3Com 4500 manual

A good user manual

The rules oblige the retailer to supply the buyer with the manual together with the 3Com 4500 product. The absence of a manual, or incorrect information given to the consumer, is grounds for a complaint that the product does not conform to the contract. Under the law, the manual may be supplied in a form other than paper, which is frequently done by attaching a graphical or electronic manual or 3Com 4500 instructional videos for users. The condition is that it be in a legible and understandable form.

What is an instruction manual?

The word comes from the Latin "instructio", meaning to instruct. So in the 3Com 4500 manual you can find a description of the stages of the process. The purpose of the manual is to instruct, to ease the start-up and use of the equipment, or the execution of specific tasks. The manual is a collection of information about the object or service; a guide.

Unfortunately, few users take the time to read the 3Com 4500 manual, and a good manual not only lets you get to know a number of additional features of the device but also prevents most failures from occurring.

So what should the perfect manual contain?

First of all, the 3Com 4500 manual should contain:
- technical data of the 3Com 4500 device
- name of the manufacturer and year of manufacture of the 3Com 4500 device
- instructions for use, adjustment and maintenance of the 3Com 4500 device
- safety signs and certificates confirming compliance with the relevant standards

Why don't people read manuals?

Usually this is due to a lack of time and to confidence about the specific functionality of the purchased device. Unfortunately, simply connecting and starting up the 3Com 4500 is not enough. The manual contains a series of guidelines on specific functionality, safety, maintenance methods (including which products should be used), possible 3Com 4500 defects and ways to solve common problems during use. Finally, the manual gives the contact details of 3Com service in case the proposed solutions do not work. Nowadays, manuals in the form of engaging animations and instructional videos are highly appreciated, as they speak to the user better than a leaflet does. This type of manual gives the user a chance to go through the whole instructional video without skipping the complicated 3Com 4500 specifications and technical descriptions, as happens with the paper version.

Why read manuals?

First of all, they contain the answers about the construction and capabilities of the 3Com 4500 device, the use of individual accessories and a range of information for fully enjoying all of its features and conveniences.

After successfully purchasing a piece of equipment or device, it is worth taking a moment to familiarise yourself with every part of the 3Com 4500 manual. Nowadays they are carefully prepared and translated so that they are not only understandable to users but also fulfil their basic informational function.

Manual index

  • Page 1

    3Com Switch 4500 Family Configuration Guide Switch 4500 26-Port Switch 4500 50-Port Switch 4500 PWR 26-Port Switch 4500 PWR 50-Port Product Version: V03.03.00 Manual Version: 6W101-20090811 www.3com.com 3Com Corporation 350 Campus Drive, Marlborough, MA, USA 01752 3064[...]

  • Page 2

    Copyright © 2006-2009, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation. 3Com Corporation reserves the right to revise this documentation a[...]

  • Page 3

    About This Manual Organization 3Com Switch 4500 Family Configuration Guide is organized as follows: Part Contents 1 Login Introduces the ways to log into an Ethernet switch and CLI related configuration. 2 Configuration File Management Introduces configuration file and the related configuration. 3 VLAN Introduces VLAN and related configuration[...]

  • Page 4

    Part Contents 27 UDP Helper Introduces UDP helper and the related configuration. 28 SNMP-RMON Introduces the configuration for network management through SNMP and RMON 29 NTP Introduces NTP and the related configuration. 30 SSH Introduces SSH2.0 and the related configuration. 31 File System Management Introduces basic configuration for file sy[...]

  • Page 5

    GUI conventions Convention Description < > Button names are inside angle brackets. For example, click <OK>. [ ] Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window. / Multi-level menus are separated by forward slashes. For example, [File/Create/Folder]. Symbols Co[...]

  • Page 6

    i Table of Contents 1 Logging In to an Ethernet Switch ... 1-1 Logging In to an Ethernet Switch ...[...]

  • Page 7

    ii Switch Configuration ... 4-2 Modem Connection Establishment ...[...]

  • Page 8

    1-1 1 Logging In to an Ethernet Switch Go to these sections for information you are interested in: • Logging In to an Ethernet Switch • Introduction to the User Interface Logging In to an Ethernet Switch To manage or configure a Switch 4500, you can log in to it in one of the following three methods: • Command Line Interface • Web-based Network [...]

  • Page 9

    1-2 Table 1-1 Description on user interface User interface Applicable user Port used Remarks AUX Users logging in through the console port Console port Each switch can accommodate one AUX user. VTY Telnet users and SSH users Ethernet port Each switch can accommodate up to five VTY users. One user interface corresponds to one user interface view,[...]

  • Page 10

    1-3 Common User Interface Configuration Follow these steps to configure common user interface: To do… Use the command… Remarks Lock the current user interface lock Optional Available in user view A user interface is not locked by default. Specify to send messages to all user interfaces/a specified user interface send { all | number | type [...]

  • Page 11

    2-1 2 Logging In Through the Console Port Go to these sections for information you are interested in: • Introduction • Setting Up a Login Environment for Login Through the Console Port • Console Port Login Configuration • Console Port Login Configuration with Authentication Mode Being None • Console Port Login Configuration with Authentication[...]

  • Page 12

    2-2 2) If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP. The following assumes that you are running Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4 for the connection to be created. Normal[...]

  • Page 13

    2-3 Figure 2-4 Set port parameters 3) Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt appears after you press the Enter key. 4) You can then configure the switch or check the information about the switch by executing the corresponding commands. You can[...]

  • Page 14

    2-4 Configuration Remarks Set the maximum number of lines the screen can contain Optional By default, the screen can contain up to 24 lines. Set history command buffer size Optional By default, the history command buffer can contain up to 10 commands. Set the timeout time of a user interface Optional The default timeout time is 10 minutes. The chan[...]

  • Page 15

    2-5 To do… Use the command… Remarks Set the maximum number of lines the screen can contain screen-length screen-length Optional By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages. Set the history command buffer size history-command max-size value O[...]

  • Page 16

    2-6 Changes made to the authentication mode for console port login take effect after you quit the command-line interface and then log in again. Console Port Login Configuration with Authentication Mode Being None Configuration Procedure Follow these steps to configure console port login with the authentication mode being none: To do… Use t[...]

  • Page 17

    2-7 Network diagram Figure 2-5 Network diagram for AUX user interface configuration (with the authentication mode being none) Configuration PC running Telnet Ethernet GE1/0/1 Configuration procedure # Enter system view. <Sysname> system-view # Enter AUX user interface view. [Sysname] user-interface aux 0 # Specify not to authenticate u[...]

  • Page 18

    2-8 To do… Use the command… Remarks Enter system view system-view — Enter AUX user interface view user-interface aux 0 — Configure to authenticate users using the local password authentication-mode password Required By default, users logging in to a switch through the console port are not authenticated; while those logging in through Mode[...]

  • Page 19

    2-9 <Sysname> system-view # Enter AUX user interface view. [Sysname] user-interface aux 0 # Specify to authenticate users logging in through the console port using the local password. [Sysname-ui-aux0] authentication-mode password # Set the local password to 123456 (in plain text). [Sysname-ui-aux0] set authentication password simple 123[...]

  • Page 20

    2-10 To do… Use the command… Remarks Enter the default ISP domain view domain domain-name Specify the AAA scheme to be applied to the domain scheme { local | none | radius-scheme radius-scheme-name [ local ] } Configure the authentication mode Quit to system view quit Optional By default, the local AAA scheme is applied. If you specify to ap[...]

  • Page 21

    2-11 • Set the service type of the local user to Terminal and the command level to 2. • Configure to authenticate the users in the scheme mode. • The baud rate of the console port is 19,200 bps. • The screen can contain up to 30 lines. • The history command buffer can store up to 20 commands. • The timeout time of the AUX user interface is 6 min[...]

  • Page 22

    2-12 [Sysname-ui-aux0] history-command max-size 20 # Set the timeout time of the AUX user interface to 6 minutes. [Sysname-ui-aux0] idle-timeout 6 After the above configuration, you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 2-4 to log in to the switch successf[...]

  • Page 23

    3-1 3 Logging In Through Telnet Go to these sections for information you are interested in: • Introduction • Telnet Configuration with Authentication Mode Being None • Telnet Configuration with Authentication Mode Being Password Introduction Switch 4500 supports Telnet. You can manage and maintain a switch remotely by Telnetting to the switch[...]

  • Page 24

    3-2 Configuration Description Configure the protocols the user interface supports Optional By default, Telnet and SSH protocol are supported. Set the commands to be executed automatically after a user logs in to the user interface successfully Optional By default, no command is executed automatically after a user logs into the VTY user interface. M[...]

  • Page 25

    3-3 To do… Use the command… Remarks Set the history command buffer size history-command max-size value Optional The default history command buffer size is 10, that is, the history command buffer of a user can store up to 10 commands by default. Set the timeout time of the VTY user interface idle-timeout minutes [ seconds ] Optional The default[...]

  • Page 26

    3-4 To improve security and prevent attacks to the unused Sockets, TCP 23 and TCP 22, ports for Telnet and SSH services respectively, will be enabled or disabled after corresponding configurations. • If the authentication mode is none, TCP 23 will be enabled, and TCP 22 will be disabled. • If the authentication mode is password, and the corre[...]

  • Page 27

    3-5 Network diagram Figure 3-1 Network diagram for Telnet configuration (with the authentication mode being none) Configuration procedure # Enter system view. <Sysname> system-view # Enter VTY 0 user interface view. [Sysname] user-interface vty 0 # Configure not to authenticate Telnet users logging in to VTY 0. [Sysname-ui-vty0] authen[...]

  • Page 28

    3-6 When the authentication mode is password, the command level available to users logging in to the user interface is determined by the user privilege level command. Configuration Example Network requirements Assume the current user logs in through the console port and the current user level is set to the administrator level (level 3). Perform the[...]

  • Page 29

    3-7 Telnet Configuration with Authentication Mode Being Scheme Configuration Procedure Follow these steps to configure Telnet with the authentication mode being scheme: To do… Use the command… Remarks Enter system view system-view — Enter one or more VTY user interface views user-interface vty first-number [ last-number ] — Configu[...]

  • Page 30

    3-8 Refer to the AAA part of this manual for information about AAA, RADIUS. Configuration Example Network requirements Assume the current user logs in through the console port and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in to VTY 0 using Telnet. • Configure the local user name[...]

  • Page 31

    3-9 # Set the maximum number of lines the screen can contain to 30. [Sysname-ui-vty0] screen-length 30 # Set the maximum number of commands the history command buffer can store to 20. [Sysname-ui-vty0] history-command max-size 20 # Set the timeout time to 6 minutes. [Sysname-ui-vty0] idle-timeout 6 Telnetting to a Switch Telnetting to a Switch f[...]

  • Page 32

    3-10 Figure 3-5 Network diagram for Telnet connection establishment Configuration PC running Telnet Ethernet Workstation Server Workstation Ethernet port Ethernet Switch 4) Launch Telnet on your PC, with the IP address of VLAN-interface 1 of the switch as the parameter, as shown in Figure 3-6. Figure 3-6 Launch Telnet 5) If the password authe[...]

  • Page 33

    3-11 Telnetting to another Switch from the Current Switch You can Telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure the IP addresses of the two manag[...]

  • Page 34

    4-1 4 Logging In Using a Modem Go to these sections for information you are interested in: • Introduction • Configuration on the Switch Side • Modem Connection Establishment Introduction The administrator can log in to the console port of a remote switch using a modem through public switched telephone network (PSTN) if the remote switch is conn[...]

  • Page 35

    4-2 You can verify your configuration by executing the AT&V command. The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration. Switch Configuration After logging in to a switch through its console port by using a modem, you will enter the AU[...]

  • Page 36

    4-3 Figure 4-1 Establish the connection by using modems Console port PSTN Telephone line Modem serial cable Telephone number of the remote end: 82882285 Modem Modem 4) Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 4-2 through Figure 4-4. Note tha[...]

  • Page 37

    4-4 Figure 4-3 Set the telephone number Figure 4-4 Call the modem 5) If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt (such as <Sysname>) appears. You can then configure or manage the switch. You can also enter the character ? at any time for help. Refer to the rela[...]

  • Page 38

    5-1 5 CLI Configuration When configuring CLI, go to these sections for information you are interested in: • Introduction to the CLI • Command Hierarchy • CLI Views • CLI Features Introduction to the CLI A command line interface (CLI) is a user interface to interact with a switch. Through the CLI on a switch, a user can enter commands to configure[...]

  • Page 39

    5-2 • Monitor level (level 1): Commands at this level are mainly used to maintain the system and diagnose service faults, and they cannot be saved in configuration file. Such commands include debugging and terminal. • System level (level 2): Commands at this level are mainly used to configure services. Commands concerning routing and network [...]

  • Page 40

    5-3 To do… Use the command… Remarks Enter system view system-view — Configure the level of a command in a specific view command-privilege level level view view command Required • You are recommended to use the default command level or modify the command level under the guidance of professional staff; otherwise, the change of command leve[...]

  • Page 41

    5-4 To avoid misoperations, the administrators are recommended to log in to the device by using a lower privilege level and view device operating parameters, and when they have to maintain the device, they can switch to a higher level temporarily; when the administrators need to leave for a while or ask someone else to manage the device tem[...]

  • Page 42

    5-5 To do… Use the command… Remarks Switch to a specified user level super [ level ] Required Execute this command in user view. • If no user level is specified in the super password command or the super command, level 3 is used by default. • For security purpose, the password entered is not displayed when you switch to another user level. Yo[...]

  • Page 43

    5-6 Table 5-1 CLI views View Available operation Prompt example Enter method Quit method User view Display operation status and statistical information of the switch <Sysname> Enter user view once logging into the switch. Execute the quit command to log out of the switch. System view Configure system parameters [Sysname] Execute the system-vi[...]

  • Page 44

    5-7 View Available operation Prompt example Enter method Quit method FTP client view Configure FTP client parameters [ftp] Execute the ftp command in user view. SFTP client view Configure SFTP client parameters sftp-client> Execute the sftp command in system view. MST region view Configure MST region parameters [Sysname-mst-region] Execute the[...]

  • Page 45

    5-8 View Available operation Prompt example Enter method Quit method RADIUS scheme view Configure RADIUS scheme parameters [Sysname-radius-1] Execute the radius scheme command in system view. ISP domain view Configure ISP domain parameters [Sysname-isp-aaa123.net] Execute the domain command in system view. Remote-ping test group view Configure re[...]

  • Page 46

    5-9 cd Change current directory clock Specify the system clock cluster Run cluster command copy Copy from one file to another debugging Enable system debugging functions delete Delete a file dir List files on a file system display Display current system information <Other information is omitted> 2) Enter a command, a space, and a question ma[...]

  • Page 47

    5-10 Table 5-2 Display-related operations Operation Function Press <Ctrl+C> Stop the display output and execution of the command. Press any character except <Space>, <Enter>, /, +, and - when the display output pauses Stop the display output. Press the space key Get to the next page. Press <Enter> Get to the next line. Comm[...]

  • Page 48

    5-11 Table 5-3 Common error messages Error message Remarks Unrecognized command The command does not exist. The keyword does not exist. The parameter type is wrong. The parameter value is out of range. Incomplete command The command entered is incomplete. Too many parameters The parameters entered are too many. Ambiguous command The parameters en[...]

  • Page 49

    6-1 6 Logging In Through the Web-based Network Management Interface Go to these sections for information you are interested in: • Introduction • Establishing an HTTP Connection • Configuring the Login Banner • Enabling/Disabling the WEB Server Introduction Switch 4500 has a Web server built in. It enables you to log in to Switch 4500 through a We[...]

  • Page 50

    6-2 3) Establish an HTTP connection between your PC and the switch, as shown in Figure 6-1. Figure 6-1 Establish an HTTP connection between your PC and the switch 4) Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the ad[...]

  • Page 51

    6-3 Configuration Example Network requirements • A user logs in to the switch through Web. • The banner page is desired when a user logs into the switch. Network diagram Figure 6-3 Network diagram for login banner configuration Configuration Procedure # Enter system view. <Sysname> system-view # Configure the banner Welcome to be displa[...]

  • Page 52

    6-4 To do… Use the command… Remarks Enter system view system-view — Enable the Web server ip http shutdown Required By default, the Web server is enabled. Disable the Web server undo ip http shutdown Required To improve security and prevent attack to the unused Sockets, TCP 80 port (which is for HTTP service) is enabled/disabled after th[...]

  • Page 53

    7-1 7 Logging In Through NMS Go to these sections for information you are interested in: • Introduction • Connection Establishment Using NMS Introduction You can also log in to a switch through a Network Management Station (NMS), and then configure and manage the switch through the agent software on the switch. Simple Network Management Pr[...]

  • Page 54

    8-1 8 Configuring Source IP Address for Telnet Service Packets Go to these sections for information you are interested in: • Overview • Configuring Source IP Address for Telnet Service Packets • Displaying Source IP Address Configuration Overview You can configure source IP address or source interface for the Telnet server and Telnet client[...]

  • Page 55

    8-2 Operation Command Description Specify a source interface for Telnet server telnet-server source-interface interface-type interface-number Optional Specify source IP address for Telnet client telnet source-ip ip-address Optional Specify a source interface for Telnet client telnet source-interface interface-type interface-number Optional To per[...]

  • Page 56

    9-1 9 User Control Go to these sections for information you are interested in: • Introduction • Controlling Telnet Users • Controlling Network Management Users by Source IP Addresses • Controlling Web Users by Source IP Address Refer to the ACL part for information about ACL. Introduction You can control users logging in through Telnet, SNMP an[...]

  • Page 57

    9-2 • If no ACL is configured on the VTY user interface, users are not controlled when establishing a Telnet connection using this user interface. • If an ACL is configured on the VTY user interface, there will be two possibilities: if the packets for establishing a Telnet connection match the ACL rule configured on the VTY user interface, the c[...]

  • Page 58

    9-3 To do… Use the command… Remarks Apply a basic or advanced ACL to control Telnet users acl acl-number { inbound | outbound } Apply an ACL to control Telnet users by ACL Apply a Layer 2 ACL to control Telnet users acl acl-number inbound Required Use either command • The inbound keyword specifies to filter the users trying to Telnet to th[...]

  • Page 59

    9-4 • Defining an ACL • Applying the ACL to control users accessing the switch through SNMP To control whether an NMS can manage the switch, you can use this function. Prerequisites The controlling policy against network management users is determined, including the source IP addresses to be controlled and the controlling actions (permitting[...]

  • Page 60

    9-5 Network diagram Figure 9-2 Network diagram for controlling SNMP users using ACLs Switch 10.110.100.46 Host A IP network Host B 10.110.100.52 Configuration procedure # Define a basic ACL. <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [Sysname-acl-basic-2000] quit # Apply the [...]

  • Page 61

    9-6 To do… Use the command… Remarks Enter system view system-view — Create a basic ACL or enter basic ACL view acl number acl-number [ match-order { config | auto } ] As for the acl number command, the config keyword is specified by default. Define rules for the ACL rule [ rule-id ] { deny | permit } [ rule-string ] Required Quit to system[...]

  • Page 62

    9-7 [Sysname-acl-basic-2030] quit # Apply ACL 2030 to only permit the Web users sourced from the IP address of 10.110.100.52 to access the switch. [Sysname] ip http acl 2030[...]

  • Page 63

    i Table of Contents 1 Configuration File Management ... 1-1 Introduction to Configuration File ...[...]

  • Page 64

    1-1 1 Configuration File Management When configuring configuration file management, go to these sections for information you are interested in: • Introduction to Configuration File • Configuration Task List Introduction to Configuration File A configuration file records and stores user configurations performed to a switch. It also enables user[...]

  • Page 65

    1-2 • When saving the current configuration, you can specify the file to be a main or backup or normal configuration file. • When removing a configuration file from a switch, you can specify to remove the main or backup configuration file. Or, if it is a file having both main and backup attribute, you can specify to erase the main or backup attri[...]

  • Page 66

    1-3 When you use the save safely command to save the configuration file, if the switch reboots or the power fails during the saving process, the switch initializes itself in the following two conditions when it starts up next time: • If a configuration file with the extension .cfg exists in the Flash, the switch uses the configuration file [...]

  • Page 67

    1-4 To do… Use the command… Remarks Erase the startup configuration file from the storage switch reset saved-configuration [ backup | main ] Required Available in user view You may need to erase the configuration file for one of these reasons: • After you upgrade software, the old configuration file does not match the new software. • The star[...]

  • Page 68

    1-5 The configuration file must use .cfg as its extension name and the startup configuration file must be saved at the root directory of the switch. Displaying Switch Configuration To do… Use the command… Remarks Display the initial configuration file saved in the Flash of a switch display saved-configuration [ unit unit-id ] [ by-linenu[...]

  • Page 69

    i Table of Contents 1 VLAN Overview ... 1-1 VLAN Overview ...[...]

  • Page 70

    1-1 1 VLAN Overview This chapter covers these topics: • VLAN Overview • Port-Based VLAN VLAN Overview Introduction to VLAN The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches. Hubs and switches, which are the basic network connection devices, [...]

  • Page 71

    1-2 Figure 1-1 A VLAN implementation Advantages of VLANs Compared with the traditional Ethernet, VLAN enjoys the following advantages. • Broadcasts are confined to VLANs. This decreases bandwidth consumption and improves network performance. • Network security is improved. Because each VLAN forms a broadcast domain, hosts in different VLANs c[...]

  • Page 72

    1-3 tag is encapsulated after the destination MAC address and source MAC address to show the information about VLAN. Figure 1-3 Format of VLAN tag As shown in Figure 1-3, a VLAN tag contains four fields, including the tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID. • TPID is a 16-bit field, indicating[...]

  • Page 73

    1-4 • Independent VLAN learning (IVL), where the switch maintains an independent MAC address forwarding table for each VLAN. The source MAC address of a packet received in a VLAN on a port is recorded to the MAC address forwarding table of this VLAN only, and packets received in a VLAN are forwarded according to the MAC address forwarding t[...]

  • Page 74

    1-5 A hybrid port allows the packets of multiple VLANs to be sent untagged, but a trunk port only allows the packets of the default VLAN to be sent untagged. The three types of ports can coexist on the same device. Assigning an Ethernet Port to Specified VLANs You can assign an Ethernet port to a VLAN to forward packets for the VLAN, thus al[...]

  • Page 75

    1-6 Table 1-2 Packet processing of a trunk port Processing of an incoming packet For an untagged packet For a tagged packet Processing of an outgoing packet • If the port has already been added to its default VLAN, tag the packet with the default VLAN tag and then forward the packet. • If the port has not been added to its default VLAN, discard th[...]

  • Page 76

    2-1 2 VLAN Configuration When configuring VLAN, go to these sections for information you are interested in: • VLAN Configuration • Configuring a Port-Based VLAN VLAN Configuration VLAN Configuration Task List Complete the following tasks to configure VLAN: Task Remarks Basic VLAN Configuration Required Basic VLAN Interface Configuration Optional[...]

  • Page 77

    2-2 • VLAN 1 is the system default VLAN, which needs not to be created and cannot be removed, either. • The VLAN you created in the way described above is a static VLAN. On the switch, there are dynamic VLANs which are registered through GVRP. For details, refer to “GVRP” part of this manual. • When you use the vlan command to create VLANs, i[...]

  • Page 78

    2-3 The operation of enabling/disabling a VLAN’s VLAN interface does not influence the physical status of the Ethernet ports belonging to this VLAN. Displaying VLAN Configuration To do... Use the command... Remarks Display the VLAN interface information display interface Vlan-interface [ vlan-id ] Display the VLAN information display vlan [[...]

  • Page 79

    2-4 Assigning an Ethernet Port to a VLAN You can assign an Ethernet port to a VLAN in Ethernet port view or VLAN view. • You can assign an access port to a VLAN in either Ethernet port view or VLAN view. • You can assign a trunk port or hybrid port to a VLAN only in Ethernet port view. 1) In Ethernet port view Follow these steps to assign an E[...]

  • Página 80

    2-5 Configuring the Default VLAN for a Port Because an access port can belong to only one VLAN, it s default VLAN is the VLAN it resides in and cannot be configured. This section describes ho w to configure a default VLAN for a trunk or hybrid port. Follow these steps to co nfigur e the default VLAN for a port: To do… Use the command… Remarks E[...]

  • Página 81

    2-6 Network diagram Figure 2-1 Network diagram for VLAN configuratio n SwitchA SwitchB PC1 PC2 GE1/0/1 GE1/0/2 GE1/0/10 GE1/0/11 GE1/0/12 GE1/0/13 Server2 Server1 Configuration procedure z Configure Switch A. # Create VLAN 100, specify it s descriptive string as Dept1 , and add GigabitEthernet 1/0/1 to VLAN 100. <SwitchA> system-view [SwitchA[...]

  • Página 82

    2-7 [SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 100 [SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 200 # Configure GigabitEthernet 1/0/10 of Switch B. [SwitchB] interface GigabitEthernet 1/0/10 [SwitchB-GigabitEthernet1/0/10] port link-type trunk [SwitchB-GigabitEthernet1/0/10] port trunk permit vlan 100 [SwitchB-GigabitEthernet1/0[...]

  • Page 83

    i Table of Contents 1 IP Addressing Configuration ·················· 1-1 IP Addressing Overview ··················[...]

  • Page 84

    1-1 1 IP Addressing Configuration The term IP address used throughout this chapter refers to IPv4 address. For details about IPv6 address, refer to IPv6 Management. When configuring IP addressing, go to these sections for information you are interested in: • IP Addressing Overview • Configuring IP Addresses • Displaying IP Addressing Configurati[...]

  • Page 85

    1-2 Table 1-1 IP address classes and ranges Class Address range Remarks A 0.0.0.0 to 127.255.255.255 The IP address 0.0.0.0 is used by a host at bootstrap for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processe[...]

  • Page 86

    1-3 subnetting. When designing your network, you should note that subnetting is somewhat a tradeoff between subnets and accommodated hosts. For example, a Class B network can accommodate 65,534 (2^16 – 2) hosts. Of the two deducted Class B addresses, one with an all-ones host ID is the broadcast address and the other with an all-zero host ID is[...]

  • Page 87

    1-4 • A newly specified IP address overwrites the previous one if there is any. • The IP address of a VLAN interface must not be on the same network segment as that of a loopback interface on a device. Configuring Static Domain Name Resolution Follow these steps to configure static domain name resolution: To do… Use the command… Remarks Ente[...]

  • Page 88

    1-5 Network diagram Figure 1-3 Network diagram for IP address configuration Configuration procedure # Configure an IP address for VLAN-interface 1. <Switch> system-view [Switch] interface vlan-interface 1 [Switch-Vlan-interface1] ip address 129.2.2.1 255.255.255.0 Static Domain Name Resolution Configuration Example Network requirements The s[...]

  • Page 89

    1-6 round-trip min/avg/max = 2/3/5 ms[...]

  • Page 90

    2-1 2 IP Performance Optimization Configuration When optimizing IP performance, go to these sections for information you are interested in: • IP Performance Overview • Configuring IP Performance Optimization • Displaying and Maintaining IP Performance Optimization Configuration IP Performance Overview Introduction to IP Performance Configuration [...]

  • Page 91

    2-2 • synwait timer: When sending a SYN packet, TCP starts the synwait timer. If no response packet is received within the synwait timer interval, the TCP connection cannot be created. • finwait timer: When a TCP connection is changed into FIN_WAIT_2 state, the finwait timer is started. If no FIN packet is received within the timer timeout, the TC[...]

  • Page 92

    2-3 • If the destination of a packet is local while the transport layer protocol of the packet is not supported by the local device, the device sends a “protocol unreachable” ICMP error packet to the source. • When receiving a packet with the destination being local and the transport layer protocol being UDP, if the packet’s port number doe[...]

  • Page 93

    2-4 To do… Use the command… Remarks Display ICMP traffic statistics display icmp statistics Display the current socket information of the system display ip socket [ socktype sock-type ] [ task-id socket-id ] Display the forwarding information base (FIB) entries display fib Display the FIB entries matching the destination IP address display fib [...]

  • Page 94

    i Table of Contents 1 Voice VLAN Configuration ·················· 1-1 Voice VLAN Overview ··················[...]

  • Page 95

    1-1 1 Voice VLAN Configuration When configuring voice VLAN, go to these sections for information you are interested in: • Voice VLAN Overview • Voice VLAN Configuration • Displaying and Maintaining Voice VLAN • Voice VLAN Configuration Example Voice VLAN Overview Voice VLANs are allocated specially for voice traffic. After creating a voice VL[...]

  • Page 96

    1-2 Figure 1-1 Network diagram for IP phones As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission. An IP phone goes through the following three phases to become capable of transmitting voice data. 1) After the IP phone is powered on, it sends an u[...]

  • Page 97

    1-3 • An untagged packet carries no VLAN tag. • A tagged packet carries the tag of a VLAN. To set an IP address and a voice VLAN for an IP phone manually, just make sure that the voice VLAN ID to be set is consistent with that of the switch and that the NCP is reachable from the IP address to be set. How Switch 4500 Series Switches Identify Vo[...]

  • Page 98

    1-4 Configuring Voice VLAN Assignment Mode of a Port A port can work in automatic voice VLAN assignment mode or manual voice VLAN assignment mode. You can configure the voice VLAN assignment mode for a port according to the data traffic passing through the port. Processing mode of untagged packets sent by IP voice devices • Automatic voice VLAN a[...]

  • Page 99

    1-5 Table 1-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically Voice VLAN assignment mode Voice traffic type Port type Supported or not Access Not supported Trunk Supported Make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits t[...]

  • Page 100

    1-6 Table 1-3 Matching relationship between port types and voice devices acquiring voice VLAN through manual configuration Voice VLAN assignment mode Port type Supported or not Access Not supported Trunk Supported Make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of the default VLAN. A[...]

  • Page 101

    1-7 Voice VLAN Mode Packet Type Processing Method Packet carrying the voice VLAN tag If the packet matches the OUI list, the packet is transmitted in the voice VLAN. Otherwise, the packet is dropped. Packet carrying any other VLAN tag The packet is forwarded or dropped based on whether the receiving port is assigned to the carried VLAN. The processing method is [...]

  • Page 102

    1-8 To do… Use the command… Remarks Set the voice VLAN aging timer voice vlan aging minutes Optional The default aging timer is 1440 minutes. Enable the voice VLAN function globally voice vlan vlan-id enable Required Enter Ethernet port view interface interface-type interface-number Required Enable the voice VLAN function on a port voice vlan e[...]

  • Page 103

    1-9 To do… Use the command… Remarks Enable the voice VLAN security mode voice vlan security enable Optional By default, the voice VLAN security mode is enabled. Set the voice VLAN aging timer voice vlan aging minutes Optional The default aging timer is 1,440 minutes. Enable the voice VLAN function globally voice vlan vlan-id enable Required En[...]

  • Page 104

    1-10 • The voice VLAN function can be enabled for only one VLAN at one time. • If the Link Aggregation Control Protocol (LACP) is enabled on a port, the voice VLAN feature cannot be enabled on it. • The voice VLAN function can be enabled only for a static VLAN. A dynamic VLAN cannot be configured as a voice VLAN. • When the ACL number applied to a port re[...]

  • Page 105

    1-11 Voice VLAN Configuration Example Voice VLAN Configuration Example (Automatic Voice VLAN Assignment Mode) Network requirements As shown in Figure 1-2, the MAC address of IP phone A is 0011-1100-0001. The phone connects to a downstream device named PC A whose MAC address is 0022-1100-0002 and to GigabitEthernet 1/0/1 on an upstream dev[...]

  • Page 106

    1-12 # Configure the allowed OUI addresses as MAC addresses prefixed by 0011-1100-0000 or 0011-2200-0000. In this way, Device A identifies packets whose MAC addresses match any of the configured OUI addresses as voice packets. [DeviceA] voice vlan mac-address 0011-1100-0001 mask ffff-ff00-0000 description IP phone A [DeviceA] voice vlan [...]

  • Page 107

    1-13 Voice VLAN Configuration Example (Manual Voice VLAN Assignment Mode) Network requirements Create a voice VLAN and configure it to operate in manual voice VLAN assignment mode. Add the port to which an IP phone is connected to the voice VLAN to enable voice traffic to be transmitted within the voice VLAN. • Create VLAN 2 and configure it a[...]

  • Page 108

    1-14 [DeviceA-Ethernet1/0/1] port hybrid pvid vlan 2 [DeviceA-Ethernet1/0/1] port hybrid vlan 2 untagged # Enable the voice VLAN function on Ethernet 1/0/1. [DeviceA-Ethernet1/0/1] voice vlan enable Verification # Display the OUI addresses, the corresponding OUI address masks and the corresponding description strings that the system supports. [...]

  • Page 109

    i Table of Contents 1 Port Basic Configuration ·················· 1-1 Ethernet Port Configuration ··················[...]

  • Page 110

    1-1 1 Port Basic Configuration When performing basic port configuration, go to these sections for information you are interested in: • Ethernet Port Configuration • Ethernet Port Configuration Example • Troubleshooting Ethernet Port Configuration Ethernet Port Configuration Combo Port Configuration Introduction to Combo port A Combo port can ope[...]

  • Page 111

    1-2 To do... Use the command... Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Enable the Ethernet port undo shutdown Optional By default, the port is enabled. Use the shutdown command to disable the port. Set the description string for the Ethernet port description text Optional[...]

  • Page 112

    1-3 Follow these steps to configure auto-negotiation speeds for a port: To do... Use the command... Remarks Enter system view system-view — Enter Ethernet interface view interface interface-type interface-number — Configure the available auto-negotiation speed(s) for the port speed auto [ 10 | 100 | 1000 ]* Optional • By default, the port [...]

  • Page 113

    1-4 To do... Use the command... Remarks Limit unknown unicast traffic received on the current port unicast-suppression { ratio | pps max-pps } Optional By default, the switch does not suppress unknown unicast traffic. Enabling Flow Control on a Port Flow control is enabled on both the local and peer switches. If congestion occurs on the local [...]

  • Page 114

    1-5 • If you specify a source aggregation group ID, the system will use the port with the smallest port number in the aggregation group as the source. • If you specify a destination aggregation group ID, the configuration of the source port will be copied to all ports in the aggregation group and all ports in the group will have the same configu[...]

  • Page 115

    1-6 • To enable loopback detection on a specific port, you must use the loopback-detection enable command in both system view and the specific port view. • After you use the undo loopback-detection enable command in system view, loopback detection will be disabled on all ports. Enabling Loopback Test You can configure the Ethernet port to run lo[...]

  • Page 116

    1-7 To do... Use the command... Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Enable the system to test connected cables virtual-cable-test Required Configuring the Interval to Perform Statistical Analysis on Port Traffic By performing the following configuration, you can set the[...]

  • Page 117

    1-8 The port state change delay takes effect when the port goes down but not when the port goes up. Follow these steps to set the port state change delay: To do… Use the command… Remarks Enter system view system-view — Enter Ethernet interface view interface interface-type interface-number — Set the port state change delay link-delay[...]

  • Page 118

    1-9 To do... Use the command... Remarks Clear port statistics reset counters interface [ interface-type | interface-type interface-number ] Available in user view After 802.1x is enabled on a port, clearing the statistics on the port will not work. Ethernet Port Configuration Example Network requirements • Switch A and Switch B are connected to[...]

  • Page 119

    1-10 Troubleshooting Ethernet Port Configuration Symptom: Fail to configure the default VLAN ID of an Ethernet port. Solution: Take the following steps: • Use the display interface or display port command to check if the port is a trunk port or a hybrid port. • If the port is not a trunk or hybrid port, configure it to be a trunk or hybrid p[...]

  • Page 120

    i Table of Contents 1 Link Aggregation Configuration ·················· 1-1 Overview ··················[...]

  • Page 121

    1-1 1 Link Aggregation Configuration When configuring link aggregation, go to these sections for information you are interested in: • Overview • Link Aggregation Classification • Aggregation Group Categories • Link Aggregation Configuration • Displaying and Maintaining Link Aggregation Configuration • Link Aggregation Configuration Example Over[...]

  • Page 122

    1-2 Table 1-1 Consistency considerations for ports in an aggregation Category Considerations STP State of port-level STP (enabled or disabled) Attribute of the link (point-to-point or otherwise) connected to the port Port path cost STP priority STP packet format Loop protection Root protection Port type (whether the port is an edge port) QoS Ra[...]

  • Page 123

    1-3 In a manual aggregation group, the system sets the ports to selected or unselected state according to the following rules. • Among the ports in an aggregation group that are in up state, the system selects as the master port the one whose settings rank highest in the following descending order: full duplex/high speed[...]

  • Page 124

    1-4 • There is a limit on the number of selected ports in an aggregation group. Therefore, if the number of the selected ports in an aggregation group exceeds the maximum number supported by the device, those with lower port numbers operate as the selected ports, and the others as unselected ports. Dynamic LACP Aggregation Group Introduction to [...]

  • Page 125

    1-5 Aggregation Group Categories Depending on whether or not load sharing is implemented, aggregation groups can be load-sharing or non-load-sharing aggregation groups. When load sharing is implemented, • For IP packets, the system will implement load-sharing based on source IP address and destination IP address; • For non-IP packets, the sy[...]

  • Page 126

    1-6 Link Aggregation Configuration • The commands of link aggregation cannot be configured together with the commands of the port loopback detection feature at the same time. • The ports where the mac-address max-mac-count command is configured cannot be added to an aggregation group. Conversely, the mac-address max-mac-count command cannot be configured[...]

  • Page 127

    1-7 • When you change a dynamic/static group to a manual group, the system will automatically disable LACP on the member ports. When you change a dynamic group to a static group, the system will keep the member ports LACP-enabled. 2) When a manual or static aggregation group contains only one port, you cannot remove the port unless you remo[...]

  • Page 128

    1-8 You need to enable LACP on the ports which you want to participate in dynamic aggregation of the system, because only when LACP is enabled on those ports at both ends can the two parties reach agreement in adding/removing ports to/from dynamic aggregation groups. You cannot enable LACP on a port which is already in a manual aggregati[...]

  • Page 129

    1-9 If you have saved the current configuration with the save command, after system reboot, the configuration concerning manual and static aggregation groups and their descriptions still exists, but that of dynamic aggregation groups and their descriptions gets lost. Displaying and Maintaining Link Aggregation Configuration To do… Use the com[...]

  • Page 130

    1-10 Configuration procedure The following only lists the configuration on Switch A; you must perform the similar configuration on Switch B to implement link aggregation. 1) Adopting manual aggregation mode # Create manual aggregation group 1. <Sysname> system-view [Sysname] link-aggregation group 1 mode manual # Add Ethernet 1/0/1 through E[...]

  • Page 131

    1-11 [Sysname] interface Ethernet1/0/3 [Sysname-Ethernet1/0/3] lacp enable The three LACP-enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration (such as rate, duplex mode, and so on).[...]

  • Page 132

    i Table of Contents 1 Port Isolation Configuration ·················· 1-1 Port Isolation Overview ··················[...]

  • Page 133

    1-1 1 Port Isolation Configuration When configuring port isolation, go to these sections for information you are interested in: • Port Isolation Overview • Port Isolation Configuration • Displaying and Maintaining Port Isolation Configuration • Port Isolation Configuration Example Port Isolation Overview The port isolation feature is used to se[...]

  • Page 134

    1-2 • When a member port of an aggregation group joins/leaves an isolation group, the other ports in the same aggregation group will join/leave the isolation group at the same time. • For ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggregation group has no effect on the other ports.[...]

  • Page 135

    1-3 Network diagram Figure 1-1 Network diagram for port isolation configuration Configuration procedure # Add Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 to the isolation group. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface ethernet1/0/2 [Sysname-Ethernet1/0/2] port isolate [Sysname-Ethernet1/0/2][...]

  • Page 136

    i Table of Contents 1 Port Security Configuration ·················· 1-1 Port Security Overview ··················[...]

  • Page 137

    1-1 1 Port Security Configuration When configuring port security, go to these sections for information you are interested in: • Port Security Overview • Port Security Configuration Task List • Displaying and Maintaining Port Security Configuration • Port Security Configuration Examples Port Security Overview Introduction Port security is a secur[...]

  • Page 138

    1-2 Table 1-1 Description of port security modes Security mode Description Feature noRestriction In this mode, access to the port is not restricted. In this mode, neither the NTK nor the intrusion protection feature is triggered. autolearn In this mode, a port can learn a specified number of MAC addresses and save those addresses as security MAC [...]

  • Page 139

    1-3 Security mode Description Feature userlogin In this mode, port-based 802.1x authentication is performed for access users. In this mode, neither NTK nor intrusion protection will be triggered. userLoginSecure MAC-based 802.1x authentication is performed on the access user. The port is enabled only after the authentication succeeds. When the por[...]

  • Page 140

    1-4 Security mode Description Feature macAddressElseUserLoginSecure In this mode, a port performs MAC authentication of an access user first. If the authentication succeeds, the user is authenticated. Otherwise, the port performs 802.1x authentication of the user. In this mode, there can be only one 802.1x-authenticated user on the port, but the[...]

  • Page 141

    1-5 Task Remarks Configuring Security MAC Addresses Optional Enabling Port Security Configuration Prerequisites Before enabling port security, you need to disable 802.1x and MAC authentication globally. Enabling Port Security Follow these steps to enable port security: To do... Use the command... Remarks Enter system view system-view — E[...]

  • Page 142

    1-6 This configuration is different from that of the maximum number of MAC addresses that can be learned by a port in MAC address management. Follow these steps to set the maximum number of MAC addresses allowed on a port: To do... Use the command... Remarks Enter system view system-view — Enter Ethernet port view interface interface-type in[...]

  • Page 143

    1-7 • Before setting the port security mode to autolearn, you need to set the maximum number of MAC addresses allowed on the port with the port-security max-mac-count command. • When the port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port. • After you set the port security mode to autol[...]

  • Page 144

    1-8 To do... Use the command... Remarks Set the timer during which the port remains disabled port-security timer disableport timer Optional 20 seconds by default The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port[...]

  • Page 145

    1-9 Configuring Security MAC Addresses Security MAC addresses are special MAC addresses that never age out. One security MAC address can be added to only one port in the same VLAN, so that you can bind a MAC address to one port in the same VLAN. Security MAC addresses can be learned by the auto-learn function of port security or manually config[...]

  • Page 146

    1-10 Displaying and Maintaining Port Security Configuration To do... Use the command... Remarks Display information about port security configuration display port-security [ interface interface-list ] Display information about security MAC address configuration display mac-address security [ interface interface-type interface-number ] [ vlan vlan[...]

  • Page 147

    1-11 [Switch-Ethernet1/0/1] mac-address security 0001-0002-0003 vlan 1 # Configure the port to be silent for 30 seconds after intrusion protection is triggered. [Switch-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily [Switch-Ethernet1/0/1] quit [Switch] port-security timer disableport 30[...]

  • Page 148

    i Table of Contents 1 DLDP Configuration ·················· 1-1 Overview ··················[...]

  • Page 149

    1-1 1 DLDP Configuration When configuring DLDP, go to these sections for information you are interested in: • Overview • DLDP Fundamentals • DLDP Configuration • DLDP Configuration Example Overview Device link detection protocol (DLDP) is a technology for dealing with unidirectional links that may occur in a network. If two switches, A and B,[...]

  • Page 150

    1-2 Figure 1-2 Fiber broken or not connected (figure labels: Device A GE1/0/49 GE1/0/50, Device B GE1/0/49 GE1/0/50, PC) Device link detection protocol (DLDP) can detect the link status of an optical fiber cable or copper twisted pair (such as super category 5 twisted pair). If DLDP finds a unidirectional link, it disables the related port automatically or prom[...]

  • Page 151

    1-3 DLDP packet type Function RSY-Advertisement packets (referred to as RSY packets hereafter) Advertisement packet with the RSY flag set to 1. RSY advertisement packets are sent to request synchronizing the neighbor information when neighbor information is not locally available or a neighbor information entry ages out. Flush-Advertisement pac[...]

  • Page 152

    1-4 DLDP Status A link can be in one of these DLDP states: initial, inactive, active, advertisement, probe, disable, and delaydown. Table 1-2 DLDP status Status Description Initial Initial status before DLDP is enabled. Inactive DLDP is enabled but the corresponding link is down. Active DLDP is enabled, and the link is up or a neighbor entry is[...]

  • Page 153

    1-5 Timer Description Entry aging timer When a new neighbor joins, a neighbor entry is created and the corresponding entry aging timer is enabled. When an advertisement packet is received from a neighbor, the neighbor entry is updated and the corresponding entry aging timer is updated. In the normal mode, if no packet is received from the neighb[...]

  • Page 154

    1-6 Table 1-4 DLDP operating mode and neighbor entry aging DLDP operating mode Detecting a neighbor after the corresponding neighbor entry ages out Removing the neighbor entry immediately after the Entry timer expires Triggering the Enhanced timer after an Entry timer expires Normal mode No Yes No Enhanced mode Yes No Yes (When the enhanced timer e[...]

  • Page 155

    1-7 Table 1-5 DLDP state and DLDP packet type DLDP state Type of the DLDP packets sent Active Advertisement packets, with the RSY flag set or not set. Advertisement Advertisement packets Probe Probe packets 2) A DLDP packet received is processed as follows: • In authentication mode, the DLDP packet is authenticated and is then dropped if it fail[...]

  • Page 156

    1-8 Table 1-7 Processing procedure when no echo packet is received from the neighbor No echo packet received from the neighbor Processing procedure In normal mode, no echo packet is received when the echo waiting timer expires. In enhanced mode, no echo packet is received when the enhanced timer expires. DLDP switches to the disable state, outp[...]

  • Page 157

    1-9 DLDP Configuration Performing Basic DLDP Configuration Follow these steps to perform basic DLDP configuration: To do… Use the command… Remarks Enter system view system-view — Enable DLDP on all optical ports of the switch dldp enable Enter Ethernet port view interface interface-type interface-number Enable DLDP Enable DLDP on the cur[...]

  • Page 158

    1-10 • When connecting two DLDP-enabled devices, make sure the software running on them is of the same version. Otherwise, DLDP may operate improperly. • When you use the dldp enable/dldp disable command in system view to enable/disable DLDP on all optical ports of the switch, the configuration takes effect on the existing optical ports, inst[...]

  • Page 159

    1-11 DLDP Configuration Example Network requirements As shown in Figure 1-4, • Switch A and Switch B are connected through two pairs of fibers. Both of them support DLDP. All the ports involved operate in mandatory full duplex mode, with their rates all being 1,000 Mbps. • Suppose the fibers between Switch A and Switch B are cross-connected. DL[...]

  • Page 160

    1-12 # Set the DLDP handling mode for unidirectional links to auto. [SwitchA] dldp unidirectional-shutdown auto # Display the DLDP state [SwitchA] display dldp 1 When two switches are connected through fibers in a crossed way, two or three ports may be in the disable state, and the rest in the inactive state. When a fiber is connected to a dev[...]

  • Página 161

    i Table of Contents 1 MAC Address Tabl e Management································································································· ··········· 1-1 Overview ··································[...]

  • Página 162

    1-1 1 MAC Address Table Management When MAC address t able mana gement functions, go to these sections for information you are interested in: z Overview z MAC Address Table Management z Displaying MAC Address Table Information z Configuration Example This chapter describes the management of stat ic, dynami c, and blackhole MAC address entries. For [...]

  • Página 163

1-2 Generally, the majority of MAC address entries are created and maintained through MAC address learning. The following describes the MAC address learning process of a switch: 1) As shown in Figure 1-1, User A and User B are both in VLAN 1. When User A communicates with User B, the packet from User A comes into the switch on GigabitEthe[...]

1-3 Figure 1-4 MAC address learning diagram (3) 4) At this time, the MAC address table of the switch includes the two forwarding entries shown in Figure 1-5. When forwarding the response packet from User B to User A, the switch sends the response to User A through GigabitEthernet 1/0/1 (technically called unicast), because MAC-A is already in the[...]

1-4 • The MAC address aging timer only takes effect on dynamic MAC address entries. • With the “destination MAC address triggered update function” enabled, when a switch finds a packet with a destination address matching one MAC address entry within the aging time, it updates the entry and restarts the aging timer. Entries in a MAC addr[...]

1-5 Task Remarks Enabling Destination MAC Address Triggered Update Optional Configuring a MAC Address Entry You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove a specific type of MAC address entries (dynamic or static MAC address entries). Adding a MAC address entry in syste[...]

1-6 • When you add a MAC address entry, the current port must belong to the VLAN specified by the vlan argument in the command. Otherwise, the entry will not be added. • If the VLAN specified by the vlan argument is a dynamic VLAN, after a static MAC address is added, it will become a static VLAN. Setting the MAC Address Aging Timer Setting an a[...]

1-7 By setting the maximum number of MAC addresses that can be learned from individual ports, the administrator can control the number of MAC address entries the MAC address table can dynamically maintain. When the number of MAC address entries learnt from a port reaches the set value, the port stops learning MAC addresses. Follow t[...]
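The learning limit, aging timer, triggered update and static/blackhole entries described in this chapter can be put together in a small model. The following Python is an added example written for this edit, not code from the 3Com manual or from the switch; the 300-second aging value, the per-port limit of 5, the port names and the MAC addresses are assumptions chosen for the demonstration. It also shows why the per-port limit matters: a host flooding forged source MACs (a MAC flooding attack) fills only its port's share of the table and then stops, and a static entry for the server cannot be overwritten by a forged frame arriving on another port.

```python
"""Model of the MAC address table behaviour described in this chapter: learning,
aging, destination-MAC triggered update, static/blackhole entries and the
per-port learning limit.  Added example, not from the 3Com manual; timer
values, port names and MAC addresses are assumed/constructed."""


class MacTable:
    def __init__(self, aging_time=300, max_learn=None, dst_triggered_update=False):
        self.aging_time = aging_time            # seconds (assumed default)
        self.max_learn = max_learn or {}        # port -> max dynamic entries (assumed)
        self.dst_triggered_update = dst_triggered_update
        self.entries = {}                       # (vlan, mac) -> {"port", "kind", "ts"}

    def dynamic_count(self, port):
        return sum(1 for e in self.entries.values()
                   if e["port"] == port and e["kind"] == "dynamic")

    def add_manual(self, vlan, mac, port, kind="static"):
        """Static entry bound to a port, or blackhole entry (frames to it are dropped)."""
        self.entries[(vlan, mac)] = {"port": port, "kind": kind, "ts": None}

    def learn(self, vlan, src_mac, port, now):
        """Source-MAC learning on frame arrival; True if an entry was (re)written."""
        key = (vlan, src_mac)
        cur = self.entries.get(key)
        if cur is not None and cur["kind"] != "dynamic":
            return False        # static/blackhole entries are never overwritten by learning
        if cur is None:
            limit = self.max_learn.get(port)
            if limit is not None and self.dynamic_count(port) >= limit:
                return False    # limit reached: the port has stopped learning
        self.entries[key] = {"port": port, "kind": "dynamic", "ts": now}
        return True

    def lookup(self, vlan, dst_mac, now):
        """Forwarding decision for a destination MAC: a port, 'drop' or 'flood'."""
        e = self.entries.get((vlan, dst_mac))
        if e is None:
            return "flood"
        if e["kind"] == "blackhole":
            return "drop"
        if self.dst_triggered_update and e["kind"] == "dynamic" and now - e["ts"] <= self.aging_time:
            e["ts"] = now       # destination-MAC triggered update restarts the aging timer
        return e["port"]

    def age(self, now):
        """Remove dynamic entries whose aging timer expired; returns how many."""
        expired = [k for k, e in self.entries.items()
                   if e["kind"] == "dynamic" and now - e["ts"] > self.aging_time]
        for k in expired:
            del self.entries[k]
        return len(expired)


def demo():
    """Walk through the behaviours, including a MAC flooding attempt on a limited port."""
    t = MacTable(aging_time=300, max_learn={"GigabitEthernet1/0/2": 5}, dst_triggered_update=True)
    t.add_manual(1, "000f-e200-0001", "GigabitEthernet1/0/1")            # server (static)
    t.add_manual(1, "0000-5e00-dead", None, kind="blackhole")            # known-bad host
    t.learn(1, "0001-0001-0001", "GigabitEthernet1/0/3", now=0)          # ordinary user
    # Attacker on GigabitEthernet1/0/2 sends 1000 frames with forged source MACs.
    learned = sum(t.learn(1, "0bad-0000-%04x" % i, "GigabitEthernet1/0/2", now=1)
                  for i in range(1000))
    hijacked = t.learn(1, "000f-e200-0001", "GigabitEthernet1/0/2", now=1)  # claim server MAC
    out = {
        "learned_on_attacker_port": learned,
        "server_mac_hijacked": hijacked,
        "server_port": t.lookup(1, "000f-e200-0001", now=2),
        "blackhole": t.lookup(1, "0000-5e00-dead", now=2),
        "unknown": t.lookup(1, "1234-5678-9abc", now=2),
    }
    t.lookup(1, "0001-0001-0001", now=200)      # traffic to the user refreshes its entry
    out["aged_out"] = t.age(now=400)            # the 5 attacker entries (ts=1) expire
    out["user_port_after_aging"] = t.lookup(1, "0001-0001-0001", now=400)
    return out


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the results. The limit applies to dynamic entries only, so manually added entries on the same port are not counted against it, which is also why the attacker cannot displace the server's static entry.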

1-8 To do… Use the command… Remarks Display the aging time of the dynamic MAC address entries in the MAC address table display mac-address aging-time Display the configured start port MAC address display port-mac Configuration Examples Adding a Static MAC Address Entry Manually Network requirements The server connects to the switch through G[...]

i Table of Contents 1 Auto Detect Configuration ..... 1-1 Introduction to the Auto Detect Function ..... [...]

1-1 1 Auto Detect Configuration When configuring the auto detect function, go to these sections for information you are interested in: • Introduction to the Auto Detect Function • Auto Detect Configuration • Auto Detect Configuration Examples Introduction to the Auto Detect Function The Auto Detect function uses Internet Control Message Protocol [...]

1-2 Task Remarks Auto Detect Implementation in VLAN Interface Backup Optional Auto Detect Basic Configuration Follow these steps to configure the auto detect function: To do… Use the command… Remarks Enter system view system-view — Create a detected group and enter detected group view detect-group group-number Required Add an IP address [...]

1-3 To avoid such problems, you can configure another route to back up the static route and use the Auto Detect function to judge the validity of the static route. If the static route is valid, packets are forwarded according to the static route, and the other route is standby. If the static route is invalid, packets are forwarded acco[...]

1-4 Figure 1-1 Schematic diagram for VLAN interface backup Using Auto Detect can help implement VLAN interface backup. When data can be transmitted through two VLAN interfaces on the switch to the same destination, configure one of the VLAN interfaces as the active interface and the other as the standby interface. The standby interface is [...]

1-5 • On Switch A, configure a static route to Switch C. • Enable the static route when detected group 8 is reachable. • To ensure normal operation of the auto detect function, configure a static route to Switch A on Switch C. Network diagram Figure 1-2 Network diagram for implementing the auto detect function in static route Configuratio[...]

1-6 Network diagram Figure 1-3 Network diagram for VLAN interface backup Configuration procedure Configure the IP addresses of all the interfaces as shown in Figure 1-3. The configuration procedure is omitted. # Enter system view. <SwitchA> system-view # Create auto detected group 10. [SwitchA] detect-group 10 # Add the IP address of 10.1[...]

i Table of Contents 1 MSTP Configuration ..... 1-1 Overview ..... [...]

ii Configuring Digest Snooping ..... 1-39 Configuring Rapid Transition ..... [...]

1-1 1 MSTP Configuration Go to these sections for information you are interested in: • Overview • MSTP Configuration Task List • Configuring Root Bridge • Configuring Leaf Nodes • Performing mCheck Operation • Configuring Guard Functions • Configuring Digest Snooping • Configuring Rapid Transition • MSTP Maintenance Configuration • Enabling Trap[...]

1-2 In STP, BPDUs come in two types: • Configuration BPDUs, used to calculate spanning trees and maintain the spanning tree topology. • Topology change notification (TCN) BPDUs, used to notify concerned devices of network topology changes, if any. Basic concepts in STP 1) Root bridge A tree network must have a root; hence the concept of root br[...]

1-3 Figure 1-1 A schematic diagram of designated bridges and designated ports All the ports on the root bridge are designated ports. 4) Bridge ID A bridge ID consists of eight bytes, where the first two bytes represent the bridge priority of the device, and the latter six bytes represent the MAC address of the device. The default bridge prio[...]

1-4 6) Port ID A port ID used on a 3Com Switch 4500 consists of two bytes, that is, 16 bits, where the first six bits represent the port priority, and the latter ten bits represent the port number. The default priority of all Ethernet ports on 3Com Switch 4500 is 128. You can use commands to configure port priorities. For details, see Confi[...]

1-5 Table 1-2 Selection of the optimum configuration BPDU Step Description 1 Upon receiving a configuration BPDU on a port, the device performs the following processing: • If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device will discard the received configuration BPDU with[...]

1-6 Step Description 3 The device compares the calculated configuration BPDU with the configuration BPDU on the port whose role is to be determined, and acts as follows based on the comparison result: • If the calculated configuration BPDU is superior, this port will serve as the designated port, and the configuration BPDU on the port will be [...]

1-7 Device / Port name / BPDU of port: Device B: BP1 {1, 0, 1, BP1}, BP2 {1, 0, 1, BP2}; Device C: CP1 {2, 0, 2, CP1}, CP2 {2, 0, 2, CP2}. • Comparison process and result on each device The following table shows the comparison process and result on each device. Table 1-5 Comparison process and result on each device Device Comparison process BPDU of port[...]

1-8 Device Comparison process BPDU of port after comparison • Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1. • Port CP2 receives the configuration BPDU of[...]

1-9 Figure 1-3 The final calculated spanning tree To facilitate description, the spanning tree calculation process in this example is simplified, while the actual process is more complicated. 3) The BPDU forwarding mechanism in STP • Upon network initiation, every switch regards itself as the root bridge, generates configuration BPDUs with itse[...]

1-10 For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and the designated ports must go through a period, which is twice the forward delay time, before they transit to the forwarding state. The period allows the new configuration BPDUs to be propagated throughout the entire network. • Hello[...]

1-11 • MSTP supports mapping VLANs to Multiple Spanning Tree (MST) instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP introduces instances (which integrate multiple VLANs into a set) and can bind multiple VLANs to an instance, thus saving communication overhead and improving resource utilization. • MSTP divides a switched[...]

1-12 2) MSTI A multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region. Multiple spanning trees can be established in one MST region. These spanning trees are independent of each other. For example, each region in Figure 1-4 contains multiple spanning trees known as MSTIs. Each of these spanning trees correspon[...]

1-13 • A region boundary port is located on the boundary of an MST region and is used to connect one MST region to another MST region, an STP-enabled region or an RSTP-enabled region. • An alternate port is a secondary port of a root port or master port and is used for rapid transition. With the root port or master port being blocked, the alt[...]

1-14 • Forwarding state. Ports in this state can forward user packets and receive/send BPDU packets. • Learning state. Ports in this state can receive/send BPDU packets but do not forward user packets. • Discarding state. Ports in this state can only receive BPDU packets. Port roles and port states are not mutually dependent. Table 1-6 l[...]

1-15 In addition to the basic MSTP functions, 3Com Switch 4500 also provides the following functions for users to manage their switches. • Root bridge hold • Root bridge backup • Root guard • BPDU guard • Loop guard • TC-BPDU attack guard Protocols and Standards MSTP is documented in: • IEEE 802.1D: spanning tree protocol • IEEE 802.1w: rapid [...]

1-16 Task Remarks Configuring the Maximum Transmitting Rate on the Current Port Optional The default value is recommended. Configuring the Current Port as an Edge Port Optional Setting the Link Type of a Port to P2P Optional Enabling MSTP Required To prevent network topology jitter caused by other related configurations, you are recommended to en[...]

1-17 To do... Use the command... Remarks Configure the name of the MST region region-name name Required The default MST region name of a switch is its MAC address. Configure the VLAN-to-instance mapping table for the MST region instance instance-id vlan vlan-list, or vlan-mapping modulo modulo Required Both commands can be used to configure VLAN-to-i[...]

1-18 Configuration example # Configure an MST region named info, the MSTP revision level being level 1, VLAN 2 through VLAN 10 being mapped to MSTI 1, and VLAN 20 through VLAN 30 being mapped to MSTI 2. <Sysname> system-view [Sysname] stp region-configuration [Sysname-mst-region] region-name info [Sysname-mst-region] instance 1 vlan 2 to 10[...]

1-19 Using the stp root primary / stp root secondary command, you can specify the current switch as the root bridge or the secondary root bridge of the MSTI identified by the instance-id argument. If the value of the instance-id argument is set to 0, the stp root primary / stp root secondary commands specify the current switch as the root bridge [...]

1-20 To do... Use the command... Remarks Set the bridge priority for the current switch stp [ instance instance-id ] priority priority Required The default bridge priority of a switch is 32,768. • Once you specify a switch as the root bridge or a secondary root bridge by using the stp root primary or stp root secondary command, the bridge prio[...]

1-21 To do... Use the command... Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Configure how a port recognizes and sends MSTP packets stp compliance { auto | dot1s | legacy } Required By default, a port recognizes and sends MSTP packets in the automatic mode. That is, it determi[...]

1-22 <Sysname> system-view [Sysname] stp mode stp Configuring the Maximum Hop Count of an MST Region The maximum hop count configured on the region root is also the maximum hops of the MST region. The value of the maximum hop count limits the size of the MST region. A configuration BPDU contains a field that maintains the remaining hops[...]

1-23 To do... Use the command... Remarks Enter system view system-view — Configure the network diameter of the switched network stp bridge-diameter bridgenumber Required The default network diameter of a network is 7. The network diameter parameter indicates the size of a network. The bigger the network diameter is, the larger the network s[...]

1-24 • The forward delay parameter and the network diameter are correlated. Normally, a large network diameter corresponds to a large forward delay. A forward delay that is too small may result in temporary redundant paths (transient loops), and one that is too large may leave the network unable to resume its normal state in time after a change[...]

1-25 Configuration procedure Follow these steps to configure the timeout time factor: To do... Use the command... Remarks Enter system view system-view — Configure the timeout time factor for the switch stp timer-factor number Required The timeout time factor defaults to 3. For a steady network, the timeout time can be five to seven times of [...]

1-26 As the maximum transmitting rate parameter determines the number of configuration BPDUs transmitted in each hello time, set it to a proper value to prevent MSTP from occupying too many network resources. The default value is recommended. Configuration example # Set the maximum transmitting rate of Ethernet 1/0/1 to 15. 1) Configure the ma[...]

1-27 You are recommended to configure the Ethernet ports connected directly to terminals as edge ports and enable the BPDU guard function at the same time. This not only enables these ports to turn to the forwarding state rapidly but also secures your network: a BPDU arriving on an edge port means an unexpected switch or a forged BPDU, and with BPDU guard the port is shut down instead of letting the sender take part in the spanning tree calculation. Configuration example # Configure Ethernet 1/0/1 as an edge port. 1) Configure Ethern[...]

1-28 To do... Use the command... Remarks Specify whether the link connected to a port is a point-to-point link stp point-to-point { force-true | force-false | auto } Required The auto keyword is adopted by default. • If you configure the link connected to a port in an aggregation group as a point-to-point link, the configuration will be synchron[...]

1-29 To do... Use the command... Remarks Enter system view system-view — Enable MSTP stp enable Required MSTP is enabled globally by default. Enter Ethernet port view interface interface-type interface-number — Disable MSTP on the port stp disable Optional By default, MSTP is enabled on all ports. To enable a switch to operate more flexibly, [...]

1-30 Configuring the Path Cost for a Port The path cost parameter reflects the rate of the link connected to the port. For a port on an MSTP-enabled switch, the path cost may be different in different MSTIs. You can enable flows of different VLANs to travel along different physical links by configuring appropriate path costs on ports, so[...]

1-31 When calculating the path cost of an aggregated link, the 802.1D-1998 standard does not take the number of ports on the aggregated link into account, whereas the 802.1T standard does. The following formula is used to calculate the path cost of an aggregated link: Path cost = 200,000,000 / link transmission rate Where “link tran[...]

1-32 [Sysname] undo stp interface Ethernet 1/0/1 instance 1 cost [Sysname] stp pathcost-standard dot1d-1998 2) Perform this configuration in Ethernet port view <Sysname> system-view [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] undo stp instance 1 cost [Sysname-Ethernet1/0/1] quit [Sysname] stp pathcost-standard dot1d-1998 Config[...]

1-33 1) Perform this configuration in system view <Sysname> system-view [Sysname] stp interface Ethernet 1/0/1 instance 1 port priority 16 2) Perform this configuration in Ethernet port view <Sysname> system-view [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp instance 1 port priority 16 Setting the Link Type of a Port to[...]

1-34 To do... Use the command... Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Perform the mCheck operation stp mcheck Required Configuration Example # Perform the mCheck operation on Ethernet 1/0/1. 1) Perform this configuration in system view <Sysname> system-view [Sysname[...]

1-35 To do... Use the command... Remarks Enter system view system-view — Enable the BPDU guard function stp bpdu-protection Required The BPDU guard function is disabled by default. Configuration example # Enable the BPDU guard function. <Sysname> system-view [Sysname] stp bpdu-protection As Gigabit ports of a 3Com Switch 4500 cannot be sh[...]

1-36 Configuration procedure Follow these steps to configure the root guard function in system view: To do... Use the command... Remarks Enter system view system-view — Enable the root guard function on specified ports stp interface interface-list root-protection Required The root guard function is disabled by default. Follow these steps to [...]

1-37 • You are recommended to enable loop guard on the root port and alternate port of a non-root bridge. • Loop guard, root guard, and edge port settings are mutually exclusive. With one of these functions enabled on a port, neither of the other two can take effect even if you have configured it on the port. Configuration Prerequisi[...]

1-38 maximum times for a switch to remove the MAC address table and ARP entries to 100 and the switch receives 200 TC-BPDUs in the period, the switch removes the MAC address table and ARP entries only 100 times within the period. Configuration prerequisites MSTP runs normally on the switch. Configuration procedure Follow these steps to co[...]

1-39 switch, and puts them in the BPDUs to be sent to the other manufacturer's switch. In this way, the Switch 4500 can communicate with another manufacturer's switches in the same MST region. The digest snooping function is not applicable to edge ports. Configuring Digest Snooping Configure the digest snooping feature on a switch to[...]

1-40 • When the digest snooping feature is enabled on a port, the port state turns to the discarding state. That is, the port will not send BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port. • The digest snooping feature is needed only when your switch is connected to another manufac[...]

1-41 Figure 1-6 The RSTP rapid transition mechanism (figure: the upstream switch's designated port sends a Proposal for rapid transition; the downstream switch's root port blocks the other non-edge ports, changes to the forwarding state and sends an Agreement to the upstream device; the designated port then changes to the forwarding state) Figure 1-7 The MSTP rapid transition [...]

1-42 Configuring Rapid Transition Configuration prerequisites As shown in Figure 1-8, a 3Com Switch 4500 is connected to another manufacturer's switch. The former operates as the downstream switch, and the latter operates as the upstream switch. The network operates normally. The upstream switch is running a proprietary spanning tree [...]

1-43 • The rapid transition feature can be enabled only on root ports or alternate ports. • If you configure the rapid transition feature on a designated port, the feature does not take effect on the port. MSTP Maintenance Configuration Introduction In a large-scale network with MSTP enabled, there may be many MSTP instances, and so the status o[...]

1-44 Configuration procedure Follow these steps to enable trap messages conforming to the 802.1d standard: To do... Use the command... Remarks Enter system view system-view — Enable trap messages conforming to the 802.1d standard in an instance stp [ instance instance-id ] dot1d-trap [ newroot | topologychange ] enable Required Configuration exampl[...]

1-45 Network diagram Figure 1-9 Network diagram for MSTP configuration The word “permit” shown in Figure 1-9 means the corresponding link permits packets of specific VLANs. Configuration procedure 1) Configure Switch A # Enter MST region view. <Sysname> system-view [Sysname] stp region-configuration # Configure the region name, VLAN-[...]

1-46 # Activate the settings of the MST region manually. [Sysname-mst-region] active region-configuration # Specify Switch B as the root bridge of MSTI 3. [Sysname] stp instance 3 root primary 3) Configure Switch C. # Enter MST region view. <Sysname> system-view [Sysname] stp region-configuration # Configure the MST region. [Sysname-mst-[...]

i Table of Contents 1 IP Routing Protocol Overview ..... 1-1 Introduction to IP Route and Routing Table ..... [...]

ii Filters ..... 4-1 IP Route Policy Configuration Task List ..... [...]

1-1 1 IP Routing Protocol Overview Go to these sections for information you are interested in: • Introduction to IP Route and Routing Table • Routing Protocol Overview • Displaying and Maintaining a Routing Table Introduction to IP Route and Routing Table IP Route Routers are used for route selection on the Internet. As a router receives a pac[...]

1-2 • Preference: There may be multiple routes with different next hops to the same destination. These routes may be discovered by different routing protocols, or be manually configured static routes. The one with the highest preference (the smallest numerical value) will be selected as the current optimal route. According to different destinat[...]

1-3 Routing Protocol Overview Static Routing and Dynamic Routing Static routing is easy to configure and requires fewer system resources. It works well in small, stable networks with simple topologies. It cannot adapt itself to any network topology change automatically, so you must perform routing configuration again whenever the netwo[...]

1-4 each routing protocol (including static routes) is assigned a priority. The route found by the routing protocol with the highest priority is preferred. The following table lists some routing protocols and the default priorities for routes found by them: Table 1-1 Routing protocols and priorities of their default route Routing approach Pri[...]

1-5 routing information. Each routing protocol shares routing information discovered by other routing protocols through a route redistribution mechanism. Displaying and Maintaining a Routing Table To do… Use the command… Remarks Display brief information about a routing table display ip routing-table [ | { begin | exclude | include } regula[...]

2-1 2 Static Route Configuration When configuring a static route, go to these sections for information you are interested in: • Introduction to Static Route • Static Route Configuration • Displaying and Maintaining Static Routes • Static Route Configuration Example • Troubleshooting a Static Route The term router in this chapter refers to a route[...]

2-2 Default Route To avoid too large a routing table, you can configure a default route. When the destination address of a packet fails to match any entry in the routing table, • If there is a default route in the routing table, the default route will be selected to forward the packet. • If there is no default route, the packet will be discarded[...]

2-3 To do... Use the command... Remarks Display the brief information of a routing table display ip routing-table Display the detailed information of a routing table display ip routing-table verbose Display the information of static routes display ip routing-table protocol static [ inactive | verbose ] Delete all static routes delete static-routes[...]

2-4 1) Perform the following configurations on the switch. # Approach 1: Configure static routes on Switch A. <SwitchA> system-view [SwitchA] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2 [SwitchA] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2 [SwitchA] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2 # Approach 2: Configure a static route o[...]

3-1 3 RIP Configuration When configuring RIP, go to these sections for information you are interested in: • RIP Overview • RIP Configuration Task List • RIP Configuration Example • Troubleshooting RIP Configuration The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol. RIP Overvi[...]

3-2 • Interface: Outbound interface on this router, through which IP packets should be forwarded to reach the destination. • Metric: Cost from the local router to the destination. • Route time: Time elapsed since the routing entry was last updated. The time is reset to 0 every time the routing entry is updated. RIP timers As defined in RFC 105[...]

3-3 Task Remarks Enabling RIP on the interfaces attached to a specified network segment Required Setting the RIP operating status on an interface Optional Configuring Basic RIP Functions Specifying the RIP version on an interface Optional Setting the additional routing metrics of an interface Optional Configuring RIP route summarization Optional[...]

3-4 • Related RIP commands configured in interface view can take effect only after RIP is enabled. • RIP operates on the interfaces attached to a specified network segment. When RIP is disabled on an interface, it does not operate on the interface, that is, it neither receives/sends routes on the interface, nor forwards any interface route. The[...]

3-5 • Set the preference of RIP to change the preference order of routing protocols. This order makes sense when more than one route to the same destination is discovered by multiple routing protocols. • Redistribute external routes in an environment with multiple routing protocols. Configuration Prerequisites Before configuring RIP route co[...]

3-6 Follow these steps to configure RIP route summarization: To do... Use the command... Remarks Enter system view system-view — Enter RIP view rip — Enable RIP-2 automatic route summarization summary Required Enabled by default Disabling the router from receiving host routes In some special cases, the router can receive a lot of host rou[...]

3-7 • The filter-policy import command filters the RIP routes received from neighbors, and the routes being filtered out will neither be added to the routing table nor be advertised to any neighbors. • The filter-policy export command filters all the routes to be advertised, including the routes redistributed with the import-route command an[...]

3-8 RIP Network Adjustment and Optimization In some special network environments, some RIP features need to be configured and RIP network performance needs to be adjusted and optimized. By performing the configuration mentioned in this section, the following can be implemented: • Changing the convergence speed of the RIP network by adjusting RI[...]

3-9 Split horizon cannot be disabled on a point-to-point link. Configuring RIP-1 packet zero field check Follow these steps to configure RIP-1 packet zero field check: To do... Use the command... Remarks Enter system view system-view — Enter RIP view rip — Enable the check of the must-be-zero fields in RIP-1 packets checkzero Required Enab[...]

3-10 Configuring RIP to unicast RIP packets Follow these steps to configure RIP to unicast RIP packets: To do... Use the command... Remarks Enter system view system-view — Enter RIP view rip — Configure RIP to unicast RIP packets peer ip-address Required When RIP runs on a link that does not support broadcast or multicast, you must conf[...]

3-11 Switch C Vlan-int1 110.11.2.3/24 Vlan-int4 117.102.0.1/16 Configuration procedure Only the configuration related to RIP is listed below. Before the following configuration, make sure the Ethernet link layer works normally and the IP addresses of the VLAN interfaces are configured correctly. 1) Configure Switch A: # Configure RIP. <SwitchA>[...]

4-1 4 IP Route Policy Configuration When configuring an IP route policy, go to these sections for information you are interested in: • IP Route Policy Overview • IP Route Policy Configuration Task List • Displaying IP Route Policy • IP Route Policy Configuration Example • Troubleshooting IP Route Policy The term router in this chapter refers to a[...]

4-2 For ACL configuration, refer to the part discussing ACL. IP-prefix list An IP-prefix list plays a role similar to an ACL, but it is more flexible than an ACL and easier to understand. When an IP-prefix list is applied to filter routing information, its matching object is the destination address field in the routing information. Moreover, with IP-prefix li[...]

4-3 • if-match clause: Defines matching rules; that is, the filtering conditions that the routing information should satisfy to pass the current route policy. The matching objects are some attributes of the routing information. • apply clause: Specifies actions, which are the configuration commands executed after a route satisfies the filter[...]

4-4 To do... Use the command... Remarks Enter system view system-view — Enter the route-policy view route-policy route-policy-name { permit | deny } node node-number Required Define a rule to match the IP address of routing information if-match { acl acl-number | ip-prefix ip-prefix-name } Optional By default, no matching is performed on the a[...]

4-5 IP-Prefix Configuration An IP-prefix list plays a role similar to an ACL but is more flexible and easier to understand. When an IP-prefix list is applied to filtering routing information, its matching object is the destination address information field of the routing information. Configuration Prerequisites Before configuring a filter list, prepare the follo[...]

    4-6 IP Route Policy Configuration Example Controlling RIP Packet Cost to Implement Dy namic Route Backup Network requirements The required speed of convergen ce in the small network of a compa ny is not high. The network provides two services. Mai n and backup links are provi ded for each service for the purpose of reliability . The main link of on[...]

  • Página 253

    4-7 z For the OA server, the main link is be tween Sw itch A and Switch C, while the backup link i s between Switch B and Switch C. z For the service server, the main link is between Swi tch B and Switch C, while the backup link is between Switch A and Switch C. z Apply a route policy to control the co st of routes receiv ed by Switch C to provide [...]

  • Página 254

    4-8 [SwitchC-route-policy] if-match interface Vlan-interface2 [SwitchC-route-policy] if-match ip-prefix 2 [SwitchC-route-policy] apply cost 6 [SwitchC-route-policy] quit # Create node 30 with the matching mode bein g permit in the route policy . Define if-match clauses. Apply the cost 6 to routes matching the outgoin g interface VLAN-interface 6 an[...]

  • Página 255

    4-9 2) Display data forwarding paths when the main link of the OA serve r between Switch A and Switch C is down. <SwitchC> display ip routing-table Routing Table: public net Destination/Mask Protocol Pre Cost Nexthop Interface 1.0.0.0/8 RIP 100 6 6.6.6.5 Vlan-interface2 3.0.0.0/8 RIP 100 5 6.6.6.5 Vlan-interface6 6.0.0.0/8 DIRECT 0 0 6.6.6.6 [...]

  • Page 256

    i Table of Contents  1 Multicast Overview ... 1-1  Multicast Overview ...[...]

  • Page 257

    ii Configuring IGMP Snooping ... 1-17  Configuring Multicast VLAN ...[...]

  • Page 258

    1-1 1 Multicast Overview
    In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
    Multicast Overview
    With the development of the Internet, more and more interaction services such as data, voice, and video services are running on the network. In addition, highly b[...]

  • Page 259

    1-2 Assume that Hosts B, D and E need this information. The source server establishes transmission channels for the devices of these users respectively. As the transmitted traffic over the network is in direct proportion to the number of users that receive this information, when a large number of users need the same information, the server[...]

  • Page 260

    1-3 Information Transmission in the Multicast Mode
    As described in the previous sections, unicast is suitable for networks with sparsely distributed users, whereas broadcast is suitable for networks with densely distributed users. When the number of users requiring information is not certain, unicast and broadcast are not efficient. Multicast [...]

  • Page 261

    1-4
    - All receivers interested in the same information form a multicast group. Multicast groups are not subject to geographic restrictions.
    - A router that supports Layer 3 multicast is called multicast router or Layer 3 multicast device. In addition to providing multicast routing, a multicast router can also manage multicast group members. Fo[...]

  • Page 262

    1-5
    - Distributive application: Multicast makes multiple-point application possible.
    Application of multicast
    The multicast technology effectively addresses the issue of point-to-multipoint data transmission. By enabling high-efficiency point-to-multipoint data transmission over an IP network, multicast greatly saves network bandwidth an[...]

  • Page 263

    1-6 Multicast Architecture
    The purpose of IP multicast is to transmit information from a multicast source to receivers in the multicast mode and to satisfy information requirements of receivers. You should be concerned about:
    - Host registration: What receivers reside on the network?
    - Technologies of discovering a multicast source: Which mu[...]

  • Page 264

    1-7
    - The membership of a group is dynamic. A host can join and leave a multicast group at any time.
    - A multicast group can be either permanent or temporary.
    - A multicast group whose addresses are assigned by IANA is a permanent multicast group. It is also called reserved multicast group.
    Note that:
    - The IP addresses of a permanent multicas[...]

  • Page 265

    1-8 Class D address range | Description
    224.0.0.13 | All Protocol Independent Multicast (PIM) routers
    224.0.0.14 | Resource Reservation Protocol (RSVP) encapsulation
    224.0.0.15 | All core-based tree (CBT) routers
    224.0.0.16 | The specified subnetwork bandwidth management (SBM)
    224.0.0.17 | All SBMS
    224.0.0.18 | Virtual Router Redundancy Protocol (VRRP)
    224.0.[...]

  • Page 266

    1-9 Multicast Protocols
    - Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols, which include IGMP, PIM, and MSDP; we refer to IP multicast working at the data link layer as Layer 2 multicast and the corresponding multicast protocols as[...]

  • Page 267

    1-10 Among a variety of mature intra-domain multicast routing protocols, Protocol Independent Multicast (PIM) is a popular one. Based on the forwarding mechanism, PIM comes in two modes: dense mode (often referred to as PIM-DM) and sparse mode (often referred to as PIM-SM).
    - An inter-domain multicast routing protocol is used for delivery [...]

  • Page 268

    1-11
    - In the network, multicast packet transmission is based on the guidance of the multicast forwarding table derived from the unicast routing table or the multicast routing table specially provided for multicast.
    - To process the same multicast information from different peers received on different interfaces of the same device, every multic[...]

  • Page 269

    1-12 considers the path along which the packet from the RPF neighbor arrived on the RPF interface to be the shortest path that leads back to the source. Assume that unicast routes exist in the network, as shown in Figure 1-7. Multicast packets travel along the SPT from the multicast source to the receivers.
    Figure 1-7 RPF check process (Sourc[...]

  • Page 270

    1-1 2 Common Multicast Configuration
    In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
    Common Multicast Configuration
    Table 2-1 Complete the following tasks to perform common multicast configurations:
    Task | Remarks
    Configuring Suppression on the Multicast S[...]

  • Page 271

    1-2 To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port view | interface interface-type interface-number | —
    Configure multicast source port suppression | multicast-source-deny | Optional. Multicast source port suppression is disabled by default.
    Configuring a Multicast MAC Address Entry
    In Layer 2 multicast, th[...]

  • Page 272

    1-3
    - If the multicast MAC address entry to be created already exists, the system gives you a prompt.
    - If you want to add a port to a multicast MAC address entry created through the mac-address multicast command, you need to remove the entry first, create this entry again, and then add the specified port to the forwarding ports of this entry. [...]

  • Page 273

    1-1 3 IGMP Snooping Configuration
    When configuring IGMP snooping, go to these sections for information you are interested in:
    - IGMP Snooping Overview
    - Configuring IGMP Snooping
    - Displaying and Maintaining IGMP Snooping
    - IGMP Snooping Configuration Examples
    - Troubleshooting IGMP Snooping
    In this manual, the term “router” refers to a route[...]

  • Page 274

    1-2 Figure 3-1 Before and after IGMP Snooping is enabled on Layer 2 device (two panels: “Multicast packet transmission without IGMP Snooping” and “Multicast packet transmission when IGMP Snooping runs”; elements shown: Source, Multicast router, Layer 2 switch, Host A (Receiver), Host B, Host C (Receiver), Multicast packets) [...]

  • Page 275

    1-3 member ports. The switch records all member ports on the local device in the IGMP Snooping forwarding table.
    Port aging timers in IGMP Snooping and related messages and actions
    Table 3-1 Port aging timers in IGMP Snooping and related messages and actions
    Timer | Description | Message before expiry | Action after expiry
    Router port aging timer | For[...]

  • Page 276

    1-4 A switch will not forward an IGMP report through a non-router port for the following reason: Due to the IGMP report suppression mechanism, if member hosts of that multicast group still exist under non-router ports, the hosts will stop sending reports when they receive the message, and this prevents the switch from knowing if members of[...]

  • Page 277

    1-5 Configuring IGMP Snooping
    Complete the following tasks to configure IGMP Snooping:
    Task | Remarks
    Enabling IGMP Snooping | Required
    Configuring the Version of IGMP Snooping | Optional
    Configuring Timers | Optional
    Configuring Fast Leave Processing | Optional
    Configuring a Multicast Group Filter | Optional
    Configuring the Maximum Number of Multicast Gro[...]

  • Page 278

    1-6
    - Although both Layer 2 and Layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously on a VLAN or its corresponding VLAN interface.
    - Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view; otherwise the IGMP Snooping settings will not take effect.
    - If I[...]

  • Page 279

    1-7 Configuring Timers
    This section describes how to configure the aging timer of the router port, the aging timer of the multicast member ports, and the query response timer.
    Follow these steps to configure timers:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Configure the aging timer of the router port | igmp-snooping[...]

  • Page 280

    1-8 To do... | Use the command... | Remarks
    Enter Ethernet port view | interface interface-type interface-number | —
    Enable fast leave processing for specific VLANs | igmp-snooping fast-leave [ vlan vlan-list ] | Required. By default, the fast leave processing feature is disabled.
    - The fast leave processing function works for a port only if the host atta[...]

  • Page 281

    1-9 To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port view | interface interface-type interface-number | —
    Configure a multicast group filter | igmp-snooping group-policy acl-number [ vlan vlan-list ] | Optional. No group filter is configured by default, namely hosts can join any multicast group.
    - A port can belo[...]

  • Page 282

    1-10
    - To prevent bursting traffic in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process.
    - When the number of multicast groups exceeds the configured limit, the switch removes its multicast forwarding entries starting [...]

  • Page 283

    1-11 To do... | Use the command... | Remarks
    Enable IGMP Snooping querier | igmp-snooping querier | Required. By default, IGMP Snooping querier is disabled.
    Configuring IGMP query interval
    Follow these steps to configure IGMP query interval:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter VLAN view | vlan vlan-id | —
    Configure t[...]

  • Page 284

    1-12
    - If the function of dropping unknown multicast packets or the XRN fabric function is enabled, you cannot enable unknown multicast flooding suppression.
    - Unknown multicast flooding suppression and multicast source port suppression cannot take effect at the same time. If both are enabled, only multicast source port suppression takes e[...]

  • Page 285

    1-13 Configuring a Static Router Port
    In a network where the topology is unlikely to change, you can configure a port on the switch as a static router port, so that the switch has a static connection to a multicast router and receives IGMP messages from that router.
    In Ethernet port view
    Follow these steps to configure a static router port in[...]

  • Page 286

    1-14 Therefore, to ensure that IGMP entries will not age out, the port must receive IGMP general queries periodically.
    Follow these steps to configure a port as a simulated group member:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port view | interface interface-type interface-number | —
    Configure the curr[...]

  • Page 287

    1-15 Configuring Multicast VLAN
    In traditional multicast implementations, when users in different VLANs listen to the same multicast group, the multicast data is copied on the multicast router for each VLAN that contains receivers. This is a big waste of network bandwidth. In an IGMP Snooping environment, by configuring a multicast VLAN a[...]

  • Page 288

    1-16 To do... | Use the command... | Remarks
    Enter Ethernet port view for the Layer 3 switch | interface interface-type interface-number | —
    Define the port as a trunk or hybrid port | port link-type { trunk | hybrid } | Required
    Specify the VLANs to be allowed to pass the Ethernet port | port hybrid vlan vlan-list { tagged | untagged } / port trunk permit vla[...]

  • Page 289

    1-17 IGMP Snooping Configuration Examples
    Configuring IGMP Snooping
    Network requirements
    To prevent multicast traffic from being flooded at Layer 2, enable IGMP snooping on Layer 2 switches.
    - As shown in Figure 3-3, Router A connects to a multicast source (Source) through Ethernet 1/0/2, and to Switch A through Ethernet 1/0/1.
    - Run PIM-DM and[...]

  • Page 290

    1-18 3) Configure Switch A
    # Enable IGMP Snooping globally.
    <SwitchA> system-view
    [SwitchA] igmp-snooping enable
    Enable IGMP-Snooping ok.
    # Create VLAN 100, assign Ethernet 1/0/1 through Ethernet 1/0/4 to this VLAN, and enable IGMP Snooping in the VLAN.
    [SwitchA] vlan 100
    [SwitchA-vlan100] port Ethernet 1/0/1 to Ethernet 1/0/4
    [SwitchA-vlan[...]

  • Page 291

    1-19 Table 3-2 Network devices and their configurations
    Device | Device description | Networking description
    Switch A | Layer 3 switch | The interface IP address of VLAN 20 is 168.10.1.1. Ethernet 1/0/1 is connected to the workstation and belongs to VLAN 20. The interface IP address of VLAN 10 is 168.10.2.1. Ethernet 1/0/10 belongs to VLAN 10. Ethernet[...]

  • Page 292

    1-20 Network diagram
    Figure 3-4 Network diagram for multicast VLAN configuration (elements shown: WorkStation, SwitchA, SwitchB, Vlan-int20 168.10.1.1, Vlan-int10 168.10.2.1, Eth1/0/1, Eth1/0/2, Eth1/0/10, Vlan2, Vlan3, Vlan10, HostA, HostB)
    Configuration procedure
    The following configuration is based on the prerequisite that the devices are pro[...]

  • Page 293

    1-21 # Create VLAN 2, VLAN 3 and VLAN 10, configure VLAN 10 as the multicast VLAN, and then enable IGMP Snooping on it.
    [SwitchB] vlan 2 to 3
    Please wait.... Done.
    [SwitchB] vlan 10
    [SwitchB-vlan10] service-type multicast
    [SwitchB-vlan10] igmp-snooping enable
    [SwitchB-vlan10] quit
    # Define Ethernet 1/0/10 as a hybrid port, add the port to VLAN [...]

  • Page 294

    1-22
    - If the multicast group set up by IGMP Snooping is not correct, contact your technical support personnel.[...]

  • Page 295

    i Table of Contents  1 802.1x Configuration ... 1-1  Introduction to 802.1x ...[...]

  • Page 296

    ii Layer 3 Error Control ... 4-1  Configuring System Guard ...[...]

  • Page 297

    1-1 1 802.1x Configuration
    When configuring 802.1x, go to these sections for information you are interested in:
    - Introduction to 802.1x
    - Introduction to 802.1x Configuration
    - Basic 802.1x Configuration
    - Advanced 802.1x Configuration
    - Displaying and Maintaining 802.1x Configuration
    - Configuration Example
    Introduction to 802.1x
    The 802.1x pr[...]

  • Page 298

    1-2 Figure 1-1 Architecture of 802.1x authentication
    - The supplicant system is the entity seeking access to the LAN. It resides at one end of a LAN segment and is authenticated by the authenticator system at the other end of the LAN segment. The supplicant system is usually a user terminal device. An 802.1x authentication is triggered when a [...]

  • Page 299

    1-3
    - The controlled port can be used to pass service packets when it is in authorized state. It is blocked when not in authorized state. In this case, no packets can pass through it.
    - Controlled port and uncontrolled port are two properties of a port. Packets reaching a port are visible to both the controlled port and uncontrolled port of t[...]

  • Page 300

    1-4 Figure 1-3 The format of an EAPoL packet
    In an EAPoL packet:
    - The PAE Ethernet type field holds the protocol identifier. The identifier for 802.1x is 0x888E.
    - The Protocol version field holds the version of the protocol supported by the sender of the EAPoL packet.
    - The Type field can be one of the following: 00: Indicates that the packet i[...]

  • Page 301

    1-5
    - The Length field indicates the size of an EAP packet, which includes the Code, Identifier, Length, and Data fields.
    - The Data field carries the EAP packet, whose format differs with the Code field. A Success or Failure packet does not contain the Data field, so the Length field of it is 4.
    Figure 1-5 shows the format of the Data field of [...]

  • Page 302

    1-6 EAP relay mode
    This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher level protocol (such as EAPoR) packets to enable them to successfully reach the authentication server. Normally, this mode requires that the RADIUS server support the two newly-added fields: the EAP-message field (with a value of 79) a[...]

  • Page 303

    1-7 Figure 1-8 802.1x authentication procedure (in EAP relay mode) (figure labels: Supplicant system PAE, RADIUS server; EAPOL, EAPOR; EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5 challenge, EAP-Success, EAP-Response/MD5 challenge, RADIUS Access-Request (EAP-Response/Ident[...]

  • Page 304

    1-8 feedbacks (through a RADIUS access-accept packet and an EAP-success packet) to the switch to indicate that the supplicant system is authenticated.
    - The switch changes the state of the corresponding port to accepted state to allow the supplicant system to access the network.
    - The supplicant system can also terminate the authenticated state[...]

  • Page 305

    1-9 Figure 1-9 802.1x authentication procedure (in EAP terminating mode) (figure labels: Supplicant system PAE, Authenticator system PAE, RADIUS server; EAPOL, RADIUS; EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5 Challenge, EAP-Success, EAP-Response/MD5 Challenge, RADIUS Access-Request (CHAP-Response/MD5 Challenge), R[...]

  • Page 306

    1-10
    - Re-authentication timer (reauth-period). The switch initiates 802.1x re-authentication at the interval set by the re-authentication timer.
    - RADIUS server timer (server-timeout). This timer sets the server-timeout period. After sending an authentication request packet to the RADIUS server, the switch sends another authentication re[...]

  • Page 307

    1-11
    - Only disconnects the supplicant system but sends no Trap packets.
    - Sends Trap packets without disconnecting the supplicant system.
    This function needs the cooperation of 802.1x client and a CAMS server.
    - The 802.1x client needs to be capable of detecting multiple network adapters, proxies, and IE proxies.
    - The CAMS server is con[...]

  • Page 308

    1-12
    - After the maximum number of retries have been made and there are still ports that have not sent any response back, the switch will then add these ports to the guest VLAN.
    - Users belonging to the guest VLAN can access the resources of the guest VLAN without being authenticated. But they need to be authenticated when accessing external resour[...]

  • Page 309

    1-13
    - The RADIUS server has the switch perform 802.1x re-authentication of users. The RADIUS server sends the switch an Access-Accept packet with the Termination-Action attribute field of 1. Upon receiving the packet, the switch re-authenticates the user periodically.
    - You enable 802.1x re-authentication on the switch. With 802.1x re-au[...]

  • Page 310

    1-14 Basic 802.1x Configuration
    Configuration Prerequisites
    - Configure ISP domain and the AAA scheme to be adopted. You can specify a RADIUS scheme or a local scheme.
    - Ensure that the service type is configured as lan-access (by using the service-type command) if local authentication scheme is adopted.
    Configuring Basic 802.1x Functions
    Follo[...]

  • Page 311

    1-15 To do… | Use the command… | Remarks
    Enable online user handshaking | dot1x handshake enable | Optional. By default, online user handshaking is enabled.
    - 802.1x configurations take effect only after you enable 802.1x both globally and for specified ports.
    - The settings of 802.1x and MAC address learning limit are mutually exclusive.
    Enabling 80[...]

  • Page 312

    1-16 To do… | Use the command... | Remarks
    Set 802.1x timers | dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ver-period ver-period-value } | Optional. The settings of 802.1x timers are as follows. 1) handshake[...]

  • Page 313

    1-17 To do... | Use the command... | Remarks
    Enable proxy checking function globally | dot1x supp-proxy-check { logoff | trap } | Required. By default, the 802.1x proxy checking function is globally disabled.
    In system view | dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
    interface interface-type interface-number | dot1x supp-proxy-check[...]

  • Page 314

    1-18 As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also execute this command in port view. In this case, this command applies to the current port only and the interface-list argument is not needed.
    Enabling DHCP-triggered Authentic[...]

  • Page 315

    1-19
    - The guest VLAN function is available only when the switch operates in the port-based access control mode.
    - Only one guest VLAN can be configured for each switch.
    - The guest VLAN function cannot be implemented if you configure the dot1x dhcp-launch command on the switch to enable DHCP-triggered authentication. This is because the swit[...]

  • Page 316

    1-20 During re-authentication, the switch always uses the latest re-authentication interval configured, no matter which of the above-mentioned two ways is used to determine the re-authentication interval. For example, if you configure a re-authentication interval on the switch and the switch receives an Access-Accept packet whose Terminatio[...]

  • Page 317

    1-21 a real-time accounting packet to the RADIUS servers once in every 15 minutes. A user name is sent to the RADIUS servers with the domain name truncated.
    - The user name and password for local 802.1x authentication are “localuser” and “localpass” (in plain text) respectively. The idle disconnecting function is enabled.
    Network d[...]

  • Page 318

    1-22
    [Sysname-radius-radius1] secondary authentication 10.11.1.2
    [Sysname-radius-radius1] secondary accounting 10.11.1.1
    # Set the password for the switch and the authentication RADIUS servers to exchange messages.
    [Sysname-radius-radius1] key authentication name
    # Set the password for the switch and the accounting RADIUS servers to exchange me[...]

  • Page 319

    2-1 2 Quick EAD Deployment Configuration
    When configuring quick EAD deployment, go to these sections for information you are interested in:
    - Introduction to Quick EAD Deployment
    - Configuring Quick EAD Deployment
    - Displaying and Maintaining Quick EAD Deployment
    - Quick EAD Deployment Configuration Example
    - Troubleshooting
    Introduction to Qui[...]

  • Page 320

    2-2 Configuring Quick EAD Deployment
    Configuration Prerequisites
    - Enable 802.1x on the switch.
    - Set the port authorization mode to auto for 802.1x-enabled ports using the dot1x port-control command.
    Configuration Procedure
    Configuring a free IP range
    A free IP range is an IP range that users can access before passing 802.1x authentication. Fol[...]

  • Page 321

    2-3 large number of users log in but cannot pass authentication, the switch may run out of ACL resources, preventing other users from logging in. A timer called ACL timer is designed to solve this problem. You can control the usage of ACL resources by setting the ACL timer. The ACL timer starts once a user gets online. If the user has not[...]

  • Page 322

    2-4 Configuration procedure
    Before enabling quick EAD deployment, make sure that:
    - The Web server is configured properly.
    - The default gateway of the PC is configured as the IP address of the Layer-3 virtual interface of the VLAN to which the port that is directly connected with the PC belongs.
    # Configure the URL for HTTP redirection.
    &l[...]

  • Page 323

    3-1 3 HABP Configuration
    When configuring HABP, go to these sections for information you are interested in:
    - Introduction to HABP
    - HABP Server Configuration
    - HABP Client Configuration
    - Displaying and Maintaining HABP Configuration
    Introduction to HABP
    When a switch is configured with the 802.1x function, 802.1x will authenticate and authoriz[...]

  • Page 324

    3-2 To do... | Use the command... | Remarks
    Configure the current switch to be an HABP server | habp server vlan vlan-id | Required. By default, a switch operates as an HABP client after you enable HABP on the switch. If you want to use the switch as a management switch, you need to configure the switch to be an HABP server.
    Configure the interval to send [...]

  • Page 325

    4-1 4 System Guard Configuration
    When configuring System Guard, go to these sections for information you are interested in:
    - System Guard Overview
    - Configuring System Guard
    - Displaying and Maintaining System Guard Configuration
    System Guard Overview
    Guard Against IP Attacks
    System-guard operates to inspect the IP packets over 10-second inter[...]

  • Page 326

    4-2 To do... | Use the command... | Remarks
    Set the maximum number of infected hosts that can be concurrently monitored | system-guard ip detect-maxnum number | Optional. 30 by default
    Set the maximum number of addresses that the system can learn, the maximum number of times an address can be hit before an action is taken and the address isolation time (pr[...]

  • Page 327

    4-3 Enabling Layer 3 Error Control
    Follow these steps to enable Layer 3 error control:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enable Layer 3 error control | system-guard l3err enable | Required. Enabled by default
    Displaying and Maintaining System Guard Configuration
    To do... | Use the command... | Remarks
    Display the mo[...]

  • Page 328

    i Table of Contents  1 AAA Overview ... 1-1  Introduction to AAA ...[...]

  • Página 329

    1-1 1 AAA Overview Introduction to AAA AAA is the acronym for the three security functions: authentication, author ization and accounting. It provides a uniform framew ork for you to configure th ese three functions to implement network security management. z Authentication: Defines what users can acce ss the network, z Authorization: Defines wh at[...]

  • Página 330

    1-2 Introduction to ISP Domain An Internet service provider (ISP) domain is a gro up of users who belong to the same ISP . For a username in the format of userid @isp-name or userid.isp-name, the isp-na me following the " @" character is the ISP domain name. The access device us e s userid as the username for authenticatio n, and isp-name[...]

  • Página 331

    1-3 Figure 1-1 Databases in a RADI US server In addition, a RADIUS server can act as a client of some other AAA server to provide authentication o r accounting proxy service. Basic message exchange procedure in RADIUS The messages exchanged betwe en a RADI US client (a switch, for exam ple) and a RADIUS server are verified through a shared key . Th[...]

  • Página 332

    1-4 4) The RADI US client accepts or denie s the user dependi ng on the received authent ication result. If it accepts the user, the RADI US client sends a st art-accounting request (Acco unting-Request, with the Status-Type attribute value = start) to the RADIUS server. 5) The RADIUS server return s a start-ac counting response (A ccounting-Respon[...]

  • Página 333

    1-5 Code Message type Message description 4 Accounting-Request Direction: client->server. The client transmits this m essage to the server to request the server to start or end the accounting (whether to start or to end the accounting is determin ed by the Acct-Status-Type attribute in the message). This message carries alm ost the same attribut[...]

  • Página 334

    1-6 Type field val ue Attribute type T ype field val ue Attribute t ype 10 Framed-Routing 32 NAS-Identifier 11 Filter-ID 33 Proxy-State 12 Framed-MTU 34 Login-LAT-Service 13 Framed-Compre ssion 35 Login-LAT-Node 14 Login-IP-Host 36 Login-LAT-Group 15 Login-Service 37 Framed-AppleTalk-Link 16 Login-TCP-Port 38 Framed-AppleTal k-Network 17 (unassigne[...]

  • Página 335

    2-1 2 AAA Configuration AAA Configuration Task List Y ou need to configure AAA to provide network access services for legal users while protecting network devices and preventing unautho rized access and rep udiation behavior . Complete the following t asks to configure AAA (configuring a combined AAA scheme for an ISP domain): Task Remarks Creating[...]

  • Página 336

    2-2 Task Remarks Creating an ISP Domain and Configuring Its Attributes Required Configuring sepa rate AAA schemes Required Configuring an AAA Scheme for an ISP Domain Required With separate AAA schemes, you can specify authentication, authorization and accounting schemes respectively. You need to configure RADIUS or HWATACACS before performin g RAD[...]

  • Página 337

    2-3 To do… Use the command… Remarks Set the messenger function messenger time { enable limit interval | disable } Optional By default, the messenger function is disabled. Set the self-service server location function self-service-url { disable | enable url-string } Optional By default, the self-service server location function is disabled. Note[...]

  • Página 338

    2-4 To do… Use the comm and… Remarks Configure an AAA scheme for the ISP domain scheme { local | none | radius-scheme radius-scheme-n ame [ local ] } Required By default, an ISP domain uses the local AAA scheme. z You can execute the sche me radius-scheme radius-scheme-name command to adopt an already configured RADIUS scheme to implement all t[...]

  • Página 339

    2-5 To do… Use the command… Remarks Configure an authentication scheme for the ISP domain authentication { radius-scheme radius-scheme-n ame [ local ] | local | none } Optional By default, no separate authentication scheme is configured. Configure an authorization scheme for the ISP domain authorization { none } Optional By default, no separate[...]

  • Page 340

    2-6 Currently, the switch supports the following two types of assigned VLAN IDs: integer and string. • Integer: If the RADIUS authentication server assigns integer type of VLAN IDs, you can set the VLAN assignment mode to integer on the switch (this is also the default mode on the switch). Then, upon receiving an integer ID assigned by t[...]

  • Page 341

    2-7 The local users are users set on the switch, with each user uniquely identified by a username. To make a user who is requesting network service pass local authentication, you should add an entry in the local user database on the switch for the user. Follow these steps to configure the attributes of a local user: To do… Use the command[...]

  • Page 342

    2-8 • The following characters are not allowed in the user-name string: /:*?<>. And you cannot input more than one “@” in the string. • After the local-user password-display-mode cipher-force command is executed, any password will be displayed in cipher mode even though you specify to display a user password in plain text by using[...]

  • Page 343

    2-9 Task Remarks Creating a RADIUS Scheme Required Configuring RADIUS Authentication/Authorization Servers Required Configuring RADIUS Accounting Servers Required Configuring Shared Keys for RADIUS Messages Optional Configuring the Maximum Number of RADIUS Request Transmission Attempts Optional Configuring the Type of RADIUS Servers to be Suppo[...]

  • Page 344

    2-10 creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting. And for each type of server, you can configure two servers in a RADIUS scheme: primary server and secondary[...]

  • Page 345

    2-11 To do… Use the command… Remarks Create a RADIUS scheme and enter its view radius scheme radius-scheme-name Required By default, a RADIUS scheme named "system" has already been created in the system. Set the IP address and port number of the primary RADIUS authentication/authorization server primary authentication ip-address [ p[...]

  • Page 346

    2-12 To do… Use the command… Remarks Set the IP address and port number of the secondary RADIUS accounting server secondary accounting ip-address [ port-number ] Optional By default, the IP address and UDP port number of the secondary accounting server are 0.0.0.0 and 1813 for a newly created RADIUS scheme. Enable stop-accounting request bu[...]

  • Page 347

    2-13 To do… Use the command… Remarks Enter system view system-view — Create a RADIUS scheme and enter its view radius scheme radius-scheme-name Required By default, a RADIUS scheme named "system" has already been created in the system. Set a shared key for RADIUS authentication/authorization messages key authentication string R[...]

  • Page 348

    2-14 To do… Use the command… Remarks Create a RADIUS scheme and enter its view radius scheme radius-scheme-name Required By default, a RADIUS scheme named "system" has already been created in the system. Configure the type of RADIUS servers to be supported server-type { extended | standard } Optional • If you change the RADIUS serve[...]

  • Page 349

    2-15 To do… Use the command… Remarks Set the status of the secondary RADIUS authentication/authorization server state secondary authentication { block | active } Set the status of the secondary RADIUS accounting server state secondary accounting { block | active } Configuring the Attributes of Data to be Sent to RADIUS Servers Follow these st[...]

  • Page 350

    2-16 • Generally, the access users are named in the userid@isp-name format. Here, isp-name after the “@” character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old RADIUS servers cannot accept the usernames that carry ISP domain names. In this case, it is necessary to r[...]

  • Page 351

    2-17 • If you adopt the local RADIUS server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this switch. • The message encryption key set by the local-server nas-ip ip-address key p[...]

  • Page 352

    2-18 To do… Use the command… Remarks Set the response timeout time of RADIUS servers timer response-timeout seconds Optional By default, the response timeout time of RADIUS servers is three seconds. Set the time that the switch waits before it tries to re-communicate with the primary server and restore the status of the primary server to active tim[...]

  • Page 353

    2-19 online when the user re-logs into the network before the CAMS performs online user detection, and the user cannot get authenticated. In this case, the user can access the network again only when the CAMS administrator manually removes the user's online information. The user re-authentication at restart function is designed to res[...]

  • Page 354

    2-20 Displaying and Maintaining AAA Configuration To do… Use the command… Remarks Display configuration information about one specific or all ISP domains display domain [ isp-name ] Display information about user connections display connection [ access-type { dot1x | mac-authentication } | domain [...]

  • Page 355

    2-21 The configuration procedure for remote authentication of SSH users by RADIUS server is similar to that for Telnet users. The following text only takes Telnet users as an example to describe the configuration procedure for remote authentication. Network requirements In the network environment shown in Figure 2-1, you are required to configu[...]

  • Page 356

    2-22 [Sysname-isp-cams] quit # Configure a RADIUS scheme. [Sysname] radius scheme cams [Sysname-radius-cams] accounting optional [Sysname-radius-cams] primary authentication 10.110.91.164 1812 [Sysname-radius-cams] key authentication aabbcc [Sysname-radius-cams] server-type Extended [Sysname-radius-cams] user-name-format with-domain [Sysname-radius[...]

  • Page 357

    2-23 [Sysname-ui-vty0-4] quit # Create and configure a local user named telnet. [Sysname] local-user telnet [Sysname-luser-telnet] service-type telnet [Sysname-luser-telnet] password simple aabbcc [Sysname-luser-telnet] quit # Configure an authentication scheme for the default “system” domain. [Sysname] domain system [Sysname-isp-system] sche[...]

  • Page 358

    3-24 • None or incorrect RADIUS server IP address is set on the switch — Be sure to set a correct RADIUS server IP address. • One or all AAA UDP port settings are incorrect — Be sure to set the same UDP port numbers as those on the RADIUS server. Symptom 3: The user passes the authentication and gets authorized, but the accounting informat[...]

  • Page 359

    3-25 Figure 3-1 Typical network application of EAD EAD Configuration The EAD configuration includes: • Configuring the attributes of access users (such as username, user type, and password). For local authentication, you need to configure these attributes on the switch; for remote authentication, you need to configure these attributes on the [...]

  • Page 360

    3-26 • You are required to configure the switch to use RADIUS server for remote user authentication and use security policy server for EAD control on users. The following are the configuration tasks: • Connect the RADIUS authentication server 10.110.91.164 and the switch, and configure the switch to use port number 1812 to communicate with th[...]

  • Page 361

    3-27 [Sysname-isp-system] radius-scheme cams[...]

  • Page 362

    i Table of Contents 1 MAC Address Authentication Configuration 1-1 MAC Address Authentication Overview [...]

  • Page 363

    1-1 1 MAC Address Authentication Configuration When configuring MAC address authentication, go to these sections for information you are interested in: • MAC Address Authentication Overview • Related Concepts • Configuring Basic MAC Address Authentication Functions • MAC Address Authentication Enhanced Function Configuration • Displaying and Ma[...]

  • Page 364

    1-2 format configured with the mac-authentication authmode usernameasmacaddress usernameformat command; otherwise, the authentication will fail. • In fixed mode, all users’ MAC addresses are automatically mapped to the configured local passwords and usernames. • The service type of a local user needs to be configured as lan-access. Related [...]

  • Page 365

    1-3 To do... Use the command... Remarks quit Set the user name in MAC address mode for MAC address authentication mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } { lowercase | uppercase } | fixedpassword password ] Optional By default, the MAC address of a user is used as the user name. Set the[...]

  • Page 366

    1-4 Task Remarks Configuring a Guest VLAN Optional Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port Optional Configuring a Guest VLAN Different from Guest VLANs described in the 802.1x and System-Guard manual, Guest VLANs mentioned in this section refer to Guest VLANs dedicated to MAC address authen[...]

  • Page 367

    1-5 After a port is added to a Guest VLAN, the switch will re-authenticate the first access user of this port (namely, the first user whose unicast MAC address is learned by the switch) periodically. If this user passes the re-authentication, this port will exit the Guest VLAN, and thus the user can access the network normally. • Guest V[...]

  • Page 368

    1-6 • If more than one client is connected to a port, you cannot configure a Guest VLAN for this port. • When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect. •[...]

  • Page 369

    1-7 • If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port. Refer to the Port S[...]

  • Page 370

    1-8 # Set the user name in MAC address mode for MAC address authentication, requiring hyphened lowercase MAC addresses as the usernames and passwords. [Sysname] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase # Add a local user. • Specify the user name and password. [Sysname] local-user 00-0d-88-f6-44-c1 [[...]

  • Page 371

    i Table of Contents 1 ARP Configuration 1-1 Introduction to ARP [...]

  • Page 372

    1-1 1 ARP Configuration When configuring ARP, go to these sections for information you are interested in: • Introduction to ARP • Configuring ARP • Configuring Gratuitous ARP • Configuring ARP Source MAC Address Consistency Check • Displaying and Debugging ARP • ARP Configuration Examples Introduction to ARP ARP Function Address Resolution Proto[...]

  • Page 373

    1-2 Figure 1-1 ARP message format (fields: Hardware type (16 bits), Protocol type (16 bits), Length of hardware address, Length of protocol address, Operator (16 bits), Hardware address of the sender, IP address of the sender, Hardware address of the receiver, IP address of the receiver)[...]

  • Page 374

    1-3 Value Description 5 Chaos 6 IEEE802.X 7 ARC network ARP Table In an Ethernet, the MAC addresses of two hosts must be available for the two hosts to communicate with each other. Each host in an Ethernet maintains an ARP table, where the latest used IP address-to-MAC address mapping entries are stored. S4500 series Ethernet switches pro[...]

  • Page 375

    1-4 mode, all hosts on this subnet can receive the request, but only the requested host (namely, Host B) will process the request. 3) Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates[...]

  • Page 376

    1-5 • If they are not consistent, the ARP packet is considered invalid and the corresponding ARP entry is not learned. Configuring ARP Follow these steps to configure ARP basic functions: To do… Use the command… Remarks Enter system view system-view — Add a static ARP entry arp static ip-address mac-address [ vlan-id interface-type inter[...]

  • Page 377

    1-6 The sending of gratuitous ARP packets is enabled as long as an S4500 switch operates. No command is needed for enabling this function. That is, the device sends gratuitous ARP packets whenever a VLAN interface is enabled (such as when a link is enabled or an IP address is configured for the VLAN interface) or whenever the IP address of a VL[...]

  • Page 378

    1-7 Configuration procedure <Sysname> system-view [Sysname] undo arp check enable [Sysname] interface vlan 1 [Sysname-Vlan-interface1] undo gratuitous-arp period-resending enable [Sysname-Vlan-interface1] quit [Sysname] arp timer aging 10 [Sysname] arp static 192.168.1.1 000f-e201-0000 1 Ethernet 1/0/10[...]

  • Page 379

    i Table of Contents 1 DHCP Overview 1-1 Introduction to DHCP [...]

  • Page 380

    1-1 1 DHCP Overview When configuring DHCP, go to these sections for information you are interested in: • Introduction to DHCP • DHCP IP Address Assignment • DHCP Packet Format • Protocol Specification Introduction to DHCP With networks getting larger in size and more complicated in structure, lack of available IP addresses becomes the common situ[...]

  • Page 381

    1-2 • Automatic assignment. The DHCP server assigns IP addresses to DHCP clients. The IP addresses will be occupied by the DHCP clients permanently. • Dynamic assignment. The DHCP server assigns IP addresses to DHCP clients for a predetermined period of time. In this case, a DHCP client must apply for an IP address again at the expiration of t[...]

  • Page 382

    1-3 By default, a DHCP client updates its IP address lease automatically by unicasting a DHCP-REQUEST packet to the DHCP server when half of the lease time elapses. The DHCP server responds with a DHCP-ACK packet to notify the DHCP client of a new IP lease if the server can assign the same IP address to the client. Otherwise, the DHCP serve[...]

  • Page 383

    1-4 • file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP client. • option: Optional variable-length fields, including packet type, valid lease time, IP address of a DNS server, and IP address of the WINS server. Protocol Specification Protocol specifications related to DHCP include: • RFC2131: Dynamic [...]

  • Page 384

    2-1 2 DHCP Relay Agent Configuration When configuring the DHCP relay agent, go to these sections for information you are interested in: • Introduction to DHCP Relay Agent • Configuring the DHCP Relay Agent • Displaying and Maintaining DHCP Relay Agent Configuration • DHCP Relay Agent Configuration Example • Troubleshooting DHCP Relay Agent Conf[...]

  • Page 385

    2-2 Figure 2-1 Typical DHCP relay agent application In the process of dynamic IP address assignment through the DHCP relay agent, the DHCP client and DHCP server interoperate with each other in a similar way as they do without the DHCP relay agent. The following sections only describe the forwarding process of the DHCP relay agent. For the int[...]

  • Page 386

    2-3 Figure 2-2 Padding contents for sub-option 1 of Option 82 Figure 2-3 Padding contents for sub-option 2 of Option 82 Mechanism of Option 82 supported on DHCP relay agent The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay agent is similar to that for the client to obtain an IP address from a DHCP se[...]

  • Page 387

    2-4 If a switch belongs to an XRN fabric, you need to enable the UDP Helper function on it before configuring it as a DHCP relay agent. DHCP Relay Agent Configuration Task List Complete the following tasks to configure the DHCP relay agent: Task Remarks Enabling DHCP Required Correlating a DHCP Server Group with a Relay Agent Interface Required [...]

  • Page 388

    2-5 To improve security and avoid malicious attacks on the unused sockets, S4500 Ethernet switches provide the following functions: • UDP 67 and UDP 68 ports used by DHCP are enabled only when DHCP is enabled. • UDP 67 and UDP 68 ports are disabled when DHCP is disabled. The corresponding implementation is as follows: • When a VLAN interface is[...]

  • Page 389

    2-6 To do… Use the command… Remarks Create a static IP-to-MAC binding dhcp-security static ip-address mac-address Optional Not created by default. Enter interface view interface interface-type interface-number — Enable the address checking function address-check enable Required Disabled by default. • The address-check enable command is in[...]

  • Page 390

    2-7 Currently, the DHCP relay agent handshake function on an S4500 series switch can only interoperate with a Windows 2000 DHCP server. Enabling unauthorized DHCP server detection If there is an unauthorized DHCP server in the network, when a client applies for an IP address, the unauthorized DHCP server may assign an incorrect IP address to t[...]

  • Page 391

    2-8 To do… Use the command… Remarks Enable Option 82 support on the DHCP relay agent dhcp relay information enable Required Disabled by default. Configure the strategy for the DHCP relay agent to process request packets containing Option 82 dhcp relay information strategy { drop | keep | replace } Optional By default, the replace strategy is ad[...]

  • Page 392

    2-9 Network diagram Figure 2-4 Network diagram for DHCP relay agent (labels: Switch B, DHCP server, Switch A, DHCP relay, DHCP client x4, Vlan-int2 10.1.1.2/24, Vlan-int1 10.10.1.1/24, Vlan-int2 10.1.1.1/24) Configuration procedure # Create DHCP server group 1 and configure an IP address of 10.1.1.1 for it. <SwitchA> system-v[...]

  • Page 393

    2-10 • Check if an address pool that is on the same network segment with the DHCP clients is configured on the DHCP server. • Check if a reachable route is configured between the DHCP relay agent and the DHCP server. • Check the DHCP relay agent. Check if the correct DHCP server group is configured on the interface connecting the network segm[...]

  • Page 394

    3-1 3 DHCP Snooping Configuration When configuring DHCP snooping, go to these sections for information you are interested in: • DHCP Snooping Overview • Configuring DHCP Snooping • Displaying and Maintaining DHCP Snooping Configuration • DHCP Snooping Configuration Examples DHCP Snooping Overview Introduction to DHCP Snooping For the sake of sec[...]

  • Page 395

    3-2 Figure 3-1 Typical network diagram for DHCP snooping application DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients: • DHCP-REQUEST packet • DHCP-ACK packet Introduction to DHCP-Snooping Option 82 Introduction to Option 82 F[...]

  • Page 396

    3-3 Figure 3-3 Extended format of the remote ID sub-option In practice, some network devices do not support the type and length identifiers of the Circuit ID and Remote ID sub-options. To interwork with these devices, S4500 Series Ethernet Switches support Option 82 in the standard format. Refer to Figure 3-4 and Figure 3-5 for the standard for[...]

  • Page 397

    3-4 When receiving a DHCP client’s request without Option 82, the DHCP snooping device will add the option field with the configured sub-option and then forward the packet. For details, see Table 3-2. Table 3-2 Ways of handling a DHCP packet without Option 82 Sub-option configuration The DHCP-Snooping device will … Neither of the two sub[...]

  • Page 398

    3-5 • If an S4500 Ethernet switch is enabled with DHCP snooping, the clients connected to it cannot dynamically obtain IP addresses through BOOTP. • You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client [...]

  • Page 399

    3-6 Configuring a handling policy for DHCP packets with Option 82 Follow these steps to configure a handling policy for DHCP packets with Option 82: To do… Use the command… Remarks Enter system view system-view — Configure a global handling policy for requests that contain Option 82 dhcp-snooping information strategy { drop | keep | repla[...]

  • Page 400

    3-7 To do… Use the command… Remarks Enter Ethernet port view interface interface-type interface-number — Configure the circuit ID sub-option in Option 82 dhcp-snooping information [ vlan vlan-id ] circuit-id string string Optional By default, the circuit ID sub-option contains the VLAN ID and port index related to the port that receives DHCP [...]

  • Page 401

    3-8 • If you configure a remote ID sub-option in both system view and on a port, the remote ID sub-option configured on the port applies when the port receives a packet, and the global remote ID applies to other interfaces that have no remote ID sub-option configured. • If you have configured a remote ID with the vlan vlan-id argument specified[...]

  • Page 402

    3-9 • Enable DHCP-snooping Option 82 support on the switch and set the remote ID field in Option 82 to the system name of the switch. Set the circuit ID sub-option to abcd in DHCP packets from VLAN 1 on Ethernet 1/0/3. Network diagram Figure 3-6 Network diagram for DHCP-snooping Option 82 support configuration Configuration procedure # Enable DHCP[...]

  • Page 403

    4-1 4 DHCP/BOOTP Client Configuration When configuring the DHCP/BOOTP client, go to these sections for information you are interested in: • Introduction to DHCP Client • Introduction to BOOTP Client • Configuring a DHCP/BOOTP Client • Displaying DHCP/BOOTP Client Configuration Introduction to DHCP Client After you specify a VLAN interface as a D[...]

  • Page 404

    4-2 Configuring a DHCP/BOOTP Client Follow these steps to configure a DHCP/BOOTP client: To do… Use the command… Remarks Enter system view system-view — Enter VLAN interface view interface vlan-interface vlan-id — Configure the VLAN interface to obtain an IP address through DHCP or BOOTP ip address { bootp-alloc | dhcp-alloc } Required By[...]

  • Page 405

    4-3 Network diagram Figure 4-1 A DHCP network Configuration procedure The following describes only the configuration on Switch A serving as a DHCP client. # Configure VLAN-interface 1 to dynamically obtain an IP address by using DHCP. <SwitchA> system-view [SwitchA] interface Vlan-interface 1 [SwitchA-Vlan-interface1] ip address dhcp-all[...]

  • Page 406

    i Table of Contents 1 ACL Configuration 1-1 ACL Overview [...]

  • Page 407

    1-1 1 ACL Configuration When configuring ACL, go to these sections for information you are interested in: • ACL Overview • ACL Configuration Task List • Displaying and Maintaining ACL Configuration • Examples for Upper-layer Software Referencing ACLs • Examples for Applying ACLs to Hardware ACL Overview As the network scale and network traffic[...]

  • Page 408

    1-2 Depth-first match order for rules of a basic ACL 1) Range of source IP address: The smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority. 2) Fragment keyword: A rule with the fragment keyword takes priority over others. 3) If the above two conditions are identical, the ear[...]

  • Page 409

    1-3 • Referenced by routing policies • Used to control Telnet, SNMP and Web login users • When an ACL is directly applied to hardware for packet filtering, the switch will permit packets if the packets do not match the ACL. • When an ACL is referenced by upper-layer software to control Telnet, SNMP and Web login users, the switch will deny pack[...]

  • Page 410

    1-4 An absolute time range on Switch 4500 Series can be within the range 1970/1/1 00:00 to 2100/12/31 24:00. Configuration procedure Follow these steps to configure a time range: To do... Use the command... Remarks Enter system view system-view — Create a time range time-range time-name { start-time to end-time days-of-the-week [ from star[...]

  • Page 411

    1-5 <Sysname> system-view [Sysname] time-range test from 15:00 1/28/2006 to 15:00 1/28/2008 [Sysname] display time-range test Current time is 13:30:32 Apr/16/2005 Saturday Time-range : test ( Inactive ) From 15:00 Jan/28/2006 to 15:00 Jan/28/2008 Configuring Basic ACL A basic ACL filters packets based on their source IP addresses. A basic AC[...]

  • Page 412

    1-6 Configuration example # Configure ACL 2000 to deny packets whose source IP addresses are 192.168.0.1. <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule deny source 192.168.0.1 0 # Display the configuration information of ACL 2000. [Sysname-acl-basic-2000] display acl 2000 Basic ACL 2000, 1 rule Acl's st[...]

  • Page 413

    1-7 Note that: • With the config match order specified for the advanced ACL, you can modify any existent rule. The unmodified part of the rule remains. With the auto match order specified for the ACL, you cannot modify any existent rule; otherwise the system prompts error information. • If you do not specify the rule-id argument when creating a[...]

  • Page 414

    1-8 To do... Use the command... Remarks Define an ACL rule rule [ rule-id ] { permit | deny } rule-string Required For information about rule-string, refer to ACL Commands. Assign a description string to the ACL rule rule rule-id comment text Optional No description by default Assign a description string to the ACL description text Optional No [...]

  • Page 415

    1-9 To do... Use the command... Remarks Enter system view system-view — Create a user-defined ACL and enter user-defined ACL view acl number acl-number Required Define an ACL rule rule [ rule-id ] { permit | deny } [ rule-string rule-mask offset ] &<1-8> [ time-range time-name ] Required For information about rule-string, refer to AC[...]

  • Page 416

    1-10 Acl's step is 1 rule 0 deny 06 ff 27 Applying ACL Rules on Ports By applying ACL rules on ports, you can filter packets on the corresponding ports. Configuration prerequisites You need to define an ACL before applying it on a port. For information about defining an ACL, refer to Configuring Basic ACL, Configuring Advanced ACL, C[...]

  • Page 417

    1-11 Configuration procedure Follow these steps to apply ACL rules to ports in a VLAN: To do... Use the command... Remarks Enter system view system-view — Apply ACL rules to ports in a VLAN packet-filter vlan vlan-id { inbound | outbound } acl-rule Required For information about acl-rule, refer to ACL Commands. Configuration example # Apply[...]

  • Page 418

    1-12 Configuration procedure # Define ACL 2000. <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [Sysname-acl-basic-2000] quit # Reference ACL 2000 on VTY user interface to control Telnet login users. [Sysname] user-interface vty 0 4 [Sysname-ui-vty0-4] acl 2000 inbound Example for[...]

  • Page 419

    1-13 Network diagram Figure 1-3 Network diagram for basic ACL configuration Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 every day. <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 daily # Define ACL 2000 to filter packets with the source IP address of 10.1.1.1. [Sysname] acl number[...]

  • Page 420

    1-14 Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 every day. <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 working-day # Define ACL 3000 to filter packets destined for the wage query server. [Sysname] acl number 3000 [Sysname-acl-adv-3000] rule 1 deny ip destination 192.168.1.2 0 ti[...]

  • Page 421

    1-15 User-defined ACL Configuration Example Network requirements As shown in Figure 1-6, PC 1 and PC 2 are connected to the switch through Ethernet 1/0/1 and Ethernet 1/0/2 respectively. They belong to VLAN 1 and access the Internet through the same gateway, which has an IP address of 192.168.0.1 (the IP address of VLAN-interface 1). Con[...]

  • Page 422

    1-16 Network diagram Figure 1-7 Network diagram for applying an ACL to a VLAN (labels: Eth1/0/1, PC 1, PC 3, Database server, PC 2, VLAN 10, Eth1/0/2, Eth1/0/3, 192.168.1.2) Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 in working days. <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 working-day # Defin[...]

  • Page 423

    i Table of Contents 1 QoS Configuration 1-1 Overview [...]

  • Page 424

    1-1 1 QoS Configuration When configuring QoS, go to these sections for information you are interested in: • Overview • QoS Supported By Switch 4500 Series • QoS Configuration • Displaying and Maintaining QoS • QoS Configuration Examples Overview Introduction to QoS Quality of Service (QoS) is a concept concerning service demand and supply. It[...]

  • Page 425

    1-2 and VoD. As for other applications, such as transaction processing and Telnet, although bandwidth is not as critical, a too long delay may cause unexpected results. That is, they need to get serviced in time even if congestion occurs. Newly emerging applications demand higher service performance from IP networks. In addition to simply de[...]

  • Page 426

    1-3 QoS Supported By Switch 4500 Series The Switch 4500 series support the QoS features listed in Table 1-1: Table 1-1 QoS features supported by Switch 4500 series QoS Feature Description Refer to … Traffic classification Classify incoming traffic based on ACLs. The Switch 4500 series support the following types of ACLs: • Basic ACLs • Advan[...]

  • Page 427

    1-4 protocol or the port number of an application. Normally, traffic classification is done by checking the information carried in the packet header. Packet payload is rarely adopted for traffic classification. The identifying rule is unlimited in range. It can be a quintuplet consisting of source address, source port number, protocol number[...]

  • Page 428

    1-5 • Assured forwarding (AF) class: This class is further divided into four subclasses (AF1/2/3/4) and a subclass is further divided into three drop priorities, so the AF service level can be segmented. The QoS rank of the AF class is lower than that of the EF class; • Class selector (CS) class: This class comes from the IP ToS field and inc[...]

• Page 429

1-6 2) 802.1p priority 802.1p priority lies in Layer 2 packet headers and is applicable to occasions where the Layer 3 packet header does not need analysis but QoS must be assured at Layer 2. Figure 1-3 An Ethernet frame with an 802.1Q tag header As shown in the figure above, the 4-byte 802.1Q tag header consists of the tag protocol identif[...]

• Page 430

1-7 Priority trust mode After a packet enters a switch, the switch sets the 802.1p priority and local precedence for the packet according to its own capability and the corresponding rules. 1) For a packet carrying no 802.1q tag When a packet carrying no 802.1q tag reaches the port of a switch, the switch uses the port priority as the 802.1p[...]

• Page 431

1-8 Priority Marking The priority marking function is to reassign priority for the traffic matching an ACL referenced for traffic classification. • If 802.1p priority marking is configured, the traffic will be mapped to the local precedence corresponding to the re-marked 802.1p priority and assigned to the output queue corresponding to the l[...]

• Page 432

1-9 enough to forward the packets, the traffic is conforming to the specification; otherwise, the traffic is nonconforming or excess. Parameters concerning the token bucket include: • Average rate: The rate at which tokens are put into the bucket, namely, the permitted average rate of the traffic. It is generally set to the committed information rate[...]

• Page 433

1-10 The Switch 4500 series support three queue scheduling algorithms: Strict Priority (SP) queuing, Weighted Fair Queuing (WFQ), and Weighted Round Robin (WRR) queuing. 1) SP queuing Figure 1-6 Diagram for SP queuing The SP queue-scheduling algorithm is specially designed for critical service applications. An important feature of critical ser[...]

• Page 434

1-11 Figure 1-7 Diagram for WFQ queuing Before WFQ is introduced, you must understand fair queuing (FQ) first. FQ is designed for the purpose of sharing network resources fairly and optimizing the delays and delay jitters of all the flows. It takes the interests of all parties into account, such as: • Different queues are scheduled fairly, so[...]

• Page 435

1-12 Figure 1-8 Diagram for WRR queuing The WRR queue-scheduling algorithm schedules all the queues in turn and every queue can be assured of a certain service time. In a typical 3Com switch there are eight output queues on each port. WRR configures a weight value for each queue, for example: w7, w6, w5, w4, w3, w2, w1, and w0 respectively for qu[...]

• Page 436

1-13 In the WRED algorithm, an upper limit and a lower limit are set for each queue, and the packets in a queue are processed as follows. • When the current queue length is smaller than the lower limit, no packet is dropped; • When the queue length exceeds the upper limit, all the newly received packets are dropped; • When the queue length is bet[...]

• Page 437

1-14 Configuration procedure Follow these steps to configure the switch to trust port priority: To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Configure to trust port priority and configure the port priority priority priority-level Optional By default, the switch [...]

• Page 438

1-15 Configuration procedure Follow these steps to configure the mapping between 802.1p priority and local precedence: To do… Use the command… Remarks Enter system view system-view — Configure the mapping between 802.1p priority and local precedence qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-loca[...]

• Page 439

1-16 Configuration example • Set the IP precedence of ICMP packets to 3. • Display the configuration. Configuration procedure: <Sysname> system-view [Sysname] protocol-priority protocol-type icmp ip-precedence 3 [Sysname] display protocol-priority Protocol: icmp IP-Precedence: flash(3) Marking Packet Priority Refer to section Priority Marking[...]

• Page 440

1-17 To do… Use the command… Remarks Enter system view system-view — Mark the priorities for the packets belonging to a VLAN and matching specific ACL rules traffic-priority vlan vlan-id { inbound | outbound } acl-rule { { dscp dscp-value | ip-precedence { pre-value | from-cos } } | cos { pre-value | from-ipprec } | local-precedence pre-[...]

• Page 441

1-18 To do… Use the command… Remarks Configure traffic policing traffic-limit inbound acl-rule [ union-effect ] target-rate [ burst-bucket burst-bucket-size ] [ exceed action ] Required Specify a committed information rate (CIR) for the target-rate argument, and specify a committed burst size (CBS) for the burst-bucket-size argument. By defa[...]

• Page 442

1-19 To do… Use the command… Remarks Configure line rate line-rate { inbound | outbound } target-rate [ burst-bucket burst-bucket-size ] Required Specify a committed information rate (CIR) for the target-rate argument, and specify a committed burst size (CBS) for the burst-bucket-size argument. By default, line rate is disabled. Configuration[...]

• Page 443

1-20 Configuration procedure Follow these steps to configure queue scheduling in system view: To do… Use the command… Remarks Enter system view system-view — Configure queue scheduling queue-scheduler { strict-priority | wfq queue0-width queue1-width queue2-width queue3-width queue4-width queue5-width queue6-width queue7-width | wrr q[...]

• Page 444

1-21 • The queue scheduling algorithm specified by using the queue-scheduler command in system view takes effect on all the ports. The queue scheduling algorithm configured in port view must be the same as that configured in system view. Otherwise, the system prompts configuration errors. • If the weight (or bandwidth value) specified in syste[...]

• Page 445

1-22 To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port view interface interface-type interface-number — Configure WRED wred queue-index qstart probability Required By default, WRED is not configured. Configuration example Configure WRED for queue 2 of Ethernet 1/0/1 to drop the packets in queue 2 ran[...]

• Page 446

1-23 For information about the mirroring-group monitor-port command and the monitor-port command, refer to the part on mirroring. Configuration example Network requirements: • Ethernet 1/0/1 is connected to the 10.1.1.0/24 network segment. • Duplicate the packets from network segment 10.1.1.0/24 to the destination mirroring port Eth[...]

• Page 447

1-24 QoS Configuration Examples Configuration Example of Traffic Policing and Line Rate Network requirement An enterprise network connects all the departments through an Ethernet switch. PC 1, with the IP address 192.168.0.1, belongs to the R&D department and is connected to Ethernet 1/0/1 of the switch. The marketing department is conne[...]

• Page 448

1-25 Configuration Example of Priority Marking and Queue Scheduling Network requirements As shown in Figure 1-10, an enterprise network connects all the departments through an Ethernet switch. Clients PC 1 through PC 3 are connected to Ethernet 1/0/1 of the switch; clients PC 4 through PC 6 are connected to Ethernet 1/0/3 of the switch. Serv[...]

• Page 449

1-26 [Sysname-Ethernet1/0/2] traffic-priority inbound ip-group 3000 rule 1 local-precedence 3 [Sysname-Ethernet1/0/2] traffic-priority inbound ip-group 3000 rule 2 local-precedence 2 [Sysname-Ethernet1/0/2] quit 3) Configure queue scheduling # Apply the SP queue scheduling algorithm. [Sysname] queue-scheduler strict-priority VLAN Mapping Configuration[...]

• Page 450

    1-27 Configuration procedure # Create customer VLANs VLAN 100 and VLAN 200 and service VLANs VLAN 500 and VLAN 600 on Switch A. <SwitchA> system-view [SwitchA] vlan 100 [SwitchA-vlan100] quit [SwitchA] vlan 200 [SwitchA-vlan200] quit [SwitchA] vlan 500 [SwitchA-vlan500] quit [SwitchA] vlan 600 [SwitchA-vlan600] quit # Configure Ethernet 1/0/1[...]

• Page 451

1-28 # Configure VLAN mapping on Ethernet 1/0/11 to replace VLAN tag 100 with VLAN tag 500. [SwitchA] interface Ethernet 1/0/11 [SwitchA-Ethernet1/0/11] traffic-remark-vlanid inbound link-group 4000 remark-vlan 500 [SwitchA-Ethernet1/0/11] quit # Configure VLAN mapping on Ethernet 1/0/12 to replace VLAN tag 200 with VLAN tag 600. [SwitchA] inte[...]

• Page 452

i Table of Contents 1 Mirroring Configuration ········· 1-1 Mirroring Overview ········· [...]

• Page 453

1-1 1 Mirroring Configuration When configuring mirroring, go to these sections for information you are interested in: • Mirroring Overview • Mirroring Configuration • Displaying and Maintaining Port Mirroring • Mirroring Configuration Examples Mirroring Overview Mirroring is to duplicate packets from a port to another port connected with a da[...]

• Page 454

1-2 Remote Port Mirroring Remote port mirroring does not require the source and destination ports to be on the same device. The source and destination ports can be located on multiple devices across the network. This allows an administrator to monitor traffic on remote devices conveniently. To implement remote port mirroring, a special VLAN[...]

• Page 455

1-3 Switch Ports involved Function Intermediate switch Trunk port Sends mirrored packets to the destination switch. Two trunk ports are necessary for the intermediate switch to connect the devices at the source switch side and the destination switch side. Trunk port Receives remote mirrored packets. Destination switch Destination port R[...]

• Page 456

1-4 Configuring Local Port Mirroring Configuration prerequisites • The source port is determined and the direction in which the packets are to be mirrored is determined. • The destination port is determined. Configuration procedure Follow these steps to configure port mirroring on Switch 4500 series: To do… Use the command… Remarks Enter s[...]

• Page 457

1-5 Configuration on a switch acting as a source switch 1) Configuration prerequisites • The source port, the reflector port, and the remote-probe VLAN are determined. • Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN. • The direction of the packets to be monitored is determined. 2) Configur[...]

• Page 458

1-6 cannot be configured with functions like VLAN-VPN, port loopback detection, packet filtering, QoS, port security, and so on. • You cannot modify the duplex mode, port rate, and MDI attribute of a reflector port. • Only an existing static VLAN can be configured as the remote-probe VLAN. To remove a remote-probe VLAN, you need to restore it[...]

• Page 459

1-7 To do… Use the command… Remarks Enter system view system-view — Create a VLAN and enter VLAN view vlan vlan-id vlan-id is the ID of the remote-probe VLAN. Configure the current VLAN as a remote-probe VLAN remote-probe vlan enable Required Return to system view quit — Enter the view of the Ethernet port connecting to the source swit[...]

• Page 460

1-8 Mirroring Configuration Examples Local Port Mirroring Configuration Example Network requirements The departments of a company connect to each other through Switch 4500 series: • The Research and Development (R&D) department is connected to Switch C through Ethernet 1/0/1. • The Marketing department is connected to Switch C through Ethernet 1/0/[...]

• Page 461

1-9 Ethernet1/0/1 both Ethernet1/0/2 both monitor port: Ethernet1/0/3 After the configurations, you can monitor all packets received on and sent from the R&D department and the marketing department on the data detection device. Remote Port Mirroring Configuration Example Network requirements The departments of a company connect to each o[...]

• Page 462

1-10 Configuration procedure 1) Configure the source switch (Switch A) # Create remote source mirroring group 1. <Sysname> system-view [Sysname] mirroring-group 1 remote-source # Configure VLAN 10 as the remote-probe VLAN. [Sysname] vlan 10 [Sysname-vlan10] remote-probe vlan enable [Sysname-vlan10] quit # Configure the source ports, refle[...]

• Page 463

1-11 [Sysname-Ethernet1/0/2] port trunk permit vlan 10 3) Configure the destination switch (Switch C) # Create remote destination mirroring group 1. <Sysname> system-view [Sysname] mirroring-group 1 remote-destination # Configure VLAN 10 as the remote-probe VLAN. [Sysname] vlan 10 [Sysname-vlan10] remote-probe vlan enable [Sysname-vlan10] qu[...]

• Page 464

i Table of Contents 1 XRN Fabric Configuration ········· 1-1 Introduction to XRN ········· [...]

• Page 465

1-1 1 XRN Fabric Configuration When configuring XRN fabric, go to these sections for information you are interested in: • Introduction to XRN • XRN Fabric Configuration • Displaying and Maintaining XRN Fabric • XRN Fabric Configuration Example Introduction to XRN Expandable Resilient Networking (XRN), a feature particular to 3Com Switch 4500 [...]

• Page 466

1-2 Figure 1-2 Port connection mode for Switch 4500 series bus topology XRN fabric (figure: front-panel port and LED labels of the switches; no further text recoverable) [...]

• Page 467

1-3 • The number of the existing devices in the fabric does not reach the maximum number of devices allowed by the fabric (up to eight devices can form a fabric). • The fabric name of the device and the existing devices in the fabric are the same. • The software version of the device is the same as that of the existing devices in the fabric. • [...]

• Page 468

1-4 Status Analysis Solution (table continued) … of the fabric are not the same, or the password configured does not match. … passwords for the local device and the fabric as the same. How XRN Works When a fabric is established, the devices determine their respective roles in the fabric by comparing their CPU MAC addresses. The device with the lowest CPU MAC addres[...]

• Page 469

1-5 Task Remarks Fabric Setting a Unit ID for a Switch Optional Assigning a Unit Name to a Switch Optional Assigning an XRN Fabric Name to a Switch Optional Setting the XRN Fabric Authentication Mode Optional Specifying the Fabric Port of a Switch You can specify the fabric port of a switch in either system view or Ethernet interface view. Confi[...]

• Page 470

1-6 • Establishing an XRN system requires a high consistency of the configuration of each device. Hence, before you enable the fabric port, do not perform any configuration for the port, and do not configure functions that affect the XRN for other ports or globally. Otherwise, you cannot enable the fabric port. For detailed restriction[...]

• Page 471

1-7 Setting a Unit ID for a Switch On the switches that support automatic numbering, FTM will automatically number the switches to constitute an XRN fabric by default, so that each switch has a unique unit ID in the fabric. You can use the command in the following table to set unit IDs for switches. Make sure to set different unit IDs for dif[...]

• Page 472

1-8 • If auto-numbering is selected, the system sets the unit priority to 10. You can use the fabric save-unit-id command to save the modified unit ID into the unit Flash memory and clear the information about the existing one. Priority is the reference for the FTM program to perform automatic numbering. The value of priority can be 5 or 10. Priority[...]

• Page 473

1-9 To do… Use the command… Remarks Enter system view system-view — Set the XRN fabric authentication mode for the switch xrn-fabric authentication-mode { simple password | md5 key } Optional By default, no authentication mode is set on a switch. When an XRN fabric operates normally, you can regard the whole fabric as a single device and [...]

• Page 474

1-10 Network Diagram Figure 1-3 Network diagram for forming an XRN fabric Configuration Procedure 1) Configure Switch A. # Configure fabric ports. <Sysname> system-view [Sysname] fabric-port GigabitEthernet1/0/25 enable # Configure the unit name as Unit 1. [Sysname] set unit 1 name Unit1 # Configure the fabric name as hello. [Sysname] sys[...]

• Page 475

1-11 # Configure the unit name as Unit 3. [Sysname] set unit 1 name unit3 # Configure the fabric name as hello. [Sysname] sysname hello # Configure the fabric authentication mode as simple and the password as welcome. [hello] xrn-fabric authentication-mode simple welcome 4) Configure Switch D. # Configure fabric ports. <Sysname> sys[...]

• Page 476

i Table of Contents 1 Cluster ········· 1-1 Cluster Ov[...]

• Page 477

1-1 1 Cluster When configuring a cluster, go to these sections for information you are interested in: • Cluster Overview • Cluster Configuration Task List • Displaying and Maintaining Cluster Configuration • Cluster Configuration Examples Cluster Overview Introduction to HGMP A cluster contains a group of switches. Through cluster management, yo[...]

• Page 478

1-2 Figure 1-1 A cluster implementation HGMP V2 has the following advantages: • It eases the configuration and management of multiple switches: You just need to configure a public IP address for the management device instead of for all the devices in the cluster; and then you can configure and manage all the member devices through the mana[...]

• Page 479

1-3 Table 1-1 Description of cluster roles Role Configuration Function Management device Configured with an external IP address • Provides an interface for managing all the switches in a cluster • Manages member devices through command redirection, that is, it forwards the commands intended for specific member devices. • Discovers neighbors, coll[...]

• Page 480

1-4 • A candidate device becomes a member device after being added to a cluster. • A member device becomes a candidate device after it is removed from the cluster. • A management device becomes a candidate device only after the cluster is removed. After you create a cluster on a Switch 4500 switch, the switch collects the network topology i[...]

• Page 481

1-5 packet data. The receiving devices store the information carried in the NDP packet into the NDP table but do not forward the NDP packet. When they receive another NDP packet, if the information carried in the packet is different from the stored one, the corresponding entry in the NDP table is updated; otherwise only the holdtime of the e[...]

• Page 482

1-6 • To implement NTDP, you need to enable NTDP both globally and on specific ports on the management device, and configure NTDP parameters. • On member/candidate devices, you only need to enable NTDP globally and on specific ports. • Member and candidate devices adopt the NTDP settings of the management device. Introduction to Cluster A clu[...]

• Page 483

1-7 Figure 1-3 State machine of the connection between the management device and a member device (figure: states Active, Connect and Disconnect; transitions labelled "Receives the handshake or management packets", "Fails to receive handshake packets in three consecutive intervals", "State holdtime exceeds the specified value" and "Disconnect state is recovered") • After a cluster is created and a candid[...]

• Page 484

1-8 • Enabling the management packets (including NDP packets, NTDP packets, and handshake packets) to be transmitted in the management VLAN only, through which the management packets are isolated from other packets and network security is improved. • Enabling the management device and the member devices to communicate with each other in the ma[...]

• Page 485

1-9 downstream switch compares its own MAC address with the destination MAC address carried in the multicast packet: • If the two MAC addresses are the same, the downstream switch sends a response to the switch sending the tracemac command, indicating the success of the tracemac command. • If the two MAC addresses are different, the downstre[...]

• Page 486

1-10 Task Remarks Enabling NDP globally and on specific ports Required Configuring NDP-related parameters Optional Enabling NTDP globally and on a specific port Required Configuring NTDP-related parameters Optional Enabling the cluster function Required Configuring cluster parameters Required Configuring inside-outside interaction for a clu[...]

• Page 487

1-11 Configuring NDP-related parameters Follow these steps to configure NDP-related parameters: To do… Use the command… Remarks Enter system view system-view — Configure the holdtime of NDP information ndp timer aging aging-in-seconds Optional By default, the holdtime of NDP information is 180 seconds. Configure the interval to send NDP p[...]

• Page 488

1-12 To do… Use the command… Remarks Launch topology information collection manually ntdp explore Optional Enabling the cluster function Follow these steps to enable the cluster function: To do… Use the command… Remarks Enter system view system-view — Enable the cluster function globally cluster enable Required By default, the cluster[...]

• Page 489

1-13 2) Establish a cluster in automatic mode Follow these steps to establish a cluster in automatic mode: To do… Use the command… Remarks Enter system view system-view — Enter cluster view cluster — Configure the IP address range for the cluster ip-pool administrator-ip-address { ip-mask | ip-mask-length } Required Start automatic [...]

• Page 490

1-14 • The cluster switches are properly connected; • The shared servers are properly connected to the management switch. 2) Configuration procedure Follow these steps to configure the network management interface for a cluster: To do… Use the command… Remarks Enter system view system-view — Enter cluster view cluster Required Config[...]

• Page 491

1-15 To reduce the risk of attacks by malicious users against open sockets and enhance switch security, the Switch 4500 series Ethernet switches provide the following functions, so that a cluster socket is opened only when it is needed: • Opening UDP port 40000 (used for the cluster) only when the cluster function is implemented, • Closin[...]

• Page 492

1-16 To do… Use the command… Remarks Enter Ethernet port view interface interface-type interface-number — Enable NTDP on the port ntdp enable Required Enabling the cluster function Follow these steps to enable the cluster function: To do… Use the command… Remarks Enter system view system-view — Enable the cluster function globally c[...]

• Page 493

1-17 To do… Use the command… Remarks Return to system view quit — Return to user view quit — Switch between management device and member device cluster switch-to { member-number | mac-address H-H-H | administrator } Optional You can use this command to switch to the view of a member device and switch back. Configure the MAC address of the m[...]

• Page 494

1-18 Configuring the enhanced cluster features Complete the following tasks to configure the enhanced cluster feature: Task Remarks Configuring cluster topology management function Required Configuring cluster device blacklist Required Configuring cluster topology management function 1) Configuration prerequisites Before configuring the clust[...]

• Page 495

1-19 If the management device of a cluster is a slave device in an XRN fabric, the standard topology information is saved only to the local Flash of the master device in the XRN fabric. Configuring cluster device blacklist Follow these steps to configure the cluster device blacklist on a management device: To do… Use the command… Remarks E[...]

• Page 496

1-20 • NDP and NTDP have been enabled on the management device and member devices, and NDP- and NTDP-related parameters have been configured. • A cluster is established, and you can manage the member devices through the management device. 2) Configuration procedure Perform the following operations on the management device to synchronize SNM[...]

• Page 497

1-21 • The MIB view name is mib_a, which includes all objects of the subtree org • The SNMPv3 user is user_a, which belongs to the group group_a. # Create a community with the name of read_a, allowing read-only access using this community name. [test_0.Sysname-cluster] cluster-snmp-agent community read read_a Member 2 succeeded in the [...]

• Page 498

1-22 snmp-agent community read read_a@cm0 snmp-agent community write write_a@cm0 snmp-agent sys-info version all snmp-agent group v3 group_a snmp-agent mib-view included mib_a org snmp-agent usm-user v3 user_a group_a undo snmp-agent trap enable standard • Configuration file content on a member device (only the SNMP-related information is displaye[...]

• Page 499

1-23 • Perform the above operations on the management device of the cluster. • Creating a public local user is equal to executing these configurations on both the management device and the member devices (refer to the AAA Operation part in this manual), and these configurations will be saved to the configuration files of the management devic[...]

• Page 500

1-24 Cluster Configuration Examples Basic Cluster Configuration Example Network requirements Three switches compose a cluster, where: • A Switch 4500 series switch serves as the management device. • The rest are member devices. Serving as the management device, the Switch 4500 switch manages the two member devices. The configuration for the c[...]

• Page 501

    1-25 [Sysname] ntdp enable [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] ntdp enable [Sysname-Ethernet1/0/1] quit # Enable the cluster function. [Sysname] cluster enable 2) Configure the management device # Add port Ethernet 1/0/1 to VLAN 2. <Sysname> system-view [Sysname] vlan 2 [Sysname-vlan2] port Ethernet 1/0/1 [Sysname-vlan2[...]

• Page 502

1-26 # Set the delay for a member device to forward topology collection requests to 150 ms. [Sysname] ntdp timer hop-delay 150 # Set the delay for a member device port to forward topology collection requests to 15 ms. [Sysname] ntdp timer port-delay 15 # Set the interval between collecting topology information to 3 minutes. [Sysname] ntdp tim[...]

• Page 503

1-27 • After completing the above configuration, you can execute the cluster switch-to { member-number | mac-address H-H-H } command on the management device to switch to member device view to maintain and manage a member device. After that, you can execute the cluster switch-to administrator command to return to management device view. • In a[...]

• Page 504

    1-28 <Sysname> system-view [Sysname] management-vlan 3 # Add Ethernet 1/0/1 to VLAN 3. [Sysname] vlan 3 [Sysname-vlan3] port Ethernet 1/0/1 [Sysname-vlan3] quit # Set the IP address of VLAN-interface 3 to 192.168.5.30. [Sysname] interface Vlan-interface 3 [Sysname-Vlan-interface3] ip address 192.168.5.30 255.255.255.0 [Sysname-Vlan-interface3[...]

• Page 505

1-29 Network diagram Figure 1-6 Network diagram for the enhanced cluster feature configuration (figure: FTP server 192.168.0.4, management device 192.168.0.1, member devices, MAC address 0001-2034-a0e5) Configuration procedure # Enter cluster view. <aaa_0.Sysname> system-view [aaa_0.Sysname] cluster # Add the MAC a[...]

• Page 506

i Table of Contents 1 PoE Configuration ········· 1-1 PoE Overview ········· [...]

• Page 507

1-1 1 PoE Configuration When configuring PoE, go to these sections for information you are interested in: • PoE Overview • PoE Configuration • PoE Configuration Example PoE Overview Introduction to PoE Power over Ethernet (PoE)-enabled devices use twisted pairs through electrical ports to supply power to the remote powered devices (PD) in the[...]

• Page 508

1-2 • Through the fixed 24/48 Ethernet electrical ports, it can supply power to up to 24/48 remote Ethernet switches with a maximum distance of 100 m (328 feet). • Each Ethernet electrical port can supply at most a power of 15,400 mW to a PD. • When AC power input is adopted for the switch, the maximum total power that can be provided is 300 W.[...]

• Page 509

1-3 Task Remarks Upgrading the PSE Processing Software Online Optional Upgrading the PSE Processing Software of Fabric Switches Online Optional Displaying PoE Configuration Optional Enabling the PoE Feature on a Port Follow these steps to enable the PoE feature on a port: To do… Use the command… Remarks Enter system view system-view — Ent[...]

• Page 510

1-4 • auto: When the switch is close to its full load in supplying power, it will first supply power to the PDs that are connected to the ports with critical priority, and then supply power to the PDs that are connected to the ports with high priority. For example: Port A has the priority of critical. When the switch PoE is close to its full [...]

• Page 511

1-5 Configuring the PD Compatibility Detection Function After the PD compatibility detection function is enabled, the switch can detect the PDs that do not conform to the 802.3af standard and supply power to them. After the PoE feature is enabled, perform the following configuration to enable the PD compatibility detection function. Follow [...]

• Page 512

1-6 • When the internal temperature of the switch decreases from X (X>65°C, or X>149°F) to Y (60°C ≤ Y<65°C, or 140°F ≤ Y<149°F), the switch still keeps the PoE function disabled on all the ports. • When the internal temperature of the switch increases from X (X<60°C, or X<140°F) to Y (60°C<Y ≤ 65°C, or 1[...]

• Page 513

1-7 Follow these steps to upgrade the PSE processing software online: To do… Use the command… Remarks Upgrade the PSE processing software of the fabric switch online update fabric { file-url | device-name file-url } Optional Displaying PoE Configuration To do… Use the command… Remarks Display the current PD disconnection detection mod[...]

• Page 514

1-8 Network diagram Figure 1-1 Network diagram for PoE Configuration procedure # Upgrade the PSE processing software online. <SwitchA> system-view [SwitchA] poe update refresh 0290_021.s19 # Enable the PoE feature on Ethernet 1/0/1, and set the PoE maximum output power of Ethernet 1/0/1 to 12,000 mW. [SwitchA] interface Ethernet 1/0/1 [Switc[...]

• Page 515

2-1 2 PoE Profile Configuration When configuring a PoE profile, go to these sections for information you are interested in: • Introduction to PoE Profile • PoE Profile Configuration • Displaying PoE Profile Configuration • PoE Profile Configuration Example Introduction to PoE Profile On a large-sized network or a network with mobile users, to help [...]

• Page 516

    2-2 To do… Use the command… Remarks Enable the PoE feature on a port poe enable Required Disabled by default. Configure PoE mode for Ethernet ports poe mode { signal | spare } Optional signal by default. Configure the PoE priority for Ethernet ports poe priority { critical | high | low } Optional low by default. Configure the relevant features [...]

  • Página 517

    2-3 Displaying PoE Profile Configuration To do… Use the command… Remarks Display the detailed information about the PoE profiles created on the switch display poe-profile { all-profile | interface interface-type interface-number | name profile-name } Available in any view PoE Profile Configuration Example PoE Profile Application Example Network[...]

  • Página 518

    2-4 Network diagram Figure 2-1 PoE profile application Network IP Phone Switch A AP IP Phone IP Phone IP Phone AP AP AP Eth1/0/1~Eth1/0/5 E th1/0/6~Eth1/0/10 Configuration procedure # Create Profile 1, and enter PoE profile view . <SwitchA> system-view [SwitchA] poe-profile Profile1 # In Profile 1, add the PoE policy configu ration applic abl[...]

  • Página 519

    2-5 [SwitchA-poe-profile-Profile2] poe mode signal [SwitchA-poe-profile-Profile2] poe priority high [SwitchA-poe-profile-Profile2] poe max-power 15400 [SwitchA-poe-profile-Profile2] quit # Display detailed configu ration information for Profile2. [SwitchA] display poe-profile name Profile2 Poe-profile: Profile2, 2 action poe enable poe priority hig[...]
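The priority rule above (critical ports served before high, high before low, once the PSE nears its budget) and the over-temperature cutoff with its 60°C/65°C hysteresis are easy to get wrong when you model them for capacity planning or for a monitoring check. The following Python is an added example written for this page, not code from the 3Com manual or the switch firmware. It assumes, beyond what the manual states, that ports are served first-fit in priority order and that a port whose configured ceiling no longer fits is left unpowered rather than given partial power; the port names, wattages and budget are constructed sample data.

```python
# PoE budget allocation by port priority and over-temperature hysteresis.
# Added example, not code from the 3Com manual. Assumption (not stated by the
# manual): within the budget, ports are served first-fit in priority order,
# and a port whose ceiling does not fit is left unpowered.

PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}
PORT_MAX_MW = 15400      # 802.3af per-port ceiling used in the manual's examples


def allocate_power(ports, budget_mw):
    """Return {port_name: mW granted} for port dicts with keys 'name',
    'priority' ('critical' | 'high' | 'low') and 'max_power' (mW)."""
    for p in ports:
        if p["priority"] not in PRIORITY_RANK:
            raise ValueError("unknown priority %r on %s" % (p["priority"], p["name"]))
        if not 0 < p["max_power"] <= PORT_MAX_MW:
            raise ValueError("max_power out of range on %s" % p["name"])
    # Critical first, then high, then low; the port name breaks ties deterministically.
    order = sorted(ports, key=lambda p: (PRIORITY_RANK[p["priority"]], p["name"]))
    granted, remaining = {}, budget_mw
    for p in order:
        if p["max_power"] <= remaining:
            granted[p["name"]] = p["max_power"]
            remaining -= p["max_power"]
        else:
            granted[p["name"]] = 0   # budget exhausted for this port: left unpowered
    return granted


DISABLE_ABOVE_C = 65   # PoE disabled on all ports when the internal temperature exceeds this
ENABLE_BELOW_C = 60    # ... and allowed again only once it has dropped below this


def poe_thermal_state(currently_enabled, temp_c):
    """Hysteresis: above 65 C force off, below 60 C allow on, and in the
    60..65 C band keep the previous state (the manual's 'still keeps the PoE
    function disabled' case when cooling from above 65 C)."""
    if temp_c > DISABLE_ABOVE_C:
        return False
    if temp_c < ENABLE_BELOW_C:
        return True
    return currently_enabled


def sample_ports():
    """Constructed sample data: a phone on a critical port, an AP on a high
    port, and two low-priority ports."""
    return [
        {"name": "Ethernet1/0/1", "priority": "critical", "max_power": 15400},
        {"name": "Ethernet1/0/6", "priority": "high", "max_power": 15400},
        {"name": "Ethernet1/0/7", "priority": "low", "max_power": 15400},
        {"name": "Ethernet1/0/8", "priority": "low", "max_power": 7000},
    ]


if __name__ == "__main__":
    for name, mw in allocate_power(sample_ports(), 38000).items():
        print("%-14s %6d mW" % (name, mw))
```

With a 38,000 mW budget the critical and high ports get their full 15,400 mW, the 15,400 mW low port is left unpowered, and the 7,000 mW low port still fits in the remainder. Note that a low-priority PD can therefore be switched off by simply plugging a higher-priority device into another port; on an access switch that is a denial-of-service vector worth keeping in mind when assigning critical priority.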

Table of Contents
1 UDP Helper Configuration 1-1
Introduction to UDP Helper [...]

1 UDP Helper Configuration
When configuring UDP helper, go to these sections for information you are interested in:
- Introduction to UDP Helper
- Configuring UDP Helper
- Displaying and Maintaining UDP Helper
- UDP Helper Configuration Example
Introduction to UDP Helper
Sometimes, a host needs to forward broadcasts to obtain network configu[...]

Protocol / UDP port number: Time Service 37
Configuring UDP Helper
Follow these steps to configure UDP Helper:
- Enter system view: system-view
- Enable UDP Helper: udp-helper enable (Required. Disabled by default.)
- Specify a UDP port number: udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs |[...]

- Clear statistics about packets forwarded by UDP Helper: reset udp-helper packet (Available in user view)
UDP Helper Configuration Example
Cross-Network Computer Search Through UDP Helper
Network requirements
PC A resides on network segment 192.168.1.0/24 and PC B on 192.168.10.0/24; they are connected through Sw[...]
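UDP Helper rewrites a LAN broadcast into unicast datagrams aimed at the helper servers configured on the receiving interface, so the set of relayed ports is the control that keeps a switch from becoming a generic broadcast-to-unicast relay. The Python below is an added example modelling that decision; it is not the switch's code. It assumes the keyword-to-port mapping follows the IANA well-known ports (the manual's own table is truncated here), models the per-interface helper address as a method named add_server, and uses constructed packets and addresses.

```python
# UDP Helper relay decision: which received broadcasts are re-sent as unicast,
# and to which helper servers. Added example, not the switch's code.
# Assumptions: keyword-to-port mapping per the IANA well-known ports; the
# interface configuration and packets below are constructed.
import ipaddress

KEYWORD_PORTS = {"dns": 53, "netbios-ns": 137, "netbios-ds": 138,
                 "tacacs": 49, "tftp": 69, "time": 37}


class UdpHelper:
    def __init__(self):
        self.enabled = False
        self.ports = set()        # UDP destination ports that are relayed
        self.servers = {}         # interface name -> list of helper server addresses
        self.subnets = {}         # interface name -> network of that interface

    def add_port(self, port):
        """udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs | ... }"""
        if isinstance(port, str):
            port = KEYWORD_PORTS[port]
        if not 1 <= int(port) <= 65535:
            raise ValueError("UDP port out of range: %r" % port)
        self.ports.add(int(port))

    def add_server(self, iface, subnet, server_ip):
        """Helper server on the interface that receives the broadcasts (assumed
        method name; the CLI form is in the truncated table above)."""
        self.subnets[iface] = ipaddress.ip_network(subnet, strict=False)
        self.servers.setdefault(iface, []).append(ipaddress.ip_address(server_ip))

    def relay_targets(self, iface, dst_ip, dst_port):
        """Return (targets, reason): the unicast destinations the broadcast is
        re-sent to (empty whenever any condition fails) and why."""
        if not self.enabled:
            return [], "udp-helper disabled"
        if iface not in self.subnets:
            return [], "no helper server on %s" % iface
        dst = ipaddress.ip_address(dst_ip)
        limited = dst == ipaddress.ip_address("255.255.255.255")
        directed = dst == self.subnets[iface].broadcast_address
        if not (limited or directed):
            return [], "not a broadcast"
        if dst_port not in self.ports:
            return [], "UDP port %d not enabled for relay" % dst_port
        return [str(s) for s in self.servers[iface]], "relayed"


def sample_helper():
    """Constructed configuration in the spirit of the manual's example: hosts on
    192.168.1.0/24 reach a NetBIOS name server on 192.168.10.0/24 via the helper."""
    h = UdpHelper()
    h.enabled = True
    h.add_port("netbios-ns")
    h.add_port("netbios-ds")
    h.add_server("Vlan-interface1", "192.168.1.0/24", "192.168.10.2")
    return h


if __name__ == "__main__":
    h = sample_helper()
    for pkt in [("Vlan-interface1", "255.255.255.255", 137),
                ("Vlan-interface1", "192.168.1.255", 53),
                ("Vlan-interface2", "255.255.255.255", 137)]:
        print(pkt, "->", h.relay_targets(*pkt))
```

The reason strings are deliberately explicit: when relaying is enabled on a production switch, logging the refused cases (especially unlisted ports hitting the broadcast address) is a cheap way to spot scanning or misconfigured hosts. Keep the port list to the services you actually need; every relayed port lets any host on the segment reach the helper server with the switch as the sender.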

Table of Contents
1 SNMP Configuration 1-1
SNMP Overview [...]

1 SNMP Configuration
When configuring SNMP, go to these sections for information you are interested in:
- SNMP Overview
- Configuring Basic SNMP Functions
- Configuring Trap-Related Functions
- Enabling Logging for Network Management
- Displaying SNMP
- SNMP Configuration Example
SNMP Overview
The Simple Network Management Protocol (SNMP) i[...]

- Set the permission for a community to access an MIB object to be read-only or read-write. Communities with read-only permission can only query the switch information, while those with read-write permission can configure the switch as well.
- Set the basic ACL specified by the community name.
Supported MIBs
An SNMP packet carries managem[...]

Direct configuration:
- Set a community name: snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*
- Set an SNMP group: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
- Set a co[...]

- Encrypt a plain-text password to generate a cipher-text one: snmp-agent calculate-password plain-password mode { md5 | sha } { local-engineid | specified-engineid engineid } (Optional. This command is used if a password in cipher-text form is needed for adding a new user.)
- Add a user to an SNMP group: snmp-agent usm[...]

- Enable the switch to send traps to the NMS: snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system ]
- Enter port view or interface view: interface interface-type interface-number
- Enable the port or interface to send traps: enable sn[...]

- Enable logging for network management: snmp-agent log { set-operation | get-operation | all } (Optional. Disabled by default.)
- When SNMP logging is enabled on a device, SNMP logs are output to the information center of the device. With the output destinations of the information center set, the output destinati[...]

- Perform the following configuration on Switch A: set the community name and access permission, administrator ID, contact and switch location, and enable the switch to send traps. Thus, the NMS is able to access Switch A and receive the traps sent by Switch A.
Network diagram
Figure 1-2 Network diagram for SNMP configuration 10.10.10.[...]

[Sysname] snmp-agent trap enable standard linkdown
[Sysname] snmp-agent target-host trap address udp-domain 10.10.10.1 udp-port 5000 params securityname public
Configuring the NMS
Authentication-related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully. For more information, [...]
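The snmp-agent calculate-password command in the table above is the SNMPv3 USM password-to-key and key-localization procedure of RFC 3414 (Appendix A.2): the password is hashed after being expanded to 1 MiB, and the result is then bound to one engine ID, which is why the command needs either the local engine ID or an explicit one. The Python below is an added example of that computation and of the HMAC-96 authenticator built on the localized key; it is not the switch's code. The password "maplesyrup" with engine ID 000000000000000000000002 is the published RFC 3414 A.3 test vector, and the message authenticated at the end is a constructed byte string.

```python
# SNMPv3 USM password-to-key and key localization (RFC 3414, Appendix A.2),
# the computation behind 'snmp-agent calculate-password <plain-password>
# mode { md5 | sha } { local-engineid | specified-engineid <engineid> }'.
# Added example, not the switch's code. Test vector from RFC 3414 A.3.
import hashlib
import hmac

HASH_FOR_MODE = {"md5": "md5", "sha": "sha1"}   # CLI keyword -> hashlib name
EXPANSION_BYTES = 1048576                          # RFC 3414: hash 1 MiB of repeated password


def password_to_key(password: bytes, mode: str) -> bytes:
    """Ku = H(password repeated to exactly 1,048,576 bytes)."""
    if not password:
        raise ValueError("empty password")
    reps = EXPANSION_BYTES // len(password) + 1
    stream = (password * reps)[:EXPANSION_BYTES]
    return hashlib.new(HASH_FOR_MODE[mode], stream).digest()


def localize_key(ku: bytes, engine_id: bytes, mode: str) -> bytes:
    """Kul = H(Ku || engineID || Ku). The key is bound to one engine, so the
    localized key recovered from one device does not yield the password
    (though it does give an attacker that device)."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets")
    return hashlib.new(HASH_FOR_MODE[mode], ku + engine_id + ku).digest()


def calculate_password(password: str, mode: str, engine_id_hex: str) -> str:
    """Equivalent of the CLI command: the localized key as a hex string."""
    ku = password_to_key(password.encode(), mode)
    return localize_key(ku, bytes.fromhex(engine_id_hex), mode).hex()


def auth_parameters(kul: bytes, whole_msg: bytes, mode: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96 (RFC 3414 sections 6.3 and 7.3):
    msgAuthenticationParameters is the first 12 octets of the HMAC over the
    whole SNMPv3 message, computed with the 12 parameter octets zeroed."""
    return hmac.new(kul, whole_msg, HASH_FOR_MODE[mode]).digest()[:12]


def verify(kul: bytes, whole_msg: bytes, received_params: bytes, mode: str) -> bool:
    expected = auth_parameters(kul, whole_msg, mode)
    return hmac.compare_digest(expected, received_params)


if __name__ == "__main__":
    print("md5:", calculate_password("maplesyrup", "md5", "000000000000000000000002"))
    print("sha:", calculate_password("maplesyrup", "sha", "000000000000000000000002"))
```

Two practical consequences follow from the construction: the same password produces a different localized key on every engine, so an NMS must know each agent's engine ID before it can authenticate; and the 1 MiB expansion is a deliberate work factor, but a weak password is still brute-forceable from a captured authenticated message, so treat the plain password as a secret with the same care as an SSH password. The trap example above sends with securityname public, the conventional default community name; change it together with the community strings.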

2 RMON Configuration
When configuring RMON, go to these sections for information you are interested in:
- Introduction to RMON
- RMON Configuration
- Displaying RMON
- RMON Configuration Example
Introduction to RMON
Remote Monitoring (RMON) is a kind of MIB defined by the Internet Engineering Task Force (IETF). It is an important enhancement m[...]

statistics and performance statistics of the network segments to which the ports of the managed network devices are connected. Thus, the NMS can further manage the networks.
Commonly Used RMON Groups
Event group
The event group is used to define the indexes of events and the processing methods of the events. The events defined in an even[...]

Statistics group
The statistics group contains the statistics of each monitored port on a switch. An entry in a statistics group is an accumulated value counting from the time when the statistics group is created. The statistics include the number of the following items: collisions, packets with Cyclic Redundancy Check (CRC) errors, [...]

- The rmon alarm and rmon prialarm commands take effect on existing nodes only.
- For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry is already created for a given port, you will fail to create another statistics entry with a different index for the same port.
Displaying RMON
To do… Use the [...]

[Sysname-Ethernet1/0/1] quit
# Add the event entries numbered 1 and 2 to the event table, which will be triggered by the following extended alarm.
[Sysname] rmon event 1 log
[Sysname] rmon event 2 trap 10.21.30.55
# Add an entry numbered 2 to the extended alarm table to allow the system to calculate the alarm variables with the (.1.3.6.1[...]
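The alarm entry in the example samples a variable, compares it against a rising and a falling threshold, and fires the referenced event entries; what the CLI syntax does not make obvious is the hysteresis rule of the RMON alarm group (RFC 2819): after a rising alarm fires, no further rising alarm fires until the falling threshold has been crossed, and vice versa, which is what stops a counter hovering around the threshold from flooding the trap receiver. The Python below is an added example implementing that evaluation with delta and absolute sampling; it is not the switch's code. The event table mirrors the two entries above, the actions are returned as labels rather than sent as syslog or SNMP traps, and the counter samples are constructed.

```python
# RMON alarm evaluation with the rising/falling hysteresis of the alarm group
# (RFC 2819), driving the event table of the manual's example
# (rmon event 1 log, rmon event 2 trap 10.21.30.55). Added example; not the
# switch's code. Samples are constructed; actions are returned as labels.

EVENT_TABLE = {1: "log", 2: "trap 10.21.30.55"}


class RmonAlarm:
    def __init__(self, sample_type, rising, falling, rising_event, falling_event,
                 startup="risingOrFalling"):
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if falling >= rising:
            raise ValueError("falling threshold must be below rising threshold")
        if startup not in ("rising", "falling", "risingOrFalling"):
            raise ValueError("bad alarmStartupAlarm value")
        self.sample_type = sample_type
        self.rising, self.falling = rising, falling
        self.rising_event, self.falling_event = rising_event, falling_event
        self.startup = startup        # alarmStartupAlarm: what may fire on the first sample
        self.started = False
        self.last_value = None        # previous raw sample, for delta mode
        self.last_alarm = None        # None | 'rising' | 'falling'

    def sample(self, value):
        """Feed one sample; return the event index triggered, or None."""
        if self.sample_type == "delta":
            if self.last_value is None:          # a delta needs two samples
                self.last_value = value
                return None
            measured, self.last_value = value - self.last_value, value
        else:
            measured = value
        # Hysteresis: a rising alarm re-arms only after a falling one, and vice versa.
        may_rise = self.last_alarm != "rising" and (
            self.started or self.startup in ("rising", "risingOrFalling"))
        may_fall = self.last_alarm != "falling" and (
            self.started or self.startup in ("falling", "risingOrFalling"))
        self.started = True
        if measured >= self.rising and may_rise:
            self.last_alarm = "rising"
            return self.rising_event
        if measured <= self.falling and may_fall:
            self.last_alarm = "falling"
            return self.falling_event
        return None


def run_alarm(alarm, samples, event_table=EVENT_TABLE):
    """Apply a sample series; return one action (or None) per sample."""
    return [event_table.get(alarm.sample(v)) for v in samples]


if __name__ == "__main__":
    # Constructed error counter read every interval: a burst, a quiet spell, a burst.
    counter = [0, 100, 160, 163, 164, 230]
    alarm = RmonAlarm("delta", rising=50, falling=5, rising_event=1, falling_event=2)
    for value, action in zip(counter, run_alarm(alarm, counter)):
        print(value, action)
```

For a security use, the interesting variables are the error and broadcast counters of the statistics group: a sustained rise in CRC errors or broadcasts on a port is an early signal of a bad cable, a loop, or a host flooding the segment, and the hysteresis keeps the alert to one trap per episode instead of one per sample.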

Table of Contents
1 NTP Configuration 1-1
Introduction to NTP [...]

1 NTP Configuration
When configuring NTP, go to these sections for information you are interested in:
- Introduction to NTP
- NTP Configuration Task List
- Configuring NTP Implementation Modes
- Configuring Access Control Right
- Configuring NTP Authentication
- Configuring Optional NTP Parameters
- Displaying NTP Configuration
- Configurat[...]

- Defining the accuracy of clocks by stratum to synchronize the clocks of all devices in a network quickly
- Supporting access control (see section Configuring Access Control Right) and MD5-based message authentication (see section Configuring NTP Authentication)
- Sending protocol packets in unicast, multicast, or broadcast mode
- The cl[...]

Figure 1-1 Implementation principle of NTP (Device A and Device B exchange NTP messages over an IP network: Device A sends at 10:00:00 am by its own clock, Device B receives at 11:00:01 am and replies at 11:00:02 am by its clock, and Device A receives the reply at 10:00:03 am)
The procedure of synchron[...]

Server/client mode
Figure 1-2 Server/client mode
Symmetric peer mode
Figure 1-3 Symmetric peer mode (the active peer sends a clock synchronization request packet; the other side works in passive peer mode automatically and returns a response packet; in peer mode, both sides can be synchronized to each other)
In the symmetric peer mode, the local S4500 Ethe[...]

Multicast mode
Figure 1-5 Multicast mode
Table 1-1 describes how the above-mentioned NTP modes are implemented on 3Com S4500 series Ethernet switches.
Table 1-1 NTP implementation modes on 3Com S4500 series Ethernet switches
- Server/client mode: Configure the local S4500 Etherne[...]

- When a 3Com S4500 Ethernet switch works in server mode or symmetric passive mode, you need not perform related configurations on this switch but do that on the client or the symmetric-active peer.
- The NTP server mode, NTP broadcast mode, or NTP multicast mode takes effect only after the local clock of the 3Com S4500 Ethernet switch [...]

- Execution of one of the ntp-service unicast-server, ntp-service unicast-peer, ntp-service broadcast-client, ntp-service broadcast-server, ntp-service multicast-client, and ntp-service multicast-server commands enables the NTP feature and opens UDP port 123 at the same time.
- Execution of the undo form of one of the above six command[...]

- Specify a symmetric-passive peer for the switch: ntp-service unicast-peer { remote-ip | peer-name } [ authentication-keyid key-id | priority | source-interface Vlan-interface vlan-id | version number ]* (Required. By default, a switch is not configured to work in the symmetric mode.)
- In the symmetric pee[...]

- Enter VLAN interface view: interface Vlan-interface vlan-id
- Configure the switch to work in the NTP broadcast server mode: ntp-service broadcast-server [ authentication-keyid key-id | version number ]* (Required. Not configured by default.)
Configuring a switch to work in the NTP broadcast client mode
Fol[...]

- Enter system view: system-view
- Enter VLAN interface view: interface Vlan-interface vlan-id
- Configure the switch to work in the NTP multicast client mode: ntp-service multicast-client [ ip-address ] (Required. Not configured by default.)
Configuring Access Control Right
With the following command, you c[...]

The access-control right mechanism provides only a minimum degree of security protection for the local switch, since it is based on source addresses, which can be spoofed in UDP. A more secure method is identity authentication.
Configuring NTP Authentication
In networks with higher security requirements, the NTP authentication function must be enabled to run NTP. Through password authentication on the[...]

Configuration Procedure
Configuring NTP authentication on the client
Follow these steps to configure NTP authentication on the client:
- Enter system view: system-view
- Enable the NTP authentication function: ntp-service authentication enable (Required. Disabled by default.)
- Configure the NTP authentication k[...]

- Configure the specified key as a trusted key: ntp-service reliable authentication-keyid key-id (Required. By default, no trusted authentication key is configured.)
- Enter VLAN interface view: interface Vlan-interface vlan-id
- Configure on the NTP broadcast server: ntp-service broadcast-server authentication-k[...]

If you have specified an interface in the ntp-service unicast-server or ntp-service unicast-peer command, this interface will be used for sending NTP messages.
Configuring the Number of Dynamic Sessions Allowed on the Local Switch
A single device can have a maximum of 128 associations at the same time, including static associations and [...]

- Display the information about the sessions maintained by NTP: display ntp-service sessions [ verbose ]
- Display the brief information about NTP servers along the path from the local device to the reference clock source: display ntp-service trace
Configuration Examples
Configuring NTP Server/Client Mode
Netwo[...]

[DeviceB] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 1.0.1.11
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.66 ms
Root delay: 27.47 ms
Root dispersion: 208.39 ms
Peer dispersion: 9.63 ms
Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05A[...]

Configuration procedure
- Configure Device C.
# Set Device A as the NTP server.
<DeviceC> system-view
[DeviceC] ntp-service unicast-server 3.0.1.31
- Configure Device B (after Device C is synchronized to Device A).
# Enter system view.
<DeviceB> system-view
# Set Device C as the peer of Device B.
[DeviceB] ntp-service unicas[...]

Configuring NTP Broadcast Mode
Network requirements
- The local clock of Device C is set as the NTP master clock, with a stratum level of 2. Configure Device C to work in the NTP broadcast server mode and send NTP broadcast messages through VLAN-interface 2.
- Device A and Device D are two S4500 Ethernet switches. Configure Device A and Dev[...]

View the NTP status of Device D after the clock synchronization.
[DeviceD] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 3.0.1.31
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 198.7425 ms
Root delay: 27.47 ms
Root dispersion: 208.39 ms
Peer disper[...]

Network diagram
Figure 1-9 Network diagram for NTP multicast mode configuration
Configuration procedure
- Configure Device C.
# Enter system view.
<DeviceC> system-view
# Set Device C as a multicast server to send multicast messages through VLAN-interface 2.
[DeviceC] interface Vlan-interface 2
[DeviceC-Vlan-interface2] ntp-service mul[...]

Root dispersion: 208.39 ms
Peer dispersion: 9.63 ms
Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C)
The output information indicates that Device D is synchronized to Device C, with a clock stratum level of 3, one stratum level lower than that of Device C.
# View the information about the NTP sessions of Device D (you can see th[...]

- To synchronize Device B, you need to perform the following configurations on Device A.
# Enable the NTP authentication function.
<DeviceA> system-view
[DeviceA] ntp-service authentication enable
# Configure an MD5 authentication key, with the key ID being 42 and the key being aNiceKey.
[DeviceA] ntp-service authentication-keyid 42 a[...]
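Two things in this chapter are worth seeing as code: the four-timestamp exchange of Figure 1-1, from which the client derives its offset and the round-trip delay, and the symmetric-key authentication configured above with key ID 42, where the packet carries the key ID and an MD5 digest over key and header (RFC 1305 Appendix C, carried forward in RFC 5905). The Python below is an added example of both, not the switch's code. The 48-byte client header is constructed, the key aNiceKey and key ID 42 are taken from the example above, and the "trusted" set plays the role of ntp-service reliable authentication-keyid: a packet authenticated with a configured but untrusted key is rejected, as the manual's two-step configuration implies.

```python
# NTP offset/delay from the four timestamps of Figure 1-1, and the symmetric-key
# authenticator of RFC 1305 / RFC 5905 (4-byte key ID + MD5(key || header))
# as configured by 'ntp-service authentication-keyid 42 ... aNiceKey' and
# 'ntp-service reliable authentication-keyid 42'. Added example, not the
# switch's code; the NTP header is constructed.
import hashlib
import hmac
import struct


def ntp_offset_delay(t1, t2, t3, t4):
    """t1: client send, t2: server receive, t3: server send, t4: client receive,
    all in the same unit. Returns (clock offset, round-trip delay)."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


HEADER_LEN = 48
MAC_LEN = 4 + 16            # key ID + MD5 digest


def client_header():
    """Constructed NTP header: LI=0, VN=4, mode=3 (client); other fields zero."""
    return bytes([0x23]) + bytes(HEADER_LEN - 1)


def sign(packet, key_id, key):
    """Append the MAC: key ID, then MD5 over key || packet."""
    if len(packet) != HEADER_LEN:
        raise ValueError("expected a bare 48-byte header")
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack(">I", key_id) + digest


def verify(message, keys, trusted):
    """keys: {key_id: key bytes}; trusted: set of key IDs declared reliable.
    Accept only if the packet names a configured *and* trusted key and the
    digest matches; an unauthenticated packet is rejected outright."""
    if len(message) != HEADER_LEN + MAC_LEN:
        return False
    packet, mac = message[:HEADER_LEN], message[HEADER_LEN:]
    key_id = struct.unpack(">I", mac[:4])[0]
    if key_id not in keys or key_id not in trusted:
        return False
    expected = hashlib.md5(keys[key_id] + packet).digest()
    return hmac.compare_digest(expected, mac[4:])


def figure_1_1_example():
    """Timestamps of Figure 1-1 in seconds since midnight: A sends at 10:00:00,
    B receives at 11:00:01 and replies at 11:00:02, A receives at 10:00:03."""
    return ntp_offset_delay(10 * 3600, 11 * 3600 + 1, 11 * 3600 + 2, 10 * 3600 + 3)


if __name__ == "__main__":
    print("offset %.0f s, delay %.0f s" % figure_1_1_example())
    keys, trusted = {42: b"aNiceKey"}, {42}
    msg = sign(client_header(), 42, keys[42])
    print("valid:", verify(msg, keys, trusted))
```

The figure's numbers give an offset of exactly one hour and a delay of two seconds, which is why Device A can correct its clock from a single exchange. On the authentication side, MD5 survives here only because the secret key is prepended; it is still the interoperable default on equipment of this generation, while RFC 8573 now specifies AES-CMAC for the same field. Either way the scheme provides integrity only, not confidentiality, and a key shared with many clients is a key any of them can use to forge time for the others.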

Table of Contents
1 SSH Configuration 1-1
SSH Overview [...]

1 SSH Configuration
When configuring SSH, go to these sections for information you are interested in:
- SSH Overview
- SSH Server and Client
- Displaying and Maintaining SSH Configuration
- Comparison of SSH Commands with the Same Functions
- SSH Configuration Examples
SSH Overview
Introduction to SSH
Secure Shell (SSH) is a protocol that prov[...]

The same key is used for both encryption and decryption. Supported symmetric key algorithms include DES, 3DES, and AES, which can effectively prevent data eavesdropping. (DES, with its 56-bit key, no longer offers meaningful protection against a well-resourced attacker; prefer AES where the client supports it.)
- Asymmetric key algorithm
Asymmetric key algorithm is also called public key algorithm. Both ends have their own key pair, consisting of a private key and a public key [...]

Currently, the switch supports only SSH2.
Version negotiation
- The server opens port 22 to listen to connection requests from clients.
- The client sends a TCP connection request to the server. After the TCP connection is established, the server sends the first packet to the client, which includes a version identification s[...]
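The version identification string exchanged right after the TCP handshake has the form "SSH-protoversion-softwareversion [comments]" terminated by CR LF (RFC 4253 section 4.2); an SSH2-only server such as this switch accepts clients announcing 2.0, or 1.99 for a client that speaks both versions, and must refuse an SSH1-only client. The Python below is an added example of parsing and deciding on that string; it is not the switch's code, and the identification strings in it are constructed.

```python
# SSH identification-string exchange (RFC 4253 section 4.2), the first step of
# the version negotiation described above. Added example; not the switch's code.
# The identification strings used are constructed.

MAX_IDENT_LEN = 255      # RFC 4253: at most 255 characters including CR LF


def parse_ident(line: bytes) -> dict:
    """Parse one 'SSH-proto-software [comments]' line. Raises ValueError on
    malformed input instead of guessing, which is what a server should do."""
    if len(line) > MAX_IDENT_LEN:
        raise ValueError("identification string too long")
    if not line.endswith(b"\n"):
        raise ValueError("identification string not terminated")
    body = line.rstrip(b"\r\n")
    if not body.startswith(b"SSH-"):
        raise ValueError("not an SSH identification string")
    proto, sep, rest = body[4:].partition(b"-")
    if not sep or not proto:
        raise ValueError("missing protoversion or softwareversion")
    software, _, comments = rest.partition(b" ")
    if not software or not all(0x21 <= c <= 0x7e for c in software):
        raise ValueError("softwareversion must be printable US-ASCII without spaces")
    return {"proto": proto.decode("ascii"),
            "software": software.decode("ascii"),
            "comments": comments.decode("ascii", "replace")}


def read_ident(data: bytes) -> dict:
    """A server may send other lines before its identification string and a
    client must skip them (RFC 4253 4.2); only a line starting with 'SSH-'
    is the identification string."""
    for line in data.splitlines(keepends=True):
        if line.startswith(b"SSH-"):
            return parse_ident(line)
    raise ValueError("no identification string found")


def server_accepts(server_proto: str, client_proto: str) -> bool:
    """An SSH2-only server accepts clients announcing 2.0 or 1.99 (a client
    able to speak both) and rejects SSH1-only clients."""
    if server_proto != "2.0":
        raise ValueError("only an SSH2-only server is modelled here")
    return client_proto in ("2.0", "1.99")


if __name__ == "__main__":
    server_banner = b"Authorized access only.\r\nSSH-2.0-ConstructedSwitchSSH\r\n"
    print(read_ident(server_banner))
    for client in (b"SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3\r\n",
                   b"SSH-1.99-PuTTY_Release_0.58\r\n",
                   b"SSH-1.5-OldClient\r\n"):
        ident = parse_ident(client)
        print(ident["proto"], ident["software"], "->", server_accepts("2.0", ident["proto"]))
```

The software version and comment fields are sent in the clear before any key exchange, which is why scanners fingerprint devices from them; the parser above deliberately tolerates a hyphen inside the software field, as many vendor strings contain one, but rejects whitespace and non-printable bytes, since those are the usual ways a malformed banner is used to probe a server.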

  • Página 565

    1-4 z The server starts to authent icate the user. If aut hentication fails, the server sends an authentica tion failure message to the client, which con tains t he list of methods used for a new auth entication process . z The client selects an authentication type from the method list to perform authentication again. z The above process repeats un[...]

  • Página 566

    1-5 Figure 1-2 Network diagram for SSH connections Configure the devices accordin gly This docu ment describes two case s: z The 3Com switch acts as the SSH server to coope rate with softwa re that supports the SSH client functions. z The 3Com switch acts as the SSH serv er to coop erate with another 3Com swit ch that acts as an SSH client. Complet[...]

  • Página 567

    1-6 Task Remarks Configuring the User Interfaces for SSH Clients Required Preparation Configuring the SSH Managem ent Functions Optional Key Configuring Key Pairs Required Authentication Creating an SSH User and Specifying an Authentication Type Required Authorization Specifying a Service Type for an SSH User Optional By default, an SSH user can us[...]

  • Página 568

    1-7 To do... Use the command... Remarks S pecify the supported protocol(s) protocol inbound { all | ssh } Optional By default, both T elnet and SSH are supported. z If you have configured a user interface to s upport SSH protocol, you must configure AAA authentication for the user interface by using the authentica tion-mode schem e command to ensur[...]

  • Página 569

    1-8 z You can configure a login header only wh en the service type is stelnet . For configuratio n of service types, refer to Specifying a Service Type for an SSH User . z For details of the header command, refer to the corresp onding section in Login Com mand . Configuring Key Pairs The SSH server ’s key pairs are fo r generating sessi on keys a[...]

  • Página 570

    1-9 To do… Use the command… Remarks Destroy the RSA key pair public-key local destroy rsa Optional Creating an SSH User and Specifying an Authentication Type This task is to create an SSH user and specify an auth entication type. Specif ying an authentication type for a new user is a must to get the user login. An SSH user is represented as a s[...]

  • Página 571

    1-10 To do... Use the command... Remarks Create an SSH user, and specify an authentication type for it ssh user username authentication-type { all | passwo rd | password-publickey | publickey } are used and different authentication types are specified, the authentication type specified with the ssh user authentication-type command takes preceden ce[...]

  • Página 572

    1-11 If the ssh user service-type command is executed wit h a username that does not exist, the system will automatically create the SSH user. However, the user cannot log in unless you specify an authentication type for it. Configuring the Public Key of a Client on the Server This configuration is not necessa ry if the password authentication mode[...]

  • Página 573

    1-12 To do... Use the command... Remarks Enter syst em view system-vie w — Import the public key from a public key file public-key peer keyname import sshkey filename Required Assigning a Public Key to an SSH User This configuration task is unnece ssary if the SSH user’s authentication mode is password . For the publickey authentication mode, y[...]

  • Página 574

    1-13 With the filename argument specified, you can export the RSA host public key to a file so that you can configure the key at a remote end by importing the file. If the filename argument is not specified, this command displays the host public key information on the screen in a specified format. Configuring the SSH Client The configurations requi[...]

  • Página 575

    1-14 Task Remarks Opening an SSH co nnection with publickey authentication Required for publickey authenticatio n; unnecessary for pass word authentication z For putty, it is recommended to u se PuTTY releas e 0.53; PuTTY rele ase 0.58 is also suppo rted. For OpenSSH, it is recommended to use Ope n SSH_3.1p1; OpenSSH_4.2p1 is also supported. Any ot[...]

  • Página 576

    1-15 Note that while generating t he key pair , you must move the mouse continuou sly and keep the mouse off the green process bar in the blue box of shown in Figure 1-4 . Oth erwise, the process bar stop s moving and the key pair generating process is stopped. Figure 1-4 Generate the client keys (2) After the key pai r is generated, click Save pub[...]

  • Página 577

    1-16 Likewise, to save the priv ate key , cli ck Save private key . A warning window pop s up to prompt you whether to save the private key witho ut any precaution. Cli ck Ye s and enter the name of the file for saving the private key (“pri vate” in this case) to save the private ke y . Figure 1-6 Generate the client keys (4) T o generate RSA p[...]

  • Página 578

    1-17 Figure 1-8 SSH client configuration interface 1 In the Host Name (or IP address) text box, enter the IP address of t he se rver . Note that there must be a route available between the IP addres s of the server and the client. Selecting a protocol for remote connection As shown in Figure 1-8 , select SSH under Protocol . Selecting an SSH versio[...]

  • Página 579

    1-18 Figure 1-9 SSH client configuration interface 2 Under Protocol options , sele ct 2 from Preferred SSH protocol version . Some SSH client software, for example, Tectia c lient software, supports the DES algorithm only when the ssh1 version is selected. The PuTTY client software support s DES algorithm negotiation ssh2. Opening an SSH connection[...]

  • Página 580

    1-19 Figure 1-10 SSH client configuration interface 3 Click Browse… to bring up the file selection window , navigate to the private key file and cli ck Open . If the connection is normal, a user will be prompted for a username. Once p assing the authenticat ion, the user can log in to the server . Configuring an SSH Client Assu med by an SSH2-Cap[...]

  • Página 581

    1-20 Configuring whether first-time authentication is supported When the device connect s to the SSH server as an SSH client, you can configure whether the device supports first-time authentication. z With first-time authentication enabled, an SSH client that is not configured with the se rver host public key can continue accessi ng the server when[...]

  • Página 582

    1-21 Follow these steps to sp ecify a source IP address/interface for the SSH client: To do... Use the command... Remarks Enter syst em view system-vie w — S pecify a source IP address for the SSH client ssh2 source -ip ip-address Optional By default, no source IP address is configured. S pecify a source interface for the SSH client ssh2 source-i[...]

  • Página 583

    1-22 To do... Use the command... Remarks Display information about all SSH users display ssh user-inform ation [ username ] Display the current source IP address or the IP address of the source interface specified for the SSH server . display ssh-server source-ip Display the mappings bet ween host public keys and SSH servers saved on a client displ[...]

  • Página 584

    1-23 The results of t he display rsa local-key-pair public command or the public key converted with the SSHKEY tool contains no information such as the authentication type, so they c annot be directly used as parameters in the public-key peer comman d. For the same reason, neither can the resul ts of the display public-key local rsa public co mmand[...]

  • Página 585

    1-24 [Switch-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH. [Switch-ui-vty0-4] protocol inbound ssh [Switch-ui-vty0-4] quit # Create local client client001 , and set the authentication passwo rd to abc , protocol type to SSH, and command privilege level to 3 for the clie nt. [Switch] local-user client001 [Switch-[...]

  • Página 586

    1-25 Figure 1-13 SSH client configuration interface (2 ) Under Protocol options , sele ct 2 from Preferred SSH protocol version . 3) As shown in Figure 1-13 , click Open . If the connection is normal, you will be prompted to enter the user name client001 and password ab c . Once authentication succeed s, you will log in to the server. 1.1.1 When Sw[...]

  • Página 587

    1-26 Network diagram Figure 1-14 Switch acts as server for p assword and RADIUS authentication Configuration procedure 1) Configure the RADIUS server This document takes CA MS Version 2.10 as an example to show the basi c RADIUS server configurations required. # Add an access device. Log in to the CAMS management platform and sele ct System Managem[...]

  • Página 588

    1-27 Figure 1-15 Add an access device # Add a user account for device management. From the navigation tree, select User Management > User for Dev ice Management , and then in the right pane, cli ck Add to enter the Add Account pa ge and perform the following configuration s: z Add a user named hello , and specify the password. z Select SSH as th[...]

  • Página 589

    1-28 Generating the RSA key pair on the server is p rerequisite to SSH login. # Generate RSA key pairs. [Switch] public-key local create rsa # Set the authentication mode for the user interfaces to AAA. [Switch] user-interface vty 0 4 [Switch-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH. [Switch-ui-vty0-4] proto[...]

  • Página 590

    1-29 Figure 1-17 SSH client configuration interface (1 ) In the Host Name (or IP addres s) text box, enter the IP address of the SSH server . z From the category on the left pane of the window, select Connection > SSH . The window as shown in Figure 1-1 8 appears . Figure 1-18 SSH client configuration interface (2 )[...]

  • Página 591

    1-30 Under Protocol options , select 2 from Prefer red SSH protocol version . Then, click Open . If the connection is normal, you will be prompted to enter the user name hello and the password. Once authentication succeeds, you will log in to the se rver . The level of commands that you can access af ter login is authorized by the CAMS server . Y o[...]

  • Página 592

    1-31 [Switch] user-interface vty 0 4 [Switch-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH. [Switch-ui-vty0-4] protocol inbound ssh [Switch-ui-vty0-4] quit # Configure the HWT ACA CS scheme. [Switch] hwtacacs scheme hwtac [Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49 [Switch-hwtacacs-hwtac] primary a[...]

  • Página 593

    1-32 In the Host Name (or IP addres s) text box, enter the IP address of the SSH server . 2) From the category on the le ft pane of the window, select Connection > SSH . The window as shown in Figure 1-2 1 appears . Figure 1-21 SSH client configuration interface (2 ) Under Protocol options , select 2 from Prefer red SSH protocol version . Then, [...]

  • Página 594

    1-33 Configuration procedure z Configure the SSH server # Create a VLAN interface on the switch and assign an IP addre ss, which the SSH client will use as the destination for SSH connection. <Switch> system-view [Switch] interface vlan-interface 1 [Switch-Vlan-interface1] ip address 192.168.0.1 255.255.255.0 [Switch-Vlan-interface1] quit Gen[...]

  • Página 595

    1-34 Figure 1-23 Generate a cl ient key pair (1) While generating the key pair, you m ust move the mouse continuously and keep the m ouse off the green process b ar show n in Figure 1-24 . Otherwise, the process bar sto ps moving and the key pair generating process is sto pped.[...]

  • Página 596

    1-35 Figure 1-24 Generate a cl ient key pair (2) After the key pai r is generated, click Save public key and enter the name of the file for saving th e public key ( public in this case). Figure 1-25 Generate a cl ient key pair (3) Likewise, to save the priv ate key , cli ck Save private key . A warning window pop s up to prompt you whether to save [...]

  • Página 597

    1-36 Figure 1-26 Generate a cl ient key pair (4) After a public key pair is generated, you need to upload the pubic key file to the server through FTP or TFTP, and complete the server end configuration before you contin ue to configure the client. # Establish a connection with the SSH server 2) Launch PuTTY.exe to enter the followin g interface. Fi[...]

  • Página 598

    1-37 Figure 1-28 SSH client configuration interface (2 ) Under Protocol options , sele ct 2 from Preferred SSH protocol version . 4) Select Connection / SSH / Auth . The following window appears. Figure 1-29 SSH client configuration interface (3 )[...]

  • Página 599

    1-38 Click Browse to bring up the file selection window , navigate to the private key file and click OK . 5) From the window shown in Figure 1 -29 , click Open . If the connection is normal, you will be prompted to enter the username. When Switch Acts as Client for Password Authentication Network requirements As shown in Figure 1-30 , est ablish an[...]

  • Página 600

    1-39 [SwitchB-luser-client001] password simple abc [SwitchB-luser-client001] service-type ssh level 3 [SwitchB-luser-client001] quit # Configure the authentication type of use r client001 as passwo rd. [SwitchB] ssh user client001 authentication-type password z Configure Switch A # Create a VLAN interface on the switch and assi gn an IP address, wh[...]

  • Página 601

    1-40 Configuration procedure z Configure Switch B # Create a VLAN interface on the switch and assign an IP addre ss, which the SSH client will use as the destination for SSH connection. <SwitchB> system-view [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-interface1] ip address 10.165.87.136 255.255.255.0 [SwitchB-Vlan-interface1] quit Gen[...]

  • Página 602

    1-41 <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0 [SwitchA-Vlan-interface1] quit # Generate a RSA key pair [SwitchA] public-key local create rsa # Export the generated RSA key pair to a file named Switch 001. [SwitchA] public-key local export rsa ssh2 Switch001 Aft[...]

  • Página 603

    1-42 Network diagram Figure 1-32 Switch acts as client and first-ti me authentication is not suppo rted Configuration procedure z Configure Switch B # Create a VLAN interface on the switch and as sign an IP address for it to se rve as the de stination of the client. <SwitchB> system-view [SwitchB] interface vlan-interface 1 [SwitchB-Vlan-inte[...]

1-43 # Import the client's public key file Switch001 and name the public key as Switch001. [SwitchB] public-key peer Switch001 import sshkey Switch001 # Assign public key Switch001 to user client001 [SwitchB] ssh user client001 assign publickey Switch001 # Export the generated RSA host public key pair to a file named Switch002. [SwitchB] public-[...]

1-44 # Import the public key pair named Switch002 from the file Switch002. [SwitchA] public-key peer Switch002 import sshkey Switch002 # Specify the host public key pair name of the server. [SwitchA] ssh client 10.165.87.136 assign publickey Switch002 # Establish the SSH connection to server 10.165.87.136. [SwitchA] ssh2 10.165.87.136 Username:[...]

i Table of Contents 1 File System Management Configuration ··· 1-1 File System Configuration ···[...]

1-1 1 File System Management Configuration When configuring file system management, go to these sections for information you are interested in: • File System Configuration • File Attribute Configuration • Configuration File Backup and Restoration File System Configuration Introduction to File System To facilitate management on the switch memor[...]

1-2 Directory Operations The file system provides directory-related functions, such as: • Creating/deleting a directory • Displaying the current work directory, or contents in a specified directory Follow these steps to perform directory-related operations: To do… Use the command… Remarks Create a directory mkdir directory Optional Availabl[...]

1-3 To do… Use the command… Remarks Rename a file rename fileurl-source fileurl-dest Optional Available in user view Copy a file copy fileurl-source fileurl-dest Optional Available in user view Move a file move fileurl-source fileurl-dest Optional Available in user view Display the content of a file more file-url Optional Availab[...]

1-4 The format operation leads to the loss of all files, including the configuration files, on the Flash memory and is irretrievable. Prompt Mode Configuration You can set the prompt mode of the current file system to alert or quiet. In alert mode, the file system will give a prompt for confirmation if you execute a command which may cause [...]

    1-5 Directory of unit1>flash:/ 1 (*) -rw- 5822215 Jan 01 1970 00:07:03 test.bin 2 -rwh 4 Apr 01 2000 23:55:49 snmpboots 3 -rwh 428 Apr 02 2000 00:47:30 hostkey 4 -rwh 572 Apr 02 2000 00:47:38 serverkey 5 -rw- 1220 Apr 02 2000 00:06:57 song.cfg 6 -rw- 26103 Jan 01 1970 00:04:34 testv1r1.bin 7 -rwh 88 Apr 01 2000 23:55:53 private-data.txt 8 (*) -r[...]

1-6 Attribute name Description Feature Identifier backup Identifies backup startup files. The backup startup file is used after a switch fails to start up using the main startup file. In the Flash memory, there can be only one app file, one configuration file and one Web file with the backup attribute. (b) none Identifies files that are neither o[...]

1-7 Configuring File Attributes You can configure and view the main attribute or backup attribute of the file used for the next startup of a switch, and change the main or backup attribute of the file. Follow these steps to configure file attributes: To do… Use the command… Remarks Configure the app file with the main attribute for the nex[...]

1-8 Configuration File Backup and Restoration Introduction to Configuration File Backup and Restoration Formerly, you can only back up and restore the configuration file of the units one by one in a fabric system. By using the configuration file backup and restoration feature, you can easily back up and restore the configuration files in the[...]

i Table of Contents 1 FTP and SFTP Configuration ··· 1-1 Introduction to FTP and SFTP ···[...]

1-1 1 FTP and SFTP Configuration When configuring FTP and SFTP, go to these sections for information you are interested in: • Introduction to FTP and SFTP • FTP Configuration • SFTP Configuration Introduction to FTP and SFTP Introduction to FTP File Transfer Protocol (FTP) is commonly used in IP-based networks to transmit files. Before World W[...]

1-2 files from an FTP server, and stops rotating when the file downloading is finished, as shown in Figure 1-1. Figure 1-1 Clockwise rotating of the seven-segment digital LED Introduction to SFTP Secure FTP (SFTP) is established based on an SSH2 connection. It allows a remote user to log in to a switch to manage and transmit files, providing a [...]

1-3 To do… Use the command… Remarks Configure a password for the specified user password { simple | cipher } password Optional By default, no password is configured. Configure the service type as FTP service-type ftp Required By default, no service is configured. Enabling an FTP server Follow these steps to enable an FTP server: To do… Use[...]

1-4 Follow these steps to configure connection idle time: To do… Use the command… Remarks Enter system view system-view — Configure the connection idle time for the FTP server ftp timeout minutes Optional 30 minutes by default Specifying the source interface and source IP address for an FTP server You can specify the source interface and [...]

1-5 Disconnecting a specified user On the FTP server, you can disconnect a specified user from the FTP server to secure the network. Follow these steps to disconnect a specified user: To do… Use the command… Remarks Enter system view system-view — On the FTP server, disconnect a specified user from the FTP server ftp disconnect user-na[...]

1-6 Figure 1-3 Process of displaying a shell banner Follow these steps to configure the banner display for an FTP server: To do… Use the command… Remarks Enter system view system-view — Configure a login banner header login text Configure a shell banner header shell text Required Use either command or both. By default, no banner is configu[...]

1-7 To do… Use the command… Remarks Enter FTP client view ftp [ cluster | remote-server [ port-number ] ] — Specify to transfer files in ASCII characters ascii Specify to transfer files in binary streams binary Use either command. By default, files are transferred in ASCII characters. Set the data transfer mode to passive passive Optional pa[...]

1-8 To do… Use the command… Remarks Download a remote file from the FTP server get remotefile [ localfile ] Upload a local file to the remote FTP server put localfile [ remotefile ] Rename a file on the remote server rename remote-source remote-dest Log in with the specified user name and password user username [ password ] Connect to a remot[...]

1-9 • The specified interface must be an existing one. Otherwise a prompt appears to show that the configuration fails. • The value of the ip-address argument must be the IP address of the device where the configuration is performed. Otherwise a prompt appears to show that the configuration fails. • The source interface/source IP address set fo[...]

1-10 [Sysname] local-user switch [Sysname-luser-switch] password simple hello [Sysname-luser-switch] service-type ftp 2) Configure the PC (FTP client) Run an FTP client application on the PC to connect to the FTP server. Upload the application named switch.bin to the root directory of the Flash memory of the FTP server, and download the configu[...]

1-11 • If available space on the Flash memory of the switch is not enough to hold the file to be uploaded, you need to delete files not in use from the Flash memory to make room for the file, and then upload the file again. The files in use cannot be deleted. If you have to delete the files in use to make room for the file to be uploaded, you [...]

1-12 Configuration procedure 1) Configure the switch (FTP server) # Configure the login banner of the switch as “login banner appears” and the shell banner as “shell banner appears”. For detailed configuration of other network requirements, see section Configuration Example: A Switch Operating as an FTP Server. <Sysname> sy[...]

1-13 Configuration procedure 1) Configure the PC (FTP server) Perform FTP server-related configurations on the PC, that is, create a user account on the FTP server with username switch and password hello. (For detailed configuration, refer to the configuration instruction relevant to the FTP server software.) 2) Configure the switch (FTP[...]

1-14 <Sysname> boot boot-loader switch.bin <Sysname> reboot For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual. SFTP Configuration Complete the following tasks to configure SFTP: Task Remarks Enabling an SFTP server Re[...]

1-15 To do… Use the command… Remarks Enter system view system-view — Configure the connection idle time for the SFTP server ftp timeout time-out-value Optional 10 minutes by default. Supported SFTP client software A 3com switch 4500 operating as an SFTP server can interoperate with SFTP client software, including SSH Tectia Client v4.2.[...]

1-16 To do… Use the command… Remarks Enter SFTP client view sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { 3des | des | aes128 } | prefer_stoc_cipher { 3des | des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha[...]

1-17 If you specify to authenticate a client through public key on the server, the client needs to read the local private key when logging in to the SFTP server. Since both RSA and DSA are available for public key authentication, you need to use the identity-key keyword to specify the algorithms to get correct local private key; otherwise you[...]

1-18 [Sysname] public-key local create dsa # Create a VLAN interface on the switch and assign to it an IP address, which is used as the destination address for the client to connect to the SFTP server. [Sysname] interface vlan-interface 1 [Sysname-Vlan-interface1] ip address 192.168.0.1 255.255.255.0 [Sysname-Vlan-interface1] quit # Specify the[...]

1-19 sftp-client> # Display the current directory of the server. Delete the file z and verify the result. sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 n[...]

1-20 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2 Received status: End of file Received status: Success # Download the file pubkey2 from the server and rename it as public. sftp-client> get pubkey2[...]

2-1 2 TFTP Configuration When configuring TFTP, go to these sections for information you are interested in: • Introduction to TFTP • TFTP Configuration Introduction to TFTP Compared with FTP, Trivial File Transfer Protocol (TFTP) features simple interactive access interface and no authentication control. Therefore, TFTP is applicable in the[...]

2-2 TFTP Configuration Complete the following tasks to configure TFTP: Task Remarks Basic configurations on a TFTP client — TFTP Configuration: A Switch Operating as a TFTP Client Specifying the source interface or source IP address for an FTP client Optional TFTP server configuration For details, see the corresponding manual — TFTP Configu[...]

2-3 To do… Use the command… Remarks Specify the source IP address used for the current connection tftp tftp-server source-ip ip-address { get source-file [ dest-file ] | put source-file-url [ dest-file ] } Optional Not specified by default. Enter system view system-view — Specify an interface as the source interface a TFTP client uses eve[...]

2-4 Network diagram Figure 2-1 Network diagram for TFTP configurations Configuration procedure 1) Configure the TFTP server (PC) Start the TFTP server and configure the working directory on the PC. 2) Configure the TFTP client (switch). # Log in to the switch. (You can log in to a switch through the Console port or by telnetting the switch. See[...]

2-5 For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual.[...]

i Table of Contents 1 Information Center ··· 1-1 Information Center Overview ···[...]

1-1 1 Information Center When configuring information center, go to these sections for information you are interested in: • Information Center Overview • Information Center Configuration • Displaying and Maintaining Information Center • Information Center Configuration Examples Information Center Overview Introduction to Information Center Acting[...]

1-2 Information filtering by severity works this way: information with the severity value greater than the configured threshold is not output during the filtering. • If the threshold is set to 1, only information with the severity being emergencies will be output; • If the threshold is set to 8, information of all severities will be output. Ten [...]

1-3 Outputting system information by source module The system information can be classified by source module and then filtered. Some module names and description are shown in Table 1-3. Table 1-3 Source module name list Module name Description 8021X 802.1X module ACL Access control list module ADBM Address base module AM Access management module[...]

1-4 Module name Description SYSMIB System MIB module TAC HWTACACS module TELNET Telnet module TFTPC TFTP client module VLAN Virtual local area network module VTY Virtual type terminal module XM XModem module default Default settings for all the modules To sum up, the major task of the information center is to output the three types of information [...]

1-5 • If the address of the log host is specified in the information center of the switch, when logs are generated, the switch sends the logs to the log host in the above format. For detailed information, refer to Setting to Output System Information to a Log Host. • There is the syslog process on the Unix or Linux platform, you can start the pr[...]

1-6 Module The module field represents the name of the module that generates system information. You can enter the info-center source ? command in system view to view the module list. Refer to Table 1-3 for module name and description. Between “module” and “level” is a “/”. Level (Severity) System information can be divided into[...]

1-7 Configuring Synchronous Information Output Synchronous information output refers to the feature that if the system information such as log, trap, or debugging information is output when the user is inputting commands, the command line prompt (in command editing mode a prompt, or a [Y/N] string in interaction mode) and the input information [...]

1-8 To do… Use the command… Remarks Set to display the UTC time zone in the output information of the information center info-center timestamp utc Required By default, no UTC time zone is displayed in the output information Setting to Output System Information to the Console Setting to output system information to the console Follow these step[...]

1-9 LOG TRAP DEBUG Output destination Modules allowed Enabled/disabled Severity Enabled/disabled Severity Enabled/disabled Severity Monitor terminal default (all modules) Enabled warnings Enabled debugging Enabled debugging Log host default (all modules) Enabled informational Enabled debugging Disabled debugging Trap buffer default (all [...]

1-10 Setting to output system information to a monitor terminal Follow these steps to set to output system information to a monitor terminal: To do… Use the command… Remarks Enter system view system-view — Enable the information center info-center enable Optional Enabled by default. Enable system information output to Telnet terminal or du[...]

1-11 To do… Use the command… Remarks Enable trap information terminal display function terminal trapping Optional Enabled by default Make sure that the debugging/log/trap information terminal display function is enabled (use the terminal monitor command) before you enable the corresponding terminal display function by using the terminal debug[...]

1-12 • After the switches form a fabric, you can use the info-center switch-on command to enable the information output for the switches to make the log, debugging and trap information of each switch in the fabric synchronous. Each switch sends its own information to other switches in the fabric and receives information sent by other switches[...]

1-13 To do… Use the command… Remarks Enable information output to the log buffer info-center logbuffer [ channel { channel-number | channel-name } | size buffersize ]* Optional By default, the switch uses information channel 4 to output log information to the log buffer, which can hold up to 512 items by default. Configure the output rules[...]

1-14 Displaying and Maintaining Information Center To do… Use the command… Remarks Display information on an information channel display channel [ channel-number | channel-name ] Display the operation status of information center, the configuration of information channels, the format of time stamp and the information output in case of fab[...]

1-15 # Disable the function of outputting information to log host channels, because all modules output log information to the log host channels by default. [Switch] undo info-center source default channel loghost # Configure the host whose IP address is 202.38.1.10 as the log host. Permit ARP and IP modules to output information with severity lev[...]

1-16 Through combined configuration of the device name (facility), information severity level threshold (severity), module name (filter) and the file “syslog.conf”, you can sort information precisely for filtering. Log Output to a Linux Log Host Network requirements The switch sends the following log information to the Linux log host whose[...]

1-17 Note the following items when you edit file “/etc/syslog.conf”. • A note must start in a new line, starting with a “#” sign. • In each pair, a tab should be used as a separator instead of a space. • No space is permitted at the end of the file name. • The device name (facility) and received log information severity specified in [...]

1-18 <Switch> system-view [Switch] info-center enable # Disable the function of outputting information to the console channels. [Switch] undo info-center source default channel console # Enable log information output to the console. Permit ARP and IP modules to output log information with severity level higher than informational to the [...]

i Table of Contents 1 Boot ROM and Host Software Loading ··· 1-1 Introduction to Loading Approaches ···[...]

1-1 1 Boot ROM and Host Software Loading Traditionally, switch software is loaded through a serial port. This approach is slow, time-consuming and cannot be used for remote loading. To resolve these problems, the TFTP and FTP modules are introduced into the switch. With these modules, you can load/download software/files conveniently to [...]

1-2 The loading process of the Boot ROM software is the same as that of the host software, except that during the former process, you should press “6” or <Ctrl+U> and <Enter> after entering the BOOT menu and the system gives different prompts. The following text mainly describes the Boot ROM loading process. BOOT Menu Starting..[...]

    1-3 1. Download application file to flash 2. Select application file to boot 3. Display all files in flash 4. Delete file from flash 5. Modify bootrom password 6. Enter bootrom upgrade menu 7. Skip current configuration file 8. Set bootrom password recovery 9. Set switch startup mode 0. Reboot Enter your choice(0-9): Loading by XModem through Conso[...]

1-4 0. Return Enter your choice (0-5): Step 3: Choose an appropriate baudrate for downloading. For example, if you press 5, the baudrate 115200 bps is chosen and the system displays the following information: Download baudrate is 115200 bit/s Please change the terminal's baudrate to 115200 bit/s and select XMODEM protocol Press enter ke[...]

1-5 Figure 1-2 Console port configuration dialog box Step 5: Click the <Disconnect> button to disconnect the HyperTerminal from the switch and then click the <Connect> button to reconnect the HyperTerminal to the switch, as shown in Figure 1-3. Figure 1-3 Connect and disconnect buttons The new baudrate takes effect after you dis[...]

1-6 Figure 1-4 Send file dialog box Step 8: Click <Send>. The system displays the page, as shown in Figure 1-5. Figure 1-5 Sending file page Step 9: After the sending process completes, the system displays the following information: Loading ...CCCCCCCCCC done! Step 10: Reset HyperTerminal’s baud rate to 9600 bps (refer to Step 4 [...]

1-7 Loading host software Follow these steps to load the host software: Step 1: Select <1> in BOOT Menu and press <Enter>. The system displays the following information: 1. Set TFTP protocol parameter 2. Set FTP protocol parameter 3. Set XMODEM protocol parameter 0. Return to boot menu Enter your choice(0-3): Step 2: Enter 3 in the[...]

1-8 You can use one PC as both the configuration device and the TFTP server. Step 2: Run the TFTP server program on the TFTP server, and specify the path of the program to be downloaded. TFTP server program is not provided with the 3Com Series Ethernet Switches. Step 3: Run the HyperTerminal program on the configuration PC. Start the swit[...]

1-9 0. Return to boot menu Enter your choice(0-3): Step 2: Enter 1 in the above menu to download the host software using TFTP. The subsequent steps are the same as those for loading the Boot ROM, except that the system gives the prompt for host software loading instead of Boot ROM loading. When loading Boot ROM and host software using TFTP [...]

1-10 Bootrom update menu: 1. Set TFTP protocol parameter 2. Set FTP protocol parameter 3. Set XMODEM protocol parameter 0. Return to boot menu Enter your choice(0-3): Step 4: Enter 2 in the above menu to download the Boot ROM using FTP. Then set the following FTP-related parameters as required: Load File name :switch.btm Switch IP address :10.1[...]

1-11 Remote Boot ROM and Software Loading If your terminal is not directly connected to the switch, you can telnet to the switch, and use FTP or TFTP to load the Boot ROM and host software remotely. Remote Loading Using FTP Loading Procedure Using FTP Client 1) Loading the Boot ROM As shown in Figure 1-8, a PC is used as both the configuratio[...]

1-12 Before restarting the switch, make sure you have saved all other configurations that you want, so as to avoid losing configuration information. 2) Loading host software Loading the host software is the same as loading the Boot ROM program, except that the file to be downloaded is the host software file, and that you need to use the boot b[...]

1-13 System View: return to User View with Ctrl+Z. [Sysname] interface Vlan-interface 1 [Sysname-Vlan-interface1] ip address 192.168.0.28 255.255.255.0 Step 3: Enable FTP service on the switch, and configure the FTP user name to test and password to pass. [Sysname-Vlan-interface1] quit [Sysname] ftp server enable [Sysname] local-user test New [...]

1-14 Figure 1-11 Enter Boot ROM directory Step 6: Enter ftp 192.168.0.28 and enter the user name test, password pass, as shown in Figure 1-12, to log on to the FTP server. Figure 1-12 Log on to the FTP server Step 7: Use the put command to upload the file switch.btm to the switch, as shown in Figure 1-13.[...]

1-15 Figure 1-13 Upload file switch.btm to the switch Step 8: Configure switch.btm to be the Boot ROM at next startup, and then restart the switch. <Sysname> boot bootrom switch.btm This will update Bootrom on unit 1. Continue? [Y/N] y Upgrading Bootrom, please wait... Upgrade Bootrom succeeded! <Sysname> reboot After the switch rest[...]

2-1 2 Basic System Configuration and Debugging When configuring basic system configuration and debugging, go to these sections for information you are interested in: • Basic System Configuration • Displaying the System Status • Debugging the System Basic System Configuration Perform the following basic system configuration: To do… Use the com[...]

2-2 Displaying the System Status To do… Use the command… Remarks Display the current date and time of the system display clock Display the version of the system display version Display the information about users logging onto the switch display users [ all ] Available in any view Debugging the System Enabling/Disabling System Debugging The d[...]

2-3 You can use the following commands to enable the two switches. Follow these steps to enable debugging and terminal display for a specific module: To do… Use the command… Remarks Enable system debugging for specific module debugging module-name [ debugging-option ] Required Disabled for all modules by default. Enable terminal display f[...]

3-1 3 Network Connectivity Test When configuring network connectivity test, go to these sections for information you are interested in: • ping • tracert Network Connectivity Test ping You can use the ping command to check the network connectivity and the reachability of a host. To do… Use the command… Remarks Check the IP network connectiv[...]

4-1 4 Device Management When configuring device management, go to these sections for information you are interested in: • Introduction to Device Management • Device Management Configuration • Displaying the Device Management Configuration • Remote Switch APP Upgrade Configuration Example Introduction to Device Management Device Management include[...]

4-2 Before rebooting, the system checks whether there is any configuration change. If yes, it prompts whether or not to proceed. This prevents the system from losing the configurations in case of shutting down the system without saving the configurations. Use the following command to reboot the Ethernet switch: To do… Use the command… Rem[...]

4-3 Enabling of this function consumes some amounts of CPU resources. Therefore, if your network has a high CPU usage requirement, you can disable this function to release your CPU resources. Specifying the APP to be Used at Reboot APP is the host software of the switch. If multiple APPs exist in the Flash memory, you can use the command her[...]

4-4 Table 4-1 Commonly used pluggable transceivers Transceiver type Applied environment Whether can be an optical transceiver Whether can be an electrical transceiver SFP (Small Form-factor Pluggable) Generally used for 100M/1000M Ethernet interfaces or POS 155M/622M/2.5G interfaces Yes Yes GBIC (GigaBit Interface Converter) Generally used for 10[...]

4-5 To do… Use the command… Remarks Display the current alarm information of the pluggable transceiver(s) display transceiver alarm interface [ interface-type interface-number ] Available for all pluggable transceivers Display the currently measured value of the digital diagnosis parameters of the anti-spoofing optical transceiver(s) customize[...]

4-6 • Make configuration so that the IP address of a VLAN interface on the switch is 1.1.1.1, the IP address of the PC is 2.2.2.2, and the switch and the PC is reachable to each other. The host software switch.app and the Boot ROM file boot.btm of the switch are stored in the directory switch on the PC. Use FTP to download the switch.app an[...]

4-7 331 Give me your password, please Password: 230 Logged in successfully [ftp] 5) Enter the authorized path on the FTP server. [ftp] cd switch 6) Execute the get command to download the switch.app and boot.btm files on the FTP server to the Flash memory of the switch. [ftp] get switch.app [ftp] get boot.btm 7) Execute the quit command to termin[...]

i Table of Contents 1 VLAN-VPN Configuration ··· 1-1 VLAN-VPN Overview ···[...]

1-1 1 VLAN-VPN Configuration When configuring VLAN-VPN, go to these sections for information you are interested in: • VLAN-VPN Overview • VLAN-VPN Configuration • Displaying and Maintaining VLAN-VPN Configuration • VLAN-VPN Configuration Example VLAN-VPN Overview Introduction to VLAN-VPN Virtual private network (VPN) is a new technology that emer[...]

1-2 Figure 1-2 Structure of packets with double-layer VLAN tags (figure fields: Destination MAC address, Source MAC address, Outer VLAN Tag, Inner VLAN Tag, Data) Compared with MPLS-based Layer 2 VPN, VLAN-VPN has the following features: • It provides Layer 2 VPN tunnels that are simpler. • VLAN-VPN can be implemented through manual configuration. That is, [...]

1-3 frame as needed. When doing that, you should set the same TPID on both the customer-side port and the service provider-side port. The TPID in an Ethernet frame has the same position with the protocol type field in a frame without a VLAN tag. To avoid problems in packet forwarding and handling, you cannot set the TPID value to any of th[...]

1-4 Task Remarks Enabling the VLAN-VPN Feature for a Port Required Configuring the TPID Value for VLAN-VPN Packets on a Port Optional Configuring the Inner-to-Outer Tag Priority Replicating and Mapping Feature Optional As XRN fabric is mutually exclusive with VLAN-VPN, make sure that XRN fabric is disabled on the switch before performing any [...]

  • Page 692

    1-5
    - Besides the default TPID 0x8100, you can configure only one TPID value on a Switch 4500 switch.
    - For the Switch 4500 series to exchange packets with the public network device properly, you should configure the TPID value used by the public network device on both the customer-side port and the service provider-side port.
    Configuring the I[...]

  • Page 693

    1-6
    VLAN-VPN Configuration Example
    Transmitting User Packets through a Tunnel in the Public Network by Using VLAN-VPN
    Network requirements
    As shown in Figure 1-4, Switch A and Switch B are both Switch 4500 series switches. They connect the users to the servers through the public network.
    - PC users and PC servers are in VLAN 100 created in the[...]

  • Page 694

    1-7
    [SwitchA-Ethernet1/0/11] vlan-vpn enable
    [SwitchA-Ethernet1/0/11] quit
    # Set the TPID value of Ethernet 1/0/12 to 0x9200 (for intercommunication with the devices in the public network) and configure the port as a trunk port permitting packets of VLAN 1040.
    [SwitchA] interface Ethernet 1/0/12
    [SwitchA-Ethernet1/0/12] vlan-vpn tpid 9200
    [Swit[...]

  • Page 695

    1-8
    2) The TPID value of the outer VLAN tag is set to 0x9200 before the packet is forwarded to the public network through Ethernet1/0/12 of Switch A.
    3) The outer VLAN tag of the packet remains unchanged while the packet travels in the public network, till it reaches Ethernet1/0/22 of Switch B.
    4) After the packet reaches Switch B, it is forwa[...]
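The double-tagging walk-through above, as an added example that is not part of the manual: a small Python model of a VLAN-VPN customer-side port pushing the outer tag (TPID 0x9200, VLAN 1040, optionally replicating the inner 802.1p priority) and of how the resulting frame is parsed by a public-network device that has, or has not, been given the same TPID. The frame bytes and MAC addresses are constructed.

```python
import struct

DEFAULT_TPID = 0x8100  # IEEE 802.1Q TPID, the Switch 4500 default named on this page


def add_tag(frame, vid, tpid=DEFAULT_TPID, pcp=0):
    """Insert a VLAN tag in the outermost position, right after the two MAC addresses."""
    if len(frame) < 14 or not 0 <= vid <= 4095 or not 0 <= pcp <= 7:
        raise ValueError("bad frame, VID or priority")
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | vid) + frame[12:]


def parse_frame(frame, accepted_tpids=(DEFAULT_TPID,)):
    """Peel off every tag whose TPID the receiving port recognises, outermost first.
    A tag carrying an unrecognised TPID stays in place and surfaces as the EtherType,
    which is what happens when the two ends of a VLAN-VPN link disagree on the TPID."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    tags, off = [], 12
    etype = struct.unpack_from("!H", frame, off)[0]
    while etype in accepted_tpids:
        if off + 6 > len(frame):
            raise ValueError("frame truncated inside a VLAN tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append({"tpid": etype, "pcp": tci >> 13, "vid": tci & 0x0FFF})
        off += 4
        etype = struct.unpack_from("!H", frame, off)[0]
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "tags": tags, "ethertype": etype, "payload": frame[off + 2:]}


def apply_vlan_vpn(frame, outer_vid, outer_tpid, replicate_priority=False):
    """Customer-side VLAN-VPN port: push the outer tag and, if the inner-to-outer
    priority replicating feature is on, copy the inner tag's 802.1p priority into it."""
    inner = parse_frame(frame)  # the customer side only understands 0x8100 here
    pcp = inner["tags"][0]["pcp"] if replicate_priority and inner["tags"] else 0
    return add_tag(frame, outer_vid, outer_tpid, pcp)


def vlan_vpn_scenario():
    """Walk the page's example: customer VLAN 100 carried inside outer VLAN 1040, TPID 0x9200."""
    # constructed sample frame: PC -> server, IPv4 EtherType, dummy 20-byte payload
    untagged = bytes.fromhex("000fe2000002000fe2000001") + b"\x08\x00" + bytes(20)
    customer = add_tag(untagged, vid=100, pcp=5)             # inner tag, as sent in VLAN 100
    provider = apply_vlan_vpn(customer, 1040, 0x9200, True)  # Switch A Ethernet1/0/12
    peer = parse_frame(provider, accepted_tpids=(DEFAULT_TPID, 0x9200))  # peer set to 0x9200
    mismatched = parse_frame(provider)                       # peer left at the default TPID
    return {
        "peer_tags": [(t["tpid"], t["vid"], t["pcp"]) for t in peer["tags"]],
        "peer_ethertype": peer["ethertype"],
        "mismatch_tags": [(t["tpid"], t["vid"]) for t in mismatched["tags"]],
        "mismatch_ethertype": mismatched["ethertype"],
    }


if __name__ == "__main__":
    for name, value in vlan_vpn_scenario().items():
        print(name, hex(value) if isinstance(value, int) else value)
```

A peer left at the default TPID sees no VLAN tag at all, only an unknown EtherType 0x9200, which is the failure the manual's "same TPID on both ports" rule prevents.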

  • Page 696

    2-1
    2 Selective QinQ Configuration
    When configuring selective QinQ, go to these sections for information you are interested in:
    - Selective QinQ Overview
    - Selective QinQ Configuration
    - Selective QinQ Configuration Example
    Selective QinQ Overview
    Selective QinQ Overview
    Selective QinQ is an enhanced application of the VLAN-VPN feature. With the[...]

  • Page 697

    2-2
    telephone users (in VLAN 201 to VLAN 300). Packets of all these users are forwarded by Switch A to the public network. After the selective QinQ feature and the inner-to-outer tag mapping feature are enabled on the port connecting Switch A to these users, the port will add different outer VLAN tags to the packets according to their inner[...]

  • Page 698

    2-3
    device receives a packet from the service provider network, this device will find the path for the packet by searching the MAC address table of the VLAN corresponding to the outer tag and unicast the packet. Thus, packet broadcast is reduced in selective QinQ applications. Likewise, the entries in the MAC address table of the outer V[...]

  • Page 699

    2-4
    Do not enable both the selective QinQ function and the DHCP snooping function on a switch. Otherwise, the DHCP snooping function may operate improperly.
    Enabling the Inter-VLAN MAC Address Replicating Feature
    Follow these steps to enable the inter-VLAN MAC address replicating feature:
    To do... / Use the command... / Remarks
    Enter system view [...]

  • Page 700

    2-5
    - The public network permits packets of VLAN 1000 and VLAN 1200. Apply QoS policies for these packets to reserve bandwidth for packets of VLAN 1200. That is, packets of VLAN 1200 have higher transmission priority over packets of VLAN 1000.
    - Employ the selective QinQ feature on Switch A and Switch B to differentiate traffic of PC users f[...]

  • Page 701

    2-6
    [SwitchA-Ethernet1/0/5] port hybrid vlan 5 1000 1200 tagged
    [SwitchA-Ethernet1/0/5] quit
    # Configure Ethernet 1/0/3 as a hybrid port and configure VLAN 5 as its default VLAN. Configure Ethernet 1/0/3 to remove VLAN tags when forwarding packets of VLAN 5, VLAN 1000, and VLAN 1200.
    [SwitchA] interface Ethernet 1/0/3
    [SwitchA-Ethernet1/0/3] po[...]

  • Page 702

    2-7
    [SwitchB] interface Ethernet 1/0/11
    [SwitchB-Ethernet1/0/11] port link-type hybrid
    [SwitchB-Ethernet1/0/11] port hybrid vlan 12 13 1000 1200 tagged
    # Configure Ethernet1/0/12 as a hybrid port and configure VLAN 12 as its default VLAN. Configure Ethernet 1/0/12 to remove VLAN tags when forwarding packets of VLAN 12 and VLAN 1000.
    [SwitchB] [...]

  • Page 703

    i Table of Contents
    1 Remote-ping Configuration 1-1
    Introduction to remote-ping [...]

  • Page 704

    1-1
    1 Remote-ping Configuration
    Introduction to remote-ping
    remote-ping is a network diagnostic tool used to test the performance of protocols (only ICMP so far) running on a network. It is an enhanced alternative to the ping command.
    A remote-ping test group is a set of remote-ping test parameters. A test group contains several test parameters a [...]

  • Page 705

    1-2
    This parameter is used to enable the system to automatically perform the same test at regular intervals.
    5) Test timeout time
    Test timeout time is the duration for which the system waits for an ECHO-RESPONSE packet after it sends out an ECHO-REQUEST packet. If no ECHO-RESPONSE packet is received within this duration, this test is conside[...]

  • Page 706

    1-3
    Table 1-2 Display remote-ping configuration
    Operation / Command / Description
    Display the information of remote-ping test history: display remote-ping history [ administrator-name operation-tag ]
    Display the latest remote-ping test results: display remote-ping results [ administrator-name operation-tag ]
    The display command can be executed in any v[...]

  • Page 707

    1-4
    Packet lost in test: 0%
    Disconnect operation number: 0
    Operation timeout number: 0
    System busy operation number: 0
    Connection fail number: 0
    Operation sequence errors: 0
    Drop operation number: 0
    Other operation errors: 0
    [Sysname-remote-ping-administrator-icmp] display remote-ping history administrator icmp
    remote-ping entry(admin administrator[...]

  • Page 708

    i Table of Contents
    1 IPv6 Configuration 1-1
    IPv6 Overview [...]

  • Page 709

    1-1
    1 IPv6 Configuration
    When configuring IPv6, go to these sections for information you are interested in:
    - IPv6 Overview
    - IPv6 Configuration Task List
    - IPv6 Configuration Example
    - The term “router” in this document refers to a router in a generic sense or an Ethernet switch running a routing protocol.
    - The 3com switch 4500 supports IP[...]

  • Page 710

    1-2
    Figure 1-1 Comparison between IPv4 header format and IPv6 header format
    Adequate address space
    The source IPv6 address and the destination IPv6 address are both 128 bits (16 bytes) long. IPv6 can provide 3.4 x 10^38 addresses to completely meet the requirements of hierarchical address division as well as allocation of public and private a[...]

  • Page 711

    1-3
    Enhanced neighbor discovery mechanism
    The IPv6 neighbor discovery protocol is implemented by a group of Internet Control Message Protocol Version 6 (ICMPv6) messages. The IPv6 neighbor discovery protocol manages message exchange between neighbor nodes (nodes on the same link). The group of ICMPv6 messages takes the place of Address Res[...]

  • Page 712

    1-4
    - Multicast address: An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address.
    - Anycast address: An identifier for a set of interfaces (typically belonging to different nodes). A packet[...]

  • Page 713

    1-5
    - Unassigned address: The unicast address :: is called the unassigned address and may not be assigned to any node. Before acquiring a valid IPv6 address, a node may fill this address in the source address field of an IPv6 packet, but may not use it as a destination IPv6 address.
    Multicast address
    Multicast addresses listed in Table 1-2 are [...]

  • Page 714

    1-6
    Introduction to IPv6 Neighbor Discovery Protocol
    The IPv6 Neighbor Discovery Protocol (NDP) uses five types of ICMPv6 messages to implement the following functions:
    - Address resolution
    - Neighbor unreachability detection
    - Duplicate address detection
    - Router/prefix discovery
    - Address autoconfiguration
    - Redirection
    Table 1-3 lists the [...]

  • Page 715

    1-7
    Address resolution
    Similar to the ARP function in IPv4, a node acquires the link-layer address of neighbor nodes on the same link through NS and NA messages. Figure 1-3 shows how node A acquires the link-layer address of node B.
    Figure 1-3 Address resolution
    The address resolution procedure is as follows:
    1) Node A multicasts an NS message. T[...]

  • Page 716

    1-8
    Figure 1-4 Duplicate address detection
    The duplicate address detection procedure is as follows:
    1) Node A sends an NS message whose source address is the unassigned address :: and whose destination address is the solicited-node multicast address corresponding to the IPv6 address to be detected. The NS message also contains the IPv6 addre[...]
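The address resolution and duplicate address detection procedures above, as an added example that is not part of the manual: Python helpers that derive a node's EUI-64 based address, the solicited-node multicast group an NS message is sent to, and the source/destination fields of a DAD probe. The MAC address 00-0F-E2-49-80-48 is inferred from the interface ID shown in this document's IPv6 configuration example (2001::20F:E2FF:FE49:8048), and the ICMPv6 type numbers come from RFC 4861, not from the page.

```python
import ipaddress

ICMPV6_NS, ICMPV6_NA = 135, 136  # Neighbor Solicitation / Advertisement types (RFC 4861)
ALL_NODES = ipaddress.IPv6Address("ff02::1")


def eui64_interface_id(mac):
    """Modified EUI-64: split the 48-bit MAC, insert FF:FE, flip the universal/local bit."""
    raw = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    raw[0] ^= 0x02
    return bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])


def address_from_prefix(prefix, mac):
    """Stateless address: a /64 prefix followed by the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addresses need a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def solicited_node(addr):
    """FF02::1:FFxx:xxxx, built from the low 24 bits of the target address."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    return ipaddress.IPv6Address(bytes.fromhex("ff02" + "00" * 9 + "01ff") + low24)


def joined_groups(addresses):
    """Multicast groups an interface joins: all-nodes plus one solicited-node group per address."""
    groups = {ALL_NODES} | {solicited_node(a) for a in addresses}
    return [str(g) for g in sorted(groups)]


def dad_probe(target):
    """NS sent for duplicate address detection: unspecified source, solicited-node
    destination, the tentative address as the target (step 1 of the page's procedure)."""
    return {"type": ICMPV6_NS, "src": "::", "dst": str(solicited_node(target)),
            "target": str(ipaddress.IPv6Address(target))}


def resolution_probe(own_addr, target):
    """NS node A multicasts to learn node B's link-layer address (address resolution)."""
    return {"type": ICMPV6_NS, "src": str(ipaddress.IPv6Address(own_addr)),
            "dst": str(solicited_node(target)), "target": str(ipaddress.IPv6Address(target))}


def dad_conflict(probe, my_addresses):
    """A node that already owns the probed target answers with an NA, so the tentative
    address is a duplicate; a node that does not own it stays silent."""
    mine = {ipaddress.IPv6Address(a) for a in my_addresses}
    return probe["type"] == ICMPV6_NS and ipaddress.IPv6Address(probe["target"]) in mine


if __name__ == "__main__":
    mac = "00-0f-e2-49-80-48"  # inferred from 2001::20F:E2FF:FE49:8048 on this page
    glob = address_from_prefix("2001::/64", mac)
    print(glob, joined_groups([glob, "3001::1", address_from_prefix("fe80::/64", mac)]))
    print(dad_probe("3001::1"), resolution_probe("3001::1", glob))
```

The group list reproduces the "Joined group address(es)" block of the page's display ipv6 interface output, and the DAD probe shows why a tentative address is never used as a destination.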

  • Page 717

    1-9
    Task / Remarks
    Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time: Optional
    Configuring the Hop Limit of ICMPv6 Reply Packets: Optional
    Displaying and Maintaining IPv6: Optional
    Configuring an IPv6 Unicast Address
    - An IPv6 address is required for a host to access an IPv6 network. A host can be assigned a global [...]

  • Page 718

    1-10
    To do... / Use the command... / Remarks
    Configure an IPv6 link-local address:
      Automatically generate a link-local address: ipv6 address auto link-local
      Manually assign a link-local address for an interface: ipv6 address ipv6-address link-local
    Remarks: Optional. By default, after an IPv6 site-local address or global unicast address is configured for an inte[...]

  • Page 719

    1-11
    Follow these steps to configure a static neighbor entry:
    To do... / Use the command... / Remarks
    Enter system view: system-view —
    Configure a static neighbor entry: ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number | interface interface-type interface-number } (Required)
    Configuring the maximum number of neighbors dynamic[...]

  • Page 720

    1-12
    Configuring the NS Interval
    After a device sends an NS message, if it does not receive a response within a specific period, the device will send another NS message. You can configure the interval for sending NS messages.
    Follow these steps to configure the NS interval:
    To do… / Use the command… / Remarks
    Enter system view: system-view [...]

  • Page 721

    1-13
    packets are received, the IPv6 TCP connection status becomes TIME_WAIT. If other packets are received, the finwait timer is reset from the last packet and the connection is terminated after the finwait timer expires.
    - Size of IPv6 TCP receiving/sending buffer.
    Follow these steps to configure IPv6 TCP properties:
    To do… / Use the command[...]

  • Page 722

    1-14
    To do… / Use the command… / Remarks
    Enter system view: system-view —
    Configure the hop limit of ICMPv6 reply packets: ipv6 nd hop-limit value (Optional; 64 by default)
    Displaying and Maintaining IPv6
    To do… / Use the command… / Remarks
    Display the FIB entries: display ipv6 fib
    Display the mapping between host name and IPv6 address: display ipv6 [...]

  • Page 723

    1-15
    IPv6 Configuration Example
    IPv6 Unicast Address Configuration
    Network requirements
    Two switches are directly connected through two Ethernet ports. The Ethernet ports belong to VLAN 2. Different types of IPv6 addresses are configured for the interface VLAN-interface 2 on each switch to verify the connectivity between the two switches. The [...]

  • Page 724

    1-16
    Global unicast address(es):
    2001::20F:E2FF:FE49:8048, subnet is 2001::/64
    3001::1, subnet is 3001::/64
    Joined group address(es):
    FF02::1:FF00:1
    FF02::1:FF49:8048
    FF02::1
    MTU is 1500 bytes
    ND DAD is enabled, number of DAD attempts: 1
    ND reachable time is 30000 milliseconds
    ND retransmit interval is 1000 milliseconds
    Hosts use stateless autoconf[...]

  • Page 725

    1-17
    Reply from FE80::20F:E2FF:FE00:1 bytes=56 Sequence=3 hop limit=255 time = 60 ms
    Reply from FE80::20F:E2FF:FE00:1 bytes=56 Sequence=4 hop limit=255 time = 70 ms
    Reply from FE80::20F:E2FF:FE00:1 bytes=56 Sequence=5 hop limit=255 time = 60 ms
    --- FE80::20F:E2FF:FE00:1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet l[...]

  • Page 726

    1-18
    0.00% packet loss
    round-trip min/avg/max = 50/60/70 ms[...]

  • Page 727

    2-1
    2 IPv6 Application Configuration
    When configuring IPv6 applications, go to these sections for information you are interested in:
    - Introduction to IPv6 Application
    - Configuring IPv6 Application
    - IPv6 Application Configuration Example
    - Troubleshooting IPv6 Application
    Introduction to IPv6 Application
    IPv6 is supporting more and more applicat[...]

  • Page 728

    2-2
    IPv6 Traceroute
    The traceroute ipv6 command is used to record the route of IPv6 packets from source to destination, so as to check whether the link is available and determine the point of failure.
    Figure 2-1 Traceroute process
    As Figure 2-1 shows, the traceroute process is as follows:
    - The source sends an IP datagram with the Hop Limit [...]

  • Page 729

    2-3
    To do… / Use the command… / Remarks
    Download/Upload files from TFTP server: tftp ipv6 remote-system [ -i interface-type interface-number ] { get | put } source-filename [ destination-filename ] (Required; available in user view)
    When you use the tftp ipv6 command to connect to the TFTP server, you must specify the “-i” keyword if the dest[...]

  • Page 730

    2-4
    Displaying and maintaining IPv6 Telnet
    To do… / Use the command… / Remarks
    Display the information of the users who have logged in: display users [ all ] (Available in any view)
    IPv6 Application Configuration Example
    IPv6 Applications
    Network requirements
    In Figure 2-3, SWA, SWB, and SWC are three switches, among which SWA is a 3com swit[...]

  • Page 731

    2-5
    bytes=56 Sequence=2 hop limit=64 time = 31 ms
    Reply from 3003::1 bytes=56 Sequence=3 hop limit=64 time = 31 ms
    Reply from 3003::1 bytes=56 Sequence=4 hop limit=64 time = 31 ms
    Reply from 3003::1 bytes=56 Sequence=5 hop limit=64 time = 31 ms
    --- 3003::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip[...]

  • Page 732

    2-6
    Solution
    - Check that the IPv6 addresses are configured correctly.
    - Use the display ipv6 interface command to verify that the interfaces of the source and the destination and the link-layer protocol between them are up.
    - Use the display ipv6 route-table command to verify that the destination is reachable.
    - Use the ping ipv6 -t timeout { des[...]

  • Page 733

    i Table of Contents
    1 Access Management Configuration 1-1
    Access Management Overview [...]

  • Page 734

    1-1
    1 Access Management Configuration
    When configuring access management, go to these sections for information you are interested in:
    - Access Management Overview
    - Configuring Access Management
    - Access Management Configuration Examples
    Access Management Overview
    Normally, client PCs in a network are connected to switches operating on t[...]

  • Page 735

    1-2
    - A port without an access management IP address pool configured allows the hosts to access external networks only if their IP addresses are not in the access management IP address pools of other ports of the switch.
    Note that the IP addresses in the access management IP address pool configured on a port must be in the same network s[...]

  • Page 736

    1-3
    Access Management Configuration Examples
    Access Management Configuration Example
    Network requirements
    Client PCs are connected to the external network through Switch A (an Ethernet switch). The IP addresses of the PCs of Organization 1 are in the range 202.10.20.1/24 to 202.10.20.20/24. The IP address of PC 2 is 202.10.20.100/24, [...]

  • Page 737

    1-4
    [Sysname-Ethernet1/0/1] am ip-pool 202.10.20.1 20
    Combining Access Management with Port Isolation
    Network requirements
    Client PCs are connected to the external network through Switch A (an Ethernet switch). The IP addresses of the PCs of Organization 1 are in the range 202.10.20.1/24 to 202.10.20.20/24, and those of the PCs in Org[...]

  • Page 738

    1-5
    # Set the IP address of VLAN-interface 1 to 202.10.20.200/24.
    [Sysname] interface Vlan-interface 1
    [Sysname-Vlan-interface1] ip address 202.10.20.200 24
    [Sysname-Vlan-interface1] quit
    # Configure the access management IP address pool on Ethernet 1/0/1.
    [Sysname] interface Ethernet 1/0/1
    [Sysname-Ethernet1/0/1] am ip-pool 202.10.[...]
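The access management rules described above (a port with a pool admits only pool members; a port without one admits any host whose address is not in another port's pool), as an added example that is not part of the manual: a Python model that evaluates whether a host on a given port may reach external networks, using the page's own pool (am ip-pool 202.10.20.1 20, read here as a start address plus a count of 20) and the VLAN-interface 1 address 202.10.20.200/24. The second port name and the host addresses tested are constructed, and "same network" is assumed to mean the VLAN interface's subnet.

```python
import ipaddress


class AccessManagement:
    """Per-port access management IP address pools, as described on this page."""

    def __init__(self, vlan_interface_cidr):
        # assumption: "the same network" for a pool means the VLAN interface's subnet
        self.network = ipaddress.IPv4Interface(vlan_interface_cidr).network
        self.pools = {}  # port name -> list of (first address as int, count)

    def am_ip_pool(self, port, start, count=1):
        """am ip-pool <start> [<count>]: the pool covers start .. start + count - 1."""
        first = ipaddress.IPv4Address(start)
        last = first + (count - 1)
        if first not in self.network or last not in self.network:
            raise ValueError(f"pool {first}-{last} lies outside {self.network}")
        self.pools.setdefault(port, []).append((int(first), count))

    def _in_pool(self, port, ip):
        return any(first <= ip < first + count for first, count in self.pools.get(port, []))

    def allows(self, port, host_ip):
        """May a host using this source IP on this port reach external networks?"""
        ip = int(ipaddress.IPv4Address(host_ip))
        if port in self.pools:  # port with a pool: only addresses in its pool pass
            return self._in_pool(port, ip)
        # port without a pool: pass unless the address belongs to another port's pool
        return not any(self._in_pool(p, ip) for p in self.pools if p != port)


def page_scenario():
    """Organization 1 (202.10.20.1-202.10.20.20) on Ethernet1/0/1; PC 2 (202.10.20.100)
    on a second, constructed port Ethernet1/0/2 that has no pool configured."""
    am = AccessManagement("202.10.20.200/24")
    am.am_ip_pool("Ethernet1/0/1", "202.10.20.1", 20)
    return {
        "org1_pc_on_its_port": am.allows("Ethernet1/0/1", "202.10.20.10"),
        "pc2_on_org1_port": am.allows("Ethernet1/0/1", "202.10.20.100"),
        "pc2_on_own_port": am.allows("Ethernet1/0/2", "202.10.20.100"),
        # an Organization 1 address presented on another port is refused
        "org1_address_from_other_port": am.allows("Ethernet1/0/2", "202.10.20.5"),
        "pool_edge": (am.allows("Ethernet1/0/1", "202.10.20.20"),
                      am.allows("Ethernet1/0/1", "202.10.20.21")),
    }


if __name__ == "__main__":
    for name, verdict in page_scenario().items():
        print(f"{name}: {'allowed' if verdict else 'denied'}")
```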

  • Page 739

    i Table of Contents
    Appendix A Acronyms A-1[...]

  • Page 740

    A-1
    Appendix A Acronyms
    A
    AAA: Authentication, Authorization and Accounting
    ABR: Area Border Router
    ACL: Access Control List
    ARP: Address Resolution Protocol
    AS: Autonomous System
    ASBR: Autonomous System Border Router
    B
    BDR: Backup Designated Router
    C
    CAR: Committed Access Rate
    CLI: Command Line Interface
    CoS: Class of Service
    D
    DHCP: Dynamic Host Configur[...]

  • Page 741

    A-2
    LSDB: Link State DataBase
    M
    MAC: Medium Access Control
    MIB: Management Information Base
    N
    NBMA: Non Broadcast MultiAccess
    NIC: Network Information Center
    NMS: Network Management System
    NTP: Network Time Protocol
    NVRAM: Nonvolatile RAM
    O
    OSPF: Open Shortest Path First
    P
    PIM: Protocol Independent Multicast
    PIM-DM: Protocol Independent Multicast-Dense Mo[...]

  • Page 742

    A-3
    VPN: Virtual private network
    W
    WRR: Weighted Round Robin
    X
    XID: eXchange Identification
    XRN: eXpandable Resilient Networking[...]