP Addressing Configuration ·································································································· ·················· 1-1 IP Addressing Overview ···················?[...]
-
Page 303
1-1 z The term switch used throughout this docum ent re fers to a switching device in a generi c sense or the switching engine of the WX30 00 seri es. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. 1 IP Addressing Configuration IP Addressing Overview IP Address Classes IP [...]
-
Page 304
1-2 Table 1-1 IP address classe s and ranges Class Address range Remarks A 0.0.0.0 to 127.255.255.255 Address 0.0.0.0 means this host no this netwo rk. This address is used by a host at bootstrap when it does not know its IP address. This address is never a valid destination address. Addresses st arting with 127 are reserved for loopback test. Pack[...]
-
Page 305
1-3 adds an additional level, subnet ID, to the two-le vel hierarchy with IP addressing, IP routing now involves three steps: deliv ery to the site, de livery to the subnet, and delivery to the host. In the absence of subnetting, some speci al addresses su ch as the addresses with the net ID of all zeros and the addresses with the host ID of all on[...]
-
Page 306
1-4 z You can assign at most two IP address t o an inte rface, among which one is the primary IP address and another is secondary IP addresses. A newly specified primary IP address overwrites the previous one if there is any . z The primary and seconda ry IP addresses of an interface cannot reside on the same network segment; the IP address of a VL[...]
-
Page 307
1-5 IP Address Configuration Example II Network requirements As shown in Figure 1-4 , VLAN-interfa ce 1 on Switch is connected to a LAN com prising two segment s: 172.16.1.0/24 and 172.16.2.0/24. T o enable the hosts on the two network seg ments to comm unicate with the external networ k through Switch, and the host s o n the LAN can communicate wi[...]
-
Page 308
1-6 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 25/26/27 ms The output information shows that Switch can comm unicate with the host s on the subnet 172.16.1.0/24. # Ping a host on the subnet 172.16.2.0/24 fr om Switch to check the con nectivity . <Switch> ping 172.16.2.2 PING 172.16.2.2: 56 data byt[...]
-
Page 309
2-1 2 IP Performance Configuration IP Performance Overview Introduction to IP Performance Configuration In some network e nvironment s, you need to adjust the IP paramete rs to achieve best netwo rk performance. The IP performance config uratio n supported by the device include s: z Configuring TCP attributes z Disabling sending of ICMP error packe[...]
-
Page 310
2-2 To do… Use the comm and… Remarks Enter syst e m view system-view — Configure TCP synwait timer’s timeout value tcp timer syn-timeou t time-value Optional By default, the timeout value is 75 seconds. Configure TCP finwait timer’s timeout value tcp timer fin-timeout time-value Optional By default, the timeout value is 675 seconds. Confi[...]
-
Page 311
2-3 Displaying and Maintaining IP Performance Configuration To do… Use the command… Remar ks Display TCP connection status display tcp status Display TCP connection statistics display tcp statistics Display UDP traffic statistics display udp statistics Display IP traffic statistics display ip statistics Display ICMP traffic statistics displa y [...]
-
Page 312
i Table of Contents 1 DHCP Ov erview·········································································································································· 1-1 Introduction to DHCP ······[...]
-
Page 313
1-1 z The term switch used throughout this docum ent re fers to a switching device in a generi c sense or the switching engine of the WX30 00 seri es. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. 1 DHCP Overview Introduction to DHCP With networks getting larger in size a[...]
-
Page 314
1-2 z Manual assignment. Th e administrator configures static IP-to-M AC bindings for some sp ecial clients, such as a WWW server. Then the DHCP server assign s these fixed IP addresses to the clients. z Automatic assignment. The DHCP serv er assigns IP add resses to DHCP cl ients. The IP addresse s will be occupied by the DH CP clients permanently[...]
-
Page 315
1-3 Updating IP Address Lease After a DHCP server dynamically assigns an IP address to a DHCP c lient, the IP address keeps valid only within a specified lease time and will be reclaime d by the DHCP server when the lease expires. If the DHCP cli ent wants to use the IP addres s fo r a longer time, it must update the IP lease. By default, a DHCP cl[...]
-
Page 316
1-4 z siaddr: IP address of the DHCP server. z giaddr: IP address of the first DHCP relay agent that the DHCP client passes after it sent the request packet. z chaddr: Hardwa re ad dress of the DHCP client. z sname: Name of the DHCP server. z file: Path and name of the boot configuration file that the DHCP server spe cifies for the DHCP client. z o[...]
-
Page 317
2-1 2 DHCP Relay Agent Configuration When configuring the DHCP relay agent, go to these section s for i nformation you are interested in: z Introduction to DHCP Relay Agent z Configuring the DHCP Rel ay Agent z Displaying and Maintaining DHCP Rel ay Agent Config uratio n z DHCP Relay Agent Configuration Example z Troubleshooting DHCP Rel ay Agent C[...]
-
Page 318
2-2 Figure 2-1 Typical DHCP relay agent application In the process of dynamic IP address assignment through the DH CP relay age nt, the DHCP cl ient and DHCP serve r interoperate with each oth er in a similar way as they do without the DHCP relay agent. The following sections o nly describe the forwar ding process of the DHCP relay agent. For the i[...]
-
Page 319
2-3 Figure 2-2 Padding contents for sub-o ption 1 of Option 82 Figure 2-3 Padding contents for sub -o ption 2 of Option 82 Mechanism of Option 82 supported on DHCP relay agent The procedure for a DHCP client to obtain an IP address from a DHCP serv er through a DHCP relay agent is similar to that for the client to obt ain an IP addre s s from a DHC[...]
-
Page 320
2-4 Configuring the DHCP Relay Agent If a device belongs to an I RF fabric, you need to enabl e the UDP Helper function on it before configuring it as a DHCP relay agent. DHCP Relay Agent Conf iguration Task List Complete the following t a sks to configure the DHCP relay agent: Task Remarks Correlating a DHCP Server Grou p with a Relay Agent Interf[...]
-
Page 321
2-5 To improve security and avoid maliciou s attack to the unused SOCKETs, the device provides the following functions: z UDP 67 and UDP 68 ports used by DHCP are e nabled only when DHCP is ena bled. z UDP 67 and UDP 68 ports are di sabled when DHCP is disable d. The corresponding implementation is a s follows: z When a VLAN interface is mapped to [...]
-
Page 322
2-6 To do… Use the command… Remarks Enter syst e m view system-view — Create a static IP-to-MAC binding dhcp-security static ip-address mac - address Optional Not created by default. Enter interface view interface interface-type int erface-number — Enable the address checking function address-check enable Required Disabled by default. z The[...]
-
Page 323
2-7 To do… Use the comm and… Remarks Set the interval at which the DHCP relay agent dynamically updates the client address entries dhcp-security tracker { interval | auto } Optional By default, auto is adopted, that is, the interval is automatically calculated. Enabling unauthorized DHCP server detection If there is an unauthorized DHCP se rver[...]
-
Page 324
2-8 To do… Use the command… Remarks Enter syst e m view system-vie w — Enable Option 82 support on the DHCP relay agent dhcp relay information enable Required Disabled by default. Configure the strat egy for the DHCP relay agent to process request packets containing Option 82 dhcp relay information strategy { drop | keep | replace } Optional [...]
-
Page 325
2-9 Figure 2-4 Network diagram for DHCP relay agent Configuration procedure # Create DHCP se rver g roup 1 and configure an IP address of 10.1.1.1 for it. <SwitchA> system-view [SwitchA] dhcp-server 1 ip 10.1.1.1 # Map VLAN-interface 1 to DHCP serve r group 1. [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] dhcp-server 1 z You [...]
-
Page 326
2-10 z Check if an address pool that is o n the same net work seg ment with the D HCP clients is configured on the DHCP server. z Check if a reachable route is configured bet ween the DHCP relay agent and the DHCP serve r. z Check the DHCP relay agent. Check if the corre ct DHCP server group is configu red on the interface connecting the network se[...]
-
Page 327
3-1 3 DHCP Snooping Configuration After DHCP snooping is enabl ed on a device, client s con nected with the device cann ot obtain IP addresses dynami cally through BO OTP . DHCP Snooping Overview Function of DHCP Snooping For security , the IP addre sses used by online DHCP client s need to be tracked for the administrator to verify the correspondi[...]
-
Page 328
3-2 Figure 3-1 Typical network diagram for DHCP snooping ap plication DHCP Cl ie nt Sw itch A (DHCP S noopi ng ) DHCP Cl ie nt DHCP Cl ie nt DHCP Cl i ent Sw itch B ( DHCP Rel ay ) In te r n e t G E 1/0/ 2 G E1/0/1 DHCP S erv er DHCP snoopi ng listens the following two types of packet s to retrieve the IP addresses the DHCP client s obtain from DHC[...]
-
Page 329
3-3 contents). That is, the circuit ID or remote ID sub-op tion defines the type and l ength of a circuit ID or remote ID. The remote ID type field and circuit ID type field are determined by the option storag e format. They are both set to “0” in the case of HEX format and to “1” in the case of ASCII format. Figure 3-2 Extended format of t[...]
-
Page 330
3-4 Table 3-1 Ways of handling a DHCP packet with Option 82 Handling policy Sub-op tion configuration The DHCP snooping device will… Drop — Drop the packet. Keep — Forward the packet without changing Option 82. Neither of the two sub-options is configured Forward the packet after replacing the original Optio n 82 with the default content. The[...]
-
Page 331
3-5 z The resources on the serv er are ex hausted, so the server does n ot respond to other requests. z After receiving such type of packets, a device ne eds to send them to the CPU for proce s sing. Too many request packets cause high CP U usage rate. As a result, the CPU cannot work n orm ally. The device can filter invalid IP packet s through th[...]
-
Page 332
3-6 To do… Use the command… Remarks Specify the current port as a trusted port dhcp-snoopi ng trus t Required By default, after DHCP snooping is enabled, all po rts of a device are untrusted ports. z You need to specify the ports connected to the va lid DHCP servers as tru sted to ensure that DHCP clients can obtain valid IP addre sses. The tru[...]
-
Page 333
3-7 To do… Use the command… Remarks Enter syst e m view system-vie w — Enable DHCP-snooping Option 82 support dhcp-snooping information enable Required By default, DHCP snooping Option 82 support is disabled. Configure a handling policy for DHCP packets with Option 82 Follow these steps to co nfigure a handling policy for DHCP packet s with O[...]
-
Page 334
3-8 The dhcp-sn ooping information format command applies only to the default content of the Option 82 field. If you have configured the circuit ID or remote ID sub-option, the format of the sub-option is ASCII, instead of the one specified with the dhcp-s nooping information format comm and. Configure the circuit ID sub-option Follow these steps t[...]
-
Page 335
3-9 To do… Use the command… Remarks Enter syst e m view s ystem-vie w — Configure the remote ID sub-option in sy stem view dhcp-snooping information remote-id { sy sname | string string } Optional By default, the remote ID sub-option is the MAC addre ss of the DHCP snooping device that received the DHCP client’ s request. Enter Ethernet por[...]
-
Page 336
3-10 To do… Use the command… Remarks Enable IP filtering ip check source ip-address [ mac-address ] Required By default, this function is disabled. Create an IP static binding entry ip source static binding ip-address ip-addre ss [ mac-address mac-address ] Optional By default, no static binding entry is created. z Enable DHCP snooping and spec[...]
-
Page 337
3-11 Configuration procedure # Enable DHCP sn ooping on Switch. <Switch> system-view [Switch] dhcp-snooping # S pecify Gig abitEthern et 1/0/5 as the trusted port. [Switch] interface gigabitethernet 1/0/5 [Switch-GigabitEthernet1/0/5] dhcp-snooping trust [Switch-GigabitEthernet1/0/5] quit # Enable DHCP-snooping Option 82 su ppo rt. [Switch] d[...]
-
Page 338
3-12 Figure 3-7 Network diagram for IP filtering configuration Sw itch DHC P S n ooping GE1 / 0 / 2 Cl i e nt C GE 1 / 0 / 1 DHCP S e r ve r Cl i e n t B Hos t A IP : 1.1.1.1 MA C :0001- 0001-0001 GE1 / 0 / 3 GE1 / 0 / 4 Configuration procedure # Enable DHCP sn ooping on Switch. <Switch> system-view [Switch] dhcp-snooping # S pecify Gig abitE[...]
-
Page 339
3-13 Displaying and Maintaining DHCP Snooping Configuration To do… Use the command… Remarks Display the user IP-MAC address mapping entries recorded b y the DHCP snooping function display dhcp-snooping [ unit unit-id ] Display the (enabled/disabled) state of the DHCP snooping function and the trusted ports display dhcp-snooping trust Display th[...]
-
Page 340
4-1 4 DHCP/BOOTP Client Configuration Introduction to DHCP Client After you specify a VL AN interface as a DHCP cli ent, the device can use DHCP to obtain parameters such as IP address dynamically from the DHCP server , which fac ilitates user configuration and management. Refer to Obtaining IP Addre sses Dynamically for the process of how a DHCP c[...]
-
Page 341
4-2 To do… Use the command… Remarks Configure the VLAN interface to obtain IP address through DHCP or BOOTP ip address { bootp-alloc | dhcp-alloc } Required By default, no IP address is configured for the VLAN interface. Currently, the device operating a s a DHCP cli ent can use an IP addre ss for no m ore than 24 d ays; that is, it can obtain [...]
-
Page 342
4-3 Displaying and Maintaining DHCP/ BOOTP Client Configuration To do… Use the command… Remarks Display related information on a DHCP client displa y dhcp client [ verb os e ] Display related information on a BOOTP client display bootp client [ interface vlan-interface vlan-id ] Available in any view[...]
-
Page 343
i Table of Contents 1 ACL Confi guration ············································································································ ························· 1-1 ACL Overview ············[...]
-
Page 344
1-1 1 ACL Configuration z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of a WX3 000. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. ACL Overview As the network scale and network traf fic are incr easi[...]
-
Page 345
1-2 z auto : where rules in an ACL are matched in the order dete rmined by the system, namely the “depth-first” rule. For depth-first rule, there are two case s: Depth-first match order for rules of a basic ACL 1) Range of source IP address: The smaller the source IP addre ss range (that is, the more the number of zeros in the wildca rd mask ),[...]
-
Page 346
1-3 When applying an ACL in this way , you can specify t he order in which the rules in the ACL are matched . The match order cannot be modified once it is determi ned, unless you delete all the rules in the ACL and define the match order . An ACL can be referenced by uppe r-layer software: z Referenced by routing poli cies z Used to control Telnet[...]
-
Page 347
1-4 Configuration Procedure Follow these steps to co nfigure a time range: To do… Use the command… Remarks Enter syst e m view s ystem-vie w — Create a time range time-range time-nam e { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to en[...]
-
Page 348
1-5 Configuring Basic ACL A basic ACL filters p ackets based on their source IP addresses. A basic ACL can be numbered fro m 200 0 to 2999. Configuration Prerequisites z To configure a time range-based basi c ACL rule, you need to create the corre sponding time range first. For information about time range configuration, refer to Config uring Time [...]
-
Page 349
1-6 rule 0 deny source 192.168.0.1 0 Configuring Advanced ACL An advanced ACL can filter p acket s by their sou rce an d destination IP addresse s, the protocols carried by IP , and protocol-specific features such as TCP/UDP source and destinatio n ports, ICMP message type and message code. An advanced ACL can be numbe red fro m 3000 to 39 99. Note[...]
-
Page 350
1-7 z If the ACL is created with the auto keyword specified, the newly crea ted rules will be inserted in the existent ones by depth-first principle, but the num bers of the existen t rules are unaltered. Configuration Example # Configure ACL 3000 to permit the TCP p acket s so urced from the netwo rk 129.9.0.0/16 and destined for the network 202.3[...]
-
Page 351
1-8 Note that: z You can modify any existent rule of the Layer 2 ACL and the unmod ified part of the ACL re main s. z If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically. If the ACL has no rules, the rule is numbered 0; ot herwise, it is the maximum rule number plus one. z The content of a m[...]
-
Page 352
1-9 z ACLs assigned globally take prec edence over those t hat are assi gned to VLANs. That is, when a packet matches a rule of a globally assi gned ACL an d a rule of an ACL assigned to a VLAN, the device will perform the acti on defined in the rule of the globally a ssigned ACL if the actions de fined in the two rules conflict. z When a packet ma[...]
-
Page 353
1-10 To do… Use the command… Remarks Enter syst e m view system-view — Apply an ACL to a VLAN packet-filter vlan vlan-id inbound acl-rule Required For description on the acl -rule argument, refer to ACL Command . Configuration example # Apply ACL 2000 to VLAN 10 to filter the inbound packet s of VLAN 10 on all the port s. <device> syste[...]
-
Page 354
1-11 Assigning an ACL to a Port Configuration prerequisites Before applying ACL rules to a VLAN, you nee d to define the related ACLs. For info rmation about defining an ACL, refe r to Configuring Basic ACL , Configuring Advanced ACL , Con figur ing Layer 2 ACL . Configuration procedure Follow these steps to appl y an ACL to a port: To do… Use th[...]
