Contents
Overview ... 1
Accessing the Web interface ... 1
Restrictions and guidelines for Web-based login ... 1
Logging in to the Web interface for the first time ... 4
Logging out of the Web interface ... 5
...
System time configuration example ... 38
Network requirements ... 38
Configuring the system time ... 38
Verifying the configuration ... 39
Configuration guidelines ... 39
Configuring syslog ... 40
Displaying syslogs ... 40
Setting the log host ...
Configuring the flow interval ... 68
Viewing port traffic statistics ... 68
Configuring RMON ... 69
Overview ... 69
Working mechanism ... 69
RMON groups ... 69
RMON configuration task list ... 70
Configuring a statistics entry ...
Configuring VLAN interfaces ... 122
Overview ... 122
Creating a VLAN interface ... 122
Modifying a VLAN interface ... 123
Deleting a VLAN interface ... 125
Configuration guidelines ... 126
Configuring a voice VLAN ... 127
...
Enabling LLDP on ports ... 177
Setting LLDP parameters on ports ... 178
Setting LLDP parameters for a single port ... 178
Setting LLDP parameters for ports in batch ... 180
Configuring LLDP globally ... 181
...
Network requirements ... 224
Configuration procedure ... 225
Verifying the configuration ... 227
Configuring IPv4 or IPv6 static routes ... 228
Creating an IPv4 static route ... 228
Displaying the IPv4 active route table ... 229
...
802.1X configuration examples ... 266
MAC-based 802.1X configuration example ... 266
802.1X with ACL assignment configuration example ... 273
Configuring AAA ... 282
Overview ... 282
AAA application ... 282
Domain-based user management ... 283
...
PKI configuration example ... 338
Configuration guidelines ... 342
Configuring MAC authentication ... 343
Overview ... 343
User account policies ... 343
Authentication methods ... 343
MAC authentication timers ... 343
Using MAC authentication with other features ... 344
...
Configuring a rule for a basic IPv4 ACL ... 387
Configuring a rule for an advanced IPv4 ACL ... 389
Configuring a rule for an Ethernet frame header ACL ... 391
Adding an IPv6 ACL ... 393
...
Index ... 440
...
Overview The HPE FlexNetwork NJ5000 5G PoE+ Walljack Switch provides a Web interface for visual configuration and management. The device also provides a command line interface (CLI) for device management when the Web interface is not available. This book focuses on configuring the switch from the Web interface, and does not provide information about accessing the CLI.
Select the Security tab, and select the content zone where the target Website resides, as shown in Figure 1.
Figure 1 Internet Explorer settings (1)
Click Custom Level. In the Security Settings dialog box, enable Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for scripting, and Active scripting. These settings apply to every site in the selected zone, so make the change in a zone that contains only the switch's management address (for example, Trusted sites) rather than in the Internet zone.
Figure 2 Internet Explorer settings (2)
Click OK to save your settings.
Enabling JavaScript in a Firefox browser
Launch the Firefox browser, and select Tools > Options. In the Options dialog box, click the Content icon, and select Enable JavaScript.
Figure 3 Firefox browser settings
Click OK to save your settings.
Miscellaneous
• The Web interface does not support the Back, Next, or Refresh button provided by the browser. Using these buttons might result in abnormal display of Web pages.
•...
If the device is not connected to the network, or no DHCP server exists in the subnet where the device resides, you can derive the IP address of the device from the MAC address printed on the label on the device. The address is in the link-local range 169.254.xxx.xxx: the last two bytes of the MAC address, converted from hexadecimal to decimal, form the third and fourth octets. If the MAC address is 08004E000102, the IP address is 169.254.1.2.
Using the Web interface
The Web interface contains a navigation tree, a title area, and a body area, as shown in Figure 5.
Figure 5 Web interface layout
(1) Navigation tree (2) Body area (3) Title area
• Navigation tree—Organizes the Web-based NM functions as a navigation tree, where you can select and configure functions as needed.
Icon/button | Function
• Clears selection of all entries in a list.
• Buffers but does not apply the configuration of the current step, and enters the next configuration step.
• Buffers but does not apply the configuration of the current step, and returns to the previous configuration step.
• Applies the configurations of all configuration steps.
Figure 8 Advanced search
For example, to search the LLDP table for the LLDP entries with LLDP Work Mode TxRx, and LLDP Status Disabled: click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 9, and then click Apply.
Figure 11 Advanced search function example (3) Sort function The Web interface provides the sorting function on some list pages to display the entries in a certain order. On a list page, you can click the name of a column header in blue to sort the entries. An arrow will be displayed next to the column header you clicked, as shown in Figure 12.
Feature summary This chapter provides the following information: • Feature menu navigators for the Web interface. • Information about features configurable from the CLI. Features configurable from the Web interface are also configurable from the CLI. Feature menu navigators for the Web interface This section summarizes features available from each menu on the Web interface.
Device menu
Use Table 4 to navigate to the tasks you can perform from the Device menu.
Table 4 Device menu navigator
Menus | Tasks | User level
Basic > System Name | Display and configure the system name. | Configure
Basic > Web Idle Timeout | Display and configure the idle timeout period for logged-in users. | Configure
Menus | Tasks | User level
Setup | Create, modify, delete, and enable/disable a port, and clear port statistics. | Configure
Port Mirroring > Summary | Display the configuration information about a port mirroring group. | Monitor
Port Mirroring | Create a port mirroring group. | Configure
Port Mirroring > Remove | Remove a port mirroring group. | Configure
Port Mirroring > Modify Port | Configure ports for a mirroring group. |
Menus | Tasks | User level
Community | Create, modify, and delete an SNMP community. | Management
Group | Display SNMP group information. | Management
Group | Create, modify, and delete an SNMP group. | Management
User | Display SNMP user information. | Management
User | Create, modify, and delete an SNMP user. | Management
| Display the status of the SNMP trap function and information about target hosts. | Management
Menus | Tasks | User level
Summary | Display voice VLAN information globally or on a port. | Monitor
Setup | Configure the global voice VLAN. | Configure
Port Setup | Configure a voice VLAN on a port. | Configure
OUI Summary | Display the addresses of the OUIs that can be identified by voice VLAN. | Monitor
Menus | Tasks | User level
| ... and the IGMP snooping multicast entry information. |
| Configure IGMP snooping globally or in a VLAN. | Configure
Advanced | Display the IGMP snooping configuration information on a port. | Monitor
Advanced | Configure IGMP snooping on a port. | Configure
MLD Snooping | Display global MLD snooping configuration information or the MLD snooping configuration information in a VLAN. | Monitor
...
Menus | Tasks | User level
IPv4 Trace Route | Perform IPv4 trace route operations. | Visitor
IPv6 Trace Route | Perform IPv6 trace route operations. | Visitor
Authentication menu
Use Table 6 to navigate to the tasks you can perform from the Authentication menu.
Table 6 Authentication menu navigator
Menus | Tasks | User level
...
Menus | Tasks | User level
User Group | Display configuration information about user groups. | Monitor
User Group | Create, modify, and remove a user group. | Management
Certificate Management > Entity | Display information about PKI entities. | Monitor
Certificate Management > Entity | Add, modify, and delete a PKI entity. | Configure
Certificate Management > Domain | Display information about PKI domains. | Monitor
Certificate Management > Domain | Add, modify, and delete a PKI domain. |
Menus | Tasks | User level
Summary | Display time range configuration information. | Monitor
| Create a time range. | Configure
Remove | Delete a time range. | Configure
ACL IPv4 > Summary | Display IPv4 ACL configuration information. | Monitor
ACL IPv4 | Create an IPv4 ACL. | Configure
ACL IPv4 > Basic Setup | Configure a rule for a basic IPv4 ACL. | Configure
ACL IPv4 > Advanced Setup | Configure a rule for an advanced IPv4 ACL. |
• Features configurable only from the CLI. This section describes only the commands that are peculiar to the HPE FlexNetwork NJ5000 5G PoE+ Walljack Switch. To obtain information about all available commands, enter a question mark (?) at the CLI of the switch. For more information about using the CLI and the commands, see the configuration guides and command references for HP 5120 EI switches.
Table 10 Commands for features peculiar to the HPE FlexNetwork NJ5000 5G PoE+ Walljack Switch
Command | Task
manage-mode on / undo manage-mode on | Set the device operating mode to management or unmanagement.
poe force-power gigabitethernet | Forcibly allocate power to a pair of PoE interfaces (PIs).
Views
System view
Default command level
2: System level
Parameters
gigabitethernet interface-number1: Specifies PI 1 by its interface number. Valid interface numbers are 1/0/3 and 1/0/4.
power1: Specifies the amount of power to be allocated to PI 1, in mW. The value range is 1000 to 17000.
gigabitethernet interface-number2: Specifies PI 2 by its interface number.
Examples
# Enable the PD compatibility check feature.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] poe legacy enable
...
Configuration wizard The configuration wizard guides you through configuring the basic service parameters, including the system name, system location, contact information, and management IP address. Basic service setup Entering the configuration wizard homepage Select Wizard from the navigation tree. Figure 13 Configuration wizard homepage Configuring system parameters On the wizard homepage, click Next.
Figure 14 System parameter configuration page
Configure the parameters as described in Table 11.
Table 11 Configuration items
Item | Description
Sysname | Specify the system name. The system name appears at the top of the navigation tree. You can also set the system name in the System Name page you enter by selecting Device >...
Figure 15 Management IP address configuration page
Configure the parameters as described in Table 12.
Table 12 Configuration items
Item | Description
Select VLAN Interface | Select a VLAN interface. Available VLAN interfaces are those configured in the page that you enter by selecting Network > VLAN Interface and selecting the Create tab. The IP address of a VLAN interface can be used as the management IP address to...
Item | Description
DHCP / BOOTP | Configure how the VLAN interface obtains an IPv4 address:
• DHCP—Select the option for the VLAN interface to get an IP address through DHCP.
• BOOTP—Select the option for the VLAN interface to get an IP address through BOOTP.
Displaying system and device information Displaying system information Select Summary from the navigation tree to enter the System Information page to view the basic system information, system resource state, and recent system logs. Figure 17 System information Displaying basic system information Table 13 Field description Item Description...
Displaying the system resource state The System Resource State area displays the most recent CPU usage, memory usage, and temperature. Displaying recent system logs Table 14 Field description Field Description Time Time when the system logs were generated. Level Severity of the system logs. Description Description for the system logs.
Figure 18 Device information To set the interval for refreshing device information, select one of the following options from the Refresh Period list: • If you select a certain period, the system refreshes device information at the specified interval. • If you select Manual, the system refreshes device information only when you click the Refresh button.
Configuring basic device settings
The device basic information feature provides the following functions:
• Set the system name of the device. The configured system name is displayed on the top of the navigation bar.
• Set the idle timeout period for logged-in users. The system logs an idle user off the Web interface for security purposes after the configured period.
Maintaining devices Software upgrade CAUTION: Software upgrade takes some time. Avoid performing any operation on the Web interface during the upgrading procedure. Otherwise, the upgrade operation may be interrupted. A boot file, also known as the system software or device software, is an application file used to boot the device.
Item | Description
... slave boards at one time | The NJ5000 5G PoE+ switch does not support this option.
Reboot after the upgrade finished | Specify whether to reboot the device to make the upgraded software take effect after the application file is uploaded.
Device reboot
CAUTION:
•...
Figure 23 Electronic label Diagnostic information Each functional module has its own running information. Generally, you view the output for each module one by one. To receive as much information as possible in one operation during daily maintenance or when system failure occurs, the diagnostic information module allows you to save the running statistics of multiple functional modules to a file named default.diag, and then you can locate problems faster by checking this file.
Configuring system time Overview You must configure a correct system time so that the device can operate correctly with other devices. The system time module allows you to display and set the device system time on the Web interface. You can set the system time through manual configuration or network time protocol (NTP) automatic synchronization.
Enter the system date and time in the Time field, or select the date and time in the calendar. To set the time on the calendar page, select one of the following methods: Click Today. The date setting in the calendar is synchronized to the current local date configuration, and the time setting does not change.
Item | Description
NTP Server 1/Reference Key ID | Specify the IP address of an NTP server, and configure the authentication key ID used for the association with the NTP server. The device synchronizes its time to the NTP server only if the key provided by the server is the same as the specified key.
Figure 30 Setting the daylight saving time
System time configuration example
Network requirements
As shown in the network diagram:
• The local clock of Device A is set as the reference clock.
• Switch B operates in client mode, and uses Device A as the NTP server.
Configure NTP authentication on Device A and Switch B so that Switch B is synchronized to Device A.
Figure 32 Configuring Device A as the NTP server of Switch B Verifying the configuration After the configuration, verify that Device A and Switch B have the same system time. Configuration guidelines When you configure the system time, follow these guidelines: •...
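The key check that decides whether Switch B accepts Device A can be reproduced in a few lines. The following Python is an added example, not code from the original guide or from HPE: it builds an NTP client request carrying the legacy symmetric-key MAC (a 4-byte key ID followed by MD5 over the key and the 48-byte header, the scheme RFC 5905 carries forward from NTPv3) and verifies it the way a peer that trusts a given key ID would. The key ID 42, the key bytes, the timestamps and the function names are the example's own.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

NTP_HEADER_LEN = 48            # fixed NTP header (RFC 5905)
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
MD5_DIGEST_LEN = 16


def ntp_timestamp(unix_seconds: float) -> int:
    """Convert a Unix time to the 64-bit NTP format (32.32 fixed point)."""
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (whole << 32) | frac


def build_header(mode: int, transmit_unix: float, version: int = 4,
                 stratum: int = 0, poll: int = 6, precision: int = -20) -> bytes:
    """Pack a 48-byte NTP header; only the fields needed here are filled in."""
    li_vn_mode = (0 << 6) | (version << 3) | mode   # leap indicator 0
    return struct.pack("!BBbbIIIQQQQ", li_vn_mode, stratum, poll, precision,
                       0, 0, 0,            # root delay, root dispersion, reference id
                       0, 0, 0,            # reference, origin, receive timestamps
                       ntp_timestamp(transmit_unix))


def append_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """Legacy symmetric-key MAC: key ID + MD5(key || header), per RFC 5905."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_mac(packet: bytes, trusted_keys: Dict[int, bytes]) -> Tuple[bool, str]:
    """Accept the packet only if its MAC was computed with a trusted key."""
    if len(packet) != NTP_HEADER_LEN + 4 + MD5_DIGEST_LEN:
        return False, "no MD5 MAC present (unauthenticated packet rejected)"
    header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"key ID {key_id} is not a trusted key"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, trailer[4:]):   # constant-time compare
        return False, f"digest mismatch for key ID {key_id}"
    return True, f"authenticated with key ID {key_id}"


def exchange(client_keys: Dict[int, bytes], server_keys: Dict[int, bytes],
             key_id: int, now: float = 1_700_000_000.0) -> Tuple[bool, str]:
    """Simulate one request/response; each side verifies what the other sent."""
    request = append_mac(build_header(mode=3, transmit_unix=now),
                         key_id, client_keys[key_id])
    ok, why = verify_mac(request, server_keys)
    if not ok:
        return False, "server: " + why
    # The server answers with the same key ID; the client checks it the same way.
    response = append_mac(build_header(mode=4, transmit_unix=now + 0.01, stratum=1),
                          key_id, server_keys[key_id])
    ok, why = verify_mac(response, client_keys)
    return ok, "client: " + why


if __name__ == "__main__":
    shared = {42: b"ntp-key-42"}      # constructed key material, not a real key
    print(exchange(shared, shared, 42))
    print(exchange({42: b"ntp-key-42"}, {42: b"other-key"}, 42))
```

A packet whose key ID is not trusted, whose digest was computed with different key material, or that carries no MAC at all is rejected, which is the behaviour to expect from a switch that has a key configured for a server and receives a reply that does not authenticate. MD5 appears here because the legacy scheme uses it; treat it as a keyed integrity check that keeps an unconfigured server from being accepted, not as modern cryptography.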
Configuring syslog System logs record network and device information, including running status and configuration changes. With system logs, administrators can take corresponding actions against network problems and security problems. The system sends system logs to the following destinations: • Console •...
Field | Description
Source | Displays the module that generated the system log.
Level | Displays the severity level of the system log. The information is classified into eight levels by severity:
• Emergency—The system is unusable.
• Alert—Action must be taken immediately.
• Critical—Critical condition.
Table 19 Configuration items
Item | Description
IPv4/Domain Loghost IP/Domain | Specify the IPv4 address or domain name of the log host.
IPv6 Loghost IP | Set the IPv6 address of the log host.
IMPORTANT: You can specify up to four log hosts.
Setting buffer capacity and refresh interval
Select Device >...
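To make use of the severity levels and log hosts described above, the collector has to decode what the switch sends. The following Python is an added example, not code from the original guide or from HPE. It parses the syslog PRI header into facility and severity, names the severity with the eight levels listed above, and pulls the module/level/mnemonic tag out of a Comware-style message body (the `%%10MODULE/level/MNEMONIC:` layout is an assumption here). The sample lines are constructed, not captured from a device.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Syslog PRI encoding (RFC 3164 / RFC 5424): PRI = facility * 8 + severity.
# Severity 0 is the most severe; the eight names are the levels shown in the log view.
SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Assumed Comware-style body: %%<vendor-id>MODULE/level/MNEMONIC: text
_BODY_RE = re.compile(r"%%\d+([A-Z0-9_]+)/(\d)/([A-Z0-9_]+):\s*(.*)$", re.DOTALL)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    severity_name: str
    module: Optional[str]
    mnemonic: Optional[str]
    text: str
    level_mismatch: bool   # True when the level in the body disagrees with the PRI


def parse_line(line: str) -> SyslogEvent:
    """Decode the PRI header and, when present, the MODULE/level/MNEMONIC tag."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    body = m.group(2).strip()
    module = mnemonic = None
    text, mismatch = body, False
    b = _BODY_RE.search(body)
    if b:
        module, level, mnemonic, text = b.group(1), int(b.group(2)), b.group(3), b.group(4)
        mismatch = level != severity   # a cross-check worth alerting on in a collector
    return SyslogEvent(facility, severity, SEVERITY_NAMES[severity],
                       module, mnemonic, text, mismatch)


def triage(lines: List[str], max_severity: int = 3) -> List[SyslogEvent]:
    """Keep events at or above the given severity (Error and worse by default).

    Malformed lines are skipped rather than raised, because a log host must not
    stop on one bad datagram; count them separately in production."""
    kept = []
    for line in lines:
        try:
            ev = parse_line(line)
        except ValueError:
            continue
        if ev.severity <= max_severity:
            kept.append(ev)
    return kept


# Constructed sample lines (facility local7 = 23, so PRI = 184 + severity,
# except the fourth, which uses facility 22). Not captured device output.
SAMPLE_LINES = [
    "<190>Jan  1 00:00:00 2000 Switch %%10SHELL/6/SHELL_LOGIN: admin logged in from 192.0.2.10",
    "<187>Jan  1 00:00:05 2000 Switch %%10SHELL/3/SHELL_LOGINFAIL: admin failed to log in from 192.0.2.99",
    "<185>Jan  1 00:00:09 2000 Switch %%10DEV/1/TEMPERATURE_ALARM: temperature exceeds the upper threshold",
    "<180>Jan  1 00:00:12 2000 Switch %%10DEV/6/POWER_RECOVER: power supply recovered",
    "no PRI header here",
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_LINES):
        flag = " (level tag disagrees with PRI)" if ev.level_mismatch else ""
        print(f"{ev.severity_name:<13} {ev.module}/{ev.mnemonic}: {ev.text}{flag}")
```

Run as a script it prints the Error and Alert lines from the sample. Feeding `triage` the datagrams received on UDP 514 from the configured log hosts' point of view gives a first-pass filter; the `level_mismatch` flag catches a sender whose body tag and PRI disagree, which is one sign of spoofed or mangled messages.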
Managing the configuration You can back up, restore, save, or reset the device configuration. Backing up the configuration Configuration backup allows you to do the following: • Open and view the configuration files for the next startup, including the .cfg file and .xml file. •...
Figure 37 Restoring the configuration Click the upper Browse button. The file upload dialog box appears. Select the .cfg file to be uploaded, and click OK. Click the lower Browse button. The file upload dialog box appears. Select the .xml file to be uploaded, and click OK. Saving the configuration You save the running configuration to both the .cfg configuration file and .xml configuration file that will be used at the next startup.
a. Select Device > Configuration from the navigation tree. b. Click the Save tab. c. Click Save Current Settings. Resetting the configuration Resetting the configuration restores the device's factory defaults, deletes the current configuration files, and reboots the device. To reset the configuration: Select Device >...
Managing files The device requires a series of files for correct operation, including boot files and configuration files. These files are saved on the storage media. You can display files on the storage media, download, upload, or remove a file, or specify the main boot file. Displaying files Select Device >...
Uploading a file IMPORTANT: Uploading a file takes some time. Hewlett Packard Enterprise recommends not performing any operation on the Web interface during the upload. Select Device > File Management from the navigation tree to enter the file management page (see Figure 40).
Managing ports You can use the port management feature to set and view the operation parameters of a Layer 2 Ethernet port and an aggregate interface. • For a Layer 2 Ethernet port, these operation parameters include its state, speed, duplex mode, link type, PVID, description, MDI mode, flow control settings, MAC learning limit, and storm suppression ratios.
Table 21 Configuration items Item Description Enable or disable the port. Port State Sometimes, after you modify the operation parameters of a port, you must disable and then enable the port to have the modifications take effect. Set the transmission speed of the port: •...
Item Description the remote MDI mode. • When crossover cables are used, the local MDI mode must be the same as the remote MDI mode, or the MDI mode of at least one end must be set to auto. Enable or disable flow control on the port. With flow control enabled at both sides, when traffic congestion occurs on the ingress port, the ingress port sends a Pause frame notifying the egress port to temporarily Flow Control...
Item Description the box below. • kbps—Sets the maximum number of kilobits of unicast traffic that can be forwarded on an Ethernet port per second. When you select this option, you must enter a number in the box below. Interface or interfaces that you have selected from the chassis front panel and the aggregate interface list below, for which you have set operation parameters.
Figure 43 The Detail tab
Port management configuration example
Network requirements
As shown in the network diagram:
• Server A, Server B, and Server C are connected to GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 of the switch, respectively. The rates of the network adapters of these servers are all 1000 Mbps.
Configuring the switch As shown in Figure 45, set the speed of GigabitEthernet 1/0/4 to 1000 Mbps: Figure 45 Configuring the speed of GigabitEthernet 1/0/4 Batch configure the autonegotiation speed range on GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 as 100 Mbps: a.
Figure 46 Batch configuring the port speed Display the speed settings of ports: a. Click the Summary tab. b. Click the Speed button to display the speed information of all ports on the lower part of the page, as shown in Figure...
Figure 47 Displaying the speed settings of ports...
Configuring port mirroring Port mirroring refers to the process of copying the packets passing through a port/VLAN/CPU to the monitor port connecting to a monitoring device for packet analysis. Terminology Mirroring source The mirroring source can be one or more monitored ports, called source ports. The device where the ports reside is called a "source device."...
Figure 48 Local port mirroring implementation As shown in Figure 48, the source port GigabitEthernet 1/0/1 and monitor port GigabitEthernet 1/0/2 reside on the same device. Packets of GigabitEthernet 1/0/1 are copied to GigabitEthernet 1/0/2, which then forwards the packets to the data monitoring device for analysis. Configuration restrictions and guidelines When you configure port mirroring, follow these restrictions and guidelines: •...
Configuring a mirroring group
From the navigation tree, select Device > Port Mirroring.
Click Add to enter the page for adding a mirroring group.
Figure 49 Adding a mirroring group
Configure the mirroring group as described in Table 22, and then click Apply.
Table 22 Configuration items
Item Description...
Figure 50 Modifying ports
Configure ports for the mirroring group as described in Table 23, and then click Apply. A progress dialog box appears. After the success notification appears, click Close.
Table 23 Configuration items
Item | Description
Mirroring Group ID | ID of the mirroring group to be configured. The available groups were added previously.
Figure 51 Network diagram
Configuration procedure
Adding a local mirroring group
From the navigation tree, select Device > Port Mirroring.
Click Add to enter the page for adding mirroring groups as shown in Figure 52.
Figure 52 Adding a local mirroring group
Enter 1 for Mirroring Group ID, and select Local from the Type list.
Select 1 (GigabitEthernet 1/0/1) and 2 (GigabitEthernet 1/0/2) on the chassis front panel. Figure 53 Configuring the source ports Click Apply. A configuration progress dialog box appears. After the success notification appears, click Close. Configuring GigabitEthernet 1/0/3 as the monitor port Click Modify Port.
Managing users The user management function allows you to do the following: • Adding a local user, and specifying the password, access level, and service types for the user. • Setting the super password for non-management level users to switch to the management level.
Item | Description
Confirm Password | Enter the same password again.
Password Encryption | Select the password encryption type:
• Reversible—Uses a reversible encryption algorithm. The ciphertext password can be decrypted to get the plaintext password.
• Irreversible—Uses an irreversible encryption algorithm. The ciphertext password cannot be decrypted to get the plaintext password.
Choose Irreversible unless another feature needs the plaintext password: a reversible ciphertext in a backed-up configuration file can be turned back into the password by anyone who obtains the file.
Item Description password cannot be decrypted to get the plaintext password. Switching to the management level A non-management level user can switch to the management level after providing the correct super password. The level switching operation does not change the access level setting for the user. When the user logs in to the Web interface again, the access level of the user is still the level set for the user.
Configuring a loopback test You can check whether an Ethernet port operates correctly by performing Ethernet port loopback test. During the test time, the port cannot forward data packets correctly. Ethernet port loopback test has the following types: • Internal loopback test—Establishes self loop in the switching chip and checks whether there is a chip failure related to the functions of the port.
Configuring VCT Overview You can use the Virtual Cable Test (VCT) function to check the status of the cable connected to an Ethernet port on the device. The result is returned in less than 5 seconds. The test covers whether short circuit or open circuit occurs on the cable and the length of the faulty cable.
Configuring the flow interval With the flow interval module, you can view the number of packets and bytes sent and received by a port, and the bandwidth use of the port over the specified interval. Viewing port traffic statistics Select Device > Flow interval from the navigation tree. By default, the Port Traffic Statistics tab is displayed.
Configuring RMON Overview Remote Network Monitoring (RMON) is an enhancement to SNMP. It enables proactive remote monitoring and management of network devices and subnets. An RMON monitor periodically or continuously collects traffic statistics for the network attached to a port on the managed device. The managed device can automatically send a notification when a statistic crosses an alarm threshold, so the NMS does not need to constantly poll MIB variables and compare the results.
Event group The event group defines event indexes and controls the generation and notifications of the events triggered by the alarms defined in the alarm group and the private alarm group. The events can be handled in one of the following ways: •...
• A statistics object of the history group is the variable defined in the history record table, and the recorded content is a cumulative sum of the variable in each period.
Perform the tasks in Table to configure the RMON history statistics function.
Table 26 RMON statistics group configuration task list
Task Remarks...
Task Remarks log the event, send a trap to the NMS, take no action, and log the event and send a trap to the NMS. IMPORTANT: You cannot create an entry if the values of the specified alarm variable, sampling interval, sampling type, rising threshold and falling threshold are identical to those of an existing entry in the system.
Figure 64 Adding a statistics entry
Configure a statistics entry as described in Table 30, and then click Apply.
Table 30 Configuration items
Item | Description
Interface Name | Select the name of the interface on which the statistics entry is created. Only one statistics entry can be created on one interface.
Owner | Set the owner of the statistics entry.
Figure 66 Adding a history entry Configure a history entry as described in Table Click Apply. Table 31 Configuration items Item Description Interface Name Select the name of the interface on which the history entry is created. Set the capacity of the history record list corresponding to this history entry (the maximum number of records that can be saved in the history record list).
Click Add. Figure 68 Adding an event entry Configure an event entry as described in Table Click Apply. Table 32 Configuration items Item Description Description Set the description for the event. Owner Set the entry owner. Set the actions that the system takes when the event is triggered: •...
Figure 70 Adding an alarm entry
Configure an alarm entry as described in the following table.
Click Apply.
Table 33 Configuration items
Item Description
Alarm variable:
Static Item: Set the traffic statistics that are collected and monitored. For more information, see Table.
Interface Name: Set the name of the interface whose traffic statistics are collected and monitored.
If you select the Create Default Event box, this option is not configurable.
Falling Threshold: Set the alarm falling threshold.
Falling Event: Set the action that the system takes when the value of the alarm variable is lower than the alarm falling threshold. If you select the Create Default Event box, this option is not configurable.
Field Description
... etherStatsCRCAlignErrors.
Number of Received Packets Smaller Than 64 Bytes: Total number of undersize packets (shorter than 64 octets) received by the interface, corresponding to the MIB node etherStatsUndersizePkts.
Number of Received Packets Larger Than 1518 Bytes: Total number of oversize packets (longer than 1518 octets) received by the interface, corresponding to the MIB node etherStatsOversizePkts.
Figure 72 RMON history sampling information
Table 35 Field description
Field Description
Number of the entry in the system buffer. Statistics are numbered chronologically when they are saved to the system buffer.
Time: Time at which the information is saved.
DropEvents: Dropped packets during the sampling period, corresponding to the MIB node etherHistoryDropEvents.
Displaying RMON event logs
Select Device > RMON from the navigation tree.
Click the Log tab.
Figure 73 Log tab
In this example, event 1 has generated one log, which is triggered because the alarm value (11779194) exceeds the rising threshold (10000000). The sampling type is absolute.
RMON configuration example
Network requirements
As shown in...
Figure 75 Adding a statistics entry
Display RMON statistics for GigabitEthernet 1/0/1:
a. Click the icon corresponding to GigabitEthernet 1/0/1.
b. Display this information as shown in Figure.
Figure 76 Displaying RMON statistics
Create an event to start logging after the event is triggered:
a.
Figure 77 Configuring an event group
Figure 78 Displaying the index of an event entry
Configure an alarm group to sample received bytes on GigabitEthernet 1/0/1. When the received bytes exceed the rising or falling threshold, logging is enabled:
a. Click the Alarm tab.
b.
Figure 79 Configuring an alarm group
Verifying the configuration
After the above configuration, when the alarm event is triggered, you can display log information for event 1 on the Web interface.
Select Device > RMON from the navigation tree.
Click the Log tab. The log page appears.
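The alarm-group behaviour described in this chapter (rising and falling thresholds, absolute or delta sampling, one event per crossing, and the rule that an alarm entry may not duplicate the variable, interval, sampling type and thresholds of an existing one), as an added Python model that is not part of the HPE documentation. The hysteresis rule is the one from RFC 2819: after a rising alarm no further rising alarm fires until the value has dropped to the falling threshold, and vice versa. Sample values are constructed, reusing the 10000000 rising threshold and the 11779194 sample from the log example above.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AlarmEntry:
    """One row of the RMON alarm table (simplified model of the RFC 2819 alarmTable)."""
    variable: str              # MIB variable being sampled, e.g. etherStatsOctets of an interface
    interval: int              # sampling interval in seconds
    sample_type: str           # "absolute" (value as read) or "delta" (difference of two samples)
    rising_threshold: int
    falling_threshold: int
    rising_event: str = "log"  # action of the event entry bound to the rising threshold
    falling_event: str = "log"
    log: List[str] = field(default_factory=list)
    _last_raw: Optional[int] = field(default=None, repr=False)
    _last_alarm: Optional[str] = field(default=None, repr=False)

    def key(self) -> Tuple[str, int, str, int, int]:
        """The five fields that must not all match an existing entry (see the IMPORTANT note)."""
        return (self.variable, self.interval, self.sample_type,
                self.rising_threshold, self.falling_threshold)

    def sample(self, raw: int) -> Optional[str]:
        """Feed one sampled value; return "rising", "falling" or None when no event fires."""
        if self.sample_type == "delta":
            if self._last_raw is None:          # a delta needs two samples
                self._last_raw = raw
                return None
            value, self._last_raw = raw - self._last_raw, raw
        else:
            value = raw
        fired = None
        # Hysteresis: after a rising alarm, no further rising alarm until the value
        # has come down to the falling threshold, and the other way round.
        if value >= self.rising_threshold and self._last_alarm != "rising":
            fired = "rising"
        elif value <= self.falling_threshold and self._last_alarm != "falling":
            fired = "falling"
        if fired is not None:
            self._last_alarm = fired
            threshold = self.rising_threshold if fired == "rising" else self.falling_threshold
            action = self.rising_event if fired == "rising" else self.falling_event
            self.log.append(f"{fired} alarm on {self.variable}: {self.sample_type} value "
                            f"{value} crossed threshold {threshold}, action={action}")
        return fired


class AlarmTable:
    """Alarm entries indexed from 1, rejecting duplicates the way the device does."""

    def __init__(self) -> None:
        self.entries: List[AlarmEntry] = []

    def add(self, entry: AlarmEntry) -> int:
        if any(e.key() == entry.key() for e in self.entries):
            raise ValueError(f"alarm entry {entry.key()} already exists")
        self.entries.append(entry)
        return len(self.entries)          # the entry index shown in the Web interface


def run_samples(entry: AlarmEntry, samples: List[int]) -> List[Optional[str]]:
    """Feed a sequence of samples and return the event fired (or None) for each one."""
    return [entry.sample(s) for s in samples]


if __name__ == "__main__":
    # Constructed samples for an absolute-type alarm on received bytes.
    table = AlarmTable()
    rx_bytes = AlarmEntry("etherStatsOctets GigabitEthernet1/0/1", 10, "absolute",
                          rising_threshold=10_000_000, falling_threshold=1_000_000)
    table.add(rx_bytes)
    for event in run_samples(rx_bytes, [5_000_000, 11_779_194, 12_000_000,
                                        9_000_000, 500_000, 11_000_000]):
        print(event)
    for line in rx_bytes.log:
        print(line)
```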
Configuring energy saving
Energy saving enables a port to operate at the lowest transmission speed, disable PoE, or go down during a specific time range on certain days of a week. The port resumes when the effective time period ends.
Configuring energy saving on a port
Select Device >...
Configuring SNMP
This chapter provides an overview of the Simple Network Management Protocol (SNMP) and guides you through the configuration procedure.
Overview
SNMP is an Internet standard protocol widely used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics and interconnect technologies.
• Notifications—Includes traps and informs. The SNMP agent sends traps or informs to report events to the NMS. The difference between these two types of notification is that informs require acknowledgement but traps do not. The device supports only traps.
SNMP protocol versions
HPE devices support SNMPv1, SNMPv2c, and SNMPv3.
Task Remarks
The SNMP agent function is disabled by default.
IMPORTANT: If the SNMP agent is disabled, all SNMP agent-related configurations are removed.
Configuring an SNMP view: Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.
Figure 84 Setup tab
Configure SNMP settings on the upper part of the page as described in the following table.
Click Apply.
Table 39 Configuration items
Item Description
SNMP: Specify whether to enable or disable the SNMP agent.
Local Engine ID: Configure the local engine ID. The validity of a user after it is created depends on the engine ID of the SNMP agent.
Configuring an SNMP view
Creating an SNMP view
Select Device > SNMP from the navigation tree.
Click the View tab. The View tab appears.
Figure 85 View tab
Click Add. The Add View window appears.
Figure 86 Creating an SNMP view (1)
Type the view name.
Figure 87 Creating an SNMP view (2)
Table 40 Configuration items
Item Description
View Name: Set the SNMP view name.
Rule: Select to exclude or include the objects in the view range determined by the MIB subtree OID and subtree mask.
Set the MIB subtree OID (such as 1.4.5.3.1) or name (such as system).
Figure 88 Adding rules to an SNMP view
Configure the parameters as described in Table.
Click Apply.
NOTE: You can also click the icon corresponding to the specified view on the page shown in Figure 85 to enter the page for modifying the view.
Configuring an SNMP community
Select Device >...
Figure 90 Creating an SNMP Community
Configure the SNMP community as described in the following table.
Click Apply.
Table 41 Configuration items
Item Description
Community Name: Set the SNMP community name.
Configure the SNMP NMS access right:
• Read only—The NMS can perform read-only operations to the MIB objects when it uses this community name to access the agent.
Click Add. The Add SNMP Group page appears.
Figure 92 Creating an SNMP group
Configure the SNMP group as described in the following table.
Click Apply.
Table 42 Configuration items
Item Description
Group Name: Set the SNMP group name.
Select the security level for the SNMP group:
•...
Figure 93 SNMP user
Click Add. The Add SNMP User page appears.
Figure 94 Creating an SNMP user
Configure the SNMP user as described in the following table.
Click Apply.
Table 43 Configuration items
Item Description
User Name: Set the SNMP user name.
Select the security level for the SNMP group.
Group Name: Select an SNMP group to which the user belongs:
• When the security level is NoAuth/NoPriv, you can select an SNMP group with no authentication no privacy.
• When the security level is Auth/NoPriv, you can select an SNMP group with no authentication no privacy or authentication without privacy.
Click Add. The page for adding a target host of SNMP traps appears.
Figure 96 Adding a target host of SNMP traps
Configure the settings for the target host as described in the following table.
Click Apply.
Table 44 Configuration items
Item Description
Set the destination IP address.
The page for displaying SNMP packet statistics appears.
Figure 97 SNMP packet statistics
SNMPv1/v2c configuration example
Network requirements
As shown in Figure 98, the NMS at 1.1.1.2/24 uses SNMPv1 or SNMPv2c to manage the switch (agent) at 1.1.1.1/24, and the switch automatically sends traps to report events to the NMS.
Figure 98 Network diagram
Configuring the agent
Enable SNMP:...
Figure 99 Configuring the SNMP agent
Configure a read-only community:
a. Click the Community tab.
b. Click Add. The Add SNMP Community page appears.
c. Enter public in the Community Name field, and select Read only from the Access Right list.
Figure 101 Configuring an SNMP read and write community
Enable SNMP traps:
a. Click the Trap tab. The Trap tab page appears.
b. Select Enable SNMP Trap.
c. Click Apply.
Figure 102 Enabling SNMP traps
Configure a target host for SNMP traps:
a.
Figure 103 Adding a trap target host
Configuring the NMS
The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform the corresponding operations.
To configure the NMS:
Configure the SNMP version for the NMS as v1 or v2c.
Create a read-only community and name it public.
Configuring the agent
Enable the SNMP agent:
a. Select Device > SNMP from the navigation tree. The SNMP configuration page appears.
b. Select the Enable option, and select the v3 option.
c. Click Apply.
Figure 105 Configuring the SNMP agent
Configure an SNMP view:
a.
Figure 107 Creating an SNMP view (2)
Configure an SNMP group:
a. Click the Group tab.
b. Click Add. The page in Figure 108 appears.
c. Type group1 in the Group Name field, select view1 from the Read View list, and select view1 from the Write View list.
d. Click Apply.
Figure 109 Creating an SNMP user
Enable SNMP traps:
a. Click the Trap tab. The Trap tab page appears.
b. Select Enable SNMP Trap.
c. Click Apply.
Figure 110 Enabling SNMP traps
Configure a target host for SNMP traps:
a.
b. Select the IPv4/Domain option and type 1.1.1.2 in the following field, type user1 in the Security Name field, select v3 from the Security Model list, and select Auth/Priv from the Security Level list.
c. Click Apply.
Figure 111 Adding a trap target host
Configuring the NMS
The configuration on the NMS must be consistent with that on the agent.
Displaying interface statistics
The interface statistics module displays statistics about the packets received and sent through interfaces.
To display interface statistics, select Device > Interface Statistics from the navigation tree.
Figure 112 Interface statistics display page
Table 45 describes the fields on the page.
Table 45 Field description
Field Description...
Configuring VLANs
Overview
Ethernet is a network technology based on the CSMA/CD mechanism. As the medium is shared, collisions and excessive broadcasts are common on an Ethernet. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into separate VLANs. VLANs are isolated from each other at Layer 2.
IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 115.
Figure 115 Position and format of VLAN tag
A VLAN tag contains the following fields:
• Tag protocol identifier (TPID)—The 16-bit TPID field indicates whether the frame is VLAN-tagged and is 0x8100 by default.
... unnecessary to separate different VLAN members. As shown in Figure 116, Device A is connected to common PCs that cannot recognize VLAN-tagged packets, and you must configure Device A's ports that connect to the PCs as access ports.
• Trunk port—A trunk port can carry multiple VLANs to receive and send traffic for them. Except for traffic from the port VLAN ID (PVID), traffic sent through a trunk port is VLAN tagged.
• Make sure a port permits its PVID. Otherwise, when the port receives frames tagged with the PVID or untagged frames, the port drops these frames.
Frame handling methods
The following table shows how ports of different link types handle frames:
Actions Access Trunk...
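The tag format and the per-link-type frame handling described above, as an added Python example that is not part of the HPE documentation: the parser pulls the 4-byte 802.1Q tag (TPID 0x8100 followed by the TCI) out from behind DA&SA, and the port model applies the rules given in this section (untagged frames take the PVID, an access port accepts a tagged frame only for its PVID, a port drops frames of VLANs it does not permit, a trunk port sends everything except the PVID tagged, a hybrid port tags per VLAN). The frame bytes and the port membership are constructed; the trunk port reuses the VLAN 100 / VLAN 2 / VLANs 6 to 50 layout of the configuration example further down.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional, Set

TPID_8021Q = 0x8100  # default TPID; a tagged frame carries it right after DA&SA


@dataclass
class Frame:
    dst: bytes
    src: bytes
    ethertype: int
    payload: bytes
    vid: Optional[int] = None  # None means the frame is untagged
    pcp: int = 0               # 3-bit priority field of the TCI


def parse_frame(raw: bytes) -> Frame:
    """Split an Ethernet frame, pulling out the 4-byte 802.1Q tag (TPID + TCI) if present."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (tpid,) = struct.unpack("!H", raw[12:14])
    if tpid == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        return Frame(dst, src, ethertype, raw[18:], vid=tci & 0x0FFF, pcp=tci >> 13)
    return Frame(dst, src, tpid, raw[14:])


def build_frame(frame: Frame, vid: Optional[int]) -> bytes:
    """Serialize a frame, inserting a tag for vid (or leaving it untagged when vid is None)."""
    out = frame.dst + frame.src
    if vid is not None:
        out += struct.pack("!HH", TPID_8021Q, (frame.pcp << 13) | (vid & 0x0FFF))
    return out + struct.pack("!H", frame.ethertype) + frame.payload


@dataclass
class Port:
    link_type: str              # "access", "trunk" or "hybrid"
    pvid: int
    permitted: Set[int]         # VLANs the port is a member of
    untagged: Set[int] = field(default_factory=set)  # hybrid only: VLANs sent untagged

    def ingress(self, frame: Frame) -> Optional[int]:
        """Classify a received frame to a VLAN; None means the port drops it."""
        if frame.vid is None:
            vid = self.pvid                       # untagged frames take the PVID
        elif self.link_type == "access" and frame.vid != self.pvid:
            return None                           # access port: the tag must equal its PVID
        else:
            vid = frame.vid
        return vid if vid in self.permitted else None  # hence a port must permit its own PVID

    def egress(self, frame: Frame, vid: int) -> Optional[bytes]:
        """Send a frame of VLAN vid out of the port, tagged or not according to the link type."""
        if vid not in self.permitted:
            return None
        if self.link_type == "access":
            tagged = False                        # access ports always strip the tag
        elif self.link_type == "trunk":
            tagged = vid != self.pvid             # trunk: everything except the PVID leaves tagged
        else:
            tagged = vid not in self.untagged     # hybrid: per-VLAN tagged/untagged setting
        return build_frame(frame, vid if tagged else None)


# Constructed sample frame and the trunk port of the configuration example:
# GigabitEthernet 1/0/1, PVID 100, untagged member of VLAN 100, tagged in VLAN 2 and VLANs 6 to 50.
SAMPLE = Frame(bytes.fromhex("0011223344ff"), bytes.fromhex("00aabbccddee"), 0x0800, b"payload")
GE1_0_1 = Port("trunk", pvid=100, permitted={2, 100} | set(range(6, 51)))

if __name__ == "__main__":
    for vid in (None, 7, 3):
        print("ingress vid", vid, "->", GE1_0_1.ingress(parse_frame(build_frame(SAMPLE, vid))))
    for vid in (100, 7, 3):
        out = GE1_0_1.egress(SAMPLE, vid)
        print("egress vlan", vid, "->", None if out is None else out.hex())
```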
Step Remarks
... PVID. The three operations produce the same result, and the latest operation takes effect.
Selecting VLANs: Specify the range of VLANs available for selection during related operations. Configure a subset of all existing VLANs. This step is required before you perform operations on the Detail, ...
By default, an access port is an untagged member of...
... member of the specified VLANs.
Modifying ports: Configure the tagged VLAN of the trunk port.
Recommended configuration procedure for assigning a hybrid port to a VLAN
Step Remarks
Creating VLANs: Required. Create one or multiple VLANs.
Optional. Configure the link type of the port as hybrid. To configure a trunk port as a hybrid port, first configure it as an access port.
... port.
Creating VLANs
From the navigation tree, select Network > VLAN.
Click Create. The page for creating VLANs appears.
Enter the VLAN IDs, a VLAN ID range, or both.
Click Create.
Figure 117 Creating VLANs
Table 46 Configuration items
Item Description
VLAN IDs...
From the navigation tree, select Network > VLAN.
Click Modify Port.
Select the port that you want to configure on the chassis front panel.
Select the Link Type option.
Set the link type to access, hybrid, or trunk.
Click Apply. A progress dialog box appears.
Figure 119 Modifying the PVID for a port
Selecting VLANs
From the navigation tree, select Network > VLAN. The Select VLAN tab is displayed by default for you to select VLANs.
Figure 120 Selecting VLANs
Select the Display all VLANs option to display all VLANs, or select the Display a subnet of all configured VLANs option to enter the VLAN IDs to be displayed.
Modifying a VLAN
From the navigation tree, select Network > VLAN.
Click Modify VLAN. The page for modifying a VLAN appears.
Figure 121 Modifying a VLAN
Modify the member ports of a VLAN as described in Table.
Click Apply. A progress dialog box appears.
Click Close on the progress dialog box when the dialog box prompts that the configuration succeeds.
Modifying ports
From the navigation tree, select Network > VLAN.
Click Modify Port. The page for modifying ports appears.
Figure 122 Modifying ports
Modify the VLANs of a port as described in Table.
Click Apply. A progress dialog box appears.
Click Close on the progress dialog box when the dialog box prompts that the configuration succeeds.
Item Description
• You can configure a hybrid port as a tagged or untagged member of a VLAN only if the VLAN is an existing, static VLAN.
VLAN configuration example
Network requirements
As shown in Figure 123, trunk port GigabitEthernet 1/0/1 of Switch A is connected to trunk port GigabitEthernet 1/0/1 of Switch B.
Figure 124 Configuring GigabitEthernet 1/0/1 as a trunk port and its PVID as 100
Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100:
a. From the navigation tree, select Network > VLAN.
b. Click Create. The page for creating VLANs appears.
c.
Figure 125 Creating VLAN 2, VLAN 6 through VLAN 50, and VLAN 100
Assign GigabitEthernet 1/0/1 to VLAN 100 as an untagged member:
a. Click Select VLAN. The page for selecting VLANs appears.
b. Select the option before Display a subnet of all configured VLANs, and enter 1-100 in the field.
e. Select 100 – VLAN 0100 in the Please select a VLAN to modify: list, select the Untagged option, and select GigabitEthernet 1/0/1 on the chassis front device panel.
f. Click Apply. A configuration progress dialog box appears.
g. After the configuration process is complete, click Close.
Figure 127 Assigning GigabitEthernet 1/0/1 to VLAN 100 as an untagged member
Assign GigabitEthernet 1/0/1 to VLAN 2, and VLAN 6 through VLAN 50 as a tagged member:
a.
Figure 128 Assigning GigabitEthernet 1/0/1 to VLAN 2 and to VLANs 6 through 50 as a tagged member
Configuring Switch B
Configure Switch B in the same way Switch A is configured. (Details not shown.)
Configuration guidelines
When you configure VLANs, follow these guidelines:
•...
Configuring VLAN interfaces
Before creating a VLAN interface, you must create the corresponding VLAN in Network > VLAN. For more information, see "Configuring VLANs."
Overview
VLAN interfaces are virtual interfaces used for Layer 3 communication between different VLANs. They do not exist as physical entities on devices. A VLAN interface can also act as the management interface for a Layer 2 switch.
Table 49 Configuration items
Item Description
Input a VLAN ID: Enter the ID of the VLAN interface to be created. Before creating a VLAN interface, make sure the corresponding VLAN exists.
DHCP: Configure the way in which the VLAN interface gets an IPv4 address.
Figure 130 Modifying a VLAN interface
Modify a VLAN interface as described in the following table.
Click Apply.
Table 50 Configuration items
Item Description
Select VLAN Interface: Select the VLAN interface to be configured. The VLAN interfaces available for selection in the list are those created on the page for creating VLAN interfaces.
Auto / Manual: Configure the way in which the VLAN interface gets an IPv6 link-local address. Select the Auto or Manual option:
• Auto—The device automatically assigns a link-local address to the VLAN interface according to the link-local address prefix (FE80::/64) and the link-layer address of the VLAN interface.
Figure 131 Deleting a VLAN interface
Select the target VLAN, and click Remove Interface to delete the VLAN interface.
To delete the IPv4 address or IPv6 link-local address of the VLAN interface, select the target VLAN, and then click Remove IP address.
To delete the global unicast address of the VLAN interface, select the IPv6 address in the IPv6 Address area, and then click Remove.
Configuring a voice VLAN
Overview
Voice technology is developing quickly, and more and more voice devices are in use. In broadband communities, data traffic and voice traffic are usually transmitted in the network at the same time. Usually, voice traffic needs higher priority than data traffic to reduce the transmission delay and packet loss ratio.
IP phones connected in series access the network through the device, and ports on the device simultaneously transmit both voice traffic and data traffic, as shown in Figure 132.
When the voice VLAN works normally, if the system reboots, the system reassigns ports in automatic voice VLAN assignment mode to the voice VLAN after the reboot, ensuring that existing voice connections can work normally.
Port link type | Voice VLAN assignment mode supported for tagged voice traffic | Configuration requirements
Hybrid | Automatic and manual | In automatic mode, the PVID of the port cannot be the voice VLAN. In manual mode, configure the port to permit packets of the voice VLAN to pass through tagged.
In a safe network, you can configure the voice VLANs to operate in normal mode, reducing the consumption of system resources due to source MAC address checking.
Hewlett Packard Enterprise recommends not transmitting both voice packets and non-voice packets in a voice VLAN. If you have to, first make sure that the voice VLAN security mode is disabled.
Table 54 How a voice VLAN-enabled port processes packets in security/normal mode
Voice VLAN operating Packet type...
Step Remarks
OUI list: The system supports up to 8 OUI addresses. By default, the system is configured with two OUI addresses, as shown in Table.
Recommended configuration procedure for a port in manual voice VLAN assignment mode
Step Remarks
Configuring voice: (Optional.) Configure the voice VLAN to operate in security mode and configure the aging...
Configuring voice VLAN on ports
Select Network > Voice VLAN from the navigation tree.
Click the Port Setup tab.
Figure 135 Configuring voice VLAN on ports
Configure the voice VLAN function for ports as described in the following table.
Click Apply.
Table 56 Configuration items
Item Description
Set the voice VLAN assignment mode of a port to:...
Figure 136 Adding OUI addresses to the OUI list
Add an OUI address to the list as described in the following table.
Click Apply.
Table 57 Configuration items
Item Description
OUI Address: Set the source MAC address of voice traffic.
Mask: Set the mask length of the source MAC address.
Description: Set the description of the OUI address entry.
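The OUI list and the security/normal operating modes explained above, as an added Python model that is not part of the HPE documentation. It matches a frame's source MAC against masked OUI entries (the 8-entry limit and the HHHH-HHHH-HHHH notation are from this chapter), assigns a port in automatic mode to the voice VLAN on a matching source MAC and removes it when the aging timer expires, and in security mode drops voice VLAN frames whose source MAC matches no OUI while normal mode forwards them without the check; untagged frames take the PVID as in the VLAN chapter. The OUI 0011-2200-0000 / FFFF-FF00-0000 and the 30-minute aging timer are taken from the configuration examples below; the sample MAC addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_OUI_ENTRIES = 8  # the device supports up to 8 OUI addresses


def parse_mac(text: str) -> int:
    """Accept the HHHH-HHHH-HHHH notation of the Web interface as well as colon/dot separated forms."""
    digits = re.sub(r"[-:.]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class OuiEntry:
    oui: int           # address bits that must match (stored already masked)
    mask: int          # which bits of the source MAC are compared
    description: str


class OuiList:
    def __init__(self) -> None:
        self.entries: List[OuiEntry] = []

    def add(self, address: str, mask: str, description: str = "") -> OuiEntry:
        if len(self.entries) >= MAX_OUI_ENTRIES:
            raise ValueError("OUI list is full (8 entries)")
        m = parse_mac(mask)
        entry = OuiEntry(parse_mac(address) & m, m, description)
        self.entries.append(entry)
        return entry

    def match(self, src_mac: str) -> Optional[OuiEntry]:
        """Return the first entry whose masked OUI equals the masked source MAC, if any."""
        mac = parse_mac(src_mac)
        return next((e for e in self.entries if mac & e.mask == e.oui), None)


def try_add(ouis: OuiList, address: str, mask: str, description: str = "") -> bool:
    """Add an entry and report success instead of raising, e.g. for a full list."""
    try:
        ouis.add(address, mask, description)
        return True
    except ValueError:
        return False


@dataclass
class VoicePort:
    voice_vid: int
    pvid: int
    mode: str = "auto"             # "auto" or "manual" voice VLAN assignment
    security: bool = True          # security mode checks source MACs against the OUI list
    aging_minutes: int = 30        # aging timer, as set in the configuration example
    in_voice_vlan: bool = False    # manual mode: set True when the port is assigned by hand
    last_voice_seen: Optional[float] = None

    def receive(self, ouis: OuiList, src_mac: str, vid: Optional[int], now_min: float) -> str:
        """Return what the port does with a frame: forward-voice, forward-data or drop."""
        is_voice = ouis.match(src_mac) is not None
        if self.mode == "auto" and is_voice:
            # automatic mode: a matching source MAC assigns the port to the voice VLAN
            self.in_voice_vlan = True
            self.last_voice_seen = now_min
        if vid is None:
            vid = self.pvid                       # untagged frames take the PVID
        if vid != self.voice_vid:
            return "forward-data"                 # not voice VLAN traffic: ordinary VLAN handling
        if not self.in_voice_vlan:
            return "drop"                         # port is not (yet) a member of the voice VLAN
        if self.security and not is_voice:
            return "drop"                         # security mode: non-OUI sources may not use it
        return "forward-voice"

    def age(self, now_min: float) -> bool:
        """Automatic mode: leave the voice VLAN once no voice traffic was seen for aging_minutes."""
        if (self.mode == "auto" and self.in_voice_vlan and self.last_voice_seen is not None
                and now_min - self.last_voice_seen >= self.aging_minutes):
            self.in_voice_vlan = False
            return True
        return False


if __name__ == "__main__":
    ouis = OuiList()
    ouis.add("0011-2200-0000", "FFFF-FF00-0000", "test")
    port = VoicePort(voice_vid=2, pvid=1)
    print(port.receive(ouis, "0011-2200-1234", 2, now_min=0))    # phone: forward-voice
    print(port.receive(ouis, "00aa-bb00-0001", 2, now_min=1))    # PC in voice VLAN: drop
    print(port.age(now_min=30), port.in_voice_vlan)              # timer expired: True False
```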
Figure 137 Network diagram
Configuring Switch A
Create VLAN 2:
a. Select Network > VLAN from the navigation tree.
b. Click the Create tab.
c. Enter VLAN ID 2.
d. Click Create.
Figure 138 Creating VLAN 2
Configure GigabitEthernet 1/0/1 as a hybrid port:
a.
Figure 139 Configuring GigabitEthernet 1/0/1 as a hybrid port
Configure the voice VLAN function globally:
a. Select Network > Voice VLAN from the navigation tree.
b. Click the Setup tab.
c. Select Enable in the Voice VLAN security list.
d. Set the voice VLAN aging timer to 30 minutes.
e.
b. Select Auto in the Voice VLAN port mode list.
c. Select Enable in the Voice VLAN port state list.
d. Enter voice VLAN ID 2.
e. Select GigabitEthernet 1/0/1 on the chassis front panel.
f. Click Apply.
Figure 141 Configuring voice VLAN on GigabitEthernet 1/0/1
Add OUI addresses to the OUI list:
a.
Figure 143 Displaying the current OUI list of the device
Click the Summary tab, where you can view the current voice VLAN information.
Figure 144 Displaying voice VLAN information
Configuring a voice VLAN on a port in manual voice VLAN assignment mode
Network requirements
As shown in...
Figure 145 Network diagram
Configuring Switch A
Create VLAN 2:
a. Select Network > VLAN from the navigation tree.
b. Click the Create tab.
c. Enter VLAN ID 2.
d. Click Create.
Figure 146 Creating VLAN 2
Configure GigabitEthernet 1/0/1 as a hybrid port and configure its PVID as VLAN 2:
a.
Figure 147 Configuring GigabitEthernet 1/0/1 as a hybrid port
Assign GigabitEthernet 1/0/1 to VLAN 2 as an untagged member:
a. Select Network > VLAN from the navigation tree.
b. Click the Modify Port tab.
c. Select GigabitEthernet 1/0/1 from the chassis front panel.
d.
Figure 148 Assigning GigabitEthernet 1/0/1 to VLAN 2 as an untagged member
Configure voice VLAN on GigabitEthernet 1/0/1:
a. Select Network > Voice VLAN from the navigation tree.
b. Click the Port Setup tab.
c. Select Manual in the Voice VLAN port mode list.
d.
a. Click the OUI Add tab.
b. Enter OUI address 0011-2200-0000.
c. Select FFFF-FF00-0000 as the mask.
d. Enter description string test.
e. Click Apply.
Figure 150 Adding OUI addresses to the OUI list
Verifying the configuration
When the preceding configurations are complete, the OUI Summary tab is displayed by default, as shown in Figure 151.
Figure 152 Displaying the current voice VLAN information
Configuration guidelines
When you configure the voice VLAN function, follow these guidelines:
• To remove a VLAN functioning as a voice VLAN, disable its voice VLAN function first.
• Only one VLAN is supported and only an existing static VLAN can be configured as the voice VLAN.
Configuring the MAC address table
MAC address configurations related to interfaces apply to Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces only.
This document covers only the configuration of unicast MAC address entries, including static, dynamic, and blackhole entries.
Overview
To reduce single-destination packet flooding in a switched LAN, an Ethernet device uses a MAC address table to forward frames.
• Blackhole entries—Manually configured and never age out. They are configured for filtering out frames with specific source or destination MAC addresses. For example, to block all frames destined for a specific user for security concerns, you can configure the MAC address of this user as a blackhole MAC address entry.
Item Description
Port: Set the port to which the MAC address belongs. This port must belong to the specified VLAN.
Setting the aging time of MAC address entries
Select Network > MAC from the navigation tree.
Click the Setup tab to enter the page for setting the MAC address entry aging time.
Figure 155 Setting the aging time for MAC address entries
Configure the aging time for MAC address entries as described in Table...
Figure 156 Creating a static MAC address entry...
Configuring MSTP
Overview
Spanning tree protocols eliminate loops in a physical link-redundant network by selectively blocking redundant links and putting them in a standby state. The recent versions of STP include the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP).
• Root path cost
• Designated bridge ID (represented by device priority)
• Designated port ID (represented by port name)
Basic concepts in STP
Root bridge
A tree network must have a root bridge. The entire network contains only one root bridge, and all the other brid
ges in the network are called "leaf nodes".
Path cost
Path cost is a reference value used for link selection in STP. STP calculates path costs to select the most robust links and block redundant links that are less robust, to prune the network into a loop-free tree.
All the ports on the root bridge are designated ports.
Table 60 Selecting the optimum configuration BPDU
Step Actions
Upon receiving a configuration BPDU on a port, the device compares the priority of the received configuration BPDU with that of the configuration BPDU generated by the port. It takes one of the following actions:
•...
Table 61 Initial state of each device
Device | Port name | BPDU of port
Device A | AP1 | {0, 0, 0, AP1}
Device A | AP2 | {0, 0, 0, AP2}
Device B | BP1 | {1, 0, 1, BP1}
Device B | BP2 | {1, 0, 1, BP2}
Device C | CP1 | {2, 0, 2, CP1}
Device C | CP2 | {2, 0, 2, CP2}
Configuration BPDU comparison on each device.
Device | Comparison process | Configuration BPDU on ports after comparison
... will be replaced with the calculated configuration BPDU, which will be sent out periodically.
• Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and it updates the configuration BPDU of CP1.
Figure 159 The final calculated spanning tree
The configuration BPDU forwarding mechanism of STP
The configuration BPDUs of STP are forwarded according to these guidelines:
• Upon network initiation, every device regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular hello interval.
•...
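The STP calculation walked through in Tables 60 and 61 (each port compares the received configuration BPDU {root bridge ID, root path cost, designated bridge ID, designated port ID} with its own, the best root port and the designated ports are chosen, and the remaining ports are blocked), as an added Python simulation that is not part of the HPE documentation. It runs the comparison round by round until no device changes its root or root path cost, then assigns port roles. The device priorities and port names follow Table 61; the three link costs are assumed for the example, because the page does not give them.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A configuration BPDU as the page lists it: (root bridge ID, root path cost,
# designated bridge ID, designated port ID). Python tuple ordering compares the
# fields in exactly this order, and the smaller vector is the superior BPDU.
Bpdu = Tuple[int, int, int, str]


@dataclass
class Link:
    a: str
    a_port: str
    b: str
    b_port: str
    cost: int


@dataclass
class Bridge:
    name: str
    bridge_id: int                     # device priority; lower is better
    root: int = 0
    root_cost: int = 0
    root_port: str = ""                # empty on the root bridge
    roles: Dict[str, str] = field(default_factory=dict)

    def port_bpdu(self, port: str) -> Bpdu:
        """The configuration BPDU this bridge generates on one of its ports."""
        return (self.root, self.root_cost, self.bridge_id, port)


def compute_spanning_tree(priorities: Dict[str, int], links: List[Link],
                          max_rounds: int = 32) -> Dict[str, Bridge]:
    # Upon initiation every device regards itself as the root bridge.
    bridges = {name: Bridge(name, prio, root=prio) for name, prio in priorities.items()}
    # (bridge, port) -> (neighbour bridge, neighbour port, link cost)
    peers: Dict[Tuple[str, str], Tuple[str, str, int]] = {}
    for ln in links:
        peers[(ln.a, ln.a_port)] = (ln.b, ln.b_port, ln.cost)
        peers[(ln.b, ln.b_port)] = (ln.a, ln.a_port, ln.cost)

    for _ in range(max_rounds):
        # Every port sends its current BPDU; a snapshot gives all bridges the same round.
        received = {key: bridges[peer].port_bpdu(peer_port)
                    for key, (peer, peer_port, _) in peers.items()}
        changed = False
        for br in bridges.values():
            best: Bpdu = (br.bridge_id, 0, br.bridge_id, "")   # "I am the root" vector
            best_port = ""
            for (name, port), (_, _, cost) in peers.items():
                if name != br.name:
                    continue
                r = received[(name, port)]
                candidate: Bpdu = (r[0], r[1] + cost, r[2], r[3])  # add this link's path cost
                if candidate < best:
                    best, best_port = candidate, port
            new_state = (best[0], best[1], best_port)
            if new_state != (br.root, br.root_cost, br.root_port):
                br.root, br.root_cost, br.root_port = new_state
                changed = True
        if not changed:
            break

    # Port roles: compare the port's own BPDU with the neighbour's on the same segment.
    for br in bridges.values():
        for (name, port), (peer, peer_port, _) in peers.items():
            if name != br.name:
                continue
            if port == br.root_port:
                br.roles[port] = "root"
            elif br.port_bpdu(port) < bridges[peer].port_bpdu(peer_port):
                br.roles[port] = "designated"
            else:
                br.roles[port] = "alternate"   # superior BPDU heard on a non-root port: blocked
    return bridges


# Constructed topology with the device and port names of Table 61; the link costs
# are assumed for this example and do not come from the page.
PRIORITIES = {"Device A": 0, "Device B": 1, "Device C": 2}
LINKS = [
    Link("Device A", "AP1", "Device B", "BP1", 5),
    Link("Device A", "AP2", "Device C", "CP1", 10),
    Link("Device B", "BP2", "Device C", "CP2", 4),
]

if __name__ == "__main__":
    for br in compute_spanning_tree(PRIORITIES, LINKS).values():
        print(br.name, "root", br.root, "cost", br.root_cost, br.roles)
```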
Introduction to RSTP
Developed based on the IEEE 802.1w standard, RSTP is an optimized version of STP. It achieves rapid network convergence by allowing a newly elected root port or designated port to enter the forwarding state much faster than STP. If the old root port on the device has stopped forwarding data and the upstream designated port has started forwarding data, a newly elected RSTP root port rapidly enters the forwarding state.
Figure 160 Basic concepts in MSTP
MST region
A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the network segments among them. All these devices have the following characteristics:
• A spanning tree protocol enabled.
•...
VLAN-to-instance mapping table
As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping relationships between VLANs and MSTIs. In Figure 160, the VLAN-to-instance mapping table of region A0 is: VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to the CIST. MSTP achieves load balancing by means of the VLAN-to-instance mapping table.
Figure 161 Port roles
MSTP calculation involves the following port roles:
• Root port—Forwards data for a non-root bridge to the root bridge. The root bridge does not have any root port.
• Designated port—Forwards data to the downstream network segment or device.
•...
Table 63 Port states supported by different port roles
Port state | Root port/master port | Designated port | Boundary port | Alternate port | Backup port
Forwarding | √ | √ | √ | — | —
Learning | √ | √ | √ | — | —
Discarding | √ | √ | √...
Protocols and standards
MSTP is documented in the following protocols and standards:
• IEEE 802.1d, Spanning Tree Protocol
• IEEE 802.1w, Rapid Spanning Tree Protocol
• IEEE 802.1s, Multiple Spanning Tree Protocol
Configuration guidelines
When you configure MSTP, follow these guidelines:
•...
Figure 162 MST region
Click Modify.
Figure 163 Configuring an MST region
Configure the MST region information as described in Table 64, and click Apply.
Table 64 Configuration items
Item Description
Region Name: MST region name. The MST region name is the bridge MAC address of the device by default.
Revision Level: Revision level of the MST region.
Click the Global tab.
Figure 164 Configuring MSTP globally
Configure the global MSTP configuration as described in Table 65, and then click Apply.
Table 65 Configuration items
Item Description
Enable STP Globally: Selects whether to enable STP globally. Other MSTP configurations take effect only after you enable STP globally.
Selects whether to enable BPDU guard.
... connected with a device running STP.
Max Hops: Sets the maximum number of hops in an MST region to restrict the region size. The setting can take effect only when it is configured on the regional root bridge.
Specifies the standard for path cost calculation.
Configuring MSTP on a port
From the navigation tree, select Network > MSTP.
Click the Port Setup tab.
Figure 165 MSTP configuration on a port
Configure MSTP for ports as described in Table 66, and then click Apply.
Table 66 Configuration items
Item Description
Selects whether to enable STP on the port.
Specifies whether the port is connected to a point-to-point link:
Auto—Configures the device to automatically detect whether or not the link type of the port is point-to-point.
Force False—The link type for the port is not a point-to-point link.
Force True—The link type for the port is a point-to-point link.
If you have configured aggregate interfaces on the device, the page displays a list of aggregate interfaces below the chassis front panel. You can select aggregate interfaces from this list.
The lower part of the page displays the MSTP information of the port in MSTI 0 (when STP is enabled globally) or the STP status and statistics (when STP is not enabled globally), the MSTI to which the port belongs, and the path cost and priority of the port in the MSTI.
Field Description
• Config—The configured value.
• Active—The actual value.
Point-to-point: Whether the port is connected to a point-to-point link:
• Config—The configured value.
• Active—The actual value.
Transmit Limit: Maximum number of packets sent within each Hello time.
Protection type on the port:
•...
• Packets of VLAN 10, VLAN 20, VLAN 30, and VLAN 40 are forwarded along MSTI 1, MSTI 2, MSTI 3, and MSTI 0, respectively.
• Switch A and Switch B operate at the distribution layer. Switch C and Switch D operate at the access layer.
The system maps VLAN 10 to MSTI 1 and adds the VLAN-to-instance mapping entry to the VLAN-to-instance mapping list.
i. Repeat the preceding three steps to map VLAN 20 to MSTI 2 and VLAN 30 to MSTI 3 and add the VLAN-to-instance mapping entries to the VLAN-to-instance mapping list.
j.
Figure 170 Configuring MSTP globally (on Switch A)
Configuring Switch B
Configure an MST region on the switch in the same way the MST region is configured on Switch
Configure MSTP globally:
a. From the navigation tree, select Network > MSTP.
b.
Configure MSTP globally:
a. From the navigation tree, select Network > MSTP.
b. Click Global.
c. Select Enable from the Enable STP Globally list.
d. Select MSTP from the Mode list.
e. Select the box before Instance.
f. Set the Instance ID field to 3.
g.
Figure 171 Configuring MSTP globally (on Switch D)
Configuring LLDP Overview In a heterogeneous network, a standard configuration exchange platform makes sure different types of network devices from different vendors can discover one another and exchange configuration. The Link Layer Discovery Protocol (LLDP) is specified in IEEE 802.1AB. The protocol operates on the data link layer to exchange device information between directly connected devices.
Page 185
Figure 173 LLDP frame encapsulated in SNAP Table 70 Fields in a SNAP-encapsulated LLDP frame Field Description MAC address to which the LLDP frame is advertised. It is fixed to Destination MAC address 0x0180-C200-000E, a multicast MAC address. MAC address of the sending port. If the port does not have a MAC Source MAC address address, the MAC address of the sending bridge is used.
Page 186
Table 71 Basic management TLVs
Type / Description / Remarks
Chassis ID: Specifies the bridge MAC address of the sending device. Mandatory.
Port ID: Specifies the ID of the sending port. Mandatory.
• If the LLDPDU carries LLDP-MED TLVs, the port ID TLV carries the MAC address of the sending port or the bridge MAC in case the port does not
Type / Description
Configuration/Status: ...autonegotiation, enabling status of auto negotiation, and the current rate and duplex mode.
Power Via MDI: Contains the power supply capability of the port:
• Port class (PSE or PD).
• Power supply mode.
• Whether PSE power supply is supported.
•...
For more information about LLDPDU TLVs, see the IEEE standard (LLDP) 802.1AB-2005 and the LLDP-MED standard (ANSI/TIA-1057). Management address The network management system uses the management address of a device to identify and manage the device for topology maintenance and network management. The management address is encapsulated in the management address TLV.
Recommended LLDP configuration procedure
Step / Remarks
Enabling LLDP on ports: Optional. By default, LLDP is enabled on ports. Make sure LLDP is also enabled globally, because LLDP can work on a port only when it is enabled both globally and on the port.
Optional.
Figure 175 The port setup tab Setting LLDP parameters on ports The Web interface allows you to set LLDP parameters for a single port or for multiple ports in batch. Setting LLDP parameters for a single port From the navigation tree, select Network > LLDP. By default, the Port Setup tab is displayed.
Configure the LLDP parameters for the port as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds. Table 75 Configuration items Item Description Interface Name Displays the name of the port or ports you are configuring.
Item Description format (a numeric or character string in the TLV). If no management address is specified, the main IP address of the lowest VLAN carried on the port is used. If no main IP address is assigned to the VLAN, 127.0.0.1 is used. Port VLAN ID Select the box to include the PVID TLV in transmitted LLDP frames.
By default, the Port Setup tab is displayed. Select one or multiple ports on the port list. Click Modify Selected to enter the page for modifying these ports in batch. Figure 177 Modifying LLDP settings on ports in batch Set the LLDP settings for these ports as described in Table Click Apply.
Figure 178 The global setup tab Set the global LLDP setup as described in Table Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds. Table 76 Configuration items Item Description LLDP Enable...
Item / Description
...make sure the product of the TTL multiplier and the LLDP frame transmission interval is less than 255 seconds for CDP-compatible LLDP to work correctly with Cisco IP phones.
Trap Interval: Set the minimum interval for sending traps. With the LLDP trapping function enabled on a port, traps are sent out of the port to advertise the topology changes detected over the trap interval to neighbors.
Table 77 Field description
Field / Description
Port ID subtype: Port ID subtype:
• Interface alias.
• Port component.
• MAC address.
• Network address.
• Interface name.
• Agent circuit ID.
• Locally assigned—Locally-defined port ID type other than those listed above.
Figure 180 The neighbor information tab
Table 78 Field description
Field / Description
Chassis type: Chassis ID type:
• Chassis component.
• Interface alias.
• Port component.
• MAC address.
• Network address.
• Interface name.
• Locally assigned—Locally-defined chassis type other than those listed above.
Field / Description
Aggregation port ID: Link aggregation group ID. It is 0 if the neighbor port is not assigned to any link aggregation group.
Maximum frame Size: Maximum frame size supported on the neighbor port.
MED device class:
• Connectivity device—An intermediate device that provides network connectivity.
Field Description • Low—Priority level 3. Click the Statistics Information tab to display the LLDP statistics. Figure 181 The statistic information tab Click the Status Information tab to display the LLDP status information. Figure 182 The status information tab Displaying global LLDP information From the navigation tree, select Network >...
Figure 183 The global summary tab
Table 79 Field description
Field / Description
Chassis ID: Local chassis ID depending on the chassis type defined.
System capabilities supported: Capabilities supported on the system:
• Repeater.
• Bridge.
• Router.
Capabilities enabled on the system:
•...
Figure 184 The neighbor summary tab LLDP configuration example Network requirements As shown in Figure 185, configure LLDP on Switch A and Switch B so that the NMS can determine the status of the link between Switch A and MED and the link between Switch A and Switch B. Figure 185 Network diagram Configuring Switch A (Optional.) Enable LLDP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
Figure 186 The port setup tab d. Select Rx from the LLDP Operating Mode list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds. Figure 187 Setting LLDP on multiple ports Enable global LLDP: a.
Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds. Figure 188 The global setup tab Configuring Switch B (Optional.) Enable LLDP on port GigabitEthernet 1/0/1. By default, LLDP is enabled on Ethernet ports. Set the LLDP operating mode to Tx on GigabitEthernet 1/0/1: a.
Figure 189 Setting the LLDP operating mode to Tx Enable global LLDP: a. Click the Global Setup tab. b. Select Enable from the LLDP Enable list. Click Apply. A progress dialog box appears. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
The output shows that port GigabitEthernet 1/0/2 is connected to a non-MED neighbor device (Switch B), as shown in Figure 191. Figure 191 The status information tab (2) Tear down the link between Switch A and Switch B. Click Refresh to display the status information of port GigabitEthernet 1/0/2 on Switch A. The updated status information of port GigabitEthernet 1/0/2 shows that no neighbor device is connected to the port, as shown in Figure...
Configuring ARP Overview ARP resolves IP addresses into MAC addresses on Ethernet networks. ARP message format ARP uses two types of messages: ARP request and ARP reply. Figure 193 shows the format of the ARP request/reply messages. Numbers in the figure refer to field lengths. Figure 193 ARP message format •...
All hosts on this subnet can receive the broadcast request, but only the requested host (Host B) processes the request. Host B compares its own IP address with the target IP address in the ARP request. If they are the same, Host B: a.
Gratuitous ARP In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device, the sender MAC address is the MAC address of the sending device, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff. A device sends a gratuitous ARP packet for either of the following purposes: •...
Figure 196 Add a static ARP entry Configure the static ARP entry as described in Table Click Apply. Table 80 Configuration items Item Description IP Address Enter an IP address for the static ARP entry. MAC Address Enter a MAC address for the static ARP entry. VLAN ID Enter a VLAN ID and specify a port for the static ARP entry.
Figure 197 Configuring gratuitous ARP page
Configure gratuitous ARP as described in Table Click Apply.
Table 81 Configuration items
Item / Description
Disable gratuitous ARP packets learning function: Disable learning of ARP entries from gratuitous ARP packets. Gratuitous ARP packet learning is enabled by default.
Send gratuitous ARP packets: Enable the device to send gratuitous ARP packets upon receiving ARP requests from another network segment.
a. From the navigation tree, select Network > VLAN. b. Click the Add tab. c. Enter 100 in the VLAN ID field. d. Click Create. Figure 199 Creating VLAN 100 Add GigabitEthernet 1/0/1 to VLAN 100: a. Click the Modify Port tab. b.
Figure 200 Adding GigabitEthernet 1/0/1 to VLAN 100 Create VLAN-interface 100: a. From the navigation tree, select Network > VLAN Interface. b. Click the Create tab. c. Enter 100 in the VLAN ID field. d. Select Configure Primary IPv4 Address. e.
Figure 201 Creating VLAN-interface 100 Create a static ARP entry: a. From the navigation tree, select Network > ARP Management. The default ARP Table page appears. b. Click Add. c. Enter 192.168.1.1 in the IP Address field. d. Enter 00e0-fc01-0000 in the MAC Address field. e.
Configuring ARP attack protection Overview Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. The ARP detection feature enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks. ARP detection provides user validity check and ARP packet validity check.
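To make the two checks concrete, here is an added Python model (not the switch's own implementation) that parses ARP frames in the Figure 193 layout, recognizes gratuitous ARP as defined above, and validates the sender against a binding table of the kind DHCP snooping entries or static ARP entries provide. The individual packet validity rules, the binding table layout, and all addresses and port names are assumptions constructed for this example.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = bytes.fromhex("ff" * 6)


@dataclass(frozen=True)
class ArpPacket:
    eth_src: bytes          # source MAC from the Ethernet header
    opcode: int             # 1 = request, 2 = reply
    sender_mac: bytes
    sender_ip: IPv4Address
    target_mac: bytes
    target_ip: IPv4Address


def mac(text: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff as well as the switch's aabb-ccdd-eeff notation."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def build_arp_frame(eth_src, opcode, sender_mac, sender_ip, target_mac, target_ip,
                    eth_dst="ff:ff:ff:ff:ff:ff") -> bytes:
    """Constructed Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (Figure 193 layout)."""
    header = struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                       mac(sender_mac), IPv4Address(sender_ip).packed,
                       mac(target_mac), IPv4Address(target_ip).packed)
    return header + body


def parse_arp_frame(frame: bytes) -> ArpPacket:
    if len(frame) < 42:
        raise ValueError("frame too short for an ARP packet")
    _eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol address types")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpPacket(eth_src, opcode, sha, IPv4Address(spa), tha, IPv4Address(tpa))


def is_gratuitous(pkt: ArpPacket) -> bool:
    """Gratuitous ARP as defined above: sender IP == target IP, target MAC is the broadcast address."""
    return pkt.sender_ip == pkt.target_ip and pkt.target_mac == BROADCAST_MAC


def packet_validity_check(pkt: ArpPacket) -> list:
    """Illustrative packet validity rules (assumed for this example, not the switch's exact rules)."""
    problems = []
    if pkt.sender_mac != pkt.eth_src:
        problems.append("sender MAC differs from Ethernet source MAC")
    if pkt.sender_mac == bytes(6) or pkt.sender_mac[0] & 1:
        problems.append("sender MAC is all-zero, multicast or broadcast")
    return problems


def user_validity_check(pkt: ArpPacket, vlan: int, port: str, bindings: dict) -> list:
    """Sender IP/MAC must match the binding for (VLAN, IP) and arrive on the bound port."""
    entry = bindings.get((vlan, pkt.sender_ip))
    if entry is None:
        return [f"no binding for {pkt.sender_ip} in VLAN {vlan}"]
    bound_mac, bound_port = entry
    problems = []
    if bound_mac != pkt.sender_mac:
        problems.append("sender MAC does not match binding")
    if bound_port != port:
        problems.append("received on a port other than the bound port")
    return problems


def arp_detection(frame: bytes, vlan: int, port: str, bindings: dict,
                  trusted_ports=frozenset()) -> tuple:
    """Return ('forward', []) or ('drop', reasons); frames from trusted ports bypass the checks."""
    pkt = parse_arp_frame(frame)
    if port in trusted_ports:
        return "forward", []
    reasons = packet_validity_check(pkt) + user_validity_check(pkt, vlan, port, bindings)
    return ("drop", reasons) if reasons else ("forward", [])


# Constructed binding table: (VLAN, IP) -> (MAC, port), as DHCP snooping or a static ARP entry would record.
SAMPLE_BINDINGS = {
    (100, IPv4Address("192.168.1.10")): (mac("00e0-fc01-0001"), "GigabitEthernet1/0/1"),
}

if __name__ == "__main__":
    legit = build_arp_frame("00e0-fc01-0001", ARP_REQUEST, "00e0-fc01-0001", "192.168.1.10",
                            "00:00:00:00:00:00", "192.168.1.1")
    print(arp_detection(legit, 100, "GigabitEthernet1/0/1", SAMPLE_BINDINGS))
    # a client on another port claiming the gateway address: gateway spoofing, dropped
    spoof = build_arp_frame("00e0-fc01-0002", ARP_REPLY, "00e0-fc01-0002", "192.168.1.1",
                            "00e0-fc01-0001", "192.168.1.10")
    print(arp_detection(spoof, 100, "GigabitEthernet1/0/2", SAMPLE_BINDINGS))
```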
Figure 203 ARP detection configuration page Configure ARP detection as described in Table Click Apply. Table 82 Configuration items Item Description Select VLANs on which ARP detection is to be enabled. To add VLANs to the Enabled VLANs list, select one or multiple VLANs from the VLAN Settings Disabled VLANs list and click the <<...
Configuring IGMP snooping Overview IGMP snooping runs on a Layer 2 switch as a multicast constraining mechanism to improve multicast forwarding efficiency. It creates Layer 2 multicast forwarding entries from IGMP packets that are exchanged between the hosts and the router. As shown in Figure 204, when IGMP snooping is not enabled, the Layer 2 switch floods multicast...
Figure 205 IGMP snooping related ports The following describes the ports involved in IGMP snooping: • Router port—Layer 3 multicast device-side port. Layer 3 multicast devices include designated routers and IGMP queriers. In Figure 205, GigabitEthernet 1/0/1 of Switch A and GigabitEthernet 1/0/1 of Switch B are router ports.
Timer / Description / Message received before the timer expires / Action after the timer expires
...out.
NOTE: In IGMP snooping, only dynamic ports age out.
How IGMP snooping works
The ports in this section are dynamic ports. IGMP messages include general query, IGMP report, and leave message. An IGMP snooping-enabled switch performs differently depending on the message.
An IGMPv2 or IGMPv3 host sends an IGMP leave message to the multicast router when it leaves a multicast group. When the switch receives an IGMP leave message on a dynamic member port, the switch first examines whether a forwarding entry matches the group address in the message, and, if a match is found, whether the forwarding entry for the group contains the dynamic member port.
Step Remarks When you enable IGMP snooping, follow these guidelines: • Enable IGMP snooping globally before you enable it for a VLAN. • IGMP snooping for a VLAN takes effect only on the member ports in that VLAN. Optional. Configure the maximum number of multicast groups and fast-leave processing on a port of the specified VLAN.
Figure 207 Enabling dropping unknown multicast data globally Click Apply. Configuring IGMP snooping in a VLAN From the navigation tree, select Network > IGMP snooping. Click the icon for the VLAN. Figure 208 Configuring IGMP snooping in a VLAN Configure the parameters as described in Table Click Apply.
Item Description • IGMPv2 snooping can process IGMPv1 and IGMPv2 messages, but it floods IGMPv3 messages in the VLAN instead of processing them. • IGMPv3 snooping can process IGMPv1, IGMPv2, and IGMPv3 messages. IMPORTANT: If you change IGMPv3 snooping to IGMPv2 snooping, the system clears all IGMP snooping forwarding entries that are dynamically added.
Table 84 Configuration items Item Description Select the port on which advanced IGMP snooping features will be configured. The port can be a GigabitEthernet port or Layer 2 aggregate interface. After a port is selected, advanced features configured on this port are displayed at the lower part of this page.
Figure 211 Displaying detailed information about the entry
Table 85 Field description
Field / Description
VLAN ID: ID of the VLAN to which the entry belongs.
Source Address: Multicast source address. If no multicast sources are specified, this field displays 0.0.0.0.
Group Address: Multicast group address.
Configuration procedure Configuring Router A Enable IP multicast routing globally, enable PIM-DM on each interface, and enable IGMP on GigabitEthernet 1/0/1. (Details not shown.) Configuring Switch A Create VLAN 100: a. From the navigation tree, select Network > VLAN. b. Click the Create tab. c.
Figure 214 Assigning ports to the VLAN Enable IGMP snooping and dropping unknown multicast data globally: a. From the navigation tree, select Network > IGMP snooping. b. Select Enable. c. Click Apply. Figure 215 Enabling IGMP snooping and dropping unknown multicast data globally Enable IGMP snooping for VLAN 100: a.
Figure 216 Configuring IGMP snooping in VLAN 100 Verifying the configuration From the navigation tree, select Network > IGMP snooping. Click Show Entries in the basic VLAN configuration page to display information about IGMP snooping multicast forwarding entries. Figure 217 Displaying IGMP snooping multicast forwarding entries Click the icon for the multicast entry (0.0.0.0, 224.1.1.1) to display detailed information about this entry.
Configuring MLD snooping Overview MLD snooping runs on a Layer 2 switch as an IPv6 multicast constraining mechanism to improve multicast forwarding efficiency. It creates Layer 2 multicast forwarding entries from MLD messages that are exchanged between the hosts and the router. As shown in Figure 219, when MLD snooping is not enabled, the Layer 2 switch floods IPv6 multicast...
Figure 220 MLD snooping related ports The following describes the ports involved in MLD snooping: • Router port—Layer 3 multicast device-side port. Layer 3 multicast devices include designated routers and MLD queriers. As shown in Figure 220, GigabitEthernet 1/0/1 of Switch A and GigabitEthernet 1/0/1 of Switch B are router ports.
Timer / Description / Message received before the timer expires / Action after the timer expires
...member port ages out.
NOTE: In MLD snooping, only dynamic ports age out.
How MLD snooping works
The ports in this section are dynamic ports. MLD messages include general query, MLD report, and done message. An MLD snooping-enabled switch performs differently depending on the MLD message.
whether a forwarding entry matches the IPv6 group address in the message, and, if a match is found, determines whether the forwarding entry contains the dynamic member port. • If no forwarding entry matches the IPv6 multicast group address, or if the forwarding entry does not contain the port, the switch directly discards the MLD done message.
Step / Remarks
Configuring MLD snooping in a VLAN: Required. Enable MLD snooping in the VLAN and configure the MLD snooping version and querier. By default, MLD snooping is disabled in a VLAN. When you enable MLD snooping, follow these guidelines:
•...
Figure 222 Enabling dropping unknown IPv6 multicast data globally Click Apply. Configuring MLD snooping in a VLAN Select Network > MLD snooping from the navigation tree. Click the icon for the VLAN. Figure 223 Configuring MLD snooping in a VLAN Configure the parameters as described in Table Click Apply.
Item / Description
• MLDv2 snooping can process MLDv1 and MLDv2 messages.
IMPORTANT: If you change MLDv2 snooping to MLDv1 snooping, the system clears all MLD snooping forwarding entries that are dynamically added.
Enable or disable the MLD snooping querier function. In an IPv6 multicast network that runs MLD, a Layer 3 device acts as the MLD querier to send MLD queries and establish and maintain IPv6 multicast forwarding entries, ensuring correct IPv6 multicast traffic forwarding at the network layer.
Item / Description
...lower part of this page.
TIP: Advanced MLD snooping features configured on a Layer 2 aggregate interface do not interfere with configurations on its member ports, nor do they take part in aggregation calculations. The configuration on a member port of the aggregate group does not take effect until the port leaves the aggregate group.
Specify the ID of the VLAN in which port functions are to be configured.
Figure 226 Detailed information about an MLD snooping multicast entry
Table 88 Field description
Field / Description
VLAN ID: ID of the VLAN to which the entry belongs.
Source Address: Multicast source address. If no IPv6 multicast sources are specified, this field displays ::.
Configuration procedure Configuring Router A Enable IPv6 multicast routing, assign an IPv6 address to each interface, enable IPv6 PIM-DM on each interface, and enable MLD on GigabitEthernet 1/0/1. (Details not shown.) Configuring Switch A Create VLAN 100: a. Select Network > VLAN from the navigation tree. b.
Figure 229 Assigning ports to VLAN 100 Enable MLD snooping and dropping unknown IPv6 multicast data globally: a. Select Network > MLD snooping from the navigation tree. b. Select Enable. c. Click Apply. Figure 230 Enabling MLD snooping and dropping unknown IPv6 multicast data globally Enable MLD snooping: a.
Figure 231 Enabling MLD snooping in VLAN 100 Verifying the configuration Select Network > MLD snooping from the navigation tree. Click Show Entries in the basic VLAN configuration page to display information about MLD snooping multicast forwarding entries. Figure 232 Displaying MLD snooping multicast forwarding entries Click the icon for the multicast entry (::, FF1E::101) to display detailed information about this entry.
Configuring IPv4 or IPv6 static routes The switch does not provide Layer 3 forwarding service. The IP routing feature of the switch only ensures that the switch is accessible on an IP network. You must configure a static route only if both of the following situations occur: •...
Click Apply.
Table 89 Configuration items
Item / Description
Destination IP Address: Enter the destination host or network IP address in dotted decimal notation.
Mask: Enter the mask of the destination IP address. You can enter a mask length or a mask in dotted decimal notation.
Set a preference value for the static route.
Figure 236 Creating an IPv6 static route
Create an IPv6 static route as described in Table Click Apply.
Table 90 Configuration items
Item / Description
Destination IP Address: Enter the destination host or network IP address, in the X:X::X:X format. The 128-bit destination IPv6 address is a hexadecimal address with eight parts separated by colons (:).
DHCP overview The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. DHCP uses the client-server model. Figure 238 shows a typical DHCP application scenario where the DHCP clients and the DHCP server reside on the same subnet. You can enable the DHCP client on an interface.
IP address allocation process Figure 239 Dynamic IP address allocation process The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. A DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message.
DHCP message format Figure 240 shows the DHCP message format. DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes. Figure 240 DHCP message format op (1) htype (1) hlen (1) hops (1) xid (4)
Figure 241 DHCP option format Common DHCP options The following are common DHCP options: • Option 3—Router option. It specifies the gateway address. • Option 6—DNS server option. It specifies the DNS server's IP address. • Option 33—Static route option. It specifies a list of classful static routes (the destination addresses in these static routes are classful) that a client should add into its routing table.
• Sub-option 1—Padded with the VLAN ID and interface number of the interface that received the client's request. The following figure gives its format. The value of the sub-option type is 1, and that of the circuit ID type is 0. Figure 242 Sub-option 1 in normal padding format •...
Configuring DHCP snooping DHCP snooping works between the DHCP client and server. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes. Overview DHCP snooping defines trusted and untrusted ports to make sure clients obtain IP addresses only from authorized DHCP servers.
Figure 245 Trusted and untrusted ports in a cascaded network
Table 91 describes roles of the ports shown in Figure 245.
Table 91 Roles of ports
Device / Untrusted port / Trusted port disabled from recording binding entries / Trusted port enabled to record binding entries
Switch A: GigabitEthernet 1/0/1...
Recommended configuration procedure
Task / Remarks
Enabling DHCP snooping: Required. By default, DHCP snooping is disabled.
Required. Specify an interface as trusted and configure DHCP snooping to support Option 82. By default, an interface is untrusted and DHCP snooping does not support Option 82.
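The following added Python model (not the switch's code) puts the trusted/untrusted port rules, the binding entries, and the Option 82 Replace strategy together: it parses the message layout of Figure 240 and the option format of Figure 241, drops server replies arriving on untrusted ports, pads sub-option 1 in normal padding format on untrusted ports with Option 82 support, and records an IP-to-MAC binding when the DHCP-ACK arrives on a trusted port. The 2-byte widths assumed for the VLAN ID and interface number inside sub-option 1, and all addresses and port names, are constructed for this example.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MESSAGE_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
BOOTREQUEST, BOOTREPLY = 1, 2                      # the op field: client request / server reply
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5


def parse_dhcp(msg: bytes) -> dict:
    """Parse the fixed DHCP header (Figure 240) and the type/length/value option list (Figure 241)."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", msg[:12])
    ciaddr, yiaddr, siaddr, giaddr = (IPv4Address(msg[i:i + 4]) for i in (12, 16, 20, 24))
    options, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == OPT_PAD:
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        options[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return dict(op=op, htype=htype, hlen=hlen, hops=hops, xid=xid, secs=secs, flags=flags,
                ciaddr=ciaddr, yiaddr=yiaddr, siaddr=siaddr, giaddr=giaddr,
                chaddr=msg[28:28 + hlen], options=options)


def build_dhcp(op: int, msg_type: int, xid: int, chaddr: bytes, yiaddr="0.0.0.0") -> bytes:
    """Constructed DHCP message over Ethernet (htype 1, hlen 6); unused fields are left zero."""
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)           # flags: broadcast bit set
    header += bytes(4) + IPv4Address(yiaddr).packed + bytes(8)              # ciaddr, yiaddr, siaddr, giaddr
    header += chaddr.ljust(16, b"\0") + bytes(64) + bytes(128) + MAGIC_COOKIE  # chaddr, sname, file
    return header + bytes([OPT_MESSAGE_TYPE, 1, msg_type, OPT_END])


def circuit_id_suboption(vlan_id: int, interface_number: int) -> bytes:
    """Sub-option 1 in normal padding format: sub-option type 1, circuit ID type 0,
    then the VLAN ID and the interface number (assumed here to be 2 bytes each)."""
    circuit_id = struct.pack("!HH", vlan_id, interface_number)
    return bytes([1, len(circuit_id) + 2, 0, len(circuit_id)]) + circuit_id


def replace_option(msg: bytes, code: int, value: bytes) -> bytes:
    """Re-serialize the option list with `code` set to `value` (the Replace strategy for Option 82)."""
    options = dict(parse_dhcp(msg)["options"])
    options[code] = value
    body = b"".join(bytes([c, len(v)]) + v for c, v in options.items())
    return msg[:240] + body + bytes([OPT_END])


class DhcpSnooping:
    def __init__(self, trusted_ports: dict, option82_ports: set):
        self.trusted = trusted_ports      # port -> True if binding entries are recorded on it
        self.option82 = option82_ports    # untrusted ports with Option 82 support enabled
        self.bindings = {}                # (VLAN, IP) -> (client MAC, client port)
        self.pending = {}                 # xid -> (VLAN, client port) awaiting the server's ACK

    def process(self, msg: bytes, vlan: int, port: str, interface_number: int) -> tuple:
        """Return ('forward', message) or ('drop', reason) for a message received on `port`."""
        d = parse_dhcp(msg)
        msg_type = d["options"].get(OPT_MESSAGE_TYPE, b"\0")[0]
        if port not in self.trusted:
            if d["op"] == BOOTREPLY:          # OFFER/ACK from an unauthorized server
                return "drop", "server reply received on untrusted port"
            self.pending[d["xid"]] = (vlan, port)
            if port in self.option82:
                msg = replace_option(msg, OPT_RELAY_AGENT, circuit_id_suboption(vlan, interface_number))
            return "forward", msg
        if d["op"] == BOOTREPLY and msg_type == DHCPACK and self.trusted[port]:
            client_vlan, client_port = self.pending.pop(d["xid"], (vlan, None))
            self.bindings[(client_vlan, d["yiaddr"])] = (d["chaddr"], client_port)
        return "forward", msg
```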
Configuring DHCP snooping functions on an interface From the navigation tree, select Network > DHCP. Click the DHCP Snooping tab to enter the page shown in Figure 246. Click the icon of a specific interface in the Interface Config area to enter the page shown in Figure 247.
Table 94 describes the fields of DHCP snooping entries. Table 94 Field description Item Description IP Address Displays the IP address assigned by the DHCP server to the client. MAC Address Displays the MAC address of the client. Displays the client type: •...
Figure 250 Enabling DHCP snooping Configure DHCP snooping functions on GigabitEthernet 1/0/5: a. Click the icon of GigabitEthernet 1/0/5 on the interface list. b. Select the Trust option next to Interface State as shown in Figure 251. c. Click Apply. Figure 251 Configuring DHCP snooping functions on GigabitEthernet 1/0/5 Configure DHCP snooping functions on GigabitEthernet 1/0/2: a.
b. Select the Untrust option for Interface State as shown in Figure 253. c. Select the Enable option next to Option 82 Support. d. Select Replace for Option 82 Strategy. e. Click Apply. Figure 253 Configuring DHCP snooping functions on GigabitEthernet 1/0/3...
Managing services Overview Service management allows you to manage the following types of services: FTP, Telnet, SSH, SFTP, HTTP and HTTPS. You can enable or disable the services, modify HTTP and HTTPS port numbers, and associate the FTP, HTTP, or HTTPS service with an ACL to block illegal users. FTP service FTP is an application layer protocol for sharing files between server and client over a TCP/IP network.
Figure 254 Service management
Enable or disable services on the page. Table 95 describes the detailed configuration items. Click Apply.
Table 95 Configuration items
Item / Description
Enable FTP service: Enable or disable the FTP service. The FTP service is disabled by default.
Associate the FTP service with an ACL.
Item / Description
Enable HTTPS service: Enable or disable the HTTPS service. The HTTPS service is disabled by default.
Select a local certificate for the HTTPS service from the Certificate dropdown list. You can configure the certificates available in the dropdown list in Authentication >...
Using diagnostic tools This chapter describes how to use the ping and traceroute utilities. Ping Use the ping utility to determine if a specific address is reachable. A ping operation involves the following steps: The source device sends ICMP echo requests to the destination device. The destination device responds by sending ICMP echo replies to the source device after receiving the ICMP echo requests.
The destination device responds with an ICMP port-unreachable message because the packet from the source has an unreachable port number. In this way, the source device gets the address of the destination device. In this way, the source device can get the addresses of all Layer 3 devices on the path. Ping operation Configuring IPv4 Ping Select Network >...
Configuring IPv6 Ping Select Network > Diagnostic Tools from the navigation tree. Click the IPv6 Ping tab. The ping configuration page appears. Figure 257 Ping configuration page Enter the IP address or the host name of the destination device in the Destination IPv6 address or host name field.
The traceroute configuration page appears. Figure 259 Traceroute configuration page Enter the IP address or host name of the destination device in the Destination IP address or host name field. Click Start. The output is displayed in the Summary area. Figure 260 IPv4 traceroute output Configuring IPv6 traceroute Select Network >...
Figure 261 Traceroute configuration page Enter the IP address or host name of the destination device in the Destination IPv6 address or host name field. Click Start. The output is displayed in the Summary area. Figure 262 IPv6 traceroute output...
Configuring 802.1X 802.1X overview 802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for the security of WLANs. It has been widely used on Ethernet for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.
Controlled/uncontrolled port and port authorization status 802.1X defines two logical ports for the network access port: controlled port and uncontrolled port. Any packet arriving at the network access port is visible to both logical ports. • Controlled port—Allows incoming and outgoing traffic to pass through when it is in the authorized state, and denies incoming and outgoing traffic when it is in the unauthorized state, as shown in Figure...
• Data—Content of the EAP packet. This field appears only in a Request or Response EAP packet. The Data field comprises the request type (or the response type) and the type data. Type 1 (Identity) and type 4 (MD5-challenge) are two examples for the type field. EAPOL packet format Figure 266 shows the EAPOL packet format.
Figure 267 EAP-Message attribute format (fields: Type, Length, String; the String field carries the EAP packets)
Message-Authenticator RADIUS includes the Message-Authenticator attribute in all packets that have an EAP-Message attribute to check their integrity. The packet receiver drops the packet if the calculated packet integrity checksum is different from the Message-Authenticator...
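As an added example (not from the guide), the following Python builds an Access-Request carrying an EAP-Message, computes the Message-Authenticator as HMAC-MD5 keyed with the RADIUS shared secret over the packet with the attribute value zeroed (RFC 3579), and applies the receiver's accept-or-drop rule described above. The secret, identifier and Request Authenticator values are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute in Type/Length/Value form (Figure 267); Length covers the two header bytes."""
    return bytes([attr_type, len(value) + 2]) + value


def iter_attributes(packet: bytes):
    """Yield (type, offset of the value, value) for each attribute after the 20-byte RADIUS header."""
    i = 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        yield attr_type, i + 2, packet[i + 2:i + length]
        i += length


def compute_message_authenticator(packet: bytes, secret: bytes) -> bytes:
    """HMAC-MD5 over the whole packet with the Message-Authenticator value set to 16 zero bytes
    (RFC 3579 section 3.2); the key is the RADIUS shared secret."""
    for attr_type, offset, value in iter_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                raise ValueError("Message-Authenticator must be 16 bytes")
            zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
            return hmac.new(secret, zeroed, hashlib.md5).digest()
    raise ValueError("no Message-Authenticator attribute")


def eap_response_identity(identifier: int, identity: bytes) -> bytes:
    """EAP Response (code 2) of type 1 (Identity), the identity type named above."""
    return struct.pack("!BBHB", 2, identifier, 5 + len(identity), 1) + identity


def build_access_request(identifier: int, request_authenticator: bytes,
                         eap_packet: bytes, secret: bytes) -> bytes:
    """Access-Request carrying an EAP-Message and a correctly computed Message-Authenticator."""
    attrs = attribute(ATTR_EAP_MESSAGE, eap_packet) + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH16s", ACCESS_REQUEST, identifier, 20 + len(attrs),
                         request_authenticator) + attrs
    digest = compute_message_authenticator(packet, secret)
    offset = next(o for t, o, _ in iter_attributes(packet) if t == ATTR_MESSAGE_AUTHENTICATOR)
    return packet[:offset] + digest + packet[offset + 16:]


def receiver_accepts(packet: bytes, secret: bytes) -> bool:
    """The receiver rule described above: a packet with an EAP-Message must carry a
    Message-Authenticator that matches the recomputed HMAC, otherwise it is dropped."""
    values = {t: v for t, _, v in iter_attributes(packet)}
    if ATTR_EAP_MESSAGE not in values:
        return True                     # no EAP payload: the rule does not apply
    if ATTR_MESSAGE_AUTHENTICATOR not in values:
        return False                    # required attribute missing
    expected = compute_message_authenticator(packet, secret)
    return hmac.compare_digest(expected, values[ATTR_MESSAGE_AUTHENTICATOR])


if __name__ == "__main__":
    secret = b"expert"                  # the shared key used in the 802.1X configuration example
    request = build_access_request(1, os.urandom(16), eap_response_identity(1, b"alice"), secret)
    print("valid packet accepted:", receiver_accepts(request, secret))
    print("wrong secret accepted:", receiver_accepts(request, b"other-secret"))
```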
EAP relay is defined in IEEE 802.1X. In this mode, the network device uses EAPOR packets to send authentication information to the RADIUS server, as shown in Figure 269. Figure 269 EAP relay In EAP relay mode, the client must use the same authentication method as the RADIUS server. On the network access device, you only need to enable EAP relay.
Figure 271 802.1X authentication procedure in EAP relay mode When a user launches the 802.1X client software and enters a registered username and password, the 802.1X client software sends an EAPOL-Start packet to the network access device. The network access device responds with an Identity EAP-Request packet to ask for the client username.
10. Upon receiving the RADIUS Access-Accept packet, the network access device sends an EAP-Success packet to the client, and sets the controlled port in the authorized state so the client can access the network. 11. After the client comes online, the network access device periodically sends handshake requests to check whether the client is still online.
802.1X timers This section describes the timers used on an 802.1X device to guarantee that the client, the device, and the RADIUS server can interact with each other correctly. • Username request timeout timer—Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request.
On a periodic online user re-authentication enabled port, if a user has been online before you enable the MAC-based VLAN function, the access device does not create a MAC-to-VLAN mapping for the user unless the user passes re-authentication and the VLAN for the user has changed. Guest VLAN You can configure a guest VLAN on a port to accommodate users that have not performed 802.1X authentication, so they can access a limited set of network resources, such as a software server, to...
password. Users in the Auth-Fail VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. The Auth-Fail VLAN does not accommodate 802.1X users that have failed authentication for authentication timeouts or network connection problems. The way that the network access device handles VLANs on the port differs by 802.1X access control mode.
• If local authentication is used, create local user accounts on the access device and specify the LAN access service for the user accounts. For more information, see "Configuring users."
Recommended configuration procedure
Step / Remarks
Configuring 802.1X globally: Required. This function enables 802.1X authentication globally. It also configures the authentication method and advanced parameters. By default, 802.1X authentication is disabled globally.
The support of the RADIUS server for EAP packets. The authentication methods supported by the 802.1X client and the RADIUS server. Click Advanced to expand the advanced 802.1X configuration area. Figure 274 Configuring advanced 802.1X parameters Configure advanced 802.1X settings as described in Table 97, and then click Apply.
Figure 275 Configuring 802.1X on a port Table 98 describes the configuration items. Table 98 Configuration items Item Description Select a port where you want to enable 802.1X. Only ports not enabled with 802.1X authentication are available. Port 802.1X configuration takes effect on a port only after 802.1X is enabled both globally and on the port.
Item Description • The periodic online user re-authentication timer can also be set by the authentication server in the session-timeout attribute. The server-assigned timer overrides the timer setting on the access device, and it enables periodic online user re-authentication, even if the function is not configured on the access device.
Feature Relationship description performs MAC-based access control than the shutdown port action of the port intrusion protection feature. Configuring an Auth-Fail VLAN Configuration prerequisites • Create the VLAN to be specified as the 802.1X Auth-Fail VLAN. • If the 802.1X-enabled port performs MAC-based access control, configure the port as a hybrid port, enable MAC-based VLAN on the port, and assign the port to the Auth-Fail VLAN as an untagged member.
Specify the device to try up to 5 times at an interval of 5 seconds in transmitting a packet to the RADIUS server until it receives a response from the server, and to send real time accounting packets to the accounting server every 15 minutes. Figure 276 Network diagram Configuring IP addresses # Assign an IP address to each interface as shown in...
Figure 278 Configuring 802.1X for GigabitEthernet 1/0/1 Configuring the RADIUS scheme for the switch Configure authentication and accounting attributes for the RADIUS scheme: a. From the navigation tree, select Authentication > RADIUS, and click Add. b. Enter the scheme name system. c.
Figure 279 Configuring the RADIUS scheme Configure the primary authentication server in the RADIUS scheme: a. In the RADIUS Server Configuration area, click Add. b. Select the server type Primary Authentication. c. Enter the IP address 10.1.1.1, and enter the port number 1812.
d. Click Apply. The RADIUS Server Configuration area displays the primary authentication server you have configured. Configure the backup authentication server in the RADIUS scheme: a. In the RADIUS Server Configuration area, click Add. b. Select the server type Backup Authentication. c.
Figure 280 Creating an ISP domain Configure AAA authentication method for the ISP domain: a. Click the Authentication tab. b. Select test from the Select an ISP domain list. c. Select Default AuthN, select authentication method RADIUS from the Default AuthN list, and select the authentication scheme system from the Name list, as shown in Figure 281.
Figure 282 Configuration progress dialog box e. After the configuration process is complete, click Close. Configure AAA authorization method for the ISP domain: a. Click the Authorization tab. b. Select test from the Select an ISP domain list. c. Select Default AuthZ, select the authorization method RADIUS from the Default AuthZ list, and select the authorization scheme system from the Name list, as shown in Figure 283.
Figure 284 Configuring the AAA accounting method for the ISP domain d. Click Apply. e. After the configuration process is complete, click Close. 802.1X with ACL assignment configuration example Network requirements As shown in Figure 285, perform 802.1X authentication on port GigabitEthernet 1/0/1. Use the RADIUS server at 10.1.1.1 as the authentication and authorization server and the RADIUS server at 10.1.1.2 as the accounting server.
Configure the primary authentication server in the RADIUS scheme: a. In the RADIUS Server Configuration area, click Add. b. Select the server type Primary Authentication. c. Enter the IP address 10.1.1.1, and enter the port number 1812. d. Enter expert in the Key and Confirm Key fields. e.
Figure 288 Configuring the RADIUS scheme Click Apply. Configuring AAA Create an ISP domain: a. From the navigation tree, select Authentication > AAA. The Domain Setup page appears. b. Enter test from the Domain Name list, and select Enable from the Default Domain list. c.
Figure 289 Creating an ISP domain Configure AAA authentication method for the ISP domain: a. Click the Authentication tab. b. Select test from the Select an ISP domain list. c. Select Default AuthN, select RADIUS as the default authentication method, and select the authentication scheme system from the Name list, as shown in Figure 290.
Figure 291 Configuration progress dialog box e. After the configuration process is complete, click Close. Configure AAA authorization method for the ISP domain: a. Click the Authorization tab. b. Select test from the Select an ISP domain list. c. Select Default AuthZ, select RADIUS as the default authorization method, and select the authorization scheme system from the Name list, as shown in Figure 292.
Figure 293 Configuring the AAA accounting method for the ISP domain f. After the configuration process is complete, click Close. Configuring an ACL From the navigation tree, select QoS > ACL IPv4. Click the Add tab. Enter the ACL number 3000, and click Apply. Figure 294 Creating ACL 3000 Click the Advanced Setup tab.
− Enter 10.0.0.1 as the destination IP address. − Enter 0.0.0.0 as the destination IP address wildcard. d. Click Add. Figure 295 ACL rule configuration Configuring 802.1X Configure 802.1X globally: a. From the navigation tree, select Authentication > 802.1X. b. Select Enable 802.1X. c.
Figure 296 Configuring 802.1X globally Configure 802.1X for GigabitEthernet 1/0/1: a. In the Ports With 802.1X Enabled area, click Add. b. Select GigabitEthernet1/0/1 from the Port list. c. Click Apply. Figure 297 Configuring 802.1X for GigabitEthernet 1/0/1 Verifying the configuration After the user passes authentication and gets online, use the ping command to test whether ACL 3000 takes effect.
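The ACL assigned after authentication in this example (and again in the MAC authentication ACL assignment example later in this guide) uses a destination address of 10.0.0.1 with wildcard 0.0.0.0. The following added example, not code from the guide or from the switch, shows what that wildcard notation means and how a first-match ACL evaluation decides a packet. The rule action and the behaviour when no rule matches are not shown on the page; "deny" and a default of "permit" are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(address: str, rule_address: str, wildcard: str) -> bool:
    """ACL wildcard semantics: a 1 bit in the wildcard means 'do not care'.

    0.0.0.0 therefore matches exactly one host, 0.0.0.255 a whole /24 block.
    """
    a = int(ipaddress.IPv4Address(address))
    r = int(ipaddress.IPv4Address(rule_address))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (r & care)


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    dst: Optional[str] = None         # None means any destination
    dst_wildcard: str = "0.0.0.0"
    src: Optional[str] = None         # None means any source
    src_wildcard: str = "0.0.0.0"

    def matches(self, src: str, dst: str) -> bool:
        if self.dst is not None and not wildcard_match(dst, self.dst, self.dst_wildcard):
            return False
        if self.src is not None and not wildcard_match(src, self.src, self.src_wildcard):
            return False
        return True


def evaluate(rules: List[Rule], src: str, dst: str, default: str = "permit") -> str:
    """First matching rule wins; 'default' applies when nothing matches (an assumption here)."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action
    return default


# Constructed to mirror ACL 3000 from the example: one advanced rule on destination
# 10.0.0.1 with wildcard 0.0.0.0. The page does not show the rule's action; "deny" is
# assumed because the verification step pings that host to confirm the ACL took effect.
ACL_3000 = [Rule(action="deny", dst="10.0.0.1", dst_wildcard="0.0.0.0")]

if __name__ == "__main__":
    for host in ("10.0.0.1", "10.0.0.2"):
        print(host, evaluate(ACL_3000, "192.168.1.10", host))
```

The practical point is the inverted mask: the wildcard lists the bits the switch ignores, so a wildcard of 0.0.0.0 pins the rule to a single host, which is why the ping to 10.0.0.1 is the right verification step while other hosts stay reachable.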
Configuring AAA Overview Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It provides the following security functions: • Authentication—Identifies users and determines whether a user is valid. • Authorization—Grants user rights and controls user access to resources and services. For example, a user who has successfully logged in to the device can be granted read and print permissions to the files on the device.
Domain-based user management A NAS manages users based on ISP domains. On a NAS, each user belongs to one ISP domain. A NAS determines the ISP domain for a user by the username entered by the user at login. For a username in the userid@isp-name format, the access device considers the userid part the username for authentication and the isp-name part the ISP domain name.
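The userid@isp-name rule above decides which ISP domain's AAA methods apply to a login, and the RADIUS and HWTACACS scheme pages later in this guide let you choose whether the domain part is kept or stripped before the username is sent to the server (the "Without domain name" option in the Username Format list). The following is an added example, not code from the guide or the switch, that carries the parsing through both steps. It assumes the last "@" is the separator and that "with domain name" sends the login name as entered; the page does not describe how several "@" characters are handled.

```python
from typing import Tuple


def split_username(login_name: str, default_domain: str) -> Tuple[str, str]:
    """Resolve (userid, ISP domain) from a login name.

    A name without '@' belongs to the default domain. Assumption for this
    example: the last '@' separates userid and domain, so a userid may itself
    contain '@'.
    """
    if "@" in login_name:
        userid, _, domain = login_name.rpartition("@")
    else:
        userid, domain = login_name, default_domain
    if not userid:
        raise ValueError("empty userid")
    if not domain:
        raise ValueError("empty ISP domain name")
    return userid, domain


def format_for_server(login_name: str, default_domain: str, keep_domain: bool) -> str:
    """Build the username handed to the RADIUS/HWTACACS server.

    keep_domain=False models the 'Without domain name' option of the scheme's
    Username Format list: the server sees only the userid. keep_domain=True
    sends the login name unchanged (assumption for this example).
    """
    userid, _ = split_username(login_name, default_domain)
    return login_name if keep_domain else userid


if __name__ == "__main__":
    # telnet@test is the login used in the guide's local AAA example; "system"
    # as the default domain name is a constructed value.
    print(split_username("telnet@test", "system"))
    print(split_username("admin", "system"))
    print(format_for_server("telnet@test", "system", keep_domain=False))
```

Stripping the domain matters when the server's account database holds bare usernames: with the domain left on, "telnet@test" and "telnet" are different accounts on the server even though the device treats both as user telnet in domain test.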
Configuring an ISP domain Select Authentication > AAA from the navigation tree. The Domain Setup page appears. Figure 300 Domain Setup page Create an ISP domain, as described in Table 101. Click Apply. Table 101 Configuration items Item Description Enter the ISP domain name, which is for identifying the domain. Domain Name You can enter a new domain name to create a domain, or specify an existing domain to change its status (whether it is the default domain).
Figure 301 Authentication method configuration page Select the ISP domain and specify authentication methods for the domain, as described in Table 102. Click Apply. Table 102 Configuration items Item Description Select an ISP domain Select the ISP domain for which you want to specify authentication methods. Configure the default authentication method and secondary authentication method for all types of users.
Item Description • RADIUS—RADIUS authentication. You must specify the RADIUS scheme to be used. • Not Set—The device uses the settings in the Default AuthN area for login users. NOTE: The HPE NJ5000 5G PoE+ switch does not support PPP authentication and portal authentication. Configuring authorization methods for the ISP domain Select Authentication >...
Item Description Secondary Method Options include: • Local—Local authorization. • None—This method trusts all users and assigns default rights to them. • RADIUS—RADIUS authorization. You must specify the RADIUS scheme to be used. • Not Set—The device uses the settings in the Default AuthZ area for LAN access users.
Table 104 Configuration items Item Description Select an ISP domain Select the ISP domain for which you want to specify authentication methods. Specify whether to enable the accounting optional feature. The feature enables a user who would otherwise be disconnected to use network resources even if there is no accounting server available or communication with Accounting Optional the current accounting server fails.
Figure 304 Network diagram Configuration procedure Enable the Telnet server function, and configure the switch to use AAA for Telnet users. (Details not shown.) Configure IP addresses for the interfaces. (Details not shown.) Configure a local user: a. Select Device > Users from the navigation tree. b.
Figure 306 Configuring ISP domain test Configure the ISP domain to use local authentication: a. Select Authentication > AAA from the navigation tree. b. Click the Authentication tab. c. Select the domain test. d. Select Login AuthN and select the authentication method Local. Figure 307 Configuring the ISP domain to use local authentication e.
Figure 308 Configuration progress dialog box Configure the ISP domain to use local authorization: a. Select Authentication > AAA from the navigation tree. b. Click the Authorization tab. c. Select the domain test. d. Select Login AuthZ and select the authorization method Local. e.
Figure 310 Configuring the ISP domain to use local accounting Verifying the configuration Telnet to the switch and enter the username telnet@test and password abcd. You will be serviced as a user in domain test.
Configuring RADIUS Overview Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that uses a client/server model to implement AAA. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access.
Basic RADIUS message exchange process Figure 312 illustrates the interactions between the host, the RADIUS client, and the RADIUS server. Figure 312 Basic RADIUS message exchange process RADIUS operates in the following manner: The host initiates a connection request that carries the user's username and password to the RADIUS client.
Figure 313 RADIUS packet format (fields, in order: Code, Identifier, Length, Authenticator, Attributes) The following describes the fields of a RADIUS packet: • The Code field (1 byte long) indicates the type of the RADIUS packet. Table 105 Main values of the Code field Code Packet type Description...
Length—(1 byte long) Length of the attribute in bytes, including the Type, Length, and Value fields. Value—(Up to 253 bytes) Value of the attribute. Its format and content depend on the Type and Length fields. Table 106 Commonly used RADIUS attributes Attribute Attribute User-Name...
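The packet layout described above (a 20-byte header of Code, Identifier, Length and Authenticator, followed by Type/Length/Value attributes whose Length byte counts all three fields) is small enough to parse by hand, and doing so shows why the shared key configured in a RADIUS scheme matters: the Response Authenticator is an MD5 digest over the reply, the Request Authenticator it answers and the shared key, so a reply forged or altered without the key fails the check. The following is an added example, not code from the guide or the switch. It uses the Code and attribute numbers from RFC 2865 (User-Name is 1, Session-Timeout is 27); the sample packet, its Request Authenticator and the shared key "expert" (the key entered in the guide's RADIUS scheme example) are constructed here.

```python
import hashlib
import hmac
import struct

# Code values from RFC 2865/2866; the page's Table 105 lists the main ones.
CODE_NAMES = {
    1: "Access-Request",
    2: "Access-Accept",
    3: "Access-Reject",
    4: "Accounting-Request",
    5: "Accounting-Response",
    11: "Access-Challenge",
}

HEADER = struct.Struct("!BBH")   # Code (1 byte), Identifier (1 byte), Length (2 bytes)


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and a list of (Type, Value) attributes.

    Length covers the whole packet including the 20-byte header; bytes beyond
    Length are padding and ignored, bytes missing before Length are an error.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = HEADER.unpack(packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError(f"Length field {length} inconsistent with {len(packet)} bytes received")
    attributes = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        # Attribute Length counts Type, Length and Value, so 2 <= alen <= 255 (Value <= 253 bytes)
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute type {atype} has invalid length {alen}")
        attributes.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {
        "code": code,
        "name": CODE_NAMES.get(code, "Unknown"),
        "identifier": identifier,
        "length": length,
        "authenticator": packet[4:20],
        "attributes": attributes,
    }


def encode_attributes(attributes) -> bytes:
    out = b""
    for atype, value in attributes:
        if len(value) > 253:
            raise ValueError("attribute Value may not exceed 253 bytes")
        out += bytes([atype, len(value) + 2]) + value
    return out


def response_authenticator(code, identifier, length, request_auth, attr_bytes, secret) -> bytes:
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(HEADER.pack(code, identifier, length) + request_auth + attr_bytes + secret).digest()


def build_response(code, identifier, request_auth, attributes, secret) -> bytes:
    body = encode_attributes(attributes)
    length = 20 + len(body)
    auth = response_authenticator(code, identifier, length, request_auth, body, secret)
    return HEADER.pack(code, identifier, length) + auth + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the Response Authenticator matches the shared key and the request it answers."""
    p = parse_radius(packet)
    expected = response_authenticator(p["code"], p["identifier"], p["length"],
                                      request_auth, packet[20:p["length"]], secret)
    return hmac.compare_digest(expected, p["authenticator"])


# Constructed sample: an Access-Accept answering a request whose Request Authenticator
# was the 16 bytes below, signed with the shared key "expert" from the guide's example.
SECRET = b"expert"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_response(2, 7, REQUEST_AUTH,
                               [(1, b"user"),                      # User-Name
                                (27, struct.pack("!I", 3600))],   # Session-Timeout: re-auth after 1 h
                               SECRET)

if __name__ == "__main__":
    parsed = parse_radius(SAMPLE_ACCEPT)
    print(parsed["name"], parsed["identifier"], parsed["attributes"])
    print("authenticator ok:", verify_response(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
    print("wrong key ok:", verify_response(SAMPLE_ACCEPT, REQUEST_AUTH, b"wrong"))
```

The Session-Timeout attribute in the sample is the server-assigned re-authentication timer mentioned in the 802.1X port configuration table: it overrides the timer on the access device, which is one reason a client must verify the Response Authenticator before acting on attributes.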
• RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support • RFC 2868, RADIUS Attributes for Tunnel Protocol Support • RFC 2869, RADIUS Extensions Configuring a RADIUS scheme A RADIUS scheme defines a set of parameters that the device uses to exchange information with the RADIUS servers.
Item Description server type, the username format, and the shared keys for authentication and accounting packets. For more information about common configuration, see "Configuring common parameters." Configure the parameters of the RADIUS authentication servers and RADIUS Server Configuration accounting servers. For more information about RADIUS server configuration, see "Adding RADIUS servers."...
Item Description • Standard—Standard RADIUS servers. The RADIUS client and RADIUS server communicate by using the standard RADIUS protocol and packet format defined in RFC 2138/2139 or later. • Extended—Extended RADIUS servers, usually running on CAMS or IMC. The RADIUS client and the RADIUS server communicate by using the proprietary RADIUS protocol and packet format.
Item Description RADIUS server, the device considers the request a failure. IMPORTANT: The server response timeout time multiplied by the maximum number of RADIUS packet transmission attempts must not exceed 75. Set the interval for sending real-time accounting information. The interval must be a multiple of 3.
Item Description IMPORTANT: When enabling the accounting-on feature on a device for the first time, you must save the configuration so that the feature takes effect after the device reboots. Set the interval for sending accounting-on packets. This field is Accounting-On Interval configurable only after you select the Send accounting-on packets box.
RADIUS configuration example Network requirements As shown in Figure 319, an 802.1X user logs in to the switch from the host. Configure the switch to implement RADIUS authentication and accounting for the 802.1X user. RADIUS accounting records the online duration of the 802.1X user. Configure RADIUS servers on CAMS or IMC to use the default port for authentication and accounting.
Figure 320 RADIUS authentication server configuration page In the RADIUS Server Configuration area, click Add again to configure the primary accounting server: a. Select Primary Accounting as the server type. b. Enter 10.110.91.146 as the IP address. c. Enter 1813 as the port. d.
Figure 322 RADIUS scheme configuration Configuring AAA Select Authentication > AAA in the navigation tree. The domain setup page appears. On the domain setup page, configure a domain: a. Enter test for Domain Name. b. Click Enable to use the domain as the default domain. c.
a. Select the domain name test. b. Select Default AuthN and select RADIUS as the authentication mode. c. Select system from the Name list to use it as the authentication scheme. d. Click Apply. A configuration progress dialog box appears. e.
Figure 326 Configuring the AAA authorization method for the ISP domain Select the Accounting tab to configure the accounting scheme: a. Select the domain name test. b. Select Accounting Optional and select Enable from the list. c. Select Default Accounting and select RADIUS as the accounting mode. d.
• The status of RADIUS servers, blocked or active, determines which servers the device will communicate with or turn to when the current servers are not available. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers that function as the backup of the primary servers.
Configuring HWTACACS HW Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). HWTACACS is similar to RADIUS, and it uses a client/server model for information exchange between the network access server (NAS) and the HWTACACS server.
Figure 329 Creating the HWTACACS scheme named system Click Apply. The added HWTACACS scheme is displayed, as shown in Figure 330. Figure 330 Displaying the added HWTACACS scheme Configuring HWTACACS servers for the scheme On the page in Figure 330, click the Modify icon for the HWTACACS scheme system.
Figure 332 Add HWTACACS Server page Configure the server parameters as described in Table 111. Click Apply. Table 111 Configuration items Item Description Select the server type, including: • Primary Authentication. • Primary Authorization. • Server Type Primary Accounting. • Secondary Authentication.
Figure 333 HWTACACS communication parameter configuration Configure the HWTACACS parameters as described in Table 112. Click Apply. Table 112 Configuration items Item Description Set the format of the usernames sent to the HWTACACS servers. A username is typically in the userid@isp-name format, of which the isp-name argument is used by the device to determine the ISP domain to which the user belongs.
Item Description accounting server use the MD5 algorithm to encrypt packets exchanged between them and use a shared key to verify the packets. Make sure the HWTACACS server and client use the same shared key for secure communication. Set the interval for which the primary server has to wait before being active. Quiet Time If you leave this field blank, the default quiet interval is used.
Item Description If you leave this field blank, the default unit is used. Specify the measurement unit for data packets sent to the HWTACACS server for traffic accounting. Options include: • One-packet (default). • Kilo-packet. Unit for Packets • Mega-packet. •...
Figure 335 Page for adding an HWTACACS scheme b. Click Add. The Add HWTACACS Scheme page appears, as shown in Figure 336. Figure 336 Creating the HWTACACS scheme system c. Click Apply. The added HWTACACS scheme is displayed, as shown in Figure 337.
Figure 339 Configuring the HWTACACS authentication server d. Click Apply. The HWTACACS Server Configuration area displays the added HWTACACS server, as shown in Figure 340. Figure 340 Displaying the added HWTACACS server Configure the HWTACACS authorization server: a. In the HWTACACS Server Configuration area, click Add. b.
Figure 341 Configuring the parameters for communication Configure the ISP domain test: a. From the navigation tree, select Authentication > AAA. b. Enter test in the Domain Name field, as shown in Figure 342. c. Click Apply. Figure 342 Configuring the ISP domain test Configure an authentication method for the ISP domain, as shown in Figure 343:...
a. Click the Authentication tab. b. Select the ISP domain test from the list. c. Select Default AuthN, and then select HWTACACS from the list. d. Select system from the Name list. e. Click Apply. A progress dialog box appears. f.
c. Select Accounting Optional, and then select Enable from the list. d. Select Default Accounting, and then select HWTACACS from the list. e. Select system from the Name list. f. Click Apply. A progress dialog box appears. g. When the configuration progress is complete, click Close. Figure 345 Configuring an accounting method for the ISP domain Verifying the configuration # Initiate a connection to the HPE NJ5000 5G PoE+ switch from the host, and enter the username...
• HWTACACS authentication must work with HWTACACS authorization. If only HWTACACS authentication is configured, but HWTACACS authorization is not, users cannot log in. • You can remove an HWTACACS server only when the device and the server do not have active TCP connections for sending authentication, authorization, or accounting packets.
Configuring users You can configure local users and create groups to manage them. A local user represents a set of user attributes configured on a device (such as the user password, user type, service type, and authorization attribute), and is uniquely identified by the username. For a user to pass local authentication, you must add an entry for the user in the local user database of the device.
Figure 347 Local user configuration page Configure the local user as described in Table 114. Click Apply. Table 114 Configuration items Item Description Username Specify a name for the local user. Password Specify and confirm the password of the local user. Confirm The settings of these two fields must be the same.
Item Description checks whether the expiration time has passed. If it has not passed, the device permits the user to log in. Specify the VLAN to be authorized to the local user after the user passes authentication. VLAN This option takes effect on only LAN users. Specify the ACL to be used by the access device to restrict the access of the local user after the user passes authentication.
Click Apply. Table 115 Configuration items Item Description Group-name Specify a name for the user group. Select an authorization level for the user group: Visitor, Monitor, Configure, or Level Management, in ascending order of priority. Specify the VLAN to be authorized to users of the user group after the users pass VLAN authentication.
Managing certificates Overview The Public Key Infrastructure (PKI) offers an infrastructure for securing network services through public key technologies and digital certificates, and for verifying the identities of the digital certificate owners. A digital certificate is a binding of certificate owner identity information and a public key. Users can get certificates, use certificates, and revoke certificates.
Figure 350 PKI architecture Entity An entity is an end user of PKI products or services, such as a person, an organization, a device like a router or a switch, or a process running on a computer. A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs.
The entity makes a request to the CA when it needs to revoke its certificate. The CA approves the request, updates the CRLs and publishes the CRLs on the LDAP server. PKI applications The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI has a wide range of applications.
Step Remarks By default, no local RSA key pair exists. Generating an RSA key pair is an important step in certificate request. The key pair includes a public key and a private key. The private key is kept by the user, and the public key is transferred to the CA along with some other information.
Recommended configuration procedure for automatic request Task Remarks Required. Create a PKI entity and configure the identity information. A certificate is the binding of a public key and the identity information of an entity, where the DN shows the identity information of the entity. A CA Creating a PKI entity identifies a certificate applicant uniquely by an entity DN.
Figure 352 PKI entity configuration page Configure the parameters, as described in Table 116. Click Apply. Table 116 Configuration items Item Description Entity Name Enter the name for the PKI entity. Common Name Enter the common name for the entity. IP Address Enter the IP address of the entity.
Figure 353 PKI domain list Click Add. Click Display Advanced Config to display the advanced configuration items. Figure 354 PKI domain configuration page Configure the parameters, as described in Table 117. Click Apply. Table 117 Configuration items Item Description Domain Name Enter the name for the PKI domain.
Item Description information. Available PKI entities are those that have been configured. Select the authority for certificate request. • CA—Indicates that the entity requests a certificate from a CA. Institution • RA—Indicates that the entity requests a certificate from an RA. RA is recommended.
Item Description name. This item is available after you click the Enable CRL Checking box. If the URL of the CRL distribution point is not set, you should get the CA certificate and a local certificate, and then get a CRL through SCEP. Generating an RSA key pair From the navigation tree, select Authentication >...
Destroying the RSA key pair From the navigation tree, select Authentication > Certificate Management. Click the Certificate tab. Click Destroy Key. Click Apply to destroy the existing RSA key pair and the corresponding local certificate. Figure 357 Key pair destruction page Retrieving and displaying a certificate You can retrieve an existing CA certificate or local certificate from the CA server and save it locally.
Item Description Mode like FTP, disk, or email), and then import the certificate into the local PKI system. The following configuration items are displayed if this box is selected. Get File From Specify the path and name of the certificate file to import: Device •...
Requesting a local certificate From the navigation tree, select Authentication > Certificate Management. Click the Certificate tab. Click Request Cert. Figure 360 Local certificate request page Configure the parameters, as described in Table 119. Table 119 Configuration items Item Description Domain Name Select the PKI domain for the certificate.
Retrieving and displaying a CRL From the navigation tree, select Authentication > Certificate Management. Click the CRL tab. Figure 362 CRL page Click Retrieve CRL to retrieve the CRL of a domain. Click View CRL for the domain to display the contents of the CRL. Figure 363 CRL information Table 120 Field description Field...
Field Description Next Update Next update time. X509v3 CRL Number CRL sequence number. X509v3 Authority Key Identifier Identifier of the CA that issued the certificate and the certificate version (X509v3). keyid Public key identifier. A CA might have multiple key pairs, and this field identifies which key pair is used for the CRL signature.
c. Enter aaa as the PKI entity name, enter ac as the common name, and click Apply. Figure 365 Creating a PKI entity Create a PKI domain: a. Click the Domain tab. b. Click Add. The page in Figure 366 appears.
Figure 366 Creating a PKI domain Generate an RSA key pair: a. Click the Certificate tab. b. Click Create Key. c. Enter 1024 as the key length, and click Apply to generate an RSA key pair. Figure 367 Generating an RSA key pair Retrieve the CA certificate: a.
Figure 368 Retrieving the CA certificate Request a local certificate: a. Click the Certificate tab. b. Click Request Cert. c. Select torsa as the PKI domain, select Password, and enter challenge-word as the password. d. Click Apply. The system displays "Certificate request has been submitted." e.
Configuration guidelines When you configure PKI, follow these guidelines: • Make sure the clocks of entities and the CA are synchronous. Otherwise, the validity period of certificates will be abnormal. • The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the PKI entity identity information in a certificate request goes beyond a certain limit, the server will not respond to the certificate request.
Configuring MAC authentication Overview MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port.
are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance. • Server timeout timer—Sets the interval that the device waits for a response from a RADIUS server before it regards the RADIUS server unavailable. If the timer expires during MAC authentication, the user cannot access the network.
accounts, make sure the username and password for each account are the same as the MAC address of each MAC authentication user. Make sure the port security feature is disabled. For more information about port security, see "Configuring port security." Recommended configuration procedure Step Remarks...
Configure MAC authentication global settings as described in Table 121, and then click Apply. Table 121 Configuration items Item Description Enable MAC Authentication Specify whether to enable MAC authentication globally. Set the period that the device waits for traffic from a user before it Offline Detection Period regards the user idle.
Item Description the 802.1X guest VLAN on a port that performs MAC-based access control. If a user fails both types of authentication, the access port adds the user to the 802.1X guest VLAN. For more information about 802.1X guest VLANs, see "Configuring 802.1X."...
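The timers and account rules above fit together as a small state machine on the access device: an unknown source MAC triggers authentication, a rejected or unanswered attempt puts that MAC into the quiet state where its frames are dropped without a new attempt, and an online user that sends no traffic within the offline detection period is logged out. The following is an added example, not code from the guide or the switch, that simulates this on one port. Assumptions: the "MAC without hyphen" username format from the guide's later MAC authentication example is the default, the "MAC with hyphen" variant is an illustration, the timer values and the local account database (username and password both equal to the MAC address, as the guide requires) are constructed, and a server timeout is modelled as the authenticate callback returning None.

```python
from typing import Callable, Dict, List, Optional


def mac_username(mac: str, style: str = "MAC without hyphen") -> str:
    """Turn any common MAC spelling into the authentication username.

    'MAC without hyphen' is the format option shown in the guide's example;
    'MAC with hyphen' is assumed here for illustration.
    """
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if style == "MAC without hyphen":
        return digits
    if style == "MAC with hyphen":
        return "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    raise ValueError(f"unknown username format {style!r}")


class MacAuthPort:
    """Simulates the access-device side of MAC authentication on one port.

    authenticate(username) returns True (accept), False (reject) or None
    (no answer before the server timeout). Rejected and timed-out users enter
    the quiet state: their frames are dropped without re-authentication until
    the quiet timer expires. Online users that send nothing for
    offline_detect seconds are logged out.
    """

    def __init__(self, authenticate: Callable[[str], Optional[bool]],
                 quiet_time: int = 60, offline_detect: int = 300,
                 style: str = "MAC without hyphen") -> None:
        self.authenticate = authenticate
        self.quiet_time = quiet_time
        self.offline_detect = offline_detect
        self.style = style
        self.online: Dict[str, int] = {}       # username -> time of last traffic
        self.quiet_until: Dict[str, int] = {}  # username -> end of quiet time

    def frame(self, now: int, src_mac: str) -> str:
        user = mac_username(src_mac, self.style)
        # Offline detection: log out idle users so their authorization does not linger.
        for idle in [u for u, last in self.online.items() if now - last >= self.offline_detect]:
            del self.online[idle]
        if user in self.online:
            self.online[user] = now
            return "forward"
        if user in self.quiet_until:
            if now < self.quiet_until[user]:
                return "drop(quiet)"          # no new attempt during quiet time
            del self.quiet_until[user]
        result = self.authenticate(user)
        if result is True:
            self.online[user] = now
            return "forward"
        self.quiet_until[user] = now + self.quiet_time
        return "drop(timeout)" if result is None else "drop(reject)"


# Constructed local account set: for MAC authentication the username and password of
# each account are both the MAC address, so a set of usernames is enough to model it.
LOCAL_ACCOUNTS = {"00e0fc123456"}
UNREACHABLE = {"00e0fc000001"}   # constructed: the server never answers for this user
AUTH_CALLS: List[str] = []


def local_authenticate(username: str) -> Optional[bool]:
    AUTH_CALLS.append(username)
    if username in UNREACHABLE:
        return None
    return username in LOCAL_ACCOUNTS


def run_demo() -> List[str]:
    """Replay constructed traffic (seconds, source MAC) through one port."""
    AUTH_CALLS.clear()
    port = MacAuthPort(local_authenticate, quiet_time=60, offline_detect=300)
    traffic = [(0, "00-E0-FC-12-34-56"), (1, "00-E0-FC-AA-BB-CC"), (30, "00-E0-FC-AA-BB-CC"),
               (61, "00-E0-FC-AA-BB-CC"), (400, "00-E0-FC-12-34-56"), (401, "00-E0-FC-00-00-01")]
    return [port.frame(t, mac) for t, mac in traffic]


if __name__ == "__main__":
    print(run_demo(), AUTH_CALLS)
```

Two things the replay makes visible: the unknown MAC costs one authentication at second 1 and none at second 30, which is the quiet timer protecting the server from a flapping or spoofing host, and the known user is authenticated again at second 400 because the offline detection period had logged it out.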
Figure 374 Creating an ISP domain Click the Authentication tab. Select the ISP domain aabbcc.net. Select LAN-access AuthN, and select Local from the list. Figure 375 Configuring the authentication method for the ISP domain Click Apply. A configuration progress dialog box appears, as shown in Figure 376.
Figure 376 Configuration progress dialog box After the configuration process is complete, click Close. Configuring MAC authentication Configure MAC authentication globally: a. From the navigation tree, select Authentication > MAC Authentication. b. Select Enable MAC Authentication. c. Click Advanced, and configure advanced MAC authentication. d.
Configure MAC authentication for GigabitEthernet 1/0/1: a. In the Ports With MAC Authentication Enabled area, click Add. b. Select GigabitEthernet1/0/1 from the Port list, and click Apply. Figure 378 Enabling MAC authentication for port GigabitEthernet 1/0/1 ACL assignment configuration example Network requirements As shown in Figure...
c. Enter the scheme name system. d. Select the server type Extended. e. Select Without domain name from the Username Format list. f. Click Apply. Configure the primary authentication server in the RADIUS scheme: a. In the RADIUS Server Configuration area, click Add. b.
Figure 382 RADIUS configuration Configuring AAA for the scheme Create an ISP domain: a. From the navigation tree, select Authentication > AAA. b. On the Domain Setup page, enter test in the Domain Name field and click Apply.
Figure 383 Creating an ISP domain Configure AAA authentication method for the ISP domain: a. Click the Authentication tab. b. Select the ISP domain test. c. Select Default AuthN, select the authentication method RADIUS, and select the authentication scheme system from the Name list. Figure 384 Configuring the authentication method for the ISP domain d.
Figure 385 Configuration progress dialog box e. After the configuration process is complete, click Close. Configure AAA authorization method for the ISP domain: a. Click the Authorization tab. b. Select the ISP domain test. c. Select Default AuthZ, select the authorization mode RADIUS, and select the authorization scheme system from the Name list.
Figure 387 Configuring the accounting method for the ISP domain e. After the configuration process is complete, click Close. Configuring an ACL From the navigation tree, select QoS > ACL IPv4. Click the Add tab. Enter the ACL number 3000, and then click Apply. Figure 388 Adding ACL 3000 Click the Advanced Setup tab.
d. In the IP Address Filter area, select Destination IP Address: − Enter the destination IP address 10.0.0.1. − Enter the destination address wildcard 0.0.0.0. e. Click Add. Figure 389 Configuring an ACL rule Configuring MAC authentication Configure MAC authentication globally: a.
d. Select the authentication ISP domain test, select the authentication information format MAC without hyphen, and click Apply. Figure 390 Configuring MAC authentication globally Configure MAC authentication for GigabitEthernet 1/0/1: a. In the Ports With MAC Authentication Enabled area, click Add. b.
Configuring port security Overview Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. It applies to networks that require different authentication methods for different users on a port. Port security prevents unauthorized access to a network by checking the source MAC address of inbound traffic and prevents access to unauthorized devices by checking the destination MAC address of outbound traffic.
• Advanced mode—Port security supports 802.1X and MAC authentication. Different port security modes represent different combinations of the two methods. Table 123 describes the advanced security modes. Table 123 Advanced security modes Advanced mode Description MAC-Auth A port performs MAC authentication for users. It services multiple users. A port performs 802.1X authentication and implements port-based access control.
Configuration guidelines When you configure port security, follow these restrictions and guidelines: • Before you enable port security, disable 802.1X and MAC authentication globally. • Only one port security mode can be configured on a port. • The outbound restriction feature is not supported in this release. Recommended configuration procedure To configure basic port security mode: Step...
Step Remarks mode. You can configure up to 16 permitted OUI values. A port in this mode allows only one 802.1X user and one user whose MAC address contains the specified OUI to pass authentication at the same time. By default, no OUI values are configured. Configuring global settings for port security From the navigation tree, select Authentication >...
Table 124 Configuration items Item Description Specify whether to enable the port security feature globally. Enable Port Security By default, port security is disabled. Configure intrusion protection actions globally. Intrusion protection actions: • Temporarily Disabling Port Time—Sets the time length for how long the port is disabled temporarily upon receiving illegal frames.
Table 125 Configuration items Item Description Select a port where you want to configure port security. Port By default, port security is disabled on all ports, and access to the ports is not restricted. Set the maximum number of secure MAC addresses on the port. The number of authenticated users on the port cannot exceed the specified upper limit.
Figure 396 Secure MAC address list Click Add. The page for adding a secure MAC address appears. Figure 397 Adding secure MAC address Configure a secure MAC address as described in Table 126. Click Apply. Table 126 Configuration items Item Description Port Select a port where the secure MAC address is configured.
The page for configuring advanced port security control appears. Figure 399 Configuring advanced port security control Configure advanced port security control as described in Table 127. Click Apply. Table 127 Configuration items Item Description Select a port where you want to configure port security. Port By default, port security is disabled on all ports, and access to the ports is not restricted.
Configuring permitted OUIs
From the navigation tree, select Authentication > Port Security. The Port Security page as shown in Figure 392 appears. In the Advanced Port Security Configuration area, click Permitted OUIs.
Figure 400 Permitted OUIs
Enter the 48-bit MAC address in the format of H-H-H in the OUI Value field. Click Add.
Figure 402 Configuring port security
Configuring the basic port security control
In the Security Ports And Secure MAC Address List area, click Add. On the page that appears, select GigabitEthernet1/0/3. Enter 3 as the maximum number of MAC addresses. Select Enable Intrusion Protection, and select Disable Port Temporarily from the list. Click Apply.
Figure 404 Secure MAC address list
When the maximum number of MAC addresses is reached, intrusion protection is triggered. Select Device > Port Management from the navigation tree, and then select the Detail tab. On the page, click the target port (GigabitEthernet 1/0/3 in this example) to view details. Figure 405 shows that the port state is inactive.
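To make the behaviour of this example concrete, here is an added Python model of a port in basic port security mode. It is example code, not code from the HPE guide or from the switch. It uses the settings of the example (GigabitEthernet1/0/3, a maximum of 3 MAC addresses, intrusion protection set to Disable Port Temporarily); the 30-second disable time, the frame timestamps and the MAC addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Added example (not from the HPE guide): a port in basic port security mode
# with a secure MAC limit and the "Disable Port Temporarily" intrusion action.


@dataclass
class SecurePort:
    name: str
    max_secure_macs: int                   # maximum number of secure MAC addresses
    disable_seconds: int                   # Temporarily Disabling Port Time (constructed value)
    secure_macs: Set[str] = field(default_factory=set)
    disabled_until: Optional[int] = None   # None while the port is active

    def is_active(self, now: int) -> bool:
        if self.disabled_until is not None and now < self.disabled_until:
            return False
        self.disabled_until = None         # disable period elapsed: the port recovers
        return True

    def receive(self, src_mac: str, now: int) -> str:
        """Process one frame from src_mac arriving at second `now`."""
        src_mac = src_mac.lower()
        if not self.is_active(now):
            return "dropped: port temporarily disabled"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.max_secure_macs:
            self.secure_macs.add(src_mac)  # learn it as a secure MAC address
            return "learned"
        # The limit is reached and the frame comes from an unknown MAC: this is
        # the illegal frame that triggers the configured intrusion protection.
        self.disabled_until = now + self.disable_seconds
        return "intrusion: port disabled for %d s" % self.disable_seconds

    def remove_secure_mac(self, mac: str) -> None:
        """Removing an entry frees a slot, so the port can learn again."""
        self.secure_macs.discard(mac.lower())


def run_demo():
    """Replay the example: three MACs fill the port, a fourth triggers protection."""
    port = SecurePort("GigabitEthernet1/0/3", max_secure_macs=3, disable_seconds=30)
    macs = ["0001-0001-0001", "0001-0001-0002", "0001-0001-0003", "0001-0001-0004"]  # constructed
    events = [
        port.receive(macs[0], 0), port.receive(macs[1], 0), port.receive(macs[2], 0),
        port.receive(macs[0], 1),      # known MAC: forwarded
        port.receive(macs[3], 2),      # fourth MAC: intrusion protection fires
        port.receive(macs[0], 10),     # even a secure MAC is dropped while disabled
        port.receive(macs[0], 32),     # 2 + 30 s elapsed: port is active again
    ]
    port.remove_secure_mac(macs[1])
    events.append(port.receive(macs[3], 40))   # freed slot: the fourth MAC is learned
    return events
```

The sequence returned by run_demo() mirrors the figures above: the port goes inactive when the fourth address arrives, drops everything for the disable period, and learns again once an entry is removed from the secure MAC address list.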
Figure 406 Displaying port state
If you remove MAC addresses from the secure MAC address list, the port can continue to learn MAC addresses.
Advanced port security mode configuration example
Network requirements
As shown in Figure 407, the switch authenticates the client with a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
Configuring a RADIUS scheme
Create a RADIUS scheme:
a. From the navigation tree, select Authentication > RADIUS.
b. Click Add.
c. On the page that appears, configure a RADIUS scheme:
− Enter the scheme name system.
− Select the service type Extended.
−...
c. Click Apply. The RADIUS Server Configuration area displays the servers you have configured, as shown in Figure 410.
Figure 410 Configuring the RADIUS scheme
Click Apply.
Configuring AAA
Configure AAA authentication method:
a. From the navigation tree, select Authentication > AAA.
b.
Figure 412 Configuration progress dialog box
f. When the configuration process is complete, click Close.
Configure AAA authorization method:
a. Click the Authorization tab.
b. Select the ISP domain system.
c. Select Default AuthZ, select authorization method RADIUS from the list, and select the authorization scheme system from the Name list.
Figure 414 Configuring AAA accounting
e. When the configuration process is complete, click Close.
Configuring port security
Enable port security:
a. From the navigation tree, select Authentication > Port Security.
b. Select Enable Port Security.
c. Click Apply.
Figure 415 Configuring global port security settings
Configure advanced port security control:
a.
b. Select GigabitEthernet1/0/1 from the Port list, and select 802.1X MAC Based Or OUI from the Security Mode list.
c. Click Apply.
Figure 416 Configuring advanced port security control settings on GigabitEthernet 1/0/1
Add permitted OUIs:
a. In the Advanced Port Security Configuration area, click Permitted OUIs.
b.
Configuring port isolation
The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs. You can also use this feature to isolate the hosts in a VLAN from one another. The switch supports only one isolation group, which is automatically created as isolation group 1. You cannot remove the isolation group or create other isolation groups on the device.
Port isolation configuration example
Network requirements
As shown in Figure 419:
• Campus network users Host A, Host B, and Host C are connected to GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4 of Switch.
• Switch is connected to the external network through GigabitEthernet 1/0/1.
•...
Figure 420 Assigning ports to the isolation group
a. Click Apply. A configuration progress dialog box appears.
b. After the configuration process is complete, click Close.
Viewing information about the isolation group
Click Summary. Display port isolation group 1, which contains ports GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4.
Configuring authorized IP
The authorized IP function associates the HTTP or Telnet service with an ACL to filter the requests of clients. Only the clients that pass the ACL filtering can access the device.
Configuration procedure
From the navigation tree, select Security > Authorized IP. Click Setup to enter the authorized IP configuration page.
Authorized IP configuration example
Network requirements
As shown in Figure 423, configure Switch to deny Telnet and HTTP requests from Host A, and permit Telnet and HTTP requests from Host B.
Figure 423 Network diagram
Configuration procedure
Create an ACL:
a. From the navigation tree, select QoS > ACL IPv4.
b.
b. Select 2001 from the ACL list, select Permit from the Action list, select the Source IP Address box and enter 10.1.1.3, and then enter 0.0.0.0 in the Source Wildcard field.
c. Click Add.
Figure 425 Configuring an ACL rule to permit Host B
Configure authorized IP:
a.
Configuring loopback detection
A loop occurs when a port receives a packet sent by itself. Loops might cause broadcast storms. The purpose of loopback detection is to detect loops on ports. With loopback detection enabled on an Ethernet port, the device periodically checks for loops on the port.
Figure 427 Loopback Detection page
In the System Loopback Detection area, configure the global loopback detection settings as described in Table 130, and then click Apply.
Table 130 Configuration items
Item Description
Enable loopback detection on the system: Set whether to enable loopback detection globally.
Set the loopback detection interval.
Configuring ACLs
Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document. Grayed-out options on Web configuration pages cannot be configured.
Overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number.
ACL category Sequence of tie breakers
Narrower TCP/UDP service port number range. Smaller ID. Longer prefix for the source IP address (a longer prefix means a narrower IP address range).
IPv6 basic ACL Smaller ID. Specific protocol number. Longer prefix for the source IPv6 address. Longer prefix for the destination IPv6 address.
• Absolute time range—Represents only a period of time and does not recur.
IPv4 fragments filtering with ACLs
Traditional packet filtering matches only first fragments of IPv4 packets, and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks. To improve network security, ACL filters all packets by default, including fragments and non-fragmented packets.
Step Remarks
Configuring a rule for an advanced IPv6 ACL: Complete one of the tasks according to the ACL category.
Configuring a time range
Select QoS > Time Range from the navigation tree. Click the Add tab.
Figure 428 Adding a time range
Configure a time range as described in Table 133.
Item Description
and the date is in the MM/DD/YYYY format. The end time of the period must be greater than the start time.
Adding an IPv4 ACL
Select QoS > ACL IPv4 from the navigation tree. Click the Add tab.
Figure 429 Adding an IPv4 ACL
Add an IPv4 ACL as described in Table 134.
Figure 430 Configuring a basic IPv4 ACL
Configure a rule for a basic IPv4 ACL. Click Add.
Table 135 Configuration items
Item Description
Select the basic IPv4 ACL for which you want to configure rules. Available ACLs are basic IPv4 ACLs.
Rule ID: Select the Rule ID box and enter a number for the rule.
Item Description
Source IP Address / Source Wildcard: Select the Source IP Address box and enter a source IPv4 address and a wildcard mask, in dotted decimal notation.
Time Range: Select the time range during which the rule takes effect.
Configuring a rule for an advanced IPv4 ACL
Select QoS >...
Configure a rule for an advanced IPv4 ACL as described in Table 136. Click Add.
Table 136 Configuration items
Item Description
Select the advanced IPv4 ACL for which you want to configure rules. Available ACLs are advanced IPv4 ACLs.
Rule ID: Select the Rule ID box and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically.
Item Description
TCP Connection Established: Select this box to make the rule match packets used for establishing and maintaining TCP connections. These items are available only when you select 6 TCP from the Protocol list.
Operator / Source / Destination: Select the operators and enter the source port numbers and destination port numbers as required.
Figure 432 Configuring a rule for an Ethernet frame header ACL
Configure a rule for an Ethernet frame header IPv4 ACL as described in Table 137. Click Add.
Table 137 Configuration items
Item Description
Select the Ethernet frame header IPv4 ACL for which you want to configure rules.
Item Description
Filter / Source Mask
Destination MAC Address / Destination Mask: Select the Destination MAC Address box and enter a destination MAC address and a mask.
COS(802.1p priority): Specify the 802.1p priority for the rule.
LSAP Type: Select the LSAP Type box and specify the DSAP and SSAP fields in the LLC encapsulation by configuring the following items:
•...
Item Description
Match Order: Select a match order for the ACL. Available values are:
• Config—Packets are compared against ACL rules in the order the rules are configured.
• Auto—Packets are compared against ACL rules in the depth-first match order.
Description: Set the description for the ACL.
Item Description
• Permit—Allows matched packets to pass.
• Deny—Drops matched packets.
Check Fragment: Select this box to apply the rule to only non-first fragments. If you do not select this box, the rule applies to all fragments and non-fragments.
Select this box to keep a log of matched IPv6 packets.
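The following Python model, added here as an example and not code from the HPE guide or the switch, shows how the rule attributes in the tables above combine during a lookup: wildcard masks, the Config and Auto match orders, the Check Fragment box and a periodic time range. ACL 2001 and ACL 3000 are built from the values used in this guide's authorized IP and ACL/QoS examples; the other rules, the packets, and the assumption that a packet matching no rule is denied are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Optional, Tuple

# Added example (not from the HPE guide): IPv4 ACL rule evaluation.
AddrSpec = Tuple[str, str]   # (address, wildcard mask) in dotted decimal, as in Tables 135/136


@dataclass
class TimeRange:
    """Periodic time range that recurs every day between start and end."""
    name: str
    start: time
    end: time

    def active(self, at: datetime) -> bool:
        return self.start <= at.time() < self.end


@dataclass
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    src: Optional[AddrSpec] = None
    dst: Optional[AddrSpec] = None
    protocol: Optional[int] = None   # IP protocol number, for example 6 for TCP
    fragments_only: bool = False     # the "Check Fragment" box
    time_range: Optional[TimeRange] = None


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int = 6
    non_first_fragment: bool = False
    at: datetime = datetime(2024, 1, 1, 12, 0)   # constructed arrival time


def wildcard_match(addr: str, spec: Optional[AddrSpec]) -> bool:
    """Wildcard bit 1 = do not care, so wildcard 0.0.0.0 is an exact host match."""
    if spec is None:
        return True
    base, wild = (int(IPv4Address(x)) for x in spec)
    return ((int(IPv4Address(addr)) ^ base) & ~wild & 0xFFFFFFFF) == 0


def prefix_len(spec: Optional[AddrSpec]) -> int:
    """Fixed bits in the spec; a longer prefix means a narrower address range."""
    if spec is None:
        return 0
    return 32 - bin(int(IPv4Address(spec[1]))).count("1")


class ACL:
    def __init__(self, number: int, rules, match_order: str = "config"):
        self.number = number
        self.rules = list(rules)       # Config order: rules as configured
        if match_order == "auto":      # Auto order: depth-first for the criteria modelled here
            self.rules.sort(key=lambda r: (-prefix_len(r.src), -prefix_len(r.dst), r.rule_id))

    def lookup(self, pkt: Packet) -> Optional[Rule]:
        """Return the first matching rule, or None when nothing matches."""
        for r in self.rules:
            if r.time_range is not None and not r.time_range.active(pkt.at):
                continue
            if r.fragments_only and not pkt.non_first_fragment:
                continue               # Check Fragment: rule applies to non-first fragments only
            if r.protocol is not None and r.protocol != pkt.protocol:
                continue
            if wildcard_match(pkt.src, r.src) and wildcard_match(pkt.dst, r.dst):
                return r
        return None

    def decide(self, pkt: Packet, default: str = "deny") -> str:
        """Packet-filter verdict; denying unmatched packets is an assumption of this model."""
        r = self.lookup(pkt)
        return r.action if r is not None else default


# ACL 2001 from the authorized IP example: permit Host B, 10.1.1.3 with wildcard 0.0.0.0.
ACL_2001 = ACL(2001, [Rule(0, "permit", src=("10.1.1.3", "0.0.0.0"))])

# ACL 3000 from the ACL and QoS example: traffic to the FTP server during test-time.
TEST_TIME = TimeRange("test-time", time(8, 0), time(18, 0))
ACL_3000 = ACL(3000, [Rule(0, "permit", dst=("10.1.1.1", "0.0.0.0"), time_range=TEST_TIME)])


def ftp_rule_matches(hour: int) -> bool:
    """Does ACL 3000 have a matching rule for a packet to the FTP server at this hour?"""
    pkt = Packet("10.1.1.50", "10.1.1.1", at=datetime(2024, 1, 1, hour, 0))   # constructed client
    return ACL_3000.lookup(pkt) is not None


# Constructed rules: rule 5 is broader than rule 10, so the Auto order tries rule 10 first.
ORDER_RULES = [Rule(5, "permit", src=("10.0.0.0", "0.255.255.255")),
               Rule(10, "deny", src=("10.1.1.0", "0.0.0.255"))]
ACL_CONFIG_ORDER = ACL(3001, ORDER_RULES, "config")
ACL_AUTO_ORDER = ACL(3001, ORDER_RULES, "auto")

# Constructed ACL whose first rule has Check Fragment selected.
ACL_FRAGMENTS = ACL(3002, [Rule(0, "deny", src=("10.1.1.0", "0.0.0.255"), fragments_only=True),
                           Rule(1, "permit")])
```

The same packet from 10.1.1.7 is permitted by ACL_CONFIG_ORDER and denied by ACL_AUTO_ORDER, which is the practical consequence of the Match Order item: under Config order a broad early rule shadows the narrower rule that follows it. ACL_FRAGMENTS shows that a rule with Check Fragment selected is skipped for first fragments and whole packets, so it must be paired with a rule that covers them.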
Figure 435 Configuring a rule for an advanced IPv6 ACL
Add a rule for an advanced IPv6 ACL as described in Table 140. Click Add.
Table 140 Configuration items
Item Description
Select Access Control List (ACL): Select the advanced IPv6 ACL for which you want to configure rules.
Rule ID: Select the Rule ID box and enter a number for the rule.
Item Description
Check Logging: Select this box to keep a log of matched IPv6 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol number, source/destination address, source/destination port number, and number of matched packets. This function is not supported.
Configuring QoS
Grayed-out options on Web configuration pages cannot be configured.
Overview
Quality of Service (QoS) reflects the ability of a network to meet customer needs. In an internet, QoS evaluates the ability of the network to forward packets of different services. The evaluation can be based on different criteria because the network might provide various services.
Figure 436 Traffic congestion causes
• The traffic enters a device from a high speed link and is forwarded over a low speed link.
• The packet flows enter a device from several incoming interfaces and are forwarded out of an outgoing interface, whose rate is smaller than the total rate of these incoming interfaces.
downstream network can either use the classification results from its upstream network or classify the packets again according to its own criteria. To provide differentiated services, traffic classes must be associated with certain traffic control actions or resource allocation actions. What traffic control actions to use depends on the current phase and the resources of the network.
DSCP value (decimal)   DSCP value (binary)   Description
18                     010010                af21
20                     010100                af22
22                     010110                af23
26                     011010                af31
28                     011100                af32
30                     011110                af33
34                     100010                af41
36                     100100                af42
38                     100110                af43
8                      001000
16                     010000
24                     011000
32                     100000
40                     101000
48                     110000
56                     111000
0                      000000                be (default)
802.1p priority
802.1p priority lies in Layer 2 packet headers and applies to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.
Figure 441 SP queuing A typical switch provides eight queues per port. As shown in Figure 441, SP queuing classifies eight queues on a port into eight classes, numbered 7 to 0 in descending priority order. SP queuing schedules the eight queues strictly according to the descending order of priority. It sends packets in the queue with the highest priority first.
to the queue. On a 100 Mbps port, you can set the weight values of WRR queuing to 25, 25, 15, 15, 5, 5, 5, and 5 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0, respectively). In this way, the queue with the lowest priority is assured of at least 5 Mbps of bandwidth, and the disadvantage of SP queuing (that packets in low-priority queues might fail to be served for a long time) is avoided.
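An added packet-level simulation of the difference just described (example code, not from the HPE guide): eight permanently backlogged queues served either strictly by priority or by weighted round robin with the guide's 100 Mbps weights. The backlog sizes, the number of slots in the window and equal packet sizes are constructed assumptions.

```python
# Added example (not from the HPE guide): SP queuing versus WRR queuing on a
# port with eight queues, numbered 0 to 7 with 7 the highest priority.


def sp_schedule(backlogs, slots):
    """Strict priority: every slot serves the highest-numbered non-empty queue."""
    remaining = list(backlogs)
    served = [0] * len(backlogs)
    for _ in range(slots):
        for q in range(len(remaining) - 1, -1, -1):
            if remaining[q] > 0:
                remaining[q] -= 1
                served[q] += 1
                break
    return served


def wrr_schedule(backlogs, weights, slots):
    """Weighted round robin: in each round queue q may send up to weights[q] packets."""
    if all(w <= 0 for w in weights):
        raise ValueError("at least one weight must be positive")
    remaining = list(backlogs)
    served = [0] * len(backlogs)
    while slots > 0 and any(remaining):
        for q in range(len(remaining) - 1, -1, -1):   # queue 7 goes first in each round
            n = min(weights[q], remaining[q], slots)
            remaining[q] -= n
            served[q] += n
            slots -= n
            if slots == 0:
                break
    return served


def bandwidth_share(served, link_mbps):
    """Convert served packet counts into the bandwidth each queue received (equal-size packets)."""
    total = sum(served)
    return [link_mbps * s / total for s in served]


# Constructed scenario: every queue holds 1000 packets, the window drains 100 packets,
# and the weights are the guide's 100 Mbps example listed from w0 to w7.
BACKLOGS = [1000] * 8
WEIGHTS = [5, 5, 5, 5, 15, 15, 25, 25]


def compare(link_mbps=100, slots=100):
    """Per-queue bandwidth in Mbps under SP and under WRR for the constructed scenario."""
    return {
        "sp": bandwidth_share(sp_schedule(BACKLOGS, slots), link_mbps),
        "wrr": bandwidth_share(wrr_schedule(BACKLOGS, WEIGHTS, slots), link_mbps),
    }
```

compare() returns 100 Mbps for queue 7 and nothing for the others under SP, while WRR gives every queue its weight in Mbps, so queue 0 keeps the 5 Mbps the text promises even under sustained overload.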
• Burst size—The capacity of the token bucket, or the maximum traffic size permitted in each burst. It is usually set to the committed burst size (CBS). The set burst size must be greater than the maximum packet size. One evaluation is performed on each arriving packet. In each evaluation, if the number of tokens in the bucket is enough, the traffic conforms to the specification and the tokens for forwarding the packet are taken away.
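An added Python model of the single-bucket evaluation described above (example code, not from the HPE guide): tokens accrue at the CIR, the bucket holds at most the burst size, and each arriving packet either conforms and consumes tokens or exceeds and leaves the bucket unchanged. The rate, burst size, packet sizes and arrival times are constructed; the constructor also enforces the rule that the burst size must exceed the maximum packet size.

```python
# Added example (not from the HPE guide): token bucket traffic evaluation.


class TokenBucket:
    def __init__(self, cir_kbps: int, burst_bytes: int, max_packet_bytes: int):
        # A burst size no larger than the biggest packet means that packet can
        # never conform, so reject the configuration up front.
        if burst_bytes <= max_packet_bytes:
            raise ValueError("burst size must be greater than the maximum packet size")
        self.rate = cir_kbps * 1000 / 8.0   # tokens (bytes) added per second at the CIR
        self.capacity = burst_bytes         # bucket capacity equals the burst size
        self.tokens = float(burst_bytes)    # the bucket starts full
        self.last = 0.0                     # time of the previous evaluation

    def evaluate(self, size: int, now: float) -> str:
        """One evaluation per packet: 'conform' takes tokens away, 'exceed' does not."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return "exceed"


def police(packets, cir_kbps=800, burst_bytes=4000, max_packet_bytes=1500):
    """Evaluate (arrival_time_seconds, size_bytes) pairs in order and return the verdicts."""
    bucket = TokenBucket(cir_kbps, burst_bytes, max_packet_bytes)
    return [bucket.evaluate(size, t) for t, size in packets]


def burst_size_is_valid(burst_bytes: int, max_packet_bytes: int) -> bool:
    """True when the burst size / maximum packet size pair is accepted."""
    try:
        TokenBucket(800, burst_bytes, max_packet_bytes)
        return True
    except ValueError:
        return False


# Constructed burst: three full-size packets at t=0, then a fourth 10 ms later.
# At 800 kbps the bucket refills by 100 000 bytes per second, i.e. 1000 bytes in 10 ms.
SAMPLE = [(0.0, 1500), (0.0, 1500), (0.0, 1500), (0.01, 1500)]
```

police(SAMPLE) shows the burst size at work: the 4000-byte bucket admits two 1500-byte packets back to back, the third exceeds, and after 10 ms of refill the fourth conforms again.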
• Trust port priority—The device assigns a priority to a packet by mapping the priority of the receiving port.
You can select one priority trust mode as needed. Figure 445 shows the process of priority mapping on a device.
Figure 445 Priority mapping process
Introduction to priority mapping tables
The device provides the following types of priority mapping tables:
•...
Input DSCP value   Local precedence (Queue)
40 to 47
48 to 55
56 to 63
Configuration guidelines
When an ACL is referenced by a QoS policy for traffic classification, the action (permit or deny) in the ACL is ignored, and the actions in the associated traffic behavior are performed.
Recommended QoS configuration procedures
Recommended QoS policy configuration procedure
A QoS policy involves the following components: class, traffic behavior, and policy.
Step Remarks
Add a policy. Required.
Associate the traffic behavior with the class in the QoS policy.
Configuring classifier-behavior associations for the policy
A class can be associated with only one traffic behavior in a QoS policy. Associating a class already associated with a traffic behavior will overwrite the old association.
Figure 446 Adding a class
Add a class as described in Table 147. Click Add.
Table 147 Configuration items
Item Description
Classifier Name: Specify a name for the classifier to be added.
Specify the logical relationship between rules of the classifier.
•...
Figure 447 Configuring classification rules
Configure classification rules for a class as described in Table 148. Click Apply.
Table 148 Configuration items
Item Description
Define a rule to match customer VLAN IDs. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.
Item Description
ACL IPv6: Define an IPv6 ACL-based rule.
Adding a traffic behavior
Select QoS > Behavior from the navigation tree. Click the Add tab to enter the page for adding a traffic behavior.
Figure 448 Adding a traffic behavior
Add a traffic behavior as described in Table 149.
Figure 449 Port setup page for a traffic behavior
Configure traffic mirroring and traffic redirecting as described in Table 150. Click Apply.
Table 150 Configuration items
Item Description
Please select a behavior: Select an existing behavior in the list.
Mirror To: Set the action of mirroring traffic to the specified destination port.
Figure 450 Setting a traffic behavior
Configure other actions for a traffic behavior as described in Table 151. Click Apply.
Table 151 Configuration items
Item Description
Please select a behavior: Select an existing behavior in the list.
Enable/Disable: Enable or disable CAR.
Set the committed information rate (CIR), the average traffic rate.
Item Description
• Not Set—Cancels the packet filtering action.
Adding a policy
Select QoS > QoS Policy from the navigation tree. Click the Add tab to enter the page for adding a policy.
Figure 451 Adding a policy
Add a policy as described in Table 152.
Figure 452 Setting a policy
Configure a classifier-behavior association for a policy as described in Table 153. Click Apply.
Table 153 Configuration items
Item Description
Please select a policy: Select an existing policy in the list.
Classifier Name: Select an existing classifier in the list.
Behavior Name: Select an existing behavior in the list.
Table 154 Configuration items
Item Description
Please select a policy: Select an existing policy in the list.
Direction: Set the direction in which the policy is to be applied.
• Inbound—Applies the policy to the incoming packets of the specified ports.
•...
Configuring GTS on ports
From the navigation tree, select QoS > GTS. Click the Setup tab, as shown in Figure 455.
Figure 455 GTS
Configure GTS parameters as described in Table 156. Click Apply.
Table 156 Configuration items
Item Description
Enable or disable GTS.
Figure 456 Configuring rate limit on a port
Configure rate limit on a port as described in Table 157. Click Apply.
Table 157 Configuration items
Item Description
Please select an interface type: Select the types of interfaces to be configured with rate limit.
Rate Limit: Enable or disable rate limit on the specified port.
Figure 457 Configuring priority mapping tables
Configure a priority mapping table as described in Table 158. Click Apply.
Table 158 Configuration items
Item Description
Mapping Type: Select the priority mapping table to be configured:
• CoS to Queue.
• DSCP to Queue.
Input Priority Value: Set the output priority value for an input priority value.
Click Apply.
Table 159 Configuration items
Item Description
Interface: Interface to be configured.
Priority: Set a local precedence value for the port.
Trust Mode: Select a priority trust mode for the port:
• Untrust—Packet priority is not trusted.
• Dot1p—802.1p priority of the incoming packets is trusted and used for priority mapping.
•...
ACL and QoS configuration example
Network requirements
As shown in Figure 460, the FTP server (10.1.1.1/24) is connected to the Switch, and the clients access the FTP server through GigabitEthernet 1/0/1 of the Switch.
Configure an ACL and a QoS policy as follows to prevent the hosts from accessing the FTP server from 8:00 to 18:00 every day:
Add an ACL to prohibit the hosts from accessing the FTP server from 8:00 to 18:00 every day.
Figure 461 Defining a time range covering 8:00 to 18:00 every day
Add an advanced IPv4 ACL:
a. Select QoS > ACL IPv4 from the navigation tree.
b. Click the Add tab.
c. Enter the ACL number 3000.
d. Click Apply.
Figure 462 Adding an advanced IPv4 ACL
Define an ACL rule for traffic to the FTP server:
a.
d. Select Permit in the Action list.
e. Select the Destination IP Address box, and enter IP address 10.1.1.1 and destination wildcard 0.0.0.0.
f. Select test-time in the Time Range list.
g. Click Add.
Figure 463 Defining an ACL rule for traffic to the FTP server
Add a class:
a.
Figure 464 Adding a class
Define classification rules:
a. Click the Setup tab.
b. Select the class name class1 in the list.
c. Select the ACL IPv4 box, and select ACL 3000 in the following list.
Figure 465 Defining classification rules
d. Click Apply. A progress dialog box appears, as shown in Figure 466.
e. Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds.
Figure 466 Configuration progress dialog box
Add a traffic behavior:
a. Select QoS > Behavior from the navigation tree.
b. Click the Add tab.
c. Enter the behavior name behavior1.
d. Click Add.
Figure 467 Adding a traffic behavior
Configure actions for the traffic behavior:
a.
Figure 468 Configuring actions for the behavior
Add a policy:
a. Select QoS > QoS Policy from the navigation tree.
b. Click the Add tab.
c. Enter the policy name policy1.
d. Click Add.
Figure 469 Adding a policy
Configure classifier-behavior associations for the policy:
a.
b. Select policy1.
c. Select class1 from the Classifier Name list.
d. Select behavior1 from the Behavior Name list.
e. Click Apply.
Figure 470 Configuring classifier-behavior associations for the policy
10. Apply the QoS policy in the inbound direction of interface GigabitEthernet 1/0/1:
a.
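An added Python model of the class / traffic behavior / policy structure built in this example (example code, not from the HPE guide or the switch). It makes the configuration guideline above visible: the permit action of the rule in ACL 3000 only classifies traffic, and it is the filter action of behavior1 that decides the packet's fate. The ACL 3000 lookup is reduced to a constructed predicate on destination and hour; that behavior1 carries a deny filter action follows from the stated requirement but is not shown on the page, so it is an assumption here, as are the packet fields and the VLAN value.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Added example (not from the HPE guide): QoS policy = classes bound to
# behaviors, applied inbound on a port. Names follow the example above.


@dataclass
class Packet:
    dst: str
    hour: int          # local hour of arrival, checked against test-time
    ingress: str       # port the packet arrived on
    vlan: int = 1      # constructed default


# A lookup returns the action of the matching ACL rule, or None when no rule matches.
AclLookup = Callable[[Packet], Optional[str]]


def acl_3000(pkt: Packet) -> Optional[str]:
    """ACL 3000 of the example: permit traffic to 10.1.1.1 during test-time (8:00 to 18:00)."""
    if pkt.dst == "10.1.1.1" and 8 <= pkt.hour < 18:
        return "permit"
    return None


@dataclass
class Classifier:
    name: str
    rules: List[AclLookup]
    logic: str = "and"   # logical relationship between the rules of the class

    def matches(self, pkt: Packet) -> bool:
        # The ACL's own permit/deny is ignored: any rule that matches classifies
        # the packet, which is what the configuration guidelines state.
        hits = [rule(pkt) is not None for rule in self.rules]
        return all(hits) if self.logic == "and" else any(hits)


@dataclass
class Behavior:
    name: str
    filter: Optional[str] = None   # "deny", "permit" or None (Not Set)


@dataclass
class Policy:
    name: str
    associations: List[tuple] = field(default_factory=list)   # (classifier, behavior) pairs

    def associate(self, classifier: Classifier, behavior: Behavior) -> None:
        """A class may be bound to one behavior only; binding it again overwrites the old one."""
        self.associations = [(c, b) for c, b in self.associations if c.name != classifier.name]
        self.associations.append((classifier, behavior))


def apply_policy(policy: Policy, port: str, direction: str, pkt: Packet) -> str:
    """Verdict for a packet when `policy` is applied to `port` in `direction`."""
    if pkt.ingress != port or direction != "inbound":
        return "forward"           # the policy is not in this packet's path
    for classifier, behavior in policy.associations:
        if classifier.matches(pkt):
            return "deny" if behavior.filter == "deny" else "forward"
    return "forward"               # unclassified traffic is left alone


# The example configuration: class1 -> behavior1 -> policy1, inbound on GigabitEthernet 1/0/1.
CLASS1 = Classifier("class1", [acl_3000])
BEHAVIOR1 = Behavior("behavior1", filter="deny")   # assumed filter action
POLICY1 = Policy("policy1")
POLICY1.associate(CLASS1, BEHAVIOR1)
PORT = "GigabitEthernet1/0/1"


def decide(dst: str, hour: int, ingress: str = PORT) -> str:
    """Convenience wrapper: verdict for a packet entering the switch toward dst at hour."""
    return apply_policy(POLICY1, PORT, "inbound", Packet(dst, hour, ingress))
```

decide("10.1.1.1", 10) returns "deny" although the matching rule in ACL 3000 is a permit rule; at 19:00 nothing matches and the packet is forwarded. This is the failure mode to check for when reviewing a policy: a deny rule in a classifier ACL does not block anything by itself.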
Configuring PoE
Overview
Power over Ethernet (PoE) enables a power sourcing equipment (PSE) to supply power to powered devices (PDs) through Ethernet interfaces over straight-through twisted pair cables. Examples of PDs include IP telephones, wireless APs, portable chargers, card readers, Web cameras, and data collectors.
Protocols and standards
The device supports IEEE 802.3af and IEEE 802.3at.
Configuring PoE
Before configuring PoE, make sure the PoE power supply and PSE are operating correctly. Otherwise, either you cannot configure PoE or the PoE configuration does not take effect.
Configuring PoE ports
Select PoE >...
Item Description
When the sum of the power consumption of all ports exceeds the maximum power of the PSE, the system considers the PSE as overloaded. The power priority for the HPE NJ5000 5G PoE+ switch cannot be changed. If multiple PIs require power supply during power overload, the one with the smallest ID takes precedence.
Figure 475 PoE summary (with GigabitEthernet 1/0/3 selected)
PoE configuration example
Network requirements
As shown in Figure 476, GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 are connected to IP telephones. The IP telephones have a higher power supply priority than the AP, so the PSE supplies power to the IP telephones first if the PSE power is overloaded.
Figure 477 Configuring the PoE ports supplying power to the IP telephones
Enable PoE on GigabitEthernet 1/0/4:
a. Click the Setup tab.
b. On the tab, click to select port GigabitEthernet 1/0/4 from the chassis front panel, and then select Enable from the Power State list.
c.
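An added Python model of how a PSE decides which ports keep power under overload, following the two rules stated above: higher power priority first, and among equal priorities the smallest port ID. It is example code, not from the HPE guide. The priority levels, the port-to-device assignments other than the two IP telephones, the per-port demands and the PSE budget are constructed.

```python
# Added example (not from the HPE guide): PSE power allocation under overload.

PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}   # assumed priority levels, lower rank = served first


def allocate_power(budget_w, ports):
    """ports: list of (port_id, requested_w, priority). Returns (powered_ids, remaining_w).

    Ports are considered in priority order, then by smallest port ID; a port is
    powered only if its full request still fits in the remaining budget.
    """
    order = sorted(ports, key=lambda p: (PRIORITY_RANK[p[2]], p[0]))
    powered, remaining = [], budget_w
    for port_id, requested, _priority in order:
        if requested <= remaining:
            powered.append(port_id)
            remaining -= requested
    return powered, remaining


# Port IDs stand for GigabitEthernet 1/0/<id>. Ports 3 and 4 are the IP telephones
# of the example; the AP on port 2 and a second low-priority PD on port 5 are constructed,
# as are the 12 W and 6.5 W demands and the 30 W budget that cannot power everything.
PORTS = [(2, 12.0, "low"), (3, 6.5, "high"), (4, 6.5, "high"), (5, 12.0, "low")]


def example():
    """Allocation for the constructed scenario: both telephones, then the lowest-ID AP."""
    return allocate_power(30.0, PORTS)
```

example() powers ports 3 and 4 first even though port 2 has the smaller ID, because priority is decided before port ID; port 5 is the one left unpowered.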
Document conventions and icons
Conventions
This section describes the conventions used in the documentation.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.
Command conventions
Convention Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
Network topology icons
Convention Description
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Hewlett Packard Enterprise Support Center More Information on Access to Support Materials page: www.hpe.com/support/AccessToSupportMaterials
IMPORTANT: Access to some updates might require product entitlement when accessed through the Hewlett Packard Enterprise Support Center. You must have an HP Passport set up with relevant entitlements.
Websites
Website Link
Networking websites
Hewlett Packard Enterprise Information Library for Networking: www.hpe.com/networking/resourcefinder
Hewlett Packard Enterprise Networking website: www.hpe.com/info/networking
Hewlett Packard Enterprise My Networking website: www.hpe.com/networking/support
Hewlett Packard Enterprise My Networking Portal: www.hpe.com/networking/mynetworking
Hewlett Packard Enterprise Networking Warranty: www.hpe.com/networking/warranty
General websites
Hewlett Packard Enterprise Information Library: www.hpe.com/info/enterprise/docs
Hewlett Packard Enterprise Support Center...
part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.