HP FlexNetwork NJ5000 User Manual


HPE FlexNetwork NJ5000 5G PoE+ Walljack
Switch

User Guide

Part number: 5998-7332R
Software version: Release 1108
Document version: 6W101-20161012


Summary of Contents for HP FlexNetwork NJ5000

  • Page 1: User Guide

    HPE FlexNetwork NJ5000 5G PoE+ Walljack Switch User Guide Part number: 5998-7332R Software version: Release 1108 Document version: 6W101-20161012...
  • Page 2 © Copyright 2016 Hewlett Packard Enterprise Development LP The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
  • Page 3: Table Of Contents

    Contents Overview ········································································································· 1   Accessing the Web interface ····························································································································· 1   Restrictions and guidelines for Web-based login ······················································································· 1   Logging in to the Web interface for the first time ························································································ 4   Logging out of the Web interface ··············································································································· 5  ...
  • Page 4 System time configuration example ················································································································· 38   Network requirements ······························································································································ 38   Configuring the system time ····················································································································· 38   Verifying the configuration ························································································································ 39   Configuration guidelines ·································································································································· 39   Configuring syslog ························································································ 40   Displaying syslogs ··········································································································································· 40   Setting the log host ··········································································································································...
  • Page 5 Configuring the flow interval ·········································································· 68   Viewing port traffic statistics ····························································································································· 68   Configuring RMON ························································································ 69   Overview ·························································································································································· 69   Working mechanism ································································································································· 69   RMON groups ·········································································································································· 69   RMON configuration task list ··························································································································· 70   Configuring a statistics entry ····················································································································...
  • Page 6 Configuring VLAN interfaces ······································································· 122   Overview ························································································································································ 122   Creating a VLAN interface ····························································································································· 122   Modifying a VLAN interface ··························································································································· 123   Deleting a VLAN interface ······························································································································ 125   Configuration guidelines ································································································································ 126   Configuring a voice VLAN ··········································································· 127  ...
  • Page 7 Enabling LLDP on ports ································································································································· 177   Setting LLDP parameters on ports ················································································································· 178   Setting LLDP parameters for a single port ····························································································· 178   Setting LLDP parameters for ports in batch ··························································································· 180   Configuring LLDP globally ····························································································································· 181  ...
  • Page 8 Network requirements ···························································································································· 224   Configuration procedure ························································································································· 225   Verifying the configuration ······················································································································ 227   Configuring IPv4 or IPv6 static routes ························································· 228   Creating an IPv4 static route ·························································································································· 228   Displaying the IPv4 active route table ············································································································ 229  ...
  • Page 9 802.1X configuration examples ······················································································ 266   MAC-based 802.1X configuration example ···························································································· 266   802.1X with ACL assignment configuration example ··············································································· 273   Configuring AAA ························································································· 282   Overview ························································································································································ 282   AAA application ······································································································································ 282   Domain-based user management ·········································································································· 283  ...
  • Page 10 PKI configuration example ····························································································································· 338   Configuration guidelines ································································································································ 342   Configuring MAC authentication ································································· 343   Overview ························································································································································ 343   User account policies ····························································································································· 343   Authentication methods ·························································································································· 343   MAC authentication timers ····················································································································· 343   Using MAC authentication with other features ······························································································· 344  ...
  • Page 11 Configuring a rule for a basic IPv4 ACL ································································································· 387   Configuring a rule for an advanced IPv4 ACL ························································································ 389   Configuring a rule for an Ethernet frame header ACL ············································································ 391   Adding an IPv6 ACL ······························································································································· 393  ...
  • Page 12 Index ··········································································································· 440  ...
  • Page 13: Overview

    Overview The HPE FlexNetwork NJ5000 5G PoE+ Walljack Switch provides a Web interface for visual configuration and management. The device also provides a command line interface (CLI) for device management when the Web interface is not available. This book focuses on configuring the switch from the Web interface, and does not provide information about accessing the CLI.
  • Page 14 Select the Security tab, and select the content zone where the target Website resides, as shown in Figure 1 (Internet Explorer settings (1)). Click Custom Level. In the Security Settings dialog box, enable Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting. Enable these settings only for the zone that contains the switch's management address (for example, Local intranet or Trusted sites), not for the Internet zone, so that arbitrary websites do not gain the same ActiveX permissions.
  • Page 15 Figure 2 Internet Explorer settings (2) Click OK to save your settings. Enabling JavaScript in a Firefox browser Launch the Firefox browser, and select Tools > Options. In the Options dialog box, click the Content icon, and select Enable JavaScript.
  • Page 16: Logging In To The Web Interface For The First Time

    Figure 3 Firefox browser settings Click OK to save your settings. Miscellaneous • The Web interface does not support the Back, Next, or Refresh button provided by the browser. Using these buttons might result in abnormal display of Web pages. •...
  • Page 17: Logging Out Of The Web Interface

    If the device is not connected to the network, or no DHCP server exists in the subnet where the device resides, you can derive the IP address of the device from the MAC address printed on the label on the device. The IP address is 169.254.xxx.xxx, where the last two octets are the decimal values of the last two bytes of the MAC address. If the MAC address is 08004E000102, the IP address would be 169.254.1.2.
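    The derivation above in code, as an added example that is not part of the guide: it takes the MAC address from the label in any of the common spellings (the plain 12-hex-digit form the guide uses, colon- or hyphen-separated octets, or the dotted form) and returns the 169.254.x.y address to type into the browser. The accepted label formats, the `ipaddress`-based check for the ranges RFC 3927 reserves inside 169.254.0.0/16, and the function names are assumptions of this example, not something the guide states.

```python
import ipaddress
import re

LINK_LOCAL_PREFIX = "169.254"

# RFC 3927 reserves the first and last /24 of 169.254.0.0/16. A MAC whose last two
# bytes land here yields an address ordinary link-local hosts never use, so flag it.
_RESERVED = (
    ipaddress.ip_network("169.254.0.0/24"),
    ipaddress.ip_network("169.254.255.0/24"),
)


def default_ip_from_mac(mac: str) -> str:
    """Return the factory address the guide describes: 169.254.<5th octet>.<6th octet>.

    Accepts 08004E000102, 08:00:4e:00:01:02, 08-00-4e-00-01-02 or 0800.4e00.0102;
    only the hex digits matter (assumption: any separator is tolerated).
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = [int(hexdigits[i:i + 2], 16) for i in range(0, 12, 2)]
    return f"{LINK_LOCAL_PREFIX}.{octets[4]}.{octets[5]}"


def is_rfc3927_reserved(ip: str) -> bool:
    """True if the derived address falls in a range RFC 3927 reserves."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _RESERVED)


if __name__ == "__main__":
    for label in ("08004E000102", "08:00:4e:00:01:02", "08004E00FF10"):
        ip = default_ip_from_mac(label)
        note = " (RFC 3927 reserved range)" if is_rfc3927_reserved(ip) else ""
        print(f"{label} -> {ip}{note}")
```

    Run it with the MAC from the label before walking to the switch; the reserved-range warning tells you to double-check the label rather than assume the address is wrong.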
  • Page 18: Using The Web Interface

    Using the Web interface The Web interface contains a navigation tree, a title area, and a body area, as shown in Figure 5 (Web interface layout: (1) Navigation tree (2) Body area (3) Title area). • Navigation tree—Organizes the Web-based NM functions as a navigation tree, where you can select and configure functions as needed.
  • Page 19: Page Display Function

    Icon/button Function Clears selection of all entries in a list. Buffers but does not apply the configuration of the current step, and enters the next configuration step. Buffers but does not apply the configuration of the current step, and returns to the previous configuration step. Applies the configurations of all configuration steps.
  • Page 20 Figure 8 Advanced search For example, to search the LLDP table for the LLDP entries with LLDP Work Mode TxRx, and LLDP Status Disabled: Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 9, and then click Apply.
  • Page 21: Sort Function

    Figure 11 Advanced search function example (3) Sort function The Web interface provides the sorting function on some list pages to display the entries in a certain order. On a list page, you can click the name of a column header in blue to sort the entries. An arrow will be displayed next to the column header you clicked, as shown in Figure 12.
  • Page 22: Feature Summary

    Feature summary This chapter provides the following information: • Feature menu navigators for the Web interface. • Information about features configurable from the CLI. Features configurable from the Web interface are also configurable from the CLI. Feature menu navigators for the Web interface This section summarizes features available from each menu on the Web interface.
  • Page 23: Device Menu

    Device menu Use Table 4 to navigate to the tasks you can perform from the Device menu. Table 4 Device menu navigator (Menus / Tasks / User level): Basic > System Name: Display and configure the system name. (Configure) Basic > Web Idle Timeout: Display and configure the idle timeout period for logged-in users. (Configure)
  • Page 24 Menus Tasks User level (continued): Setup: Create, modify, delete, and enable/disable a port, and clear port statistics. (Configure) Port Mirroring > Summary: Display the configuration information about a port mirroring group. (Monitor) Port Mirroring > Add: Create a port mirroring group. (Configure) Port Mirroring > Remove: Remove a port mirroring group. (Configure) Port Mirroring > Modify Port: Configure ports for a mirroring group. (Configure)
  • Page 25: Network Menu

    Menus Tasks User level (continued): SNMP > Community: Create, modify, and delete an SNMP community. (Management) SNMP > Group: Display SNMP group information; create, modify, and delete an SNMP group. (Management) SNMP > User: Display SNMP user information; create, modify, and delete an SNMP user. (Management) SNMP > Trap: Display the status of the SNMP trap function and information about target hosts. (Management)
  • Page 26 Menus Tasks User level (continued): Voice VLAN > Summary: Display voice VLAN information globally or on a port. (Monitor) Voice VLAN > Setup: Configure the global voice VLAN. (Configure) Voice VLAN > Port Setup: Configure a voice VLAN on a port. (Configure) Voice VLAN > OUI Summary: Display the addresses of the OUIs that can be identified by voice VLAN. (Monitor)
  • Page 27 Menus Tasks User level (continued): ...and the IGMP snooping multicast entry information. Configure IGMP snooping globally or in a VLAN. (Configure) IGMP Snooping > Advanced: Display the IGMP snooping configuration information on a port. (Monitor) Configure IGMP snooping on a port. (Configure) MLD Snooping: Display global MLD snooping configuration information or the MLD snooping configuration information in a VLAN. (Monitor)...
  • Page 28: Authentication Menu

    Menus Tasks User level (continued): IPv4 Trace Route: Perform IPv4 trace route operations. (Visitor) IPv6 Trace Route: Perform IPv6 trace route operations. (Visitor) Authentication menu Use Table 6 to navigate to the tasks you can perform from the Authentication menu. Table 6 Authentication menu navigator Menus Tasks User level...
  • Page 29: Security Menu

    Menus Tasks User level (continued): User Group: Display configuration information about user groups. (Monitor) Create, modify, and remove a user group. (Management) Certificate Management > Entity: Display information about PKI entities. (Monitor) Add, modify, and delete a PKI entity. (Configure) Certificate Management > Domain: Display information about PKI domains. (Monitor) Add, modify, and delete a PKI domain. (Configure)
  • Page 30 Menus Tasks User level (continued): Time Range > Summary: Display time range configuration information. (Monitor) Create a time range. (Configure) Time Range > Remove: Delete a time range. (Configure) ACL IPv4 > Summary: Display IPv4 ACL configuration information. (Monitor) Create an IPv4 ACL. (Configure) ACL IPv4 > Basic Setup: Configure a rule for a basic IPv4 ACL. (Configure) ACL IPv4 > Advanced Setup: Configure a rule for an advanced IPv4 ACL. (Configure)
  • Page 31: Poe Menu

    • Features configurable only from the CLI. This section describes only the commands that are peculiar to the HPE FlexNetwork NJ5000 5G PoE+ Walljack Switch. To obtain information about all available commands, enter a question mark (?) at the CLI of the switch. For more information about using the CLI and the commands, see the configuration guides and command references for HP 5120 EI switches.
  • Page 32: Manage-Mode

    Table 10 Commands for features peculiar to the HPE FlexNetwork NJ5000 5G PoE+ Walljack Switch (Command / Task): manage-mode on, undo manage-mode on: Set the device operating mode to management or unmanagement. poe force-power gigabitethernet ...: Forcibly allocate power to a pair of PoE interfaces (PIs).
  • Page 33: Poe Legacy Enable

    Views System view Default command level 2: System level Parameters gigabitethernet interface-number1: Specifies PI 1 by its interface number. Valid interface numbers are 1/0/3 and 1/0/4. power1: Specifies the amount of power to be allocated to PI 1. The value range is 1000 mW to 17000 mW. gigabitethernet interface-number2: Specifies PI 2 by its interface number.
  • Page 34 Examples # Enable the PD compatibility check feature. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] poe legacy enable...
  • Page 35: Configuration Wizard

    Configuration wizard The configuration wizard guides you through configuring the basic service parameters, including the system name, system location, contact information, and management IP address. Basic service setup Entering the configuration wizard homepage Select Wizard from the navigation tree. Figure 13 Configuration wizard homepage Configuring system parameters On the wizard homepage, click Next.
  • Page 36: Configuring Management Ip Address

    Figure 14 System parameter configuration page Configure the parameters as described in Table 11. Table 11 Configuration items (Item / Description): Sysname: Specify the system name. The system name appears at the top of the navigation tree. You can also set the system name in the System Name page you enter by selecting Device >...
  • Page 37 Figure 15 Management IP address configuration page Configure the parameters as described in Table 12. Table 12 Configuration items (Item / Description): Select VLAN Interface: Select a VLAN interface. Available VLAN interfaces are those configured in the page that you enter by selecting Network > VLAN Interface and selecting the Create tab. The IP address of a VLAN interface can be used as the management IP address to...
  • Page 38: Finishing Configuration Wizard

    Item Description DHCP/BOOTP: Configure how the VLAN interface obtains an IPv4 address: • DHCP—Select the option for the VLAN interface to get an IP address through DHCP. • BOOTP—Select the option for the VLAN interface to get an IP address through BOOTP.
  • Page 39 Figure 16 Configuration complete...
  • Page 40: Displaying System And Device Information

    Displaying system and device information Displaying system information Select Summary from the navigation tree to enter the System Information page to view the basic system information, system resource state, and recent system logs. Figure 17 System information Displaying basic system information Table 13 Field description Item Description...
  • Page 41: Displaying The System Resource State

    Displaying the system resource state The System Resource State area displays the most recent CPU usage, memory usage, and temperature. Displaying recent system logs Table 14 Field description Field Description Time Time when the system logs were generated. Level Severity of the system logs. Description Description for the system logs.
  • Page 42 Figure 18 Device information To set the interval for refreshing device information, select one of the following options from the Refresh Period list: • If you select a certain period, the system refreshes device information at the specified interval. • If you select Manual, the system refreshes device information only when you click the Refresh button.
  • Page 43: Configuring Basic Device Settings

    Configuring basic device settings The device basic information feature provides the following functions: • Set the system name of the device. The configured system name is displayed on the top of the navigation bar. • Set the idle timeout period for logged-in users. The system logs an idle user off the Web interface for security purposes after the configured period.
  • Page 44: Maintaining Devices

    Maintaining devices Software upgrade CAUTION: Software upgrade takes some time. Avoid performing any operation on the Web interface during the upgrading procedure. Otherwise, the upgrade operation may be interrupted. A boot file, also known as the system software or device software, is an application file used to boot the device.
  • Page 45: Device Reboot

    Item Description ...slave boards at one time. The NJ5000 5G PoE+ switch does not support this option. Reboot after the upgrade finished: Specify whether to reboot the device to make the upgraded software take effect after the application file is uploaded. Device reboot CAUTION: •...
  • Page 46: Diagnostic Information

    Figure 23 Electronic label Diagnostic information Each functional module has its own running information. Generally, you view the output for each module one by one. To receive as much information as possible in one operation during daily maintenance or when system failure occurs, the diagnostic information module allows you to save the running statistics of multiple functional modules to a file named default.diag, and then you can locate problems faster by checking this file.
  • Page 47: Configuring System Time

    Configuring system time Overview You must configure a correct system time so that the device can operate correctly with other devices. The system time module allows you to display and set the device system time on the Web interface. You can set the system time through manual configuration or network time protocol (NTP) automatic synchronization.
  • Page 48: Configuring System Time By Using Ntp

    Enter the system date and time in the Time field, or select the date and time in the calendar. To set the time on the calendar page, select one of the following methods: Click Today. The date setting in the calendar is synchronized to the current local date configuration, and the time setting does not change.
  • Page 49: Configuring The Time Zone And Daylight Saving Time

    Item Description NTP Server 1/Reference Key: Specify the IP address of an NTP server, and configure the authentication key ID used for the association with the NTP server. The device synchronizes its time to the NTP server only if the key provided by the server is the same as the specified key.
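    What "the key provided by the server is the same as the specified key" means on the wire, as an added example that is not from the guide: NTP symmetric-key authentication (RFC 5905, in the MD5 form ntpd implements) appends a 4-byte key ID and a 16-byte digest computed over key || 48-byte header to each packet, and the receiver recomputes the digest with whatever key it holds under that ID. The guide does not describe the device's digest construction, so treating it as the ntpd scheme is an assumption; the packet builder, key ring, key string and function names below are this example's, and nothing is sent on the network.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def ntp_client_header(transmit_time: Optional[float] = None, version: int = 4) -> bytes:
    """Build a minimal 48-byte NTP client request (LI=0, mode=3).

    Every field except the transmit timestamp is zero, as in a plain client poll.
    """
    if transmit_time is None:
        transmit_time = time.time()
    li_vn_mode = (0 << 6) | (version << 3) | 3
    seconds = int(transmit_time) + NTP_EPOCH_OFFSET
    fraction = int((transmit_time - int(transmit_time)) * (1 << 32)) & 0xFFFFFFFF
    # stratum=0, poll=6, precision=-20, then nine zero words (root delay, root
    # dispersion, reference id, reference/origin/receive timestamps), then transmit ts.
    return struct.pack("!BBBb11I", li_vn_mode, 0, 6, -20, *([0] * 9), seconds, fraction)


def ntp_md5_mac(key: bytes, header: bytes) -> bytes:
    """Symmetric-key digest as ntpd computes it: MD5 over key || packet header."""
    return hashlib.md5(key + header).digest()


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the authenticator (key id + digest) that the peer will check."""
    return header + struct.pack("!I", key_id) + ntp_md5_mac(key, header)


def verify(packet: bytes, trusted_keys: Dict[int, bytes]) -> Tuple[bool, str]:
    """Accept only a packet whose key id is trusted and whose digest matches that key.

    An unauthenticated packet is rejected outright, which is what the guide's
    "synchronizes only if the key ... is the same" rule requires.
    """
    if len(packet) < NTP_HEADER_LEN + 4 + 16:
        return False, "no authenticator present"
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    digest = packet[NTP_HEADER_LEN + 4:NTP_HEADER_LEN + 20]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"key id {key_id} is not trusted"
    if not hmac.compare_digest(ntp_md5_mac(key, header), digest):
        return False, f"digest mismatch for key id {key_id}"
    return True, "authenticated"


if __name__ == "__main__":
    KEY_ID, SHARED_KEY = 1, b"example-ntp-key"  # constructed for this example
    request = sign(ntp_client_header(), KEY_ID, SHARED_KEY)
    print(verify(request, {KEY_ID: SHARED_KEY}))    # (True, 'authenticated')
    print(verify(request, {KEY_ID: b"wrong-key"}))  # rejected: digest mismatch
    print(verify(request, {2: SHARED_KEY}))         # rejected: key id 1 not trusted
    print(verify(request[:NTP_HEADER_LEN], {KEY_ID: SHARED_KEY}))  # rejected: no MAC
```

    The same check runs in both directions: the server validates the client's request with the key under the sent ID, and the client validates the reply the same way, which is why both Device A and Switch B in the configuration example must hold the same key under the same ID. MD5 here is a keyed integrity check, not a signature; ntpd also supports SHA-1 with a 20-byte digest, which this example does not parse.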
  • Page 50: System Time Configuration Example

    Figure 30 Setting the daylight saving time System time configuration example Network requirements As shown in Figure • The local clock of Device A is set as the reference clock. • Switch B operates in client mode, and uses Device A as the NTP server. Configure NTP authentication on Device A and Switch B so that Switch B synchronizes to Device A.
  • Page 51: Verifying The Configuration

    Figure 32 Configuring Device A as the NTP server of Switch B Verifying the configuration After the configuration, verify that Device A and Switch B have the same system time. Configuration guidelines When you configure the system time, follow these guidelines: •...
  • Page 52: Configuring Syslog

    Configuring syslog System logs record network and device information, including running status and configuration changes. With system logs, administrators can take corresponding actions against network problems and security problems. The system sends system logs to the following destinations: • Console •...
  • Page 53: Setting The Log Host

    Field Description Source: Displays the module that generated the system log. Level: Displays the severity level of the system log. The information is classified into eight levels by severity: • Emergency—The system is unusable. • Alert—Action must be taken immediately. • Critical—Critical condition.
  • Page 54: Setting Buffer Capacity And Refresh Interval

    Table 19 Configuration items (Item / Description): IPv4/Domain Loghost IP/Domain: Specify the IPv4 address or domain name of the log host. IPv6 Loghost IP: Set the IPv6 address of the log host. IMPORTANT: You can specify up to four log hosts. Setting buffer capacity and refresh interval Select Device >...
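    A log-host-side illustration for the Level field and the log host settings above, added here and not taken from the guide: the severity the Level field shows travels in the syslog PRI (facility * 8 + severity), so a receiver can parse and filter on it without trusting the free-text part of the message. The parser handles the RFC 3164 PRI and a Comware-style `%%10MODULE/severity/MNEMONIC(l):` body; the sample lines, module names, mnemonics, timestamps and addresses are constructed for the example and are not real output from the switch.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Eight syslog severities; index is the numeric severity (0 = Emergency ... 7 = Debug).
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Assumed Comware-style body: %%10MODULE/level/MNEMONIC(l): text
_BODY_RE = re.compile(
    r"%%\d\d(?P<module>[A-Z0-9]+)/(?P<level>[0-7])/(?P<mnemonic>[A-Z0-9_]+)\([a-z]\):\s*(?P<text>.*)"
)
_SRC_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample traffic, as a log host might receive it from the switch.
SAMPLE_LINES = [
    "<188>Oct 12 2016 10:15:02 NJ5000 %%10SHELL/4/SHELL_LOGINFAIL(l): user admin failed to log in from 192.0.2.10",
    "<188>Oct 12 2016 10:15:04 NJ5000 %%10SHELL/4/SHELL_LOGINFAIL(l): user admin failed to log in from 192.0.2.10",
    "<190>Oct 12 2016 10:15:30 NJ5000 %%10SHELL/6/SHELL_LOGIN(l): user admin logged in from 192.0.2.10",
    "<189>Oct 12 2016 10:16:00 NJ5000 %%10CFGMAN/5/CFGMAN_CFGCHANGE(l): configuration changed",
    "<187>Oct 12 2016 10:16:10 NJ5000 %%10DEV/3/BOARD_TEMP(l): temperature too high",
    "not a syslog line at all",
]


def parse(line: str) -> Optional[Dict[str, object]]:
    """Split PRI into facility/severity and pull out the Comware-style fields if present."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 0..23 * 8 + severity 0..7
        return None
    facility, severity = divmod(pri, 8)
    rec: Dict[str, object] = {
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "body": m.group(2),
    }
    body = _BODY_RE.search(m.group(2))
    if body:
        rec.update(body.groupdict())
        rec["level"] = int(body.group("level"))
    return rec


def alerts(lines: Iterable[str], max_severity: int = 4) -> List[Dict[str, object]]:
    """Keep messages at Warning (4) or more severe; lower numbers are more severe."""
    return [r for r in map(parse, lines) if r is not None and r["severity"] <= max_severity]


def failed_logins_by_source(lines: Iterable[str]) -> Counter:
    """Count login failures per source address, a simple brute-force indicator."""
    counts: Counter = Counter()
    for rec in map(parse, lines):
        if rec and rec.get("mnemonic") == "SHELL_LOGINFAIL":
            src = _SRC_RE.search(str(rec["text"]))
            counts[src.group(1) if src else "unknown"] += 1
    return counts


if __name__ == "__main__":
    for rec in alerts(SAMPLE_LINES):
        print(rec["severity_name"], rec.get("module"), rec.get("mnemonic"), rec.get("text"))
    print(failed_logins_by_source(SAMPLE_LINES))
```

    Feeding the log host this way matters because the switch keeps only a bounded in-memory buffer (the buffer capacity setting that follows); once an attacker can log in, local logs are theirs to clear, while copies already shipped to a log host are not.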
  • Page 55: Managing The Configuration

    Managing the configuration You can back up, restore, save, or reset the device configuration. Backing up the configuration Configuration backup allows you to do the following: • Open and view the configuration files for the next startup, including the .cfg file and .xml file. •...
  • Page 56: Saving The Configuration

    Figure 37 Restoring the configuration Click the upper Browse button. The file upload dialog box appears. Select the .cfg file to be uploaded, and click OK. Click the lower Browse button. The file upload dialog box appears. Select the .xml file to be uploaded, and click OK. Saving the configuration You save the running configuration to both the .cfg configuration file and .xml configuration file that will be used at the next startup.
  • Page 57: Resetting The Configuration

    a. Select Device > Configuration from the navigation tree. b. Click the Save tab. c. Click Save Current Settings. Resetting the configuration Resetting the configuration restores the device's factory defaults, deletes the current configuration files, and reboots the device. To reset the configuration: Select Device >...
  • Page 58: Managing Files

    Managing files The device requires a series of files for correct operation, including boot files and configuration files. These files are saved on the storage media. You can display files on the storage media, download, upload, or remove a file, or specify the main boot file. Displaying files Select Device >...
  • Page 59: Uploading A File

    Uploading a file IMPORTANT: Uploading a file takes some time. Hewlett Packard Enterprise recommends not performing any operation on the Web interface during the upload. Select Device > File Management from the navigation tree to enter the file management page (see Figure 40).
  • Page 60: Managing Ports

    Managing ports You can use the port management feature to set and view the operation parameters of a Layer 2 Ethernet port and an aggregate interface. • For a Layer 2 Ethernet port, these operation parameters include its state, speed, duplex mode, link type, PVID, description, MDI mode, flow control settings, MAC learning limit, and storm suppression ratios.
  • Page 61 Table 21 Configuration items (Item / Description): Port State: Enable or disable the port. Sometimes, after you modify the operation parameters of a port, you must disable and then enable the port to have the modifications take effect. Set the transmission speed of the port: •...
  • Page 62 Item Description ...the remote MDI mode. • When crossover cables are used, the local MDI mode must be the same as the remote MDI mode, or the MDI mode of at least one end must be set to auto. Flow Control: Enable or disable flow control on the port. With flow control enabled at both sides, when traffic congestion occurs on the ingress port, the ingress port sends a Pause frame notifying the egress port to temporarily...
  • Page 63: Displaying Port Operation Parameters

    Item Description the box below. • kbps—Sets the maximum number of kilobits of unicast traffic that can be forwarded on an Ethernet port per second. When you select this option, you must enter a number in the box below. Interface or interfaces that you have selected from the chassis front panel and the aggregate interface list below, for which you have set operation parameters.
  • Page 64: Port Management Configuration Example

    Figure 43 The Detail tab Port management configuration example Network requirements As shown in Figure • Server A, Server B, and Server C are connected to GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 of the switch, respectively. The rates of the network adapters of these servers are all 1000 Mbps.
  • Page 65: Configuring The Switch

    Configuring the switch As shown in Figure 45, set the speed of GigabitEthernet 1/0/4 to 1000 Mbps: Figure 45 Configuring the speed of GigabitEthernet 1/0/4 Batch configure the autonegotiation speed range on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 as 100 Mbps: a.
  • Page 66 Figure 46 Batch configuring the port speed Display the speed settings of ports: a. Click the Summary tab. b. Click the Speed button to display the speed information of all ports on the lower part of the page, as shown in Figure...
  • Page 67 Figure 47 Displaying the speed settings of ports...
  • Page 68: Configuring Port Mirroring

    Configuring port mirroring Port mirroring refers to the process of copying the packets passing through a port/VLAN/CPU to the monitor port connecting to a monitoring device for packet analysis. Terminology Mirroring source The mirroring source can be one or more monitored ports, called source ports. The device where the ports reside is called a "source device."...
  • Page 69: Configuration Restrictions And Guidelines

    Figure 48 Local port mirroring implementation As shown in Figure 48, the source port GigabitEthernet 1/0/1 and monitor port GigabitEthernet 1/0/2 reside on the same device. Packets of GigabitEthernet 1/0/1 are copied to GigabitEthernet 1/0/2, which then forwards the packets to the data monitoring device for analysis. Configuration restrictions and guidelines When you configure port mirroring, follow these restrictions and guidelines: •...
  • Page 70: Configuring A Mirroring Group

    Configuring a mirroring group From the navigation tree, select Device > Port Mirroring. Click Add to enter the page for adding a mirroring group. Figure 49 Adding a mirroring group Configure the mirroring group as described in Table 22. Click Apply. Table 22 Configuration items Item Description...
  • Page 71: Local Port Mirroring Configuration Example

    Figure 50 Modifying ports Configure ports for the mirroring group as described in Table 23. Click Apply. A progress dialog box appears. After the success notification appears, click Close. Table 23 Configuration items (Item / Description): Mirroring Group: ID of the mirroring group to be configured. The available groups were added previously.
  • Page 72: Configuration Procedure

    Figure 51 Network diagram Configuration procedure Adding a local mirroring group From the navigation tree, select Device > Port Mirroring. Click Add to enter the page for adding mirroring groups as shown in Figure 52 (Adding a local mirroring group). Enter 1 for Mirroring Group ID, and select Local from the Type list.
  • Page 73 Select 1 (GigabitEthernet 1/0/1) and 2 (GigabitEthernet 1/0/2) on the chassis front panel. Figure 53 Configuring the source ports Click Apply. A configuration progress dialog box appears. After the success notification appears, click Close. Configuring GigabitEthernet 1/0/3 as the monitor port Click Modify Port.
  • Page 74: Managing Users

    Managing users The user management function allows you to do the following: • Add a local user, and specify the password, access level, and service types for the user. • Set the super password for non-management level users to switch to the management level.
  • Page 75: Setting The Super Password

    Item Description Confirm Password: Enter the same password again. Password Encryption: Select the password encryption type: • Reversible—Uses a reversible encryption algorithm. The ciphertext password can be decrypted to get the plaintext password. • Irreversible—Uses an irreversible encryption algorithm. The ciphertext password cannot be decrypted to get the plaintext password. A reversibly encrypted password in a backed-up configuration file can be turned back into plaintext by anyone who can read the file and knows the device's algorithm, so choose Irreversible unless a feature you depend on specifically requires the plaintext.
  • Page 76: Switching To The Management Level

    Item Description password cannot be decrypted to get the plaintext password. Switching to the management level A non-management level user can switch to the management level after providing the correct super password. The level switching operation does not change the access level setting for the user. When the user logs in to the Web interface again, the access level of the user is still the level set for the user.
  • Page 77: Configuring A Loopback Test

    Configuring a loopback test You can check whether an Ethernet port operates correctly by performing an Ethernet port loopback test. During the test, the port cannot forward data packets correctly. Ethernet port loopback tests are of the following types: • Internal loopback test—Establishes a self loop in the switching chip and checks whether there is a chip failure related to the functions of the port.
  • Page 78 Figure 59 Loopback test result...
  • Page 79: Configuring Vct

    Configuring VCT Overview You can use the Virtual Cable Test (VCT) function to check the status of the cable connected to an Ethernet port on the device. The result is returned in less than 5 seconds. The test covers whether a short circuit or open circuit occurs on the cable and the length of the faulty cable.
  • Page 80: Configuring The Flow Interval

    Configuring the flow interval With the flow interval module, you can view the number of packets and bytes sent and received by a port, and the bandwidth use of the port over the specified interval. Viewing port traffic statistics Select Device > Flow interval from the navigation tree. By default, the Port Traffic Statistics tab is displayed.
  • Page 81: Configuring Rmon

    Configuring RMON Overview Remote Network Monitoring (RMON) is an enhancement to SNMP. It enables proactive remote monitoring and management of network devices and subnets. An RMON monitor periodically or continuously collects traffic statistics for the network attached to a port on the managed device. The managed device can automatically send a notification when a statistic crosses an alarm threshold, so the NMS does not need to constantly poll MIB variables and compare the results.
  • Page 82: Rmon Configuration Task List

    Event group The event group defines event indexes and controls the generation and notifications of the events triggered by the alarms defined in the alarm group and the private alarm group. The events can be handled in one of the following ways: •...
  • Page 83 • A statistics object of the history group is the variable defined in the history record table, and the recorded content is a cumulative sum of the variable in each period. Perform the tasks in Table to configure RMON history statistics function. Table 26 RMON statistics group configuration task list Task Remarks...
  • Page 84: Configuring A Statistics Entry

    Task Remarks log the event, send a trap to the NMS, take no action, and log the event and send a trap to the NMS. IMPORTANT: You cannot create an entry if the values of the specified alarm variable, sampling interval, sampling type, rising threshold and falling threshold are identical to those of an existing entry in the system.
  • Page 85: Configuring A History Entry

    Figure 64 Adding a statistics entry. Configure a statistics entry as described in Table. Click Apply. Table 30 Configuration items. Interface Name: Select the name of the interface on which the statistics entry is created. Only one statistics entry can be created on one interface. Owner: Set the owner of the statistics entry.
  • Page 86: Configuring An Event Entry

    Figure 66 Adding a history entry Configure a history entry as described in Table Click Apply. Table 31 Configuration items Item Description Interface Name Select the name of the interface on which the history entry is created. Set the capacity of the history record list corresponding to this history entry (the maximum number of records that can be saved in the history record list).
  • Page 87: Configuring An Alarm Entry

    Click Add. Figure 68 Adding an event entry Configure an event entry as described in Table Click Apply. Table 32 Configuration items Item Description Description Set the description for the event. Owner Set the entry owner. Set the actions that the system takes when the event is triggered: •...
  • Page 88 Figure 70 Adding an alarm entry. Configure an alarm entry as described in Table. Click Apply. Table 33 Configuration items. Static Item: Alarm variable: Set the traffic statistics that are collected and monitored. For more information, see Table. Interface Name: Set the name of the interface whose traffic statistics are collected and monitored.
  • Page 89: Displaying Rmon Statistics

    Item Description. If you select the Create Default Event box, this option is not configurable. Falling Threshold: Set the alarm falling threshold. Falling Event: Set the action that the system takes when the value of the alarm variable is lower than the alarm falling threshold. If you select the Create Default Event box, this option is not configurable.
  • Page 90: Displaying Rmon History Sampling Information

    Field Description. etherStatsCRCAlignErrors. Number of Received Packets Smaller Than 64 Bytes: Total number of undersize packets (shorter than 64 octets) received by the interface, corresponding to the MIB node etherStatsUndersizePkts. Number of Received Packets Larger Than 1518 Bytes: Total number of oversize packets (longer than 1518 octets) received by the interface, corresponding to the MIB node etherStatsOversizePkts.
  • Page 91 Figure 72 RMON history sampling information. Table 35 Field description. Number of the entry in the system buffer. Statistics are numbered chronologically when they are saved to the system buffer. Time: Time at which the information is saved. DropEvents: Dropped packets during the sampling period, corresponding to the MIB node etherHistoryDropEvents.
  • Page 92: Displaying Rmon Event Logs

    Displaying RMON event logs Select Device > RMON from the navigation tree. Click the Log tab. Figure 73 Log tab In this example, event 1 has generated one log, which is triggered because the alarm value (11779194) exceeds the rising threshold (10000000). The sampling type is absolute. RMON configuration example Network requirements As shown in...
  • Page 93 Figure 75 Adding a statistics entry Display RMON statistics for GigabitEthernet 1/0/1: a. Click the icon corresponding to GigabitEthernet 1/0/1. b. Display this information as shown in Figure Figure 76 Displaying RMON statistics Create an event to start logging after the event is triggered: a.
  • Page 94 Figure 77 Configuring an event group Figure 78 Displaying the index of an event entry Configure an alarm group to sample received bytes on GigabitEthernet 1/0/1. When the received bytes exceed the rising or falling threshold, logging is enabled: a. Click the Alarm tab. b.
  • Page 95 Figure 79 Configuring an alarm group Verifying the configuration After the above configuration, when the alarm event is triggered, you can display log information for event 1 on the Web interface. Select Device > RMON from the navigation tree. Click the Log tab. The log page appears.
  • Page 96: Configuring Energy Saving

    Configuring energy saving Energy saving enables a port to operate at the lowest transmission speed, disable PoE, or go down during a specific time range on certain days of a week. The port resumes when the effective time period ends. Configuring energy saving on a port Select Device >...
  • Page 97: Configuring Snmp

    Configuring SNMP This chapter provides an overview of the Simple Network Management Protocol (SNMP) and guides you through the configuration procedure. Overview SNMP is an Internet standard protocol widely used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics and interconnect technologies.
  • Page 98: Snmp Protocol Versions

    • Notifications—Includes traps and informs. The SNMP agent sends traps or informs to report events to the NMS. The difference between these two types of notification is that informs require acknowledgement but traps do not. The device supports only traps. SNMP protocol versions HPE devices support SNMPv1, SNMPv2c, and SNMPv3.
  • Page 99: Enabling Snmp Agent

    Task Remarks. The SNMP agent function is disabled by default. IMPORTANT: If SNMP agent is disabled, all SNMP agent-related configurations are removed. Configuring an SNMP view: Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.
  • Page 100 Figure 84 Setup tab. Configure SNMP settings on the upper part of the page as described in Table. Click Apply. Table 39 Configuration items. SNMP: Specify to enable or disable SNMP agent. Local Engine ID: Configure the local engine ID. The validity of a user after it is created depends on the engine ID of the SNMP agent.
  • Page 101: Configuring An Snmp View

    Configuring an SNMP view Creating an SNMP view Select Device > SNMP from the navigation tree. Click the View tab. The View tab appears. Figure 85 View tab Click Add. The Add View window appears. Figure 86 Creating an SNMP view (1) Type the view name.
  • Page 102: Adding Rules To An Snmp View

    Figure 87 Creating an SNMP view (2). Table 40 Configuration items. View Name: Set the SNMP view name. Rule: Select to exclude or include the objects in the view range determined by the MIB subtree OID and subtree mask. Set the MIB subtree OID (such as 1.4.5.3.1) or name (such as system).
  • Page 103: Configuring An Snmp Community

    Figure 88 Adding rules to an SNMP view Configure the parameters as described in Table Click Apply. NOTE: You can also click the icon corresponding to the specified view on the page as shown in Figure 85, and then you can enter the page to modify the view. Configuring an SNMP community Select Device >...
  • Page 104: Configuring An Snmp Group

    Figure 90 Creating an SNMP Community Configure the SNMP community as described in Table Click Apply. Table 41 Configuration items Item Description Community Name Set the SNMP community name. Configure SNMP NMS access right: • Read only—The NMS can perform read-only operations to the MIB objects when it uses this community name to access the agent.
  • Page 105: Configuring An Snmp User

    Click Add. The Add SNMP Group page appears. Figure 92 Creating an SNMP group Configure SNMP group as described in Table Click Apply. Table 42 Configuration items Item Description Group Name Set the SNMP group name. Select the security level for the SNMP group: •...
  • Page 106 Figure 93 SNMP user Click Add. The Add SNMP User page appears. Figure 94 Creating an SNMP user Configure the SNMP user as described in Table Click Apply. Table 43 Configuration items Item Description User Name Set the SNMP user name. Select the security level for the SNMP group.
  • Page 107: Configuring Snmp Trap Function

    Item Description. Group Name: Select an SNMP group to which the user belongs: • When the security level is NoAuth/NoPriv, you can select an SNMP group with no authentication no privacy. • When the security level is Auth/NoPriv, you can select an SNMP group with no authentication no privacy or authentication without privacy.
  • Page 108: Displaying Snmp Packet Statistics

    Click Add. The page for adding a target host of SNMP traps appears. Figure 96 Adding a target host of SNMP traps Configure the settings for the target host as described in Table Click Apply. Table 44 Configuration items Item Description Set the destination IP address.
  • Page 109: Snmpv1/V2C Configuration Example

    The page for displaying SNMP packet statistics appears. Figure 97 SNMP packet statistics SNMPv1/v2c configuration example Network requirements As shown in Figure 98, the NMS at 1.1.1.2/24 uses SNMPv1 or SNMPv2c to manage the switch (agent) at 1.1.1.1/24, and the switch automatically sends traps to report events to the NMS. Figure 98 Network diagram Configuring the agent Enable SNMP:...
  • Page 110 Figure 99 Configuring the SNMP agent Configure a read-only community: a. Click the Community tab. b. Click Add. The Add SNMP Community page appears. c. Enter public in the Community Name field, and select Read only from the Access Right list.
  • Page 111 Figure 101 Configuring an SNMP read and write community Enable SNMP traps: a. Click the Trap tab. The Trap tab page appears. b. Select Enable SNMP Trap. c. Click Apply. Figure 102 Enabling SNMP traps Configure a target host for SNMP traps: a.
  • Page 112: Snmpv3 Configuration Example

    Figure 103 Adding a trap target host Configuring the NMS The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform corresponding operations. To configure the NMS: Configure the SNMP version for the NMS as v1 or v2c. Create a read-only community and name it public.
  • Page 113 Configuring the agent Enable SNMP agent: a. Select Device > SNMP from the navigation tree. The SNMP configuration page appears. b. Select the Enable option, and select the v3 option. c. Click Apply. Figure 105 Configuring the SNMP agent Configure an SNMP view: a.
  • Page 114 Figure 107 Creating an SNMP view (2) Configure an SNMP group: a. Click the Group tab. b. Click Add. The page in Figure 108 appears. c. Type group1 in the Group Name field, select view1 from the Read View list, select view1 from the Write View list.
  • Page 115 d. Click Apply. Figure 109 Creating an SNMP user Enable SNMP traps: a. Click the Trap tab. The Trap tab page appears. b. Select Enable SNMP Trap. c. Click Apply. Figure 110 Enabling SNMP traps Configure a target host for SNMP traps: a.
  • Page 116 b. Select the IPv4/Domain option and type 1.1.1.2 in the following field, type user1 in the Security Name field, select v3 from the Security Model list, and select Auth/Priv from the Security Level list. c. Click Apply. Figure 111 Adding a trap target host Configuring the NMS The configuration on the NMS must be consistent with that on the agent.
  • Page 117: Displaying Interface Statistics

    Displaying interface statistics The interface statistics module displays statistics about the packets received and sent through interfaces. To display interface statistics, select Device > Interface Statistics from the navigation tree. Figure 112 Interface statistics display page Table 45 describes the fields on the page. Table 45 Field description Field Description...
  • Page 118: Configuring Vlans

    Configuring VLANs Overview Ethernet is a network technology based on the CSMA/CD mechanism. As the medium is shared, collisions and excessive broadcasts are common on an Ethernet. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into separate VLANs. VLANs are isolated from each other at Layer 2.
  • Page 119: Vlan Types

    IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 115. Figure 115 Position and format of VLAN tag A VLAN tag contains the following fields: • Tag protocol identifier (TPID)—The 16-bit TPID field indicates whether the frame is VLAN-tagged and is 0x8100 by default.
  • Page 120 unnecessary to separate different VLAN members. As shown in Figure 116, Device A is connected to common PCs that cannot recognize VLAN-tagged packets, and you must configure Device A's ports that connect to the PCs as access ports. • Trunk port—A trunk port can carry multiple VLANs to receive and send traffic for them. Except traffic from the port VLAN ID (PVID), traffic sent through a trunk port will be VLAN tagged.
  • Page 121: Restrictions And Guidelines

    • Make sure a port permits its PVID. Otherwise, when the port receives frames tagged with the PVID or untagged frames, the port drops these frames. Frame handling methods The following table shows how ports of different link types handle frames: Actions Access Trunk...
  • Page 122: Recommended Configuration Procedure For Assigning A Trunk Port To A Vlan

    Step Remarks. PVID. Selecting VLANs: Specify the range of VLANs available for selection during related operations. Configure a subset of all existing VLANs. This step is required before you perform operations on the Detail, ... The three Selecting VLANs operations produce the same result, and the latest operation takes effect. By default, an access port is an untagged member of...
  • Page 123: Recommended Configuration Procedure For Assigning A Hybrid Port To A Vlan

    Step Remarks. member of the specified VLANs. Modifying ports: Configure the tagged VLAN of the trunk port. Recommended configuration procedure for assigning a hybrid port to a VLAN. Step Remarks. Creating VLANs: Required. Create one or multiple VLANs. Optional. Configure the link type of the port as hybrid. To configure a trunk port as a hybrid port, first configure it as an access port.
  • Page 124: Creating Vlans

    Step Remarks port. Creating VLANs From the navigation tree, select Network > VLAN. Click Create. The page for creating VLANs appears. Enter the VLAN IDs, a VLAN ID range, or both. Click Create. Figure 117 Creating VLANs Table 46 Configuration items Item Description VLAN IDs...
  • Page 125: Setting The Pvid For A Port

    From the navigation tree, select Network > VLAN. Click Modify Port. Select the port that you want to configure on the chassis front panel. Select the Link Type option. Set the link type to access, hybrid, or trunk. Click Apply. A progress dialog box appears.
  • Page 126: Selecting Vlans

    Figure 119 Modifying the PVID for a port Selecting VLANs From the navigation tree, select Network > VLAN. The Select VLAN tab is displayed by default for you to select VLANs. Figure 120 Selecting VLANs Select the Display all VLANs option to display all VLANs, or select the Display a subnet of all configured VLANs option to enter the VLAN IDs to be displayed.
  • Page 127: Modifying A Vlan

    Modifying a VLAN From the navigation tree, select Network > VLAN. Click Modify VLAN. The page for modifying a VLAN appears. Figure 121 Modifying a VLAN Modify the member ports of a VLAN as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the dialog box prompts that the configuration succeeds.
  • Page 128: Modifying Ports

    Modifying ports From the navigation tree, select Network > VLAN. Click Modify Port. The page for modifying ports appears. Figure 122 Modifying ports Modify the VLANs of a port as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the dialog box prompts that the configuration succeeds.
  • Page 129: Vlan Configuration Example

    Item Description • You can configure a hybrid port as a tagged or untagged member of a VLAN only if the VLAN is an existing, static VLAN. VLAN configuration example Network requirements As shown in Figure 123, trunk port GigabitEthernet 1/0/1 of Switch A is connected to trunk port GigabitEthernet 1/0/1 of Switch B.
  • Page 130 Figure 124 Configuring GigabitEthernet 1/0/1 as a trunk port and its PVID as 100 Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100: a. From the navigation tree, select Network > VLAN. b. Click Create. The page for creating VLANs appears. c.
  • Page 131 Figure 125 Creating VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 Assign GigabitEthernet 1/0/1 to VLAN 100 as an untagged member: a. Click Select VLAN. The page for selecting VLANs appears. b. Select the option before Display a subnet of all configured VLANs, and enter 1-100 in the field.
  • Page 132 e. Select 100 – VLAN 0100 in the Please select a VLAN to modify: list, select the Untagged option, and select GigabitEthernet 1/0/1 on the chassis front device panel. f. Click Apply. A configuration progress dialog box appears. g. After the configuration process is complete, click Close. Figure 127 Assigning GigabitEthernet 1/0/1 to VLAN 100 as an untagged member Assign GigabitEthernet 1/0/1 to VLAN 2, and VLAN 6 through VLAN 50 as a tagged member: a.
  • Page 133: Configuring Switch B

    Figure 128 Assigning GigabitEthernet 1/0/1 to VLAN 2 and to VLANs 6 through 50 as a tagged member Configuring Switch B Configure Switch B in the same way Switch A is configured. (Details not shown.) Configuration guidelines When you configure VLANs, follow these guidelines: •...
  • Page 134: Configuring Vlan Interfaces

    Configuring VLAN interfaces Before creating a VLAN interface, you must create the corresponding VLAN in Network > VLAN. For more information, see "Configuring VLANs." Overview VLAN interfaces are virtual interfaces used for Layer 3 communication between different VLANs. They do not exist as physical entities on devices. A VLAN interface can also act as the management interface for a Layer 2 switch.
  • Page 135: Modifying A Vlan Interface

    Table 49 Configuration items. Input a VLAN ID: Enter the ID of the VLAN interface to be created. Before creating a VLAN interface, make sure the corresponding VLAN exists. DHCP: Configure the way in which the VLAN interface gets an IPv4 address.
  • Page 136 Figure 130 Modifying a VLAN interface. Modify a VLAN interface as described in Table. Click Apply. Table 50 Configuration items. Select VLAN Interface: Select the VLAN interface to be configured. The VLAN interfaces available for selection in the list are those created on the page for creating VLAN interfaces.
  • Page 137: Deleting A Vlan Interface

    Item Description. Auto / Manual: Configure the way in which the VLAN interface gets an IPv6 link-local address. Select the Auto or Manual option: • Auto—The device automatically assigns a link-local address to the VLAN interface according to the link-local address prefix (FE80::/64) and the link-layer address of the VLAN interface.
  • Page 138: Configuration Guidelines

    Figure 131 Deleting a VLAN interface Select the target VLAN, and click Remove Interface to delete the VLAN interface. To delete the IPv4 address or IPv6 link-local address of the VLAN interface, select the target VLAN, and then click Remove IP address. To delete the global unicast address of the VLAN interface, select the IPv6 address in the IPv6 Address area, and then click Remove.
  • Page 139: Configuring A Voice Vlan

    Configuring a voice VLAN Overview The voice technology is developing quickly, and more and more voice devices are in use. In broadband communities, data traffic and voice traffic are usually transmitted in the network at the same time. Usually, voice traffic needs higher priority than data traffic to reduce the transmission delay and packet loss ratio.
  • Page 140 IP phones connected in series access the network through the device and ports on the device simultaneously transmit both voice traffic and data traffic, as shown in Figure 132. When the voice VLAN works normally, if the system reboots, the system reassigns ports in automatic voice VLAN assignment mode to the voice VLAN after the reboot, ensuring that existing voice connections can work normally.
  • Page 141: Security Mode And Normal Mode Of Voice Vlans

    Port link type | Voice VLAN assignment mode supported for tagged voice traffic | Configuration requirements. Hybrid: Automatic and manual. In automatic mode, the PVID of the port cannot be the voice VLAN. In manual mode, configure the port to permit packets of the voice VLAN to pass through tagged.
  • Page 142: Recommended Voice Vlan Configuration Procedure

    In a safe network, you can configure the voice VLANs to operate in normal mode, reducing the consumption of system resources due to source MAC address checking. Hewlett Packard Enterprise recommends not transmitting both voice packets and non-voice packets in a voice VLAN. If you have to, first make sure that the voice VLAN security mode is disabled. Table 54 How a voice VLAN-enabled port processes packets in security/normal mode Voice VLAN operating Packet type...
  • Page 143: Configuring Voice Vlan Globally

    Step Remarks OUI list The system supports up to 8 OUI addresses. By default, the system is configured with two OUI addresses, as shown in Table Recommended configuration procedure for a port in manual voice VLAN assignment mode Step Remarks (Optional.) Configuring voice Configure the voice VLAN to operate in security mode and configure the aging...
  • Page 144: Configuring Voice Vlan On Ports

    Configuring voice VLAN on ports Select Network > Voice VLAN from the navigation tree. Click the Port Setup tab. Figure 135 Configuring voice VLAN on ports Configure the voice VLAN function for ports as described in Table Click Apply. Table 56 Configuration items Item Description Set the voice VLAN assignment mode of a port to:...
  • Page 145: Voice Vlan Configuration Examples

    Figure 136 Adding OUI addresses to the OUI list Add an OUI address to the list as described in Table Click Apply. Table 57 Configuration items Item Description OUI Address Set the source MAC address of voice traffic. Mask Set the mask length of the source MAC address. Description Set the description of the OUI address entry.
  • Page 146 Figure 137 Network diagram Configuring Switch A Create VLAN 2: a. Select Network > VLAN from the navigation tree. b. Click the Create tab. c. Enter VLAN ID 2. d. Click Create. Figure 138 Creating VLAN 2 Configure GigabitEthernet 1/0/1 as a hybrid port: a.
  • Page 147 Figure 139 Configuring GigabitEthernet 1/0/1 as a hybrid port Configure the voice VLAN function globally: a. Select Network > Voice VLAN from the navigation tree. b. Click the Setup tab. c. Select Enable in the Voice VLAN security list. d. Set the voice VLAN aging timer to 30 minutes. e.
  • Page 148 b. Select Auto in the Voice VLAN port mode list. c. Select Enable in the Voice VLAN port state list. d. Enter voice VLAN ID 2. e. Select GigabitEthernet 1/0/1 on the chassis front panel. f. Click Apply. Figure 141 Configuring voice VLAN on GigabitEthernet 1/0/1 Add OUI addresses to the OUI list: a.
  • Page 149: Configuring A Voice Vlan On A Port In Manual Voice Vlan Assignment Mode

    Figure 143 Displaying the current OUI list of the device Click the Summary tab, where you can view the current voice VLAN information. Figure 144 Displaying voice VLAN information Configuring a voice VLAN on a port in manual voice VLAN assignment mode Network requirements As shown in...
  • Page 150 Figure 145 Network diagram Configuring Switch A Create VLAN 2: a. Select Network > VLAN from the navigation tree. b. Click the Create tab. c. Enter VLAN ID 2. d. Click Create. Figure 146 Creating VLAN 2 Configure GigabitEthernet 1/0/1 as a hybrid port and configure its PVID as VLAN 2: a.
  • Page 151 Figure 147 Configuring GigabitEthernet 1/0/1 as a hybrid port Assign GigabitEthernet 1/0/1 to VLAN 2 as an untagged member: a. Select Network > VLAN from the navigation tree. b. Click the Modify Port tab. c. Select GigabitEthernet 1/0/1 from the chassis front panel. d.
  • Page 152 Figure 148 Assigning GigabitEthernet 1/0/1 to VLAN 2 as an untagged member Configure voice VLAN on GigabitEthernet 1/0/1: a. Select Network > Voice VLAN from the navigation tree. b. Click the Port Setup tab. c. Select Manual in the Voice VLAN port mode list. d.
  • Page 153 a. Click the OUI Add tab. b. Enter OUI address 0011-2200-0000. c. Select FFFF-FF00-0000 as the mask. d. Enter description string test. e. Click Apply. Figure 150 Adding OUI addresses to the OUI list Verifying the configuration When the preceding configurations are complete, the OUI Summary tab is displayed by default, as shown in Figure 151.
  • Page 154: Configuration Guidelines

    Figure 152 Displaying the current voice VLAN information Configuration guidelines When you configure the voice VLAN function, follow these guidelines: • To remove a VLAN functioning as a voice VLAN, disable its voice VLAN function first. • Only one VLAN is supported and only an existing static VLAN can be configured as the voice VLAN.
  • Page 155: Configuring The Mac Address Table

    Configuring the MAC address table MAC address configurations related to interfaces apply to Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces only. This document covers only the configuration of unicast MAC address entries, including static, dynamic, and blackhole entries. Overview To reduce single-destination packet flooding in a switched LAN, an Ethernet device uses a MAC address table to forward frames.
  • Page 156: Displaying And Configuring Mac Address Entries

    • Blackhole entries—Manually configured and never age out. They are configured for filtering out frames with specific source or destination MAC addresses. For example, to block all frames destined for a specific user for security concerns, you can configure the MAC address of this user as a blackhole MAC address entry.
  • Page 157: Setting The Aging Time Of Mac Address Entries

    Item Description. Port: Set the port to which the MAC address belongs. This port must belong to the specified VLAN. Setting the aging time of MAC address entries Select Network > MAC from the navigation tree. Click the Setup tab to enter the page for setting the MAC address entry aging time. Figure 155 Setting the aging time for MAC address entries Configure the aging time for MAC address entries as described in Table...
  • Page 158 Figure 156 Creating a static MAC address entry...
  • Page 159: Configuring Mstp

    Configuring MSTP Overview Spanning tree protocols eliminate loops in a physical link-redundant network by selectively blocking redundant links and putting them in a standby state. The recent versions of STP include the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP).
  • Page 160: Basic Concepts In Stp

    • Root path cost • Designated bridge ID (represented by device priority) • Designated port ID (represented by port name) Basic concepts in STP Root bridge A tree network must have a root bridge. The entire network contains only one root bridge, and all the other bridges in the network are called "leaf nodes".
  • Page 161: Calculation Process Of The Stp Algorithm

    Path cost Path cost is a reference value used for link selection in STP. STP calculates path costs to select the most robust links and block redundant links that are less robust, to prune the network into a loop-free tree. All the ports on the root bridge are designated ports.
  • Page 162 Table 60 Selecting the optimum configuration BPDU Step Actions Upon receiving a configuration BPDU on a port, the device compares the priority of the received configuration BPDU with that of the configuration BPDU generated by the port. It takes one of the following actions: •...
  • Page 163 Table 61 Initial state of each device (Device | Port name | BPDU of port): Device A | AP1 | {0, 0, 0, AP1}; Device A | AP2 | {0, 0, 0, AP2}; Device B | BP1 | {1, 0, 1, BP1}; Device B | BP2 | {1, 0, 1, BP2}; Device C | CP1 | {2, 0, 2, CP1}; Device C | CP2 | {2, 0, 2, CP2}. Configuration BPDUs comparison on each device.
  • Page 164 Device | Comparison process | Configuration BPDU on ports after comparison. ...will be replaced with the calculated configuration BPDU, which will be sent out periodically. • Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and it updates the configuration BPDU of CP1.
  • Page 165 Figure 159 The final calculated spanning tree The configuration BPDU forwarding mechanism of STP The configuration BPDUs of STP are forwarded according to these guidelines: • Upon network initiation, every device regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular hello interval. •...
  • Page 166: Introduction To Rstp

    Introduction to RSTP Developed based on the 802.1w standard of IEEE, RSTP is an optimized version of STP. It achieves rapid network convergence by allowing a newly elected root port or designated port to enter the forwarding state much faster than STP. If the old root port on the device has stopped forwarding data and the upstream designated port has started forwarding data, a newly elected RSTP root port rapidly enters the forwarding state.
  • Page 167 Figure 160 Basic concepts in MSTP MST region A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the network segments among them. All these devices have the following characteristics: • A spanning tree protocol enabled. •...
  • Page 168 VLAN-to-instance mapping table As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping relationships between VLANs and MSTIs. In Figure 160, the VLAN-to-instance mapping table of region A0 is: VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to CIST. MSTP achieves load balancing by means of the VLAN-to-instance mapping table.
  • Page 169 Figure 161 Port roles MSTP calculation involves the following port roles: • Root port—Forwards data for a non-root bridge to the root bridge. The root bridge does not have any root port. • Designated port—Forwards data to the downstream network segment or device. •...
  • Page 170: How Mstp Works

    Table 63 Port states supported by different port roles (Port state by port role: Root port/master port, Designated port, Boundary port, Alternate port, Backup port): Forwarding √ √ √ — —; Learning √ √ √ — —; Discarding √ √ √...
  • Page 171: Protocols And Standards

    Protocols and standards MSTP is documented in the following protocols and standards: • IEEE 802.1d, Spanning Tree Protocol • IEEE 802.1w, Rapid Spanning Tree Protocol • IEEE 802.1s, Multiple Spanning Tree Protocol Configuration guidelines When you configure MSTP, follow these guidelines: •...
  • Page 172: Configuring Mstp Globally

    Figure 162 MST region Click Modify. Figure 163 Configuring an MST region Configure the MST region information as described in Table 64, and click Apply. Table 64 Configuration items (Item: Description) Region Name: MST region name. The MST region name is the bridge MAC address of the device by default. Revision Level: Revision level of the MST region.
  • Page 173 Click the Global tab. Figure 164 Configuring MSTP globally Configure the global MSTP configuration as described in Table 65, and then click Apply. Table 65 Configuration items (Item: Description) Enable STP Globally: Selects whether to enable STP globally. Other MSTP configurations take effect only after you enable STP globally. Selects whether to enable BPDU guard.
  • Page 174 (Item: Description, continued) ...connected with a device running STP. Max Hops: Sets the maximum number of hops in an MST region to restrict the region size. The setting can take effect only when it is configured on the regional root bridge. Specifies the standard for path cost calculation.
  • Page 175: Configuring Mstp On A Port

    Configuring MSTP on a port From the navigation tree, select Network > MSTP. Click the Port Setup tab. Figure 165 MSTP configuration on a port Configure MSTP for ports as described in Table 66, and then click Apply. Table 66 Configuration items Item Description Selects whether to enable STP on the port.
  • Page 176: Displaying Mstp Information Of A Port

    (Item: Description, continued) Specifies whether the port is connected to a point-to-point link: Auto—Configures the device to automatically detect whether the link type of the port is point-to-point. Force False—The link type of the port is not point-to-point. Force True—The link type of the port is point-to-point.
  • Page 177 If you have configured aggregate interfaces on the device, the page displays a list of aggregate interfaces below the chassis front panel. You can select aggregate interfaces from this list. The lower part of the page displays the MSTP information of the port in MSTI 0 (when STP is enabled globally) or the STP status and statistics (when STP is not enabled globally), the MSTI to which the port belongs, and the path cost and priority of the port in the MSTI.
  • Page 178: Mstp Configuration Example

    (Field: Description, continued) • Config—The configured value. • Active—The actual value. Point-to-point: Whether the port is connected to a point-to-point link: • Config—The configured value. • Active—The actual value. Transmit Limit: Maximum number of packets sent within each Hello time. Protection type on the port: •...
  • Page 179: Configuration Procedure

    • Packets of VLAN 10, VLAN 20, VLAN 30, and VLAN 40 are forwarded along MSTI 1, MSTI 2, MSTI 3, and MSTI 0, respectively. • Switch A and Switch B operate at the distribution layer. Switch C and Switch D operate at the access layer.
  • Page 180 The system maps VLAN 10 to MSTI 1 and adds the VLAN-to-instance mapping entry to the VLAN-to-instance mapping list. i. Repeat the preceding three steps to map VLAN 20 to MSTI 2 and VLAN 30 to MSTI 3 and add the VLAN-to-instance mapping entries to the VLAN-to-instance mapping list. j.
  • Page 181 Figure 170 Configuring MSTP globally (on Switch A) Configuring Switch B Configure an MST region on the switch in the same way the MST region is configured on Switch Configure MSTP globally: a. From the navigation tree, select Network > MSTP. b.
  • Page 182 Configure MSTP globally: a. From the navigation tree, select Network > MSTP. b. Click Global. c. Select Enable from the Enable STP Globally list. d. Select MSTP from the Mode list. e. Select the box before Instance. f. Set the Instance ID field to 3. g.
  • Page 183 Figure 171 Configuring MSTP globally (on Switch D)
  • Page 184: Configuring Lldp

    Configuring LLDP Overview In a heterogeneous network, a standard configuration exchange platform makes sure different types of network devices from different vendors can discover one another and exchange configuration. The Link Layer Discovery Protocol (LLDP) is specified in IEEE 802.1AB. The protocol operates on the data link layer to exchange device information between directly connected devices.
  • Page 185 Figure 173 LLDP frame encapsulated in SNAP Table 70 Fields in a SNAP-encapsulated LLDP frame (Field: Description) Destination MAC address: MAC address to which the LLDP frame is advertised. It is fixed to 0x0180-C200-000E, a multicast MAC address. Source MAC address: MAC address of the sending port. If the port does not have a MAC address, the MAC address of the sending bridge is used.
  • Page 186 Table 71 Basic management TLVs (Type, Description, Remarks) Chassis ID: Specifies the bridge MAC address of the sending device. Port ID: Specifies the ID of the sending port. • If the LLDPDU carries LLDP-MED TLVs, the port ID TLV carries the MAC address of the sending port or the bridge MAC in case the port does not Remarks: Mandatory.
  • Page 187 (Type: Description, continued) Configuration/Status: ...autonegotiation, enabling status of auto negotiation, and the current rate and duplex mode. Power Via MDI: Contains the power supply capability of the port: • Port class (PSE or PD). • Power supply mode. • Whether PSE power supply is supported. •...
  • Page 188: Lldp Operating Modes

    For more information about LLDPDU TLVs, see the IEEE standard (LLDP) 802.1AB-2005 and the LLDP-MED standard (ANSI/TIA-1057). Management address The network management system uses the management address of a device to identify and manage the device for topology maintenance and network management. The management address is encapsulated in the management address TLV.
  • Page 189: Recommended Lldp Configuration Procedure

    Recommended LLDP configuration procedure (Step, Remarks) Enabling LLDP on ports: Optional. By default, LLDP is enabled on ports. Make sure LLDP is also enabled globally, because LLDP can work on a port only when it is enabled both globally and on the port. Optional.
  • Page 190: Setting Lldp Parameters On Ports

    Figure 175 The port setup tab Setting LLDP parameters on ports The Web interface allows you to set LLDP parameters for a single port or for multiple ports in batch. Setting LLDP parameters for a single port From the navigation tree, select Network > LLDP. By default, the Port Setup tab is displayed.
  • Page 191 Configure the LLDP parameters for the port as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds. Table 75 Configuration items Item Description Interface Name Displays the name of the port or ports you are configuring.
  • Page 192: Setting Lldp Parameters For Ports In Batch

    (Item: Description, continued) ...format (a numeric or character string in the TLV). If no management address is specified, the main IP address of the lowest VLAN carried on the port is used. If no main IP address is assigned to the VLAN, 127.0.0.1 is used. Port VLAN ID: Select the box to include the PVID TLV in transmitted LLDP frames.
  • Page 193: Configuring Lldp Globally

    By default, the Port Setup tab is displayed. Select one or multiple ports on the port list. Click Modify Selected to enter the page for modifying these ports in batch. Figure 177 Modifying LLDP settings on ports in batch Set the LLDP settings for these ports as described in Table Click Apply.
  • Page 194 Figure 178 The global setup tab Set the global LLDP setup as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds. Table 76 Configuration items Item Description LLDP Enable...
  • Page 195: Displaying Lldp Information For A Port

    (Item: Description, continued) ...make sure the product of the TTL multiplier and the LLDP frame transmission interval is less than 255 seconds for CDP-compatible LLDP to work correctly with Cisco IP phones. Trap Interval: Set the minimum interval for sending traps. With the LLDP trapping function enabled on a port, traps are sent out of the port to advertise the topology changes detected over the trap interval to neighbors.
  • Page 196 Table 77 Field description (Field: Description) Port ID subtype: Port ID subtype: • Interface alias. • Port component. • MAC address. • Network address. • Interface name. • Agent circuit ID. • Locally assigned—Locally-defined port ID type other than those listed above.
  • Page 197 Figure 180 The neighbor information tab Table 78 Field description (Field: Description) Chassis type: Chassis ID type: • Chassis component. • Interface alias. • Port component. • MAC address. • Network address. • Interface name. • Locally assigned—Locally-defined chassis type other than those listed above.
  • Page 198 (Field: Description, continued) Aggregation port ID: Link aggregation group ID. It is 0 if the neighbor port is not assigned to any link aggregation group. Maximum frame Size: Maximum frame size supported on the neighbor port. MED device class: • Connectivity device—An intermediate device that provides network connectivity.
  • Page 199: Displaying Global Lldp Information

    Field Description • Low—Priority level 3. Click the Statistics Information tab to display the LLDP statistics. Figure 181 The statistic information tab Click the Status Information tab to display the LLDP status information. Figure 182 The status information tab Displaying global LLDP information From the navigation tree, select Network >...
  • Page 200: Displaying Lldp Information Received From Lldp Neighbors

    Figure 183 The global summary tab Table 79 Field description (Field: Description) Chassis ID: Local chassis ID depending on the chassis type defined. System capabilities supported: Capabilities supported on the system: • Repeater. • Bridge. • Router. Capabilities enabled on the system: •...
  • Page 201: Lldp Configuration Example

    Figure 184 The neighbor summary tab LLDP configuration example Network requirements As shown in Figure 185, configure LLDP on Switch A and Switch B so that the NMS can determine the status of the link between Switch A and MED and the link between Switch A and Switch B. Figure 185 Network diagram Configuring Switch A (Optional.) Enable LLDP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
  • Page 202 Figure 186 The port setup tab d. Select Rx from the LLDP Operating Mode list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds. Figure 187 Setting LLDP on multiple ports Enable global LLDP: a.
  • Page 203: Configuring Switch B

    Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds. Figure 188 The global setup tab Configuring Switch B (Optional.) Enable LLDP on port GigabitEthernet 1/0/1. By default, LLDP is enabled on Ethernet ports. Set the LLDP operating mode to Tx on GigabitEthernet 1/0/1: a.
  • Page 204: Verifying The Configuration

    Figure 189 Setting the LLDP operating mode to Tx Enable global LLDP: a. Click the Global Setup tab. b. Select Enable from the LLDP Enable list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
  • Page 205: Lldp Configuration Guidelines

    The output shows that port GigabitEthernet 1/0/2 is connected to a non-MED neighbor device (Switch B), as shown in Figure 191. Figure 191 The status information tab (2) Tear down the link between Switch A and Switch B. Click Refresh to display the status information of port GigabitEthernet 1/0/2 on Switch A. The updated status information of port GigabitEthernet 1/0/2 shows that no neighbor device is connected to the port, as shown in Figure...
  • Page 206: Configuring Arp

    Configuring ARP Overview ARP resolves IP addresses into MAC addresses on Ethernet networks. ARP message format ARP uses two types of messages: ARP request and ARP reply. Figure 193 shows the format of the ARP request/reply messages. Numbers in the figure refer to field lengths. Figure 193 ARP message format •...
  • Page 207: Arp Table

    All hosts on this subnet can receive the broadcast request, but only the requested host (Host B) processes the request. Host B compares its own IP address with the target IP address in the ARP request. If they are the same, Host B: a.
  • Page 208: Gratuitous Arp

    Gratuitous ARP In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device, the sender MAC address is the MAC address of the sending device, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff. A device sends a gratuitous ARP packet for either of the following purposes: •...
  • Page 209: Removing Arp Entries

    Figure 196 Add a static ARP entry Configure the static ARP entry as described in Table Click Apply. Table 80 Configuration items (Item: Description) IP Address: Enter an IP address for the static ARP entry. MAC Address: Enter a MAC address for the static ARP entry. VLAN ID: Enter a VLAN ID and specify a port for the static ARP entry.
  • Page 210: Static Arp Configuration Example

    Figure 197 Gratuitous Configuring ARP page Configure gratuitous ARP as described in Table Click Apply. Table 81 Configuration items (Item: Description) Disable gratuitous ARP packets learning function: Disable learning of ARP entries from gratuitous ARP packets. Gratuitous ARP packet learning is enabled by default. Send gratuitous ARP packets: Enable the device to send gratuitous ARP packets upon receiving ARP requests from another network segment.
  • Page 211 a. From the navigation tree, select Network > VLAN. b. Click the Add tab. c. Enter 100 in the VLAN ID field. d. Click Create. Figure 199 Creating VLAN 100 Add GigabitEthernet 1/0/1 to VLAN 100: a. Click the Modify Port tab. b.
  • Page 212 Figure 200 Adding GigabitEthernet 1/0/1 to VLAN 100 Create VLAN-interface 100: a. From the navigation tree, select Network > VLAN Interface. b. Click the Create tab. c. Enter 100 in the VLAN ID field. d. Select Configure Primary IPv4 Address. e.
  • Page 213 Figure 201 Creating VLAN-interface 100 Create a static ARP entry: a. From the navigation tree, select Network > ARP Management. The default ARP Table page appears. b. Click Add. c. Enter 192.168.1.1 in the IP Address field. d. Enter 00e0-fc01-0000 in the MAC Address field. e.
  • Page 214: Configuring Arp Attack Protection

    Configuring ARP attack protection Overview Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. The ARP detection feature enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks. ARP detection provides user validity check and ARP packet validity check.
  • Page 215 Figure 203 ARP detection configuration page Configure ARP detection as described in Table Click Apply. Table 82 Configuration items (Item: Description) VLAN Settings: Select VLANs on which ARP detection is to be enabled. To add VLANs to the Enabled VLANs list, select one or multiple VLANs from the Disabled VLANs list and click the <<...
  • Page 216: Configuring Igmp Snooping

    Configuring IGMP snooping Overview IGMP snooping runs on a Layer 2 switch as a multicast constraining mechanism to improve multicast forwarding efficiency. It creates Layer 2 multicast forwarding entries from IGMP packets that are exchanged between the hosts and the router. As shown in Figure 204, when IGMP snooping is not enabled, the Layer 2 switch floods multicast...
  • Page 217 Figure 205 IGMP snooping related ports The following describes the ports involved in IGMP snooping: • Router port—Layer 3 multicast device-side port. Layer 3 multicast devices include designated routers and IGMP queriers. In Figure 205, GigabitEthernet 1/0/1 of Switch A and GigabitEthernet 1/0/1 of Switch B are router ports.
  • Page 218: How Igmp Snooping Works

    (Table continued: Timer, Description, Message received before the timer expires, Action after the timer expires) ...out. NOTE: In IGMP snooping, only dynamic ports age out. How IGMP snooping works The ports in this section are dynamic ports. IGMP messages include general query, IGMP report, and leave message. An IGMP snooping-enabled switch performs differently depending on the message.
  • Page 219: Protocols And Standards

    An IGMPv2 or IGMPv3 host sends an IGMP leave message to the multicast router when it leaves a multicast group. When the switch receives an IGMP leave message on a dynamic member port, the switch first examines whether a forwarding entry matches the group address in the message, and, if a match is found, whether the forwarding entry for the group contains the dynamic member port.
  • Page 220: Enabling Igmp Snooping Globally

    Step Remarks When you enable IGMP snooping, follow these guidelines: • Enable IGMP snooping globally before you enable it for a VLAN. • IGMP snooping for a VLAN takes effect only on the member ports in that VLAN. Optional. Configure the maximum number of multicast groups and fast-leave processing on a port of the specified VLAN.
  • Page 221: Configuring Igmp Snooping In A Vlan

    Figure 207 Enabling dropping unknown multicast data globally Click Apply. Configuring IGMP snooping in a VLAN From the navigation tree, select Network > IGMP snooping. Click the icon for the VLAN. Figure 208 Configuring IGMP snooping in a VLAN Configure the parameters as described in Table Click Apply.
  • Page 222: Configuring Igmp Snooping Port Functions

    Item Description • IGMPv2 snooping can process IGMPv1 and IGMPv2 messages, but it floods IGMPv3 messages in the VLAN instead of processing them. • IGMPv3 snooping can process IGMPv1, IGMPv2, and IGMPv3 messages. IMPORTANT: If you change IGMPv3 snooping to IGMPv2 snooping, the system clears all IGMP snooping forwarding entries that are dynamically added.
  • Page 223: Displaying Igmp Snooping Multicast Forwarding Entries

    Table 84 Configuration items (Item: Description) Select the port on which advanced IGMP snooping features will be configured. The port can be a GigabitEthernet port or a Layer 2 aggregate interface. After a port is selected, the advanced features configured on this port are displayed at the lower part of this page.
  • Page 224: Igmp Snooping Configuration Example

    Figure 211 Displaying detailed information about the entry Table 85 Field description (Field: Description) VLAN ID: ID of the VLAN to which the entry belongs. Source Address: Multicast source address. If no multicast sources are specified, this field displays 0.0.0.0. Group Address: Multicast group address.
  • Page 225: Configuration Procedure

    Configuration procedure Configuring Router A Enable IP multicast routing globally, enable PIM-DM on each interface, and enable IGMP on GigabitEthernet 1/0/1. (Details not shown.) Configuring Switch A Create VLAN 100: a. From the navigation tree, select Network > VLAN. b. Click the Create tab. c.
  • Page 226 Figure 214 Assigning ports to the VLAN Enable IGMP snooping and dropping unknown multicast data globally: a. From the navigation tree, select Network > IGMP snooping. b. Select Enable. c. Click Apply. Figure 215 Enabling IGMP snooping and dropping unknown multicast data globally Enable IGMP snooping for VLAN 100: a.
  • Page 227: Verifying The Configuration

    Figure 216 Configuring IGMP snooping in VLAN 100 Verifying the configuration From the navigation tree, select Network > IGMP snooping. Click Show Entries in the basic VLAN configuration page to display information about IGMP snooping multicast forwarding entries. Figure 217 Displaying IGMP snooping multicast forwarding entries Click the icon for the multicast entry (0.0.0.0, 224.1.1.1) to display detailed information about this entry.
  • Page 228: Configuring Mld Snooping

    Configuring MLD snooping Overview MLD snooping runs on a Layer 2 switch as an IPv6 multicast constraining mechanism to improve multicast forwarding efficiency. It creates Layer 2 multicast forwarding entries from MLD messages that are exchanged between the hosts and the router. As shown in Figure 219, when MLD snooping is not enabled, the Layer 2 switch floods IPv6 multicast...
  • Page 229 Figure 220 MLD snooping related ports The following describes the ports involved in MLD snooping: • Router port—Layer 3 multicast device-side port. Layer 3 multicast devices include designated routers and MLD queriers. As shown in Figure 220, GigabitEthernet 1/0/1 of Switch A and GigabitEthernet 1/0/1 of Switch B are router ports.
  • Page 230: How Mld Snooping Works

    (Table continued: Timer, Description, Message received before the timer expires, Action after the timer expires) ...member port ages out. NOTE: In MLD snooping, only dynamic ports age out. How MLD snooping works The ports in this section are dynamic ports. MLD messages include general query, MLD report, and done message. An MLD snooping-enabled switch performs differently depending on the MLD message.
  • Page 231: Protocols And Standards

    whether a forwarding entry matches the IPv6 group address in the message, and, if a match is found, determines whether the forwarding entry contains the dynamic member port. • If no forwarding entry matches the IPv6 multicast group address, or if the forwarding entry does not contain the port, the switch directly discards the MLD done message.
  • Page 232: Enabling Mld Snooping Globally

    Step Remarks Required. Enable MLD snooping in the VLAN and configure the MLD snooping version and querier. Configuring MLD snooping in By default, MLD snooping is disabled in a VLAN. a VLAN When you enable MLD snooping, follow these guidelines: •...
  • Page 233: Configuring Mld Snooping In A Vlan

    Figure 222 Enabling dropping unknown IPv6 multicast data globally Click Apply. Configuring MLD snooping in a VLAN Select Network > MLD snooping from the navigation tree. Click the icon for the VLAN. Figure 223 Configuring MLD snooping in a VLAN Configure the parameters as described in Table Click Apply.
  • Page 234: Configuring Mld Snooping Port Functions

    Item Description • MLDv2 snooping can process MLDv1 and MLDv2 messages. IMPORTANT: If you change the MLDv2 snooping to MLDv1 snooping, the system clears all MLD snooping forwarding entries that are dynamically added. Enable or disable the MLD snooping querier function. In an IPv6 multicast network that runs MLD, a Layer 3 device acts as the MLD querier to send MLD queries and establish and maintain IPv6 multicast forwarding entries, ensuring correct IPv6 multicast traffic forwarding at the network layer.
  • Page 235: Displaying Mld Snooping Multicast Forwarding Entries

    (Item: Description, continued) ...lower part of this page. TIP: Advanced MLD snooping features configured on a Layer 2 aggregate interface do not interfere with configurations on its member ports, nor do they take part in aggregation calculations. The configuration on a member port of the aggregate group does not take effect until the port leaves the aggregate group. Specify the ID of the VLAN in which port functions are to be configured.
  • Page 236: Mld Snooping Configuration Example

    Figure 226 Detailed information about an MLD snooping multicast entry Table 88 Field description (Field: Description) VLAN ID: ID of the VLAN to which the entry belongs. Source Address: Multicast source address. If no IPv6 multicast sources are specified, this field displays ::.
  • Page 237: Configuration Procedure

    Configuration procedure Configuring Router A Enable IPv6 multicast routing, assign an IPv6 address to each interface, enable IPv6 PIM-DM on each interface, and enable MLD on GigabitEthernet 1/0/1. (Details not shown.) Configuring Switch A Create VLAN 100: a. Select Network > VLAN from the navigation tree. b.
  • Page 238 Figure 229 Assigning ports to VLAN 100 Enable MLD snooping and dropping unknown IPv6 multicast data globally: a. Select Network > MLD snooping from the navigation tree. b. Select Enable. c. Click Apply. Figure 230 Enabling MLD snooping and dropping unknown IPv6 multicast data globally Enable MLD snooping: a.
  • Page 239: Verifying The Configuration

    Figure 231 Enabling MLD snooping in VLAN 100 Verifying the configuration Select Network > MLD snooping from the navigation tree. Click Show Entries in the basic VLAN configuration page to display information about MLD snooping multicast forwarding entries. Figure 232 Displaying MLD snooping multicast forwarding entries Click the icon for the multicast entry (::, FF1E::101) to display detailed information about this entry.
  • Page 240: Configuring Ipv4 Or Ipv6 Static Routes

    Configuring IPv4 or IPv6 static routes The switch does not provide Layer 3 forwarding service. The IP routing feature of the switch only ensures that the switch is accessible on an IP network. You must configure a static route only if both of the following situations occur: •...
  • Page 241: Displaying The Ipv4 Active Route Table

    Click Apply. Table 89 Configuration items (Item: Description) Destination IP Address: Enter the destination host or network IP address in dotted decimal notation. Mask: Enter the mask of the destination IP address. You can enter a mask length or a mask in dotted decimal notation. Set a preference value for the static route.
  • Page 242: Displaying The Ipv6 Active Route Table

    Figure 236 Creating an IPv6 static route Create an IPv6 static route as described in Table Click Apply. Table 90 Configuration items (Item: Description) Destination IP Address: Enter the destination host or network IP address, in the X:X::X:X format. The 128-bit destination IPv6 address is a hexadecimal address with eight parts separated by colons (:).
  • Page 243 Figure 237 IPv6 active route table...
  • Page 244: Dhcp Overview

    DHCP overview The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. DHCP uses the client-server model. Figure 238 shows a typical DHCP application scenario where the DHCP clients and the DHCP server reside on the same subnet. You can enable the DHCP client on an interface.
  • Page 245: Ip Address Allocation Process

    IP address allocation process Figure 239 Dynamic IP address allocation process The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. A DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message.
  • Page 246: Dhcp Message Format

    DHCP message format Figure 240 shows the DHCP message format. DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes. Figure 240 DHCP message format op (1) htype (1) hlen (1) hops (1) xid (4)
  • Page 247: Common Dhcp Options

    Figure 241 DHCP option format Common DHCP options The following are common DHCP options: • Option 3—Router option. It specifies the gateway address. • Option 6—DNS server option. It specifies the DNS server's IP address. • Option 33—Static route option. It specifies a list of classful static routes (the destination addresses in these static routes are classful) that a client should add into its routing table.
  • Page 248: Protocols And Standards

    • Sub-option 1—Padded with the VLAN ID and interface number of the interface that received the client's request. The following figure gives its format. The value of the sub-option type is 1, and that of the circuit ID type is 0. Figure 242 Sub-option 1 in normal padding format •...
  • Page 249: Configuring Dhcp Snooping

    Configuring DHCP snooping DHCP snooping works between the DHCP client and server. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes. Overview DHCP snooping defines trusted and untrusted ports to make sure clients obtain IP addresses only from authorized DHCP servers.
  • Page 250: Dhcp Snooping Support For Option 82

    Figure 245 Trusted and untrusted ports in a cascaded network Table 91 describes roles of the ports shown in Figure 245. Table 91 Roles of ports (Device, Untrusted port, Trusted port disabled from recording binding entries, Trusted port enabled to record binding entries) Switch A: GigabitEthernet 1/0/1...
  • Page 251: Recommended Configuration Procedure

    Recommended configuration procedure (Task, Remarks) Enabling DHCP snooping: Required. By default, DHCP snooping is disabled. Required. Specify an interface as trusted and configure DHCP snooping to support Option 82. By default, an interface is untrusted and DHCP snooping does not support Option 82.
  • Page 252: Configuring Dhcp Snooping Functions On An Interface

    Configuring DHCP snooping functions on an interface From the navigation tree, select Network > DHCP. Click the DHCP Snooping tab to enter the page shown in Figure 246. Click the icon of a specific interface in the Interface Config area to enter the page shown Figure 247.
  • Page 253: Dhcp Snooping Configuration Example

    Table 94 describes the fields of DHCP snooping entries. Table 94 Field description (Item: Description) IP Address: Displays the IP address assigned by the DHCP server to the client. MAC Address: Displays the MAC address of the client. Displays the client type: •...
  • Page 254 Figure 250 Enabling DHCP snooping Configure DHCP snooping functions on GigabitEthernet 1/0/5: a. Click the icon of GigabitEthernet 1/0/5 on the interface list. b. Select the Trust option next to Interface State as shown in Figure 251. c. Click Apply. Figure 251 Configuring DHCP snooping functions on GigabitEthernet 1/0/5 Configure DHCP snooping functions on GigabitEthernet 1/0/2: a.
  • Page 255 b. Select the Untrust option for Interface State as shown in Figure 253. c. Select the Enable option next to Option 82 Support. d. Select Replace for Option 82 Strategy. e. Click Apply. Figure 253 Configuring DHCP snooping functions on GigabitEthernet 1/0/3...
  • Page 256: Managing Services

    Managing services Overview Service management allows you to manage the following types of services: FTP, Telnet, SSH, SFTP, HTTP and HTTPS. You can enable or disable the services, modify HTTP and HTTPS port numbers, and associate the FTP, HTTP, or HTTPS service with an ACL to block illegal users. FTP service FTP is an application layer protocol for sharing files between server and client over a TCP/IP network.
  • Page 257 Figure 254 Service management Enable or disable services on the page. Table 95 describes the detailed configuration items. Click Apply. Table 95 Configuration items Item Description Enable or disable the FTP service. Enable FTP service The FTP service is disabled by default. Associate the FTP service with an ACL.
  • Page 258 Item Description Enable or disable the HTTPS service. Enable HTTPS service The HTTPS service is disabled by default. Select a local certificate for the HTTPS service from the Certificate dropdown list. You can configure the certificates available in the dropdown list in Authentication >...
  • Page 259: Using Diagnostic Tools

    Using diagnostic tools This chapter describes how to use the ping and traceroute utilities. Ping Use the ping utility to determine if a specific address is reachable. A ping operation involves the following steps: The source device sends ICMP echo requests to the destination device. The destination device responds by sending ICMP echo replies to the source device after receiving the ICMP echo requests.
  • Page 260: Ping Operation

    The destination device responds with an ICMP port-unreachable message because the packet from the source has an unreachable port number. In this way, the source device learns the address of the destination device and, together with the earlier replies, the addresses of all Layer 3 devices on the path. Ping operation Configuring IPv4 Ping Select Network >...
  • Page 261: Configuring Ipv6 Ping

    Configuring IPv6 Ping Select Network > Diagnostic Tools from the navigation tree. Click the IPv6 Ping tab. The ping configuration page appears. Figure 257 Ping configuration page Enter the IP address or the host name of the destination device in the Destination IPv6 address or host name field.
  • Page 262: Configuring Ipv6 Traceroute

    The traceroute configuration page appears. Figure 259 Traceroute configuration page Enter the IP address or host name of the destination device in the Destination IP address or host name field. Click Start. The output is displayed in the Summary area. Figure 260 IPv4 traceroute output Configuring IPv6 traceroute Select Network >...
  • Page 263 Figure 261 Traceroute configuration page Enter the IP address or host name of the destination device in the Destination IPv6 address or host name field. Click Start. The output is displayed in the Summary area. Figure 262 IPv6 traceroute output...
  • Page 264: Configuring 802.1X

    Configuring 802.1X 802.1X overview 802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for the security of WLANs. It has been widely used on Ethernet for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
  • Page 265: Controlled/Uncontrolled Port And Port Authorization Status

    Controlled/uncontrolled port and port authorization status 802.1X defines two logical ports for the network access port: controlled port and uncontrolled port. Any packet arriving at the network access port is visible to both logical ports. • Controlled port—Allows incoming and outgoing traffic to pass through when it is in the authorized state, and denies incoming and outgoing traffic when it is in the unauthorized state, as shown in Figure...
  • Page 266: Eap Over Radius

    • Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet. The Data field comprises the request type (or the response type) and the type data. Type 1 (Identity) and type 4 (MD5-challenge) are two examples for the type field. EAPOL packet format Figure 266 shows the EAPOL packet format.
  • Page 267: Initiating 802.1X Authentication

    Figure 267 EAP-Message attribute format Type Length String EAP packets Message-Authenticator RADIUS includes the Message-Authenticator attribute in all packets that have an EAP-Message attribute to check their integrity. The packet receiver drops the packet if the calculated packet integrity checksum is different from the Message-Authenticator...
  • Page 268 EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPOR packets to send authentication information to the RADIUS server, as shown in Figure 269. Figure 269 EAP relay In EAP relay mode, the client must use the same authentication method as the RADIUS server. On the network access device, you only need to enable EAP relay.
  • Page 269 Figure 271 802.1X authentication procedure in EAP relay mode When a user launches the 802.1X client software and enters a registered username and password, the 802.1X client software sends an EAPOL-Start packet to the network access device. The network access device responds with an Identity EAP-Request packet to ask for the client username.
  • Page 270 10. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network. 11. After the client comes online, the network access device periodically sends handshake requests to check whether the client is still online.
  • Page 271: 802.1X Timers

    802.1X timers This section describes the timers used on an 802.1X device to guarantee that the client, the device, and the RADIUS server can interact with each other correctly. • Username request timeout timer—Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request.
  • Page 272 On a periodic online user re-authentication enabled port, if a user has been online before you enable the MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the user unless the user passes re-authentication and the VLAN for the user has changed. Guest VLAN You can configure a guest VLAN on a port to accommodate users that have not performed 802.1X authentication, so they can access a limited set of network resources, such as a software server, to...
  • Page 273: Configuration Prerequisites

    password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. The Auth-Fail VLAN does not accommodate 802.1X users that have failed authentication for authentication timeouts or network connection problems. The way that the network access device handles VLANs on the port differs by 802.1X access control mode.
  • Page 274: Recommended Configuration Procedure

    • If local authentication is used, create local user accounts on the access device and specify the LAN access service for the user accounts. For more information, see "Configuring users." Recommended configuration procedure Step Remarks Required. This function enables 802.1X authentication globally. It also Configuring 802.1X globally configures the authentication method and advanced parameters. By default, 802.1X authentication is disabled globally.
  • Page 275: Configuring 802.1X On A Port

    The support of the RADIUS server for EAP packets. The authentication methods supported by the 802.1X client and the RADIUS server. Click Advanced to expand the advanced 802.1X configuration area. Figure 274 Configuring advanced 802.1X parameters Configure advanced 802.1X settings as described in Table 97, and then click Apply.
  • Page 276 Figure 275 Configuring 802.1X on a port Table 98 describes the configuration items. Table 98 Configuration items Item Description Select a port where you want to enable 802.1X. Only ports not enabled with 802.1X authentication are available. Port 802.1X configuration takes effect on a port only after 802.1X is enabled both globally and on the port.
  • Page 277: Configuring An 802.1X Guest Vlan

    Item Description • The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute. The server-assigned timer overrides the timer setting on the access device, and it enables periodic online user re-authentication, even if the function is not configured on the access device.
  • Page 278: Configuring An Auth-Fail Vlan

    Feature Relationship description performs MAC-based access control than the shutdown port action of the port intrusion protection feature. Configuring an Auth-Fail VLAN Configuration prerequisites • Create the VLAN to be specified as the 802.1X Auth-Fail VLAN. • If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged member.
  • Page 279 Specify the device to try up to 5 times at an interval of 5 seconds in transmitting a packet to the RADIUS server until it receives a response from the server, and to send real time accounting packets to the accounting server every 15 minutes. Figure 276 Network diagram Configuring IP addresses # Assign an IP address to each interface as shown in...
  • Page 280 Figure 278 Configuring 802.1X for GigabitEthernet 1/0/1 Configuring the RADIUS scheme for the switch Configure authentication and accounting attributes for the RADIUS scheme: a. From the navigation tree, select Authentication > RADIUS, and click Add. b. Enter the scheme name system. c.
  • Page 281 Figure 279 Configuring the RADIUS scheme Configure the primary authentication server in the RADIUS scheme: a. In the RADIUS Server Configuration area, click Add. b. Select the server type Primary Authentication. c. Enter the IP address 10.1.1.1, and enter the port number 1812.
  • Page 282 d. Click Apply. The RADIUS Server Configuration area displays the primary authentication server you have configured. Configure the backup authentication server in the RADIUS scheme: a. In the RADIUS Server Configuration area, click Add. b. Select the server type Backup Authentication. c.
  • Page 283 Figure 280 Creating an ISP domain Configure AAA authentication method for the ISP domain: a. Click the Authentication tab. b. Select test from the Select an ISP domain list. c. Select Default AuthN, select authentication method RADIUS from the Default AuthN list, and select the authentication scheme system from the Name list, as shown in Figure 281.
  • Page 284 Figure 282 Configuration progress dialog box e. After the configuration process is complete, click Close. Configure AAA authorization method for the ISP domain: a. Click the Authorization tab. b. Select test from the Select an ISP domain list. c. Select Default AuthZ, select the authorization method RADIUS from the Default AuthZ list, and select the authorization scheme system from the Name list, as shown in Figure 283.
  • Page 285: 802.1X With Acl Assignment Configuration Example

    Figure 284 Configuring the AAA accounting method for the ISP domain d. Click Apply. e. After the configuration process is complete, click Close. 802.1X with ACL assignment configuration example Network requirements As shown in Figure 285, perform 802.1X authentication on port GigabitEthernet 1/0/1. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server.
  • Page 286 Configure the primary authentication server in the RADIUS scheme: a. In the RADIUS Server Configuration area, click Add. b. Select the server type Primary Authentication. c. Enter the IP address 10.1.1.1, and enter the port number 1812. d. Enter expert in the Key and Confirm Key fields. e.
  • Page 287 Figure 288 Configuring the RADIUS scheme Click Apply. Configuring AAA Create an ISP domain: a. From the navigation tree, select Authentication > AAA. The Domain Setup page appears. b. Enter test from the Domain Name list, and select Enable from the Default Domain list. c.
  • Page 288 Figure 289 Creating an ISP domain Configure AAA authentication method for the ISP domain: a. Click the Authentication tab. b. Select test from the Select an ISP domain list. c. Select Default AuthN, select RADIUS as the default authentication method, and select the authentication scheme system from the Name list, as shown in Figure 290.
  • Page 289 Figure 291 Configuration progress dialog box e. After the configuration process is complete, click Close. Configure AAA authorization method for the ISP domain: a. Click the Authorization tab. b. Select test from the Select an ISP domain list. c. Select Default AuthZ, select RADIUS as the default authorization method, and select the authorization scheme system from the Name list, as shown in Figure 292.
  • Page 290 Figure 293 Configuring the AAA accounting method for the ISP domain f. After the configuration process is complete, click Close. Configuring an ACL From the navigation tree, select QoS > ACL IPv4. Click the Add tab. Enter the ACL number 3000, and click Apply. Figure 294 Creating ACL 3000 Click the Advanced Setup tab.
  • Page 291 − Enter 10.0.0.1 as the destination IP address. − Enter 0.0.0.0 as the destination IP address wildcard. d. Click Add. Figure 295 ACL rule configuration Configuring 802.1X Configure 802.1X globally: a. From the navigation tree, select Authentication > 802.1X. b. Select Enable 802.1X. c.
  • Page 292 Figure 296 Configuring 802.1X globally Configure 802.1X for GigabitEthernet 1/0/1: a. In the Ports With 802.1X Enabled area, click Add. b. Select GigabitEthernet1/0/1 from the Port list. c. Click Apply. Figure 297 Configuring 802.1X for GigabitEthernet 1/0/1 Verifying the configuration After the user passes authentication and gets online, use the ping command to test whether ACL 3000 takes effect.
  • Page 293 Figure 298 Ping operation summary...
  • Page 294: Configuring Aaa

    Configuring AAA Overview Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions: • Authentication—Identifies users and determines whether a user is valid. • Authorization—Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.
  • Page 295: Domain-Based User Management

    Domain-based user management A NAS manages users based on ISP domains. On a NAS, each user belongs to one ISP domain. A NAS determines the ISP domain for a user by the username entered by the user at login. For a username in the userid@isp-name format, the access device considers the userid part the username for authentication and the isp-name part the ISP domain name.
  • Page 296: Configuring An Isp Domain

    Configuring an ISP domain Select Authentication > AAA from the navigation tree. The Domain Setup page appears. Figure 300 Domain Setup page Create an ISP domain, as described in Table 101. Click Apply. Table 101 Configuration items Item Description Enter the ISP domain name, which is for identifying the domain. Domain Name You can enter a new domain name to create a domain, or specify an existing domain to change its status (whether it is the default domain).
  • Page 297 Figure 301 Authentication method configuration page Select the ISP domain and specify authentication methods for the domain, as described in Table 102. Click Apply. Table 102 Configuration items Item Description Select an ISP domain Select the ISP domain for which you want to specify authentication methods. Configure the default authentication method and secondary authentication method for all types of users.
  • Page 298: Configuring Authorization Methods For The Isp Domain

    Item Description • RADIUS—RADIUS authentication. You must specify the RADIUS scheme to be used. • Not Set—The device uses the settings in the Default AuthN area for login users. NOTE: The HPE NJ5000 5G PoE+ switch does not support PPP authentication and portal authentication. Configuring authorization methods for the ISP domain Select Authentication >...
  • Page 299: Configuring Accounting Methods For The Isp Domain

    Item Description Secondary Method Options include: • Local—Local authorization. • None—This method trusts all users and assigns default rights to them. • RADIUS—RADIUS authorization. You must specify the RADIUS scheme to be used. • Not Set—The device uses the settings in the Default AuthZ area for LAN access users.
  • Page 300: Aaa Configuration Example

    Table 104 Configuration items Item Description Select an ISP domain Select the ISP domain for which you want to specify authentication methods. Specify whether to enable the accounting optional feature. The feature enables a user who would otherwise be disconnected to use network resources even if there is no accounting server available or communication with Accounting Optional the current accounting server fails.
  • Page 301 Figure 304 Network diagram Configuration procedure Enable the Telnet server function, and configure the switch to use AAA for Telnet users. (Details not shown.) Configure IP addresses for the interfaces. (Details not shown.) Configure a local user: a. Select Device > Users from the navigation tree. b.
  • Page 302 Figure 306 Configuring ISP domain test Configure the ISP domain to use local authentication: a. Select Authentication > AAA from the navigation tree. b. Click the Authentication tab. c. Select the domain test. d. Select Login AuthN and select the authentication method Local. Figure 307 Configuring the ISP domain to use local authentication e.
  • Page 303 Figure 308 Configuration progress dialog box Configure the ISP domain to use local authorization: a. Select Authentication > AAA from the navigation tree. b. Click the Authorization tab. c. Select the domain test. d. Select Login AuthZ and select the authorization method Local. e.
  • Page 304 Figure 310 Configuring the ISP domain to use local accounting Verifying the configuration Telnet to the switch and enter the username telnet@test and password abcd. You will be serviced as a user in domain test.
  • Page 305: Configuring Radius

    Configuring RADIUS Overview Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model to implement AAA. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
  • Page 306: Basic Radius Message Exchange Process

    Basic RADIUS message exchange process Figure 312 illustrates the interactions between the host, the RADIUS client, and the RADIUS server. Figure 312 Basic RADIUS message exchange process RADIUS operates in the following manner: The host initiates a connection request that carries the user's username and password to the RADIUS client.
  • Page 307 Figure 313 RADIUS packet format Code Identifier Length Authenticator Attributes The following describes the fields of a RADIUS packet: • The Code field (1 byte long) indicates the type of the RADIUS packet. Table 105 Main values of the Code field Code Packet type Description...
  • Page 308 Length—(1 byte long) Length of the attribute in bytes, including the Type, Length, and Value fields. Value—(Up to 253 bytes) Value of the attribute. Its format and content depend on the Type and Length fields. Table 106 Commonly used RADIUS attributes Attribute Attribute User-Name...
  • Page 309: Extended Radius Attributes

    Attribute Attribute Login-LAT-Service Tunnel-Private-Group-id Login-LAT-Node Tunnel-Assignment-id Login-LAT-Group Tunnel-Preference Framed-AppleTalk-Link ARAP-Challenge-Response Framed-AppleTalk-Network Acct-Interim-Interval Framed-AppleTalk-Zone Acct-Tunnel-Packets-Lost Acct-Status-Type NAS-Port-Id Acct-Delay-Time Framed-Pool Acct-Input-Octets (unassigned) Acct-Output-Octets Tunnel-Client-Auth-id Acct-Session-Id Tunnel-Server-Auth-id NOTE: This table lists the attribute types, which are defined by RFC 2865, RFC 2866, RFC 2867, and RFC 2568.
  • Page 310: Configuring A Radius Scheme

    • RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support • RFC 2868, RADIUS Attributes for Tunnel Protocol Support • RFC 2869, RADIUS Extensions Configuring a RADIUS scheme A RADIUS scheme defines a set of parameters that the device uses to exchange information with the RADIUS servers.
  • Page 311: Configuring Common Parameters

    Item Description server type, the username format, and the shared keys for authentication and accounting packets. For more information about common configuration, see "Configuring common parameters." Configure the parameters of the RADIUS authentication servers and RADIUS Server Configuration accounting servers. For more information about RADIUS server configuration, see "Adding RADIUS servers."...
  • Page 312 Item Description • Standard—Standard RADIUS servers. The RADIUS client and RADIUS server communicate by using the standard RADIUS protocol and packet format defined in RFC 2138/2139 or later. • Extended—Extended RADIUS servers, usually running on CAMS or IMC. The RADIUS client and the RADIUS server communicate by using the proprietary RADIUS protocol and packet format.
  • Page 313 Item Description RADIUS server, the device considers the request a failure. IMPORTANT: The server response timeout time multiplied by the maximum number of RADIUS packet transmission attempts must not exceed 75. Set the interval for sending realtime accounting information. The interval must be a multiple of 3.
  • Page 314: Adding Radius Servers

    Item Description IMPORTANT: When enabling the accounting-on feature on a device for the first time, you must save the configuration so that the feature takes effect after the device reboots. Set the interval for sending accounting-on packets. This field is Accounting-On Interval configurable only after you select the Send accounting-on packets box.
  • Page 315: Radius Configuration Example

    RADIUS configuration example Network requirements As shown in Figure 319, an 802.1X user logs in to the switch from the host. Configure the switch to implement RADIUS authentication and accounting for the 802.1X user. RADIUS accounting records the online duration of the 802.1X user. Configure RADIUS servers on CAMS or IMC to use the default port for authentication and accounting.
  • Page 316 Figure 320 RADIUS authentication server configuration page In the RADIUS Server Configuration area, click Add again to configure the primary accounting server: a. Select Primary Accounting as the server type. b. Enter 10.110.91.146 as the IP address. c. Enter 1813 as the port. d.
  • Page 317 Figure 322 RADIUS scheme configuration Configuring AAA Select Authentication > AAA in the navigation tree. The domain setup page appears. On the domain setup page, configure a domain: a. Enter test for Domain Name. b. Click Enable to use the domain as the default domain. c.
  • Page 318 a. Select the domain name test. b. Select Default AuthN and select RADIUS as the authentication mode. c. Select system from the Name list to use it as the authentication scheme. d. Click Apply. A configuration progress dialog box appears. e.
  • Page 319: Configuration Guidelines

    Figure 326 Configuring the AAA authorization method for the ISP domain Select the Accounting tab to configure the accounting scheme: a. Select the domain name test. b. Select Accounting Optional and select Enable from the list. c. Select Default Accounting and select RADIUS as the accounting mode. d.
  • Page 320 • The status of RADIUS servers, blocked or active, determines which servers the device will communicate with or turn to when the current servers are not available. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers that function as the backup of the primary servers.
  • Page 321: Configuring Hwtacacs

    Configuring HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and it uses a client/server model for information exchange between the network access server (NAS) and the HWTACACS server.
  • Page 322: Configuring Hwtacacs Servers For The Scheme

    Figure 329 Creating the HWTACACS scheme named system Click Apply. The added HWTACACS scheme is displayed, as shown in Figure 330. Figure 330 Displaying the added HWTACACS scheme Configuring HWTACACS servers for the scheme On the page in Figure 330, click the Modify icon for the HWTACACS scheme system.
  • Page 323: Configuring Hwtacacs Communication Parameters For The Scheme

    Figure 332 Add HWTACACS Server page Configure the server parameters as described in Table 111. Click Apply. Table 111 Configuration items Item Description Select the server type, including: • Primary Authentication. • Primary Authorization. • Server Type Primary Accounting. • Secondary Authentication.
  • Page 324 Figure 333 HWTACACS communication parameter configuration Configure the HWTACACS parameters as described in Table 112. Click Apply. Table 112 Configuration items Item Description Set the format of the usernames sent to the HWTACACS servers. A username is typically in the userid@isp-name format, of which the isp-name argument is used by the device to determine the ISP domain to which the user belongs.
  • Page 325 Item Description accounting server use the MD5 algorithm to encrypt packets exchanged between them and use a shared key to verify the packets. Make sure the HWTACACS server and client use the same shared key for secure communication. Set the interval for which the primary server has to wait before being active. Quiet Time If you leave this field blank, the default quiet interval is used.
  • Page 326: Hwtacacs Configuration Example

    Item Description If you leave this field blank, the default unit is used. Specify the measurement unit for data packets sent to the HWTACACS server for traffic accounting. Options include: • One-packet (default). • Kilo-packet. Unit for Packets • Mega-packet. •...
  • Page 327 Figure 335 Page for adding an HWTACACS scheme b. Click Add. The Add HWTACACS Scheme page appears, as shown in Figure 336. Figure 336 Creating the HWTACACS scheme system c. Click Apply. The added HWTACACS scheme is displayed, as shown in Figure 337.
  • Page 328 Figure 339 Configuring the HWTACACS authentication server d. Click Apply. The HWTACACS Server Configuration area displays the added HWTACACS server, as shown in Figure 340. Figure 340 Displaying the added HWTACACS server Configure the HWTACACS authorization server: a. In the HWTACACS Server Configuration area, click Add. b.
  • Page 329 Figure 341 Configuring the parameters for communication Configure the ISP domain test: a. From the navigation tree, select Authentication > AAA. b. Enter test in the Domain Name field, as shown in Figure 342. c. Click Apply. Figure 342 Configuring the ISP domain test Configure an authentication method for the ISP domain, as shown in Figure 343:...
  • Page 330 a. Click the Authentication tab. b. Select the ISP domain test from the list. c. Select Default AuthN, and then select HWTACACS from the list. d. Select system from the Name list. e. Click Apply. A progress dialog box appears. f.
  • Page 331: Verifying The Configuration

    c. Select Accounting Optional, and then select Enable from the list. d. Select Default Accounting, and then select HWTACACS from the list. e. Select system from the Name list. f. Click Apply. A progress dialog box appears. g. When the configuration progress is complete, click Close. Figure 345 Configuring an accounting method for the ISP domain Verifying the configuration # Initiate a connection to the HPE NJ5000 5G PoE+ switch from the host, and enter the username...
  • Page 332 • HWTACACS authentication must work with HWTACACS authorization. If only HWTACACS authentication is configured, but HWTACACS authorization is not, users cannot log in. • You can remove an HWTACACS server only when the device and the server do not have active TCP connections for sending authentication, authorization, or accounting packets.
  • Page 333: Configuring Users

    Configuring users You can configure local users and create groups to manage them. A local user represents a set of user attributes configured on a device (such as the user password, user type, service type, and authorization attribute), and is uniquely identified by the username. For a user to pass local authentication, you must add an entry for the user in the local user database of the device.
  • Page 334 Figure 347 Local user configuration page Configure the local user as described in Table 114. Click Apply. Table 114 Configuration items Item Description Username Specify a name for the local user. Password Specify and confirm the password of the local user. Confirm The settings of these two fields must be the same.
  • Page 335: Configuring A User Group

    Item Description checks whether the expiration time has passed. If it has not passed, the device permits the user to log in. Specify the VLAN to be authorized to the local user after the user passes authentication. VLAN This option takes effect only on LAN users. Specify the ACL to be used by the access device to restrict the access of the local user after the user passes authentication.
  • Page 336 Click Apply. Table 115 Configuration items Item Description Group-name Specify a name for the user group. Select an authorization level for the user group: Visitor, Monitor, Configure, or Level Management, in ascending order of priority. Specify the VLAN to be authorized to users of the user group after the users pass VLAN authentication.
  • Page 337: Managing Certificates

    Managing certificates Overview The Public Key Infrastructure (PKI) offers an infrastructure for securing network services through public key technologies and digital certificates, and for verifying the identities of the digital certificate owners. A digital certificate is a binding of certificate owner identity information and a public key. Users can get certificates, use certificates, and revoke certificates.
  • Page 338: How Pki Works

    Figure 350 PKI architecture Entity An entity is an end user of PKI products or services, such as a person, an organization, a device like a router or a switch, or a process running on a computer. A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs.
  • Page 339: Pki Applications

    The entity makes a request to the CA when it needs to revoke its certificate. The CA approves the request, updates the CRLs and publishes the CRLs on the LDAP server. PKI applications The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI has a wide range of applications.
  • Page 340 Step Remarks By default, no local RSA key pair exists. Generating an RSA key pair is an important step in certificate request. The key pair includes a public key and a private key. The private key is kept by the user, and the public key is transferred to the CA along with some other information.
  • Page 341: Recommended Configuration Procedure For Automatic Request

    Recommended configuration procedure for automatic request Task Remarks Required. Create a PKI entity and configure the identity information. A certificate is the binding of a public key and the identity information of an entity, where the DN shows the identity information of the entity. A CA Creating a PKI entity identifies a certificate applicant uniquely by an entity DN.
  • Page 342: Creating A Pki Domain

    Figure 352 PKI entity configuration page Configure the parameters, as described in Table 116. Click Apply. Table 116 Configuration items Item Description Entity Name Enter the name for the PKI entity. Common Name Enter the common name for the entity. IP Address Enter the IP address of the entity.
  • Page 343 Figure 353 PKI domain list Click Add. Click Display Advanced Config to display the advanced configuration items. Figure 354 PKI domain configuration page Configure the parameters, as described in Table 117. Click Apply. Table 117 Configuration items Item Description Domain Name Enter the name for the PKI domain.
  • Page 344 Item Description information. Available PKI entities are those that have been configured. Institution Select the authority for certificate request. • CA—Indicates that the entity requests a certificate from a CA. • RA—Indicates that the entity requests a certificate from an RA. RA is recommended.
  • Page 345: Generating An Rsa Key Pair

    Item Description name. This item is available after you click the Enable CRL Checking box. If the URL of the CRL distribution point is not set, you should get the CA certificate and a local certificate, and then get a CRL through SCEP. Generating an RSA key pair From the navigation tree, select Authentication >...
  • Page 346: Destroying The Rsa Key Pair

    Destroying the RSA key pair From the navigation tree, select Authentication > Certificate Management. Click the Certificate tab. Click Destroy Key. Click Apply to destroy the existing RSA key pair and the corresponding local certificate. Figure 357 Key pair destruction page Retrieving and displaying a certificate You can retrieve an existing CA certificate or local certificate from the CA server and save it locally.
  • Page 347 Item Description Mode like FTP, disk, or email), and then import the certificate into the local PKI system. The following configuration items are displayed if this box is selected. Get File From Specify the path and name of the certificate file to import: Device •...
  • Page 348: Requesting A Local Certificate

    Requesting a local certificate From the navigation tree, select Authentication > Certificate Management. Click the Certificate tab. Click Request Cert. Figure 360 Local certificate request page Configure the parameters, as described in Table 119. Table 119 Configuration items Item Description Domain Name Select the PKI domain for the certificate.
  • Page 349: Retrieving And Displaying A Crl

    Retrieving and displaying a CRL From the navigation tree, select Authentication > Certificate Management. Click the CRL tab. Figure 362 CRL page Click Retrieve CRL to retrieve the CRL of a domain. Click View CRL for the domain to display the contents of the CRL. Figure 363 CRL information Table 120 Field description Field...
  • Page 350: Pki Configuration Example

    Field Description Next Update Next update time. X509v3 CRL Number CRL sequence number. X509v3 Authority Key Identifier Identifier of the CA that issued the certificate and the certificate version (X509v3). keyid Public key identifier. A CA might have multiple key pairs, and this field identifies which key pair is used for the CRL signature.
  • Page 351 c. Enter aaa as the PKI entity name, enter ac as the common name, and click Apply. Figure 365 Creating a PKI entity Create a PKI domain: a. Click the Domain tab. b. Click Add. The page in Figure 366 appears.
  • Page 352 Figure 366 Creating a PKI domain Generate an RSA key pair: a. Click the Certificate tab. b. Click Create Key. c. Enter 1024 as the key length, and click Apply to generate an RSA key pair. Figure 367 Generating an RSA key pair Retrieve the CA certificate: a.
  • Page 353 Figure 368 Retrieving the CA certificate Request a local certificate: a. Click the Certificate tab. b. Click Request Cert. c. Select torsa as the PKI domain, select Password , and enter challenge-word as the password. d. Click Apply. The system displays "Certificate request has been submitted." e.
  • Page 354: Configuration Guidelines

    Configuration guidelines When you configure PKI, follow these guidelines: • Make sure the clocks of entities and the CA are synchronous. Otherwise, the validity period of certificates will be abnormal. • The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the PKI entity identity information in a certificate request goes beyond a certain limit, the server will not respond to the certificate request.
  • Page 355: Configuring Mac Authentication

    Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
  • Page 356: Using Mac Authentication With Other Features

    are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance. • Server timeout timer—Sets the interval that the device waits for a response from a RADIUS server before it regards the RADIUS server unavailable. If the timer expires during MAC authentication, the user cannot access the network.
  • Page 357: Recommended Configuration Procedure

    accounts, make sure the username and password for each account are the same as the MAC address of each MAC authentication user. Make sure the port security feature is disabled. For more information about port security, see "Configuring port security." Recommended configuration procedure Step Remarks...
  • Page 358: Configuring Mac Authentication On A Port

    Configure MAC authentication global settings as described in Table 121, and then click Apply. Table 121 Configuration items Item Description Enable MAC Authentication Specify whether to enable MAC authentication globally. Offline Detection Period Set the period that the device waits for traffic from a user before it regards the user idle.
  • Page 359: Mac Authentication Configuration Examples

    Item Description the 802.1X guest VLAN on a port that performs MAC-based access control. If a user fails both types of authentication, the access port adds the user to the 802.1X guest VLAN. For more information about 802.1X guest VLANs, see "Configuring 802.1X."...
  • Page 360 Figure 374 Creating an ISP domain Click the Authentication tab. Select the ISP domain aabbcc.net. Select LAN-access AuthN, and select Local from the list. Figure 375 Configuring the authentication method for the ISP domain Click Apply. A configuration progress dialog box appears, as shown in Figure 376.
  • Page 361 Figure 376 Configuration progress dialog box After the configuration process is complete, click Close. Configuring MAC authentication Configure MAC authentication globally: a. From the navigation tree, select Authentication > MAC Authentication. b. Select Enable MAC Authentication. c. Click Advanced, and configure advanced MAC authentication. d.
  • Page 362: Acl Assignment Configuration Example

    Configure MAC authentication for GigabitEthernet 1/0/1: a. In the Ports With MAC Authentication Enabled area, click Add. b. Select GigabitEthernet1/0/1 from the Port list, and click Apply. Figure 378 Enabling MAC authentication for port GigabitEthernet 1/0/1 ACL assignment configuration example Network requirements As shown in Figure...
  • Page 363 c. Enter the scheme name system. d. Select the server type Extended. e. Select Without domain name from the Username Format list. f. Click Apply. Configure the primary authentication server in the RADIUS scheme: a. In the RADIUS Server Configuration area, click Add. b.
  • Page 364 Figure 382 RADIUS configuration Configuring AAA for the scheme Create an ISP domain: a. From the navigation tree, select Authentication > AAA. b. On the Domain Setup page, enter test in the Domain Name field and click Apply.
  • Page 365 Figure 383 Creating an ISP domain Configure AAA authentication method for the ISP domain: a. Click the Authentication tab. b. Select the ISP domain test. c. Select Default AuthN, select the authentication method RADIUS, and select the authentication scheme system from the Name list. Figure 384 Configuring the authentication method for the ISP domain d.
  • Page 366 Figure 385 Configuration progress dialog box e. After the configuration process is complete, click Close. Configure AAA authorization method for the ISP domain: a. Click the Authorization tab. b. Select the ISP domain test. c. Select Default AuthZ, select the authorization mode RADIUS, and select the authorization scheme system from the Name list.
  • Page 367 Figure 387 Configuring the accounting method for the ISP domain e. After the configuration process is complete, click Close. Configuring an ACL From the navigation tree, select QoS > ACL IPv4. Click the Add tab. Enter the ACL number 3000, and then click Apply. Figure 388 Adding ACL 3000 Click the Advanced Setup tab.
  • Page 368 d. In the IP Address Filter area, select Destination IP Address: − Enter the destination IP address 10.0.0.1. − Enter the destination address wildcard 0.0.0.0. e. Click Add. Figure 389 Configuring an ACL rule Configuring MAC authentication Configure MAC authentication globally: a.
  • Page 369 d. Select the authentication ISP domain test, select the authentication information format MAC without hyphen, and click Apply. Figure 390 Configuring MAC authentication globally Configure MAC authentication for GigabitEthernet 1/0/1: a. In the Ports With MAC Authentication Enabled area, click Add. b.
  • Page 370: Configuring Port Security

    Configuring port security Overview Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. It applies to networks that require different authentication methods for different users on a port. Port security prevents unauthorized access to a network by checking the source MAC address of inbound traffic and prevents access to unauthorized devices by checking the destination MAC address of outbound traffic.
  • Page 371 • Advanced mode—Port security supports 802.1X and MAC authentication. Different port security modes represent different combinations of the two methods. Table 123 describes the advanced security modes. Table 123 Advanced security modes Advanced mode Description MAC-Auth A port performs MAC authentication for users. It services multiple users. A port performs 802.1X authentication and implements port-based access control.
  • Page 372: Configuration Guidelines

    Configuration guidelines When you configure port security, follow these restrictions and guidelines: • Before you enable port security, disable 802.1X and MAC authentication globally. • Only one port security mode can be configured on a port. • The outbound restriction feature is not supported in this release. Recommended configuration procedure To configure basic port security mode: Step...
  • Page 373: Configuring Global Settings For Port Security

    Step Remarks mode. You can configure up to 16 permitted OUI values. A port in this mode allows only one 802.1X user and one user whose MAC address contains the specified OUI to pass authentication at the same time. By default, no OUI values are configured. Configuring global settings for port security From the navigation tree, select Authentication >...
  • Page 374: Configuring Basic Port Security Control

    Table 124 Configuration items Item Description Enable Port Security Specify whether to enable the port security feature globally. By default, port security is disabled. Configure intrusion protection actions globally. Intrusion protection actions: • Temporarily Disabling Port Time—Sets the time length for how long the port is disabled temporarily upon receiving illegal frames.
  • Page 375: Configuring Secure Mac Addresses

    Table 125 Configuration items Item Description Port Select a port where you want to configure port security. By default, port security is disabled on all ports, and access to the ports is not restricted. Set the maximum number of secure MAC addresses on the port. The number of authenticated users on the port cannot exceed the specified upper limit.
  • Page 376: Configuring Advanced Port Security Control

    Figure 396 Secure MAC address list Click Add. The page for adding a secure MAC address appears. Figure 397 Adding secure MAC address Configure a secure MAC address as described in Table 126. Click Apply. Table 126 Configuration items Item Description Port Select a port where the secure MAC address is configured.
  • Page 377 The page for configuring advanced port security control appears. Figure 399 Configuring advanced port security control Configure advanced port security control as described in Table 127. Click Apply. Table 127 Configuration items Item Description Port Select a port where you want to configure port security. By default, port security is disabled on all ports, and access to the ports is not restricted.
  • Page 378: Configuring Permitted Ouis

    Configuring permitted OUIs From the navigation tree, select Authentication > Port Security. The Port Security page as shown in Figure 392 appears. In the Advanced Port Security Configuration area, click Permitted OUIs. Figure 400 Permitted OUIs Enter the 48-bit MAC address in the format of H-H-H in the OUI Value field. Click Add.
  • Page 379 Figure 402 Configuring port security Configuring the basic port security control In the Security Ports And Secure MAC Address List area, click Add. On the page that appears, select GigabitEthernet1/0/3. Enter 3 as the maximum number of MAC addresses. Select Enable Intrusion Protection, and select Disable Port Temporarily from the list. Click Apply.
  • Page 380 Figure 404 Secure MAC address list When the maximum number of MAC addresses is reached, intrusion protection is triggered. Select Device > Port Management from the navigation tree, and then select the Detail tab. On the page, click the target port (GigabitEthernet 1/0/3 in this example) to view details. Figure 405 shows that the port state is inactive.
  • Page 381: Advanced Port Security Mode Configuration Example

    Figure 406 Displaying port state If you remove MAC addresses from the secure MAC address list, the port can continue to learn MAC addresses. Advanced port security mode configuration example Network requirements As shown in Figure 407, the switch authenticates the client with a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
  • Page 382 Configuring a RADIUS scheme Create a RADIUS scheme: a. From the navigation tree, select Authentication > RADIUS. b. Click Add. c. On the page that appears, configure a RADIUS scheme: − Enter the scheme name system. − Select the service type Extended. −...
  • Page 383 c. Click Apply. The RADIUS Server Configuration area displays the servers you have configured, as shown in Figure 410. Figure 410 Configuring the RADIUS scheme Click Apply. Configuring AAA Configure AAA authentication method: a. From the navigation tree, select Authentication > AAA. b.
  • Page 384 Figure 412 Configuration progress dialog box f. When the configuration process is complete, click Close. Configure AAA authorization method: a. Click the Authorization tab. b. Select the ISP domain system. c. Select Default AuthZ, select authorization method RADIUS from the list, and select the authorization scheme system from the Name list.
  • Page 385 Figure 414 Configuring AAA accounting e. When the configuration process is complete, click Close. Configuring port security Enable port security: a. From the navigation tree, select Authentication > Port Security. b. Select Enable Port Security. c. Click Apply. Figure 415 Configuring global port security settings Configure advanced port security control: a.
  • Page 386 b. Select GigabitEthernet1/0/1 from the Port list, and select 802.1X MAC Based Or OUI from the Security Mode list. c. Click Apply. Figure 416 Configuring advanced port security control settings on GigabitEthernet 1/0/1 Add permitted OUIs: a. In the Advanced Port Security Configuration area, click Permitted OUIs. b.
  • Page 387: Configuring Port Isolation

    Configuring port isolation The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs. You can also use this feature to isolate the hosts in a VLAN from one another. The switch supports only one isolation group that is automatically created as isolation group 1. You cannot remove the isolation group or create other isolation groups on the device.
  • Page 388: Port Isolation Configuration Example

    Port isolation configuration example Network requirements As shown in Figure 419: • Campus network users Host A, Host B, and Host C are connected to GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4 of Switch. • Switch is connected to the external network through GigabitEthernet 1/0/1. •...
  • Page 389 Figure 420 Assigning ports to the isolation group a. Click Apply. A configuration progress dialog box appears. b. After the configuration process is complete, click Close. Viewing information about the isolation group Click Summary. Display port isolation group 1, which contains ports GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4.
  • Page 390: Configuring Authorized Ip

    Configuring authorized IP The authorized IP function associates the HTTP or Telnet service with an ACL to filter the requests of clients. Only the clients that pass the ACL filtering can access the device. Configuration procedure From the navigation tree, select Security > Authorized IP. Click Setup to enter the authorized IP configuration page.
  • Page 391: Authorized Ip Configuration Example

    Authorized IP configuration example Network requirements As shown in Figure 423, configure Switch to deny Telnet and HTTP requests from Host A, and permit Telnet and HTTP requests from Host B. Figure 423 Network diagram Configuration procedure Create an ACL: a. From the navigation tree, select QoS > ACL IPv4. b.
  • Page 392 b. Select 2001 from the ACL list, select Permit from the Action list, select the Source IP Address box and enter 10.1.1.3, and then enter 0.0.0.0 in the Source Wildcard field. c. Click Add. Figure 425 Configuring an ACL rule to permit Host B Configure authorized IP: a.
  • Page 393: Configuring Loopback Detection

    Configuring loopback detection A loop occurs when a port receives a packet sent by itself. Loops might cause broadcast storms. The purpose of loopback detection is to detect loops on ports. With loopback detection enabled on an Ethernet port, the device periodically checks for loops on the port.
  • Page 394: Configuring Loopback Detection On A Port

    Figure 427 Loopback Detection page In the System Loopback Detection area, configure the global loopback detection settings as described in Table 130, and then click Apply. Table 130 Configuration items Item Description Set whether to enable loopback detection globally. Enable loopback detection on the system Set the loopback detection interval.
  • Page 395: Configuring Acls

    Configuring ACLs Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document. Grayed-out options on Web configuration pages cannot be configured. Overview An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number.
  • Page 396: Implementing Time-Based Acl Rules

    ACL category Sequence of tie breakers Narrower TCP/UDP service port number range. Smaller ID. Longer prefix for the source IP address (a longer prefix means a narrower IP address range). IPv6 basic ACL Smaller ID. Specific protocol number. Longer prefix for the source IPv6 address. Longer prefix for the destination IPv6 address.
  • Page 397: Ipv4 Fragments Filtering With Acls

    • Absolute time range—Represents only a period of time and does not recur. IPv4 fragments filtering with ACLs Traditional packet filtering matches only first fragments of IPv4 packets, and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks. To improve network security, ACL filters all packets by default, including fragments and non-fragmented packets.
  • Page 398: Configuring A Time Range

    Step Remarks Configuring a rule for an advanced IPv6 ACL Complete one of the tasks according to the ACL category. Configuring a time range Select QoS > Time Range from the navigation tree. Click the Add tab. Figure 428 Adding a time range Configure a time range as described in Table 133.
  • Page 399: Adding An Ipv4 Acl

    Item Description and the date is in the MM/DD/YYYY format. The end time of the period must be greater than the start time. Adding an IPv4 ACL Select QoS > ACL IPv4 from the navigation tree. Click the Add tab. Figure 429 Adding an IPv4 ACL Add an IPv4 ACL as described in Table 134.
  • Page 400 Figure 430 Configuring a basic IPv4 ACL Configure a rule for a basic IPv4 ACL. Click Add. Table 135 Configuration items Item Description Select the basic IPv4 ACL for which you want to configure rules. Available ACLs are basic IPv4 ACLs. Select the Rule ID box and enter a number for the rule.
  • Page 401: Configuring A Rule For An Advanced Ipv4 Acl

    Item Description Source IP Address / Source Wildcard Select the Source IP Address box and enter a source IPv4 address and a wildcard mask, in dotted decimal notation. Time Range Select the time range during which the rule takes effect. Configuring a rule for an advanced IPv4 ACL Select QoS >...
  • Page 402 Configure a rule for an advanced IPv4 ACL as described in Table 136. Click Add. Table 136 Configuration items Item Description Select the advanced IPv4 ACL for which you want to configure rules. Available ACLs are advanced IPv4 ACLs. Rule ID Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically.
  • Page 403: Configuring A Rule For An Ethernet Frame Header Acl

    Item Description TCP Connection Established Select this box to make the rule match packets used for establishing and maintaining TCP connections. These items are available only when you select 6 TCP from the Protocol list. Source / Destination Operator Select the operators and enter the source port numbers and destination port numbers as required.
  • Page 404 Figure 432 Configuring a rule for an Ethernet frame header ACL Configure a rule for an Ethernet frame header IPv4 ACL as described in Table 137. Click Add. Table 137 Configuration items Item Description Select the Ethernet frame header IPv4 ACL for which you want to configure rules.
  • Page 405: Adding An Ipv6 Acl

    Item Description Filter Source Mask Destination MAC Address / Destination Mask Select the Destination MAC Address box and enter a destination MAC address and a mask. COS(802.1p priority) Specify the 802.1p priority for the rule. LSAP Type Select the LSAP Type box and specify the DSAP and SSAP fields in the LLC encapsulation by configuring the following items: •...
  • Page 406: Configuring A Rule For A Basic Ipv6 Acl

    Item Description Match Order Select a match order for the ACL. Available values are: • Config—Packets are compared against ACL rules in the order the rules are configured. • Auto—Packets are compared against ACL rules in the depth-first match order. Description Set the description for the ACL.
  • Page 407: Configuring A Rule For An Advanced Ipv6 Acl

    Item Description • Permit—Allows matched packets to pass. • Deny—Drops matched packets. Check Fragment Select this box to apply the rule to only non-first fragments. If you do not select this box, the rule applies to all fragments and non-fragments. Select this box to keep a log of matched IPv6 packets.
  • Page 408 Figure 435 Configuring a rule for an advanced IPv6 ACL Add a rule for an advanced IPv6 ACL as described in Table 140. Click Add. Table 140 Configuration items Item Description Select Access Control List (ACL) Select the advanced IPv6 ACL for which you want to configure rules. Select the Rule ID box and enter a number for the rule.
  • Page 409 Item Description Check Logging Select this box to keep a log of matched IPv6 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol number, source/destination address, source/destination port number, and number of matched packets. This function is not supported.
  • Page 410: Configuring Qos

    Configuring QoS Grayed-out options on Web configuration pages cannot be configured. Overview Quality of Service (QoS) reflects the ability of a network to meet customer needs. In an internet, QoS evaluates the ability of the network to forward packets of different services. The evaluation can be based on different criteria because the network might provide various services.
  • Page 411 Figure 436 Traffic congestion causes • The traffic enters a device from a high speed link and is forwarded over a low speed link. • The packet flows enter a device from several incoming interfaces and are forwarded out of an outgoing interface, whose rate is smaller than the total rate of these incoming interfaces.
  • Page 412: End-To-End Qos

    End-to-end QoS Figure 437 End-to-end QoS model (each node in the figure performs traffic classification, traffic policing, congestion management, congestion avoidance, and traffic shaping) As shown in Figure...
  • Page 413: Packet Precedences

    downstream network can either use the classification results from its upstream network or classify the packets again according to its own criteria. To provide differentiated services, traffic classes must be associated with certain traffic control actions or resource allocation actions. What traffic control actions to use depends on the current phase and the resources of the network.
  • Page 414 DSCP value (decimal) / DSCP value (binary) / Description: 18 / 010010 / af21; 20 / 010100 / af22; 22 / 010110 / af23; 26 / 011010 / af31; 28 / 011100 / af32; 30 / 011110 / af33; 34 / 100010 / af41; 36 / 100100 / af42; 38 / 100110 / af43; 8 / 001000; 16 / 010000; 24 / 011000; 32 / 100000; 40 / 101000; 48 / 110000; 56 / 111000; 0 / 000000 / be (default). 802.1p priority 802.1p priority lies in Layer 2 packet headers and applies to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.
  • Page 415: Queue Scheduling

    Figure 440 802.1Q tag header (Byte 1 to Byte 4: the TPID (Tag protocol identifier) field followed by the TCI (Tag control information) field, which carries the Priority bits and the VLAN ID)...
  • Page 416 Figure 441 SP queuing A typical switch provides eight queues per port. As shown in Figure 441, SP queuing classifies eight queues on a port into eight classes, numbered 7 to 0 in descending priority order. SP queuing schedules the eight queues strictly according to the descending order of priority. It sends packets in the queue with the highest priority first.
  • Page 417: Rate Limit

    to the queue. On a 100 Mbps port, you can set the weight values of WRR queuing to 25, 25, 15, 15, 5, 5, 5, and 5 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0, respectively). In this way, the queue with the lowest priority is assured of at least 5 Mbps of bandwidth, and the disadvantage of SP queuing (that packets in low-priority queues might fail to be served for a long time) is avoided.
  • Page 418: Priority Mapping

    • Burst size—The capacity of the token bucket, or the maximum traffic size permitted in each burst. It is usually set to the committed burst size (CBS). The set burst size must be greater than the maximum packet size. One evaluation is performed on each arriving packet. In each evaluation, if the number of tokens in the bucket is enough, the traffic conforms to the specification and the tokens for forwarding the packet are taken away.
  • Page 419: Introduction To Priority Mapping Tables

    • Trust port priority—The device assigns a priority to a packet by mapping the priority of the receiving port. You can select one priority trust mode as needed. Figure 445 shows the process of priority mapping on a device. Figure 445 Priority mapping process Introduction to priority mapping tables The device provides the following types of priority mapping tables: •...
  • Page 420: Configuration Guidelines

    Input DSCP value Local precedence (Queue) 40 to 47 48 to 55 56 to 63 Configuration guidelines When an ACL is referenced by a QoS policy for traffic classification, the action (permit or deny) in the ACL is ignored, and the actions in the associated traffic behavior are performed. Recommended QoS configuration procedures Recommended QoS policy configuration procedure A QoS policy involves the following components: class, traffic behavior, and policy.
  • Page 421: Adding A Class

    Step Remarks Add a policy. Required. Associate the traffic behavior with the class in the QoS policy. Configuring classifier-behavior associations for the policy A class can be associated with only one traffic behavior in a QoS policy. Associating a class already associated with a traffic behavior will overwrite the old association.
  • Page 422: Configuring Classification Rules

    Figure 446 Adding a class Add a class as described in Table 147. Click Add. Table 147 Configuration items Item Description Classifier Name Specify a name for the classifier to be added. Specify the logical relationship between rules of the classifier. •...
  • Page 423 Figure 447 Configuring classification rules Configure classification rules for a class as described in Table 148. Click Apply. Table 148 Configuration items Item Description Define a rule to match customer VLAN IDs. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.
  • Page 424: Adding A Traffic Behavior

    Item Description ACL IPv6 Define an IPv6 ACL-based rule. Adding a traffic behavior Select QoS > Behavior from the navigation tree. Click the Add tab to enter the page for adding a traffic behavior. Figure 448 Adding a traffic behavior Add a traffic behavior as described in Table 149.
  • Page 425: Configuring Other Actions For A Traffic Behavior

    Figure 449 Port setup page for a traffic behavior Configure traffic mirroring and traffic redirecting as described in Table 150. Click Apply. Table 150 Configuration items Item Description Please select a behavior Select an existing behavior in the list. Mirror To Set the action of mirroring traffic to the specified destination port.
  • Page 426 Figure 450 Setting a traffic behavior Configure other actions for a traffic behavior as described in Table 151. Click Apply. Table 151 Configuration items Item Description Please select a behavior Select an existing behavior in the list. Enable/Disable Enable or disable CAR. Set the committed information rate (CIR), the average traffic rate.
  • Page 427: Adding A Policy

    Item Description • Not Set—Cancels the packet filtering action. Adding a policy Select QoS > QoS Policy from the navigation tree. Click the Add tab to enter the page for adding a policy. Figure 451 Adding a policy Add a policy as described in Table 152.
  • Page 428: Applying A Policy To A Port

    Figure 452 Setting a policy Configure a classifier-behavior association for a policy as described in Table 153. Click Apply. Table 153 Configuration items Item Description Please select a policy Select an existing policy in the list. Classifier Name Select an existing classifier in the list. Behavior Name Select an existing behavior in the list.
  • Page 429: Configuring Queue Scheduling On A Port

    Table 154 Configuration items Item Description Please select a policy Select an existing policy in the list. Direction Set the direction in which the policy is to be applied. • Inbound—Applies the policy to the incoming packets of the specified ports. •...
  • Page 430: Configuring Gts On Ports

    Configuring GTS on ports. From the navigation tree, select QoS > GTS. Click the Setup tab, as shown in Figure 455 (GTS). Configure GTS parameters as described in Table 156, then click Apply. Table 156 Configuration items: Enable or disable GTS.
  • Page 431: Configuring Priority Mapping Tables

    Figure 456 Configuring rate limit on a port. Configure rate limit on a port as described in Table 157, then click Apply. Table 157 Configuration items: Please select an interface type: Select the type of interfaces to be configured with rate limit. Rate Limit: Enable or disable rate limit on the specified port.
  • Page 432: Configuring Priority Trust Mode On A Port

    Figure 457 Configuring priority mapping tables. Configure a priority mapping table as described in Table 158, then click Apply. Table 158 Configuration items: Mapping Type: Select the priority mapping table to be configured, either CoS to Queue or DSCP to Queue. Input Priority Value: Set the output priority value for each input priority value.
  • Page 433 Click Apply. Table 159 Configuration items: Interface: Interface to be configured. Priority: Set a local precedence value for the port. Trust Mode: Select a priority trust mode for the port. Untrust: Packet priority is not trusted. Dot1p: The 802.1p priority of the incoming packets is trusted and used for priority mapping. ...
  • Page 434: Acl And Qos Configuration Example

    ACL and QoS configuration example. Network requirements: As shown in Figure 460, the FTP server (10.1.1.1/24) is connected to the Switch, and the clients access the FTP server through GigabitEthernet 1/0/1 of the Switch. Configure an ACL and a QoS policy as follows to prevent the hosts from accessing the FTP server from 8:00 to 18:00 every day: add a periodic time range covering 8:00 to 18:00, add an advanced IPv4 ACL whose rule permits (that is, matches) traffic destined to the FTP server during that time range, reference the ACL from a traffic class, give the associated traffic behavior a packet filtering action of deny, and apply the QoS policy inbound on GigabitEthernet 1/0/1. The ACL rule's Permit action only selects the traffic; the drop comes from the behavior. Outside the time range the rule is inactive, so the class matches nothing and FTP traffic passes.
  • Page 435 Figure 461 Defining a time range covering 8:00 to 18:00 every day Add an advanced IPv4 ACL: a. Select QoS > ACL IPv4 from the navigation tree. b. Click the Add tab. c. Enter the ACL number 3000. d. Click Apply. Figure 462 Adding an advanced IPv4 ACL Define an ACL rule for traffic to the FTP server: a.
  • Page 436 d. Select Permit in the Action list. e. Select the Destination IP Address box, and enter IP address 10.1.1.1 and destination wildcard 0.0.0.0. f. Select test-time in the Time Range list. g. Click Add. Figure 463 Defining an ACL rule for traffic to the FTP server Add a class: a.
  • Page 437 Figure 464 Adding a class Define classification rules: a. Click the Setup tab. b. Select the class name class1 in the list. c. Select the ACL IPv4 box, and select ACL 3000 in the following list.
  • Page 438 Figure 465 Defining classification rules d. Click Apply. A progress dialog box appears, as shown in Figure 466. e. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
  • Page 439 Figure 466 Configuration progress dialog box Add a traffic behavior: a. Select QoS > Behavior from the navigation tree. b. Click the Add tab. c. Enter the behavior name behavior1. d. Click Add. Figure 467 Adding a traffic behavior Configure actions for the traffic behavior: a.
  • Page 440 Figure 468 Configuring actions for the behavior Add a policy: a. Select QoS > QoS Policy from the navigation tree. b. Click the Add tab. c. Enter the policy name policy1. d. Click Add. Figure 469 Adding a policy Configure classifier-behavior associations for the policy: a.
  • Page 441 b. Select policy1. c. Select class1 from the Classifier Name list. d. Select behavior1 from the Behavior Name list. e. Click Apply. Figure 470 Configuring classifier-behavior associations for the policy 10. Apply the QoS policy in the inbound direction of interface GigabitEthernet 1/0/1: a.
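The following is an added example, not code from the HPE guide or the switch, that models how the ACL, class, behavior and policy built in the steps above decide a packet's fate once policy1 is applied inbound on GigabitEthernet 1/0/1. The semantics it assumes (wildcard-mask comparison where a 1 bit means "don't care", a rule with a time range being skipped entirely outside that range, and an ACL permit meaning "belongs to the class" with the behavior's Deny doing the dropping) are the usual Comware ones and are stated as assumptions; the names ACL 3000, test-time, 10.1.1.1 and policy1 are the page's own, and the sample packets are constructed.

```python
"""Added example, not code from the HPE guide: a small model of how the
ACL + QoS policy from this configuration example decides a packet's fate.

Assumed semantics (standard Comware behaviour, stated here as assumptions):
- an advanced IPv4 ACL rule compares the destination address under a
  wildcard mask where a 1 bit means "don't care" (0.0.0.0 = exact host);
- a rule with a periodic time range is skipped entirely outside that range
  (end time assumed exclusive, no overnight wrap modelled);
- inside a QoS class, a matching "permit" rule means "this packet belongs
  to the class", and the behavior's packet-filter action (Deny) drops it.
Names (ACL 3000, test-time, 10.1.1.1, policy1) are the page's own; the
sample packets are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)


@dataclass(frozen=True)
class TimeRange:
    name: str
    start: time
    end: time

    def active(self, at: datetime) -> bool:
        return self.start <= at.time() < self.end


@dataclass(frozen=True)
class AclRule:
    action: str                      # "permit" or "deny"
    dst: str
    dst_wildcard: str
    time_range: Optional[TimeRange] = None

    def matches(self, dst_ip: str, at: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(at):
            return False             # inactive rule: ignored, not "deny"
        return wildcard_match(dst_ip, self.dst, self.dst_wildcard)


def acl_lookup(rules: List[AclRule], dst_ip: str, at: datetime) -> Optional[str]:
    """First matching rule wins; None if nothing matched."""
    for rule in rules:
        if rule.matches(dst_ip, at):
            return rule.action
    return None


@dataclass(frozen=True)
class QosPolicy:
    acl_rules: List[AclRule]         # the class (class1) matches this ACL
    filter_action: str               # behavior1's packet-filter action


def forwarded(policy: QosPolicy, dst_ip: str, at: datetime) -> bool:
    """True if a packet entering the port with the policy applied inbound
    is forwarded. Only packets the ACL permits belong to the class; the
    behavior then filters them. Everything else passes untouched."""
    if acl_lookup(policy.acl_rules, dst_ip, at) != "permit":
        return True
    return policy.filter_action != "deny"


# The page's example, expressed as data
TEST_TIME = TimeRange("test-time", time(8, 0), time(18, 0))
ACL_3000 = [AclRule("permit", "10.1.1.1", "0.0.0.0", TEST_TIME)]
POLICY1 = QosPolicy(ACL_3000, filter_action="deny")


def example_results() -> Dict[str, bool]:
    """Constructed sample packets: the FTP server inside and outside the
    window, and an unrelated host inside the window."""
    return {
        "ftp_09:30": forwarded(POLICY1, "10.1.1.1", datetime(2016, 10, 12, 9, 30)),
        "ftp_19:00": forwarded(POLICY1, "10.1.1.1", datetime(2016, 10, 12, 19, 0)),
        "other_09:30": forwarded(POLICY1, "10.1.1.2", datetime(2016, 10, 12, 9, 30)),
    }


if __name__ == "__main__":
    for name, ok in example_results().items():
        print(f"{name}: {'forwarded' if ok else 'dropped'}")
```

The point the model makes explicit is the one that trips people up when auditing such a policy: an ACL permit inside a QoS class is a match condition, not an allow, and a rule bound to an inactive time range disappears rather than becoming a deny. If the intent were to block at all times except the window, the ACL or the behavior would have to be built the other way round.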
  • Page 442: Configuring Poe

    Configuring PoE Overview Power over Ethernet (PoE) enables a power sourcing equipment (PSE) to supply power to powered devices (PDs) through Ethernet interfaces over straight-through twisted pair cables. Examples of PDs include IP telephones, wireless APs, portable chargers, card readers, Web cameras, and data collectors.
  • Page 443: Protocols And Standards

    Protocols and standards The device supports IEEE 802.3af and IEEE 802.3at. Configuring PoE Before configuring PoE, make sure the PoE power supply and PSE are operating correctly. Otherwise, either you cannot configure PoE or the PoE configuration does not take effect. Configuring PoE ports Select PoE >...
  • Page 444: Configuring Non-Standard Pd Detection

    When the sum of the power consumption of all ports exceeds the maximum power of the PSE, the system considers the PSE overloaded. The power priority of the ports on the HPE NJ5000 5G PoE+ switch cannot be changed. If multiple PIs (the PoE-capable power interfaces) require power during an overload, the one with the smallest ID takes precedence.
  • Page 445: Poe Configuration Example

    Figure 475 PoE summary (with GigabitEthernet 1/0/3 selected). PoE configuration example. Network requirements: As shown in Figure 476, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 are connected to IP telephones. The IP telephones must have a higher power supply priority than the AP, so that the PSE supplies power to the IP telephones first if the PSE is overloaded. Because port priority on this switch cannot be changed and the port with the smallest ID is served first during an overload, this holds only if the AP is connected to a port with a higher ID than the telephone ports.
  • Page 446 Figure 477 Configuring the PoE ports supplying power to the IP telephones Enable PoE on GigabitEthernet 1/0/4: a. Click the Setup tab. b. On the tab, click to select port GigabitEthernet 1/0/4 from the chassis front panel, and then select Enable from the Power State list. c.
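The following is an added example, not code from the HPE guide, that applies the overload rule stated for this switch (port priority fixed, smallest port ID served first) to the PoE example above, so you can check in advance which PDs survive an overload. The PSE budget, the per-PD draws and the AP being on port 5 are constructed assumptions rather than NJ5000 figures; the per-port PSE maxima for IEEE 802.3af (15.4 W) and 802.3at (30 W) are the standards' values; that a port whose PD does not fit in the remaining budget is skipped while allocation continues with the next port is also assumed, not stated on the page.

```python
"""Added example, not code from the HPE guide: power allocation on a PSE
whose port priority cannot be changed, using the overload rule this page
states for the NJ5000 (the port with the smallest ID is served first).

Assumptions: the PSE budget and per-PD draws are constructed numbers, not
NJ5000 specifications; the per-port PSE maxima for IEEE 802.3af (15.4 W)
and 802.3at (30 W) are the standards' figures; a port whose PD does not fit
in the remaining budget is left unpowered and allocation continues with the
next port (assumed, not stated on the page).
"""
from typing import Dict, List, Tuple

AF_PORT_MAX_W = 15.4   # IEEE 802.3af PSE output per port
AT_PORT_MAX_W = 30.0   # IEEE 802.3at (PoE+) PSE output per port


def is_overloaded(pse_max_w: float, draws: Dict[int, float]) -> bool:
    """The page's overload definition: the sum of all port consumption
    exceeds the maximum power of the PSE."""
    return sum(draws.values()) > pse_max_w


def allocate(pse_max_w: float,
             draws: Dict[int, float]) -> Tuple[Dict[int, float], List[int]]:
    """draws maps a port ID (3 = GigabitEthernet 1/0/3) to its PD's draw
    in watts. Returns (powered ports -> W, ports left unpowered), serving
    ports in ascending ID order because priority is fixed on this switch."""
    for port, w in draws.items():
        if w > AT_PORT_MAX_W:
            raise ValueError(f"port {port}: {w} W exceeds the 802.3at per-port maximum")
    remaining = pse_max_w
    powered: Dict[int, float] = {}
    unpowered: List[int] = []
    for port in sorted(draws):                 # smallest ID wins
        if draws[port] <= remaining:
            powered[port] = draws[port]
            remaining -= draws[port]
        else:
            unpowered.append(port)             # skipped, not partially powered
    return powered, unpowered


def page_example(pse_max_w: float = 40.0) -> Tuple[Dict[int, float], List[int]]:
    """Constructed scenario for the page's example: two IP telephones on
    ports 3 and 4 drawing the 802.3af PD maximum (12.95 W) and a PoE+ AP
    on port 5 (assumed) drawing the 802.3at PD maximum (25.5 W). With a
    40 W budget the PSE is overloaded; the telephones are powered first."""
    draws = {3: 12.95, 4: 12.95, 5: 25.5}
    return allocate(pse_max_w, draws)


if __name__ == "__main__":
    powered, unpowered = page_example()
    print("overloaded:", is_overloaded(40.0, {3: 12.95, 4: 12.95, 5: 25.5}))
    print("powered:", powered, "unpowered:", unpowered)
```

The practical use is the inverse question: if a device that must stay up in an overload (a telephone, a door controller) sits on a higher-numbered port than a less important PD, no configuration on this switch can fix that; the cabling has to change.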
  • Page 447: Document Conventions And Icons

    Document conventions and icons. Conventions: This section describes the conventions used in the documentation. Port numbering in examples: The port numbers in this document are for illustration only and might be unavailable on your device. Command conventions: Boldface: Bold text represents commands and keywords that you enter literally as shown. Italic: Italic text represents arguments that you replace with actual values.
  • Page 448: Network Topology Icons

    Network topology icons Convention Description Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 449: Support And Other Resources

    Hewlett Packard Enterprise Support Center More Information on Access to Support Materials page: www.hpe.com/support/AccessToSupportMaterials IMPORTANT: Access to some updates might require product entitlement when accessed through the Hewlett Packard Enterprise Support Center. You must have an HP Passport set up with relevant entitlements.
  • Page 450: Websites

    Websites. Networking websites: Hewlett Packard Enterprise Information Library for Networking, www.hpe.com/networking/resourcefinder; Hewlett Packard Enterprise Networking website, www.hpe.com/info/networking; Hewlett Packard Enterprise My Networking website, www.hpe.com/networking/support; Hewlett Packard Enterprise My Networking Portal, www.hpe.com/networking/mynetworking; Hewlett Packard Enterprise Networking Warranty, www.hpe.com/networking/warranty. General websites: Hewlett Packard Enterprise Information Library, www.hpe.com/info/enterprise/docs; Hewlett Packard Enterprise Support Center...
  • Page 451 part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 452: Index (pages 452 to 475; alphabetical entries with page references, from 802.1 LLDPDU TLV types through Web device reboot)