-
Page 355
1-12 Examples for Upper-layer Software Referencing ACLs Example for Controlling Telnet Login Users by Source IP Network requirements As shown in Figure 1-1 , apply an ACL to permit users with t he source IP address of 10.1 10.100.52 to telnet to the switching engine. Figure 1-1 Network diagram for controlling Telnet login u se rs by source IP Sw it[...]
-
Page 356
1-13 Configuration procedure # Define ACL 2001. <device> system-view [device] acl number 2001 [device-acl-basic-2001] rule 1 permit source 10.110.100.46 0 [device-acl-basic-2001] quit # Reference ACL 20 01 to control users loggin g in to the W eb serv er . [device] ip http acl 2001 Examples for Applying ACLs to Hardware Basic ACL Configuratio[...]
-
Page 357
1-14 GigabitEthernet 1/0/1 of Switch. Apply an ACL to d eny requests from the R& D department and destin ed for the wage server durin g the working hours (8:00 to 18:00 ). Figure 1-4 Network diagram for advance d ACL configuration GEt h 1/ 0/ 1 Th e R & D Depart ment S witch T o the router W age qu ery s erv er 192. 1 68 . 1 . 2 GE th 1/ 0/[...]
-
Page 358
1-15 <device> system-view [device] time-range test 8:00 to 18:00 daily # Define ACL 4000 to filter p ackets with the sour ce MAC address of 000f-e20f -0101 and the destination MAC address of 000f-e20f-0303. [device] acl number 4000 [device-acl-ethernetframe-4000] rule 1 deny source 000f-e20f-0101 ffff-ffff-ffff dest 000f-e20f-0303 ffff-ffff-f[...]
-
Page 359
1-16 # Apply ACL 3000 to VLAN 10. [device] packet-filter vlan 10 inbound ip-group 3000[...]
-
Page 360
i Table of Contents 1 QoS Confi guration ············································································································ ························· 1-1 Overview ··············[...]
-
Page 361
ii Applying a Qo S Profile ········································································································· ··········· 2-2 Displaying and Mainta ining QoS Profile ······················?[...]
-
Page 362
1-1 1 QoS Configuration z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of the WX 3000 series. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. Overview Introduction to QoS Quality of service (QoS) is a [...]
-
Page 363
1-2 Video-on -Demand (V oD). Enterprise users expect to connect their regional b ranches together usi ng VPN techniques for coping with daily business, fo r insta nce, accessing datab ases or manage remote equipment s through T elnet. All these new applications have o ne thing in comm on, that is, they have special requi rements for bandwid th, del[...]
-
Page 364
1-3 information carried in p acket header . Packet paylo ad is rarely adopted for traf fic classification. The identifying rule is unlimited in ra nge. It can be a quin tuplet consisting of sour ce address, source port number , protocol number , destination address, and destination port number . It can also be simply a network segment. Precedence I[...]
-
Page 365
1-4 z Class selector (CS ) class: This class comes from the IP ToS field and includes ei ght subclasses; z Best Effort (BE) class: This class is a special cl ass without any assurance in the CS class. Th e AF class can be deg raded to the BE clas s if it exceed s the limit. Current IP net work traffic belongs to this class by default. Table 1-2 Des[...]
-
Page 366
1-5 As shown in the figure a bove, each host suppo rti ng 802.1Q protoc ol adds a 4-byte 802.1Q t ag header after the source address of the former Et hernet frame header whe n sending p acket s. The 4-byte 802.1Q t a g header consist s of the t ag pr otocol identifier (TPID, two bytes in len g th), whose value is 0x8100, and the t ag control in for[...]
-
Page 367
1-6 The device does not supp ort marking drop preceden ce for packets. A device can operate in one of the following two priority trust modes when assigning precedence to received packet s: z Packet priority trusted mode z Port priority trusted mode In terms of priority trust mode, the priority mapping pr oce ss is shown in Figure 1-4 . Figure 1-4 A[...]
-
Page 368
1-7 The devices provide COS-pre cedence-to-other-pr ecedence, DSCP-precedence-to-othe r-precedence, and DSCP-precedence -to-DSCP- precedence m apping tabl es for priority mapping. T able 1-4 through T able 1-6 list the default settings of these tables. Table 1-4 The default COS-precedence-to-oth er-pr ecedence m apping table of the devices 802.1p p[...]
-
Page 369
1-8 Protocol Priority Protocol packet s carry their own priority . Y ou can modi fy the priority of a prot ocol packet to implement QoS. Priority Marking The priority marking function is to use ACL rules i n traf fic classification and reassi gn the priority for the packet s matching the ACL rule s. Traffic Policing and Traffic Shaping The network [...]
-
Page 370
1-9 Evaluating the traffic with the token bucket When token bucket is used for traf fic evaluation, the number of the tokens in the token bucket determines the amount of the pa ckets that can be forw arded. If the number of token s in the bucket is enough to forward the pa ckets, the traf fic is conformi ng to the spe cification; otherwise, the tra[...]
-
Page 371
1-10 Figure 1-6 Diagram for traffic shaping Tok en buc k et Dr o p Pa ck et cl a ssif i ca ti o n P ac k et s t o be s ent t h roug h t h i s port Con tin u e to sen d Pu t to k e n s i n th e b u cket a t the set r a te Queu e For example, if the device A sends packet s to the device B. The dev ice B will perform traf fic pol icing on packet s fro[...]
-
Page 372
1-11 1) SP queuing Figure 1-7 Diagram for SP queuing P ac k et s t o be s ent th r o ug h th is po rt Pa cke t cla ssifi ca ti o n Queu e s c heduling Queue 2 w eig ht 2 Queue N - 1 w eight N -1 Queue N w eight N S e nt pa c k et s S en di ng qu eue In te r face …… Q ueue 7 Q ueue 6 Q ueue 1 Qu e u e 0 H i gh pri orit y Low pri orit y SP queue [...]
-
Page 373
1-12 Figure 1-8 Diagram for WRR queuing P ac k et s t o be s ent t hro ugh t hi s port Packe t cla ssifi ca tio n Queu e s c hedul ing Queue 2 w e ight 2 Queue N -1 w e i g h t N -1 Queue N w eight N Se n t p a cke ts S endin g queue In te r face …… Q ueue 1 Q ueue 2 W eight 2 Q ueue N - 1 W eight N-1 Qu e u e N We i g h t N W eight 1 WRR queue[...]
-
Page 374
1-13 Table 1-7 Queue-scheduling sequence of SDWRR Scheduling algorithm Queue-scheduling sequence Des cription WRR 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1 SDWRR 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0 0 indicates packets in queue0 1 indicates packets in queue1 Flow-based Traffic Accounting The function of flow-based traf fic accounting[...]
-
Page 375
1-14 Task Remarks Enabling the Burst Function Optional Configuring Traffic Mirroring Optional Configuring Priority Trust Mode Refer to Priority T rust Mode for introduction to priority trust mode. Configuration prerequisites z The priority trust mode to be adopted is determi ned. z The port where priority trust mode is to be configured i s determin[...]
-
Page 376
1-15 Configuration example z Configure to trust port priority on GigabitEthernet 1/0/1 and set the priority of GigabitEthernet 1/0/1 to 7. Configuration procedure: <device> system-view [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] priority 7 z Configure to trust 802.1p preceden ce on GigabitEthernet 1/0/1. Configuratio[...]
-
Page 377
1-16 To do… Use the command… Remarks Configure COS-precedence-to-DSCP -precedence mapping table qos cos-dscp -map cos0-map-dscp cos1-map-d s cp cos2-map-dscp cos3-map-d s cp cos4-map-dscp cos5-map-d scp cos6-m ap -dscp cos7-m ap-dscp Required Follow these steps to co nfigur e the DSCP-precedence-to-other-pre ced ence mapping t abl e: To do… U[...]
-
Page 378
1-17 [device] qos dscp-local-precedence-map 8 9 10 11 12 13 14 15 : 3 [device] qos dscp-local-precedence-map 16 17 18 19 20 21 22 23 : 4 [device] qos dscp-local-precedence-map 24 25 26 27 28 29 30 31 : 1 [device] qos dscp-local-precedence-map 32 33 34 35 36 37 38 39 : 7 [device] qos dscp-local-precedence-map 40 41 42 43 44 45 46 47 : 0 [device] qos[...]
-
Page 379
1-18 37 : 7 38 : 7 39 : 7 40 : 0 41 : 0 42 : 0 43 : 0 44 : 0 45 : 0 46 : 0 47 : 0 48 : 5 49 : 5 50 : 5 51 : 5 52 : 5 53 : 5 54 : 5 55 : 5 56 : 6 57 : 6 58 : 6 59 : 6 60 : 6 61 : 6 62 : 6 63 : 6 Setting the Priority of Protocol Packets Refer to Protocol Priority for information about priority of protocol p ackets. Configuration prerequisites z The p[...]
-
Page 380
1-19 Configuration example z Set the IP precedence of ICMP packets to 3. z Display the configuration. Configuration procedure: <device> system-view [device] protocol-priority protocol-type icmp ip-precedence 3 [device] display protocol-priority Protocol: icmp IP-Precedence: flash(3) Marking Packet Priority Refer to Priority Marking for inform[...]
-
Page 381
1-20 Follow these step s to mark the priority for packets t hat are of a port group and match specific ACL rules: To do… Use the command… Remarks Enter syst e m view system-vie w — Enter port group view port-group group-id — Mark the priorities for packets matching specific ACL rules traffic-priority inbound acl-rule { dscp dscp-value | cos[...]
-
Page 382
1-21 Configuration prerequisites z The ACL rules used for traffic class ifi cation are defined. Refe r to the ACL module of this man ual for information about defining ACL rules. z The rate limit for traffic policing, and the actions for the packets exceeding the rate limit are determined. Configuration procedure Y ou can configure traf fic po lici[...]
-
Page 383
1-22 To do… Use the command… Remarks Enter syste m view system-v iew — Enter Ethernet port view interface interface-type interface-numb er — Configure traffic policing traffic-limit inbound acl-rule target-r ate [ conform con-action ] [ exceed exceed-actio n ] [ meter-statistic ] Required By default, traffic policing is disabled. Clear the [...]
-
Page 384
1-23 Configuration procedure Follow these steps to co nfigure traffic sh aping: To do… Use the com mand… Remarks Enter syst e m view s ystem-vie w — Enter Ethernet port view interface interface-type interface-number — Configure traffic shaping traffic-shape [ queue queue-id ] max-rate burst-size Required Traffic shaping is not enabled by de[...]
-
Page 385
1-24 Follow these steps to re direct packet s that ar e of a VLAN and match specific ACL rules: To do… Use the command… Remarks Enter syste m view system-v iew — Configure traffic redirecting tra ffic-redirect vlan vlan-i d inbound acl-rule interface interface-type interface-numb er Required Follow these steps to re direct packet s that are o[...]
-
Page 386
1-25 [device-acl-basic-2000] quit [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] traffic-redirect inbound ip-group 2000 interface GigabitEthernet1/0/7 2) Method II <device> system-view [device] acl number 2000 [device-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255 [device-acl-basic-2000] quit [device] traffic-red[...]
-
Page 387
1-26 Configuration prerequisites The algorithm for queue scheduling to b e used and the related pa rameters are determined. Configuration procedure Follow these steps to co nfigure SP queu e sched uling algorithm: To do… Use the comm and… Remarks Enter syst e m view system-view — Configure SP queue scheduling algorithm undo queue-scheduler [ [...]
-
Page 388
1-27 Configuration example # Configure a device to adopt SP+SDWRR combi nation for queue sch eduling, assigning queu e 3, queue 4, and queue 5 to WRR scheduling gro up 1, wi th the weigh of 20, 20 an d 30; assigning queue 0, queue 1, and queue 2 to WRR scheduling group 2 , with the weight 20, 20, and 40; using SP for scheduling queue 6 and queue 7.[...]
-
Page 389
1-28 To do… Use the command… Remarks Collect the statistics on the packets matching specific ACL rules traffic-statistic vl an vlan-id inbound acl-rule Required Clear the statistics on the packets matching specific ACL rules reset traffic-statistic vlan vlan-id inbound acl-rule Optional Follow these step s to collect traffic st atistics on pa c[...]
-
Page 390
1-29 [device] acl number 2000 [device-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255 [device-acl-basic-2000] quit [device] interface GigabitEthernet1/0/1 [device-GigabitEthernet1/0/1] traffic-statistic inbound ip-group 2000 [device-GigabitEthernet1/0/1] reset traffic-statistic inbound ip-group 2000 2) Method II <device> system-view [de[...]
-
Page 391
1-30 Configuration procedure Y ou can configure traffic mirro ring on all the packet s matching spe cific ACL rules, or on pa ckets that match specific ACL rule s and are of a VLAN, of a port group, or pa ss a p ort. Follow these steps to co nfigure traffic mi rroring globally : To do… Use the command… Remarks Enter syst e m view system-vie w ?[...]
-
Page 392
1-31 Follow these steps to co nfigure traffic mi rroring for a port: To do… Use the command… Remarks Enter syst e m view system-vie w — Enter Ethernet port view of the destination port interface interface-type interface-number — Define the current port as the destination port monitor-port Required Exit current view quit — Enter Ethernet p[...]
-
Page 393
1-32 [device] mirrored-to vlan 2 inbound ip-group 2000 monitor-interface Displaying and Maintaining Qo S To do… Use the command… Remarks Display the protocol packet priority configuration display protocol-priority Display the COS-precedence-to-Drop-preceden ce mapping relationship display qos cos-drop-precedence -map Display the COS-precedence-[...]
-
Page 394
1-33 To do… Use the command… Remarks Display VLAN mapping configuration of a port or all the ports display qos-interface { interface-type interface-num ber | unit-id } traffic-remark-v lanid Display traffic mirroring configuration of a port or all the ports display qos-interface { interface-type interface-num ber | unit-id } mirrored-to Display[...]
-
Page 395
1-34 # Create ACL 2000 and enter basi c ACL view to cl assify packet s sourced from the 192.1 68.1.0/24 network segment. <device> system-view [device] acl number 2000 [device-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 [device-acl-basic-2000] quit # Create ACL 2001 and enter basi c ACL view to cl assify packet s sourced from the [...]
-
Page 396
2-1 2 QoS Profile Configuration Overview Introduction to QoS Profile QoS profile is a set of QoS configurations. It provides an easy way for performing and managing QoS configuration. A QoS profile can contain one or mult iple QoS functions. In networks where host s change their positions frequently , you can define QoS policies for the hosts and a[...]
-
Page 397
2-2 QoS Profile Configuration QoS Profile Configuration Task List Complete the following t a sks to configure a QoS profile: Task Remarks Configuring a QoS Profile Required Applying a QoS Profile Optional Applying a QoS Profile Optional Configuring a QoS Profile Configuration prerequisites z The ACL rules used for traffic class ifi cation are defin[...]
-
Page 398
2-3 Configuration procedure Follow these steps to co nfigure to apply a QoS profile dynamically: To do… Use the command… Remarks Enter syst e m view system-vie w — Enter Ethernet port view interface inte rface-type interface-number — Configure the mode to apply a QoS profile as port-based qos-profile port-based Specify the mode to apply a Q[...]
-
Page 399
2-4 Configuration Example QoS Profile Configuration Example Network requirements As shown in Figure 2-1 , the user name is “someone”, and the auth enticatio n password is “he llo”. It is connected to GigabitEthernet 1/0/1 of the switch and belongs to the test.net domain. It is required to configure a QoS profile to limit the ra te of all th[...]
-
Page 400
2-5 # Create the user domain test.net and specify radiu s 1 as you r RADIUS server group. [device] domain test.net [device-isp-test.net] radius-scheme radius1 [device-isp-test.net] quit # Create ACL 3000 to permit IP packet s destined for any IP address. [device] acl number 3000 [device-acl-adv-3000] rule 1 permit ip destination any [device-acl-adv[...]
-
Page 401
i Table of Contents 1 Mirroring Conf iguration ······································································································ ······················ 1-1 Mirroring Overview ···············[...]
-
Page 402
1-1 1 Mirroring Configuration z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of a unified swit ch in the WX3000 series. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. Mirroring Overview Mirroring refe[...]
-
Page 403
1-2 z VLAN-based mirroring: a device copies packet s of a specified VLAN to the destination port. Local Port Mirroring In local port mirroring, packet s pa ssi ng through one or more source port s of a device are copied to the destination port on the same device for packet analy sis and monitoring. In this case, the source ports and the destination[...]
-
Page 404
1-3 Table 1-1 Ports involved in the mirroring operation Sw it ch Ports involved Function Source port Port monitored. It copies packets to the refle ctor po rt through local port mirroring. There can b e more than one source port. Reflector port Receives packets from the sou r ce port and broadcasts the packets in the rem ote-probe VLAN. Source swit[...]
-
Page 405
1-4 Mirroring Configuration Complete the following t a sks to configure mirroring: Task Remarks Configuring Local Port Mirrorin g Optional Configuring Remote Port Mirro rin g Optional Configuring MAC-Base d Mirroring Optional Configuring VLAN-Based Mirroring Optional Configuring Local Port Mirroring Configuration prerequisites z The source port is [...]
-
Page 406
1-5 Configuring Remote Port Mirroring The device can serve as a source switch, an intermedi ate switch, or a destination switch in a remote port mirroring networking e nvironm ent. Configuration on the device acting as a source switch 1) Configuration prerequisites z The source port, the reflector port, and the remote-probe VLAN a r e determined. z[...]
-
Page 407
1-6 When configuring the source swit ch, note that: z All ports of a remote source mirroring gro up are on the same device. Each remote sour ce mirroring group can be configured wi th only one re flector port. z The reflector port cannot be a membe r port of an existing mirroring group, a member port of an aggregation group, or a po rt enabled with[...]
-
Page 408
1-7 Follow these steps to co nfigure remote port mirroring on the destination switch: To do… Use the command… Remarks Enter syste m view system-v iew — Create a VLAN and enter VLAN view vlan vlan-id v lan-id is the ID of the remote-probe VLAN. Configure the current VLAN as a remote-probe VLAN remote-prob e vlan enable Req uired Return to syst[...]
-
Page 409
1-8 Configuration prerequisites z The MAC address to be matched is det ermined. z The destination port is det ermined. Configuration procedure Follow these steps to co nfi gure MAC-based mirroring: To do… Use the command… Remarks Enter syst e m view system-vie w — Create a local or remote source mirroring group mirroring-group group- id { loc[...]
-
Page 410
1-9 Configuration procedure Follow these steps to co nfigure VLAN-b ased mirroring: To do… Use the command… Remarks Enter syst e m view system-vie w — Create a local or remote source mirroring group mirroring-group group- id { local | remote-sour ce } Required Configuring VLAN-Based Mirroring mirroring-group group-id mirroring-vlan vlan-id in[...]
-
Page 411
1-10 Use the local port mirroring functio n to meet the requirement. Perform the follo wing configurations on Switch C. z Configure GigabitEthernet 1/0/1 and Gi gabitEt hernet 1/0/2 as mirroring source ports. z Configure GigabitEthernet 1/0/3 as the mirroring de stination po rt. Figure 1-3 Network diagram for local port mirroring Sw itch C D a t a [...]
-
Page 412
1-11 z Department 1 is connected to GigabitEthern et 1/0/1 of Switch A. z Department 2 is connected to GigabitEthern et 1/0/2 of Switch A. z GigabitEthernet 1/0/3 of Switch A connects to GigabitE thern et 1/0/1 of Switch B. z GigabitEthernet 1/0/2 of Switch B connects to GigabitE thern et 1/0/1 of Switch C. z The data detection device is conne cted[...]
-
Page 413
1-12 [device] mirroring-group 1 mirroring-port GigabitEthernet 1/0/1 GigabitEthernet 1/0/2 inbound [device] mirroring-group 1 reflector-port GigabitEthernet 1/0/4 [device] mirroring-group 1 remote-probe vlan 10 # Configure GigabitEthernet 1/0/3 as trunk port, allowi ng packet s of VLAN 10 to pass. [device] interface GigabitEthernet 1/0/3 [device-Gi[...]
-
Page 414
1-13 # Configure the destination port and re mote-probe VL AN for the remote destination mirrorin g group. [device] mirroring-group 1 monitor-port GigabitEthernet 1/0/2 [device] mirroring-group 1 remote-probe vlan 10 # Configure GigabitEthernet 1/0/1 as the trun k port, allowing p ackets of VLAN 10 to p ass. [device] interface GigabitEthernet 1/0/1[...]
-
Page 415
i Table of Contents 1 ARP Confi gurati on············································································································ ························· 1-1 Introduction to ARP ········?[...]
-
Page 416
1-1 1 ARP Configuration z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of the WX 3000 series. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. Introduction to ARP ARP Function Address Resolution Protoco[...]
-
Page 417
1-2 Figure 1-1 ARP message format Hardwa re t ype (16 bits ) Protocol t yp e (1 6 bi ts) Length o f ha rdware addr ess Length of pr otocol addres s Op erator (16 bits) Hardware addres s o f the s ender IP ad dress o f the s ender Hardware ad dress of the rec eiver I P a dd re s s of th e r e ce i v er Hardwa re t ype (16 bits ) Hardwa re t ype (16 [...]
-
Page 418
1-3 Value Description 5 Chaos 6 IEEE802.X 7 ARC netw ork ARP Table In an Ethernet, the MAC addresses of two host s must be available for the two host s to communicate with each other . Each host in an Ethernet main tains an ARP table, where the late st used IP address-to-MAC address mappi ng entries ar e stored. The device provide s the display arp[...]
-
Page 419
1-4 mode, all hosts on this su bnet can receive the requ est, but only the requested h ost (namely, Host B) will process the request. 4) Host B compares its own IP address with the des tination IP address in the ARP request. If they are the same, Host B saves the sou rce IP address a nd source MAC address into i ts ARP mapping table, encapsulates i[...]
-
Page 420
1-5 After you enable the ARP attack detection function, the device will check the following items of an ARP packet: the source MAC a ddress, source IP addre ss, port number of the port receiving the ARP p acket, and the ID of the VLAN the port resi des. If these item s match the ent ries of the DHCP snoo ping table or the manual configured IP bindi[...]
-
Page 421
1-6 To do… Use the command… Remarks Enable the ARP entry checking function (that is, disable the device from learning ARP entries with multicast MAC addresses) arp check enable Optional By default, the ARP entry checking function is enabled. z Static ARP entries are valid as lo ng as the device operates normally. But some ope rations, such as r[...]
-
Page 422
1-7 To do… Use the command… Remarks Quit to system view quit — Enter VLAN view vlan vlan-id — Enable ARP restricted forwarding a rp rest ricted- forward ing enable Optional By default, the ARP restricted forwarding function is disabled. The device forwards legal ARP packets through all its ports. z You need to enable DHCP snooping and confi[...]
-
Page 423
1-8 Displaying and Maintaining ARP To do… Use the command… Remarks Display specific ARP mapping table entries display arp [ static | dynam ic | ip-address ] Display the ARP mapping entries related to a specified string in a specified way display arp [ dyna mic | static ] | { begin | include | exclude } text Display the number of the ARP entries[...]
-
Page 424
1-9 Figure 1-4 ARP attack detection configuration GE1 / 0 / 3 Cl i ent B GE 1 / 0/ 2 Cl i e nt A DHCP S er v er Sw itch A DHCP S noo pin g G E 1/0/1 Configuration procedure # Enable DHCP sn ooping on Switch A. <SwitchA> system-view [SwitchA] dhcp-snooping # S pecify Gig abitEthern et 1/0/1 as the DHCP snoopi ng trusted port and the ARP truste[...]
-
Page 425
i Table of Contents 1 SNMP Conf iguration ··········································································································· ······················· 1-1 SNMP Overview ··············[...]
-
Page 426
1-1 1 SNMP Configuration z The term switch used throughout this docum ent re fers to a switching device in a generi c sense or the switching engine of a WX30 00 seri es. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. SNMP Overview The simple network man agement protocol (S[...]
-
Page 427
1-2 SNMP NMS and SNMP agent. Comm unity name functions as password. It can limit acce sses made by SNMP NMS to SNMP agent. Y ou can perform the fo llowing community name-related configuration. z Specifying MIB view that a community can access. z Set the permission for a community to access an MIB object to be read-only or read -write. Communities w[...]
-
Page 428
1-3 MIB attribute MIB content R elated RFC DHCP MIB QACL MIB MSTP MIB VLAN MIB IPV6 ADDRESS MIB MIRRORGROUP MIB QINQ MIB 802.x MIB HGMP MIB NTP MIB Device management Private MIB Interface management — Configuring Basic SNMP Functions Because the configuration of SNMPv3 is quite di f ferent from that of SNMPv1 and SNMPv2c, their configuration proc[...]
-
Page 429
1-4 To do… Use the command… Remarks Direct configura tion Set a community name snmp-agent community { read | write } community-nam e [ acl acl-number | mib-vie w view-name ]* Set an SNMP group snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ writ e-vi ew write-view ] [ noti fy- view notify-view ] [ acl acl-n umber ] Set a comm[...]
-
Page 430
1-5 To do… Use the command… Remarks Set an SNMP group snmp-agent group v3 group-name [ authentica tion | privacy ] [ read-view read-view ] [ writ e-vi ew write-view ] [ noti fy- view notify-view ] [ acl acl-num ber ] Required Encrypt a plain-text password to generate a cipher-text one snmp-agent calculate-pass w ord plain-password mode { md5 | [...]
-
Page 431
1-6 To do… Use the command… Remarks Enter syst e m view system-vie w — Enable the device to send Trap messages to NMS snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart | linkdo wn | linkup | warmstart ]* | system | ] Enter port view or interface view interface interface-type interface-number Enable the por[...]
-
Page 432
1-7 Enabling Logging for Network Management Follow these steps to ena b le logging for network managem ent: To do… Use the command… Remarks Enter syst e m view system-vie w — Enable logging for network management snmp-agent log { set-operation | get-operation | all } Optional Disabled by default. Use the display logbuffer command to view the [...]
-
Page 433
1-8 z Perform the following configuration on Switch A: setting the community name and access permission, administrato r ID, contact and location of Switch A, and enabli ng the device to sent trap messages. Thus, the NMS is able to access Switch A and receive the trap messages sent by Switch A. Figure 1-2 Network diagram for SNMP configuration Et he[...]
-
Page 434
1-9 [device] snmp-agent trap enable standard linkdown [device] snmp-agent target-host trap address udp-domain 10.10.10.1 udp-port 5000 params securityname public Configuring the NMS The device support s iMC NMS. SNMPv3 adopt s user name and p assword aut hentication. Whe n you use the iMC, you need to set user names and choose the security level in[...]
-
Page 435
2-1 2 RMON Configuration Introduction to RMON Remote monitoring (RMO N) is a kind of management informati on base (MIB) defined by Internet Engineering T ask Force (IETF). It is an important enhan cement made to MIB II st andards. RMON i s mainly used to monitor the data traf fic across a net work segment or even the e ntire network, and is current[...]
-
Page 436
2-2 Commonly Used RMON Groups Event group Event group is used to def ine the indexes of event s and the processing m ethods of the events. The events defined in a n event group are mainly u sed by entries in the alarm group an d extended alarm group to trigger alarms. Y ou can specify a network device to act in one of the following ways in response[...]
-
Page 437
2-3 The statistics include the numb er of the following it ems: collisions, packet s with cyclic redund ancy check (CRC) errors, und ersize (or oversize) packe t s, broadcast pa ckets, multicast p ackets, and received bytes and p acket s. With the RMON statistics mana gement function, y ou can monitor the use of a port and make st atistics on the e[...]
-
Page 438
2-4 Displaying and Maintaining RMON To do… Use the command… Remarks Display RMO N st at istics display rmon statistics [ interface-t ype interface-number | unit unit -number ] Display RMON history information display rmon history [ interface-t ype interface-number | unit unit-numbe r ] Display RMON alarm information display rmon alarm [ entry-n[...]
-
Page 439
2-5 [device] rmon prialarm 2 (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1) test 10 changeratio rising_threshold 50 1 falling_threshold 5 2 entrytype forever owner user1 # Display the RMON extended alarm entry numbere d 2. [device] display rmon prialarm 2 Prialarm table 2 owned by user1 is VALID. Samples type : changeratio Variable formula [...]
-
Page 440
i Table of Contents 1 Multicast Overview ··········································································································· ························· 1-1 Multicast Overview ··········[...]
-
Page 441
1-1 1 Multicast Overview z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of the WX 3000 series device s. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. Multicast Overview With development of networks o[...]
-
Page 442
1-2 Figure 1-1 Information transmission in the unicast mode Sourc e Server Receiver Re ceiv er Receive r Host A Host B Host C Host D Host E Pack ets for Ho st B Packet s for Host D Pack ets for Ho st E Assume that Host s B, D and E need this informati on. The source serve r establishe s transmission channels for the devi ces of these users respecti[...]
-
Page 443
1-3 Figure 1-2 Information transmission in the broadcast mode Sourc e Server Receiver Re cei ver Rece iver Hos t A Host B Host C Host D Hos t E Packet s for all the network Assume that Hosts B, D, a nd E need the information. The source server broadcast s this information through routers, and Ho sts A and C on the net work also receive this informa[...]
-
Page 444
1-4 Figure 1-3 Information transmission in the multicast mode Sourc e Server Receiver Re cei ver Rece iver Hos t A Host B Host C Host D Hos t E Packets for the mul ticast group Assume that Host s B, D and E need the inform ation. T o transmit the information to the right users, it is necessary to group Host s B, D and E into a receiver set. The rou[...]
-
Page 445
1-5 Table 1-1 An analogy between TV transmission and multicast transmi ssion Step TV transmission Multicast transmission 1 A TV station transmits a TV program through a television channel. A multicast source sends multicast data to a multicast group. 2 A user tunes the TV set to the channel . A receiver joins the multicast group. 3 The user starts [...]
-
Page 446
1-6 ASM model In the ASM model, any sender can become a multic ast source and send informatio n to a multicast group; numbers of re ceivers can join a multicast grou p identified by a group addre ss and obt ain multicast information addressed to that multicast gr oup. In this model, receive rs are not aware of the position of a multicast source in [...]
-
Page 447
1-7 As receivers are multiple host s in a multicast group, you should be concerned about the following questions: z What destination should th e informatio n source s end the information to in the multicast mo de? z How to select the destinati on address? These questions are about multicast addressing. T o enable the communication b etween the info[...]
-
Page 448
1-8 Class D address range Description 239.0.0.0 to 239.255.255.255 Administratively scoped multicast addresses, which are for specific local use only. As specified by IANA, the IP addre sses ranging from 224.0.0.0 to 224.0.0.255 ar e reserved for network protocols on local networ ks. The following t able lists commonly u se d re served IP multica s[...]
-
Page 449
1-9 multicast MAC address is used as the destination ad dress because the destin ation is a group with an uncertain number of mem bers. As stipulated by IANA, the high-order 24 bit s of a multicast MAC address are 0x01005e, while the low-order 23 bits of a MAC add ress are the low- ord er 23 bits of the multicast IP address. Figure 1-4 describes th[...]
-
Page 450
1-10 Figure 1-5 Positions of Layer 3 multicast protocols AS 1 A S 2 Sour ce Receiver Re ceiv er Receiver PIM PIM MSDP IGMP IG MP IGMP 1) Multicast management protocols T ypically , the Internet Group Management Protoc ol (IGMP) is used between host s and Layer 3 multicast devices directly conn ected with the hosts. These protocols defin e the mecha[...]
-
Page 451
1-11 Figure 1-6 Positions of Layer 2 multicast protocols So u rce Rece iver R eceiver multic as t pack ets IG M P S noo pi n g 2) IGMP Snooping Running on Layer 2 devices, Internet Group M anagement Protocol Snoopi ng (IGMP Snooping) are multicast constraining mecha nisms that manage and control multicast group s by listening to and analyzing IGMP [...]
-
Page 452
1-12 2) If the corresponding (S, G) entry exists, but the in terface on which the packet actually arrived is not the incoming interface in the multicast forwardi ng t able, the multicast packet is subject to an RPF check. z If the result of the RP F check show s that the RPF interface is the in coming interface of the existing (S, G) entry, this me[...]
-
Page 453
1-13 z A multicast packet from Source arrives to VLAN -interface 1 of Switch C, and the corresponding forwarding entry doe s not exist in the mult icast forw arding table of Switch C. Switch C pe rforms an RPF check, and finds in its unicast routing table that the outgoing interfac e to 192.16 8.0.0/24 is VLAN-interface 2. This me ans that the inte[...]
-
Page 454
2-1 2 IGMP Snooping Configuration IGMP Snooping Overview Internet Group Management Protocol Snooping (I GMP Snooping) is a multicast constraini ng mechanism that runs on Layer 2 devices to manage and control multicast groups. Principle of IGMP Snooping By analyzing received IGMP messages, a Layer 2 device running IGMP Snooping est ablishes mappings[...]
-
Page 455
2-2 Figure 2-2 IGMP Snooping related ports Rou ter A Swi tc h A Sw it ch B Et h 1/ 0/ 1 Et h1/0 /2 Et h 1/0/ 3 Et h 1/0/ 1 Et h1/0 /2 Rece ive r Rece ive r Hos t A Hos t B Hos t C Hos t D So u rce Mu lt i c as t pac k e ts Rou ter port Member p or t Ports involved in IGMP Snooping, as shown in Figure 2-2 , are described as follows: z Router port: A[...]
-
Page 456
2-3 When receiving a general query The IGMP qu erier pe riodi cally sen ds IGMP general q ueri es to all h ost s and ro uters on the local su bne t to find out whether active multicast group members exist on the subnet. Upon receiving an IGMP general query , the device forwards it through all ports in the VLAN except the receiving port and perform [...]
-
Page 457
2-4 immediately delete the forwarding entry corresponding to that port from the forwarding t able; instead, it reset s the agi ng timer of the membe r port. Upon receiving the IGMP leave message from a hos t, the IGMP querier resolves from the message the address of the multicast group that the host just lef t and sends an IGMP group-specific que r[...]
-
Page 458
2-5 Operation Remarks Configuring a VLAN Tag for Que ry Message s Optional Configuring Multicast VLAN Optional Enabling IGMP Snooping Follow these steps to ena b le IGMP Snooping: To do… Use the command… Remarks Enter syst e m view system-v iew — Enable IGMP Snooping globally igmp-snoopi ng enable Required By default, IGMP Snooping is disable[...]
-
Page 459
2-6 z Before configuring related IGMP Snooping func tions, you must enable IGMP Snooping in the specified VLAN. z Different multicast group addresse s should be conf ig ured for different multicast sources beca use IGMPv3 Snooping cannot distinguish multica st data from different sources to the same multicast group. Configuring Timers This section [...]
-
Page 460
2-7 Enabling fast leave processing in Ethernet port view Follow these steps to ena b le fast leave processing in Ethernet view: To do… Use the command… Remarks Enter syst e m view sy stem - view — Enter Ethernet port view interface interface-type interface-number — Enable fast leave processi ng for specific VLANs igmp-snooping fast-leav e [[...]
-
Page 461
2-8 Configuring a multicast group filter in system vie w Follow these steps to co nfigure a mult icast group filter in system view: To do… Use the command… Remarks Enter syst e m view system-view — Configure a multicast group filter igmp - snooping group - policy acl-number [ vlan vlan-list ] Required No group filter is configured by default,[...]
-
Page 462
2-9 Follow these steps to co nfigure the maximu m number of multicast group s on a port: To do… Use the command… Remarks Enter syst e m view system-view — Enter Ethernet port view interface interface-type interface-number — Limit the number of multicast groups on a port igmp-snooping group-limit limit [ vlan vlan - list [ overflow-replace ][...]
-
Page 463
2-10 To do… Use the command… Remarks Enable IGMP Snooping querier igmp-snooping querier Required By default, IGMP Snooping querier is disabled. Configure the interval of sending general querie s igmp-snooping query-interval seconds Optional By default, the interval of sending general querie s is 60 seconds. Configure the source IP address of ge[...]
-
Page 464
2-11 In Ethernet port view Follow these steps to co nfigure a static multicast gro up memb er port in Ethernet port view: To do… Use the command… Remarks Enter syst e m view system-vie w — Enter Ethernet port view interface interface-type interface-number — Configure the current port as a static member port for a multicast group in a VLAN m[...]
-
Page 465
2-12 In VLAN view Follow these steps to co nfigure a st ati c router port in VLAN view: To do… Use the command… Remarks Enter syst e m view system-vie w — Enter VLAN view vlan vlan-id — Configure a specified port as a static router port multicast static-router-port interface-type interface-n umber Required By default, no static router port [...]
-
Page 466
2-13 z Before configuring a simulated host, enabl e IGMP Snooping in VL AN view first. z The port to be configured must belong to the specified VLAN; otherwise the conf iguration does not take effect. z You can use the source-i p sourc e-address com mand to specify a multicast source address that the port will join as a sim ulated host. This co nfi[...]
-
Page 467
2-14 To do… Use the command… Remarks Enter VLAN interface view interface Vlan-interface vlan-id — Enable IGMP igmp enable Required By default, the IGMP feature is disabled. Return to system view quit — Enter Ethernet port view for the Layer 2 device to be configured interface interface-type interface-number — Define the port as a trunk or[...]
-
Page 468
2-15 z One port can belong to only one multica st VLAN. z The port connected to a user terminal must be a hy brid port. z The multicast member ports must be in the sa me VLAN with the route r port. Otherwise, the multicast member port cannot receive multica st packets. z If a router port is in a multicast VL AN, the router port must be configured a[...]
-
Page 469
2-16 Figure 2-3 Network diagram for IGMP Snooping co nfiguration Mu lticast p acket s So u rc e Route r A Swi tch A Re ceiver Re ceiver Hos t B Hos t A Hos t C 1. 1. 1. 1/ 24 GE1/ 0/ 4 GE1/ 0/ 2 GE 1/ 0/ 3 IG M P querier GE1 / 0/1 GE 1/ 0/ 1 1 0 .1 .1 . 1 / 2 4 GE1/0/ 2 1 .1. 1. 2/ 24 VLAN 100 Configuration procedure 1) Configure the IP address of [...]
-
Page 470
2-17 Total 1 IP Group(s). Total 1 MAC Group(s). Vlan(id):100. Total 1 IP Group(s). Total 1 MAC Group(s). Static Router port(s): Dynamic Router port(s): GigabitEthernet1/0/1 IP group(s):the following ip group(s) match to one mac group. IP group address: 224.1.1.1 Static host port(s): Dynamic host port(s): GigabitEthernet1/0/3 GigabitEthernet1/0/4 MA[...]
-
Page 471
2-18 Configure a multicast VLAN, so that users in VLAN 2 and VLAN 3 can re ceive multicast streams through the multicast VLAN. Figure 2-4 Network diagram for multicast VLAN configuratio n Hos tA Hos tB Wor kSt a tio n Swit chA Sw itchB Vl an - i nt 20 168 .10 . 1. 1 GE 1/0 /1 G E1 / 0/ 10 V l a n 2 V l a n 3 G E 1/ 0 / 10 Vl an 10 G E 1 / 0 / 1 G E[...]
-
Page 472
2-19 # Configure VLAN 10 as the multicast VLAN and enable IGMP Snooping on it. [SwitchB] vlan 10 [SwitchB-vlan10] service-type multicast [SwitchB-vlan10] igmp-snooping enable [SwitchB-vlan10] quit # Define GigabitEthernet 1/0/10 as a hybrid po rt, add the port to VLAN 2, VLAN 3, and VLAN 10, and configure the port to forward tagged p acket s for VL[...]
-
Page 473
3-1 3 Common Multicast Configuration Common Multicast Configuration Configuring a Multicast MAC Address Entry In Layer 2 multicast, the system can add multicas t forwarding entries dynami cally through a Layer 2 multicast protocol. Alternatively , you can stati cally bind a port to a multica st MAC address entry by configuring a multicast MAC add r[...]
-
Page 474
3-2 Configuring Dropping Unknown Multicast Packets Generally , if the multicast address of the multica s t pa cket received on the device i s not registered on the local device, the packet will be flooded in the VLAN. When the functi on of dropping unknown multicast packet s is enabled, the device will drop any multicas t p ackets whose multicast a[...]
-
Page 475
i Table of Contents 1 NTP Confi guration ············································································································ ························· 1-1 Introduction to NTP ········?[...]
-
Page 476
1-1 1 NTP Configuration When configuring NTP , go to these secti ons for information you are intere sted in: z Introduction to NTP z NTP Configuration Task Li st z Configuring NTP Implementation Modes z Configuring Access Control Right z Configuring NTP Authentication z Configuring Optional NTP Parameters z Displaying and Maintain ing NTP Co nfigur[...]
-
Page 477
1-2 z In network management, the an alysis of the log information and debugging i nformation collected from different devices is meani ngful and valid only when netwo rk devices that generate t he information adopts the same time. z The billing system requires that the clocks of all network devices be consi stent. z Some functions, such as restarti[...]
-
Page 478
1-3 Figure 1-1 Implementation principle of NTP IP n e tw o r k IP n e tw o r k IP n e tw o r k IP n e tw o r k D e vi ce B D e vice A D e vi ce B D e vice A D e vi ce B D e vice A D e vi ce B D e vice A 10 :00:00 am 11:0 0:01 a m 10:00:0 0 am N T P m e ssa g e 10 :00: 00 am 11:00:01 am 11: 00: 02 am NTP m e s sa g e NT P mess age NT P mess age r ec[...]
-
Page 479
1-4 Server/client mode Figure 1-2 Server/client mode Ser ver Cl oc k sy n c hr oni z atio n re q u e s t R e sp o n se Net wo r k Cl i ent Wo r ks in se r ver m o d e au t o m a t ica l ly a n d send s a r espon se pack et F ilt er s a n d se le ct s a c lo ck and sync hron iz es t he loc al cl oc k to th at of the pr efer r ed ser ver Symmetric pe[...]
-
Page 480
1-5 Multicast mode Figure 1-5 Multicast mode Cl i e nt Mu lt ica st clo ck syn ch r o niza t i o n pac k ets pe ri od i c a l l y Net work Se r ver I nitia t es a client /se r ver mo d e r eq uest after r ecei v i ng the fi rst m u lt i c a s t p ac k e t Wo r ks in t h e se r ve r m o de a u t o m a t ica l ly a nd se nd s r e sp o n se s Cli ent/[...]
-
Page 481
1-6 NTP Configuration Task List Complete the following tasks to configure NTP: Task Remarks Configuring NTP Implementation Modes Req uired Configuring Access Control Right Optional Configuring NTP Authentication Optional Configuring Optional NTP Parameters Optional Displaying and Maintain ing NTP Co nfiguration Optional Configuring NTP Implementati[...]
-
Page 482
1-7 To do… Use the command… Remarks Enter syst e m view system-view — Configure an NTP client ntp-service unicast-s erver { remote-ip | server-name } [ authentic ation-keyid key-id | priority | source-interfac e Vlan-interface vlan-id | versi on number ]* Required By default, the device is not configured to work in the NTP client mode. z The [...]
-
Page 483
1-8 z In the symmetric peer mode, you need to execute the related NTP configuration comm and s (refer to Configuring NTP Implementation M odes for details) to enable NTP on a symmetric-p assive peer; otherwise, the symmetric-passive peer will not process NTP mess ages from the symmetric-active peer. z The remote device specified by rem ote-ip or pe[...]
-
Page 484
1-9 Configuring the device to work in the NTP broadcast client mode To do… Use the command… Remarks Enter syst e m view system-vie w — Enter VLAN interface view interface Vlan-in terface vlan-id — Configure the device to work in the NTP broadcast client mode ntp-service broadc ast-client Required Not configured by default. Configuring NTP M[...]
-
Page 485
1-10 Configuring Access Control Right With the following command, you ca n configure the NTP service access-control ri ght to the lo cal device for a peer device. There are four access-control right s, as follows: z query : Control query right. This level of right permits the peer device to perform control que ry to the NTP service on the local dev[...]
-
Page 486
1-11 synchronized only to that of the serv er that pa sses the authentication. Thi s improves network secu rity . T able 1-2 shows the roles of devices in the NTP auth entication function. Table 1-2 Description on the roles of devic es in NTP authentication functio n Role of device Working mode Client in the server/client mode Client in the broadca[...]
-
Page 487
1-12 To do… Use the command… Remarks Configure the NTP authentication key ntp-service authentication-k eyid key-id authentication-m odel md 5 value Required By default, no NTP authentication key is configured. Configure the specified key as a trusted key ntp-service reliable authenticati on-keyid key-id Required By default, no trusted key is co[...]
-
Page 488
1-13 To do… Use the command… Remarks Configure on the NTP broadc ast server ntp-service broadcas t-server authentication-k eyid key-id Associate the specified key with the correspondi ng broadcas t/m ulticast client Configure on the NTP multicast server ntp-service multicast-se rver authentication-k eyid key-id z In NTP broadcast server mode an[...]
-
Page 489
1-14 Configuring the Number of Dynamic Sessions Allowed on the Local Device Follow these steps to co nfigure the number of dynamic sessions all owed on the local device: To do… Use the command… Remarks Enter syst e m view system-vie w — Configure the maximum number of dynamic sessions that can be established on the local device ntp-service ma[...]
-
Page 490
1-15 Figure 1-6 Network diagram for the NTP se rver/client mode confi guration 1. 0. 1. 11/ 24 1 .0.1. 12/ 24 D e vice A D e vice B Configuration procedure Perform the following configurations on Device B. # View the NTP st atus of Devi ce B before synchronization. <DeviceB> display ntp-service status Clock status: unsynchronized Clock stratu[...]
-
Page 491
1-16 [12345]1.0.1.11 127.127.1.0 2 1 64 1 350.1 15.1 0.0 note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured Total associations : 1 Configuring NTP Symmetric Peer Mode Network requirements z As shown in Figure 1-7 , the local clock of Device A is set as the NTP master cloc k, with the clock stratum level of 2. z Device C (a WX[...]
-
Page 492
1-17 Reference clock ID: 3.0.1.32 Nominal frequency: 60.0002 Hz Actual frequency: 60.0002 Hz Clock precision: 2^18 Clock offset: 0.66 ms Root delay: 27.47 ms Root dispersion: 208.39 ms Peer dispersion: 9.63 ms Reference time: 17:03:32.022 UTC Thu Sep 7 2006 (BF422AE4.05AEA86C) The output information indicates that the clock of Device C is syn ch ro[...]
-
Page 493
1-18 Configuration procedure 1) Configure Device C. # Enter system view . <DeviceC> system-view # Set Device C as the broadca st server , which sends broadcast messages throu gh Vlan-i nterface2. [DeviceC] interface Vlan-interface 2 [DeviceC-Vlan-interface2] ntp-service broadcast-server 2) Configure Device A. (perform t he same configuration [...]
-
Page 494
1-19 Configuring NTP Multicast Mode Network requirements z As shown in Figure 1-9 , the local clo ck of Device C i s set as the NTP mast er clock, with a clock stratum level of 2. Configure Device C to work in the NTP multicast server mode and advertise multicast NTP messages through Vlan -i nterface2. z Device A and Device D are two WX3000 series [...]
-
Page 495
1-20 Clock status: synchronized Clock stratum: 3 Reference clock ID: 3.0.1.31 Nominal frequency: 60.0002 Hz Actual frequency: 60.0002 Hz Clock precision: 2^18 Clock offset: 198.7425 ms Root delay: 27.47 ms Root dispersion: 208.39 ms Peer dispersion: 9.63 ms Reference time: 17:03:32.022 UTC Thu Sep 7 2006 (BF422AE4.05AEA86C) The output information i[...]
-
Page 496
1-21 # Configure an MD5 authentication key , with the key ID being 42 and the key being aNiceKey . [DeviceB] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey # S pecify the key 42 a s a trusted key . [DeviceB] ntp-service reliable authentication-keyid 42 [DeviceB] ntp-service unicast-server 1.0.1.11 authentication-keyid 42 After[...]
-
Page 497
i Table of Contents 1 SSH Confi guration ············································································································ ························· 1-1 SSH Overview ············[...]
-
Page 498
1-1 1 SSH Configuration z The term switch used throughout this docum ent re fers to a switching device in a generi c sense or the switching engine of a WX30 00 seri es. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary SSH Overview Introduction to SSH Secure Shell (SSH) is a p[...]
-
Page 499
1-2 Figure 1-1 Encryption and decryption En cr yp ti o n Ke y D e cr yp tio n Ciph er t ex t Pla in text Ke y P l ai n t ex t En cr yp ti o n Ke y D e cr yp tio n Ciph er t ex t Pla in text Ke y P l ai n t ex t Key-based algorithm is usually classifie d into sy mmetric key algori thm and asymmetric key algorithm. Asymmetric Key Algorithm Asymmetric[...]
-
Page 500
1-3 Version negotiation z The server opens port 22 to listen to connection requ ests from clie nts. z The client sends a TCP connection request to the server. After the TCP conn ection is esta blished, the server sends the first packet to the client, whic h includes a version identification string in the format of “SSH-<primary protocol vers i[...]
-
Page 501
1-4 z In password authentication, the c lient encrypts the use rname an d password, encapsulates them into a password authentication request, and sends t he reque st to the server. Upon receiving the request, the server decrypts the username and passw ord, compares them with those it maintains, and then informs the client of the authentication re s[...]
-
Page 502
1-5 SSH Server Configuration Tasks Complete the following tasks to configure SSH server: Task Remark Configuring the Protocol Suppo rt for the User Interface Required Generating/Destroying a RSA or DSA Key Pair Required Exporting the RSA or DSA Public Key Optional Creating an SSH User and Specify an Authentication Type Required Specifying a Service[...]
-
Page 503
1-6 z If you have configured a user interface to s upport SSH protocol, you must configure AAA authentication for the user interface by using the authentica tion-mode schem e command to ensure successful login. z On a user interface, if the authentication-mo de password or authentication-mode none command has been execut ed, the protocol inbound ss[...]
-
Page 504
1-7 Exporting the RSA or DSA Public Key Y ou can display the generated RSA or DSA key pair on the scree n in a specified format, or export it to a specified file for configuring the key at a remote end. Follow these steps to expo rt the RSA public key: To do… Use the command… Remarks Enter syst e m view system-view — Display the RSA key on th[...]
-
Page 505
1-8 z For pass word authentication type, the username argument must be consistent with the valid user name defined in AAA; for publickey authentication, the username argument is the SSH local use r name, so that there is no need to configure a local user in AAA. z If the default authentication type for SSH users i s password and local AAA authentic[...]
-
Page 506
1-9 To do… Use the command… Remarks Enter syst e m view system-vie w — Set SSH authentication timeout time ssh server timeout seconds Optional By default, the timeout time is 60 seconds. Set SSH authentication retry times ssh server authentication-re tries times Optional By default, the number of retry times is 3. Set RSA server key update in[...]
-
Page 507
1-10 To do… Use the command… Remarks Enter public key edit view public-key-code begin — Configure a public key for the client Enter the content of the public key When you input the key data, spaces are allowed betwee n the characters you input (because the system can remove the spaces automatically); you can also press <Enter> to contin[...]
-
Page 508
1-11 Follow these steps to impo rt the RSA public key from a public key file: To do… Use the command… Remarks Enter syst e m view system-vie w — Import the RSA public key from a public key file rsa peer-public-key keyname import sshkey filename Required The result of the display rsa local-key -pair public command or the public key converted w[...]
-
Page 509
1-12 Follow these steps to sp ecify a source IP address/interface for the S SH server: To do… Use the command… Remarks Enter syst e m view system-vie w — Specify a source IP address for the SSH server ssh-server source-ip ip-address Required By default, the system determines the IP address for clients to access. Specify a source interface for[...]
-
Page 510
1-13 z Selecting the protocol for remote con nection as SSH. Usually, a client can use a variety of remote connection protocols, such as Telnet, Rlogin, and SSH. To establish an SSH connection, you must select SSH z Selecting the SSH version. Since the device suppor ts SSH Server 2 .0 now, select 2.0 or lower for the client. z Specifying the privat[...]
-
Page 511
1-14 Figure 1-3 Generate the client keys (2) After the key pai r is generated, click Save public key and enter the name of the file for saving th e public key ( public in this case) to save the public key . Figure 1-4 Generate the client keys (3)[...]
-
Page 512
1-15 Likewise, to save the priv ate key , click Sav e private key . A warning window pop s up to prompt you whether to save the private key witho ut any precaution. Cli ck Ye s and enter the name of the file for saving the private key (“pri vate” in this case ) to save the private key . Figure 1-5 Generate the client keys (4) T o generate RSA p[...]
-
Page 513
1-16 Figure 1-7 SSH client configuration interface 1 In the Host Name (or IP address) text box, enter the IP address of t he server . Note that there must be a route available between the IP addres s of the server and the client. Select a protocol for remote connection As shown in Figure 1-7 , select SSH under Protocol . Select an SSH version From [...]
-
Page 514
1-17 Figure 1-8 SSH client configuration interface 2 Under Protocol options , sele ct 2 from Preferred SSH protocol version . Some SSH client software, for example, Tectia c lient software, supports the DES algorithm only when the ssh1 version is selected. The PuTTY client software support s DES algorithm negotiation ssh2. Open an SSH connection wi[...]
-
Page 515
1-18 Figure 1-9 SSH client configuration interface 3 Click Browse… to bring up the file selection window , navigate to the private key file and click Open to enter the following SSH client interface. If the connection is normal, a user will be prompted for a username. Once p assing the authentica ti on, the user can log onto the server . Figure 1[...]
-
Page 516
1-19 Open an SSH connection with passw ord authentication From the window shown in Figure 1-9 , click Open. The following SSH client interface appears. If the connection is normal, you will be prompted to ent er the usern ame and password, as shown in Figure 1-1 1 . Figure 1-11 SSH client interface (2) Enter the username and p assword to establish [...]
-
Page 517
1-20 Follow these steps to ena ble the device to support first-time authent ication: To do… Use the command… Remarks Enter syst e m view system-vie w — Enable the device to support first-time authentication ssh client first-time enable Optional By default, the client is enabled to run initial authentication. Follow these steps to disa ble fir[...]
-
Page 518
1-21 When logging into the SSH server usi ng public key authentication, an SSH client needs to read the local private key for authentication. As two algor ithms (RS A or DSA) are available, the identity-key keyword must be used to specify one algorithm in orde r to get the correct private key. Specifying a Source IP address/Interface for the SSH cl[...]
-
Page 519
1-22 SSH Configuration Examples When the Device Acts as the SSH Server a nd the Authentication Type is Password Network requirements As shown in Figure 1-12 , est ablish an SSH conne ction between the host (SSH Client) and the device (SSH Server) for secure data exch ange. The ho st run s SSH2.0 client software. Pa ssword authentication is required[...]
-
Page 520
1-23 T ake SSH client software “Putty” (version 0.58) as an example: 1) Run PuTTY.exe to enter the fo llowing configuration interface. Figure 1-13 SSH client configuration interface In the Host Name (or IP addres s) text box, enter the IP address of the SSH server . 2) As shown in Figure 1-13 , click Open to enter the following interface. If th[...]
-
Page 521
1-24 Figure 1-14 SSH client interface When the Device Acts as an SSH Server a nd the Authentication Type is Publickey Network requirements As shown in Figure 1-15 , establish an SSH connection between t he host (SSH client) and the device (SSH Server) for secure data excha nge. The ho st runs SSH2.0 client sof tware. Publickey authentication is req[...]
-
Page 522
1-25 <device> system-view [device] interface vlan-interface 1 [device-Vlan-interface1] ip address 192.168.0.1 255.255.255.0 [device-Vlan-interface1] quit # Generate RSA and DSA key p airs. [device] public-key local create rsa [device] public-key local create dsa # Set the authentication mode for the user interfaces to AAA. [device] user-inter[...]
-
Page 523
1-26 Figure 1-16 Generate a cl ient key pai r (1) While generating the key pair, you m ust move the mouse continuously and keep the m ouse off the green process b ar shown in Figure 1-17 . Otherwise, the process b ar stops moving and the key pair generating process is sto p ped.[...]
-
Page 524
1-27 Figure 1-17 Generate a cl ient key pai r (2) After the key pai r is generated, click Save public key and enter the name of the file for saving th e public key (“public” in this case). Figure 1-18 Generate a cl ient key pai r (3)[...]
-
Page 525
1-28 Likewise, to save the priv ate key , click Sav e private key . A warning window pop s up to prompt you whether to save the private ke y without any protection. Click Ye s and enter the name of the file for saving the private key (“pri vate” in this case ). Figure 1-19 Generate a cl ient key pai r (4) After a public key pair is generated, y[...]
-
Page 526
1-29 Figure 1-21 SSH client configuration interface (2 ) Click Browse… to bring up the file selection window , navigate to the private key file and click OK . 3) From the window shown in Figure 1-21 , click Ope n . The following SSH client interface appears. If the connection is normal, you will be pro mpted to enter the username and password, as[...]
-
Page 527
1-30 When the Switch Acts as an SSH Client and the Authentication Type is Password Network requirements As shown in Figure 1-23 , est ablish an SSH conne ction between Switch A (SSH Client) and Switch B (SSH Server) for secure dat a exchange. The user name for login is client001 a nd the SSH server ’s IP address is 10.165.87.13 6. Password authen[...]
-
Page 528
1-31 [device-Vlan-interface1] ip address 10.165.87.137 255.255.255.0 [device-Vlan-interface1] quit # Establish a con nection to the server 10.165.87.136. [device] ssh2 10.165.87.136 Username: client001 Trying 10.165.87.136 ... Press CTRL+K to abort Connected to 10.165.87.136 ... The Server is not authenticated. Do you continue to access it?(Y/N):y [...]
-
Page 529
1-32 <device> system-view [device] interface vlan-interface 1 [device-Vlan-interface1] ip address 10.165.87.136 255.255.255.0 [device-Vlan-interface1] quit # Generate RSA and DSA key p airs. [device] public-key local create rsa [device] public-key local create dsa # Set the authentication mode for the user interfaces to AAA. [device] user-int[...]
-
Page 530
1-33 After the key pair is generated, you need to upload the pubic key file to the server through FTP or TFTP and complete the server end configuratio n bef ore you continue to configure the client. # Establish an SSH con ne ction to the server 10.165.87.136. [device] ssh2 10.165.87.136 identity-key dsa Username: client001 Trying 10.165.87.136 ... [...]
-
Page 531
1-34 [device-Vlan-interface1] quit # Generate RSA and DSA key p airs. [device] public-key local create rsa [device] public-key local create dsa # Set AAA authentication on user interfaces. [device] user-interface vty 0 4 [device-ui-vty0-4] authentication-mode scheme # Configure the user interfaces to support SSH. [device-ui-vty0-4] protocol inbound[...]
-
Page 532
1-35 [device-Vlan-interface1] ip address 10.165.87.137 255.255.255.0 [device-Vlan-interface1] quit # Generate a DSA key pair [device] public-key local create dsa # Export the generated DSA key pair to a file named Switch001. [device] public-key local export dsa ssh2 Switch001 After generating the key pai r, you need to upload the ke y pair file to [...]
-
Page 533
i Table of Contents 1 File System Manage ment Confi guration ························································································· ········ 1-1 File System C onfiguration ·······························[...]
-
Page 534
1-1 1 File System Management Configuration The sample output inform ation in this manual wa s created on the WX3024. The output information on your device may vary. File System Configuration Introduction to File System T o facilitate management on the device memory , the device provides the file system functio n, allowing you to access and manage t[...]
-
Page 535
1-2 z Displaying the current work directo ry, or content s in a specified directory Follow these steps to pe rfo rm director y-related operations in user view: To do… Use the command… Remarks Create a directory mkdir directory Optional Delete a directory rmdir directory Optional Display the current work directory pw d Optional Display the infor[...]
-
Page 536
1-3 To do… Use the command… Remarks Enter syst e m view system-vie w — Execute the specified batch file execute filename Optional This command sho uld be executed in system view. z For deleted files who se names are the same, only the latest del eted file is kept in the recycle bin and can be restored. z The files which are deleted by the del[...]
-
Page 537
1-4 Follow these steps to pe rform configur ation on p rompt mode of file system: To do… Use the command… Remarks Enter syst e m view system-vie w — Configure the prompt mode of the file system file prompt { alert | quiet } Required By default, the prompt mode of the file system is alert . File System Configuration Example # Display all the f[...]
-
Page 538
1-5 <device> dir unit1>flash:/test/ Directory of unit1>flash:/test/ 1 -rw- 1443 Apr 02 2000 02:45:13 1.cfg 6858 KB total (6841 KB free) (*) -with main attribute (b) -with backup attribute (*b) -with both main and backup attribute File Attribute Configuration Introduction to File Attributes The following two st a rtup files supp ort file[...]
-
Page 539
1-6 attribute. If you download a valid file with t he same name as the deleted file to the flash memory , the file will possess the ma in attribute. Configuring File Attributes Y ou can configure and view the main at tribute or ba ckup attribute of the st artup file used for the next startup of a switch, and ch ange the m ain or backup attribute of[...]
-
Page 540
i Table of Contents 1 FTP and SFTP Configur ation ··································································································· ················· 1-1 Introduction to FTP and SFTP ················?[...]
-
Page 541
1-1 1 FTP and SFTP Configuration z The term switch used throughout this docum ent re fers to a switching device in a generi c sense or the switching engine of a WX30 00 seri es. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. z FTP banner is newly added. For detail s, see C[...]
-
Page 542
1-2 Introduction to SFTP Secure FTP (SFTP) is establish ed based on an SSH2 con nec tion. It allows a remote user to log in to the switching eng ine to manage and transmit files, prov iding a securer guarante e for data transmissi on. In addition, since the device can be used as a cli ent, you can log in to remote devices to transfer files securely[...]
-
Page 543
1-3 Enabling an FTP server Follow these steps to ena b le an FTP se rver: To do… Use the command… Remarks Enter syst e m view system-vie w — Enable the FTP server function ftp server enable Required Disabled by default. z Only one user can access the device at a given ti me whe n the latter op erate s as an FTP server. z Operating as an FTP s[...]
-
Page 544
1-4 Source interface refers to the existing V LAN inte rface or Loopback interface on the device. Source IP address refers to the IP a ddress configured for the i nterface on the device. Each source interface corresponds t o a source IP address. Th erefore, specifying a source inte rfa ce for the FTP server is the same as specifying the IP address [...]
-
Page 545
1-5 With the device acting as the FTP se rver, if a network administrator atte mpts to disconnect a user that is uploading/downloading d ata to/from the FTP server the d evice will disconnect the use r after the data transmission is complet e d. Configuring the banner for an FTP server Displaying a banner: With a banner configure d on t he FTP serv[...]
-
Page 546
1-6 To do… Use the command… Remarks Configure a shell banner header shell text Use either command o r both. By default, no banner is configured. For details about the header comman d, refer to the Login part of the manual. Displaying FTP server information To do… Use the command… Remarks Display the information about FTP server configuratio[...]
-
Page 547
1-7 To do… Use the command… Remarks Change the worki ng directory on the remote FTP server cd pathn ame Change the worki ng directory to be the parent directory cdup Get the local working path on the FTP client lcd Display the working directory on the FTP server pw d Create a directory on the remote FTP server mkdir pathname Remove a directory [...]
-
Page 548
1-8 Specifying the source interface and source IP address for an FTP client Y ou can specify the source interface and source IP address for the device acting as an FTP client, so that it can connect to a remote FTP server . Follow these steps to sp ecify the source interface an d sou rce IP addre ss for an FTP client: To do… Use the command… Re[...]
-
Page 549
1-9 saved-configuration com mand to specify config.cfg as the main configuration file for next startup and then reboot the device. z Create a user account on the FTP server with t he user name “switch” an d password “hello”. z The IP addresses 1.1.1.1 for a VLAN interfa ce on the switching engine and 2.2.2.2 for the PC have been configured.[...]
-
Page 550
1-10 200 Port command okay. 150 Opening ASCII mode data connection for config.cfg. 226 Transfer complete. This example uses the command lin e window tool pr ovided by Windows. When you log in to the FTP server through another FTP client, refer to the corresponding instruction s for o p eration description. z If available space on the flash memory o[...]
-
Page 551
1-11 Figure 1-4 Network diagram for FTP banner di spl ay configuration Net work Switch PC FTP S e r ver FTP C lie n t Vlan-I nt 1 1.1. 1. 1 / 8 2. 2 . 2. 2/ 8 Configuration procedure 1) Configure the sw itch (FTP server ) # Configure the logi n banner of the switching e ngine as “l ogin banner a ppears” a nd the shell b anner as “shell banner[...]
-
Page 552
1-12 Figure 1-5 Network diagram for FTP configurations: the device operating a s an FTP client Switch A FTP Cl i e nt FTP S er ve r Vlan -I nt 1 1. 1. 1.1/ 8 2. 2.2 . 2/ 8 Net wo r k PC Configuration procedure 1) Configure the PC (FTP server) Perform FTP server–rel ated configuratio ns on the PC , that is, creat e a user account on the FT P serve[...]
-
Page 553
1-13 <device> # After downloadi ng the file, use the st artup sav ed-configuration command to sp ecify the downloaded configuration file as th e main configuration file for next st artup, and then rest art the device. <device>startup saved-configuration config.cfg main Please wait........................................Done! For informa[...]
-
Page 554
1-14 To do… Use the command… Remarks Enter syste m view system-v iew — Configure the connection idle time for the SFTP server ftp timeout time-out-value Optional 10 minutes by default Supported SFTP client software The device operating as an SFTP server can intero perate with SFTP client sof tware, including SSH T ectia Client v4.2.0 (SFTP), [...]
-
Page 555
1-15 To do… Use the command… Remarks Enter SFTP client view sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | m[...]
-
Page 556
1-16 If you specify to authenticate a client th rough public key on the server, the client need s to read the lo cal private key when logging in to the SFTP server. Since both RSA and DSA are available for publi c key authentication, you need to use the ide ntity-key key word to specify the algorit hms to get co rre ct local private key; otherwise [...]
-
Page 557
1-17 # Create a VLAN interface on the device and assign to it an IP address, which is used as the destination address for the client to conne ct to the SFTP server . [device] interface vlan-interface 1 [device-Vlan-interface1] ip address 192.168.0.1 255.255.255.0 [device-Vlan-interface1] quit # S pecify the SSH authenti cation m ode as AAA. [device[...]
-
Page 558
1-18 sftp-client> # Display the current directory of the server . Delete the file z and verify the result. sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 n[...]
-
Page 559
1-19 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2 Received status: End of file Received status: Success # Download the file pubkey2 from the server a nd ren ame it as public. sftp-client> get pubkey2[...]
-
Page 560
2-1 2 TFTP Configuration Introduction to TFTP Compared with FTP , TFTP (trivial file transfer protocol ) features simple interactive access interface and no authentication control. Therefore, TFT P is appli cabl e in the networks where c lient-server interaction s are relatively simple. TFTP is implemented based on UDP . It transfers data through U[...]
-
Page 561
2-2 Task Remarks TFTP server configuration For details, see the corresponding manual — TFTP Configuration: The Device Operating as a TFTP Client Basic configurations on a TFTP client By default the device can operate as a T FTP client. In this case you can connect the devi ce to the TFTP server to perform TFTP-related o perations (such a s creati[...]
-
Page 562
2-3 To do… Use the command… Remarks Specify an interface as the source interface a TFTP client uses every time it connects to a TFTP server tftp source-interfac e interface-type interface-n umber Specify an IP address as the source IP address a TFTP client uses every time it connects to a TFTP server tftp source-ip ip-address Use either command[...]
-
Page 563
2-4 Configuration procedure 1) Configure the TFTP server (PC) S t art the TFT P server and configure the working directory on the PC. 2) Configure the TFTP client (switch). # Log in to the switching engine. (Y ou can log in to the switching engine through the console port or by telnetting the device. See the “Login” module fo r detailed inform [...]
-
Page 564
i Table of Contents 1 Informatio n Cent er··········································································································· ·························· 1-1 Information Cent er Overview ···?[...]
-
Page 565
1-1 1 Information Center z The term switch used throughout this docum ent re fers to a switching device in a generi c sense or the switching engine of a WX30 00 seri es. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. Information Center Overview Introduction to Information [...]
-
Page 566
1-2 Severity Sev erity v alue Description informational 7 Informational information to be recorded debugging 8 Information generated duri ng debugging Information filtering by severity works this way: information with the seve ri ty value greater than the configured threshold is not output during the filtering. z If the threshold is set to 1, only [...]
-
Page 567
1-3 Configurations for the six output directions function independe ntly and take effect only after the information center is enabled. Outputting system information by source module The system information ca n be classified by source module and t hen filtered. Some module names and description are shown in T able 1-3 . Table 1-3 Source module name [...]
-
Page 568
1-4 Module name Description NTP Network time protocol module PKI Public key infrastructure module RDS Radius module RMON Rem ote monitor module RSA Revest, Shamir and Adleman encryption mod ule SHELL User interface module SNMP Simple network management protocol m odule SOCKET Socket module SSH Secure shell module SYSMIB System MIB module TAC HWTACA[...]
-
Page 569
1-5 Priority The priority is calculated using the followi ng formula: facility*8+severity-1, in which z facility (the device name) defaults to local7 with the value being 23 (the value of local6 is 22, that of local5 is 21, and so on). z severity (the information level) ranges from 1 to 8. Table 1-1 details the value and meaning associated with eac[...]
-
Page 570
1-6 Y ou can use the sysname command to modify the system name. Refer to the System Maintenance an d Debugging p art of this manual for detail s) Note that there is a space betwe en the sysn ame and module fields. Module The module field represent s the n ame of the module t hat gen erates system in formation. Y ou can enter the info-center source [...]
-
Page 571
1-7 Task Remarks Setting to Output System Information to the SNMP NMS Optional Configuring Synchronous Information Output Synchronous information output refers to the feature that if the system informatio n such as log, trap, or debugging information is output when the user is in putting commands, the command lin e prompt (in command editing mode a[...]
-
Page 572
1-8 To do… Use the command… Remarks Log host direction info-center timestamp loghost date Set the time stamp format in the output direction of the information center to date Non log host direction info-center timestamp { log | trap | debugging } date Required Use either command Set to display the UTC time zone in the output information of the i[...]
-
Page 573
1-9 Table 1-4 Default output rules for differe nt output dire ction s LOG TRAP DEBUG Output direction Modules allowed Enable d/disab led Severit y Enabled/ disabled Severity Enabled/ disabled Severity Console default (all modules) Enable d warning s Enabled debuggin g Enabled debuggin g Monitor terminal default (all modules) Enable d warning s Enab[...]
-
Page 574
1-10 Setting to Output System Info rmation to a Monitor Terminal System information can also be output to a monitor te rminal, whi ch is a user terminal that has login connections through the AUX, VTY , or TTY user interf ace. Setting to output system information to a monitor terminal Follow these steps to set to output syst em information to a mon[...]
-
Page 575
1-11 Follow these steps to ena b le the display of system information on a monitor termi nal: To do… Use the command… Remarks Enable the debugging/log/trap information terminal display function terminal monitor Optional Enabled by default Enable debugging informat ion terminal display function terminal debugging Optional Disabled by default Ena[...]
-
Page 576
1-12 To do… Use the command… Remarks Set the format of the time stamp to be sent to the log host info-center timestamp loghost { date | no-y ear-date | none } Optional By default, the time stamp format of the information output to the log host is date . Be sure to set the correct IP address when usin g the info-center loghost command. A loop ba[...]
-
Page 577
1-13 To do… Use the command… Remarks Enable information output to the log buffer info-center logbuffer [ channel { channel - number | channel - name } | size buffersize ]* Optional By default, the device uses information channel 4 to output log information to the log buffer, which can holds up to 512 items by default. Configure the output rules[...]
-
Page 578
1-14 Displaying and Maintaining Information Center To do… Use the command… Remarks Display information on an information channel display channel [ channel - number | channel - name ] Display the operation status of information center, the configuration of information channels, the format of time stamp display info-center [ unit unit-id ] Displa[...]
-
Page 579
1-15 # Configure the host whose IP address is 202.3 8.1.1 0 as the log host. Permit ARP and IP modules to output information with severity level higher than informational to the log ho st. [Switch] info-center loghost 202.38.1.10 facility local4 [Switch] info-center source arp channel loghost log level informational debug state off trap state off [[...]
-
Page 580
1-16 Through combined configuration of the device name (facility), informatio n severity level threshold (severity), module name (filter) and the fil e “syslog.con f ”, you can sort inform ation precisely for fi ltering. Log Output to a Linux Log Host Network requirements As shown in Figure 1-2 , Switch send s the following log information to t[...]
-
Page 581
1-17 Note the following items when you edit file “/etc/syslo g.conf”. z A note must start in a new line, starting with a “#" sign. z In each pair, a tab should be used a s a separator instead of a space. z No space is permitted at the end of the file name. z The device name (facility) and received log informatio n severity sp ecified in [...]
-
Page 582
1-18 [Switch] info-center enable # Disable the function of outputting in formation to the console ch an nels. [Switch] undo info-center source default channel console # Enable log information output to the console. Pe rm it ARP and IP modules to output log informatio n with severity level higher than informatio nal to the con sole. [Switch] info-ce[...]
-
Page 583
i Table of Contents 1 Host Configurat ion File Loading ······························································································ ················ 1-1 Introduction to Loading Approaches ·················[...]
-
Page 584
1-1 1 Host Configuration File Loading z The term switch used throughout this docum ent re fers to a switching device in a generi c sense or the switching engine of a WX30 00 seri es. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. T raditionally , device software is loaded [...]
-
Page 585
1-2 Connected to OAP! <device_LSW> ftp 192.168.0.100 Trying ... Press CTRL+K to abort Connected. 220 3Com 3CDaemon FTP Server Version 2.0 User(none):admin 331 User name ok, need password Password: 230 User logged in [ftp]get config.cfg config.cfg 227 Entering passive mode (192,168,0,100,5,95) 125 Using existing data connection ..........226 C[...]
-
Page 586
1-3 Figure 1-2 Remote loading using FTP server Sw i tch PC Et hernet p ort In te r n e t F T P Ser ve 10 .1 . 1.1 FTP S erv e r 192 . 16 8 . 0.51 S tep 1: As shown in Figure 1-2 , connect Switch through an Ethernet por t to the PC (whose IP address is 10.1.1.1) S tep 2: Configure the IP address of VLAN-interface 1 on Switch to 192.168.0.51, and sub[...]
-
Page 587
1-4 S tep 6: Enter f tp 192.168.0.51 and enter the user name test , p assword pas s to log on to the FTP server . C:Documents and SettingsAdministrator>d: D:>cd update D:Update>ftp 192.168.0.51 Connected to 192.168.0.51. 220 FTP service ready. User (192.168.0.51:(none)): test 331 Password required for test. Password: 230 User logged in[...]
-
Page 588
1-5 z The steps listed ab ove are performed in the Windows operating system, if you use other F TP client software, refer to the corresponding user guid e before ope ration. z Only the configuration steps concerning loading are listed here. For detail ed description on the correspondi n g configuration commands, refer to the “FTP-SFTP-TFTP” par[...]
-
Page 589
2-1 2 Basic System Configuration and Debugging Basic System Configuration Follow these steps to pe rform basic system configuration: To do… Use the command… Remarks Set the current date and time of the system clock datetime HH:MM:SS { YYYY/MM/DD | MM/DD/YYYY } Required Execute this command in user view. The default value is 23:55:00 04/01/200 0[...]
-
Page 590
2-2 Displaying the System Status To do… Use the command… Remarks Display the current date and time of the system display clock Display the version of the system di sp l ay ve rs i on Display the information about users logging onto the device display users [ all ] Available in any view Debugging the System Enabling/Disabling System Debugging Th[...]
-
Page 591
2-3 Y ou can use the following commands to enable the two settings. Follow these steps to ena ble debugging and termi nal display for a specific module: To do… Use the command… Remarks Enable system debugging for specific module debugging module-name [ debugging - option ] Required Disabled for all modules by default. Enable terminal display fo[...]
-
Page 592
3-1 3 Network Connectivity Test Network Connectivity Test ping Y ou can use the ping command to check the network connectivity and the reachability of a host. Follow these steps to execute the ping comm and: To do… Use the command… Remarks Check the IP network connectivity and the reachability of a host ping [ -a ip-address ] [ -c count ] [ -d [...]
-
Page 593
4-1 4 Device Management Introduction to Device Management Device Management includes the following: z Reboot the device z Configure real-time monitoring of t he running status of the system z Specify the main configuration file to be used at the next reboot Device Management Configuration Device Management Configuration Tasks Complete the following[...]
-
Page 594
4-2 Scheduling a Reboot on the Device After you schedule a reb oot on the device, t he device will reboot at the specified time. Follow these steps to sche dul e a reboot on the device: To do… Use the command… Remarks Schedule a reboot on the device, and set the reboot date and time schedule reboot at hh:mm [ mm/dd/yyyy | yyy y/ mm/dd ] Optiona[...]
-
Page 595
4-3 Follow the step below to specify the main configuration file to be used at rebo ot: To do… Use the command… Remarks Specify the main configuration file to be used at next reboot startup sav ed-configuration filename [ main | backup ] Required Identifying and Diagnosing Pluggable Transceivers Introduction to pluggable transceivers At present[...]
-
Page 596
4-4 Follow these steps to ident ify pluggable transceivers: To do… Use the command… Remarks Display main parameters of the pluggable transceiver(s) display transceiver interfac e [ interface-type interface-number ] Available for all pluggable transceivers Diagnosing pluggable transceivers The system outputs alarm informatio n for you to diagnos[...]
-
Page 597
i Table of Contents 1 VLAN-VPN C onfigurat ion ·························································································································· 1-1 VLAN-VPN Overview ··················[...]
-
Page 598
1-1 1 VLAN-VPN Configuration z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of a unified swit ch in the WX3000 series. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. VLAN-VPN Overview Introduction to [...]
-
Page 599
1-2 Figure 1-2 Structure of packets with double-laye r VLAN tag s Des ti na ti o n MA C addres s 0 31 Dat a Sour ce MA C ad dr ess 15 Inn er VLAN T a g O uter VLAN T ag Compared wi th MPLS-based Layer 2 VPN, VLAN-VPN ha s the followin g features: z It provides Layer 2 VPN tunnels that are simple r. z VLAN-VPN can be implemented throug h manual conf[...]
-
Page 600
1-3 As the position of the TPID field in an Ethernet packe t is the same as that of the upper-layer protocol type field in a packet without VLAN T ag, to avoid confusion in the process of receiving/forwardin g a packet, the TPID value cannot be any of the protocol type value listed in T able 1-1 . Table 1-1 Commonly used protocol type values in Eth[...]
-
Page 601
1-4 TPID Adjusting Configuration Configuration Prerequisites z To change the global TPID value 0x8100, you need to specify a port on the device as a VLAN VPN uplink port. Before the configuration, ma ke sure that VLAN VPN is disabled on the port. z For proper packet transmi ssion, confirm the TPID value of the peer device in the public network befo[...]
-
Page 602
1-5 VLAN-VPN Configuration Example Transmitting User Packets through a Tunnel in the Public Network by Using VLAN-VPN Network requirements z As shown in Figure 1-4 , both Switch A and Switch B are the WX3000 series device s. They connect the users to the servers th rough the publ ic network. z PC users and PC serve rs are in VLAN 100 created in the[...]
-
Page 603
1-6 # Set the global TPID value of Switch A to 0x9200 and configure GigabitEthernet 1/0/12 a s a VLAN VPN uplink port, so that Switch A can interco mmunicate with devices in the public net work. [SwitchA] vlan-vpn tpid 9200 [SwitchA] interface GigabitEthernet1/0/12 [SwitchA-GigabitEthernet1/0/12] port link-type trunk [SwitchA-GigabitEthernet1/0/12][...]
-
Page 604
1-7 1) As GigabitEthernet 1/0/11 of Switch A is a VLAN-VPN port, when a packet from the custo mer’s network side reaches this port, it is tagged with the default VLAN tag of the port (VLAN 1040). 2) The device sets the TPID value for the outer VL AN tags of packets to user-defined value 0x 9200 and then forwards these packets to the public networ[...]
-
Page 605
2-1 2 Selective QinQ Configuration Selective QinQ Overview Selective QinQ Overview Selective QinQ is an enhanced appli cation of the VLAN -VPN feature. With the selective QinQ feature, you can configure inner-to- outer VLAN t ag mapping, according to whi ch you can add dif ferent outer VLAN tags to the p acket s with dif ferent inner VLAN t ags. Th[...]
-
Page 606
2-2 In this way , you can configure dif ferent forwarding polici es for dat a of differ ent type of users, thus improving the flexibility of network management. On the other hand, network resources are well utilized, and users of the same type are also isolated by thei r inner VLAN t ags. This help s to improve network security . Inner-to-Outer Tag[...]
-
Page 607
2-3 You are recommended not to configure both the DHCP snooping and selective Q-in-Q function on the device, which may result in the DH CP snooping to function abno rm ally. Configuring the Inner-to-Outer Tag Priority Mapping Feature Configuration Prerequisites Enabling the VLAN-VPN feature on the current port Configuration Procedure Follow these s[...]
-
Page 608
2-4 Figure 2-2 Network diagram for select ive QinQ configuration Pu b l i c N e tw o r k VL AN 1 0 0 0 / VLAN 12 0 0 PC Us er VLAN 10 0 ~ 1 08 IP Phone User VLA N 200~ 2 30 G E1/0/3 GE1 / 0 / 5 Fo r P C U s e r V LAN 100~ 10 8 Fo r IP P h o ne VL AN 2 0 0 ~ 23 0 Sw it chA Sw itchB G E 1/ 0/11 G E 1/0/12 G E 1/0/13 Configuration procedure z Configur[...]
-
Page 609
2-5 [SwitchA-GigabitEthernet1/0/3] vlan-vpn enable # Enable the selective QinQ featur e on GigabitEthernet 1/0/3 to tag pa ckets of VLAN 100 through VLAN 108 with the tag of VLAN 1 000 as the outer VLAN tag, and tag p ackets of VLAN 200 thro ugh VLAN 230 with the tag of VLAN 1200 as the oute r VLAN tag. [SwitchA-GigabitEthernet1/0/3] vlan-vpn vid 1[...]
-
Page 610
2-6 T o make the packets fro m the servers be transmit ted to the client s in the same way , you need to configure the selective QinQ feature on GigabitEthernet 1/0/ 12 and GigabitEthernet 1/0/13. The configuration on Switch B is similar to that on Switch A and is thus omitted. z The port configuration on Switch B is only an exam ple for a specific[...]
-
Page 611
i Table of Contents 1 HWPing Conf iguration ········································································································· ····················· 1-1 HWPing Ov erview ···············?[...]
-
Page 612
1-1 1 HWPing Configuration z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of a WX3 000. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. HWPing Overview Introduction to HWPing HWPing (pronounced Hua ’[...]
-
Page 613
1-2 Figure 1-1 HWPing illustration Sw itc h A Switch B HW P i ng Cl i en t I P net work H WPing Ser ver Test Types Supported by HWPing Table 1-1 Test types supported by HWPing Supported test types Description ICMP test DHCP test FTP test HTTP test DNS test SNMP test For these types of tests, you need to configure HWPing client and corresponding ser[...]
-
Page 614
1-3 Test parameter Description Source interface ( source-interfac e ) z For DHCP test, you must spe cify a source interface, which will be used by HWPing client to send DHCP requests. If no source interfac e is specified for a DHCP test, the test will not succeed. z After a source interface is specified, HWPi ng client uses this source interface to[...]
-
Page 615
1-4 Test parameter Description File name for FTP operation ( filename ) Name of a file to be transferred between HWPing client and FTP server Number of jitter test packets to be se nt per probe ( jitter-packetnum ) z Jitter test is used to collect statis tics about delay jitter in UDP packet transmissi on z In a jitter probe, the HWPing cli ent sen[...]
-
Page 616
1-5 HWPing server configuration The following t able describes the configuration on HW Ping server , which is the same for HWPing test types that need to configure HWPing server . Follow these steps to co nf igure the HWPing server: To do… Use the command… Remarks Enter syst e m view system-vie w — Enable the HWPing server function hwping-ser[...]
-
Page 617
1-6 To do… Use the command… Remarks Configure the number of probes per test count times Optional By default, each test makes one probe. Configure the packet size datasize size Optional By default, the packet size is 56 bytes. Configure the maximum number of history records that can be s aved history-records number Optional By default, the maxim[...]
-
Page 618
1-7 To do… Use the command… Remarks Configure the source interface source-interface interface-type interface-number Required You can only configure a VLAN interface as the source interface. By default, no source interface is configured. Configure the test type test-type dhcp Required By default, the test type is ICMP. Configure the number of pr[...]
-
Page 619
1-8 To do… Use the comm and… Remarks Configure the number of probes per test count times Optional By default, each test makes one probe. Configure the maximum number of history records that can be s aved history-records number Optional By default, the maximum number is 50. Configure the automatic test interval frequency interval Optional By def[...]
-
Page 620
1-9 To do… Use the command… Remarks Configure the destination IP address destination-ip ip-address Required You can configure an IP address or a host name. By default, no destination address is configured. Configure dns-server dns-server ip-address Required when you use the destination-ip command to configure the destination address as the host[...]
-
Page 621
1-10 5) Configuring jitter test on HWPing client Follow these steps to co nfigur e jitter test on HWPing client: To do… Use the command… Remarks Enter syst e m view system-vie w — Enable the HWPing client function hwping-agent enable Required By default, the HWPing client function is disabled. Create a HWPing test group and enter its view hwp[...]
-
Page 622
1-11 To do… Use the command… Remarks Configure the probe timeout time timeout time Optional By default, a probe times out in three second s. Configure the type of service tos value Optional By default, the service type is zero. Configure the number of test packets that will be sent in each jitter probe jitter-packetnum number Optional By defaul[...]
-
Page 623
1-12 To do… Use the command… Remarks Configure the maximum number of history records that can be s aved history-records number Optional By default, the maximum number is 50. Configure the automatic test interval frequency interval Optional By default, the automatic test interval is zero se conds, indicating no automatic test will be made. Confi[...]
-
Page 624
1-13 To do… Use the command… Remarks Configure the destination port destination -port port-number Required in a Tcpprivate test A Tcppublic test is a TCP connection test on port 7. Use the hwping-server tcpconnect ip-a ddress 7 command on the server to configure the listening service port; otherwise the test will fail. No port number needs to b[...]
-
Page 625
1-14 To do… Use the command… Remarks Enter syste m view system-v iew — Enable the HWPing client function hwping-agent enable Required By default, the HWPing client function is disabled. Create a HWPing test group and enter its view h w ping administrator-name operation- tag Required By default, no test group is configured. Configure the desti[...]
-
Page 626
1-15 To do… Use the command… Remarks Configure the automatic test interval frequency interval Optional By default, the automatic test interval is zero se conds, indicating no automatic test will be made. Configure the probe timeout time timeout time Optional By default, a probe times out in three second s. Configure the service type tos value O[...]
-
Page 627
1-16 To do… Use the command… Remarks Configure the probe timeout time timeout time Optional By default, a probe times out in three second s. Configure the type of service tos value Optional By default, the service type is zero. Configure the domain name to be resolved dns resolve-targ etdomai domainname Required By default, the domain name to b[...]
-
Page 628
1-17 Displaying and Maintaining HWPing To do… Use the command… Remarks Display test history display hwping history [ administrator-nam e opera tion-tag ] Display the results of the latest test display hwping results [ administrator-nam e operation-tag ] Available in any view HWPing Configuration Example ICMP Test Network requirements As shown i[...]
-
Page 629
1-18 # Display test results. [device-hwping-administrator-icmp] display hwping results administrator icmp HWPing entry(admin administrator, tag icmp) test result: Destination ip address:10.2.2.2 Send operation times: 10 Receive response times: 10 Min/Max/Average Round Trip Time: 3/6/3 Square-Sum of Round Trip Time: 145 Last succeeded test time: 200[...]
-
Page 630
1-19 # Create a HWPing test group, setting the admini strator name to "administrator" and test t ag to "DHCP". [device] Hwping administrator dhcp # Configure the test type as dhcp . [device-hwping-administrator-dhcp] test-type dhcp # Configure the source interfa ce, which must be a VLAN interface. Make sure the DHCP server re si[...]
-
Page 631
1-20 FTP Test Network requirements As shown in Figure 1-4 , both the HWPing client and the FTP server are WX3000 se ries devices. Perform a HWPing FTP test between the two devices to test the connectivity to the specified FTP server and the time required to uploa d a file to the serv er after the connection is est ablished. Both the username and p [...]
-
Page 632
1-21 [device-hwping-administrator-ftp] count 10 # Set the probe timeout time to 30 seconds. [device-hwping-administrator-ftp] timeout 30 # Configure the source IP address [device-hwping-administrator-ftp] source-ip 10.1.1.1 # S t art the test. [device-hwping-administrator-ftp] test-enable # Display test results [device-hwping-administrator-ftp] dis[...]
-
Page 633
1-22 HTTP Test Network requirements As shown in Figure 1-5 , Switch serves as the HWPing client, and a PC serves as the HTTP server . Perform a HWPing HTTP test betwe en Switch and the H TTP se rver to test the connectivity and the time required to download a file from the HT TP server af ter the conn ection to the server is established. Figure 1-5[...]
-
Page 634
1-23 SD Maximal delay: 0 DS Maximal delay: 0 Packet lost in test: 0% Disconnect operation number: 0 Operation timeout number: 0 System busy operation number: 0 Connection fail number: 0 Operation sequence errors: 0 Drop operation number: 0 Other operation errors: 0 Http result: DNS Resolve Time: 0 HTTP Operation Time: 675 DNS Resolve Min Time: 0 HT[...]
-
Page 635
1-24 Network diagram Figure 1-6 Network diagram for the Jitter test Sw itc h A Sw itc h B HW Pi ng Cl i en t I P net w ork 10.1 .1 .1/8 10 . 2.2.2/ 8 HWP in g S e r v er Configuration procedure z Configure HWPing Server (Switch B): # Enable the HWPing server an d co nfigure the IP ad dress and port to listen on. <device> system-view [device] [...]
-
Page 636
1-25 Packet lost in test: 0% Disconnect operation number: 0 Operation timeout number: 0 System busy operation number: 0 Connection fail number: 0 Operation sequence errors: 0 Drop operation number: 0 Other operation errors: 0 Jitter result: RTT Number:100 Min Positive SD:1 Min Positive DS:1 Max Positive SD:6 Max Positive DS:8 Positive SD Number:38 [...]
-
Page 637
1-26 Network diagram Figure 1-7 Network diagram for the SNMP test Sw itc h A Sw it ch B HW Pi ng Cl i en t IP n e tw o rk 10.1 .1.1 /8 10.2 .2 .2/ 8 SN MP Agen t Configuration procedure z Configure SNMP Agent (Switch B): # S t art SNMP agent and set SNMP versi on to V2C, read-only community name to "public", and read-write community name [...]
-
Page 638
1-27 [device-hwping-administrator-snmp] test-enable # Display test results [device-hwping-administrator-snmp] display hwping results administrator snmp HWPing entry(admin administrator, tag snmp) test result: Destination ip address:10.2.2.2 Send operation times: 10 Receive response times: 10 Min/Max/Average Round Trip Time: 9/11/10 Square-Sum of Ro[...]
-
Page 639
1-28 Configuration procedure z Configure HWPing Server (Switch B): # Enable the HWPing server an d co nfigure the IP ad dress and port to listen on. <device> system-view [device] hwping-server enable [device] hwping-server tcpconnect 10.2.2.2 8000 z Configure HWPing Client (Switch A): # Enable the HWPing client. <device> system-view [de[...]
-
Page 640
1-29 Index Response Status LastRC Time 1 4 1 0 2000-04-02 08:26:02.9 2 5 1 0 2000-04-02 08:26:02.8 3 4 1 0 2000-04-02 08:26:02.8 4 5 1 0 2000-04-02 08:26:02.7 5 4 1 0 2000-04-02 08:26:02.7 6 5 1 0 2000-04-02 08:26:02.6 7 6 1 0 2000-04-02 08:26:02.6 8 7 1 0 2000-04-02 08:26:02.5 9 5 1 0 2000-04-02 08:26:02.5 10 7 1 0 2000-04-02 08:26:02.4 For detail[...]
-
Page 641
1-30 [device-hwping-administrator-udpprivate] destination-ip 10.2.2.2 # Configure the destination port on the HWPi ng server . [device-hwping-administrator-udpprivate] destination-port 8000 # Configure to make 10 probes per test. [device-hwping-administrator-udpprivate] count 10 # Set the probe timeout time to 5 seconds. [device-hwping-administrato[...]
-
Page 642
1-31 Network diagram Figure 1-10 Network diagram for the DNS test Swit ch HW P i ng Cl i en t IP n e tw o r k 10.1 .1. 1/8 10 . 2.2.2 /8 DN S Se r ver Configuration procedure z Configure DNS Server: Use Windows 2003 Serv er as the DNS server . For DNS server configuration, refer to the related instruction on Windows 2003 Serve r co nfiguration. z C[...]
-
Page 643
1-32 System busy operation number: 0 Connection fail number: 0 Operation sequence errors: 0 Drop operation number: 0 Other operation errors: 0 Dns result: DNS Resolve Current Time: 10 DNS Resolve Min Time: 6 DNS Resolve Times: 10 DNS Resolve Max Time: 10 DNS Resolve Timeout Times: 0 DNS Resolve Failed Times: 0 [device-hwping-administrator-dns] disp[...]
-
Page 644
i Table of Contents 1 DNS Confi gurati on············································································································ ························· 1-1 DNS Overview ············[...]
-
Page 645
1-1 1 DNS Configuration z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of the WX 3000 series. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. z This chapter covers only IPv4 DNS configurat ion. For d e[...]
-
Page 646
1-2 Figure 1-1 Dynamic domain name resolution Req ue s t Response Re sp o n se Requ est Save Read DNS c lient DNS se rv e r Res olver Cac he Use r pr o gr a m Figure 1-1 shows the relationship betwe en user p rogram, DNS client, and DNS se rver . The resolver and ca che comprise th e DNS client. Th e user program and DNS client run on the same devi[...]
-
Page 647
1-3 To do… Use the command… Remarks Enter syst e m view system-view — Configure a mapping between a host name and an IP address ip host hostnam e ip-address Required No IP address is assigned to a host name by default. The IP address you assign to a host name last time will overwrite the previous one if there i s any. You may create up to 50 [...]
-
Page 648
1-4 Figure 1-2 Network diagram for stat ic DNS configuration 1 0 . 1 . 1 .1 /2 4 10 . 1. 1 . 2 / 24 hos t . c om Ho s t Sw it ch Configuration procedure # Configure a mapping betwee n ho st name host.com and IP address 10.1.1.2. <device> system-view [device] ip host host.com 10.1.1.2 # Execute the ping host.com command to verify that the devi[...]
-
Page 649
1-5 Configuration procedure Before doing the following configuration, make sure that: z The routes between the DNS server, Switch, an d Host are reachable. z Necessary configurations are don e on the devices. For the IP addresses of the interfaces, see the figure above. z There is a mapping between domai n na me host and IP address 3.1.1.1/16 on th[...]
-
Page 650
1-6 Displaying and Maintaining DNS To do… Use the com mand… Remarks Display static DNS database display ip host Display the DNS server information display dns server [ dy nam ic ] Display the DNS suffixes display dns domain [ dynam ic ] Display the information in the dynamic domain name cache display dns dynamic-host Available in any view Displ[...]
-
Page 651
i Table of Contents 1 Smart Link C onfigurat ion ························································································································· 1-1 Smart Link Overview ·················[...]
-
Page 652
1-1 1 Smart Link Configuration z The term switch used throughout this chapter refers to a switching device in a generi c sense or the switching engine of a unified swit ch in the WX3000 series. z The sample output information in this ma nual was created on the WX3024. Th e output information on your device may vary. Smart Link Overview As shown in [...]
-
Page 653
1-2 Master port The master port can be either an Ethernet port or a manually-configured or st atic LACP aggregation group. For example, you can configure GigabitEtherne t 1/0/1 of switch A in Figure 1-1 as the mas ter port through the comman d line. Slave port The slave port can be either an Ethernet port or a manually-configured or st atic LACP ag[...]
-
Page 654
1-3 Operating Mechanism of Smart Link Figure 1-2 Network diagram of Smart Link operatin g mechani sm BLOC K Switch A Switch B GE 1/ 0 / 1 GE1 / 0/ 2 Switc h C Switc h D Switch E GE1 /0/1 GE1 /0/2 GE 1/ 0 / 3 G E 1/ 0/1 GE 1/ 0/ 2 GE1/0/ 3 GE 1/ 0/ 11 GE 1/ 0/ 12 As shown in Figure 1-2 , GigabitEthernet 1/0/1 on Switch A is ac tive and GigabitEthern[...]
-
Page 655
1-4 Task Remarks Create a Smart Link group Add member ports to the Smart Link group Configuring a Smart Link Device Enable the function of sending flush messages in the specified control VLAN Required Configuring Associated Devices Enable the function of processing flush messa ges received from the specified control VLAN Required Configuring a Smar[...]
-
Page 656
1-5 To do… Use the command… Remarks Enable the function of sending flush messages in the spe cified control VLAN flush enable control-vl an vlan-id Optional By default, no control VLAN for sending flush messages i s specified. Configuring Associated Devices An associated device mentioned in thi s document re fers to a device that supports Sma r[...]
-
Page 657
1-6 z When you copy a port, the Smart Link/Monitor Li nk group member informatio n configured on the port will not be copied to other ports. z If a single port is specifie d as a member of a Sm art Link/Monitor Link group, you cannot execute the lacp enable command on this port or add this po rt into other dynamic link aggregation g roups, because [...]
-
Page 658
1-7 Figure 1-3 Network diagram for Smart Link configuration Sw itch A G E 1 / 0 /1 G E 1 /0 /2 Swit ch C Ser ve r GE1/ 0/ 1 GE1/ 0/ 2 GE 1/ 0/ 2 PC Sw i t ch D Swi tch E GE 1/0 / 3 GE 1/ 0/ 2 GE 1/0 / 1 Configuration procedure 1) Configure a Smart Link group on Switch A and conf igure member ports for it. Enable the function of sending flush messag[...]
-
Page 659
1-8 # Enable the function of processing flu sh messages received from VLAN 1 on GigabitEthernet 1/0/2. <SwitchC> smart-link flush enable control-vlan 1 port GigabitEthernet 1/0/2 3) Enable the function of processing flush me ssages received from VLAN 1 on Swi tch D. # Enter system view . <SwitchD> system-view # Enable the function of pr[...]
-
Page 660
2-1 2 Monitor Link Configuration Introduction to Monitor Link Monitor Link is a collaborat ion scheme introduced to compleme nt for Smart Link. It is used to monitor uplink and to perfect the backup fun ction of Smart Link. A monitor Li nk consist s of an uplink port and on e or multiple downlink port s. When the link fo r the uplink port of a Moni[...]
-
Page 661
2-2 How Monitor Link Works Figure 2-2 Network diagram for a Monitor Link group implem ent ation BLOC K Switch A Switch B GE 1/ 0 / 1 GE1 / 0/ 2 Switc h C Switc h D Switch E GE1 /0/1 GE1 /0/2 GE 1/ 0 / 3 G E 1/ 0/1 GE 1/ 0/ 2 GE1/0/ 3 GE 1/ 0/ 11 GE 1/ 0/ 12 As shown in Figure 2-2 , the devices S witch C and Switch D are con nected to the uplink dev[...]
-
Page 662
2-3 Configuring Monitor Link Before configuring a Monitor Link grou p, you mu st create a Monitor Link group and configure member ports for it. A Monitor Link gro up consists of an uplin k port and one or multipl e downlink port s. The uplink port can be a manually-co nfigured or static LACP lin k aggregation group, an Ethernet po rt, or a Smart Li[...]
-
Page 663
2-4 To do… Use the command… Remarks Configure the specified link aggregation group as the uplink port of the Monitor Link group link-aggregation group group-id uplink Configure the specified Smart Link group as the uplink port of the Monitor Link group smart-link group group-id uplink Monitor Link group view port interface-type interface-number[...]
-
Page 664
2-5 z A Smart Link/Monitor Link group with members cannot be deleted. A Smart Link group as a Monitor Link group member ca nnot be deleted. z The Smart Link/Monitor Link fun ction and the remote port mirrori ng function are incompatible with each other. z If a single port is specified as a Smart Li nk /Monitor Link group me mber, do not use the lac[...]
-
Page 665
2-6 Figure 2-3 Network diagram for Monitor Link configuration BLOC K Swi tc h A Swi tc h B GE1 / 0/1 GE 1 / 0 / 2 Sw i tch C Switch D Sw itch E GE1 / 0 / 1 GE1 / 0 / 2 GE1 / 0/3 Se r ver GE 1/ 0/ 2 GE 1/ 0/ 2 GE 1/ 0/ 1 GE1 /0/ 1 GE1 /0/ 3 GE 1/ 0/ 11 GE1/ 0/ 10 PC 1 PC 4 PC 3 PC 2 Configuration procedure 1) Enable Smart Link on S witch A and Switc[...]
-
Page 666
2-7 2) Enable Monitor Link on Switch C and Switch D and enable the function of proces sing flush messages received from VLAN 1. Perform the fo llowing configu ration on Switch C. The operation procedure on Switch D is the same a s that performe d on Switch C. # Enter system view . <SwitchC> system-view # Create Monitor Link group 1 and ente r[...]
-
Page 667
i Table of Contents 1 PoE Confi guration ············································································································ ························· 1-1 PoE Overview ············[...]
-
Page 668
1-1 1 PoE Configuration When configuring PoE, go to these secti ons fo r inform ation you are interested in: z PoE Overview z PoE Configuration z PoE Configuration Example The terms switching engine and Ethernet switch u sed throughout this documentation ref er to a switching device in a ge neric sense or the swit ching engine of a unified swit ch [...]
-
Page 669
1-2 PoE Features Supported by the Device Table 1-1 Power supply param eters of PoE device Device Input power supply Number of electrical ports supplying power Maximum PoE distance Maximum power provided by each electrical port Total Maximum PoE output power DC input 600 W WX3024 AC input 24 100 m (328.08 ft.) 25 W 370 W WX3010 DC in put 8 100 m (32[...]
-
Page 670
1-3 Task Remarks Enabling the PoE Feature on a Port Required Setting the Maximum Output Power on a Port Optional Setting PoE Management Mode and PoE Priority of a Port Optional Setting the PoE Mode on a Port Optional Configuring the PD Compatibility Detection Function Optional Upgrading the PSE Processing Software Online Optional Displaying and Mai[...]
-
Page 671
1-4 Setting PoE Management Mode a nd PoE Priority of a Port When the device is close to it s full load in suppl ying power , you can adjust the power supply of the device through the cooperation of the PoE mana gement mode and the po rt PoE priority settings. The device support s two PoE manageme nt modes, auto and manual. The auto mo de is adopted[...]
-
Page 672
1-5 To do… Use the command… Remarks Set the PoE mode on the port to signal poe mode signal Optional signal by default. Configuring the PD Compat ibility Detection Function After the PD com patibility detection function is enabled, the devi ce can det ect the PDs that do not conform to the 802.3af sta ndard and supply power to them. After the Po[...]
-
Page 673
1-6 z In the case that the PSE processi ng software is damaged (that is, no PoE command can be executed successfully), use the full upd ate mode to upgrade and thus restore th e software. z The refresh update mode is to upgrade the original processing software in the PSE through refreshing the software, while the full update mode i s to delete the [...]
-
Page 674
1-7 Figure 1-1 Network diagram for PoE Sw it ch A Net w or k GE 1/ 0 / 2 GE1 /0/ 1 GE1 / 0/ 8 Sw it ch B AP AP Configuration procedure # Upgrade the PSE processing software online. <SwitchA> system-view [SwitchA] poe update refresh 0290_021.s19 # Enable the PoE feature on GigabitEthernet 1/0/ 1, and set the PoE maximum output p ower of Gigabi[...]
-
Page 675
2-1 2 PoE Profile Configuration Introduction to PoE Profile On a large-sized network or a n etwork with mobil e u sers, to help netwo rk admi nistrators to monitor the PoE features of the device, the dev ice provides the PoE profile featur es. A PoE profile is a set of PoE configurations, including multiple PoE features. Features of PoE profile: z [...]
-
Page 676
2-2 To do… Use the command… Remarks In system vie w apply poe-profile profile-n ame interface interface-type interface-number [ to interface-type interface-number ] Enter Ethernet port view interface interface-type interface-number Apply the existing PoE profile to the specified Ethernet port In Ethernet port view Apply the existing PoE profile[...]
-
Page 677
2-3 PoE Profile Configuration Example PoE Profile Application Example Network requirements As shown in Figure 2-1 , Switch A supports PoE. GigabitEthernet 1/0/1 through GigabitEthernet 1/0/10 of Switch A are used by users of group A, who have the following requirem ent s: z The PoE function can be enabled on all port s in use. z Signal mode is used[...]
-
Page 678
2-4 [SwitchA-poe-profile-Profile1] poe enable [SwitchA-poe-profile-Profile1] poe mode signal [SwitchA-poe-profile-Profile1] poe priority critical [SwitchA-poe-profile-Profile1] poe max-power 3000 [SwitchA-poe-profile-Profile1] quit # Display detailed configu r ation inform ation for Profile1. [SwitchA] display poe-profile name Profile1 Poe-profile:[...]
-
Page 679
i Table of Contents 1 IP Routing Prot ocol Overview ································································································· ················· 1-1 Introduction to IP Rout e and Routin g Table ·········?[...]
-
Page 680
ii Filters ························································································································ ······················· 4-1 IP Route Policy Conf iguration Task List···?[...]
-
Page 681
1-1 1 IP Routing Protocol Overview Go to these sections for information you are inte re sted in: z Introduction to IP Route and Routing Ta ble z Routing Protocol Overview z Displaying and Maintaining a Routing T a ble The term router in this cha pter refers to a router in a g eneric sense or a WX3000 serie s device running a routing protocol. Intro[...]
-
Page 682
1-2 host or router resides. For exam ple, if the destination address is 129.102.8.10 and the mask is 255.255.0.0, the address of the network segment where the desti nation ho st or router resides is 129.102.0.0. A mask consists of some consec utive 1s, represented either in dotted de cimal notation or by the number of t he consecutive 1s in the mas[...]
-
Page 683
1-3 Routing Protocol Overview Static Routing and Dynamic Routing S t atic routing is easy to configu re and requires le s s system resourc es. It works well in s mall, st able networks with simple topolo gies. It cannot adapt itse lf to any network topology ch ange automatically so that you must perform routing configu rati on again whenever the ne[...]
-
Page 684
1-4 each routing protocol (including st atic routes) is assigned a pri ority . The route found by the routing protocol with the highest priority is preferred. The following t able list s some routin g protocol s an d the default priorities for routes found by them: Table 1-1 Routing protocols and priorities of their d efault route Routing approach [...]
-
Page 685
1-5 routing information. Each routin g protocol shares routin g information discovered by oth er routing protocols through a route redist ribution mechanism. Displaying and Maintaining a Routing Table To do… Use the command… Remarks Display brief information about a routing table display ip routing-table [ | { begin | exclude | include } regula[...]
-
Page 686
2-1 2 Static Route Configuration When configuring a st atic route, go to these sections for information you are interested in: z Introduction to Static Route z Static Route Configuration z Displaying and Mainta ining Static Routes z Static Route Configuration Example z Troubleshooting a Static Route The term router in this cha pter refers to a rout[...]
-
Page 687
2-2 Default Route T o avoid too large a routing table, you can configure a default ro ute. When the destination address of a p acket fails to match any entry in the routing t able, z If there is default route in the routing table, the default route will be selected to forward the packet. z If there is no default route, the packet will be di scarded[...]
-
Page 688
2-3 Displaying and Maintaining Static Routes To do... Use the command... Remarks Display the current configuration information display current-configuration Display the brief information of a routing table display ip routing-table Display the detailed information of a routing table display ip routing-table verbose Display the information of static [...]
-
Page 689
2-4 Configuration procedure When only one interface of the device is interc onnected with another network se gment, you can implement network communication by configuri ng either a static route or default route. 1) Perform the following conf igurations on the device. # Approach 1: Configure static routes on Switch A. <SwitchA> system-view [Sw[...]
-
Page 690
3-1 3 RIP Configuration When configuring RIP , go to these secti ons for information you are intere sted in: z RIP Overview z RIP Configuration Task List z RIP Configuration Example z Troubleshooting RIP Configuration The term router in this cha pter refers to a router in a g eneric sense or a WX3000 serie s device running a routing protocol. RIP O[...]
-
Page 691
3-2 z Interface: Outbound interface on thi s router, th rough which IP packets shoul d be forwarded to reach the destination. z Metric: Cost from the local router to the destination. z Route time: Time elapsed si nce the routing entry was last updated. T he time is reset to 0 every time the routing entry is updated. RIP timers As defined in RFC 105[...]
-
Page 692
3-3 RIP Configuration Task List Complete the following tasks to configure RIP: Task Remarks Enabling RIP on the interfaces attached to a spe cified network segment Req uired Setting the RIP operating status on an interface Optional Configuring Basic RIP Functions Specifying the RIP version on an interface Optional Setting the additional routing met[...]
-
Page 693
3-4 z Related RIP commands configured in interfa ce view can take effect only after RIP is enabled. z RIP operates on the interfaces attached to a spe cified netwo rk segment. Whe n RIP is disabled o n an interface, it does not operate on the interface, that is, it neit her receives/sends routes on the interface, nor forwards any interface route. T[...]
-
Page 694
3-5 z Set the preference of RIP to change the preference ord er of routing protocols. This orde r makes sense when more th an one route to the same des tination is d iscovered by multiple routing protocols. z Redistribute external route s in an envi ro n ment with multiple ro uting protocols. Configuration Prerequisites Before configuring RIP route[...]
-
Page 695
3-6 Follow these steps to co nfigur e RIP route summarizat ion: To do... Use the command... Remarks Enter syste m view system-v iew — Enter RIP view rip — Enable RIP-2 automatic route summarization summary Required Enabled by default Disabling the router from receiving host routes In some special cases, the router can re ceive a lot of host rou[...]
-
Page 696
3-7 z The filter-polic y import command filters the RIP ro utes receiv ed from neigh bors, and the ro utes being filtered out will neither be added to the routing table no r be advertised to any neighbors. z The filter-policy export command filters all the routes to be advertised, including the routes redistributed with the import-route command and[...]
-
Page 697
3-8 Configuration Prerequisites Before adjusting RIP , perform the following tasks: z Configuring the network l ayer addresses of interfaces so that adjace nt nodes are reachable to each other at the network layer z Configuring basi c RIP functions Configuration Tasks Configuring RIP timers Follow these steps to co nfigure RIP timers: To do... Use [...]
-
Page 698
3-9 To do... Use the command... Remarks Enter syste m view system-v iew — Enter RIP view rip — Enable the check of the must be zero field in RIP-1 packets checkzero Required Enabled by default Some fields in a RIP-1 packet mu st be 0, and they are known a s must be zero field. For RIP-1, the must be zero field is checked for incoming packets, a[...]
-
Page 699
3-10 To do... Use the command... Remarks Configure RIP to unicast RIP packets peer ip-address Required When RIP runs on the link that does not support b roadcast or multicast, you must configure RIP to unicast RIP packets. Displaying and Maintaining RIP Configuration To do... Use the command... Remarks Display the current RIP running status and con[...]
-
Page 700
3-11 Configuration procedure Only the configuration related to RIP is listed below. Before the follo wing configuration, make sure the Ethernet link layer works normally and the IP addres se s of VLAN interfaces are configured correctly. 1) Configure Switch A: # Configure RIP . <SwitchA> system-view [SwitchA] rip [SwitchA-rip] network 110.11.[...]
-
Page 701
4-1 4 IP Route Policy Configuration When configuring an IP route policy , go to thes e sections for inform ation you are intere sted in: z IP Route Policy Overview z IP Route Policy Configuration Task List z Displaying and Maintaining IP Route Policy z IP Route Policy Configuration Example z Troubleshooting IP Route Policy The term router in this c[...]
-
Page 702
4-2 For ACL configuration, refer to the p art discussing ACL. Route policy A route policy is used to match some attributes with given routing information and the attributes of the information will be set if the conditions are satisfied. A route poli cy can comprise multiple nodes. Each no de is a unit for matching test, and the no des will be match[...]
-
Page 703
4-3 z Match conditions z Route attributes to be changed Defining a Route Policy Follow these steps to defin e a route p olicy: To do... Use the command... Remarks Enter syste m view system-v iew — Define a route policy and enter the route policy view route-policy route-policy-n ame { permit | deny } node node-n umber Required Not defined by defau[...]
-
Page 704
4-4 To do... Use the command... Remarks Define a rule to match the next-hop address of routing information if-match ip next-hop acl acl-number Optional By default, no matching is performed on the next-hop address of routing information. Apply a cost to routes satisfying matching rules apply cost value Optional By default, no cost is applied to rout[...]
-
Page 705
4-5 Figure 4-1 Network diagram Device Interface IP address Switch A Vlan-int 2 2.2.2.1/8 Vlan-int 3 3.3.3.254/8 Vlan-int 10 1.1.1.254/8 Switch B Vlan-int 3 3.3.3.253/8 Vlan-int 6 6.6.6.5/8 Vlan-int 10 1.1.1.253/8 Switch C Vlan-int 1 192.168.0.39/24 Vlan-int 2 2.2.2.2/8 Vlan-int 6 6.6.6.6/8 OA Server 1.1.1.1/32 Service Server 3.3.3.3/32 Host 192.168[...]
-
Page 706
4-6 [SwitchA-rip] network 2.0.0.0 [SwitchA-rip] network 3.0.0.0 2) Configure Switch B. # Create VLANs and co nfigure IP addresse s for the VLAN interfaces. The conf iguration procedure is omitted. # Configure RIP . <SwitchB> system-view [SwitchB] rip [SwitchB-rip] network 1.0.0.0 [SwitchB-rip] network 3.0.0.0 [SwitchB-rip] network 6.0.0.0 3) [...]
-
Page 707
4-7 # Create node 40 with the matching mode bein g permit in the route policy . Define if-match clauses. Apply the cost 5 to routes matching the outgoi n g interface VLAN-in terface 6 and ACL 2001. [SwitchC] route-policy in permit node 40 [SwitchC-route-policy] if-match interface Vlan-interface6 [SwitchC-route-policy] if-match acl 2001 [SwitchC-rou[...]
-
Page 708
4-8 Precautions 1) When you configure the apply cost co mmand in a route policy: z The new cost should be greater than the original one to prevent RIP from generati ng routing loop in the case that a loop exists in the topology. z The cost will become 16 if you try to set it to a value greater than 16. z The cost will become the original one if you[...]
-
Page 709
i Table of Contents 1 UDP Helper C onfigurat ion ························································································································ 1-1 Introduction to UDP Helper ··············?[...]
-
Page 710
1-1 1 UDP Helper Configuration When configuring UDP helper , go to these sections for information you are intere sted in: z Introduction to UDP Helper z Configuring UDP Helper z Displaying and Maintaining UDP Helper z UDP Helper Configuration Example Introduction to UDP Helper Sometimes, a host needs to forward broadcast s to obt ain network config[...]
-
Page 711
1-2 Protocol UDP port number Time Service 37 Configuring UDP Helper Follow these steps to co nfigure UDP He lper: To do… Use the command… Remarks Enter syst e m view system-vie w — Enable UDP Helper udp-helper enable Required Disabled by default. Specify a UDP port number udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs [...]
-
Page 712
1-3 Displaying and Maintaining UDP Helper To do… Use the command… Remarks Display the UD P broadcast r elay forwarding information of a specified VLAN interface on the device display udp-helper server [ interface vlan-interface vlan-id ] Available in any view Clear statistics about packets forwarded by UDP Helper reset udp-helper packet Availab[...]
-
Page 713
i Table of Contents Appendix A Acronyms ············································································································ ···················· A-1[...]
-
Page 714
A-1 Appendix A Acronyms A AAA Authentication, Authorization and Accounting ABR Area Border Router ACL Access Control List ARP Address Resolution Protocol AS Autonomous System ASBR Autonomous System Border Router B BDR Backup Designated Router C CAR Committed Access Rate CLI Command Line Interface CoS Class of Service D DDM Distributed Device Manage[...]
-
Page 715
A-2 L LSA Link State Advertisement LSDB Link State Da taBase M MAC Medium Access Control MIB Management Information B ase N NBMA Non Broadca st MultiAcc ess NIC Network Information Center NMS Network Management System NVRAM Nonvolatile RAM P PIM Protocol Independent Multi cast PIM-DM Protocol Independent Multicast-Dense Mode PIM-SM Protocol Indepen[...]