3Com Baseline 2928 PWR Plus User Manual

3Com Baseline Switch 2900 Family
User Guide
Baseline Switch 2920-SFP Plus
Baseline Switch 2928-SFP Plus
Baseline Switch 2952-SFP Plus
Baseline Switch 2928-PWR Plus
Baseline Switch 2928-HPWR Plus
Manual Version:
6W102-20090810
www.3com.com
3Com Corporation
350 Campus Drive, Marlborough,
MA, USA 01752 3064

Summary of Contents for 3Com Baseline 2928 PWR Plus

  • Page 2 Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable.
  • Page 3: About This Manual

    Back up the configuration file, or upload the configuration file to be used at the next startup from the host of the current user to the device. 8 Configuration Management: Save the current configuration to the configuration file to be used at the next startup.
  • Page 4: Table Of Contents

    Add, modify, and delete a PKI entity or a PKI domain. 39 PKI: Generate a key pair, destroy a key pair, retrieve a certificate, request a certificate, and delete a certificate. 40 Port Isolation Group: Configure a port isolation group, and display port isolation group information.
  • Page 5 [ x | y | ... ] *: Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected. &<1-n>: The argument(s) before the ampersand (&) sign can be entered 1 to n times.
  • Page 6 This guide provides all the information you need to install Getting Started Guide and use the 3Com Baseline Switch 2900 Family. Obtaining Documentation You can access the most up-to-date 3Com product documentation on the World Wide Web at this URL: http://www.3com.com.
  • Page 7 Setting Up the Configuration Environment (3-1); Setting Terminal Parameters (3-2); Logging In to the CLI (3-6); CLI Commands (3-6): initialize (3-6), ipsetup (3-7), password (3-8), ping (3-8), quit (3-9), reboot (3-9), summary (3-10), upgrade (3-11); Configuration Example for Upgrading the Host Software Through the CLI (3-12)...
  • Page 8: Overview

    Overview The 3Com baseline switch 2900 family can be configured through the command line interface (CLI), web interface, and SNMP/MIB. These configuration methods are suitable for different application scenarios. The web interface supports all switch 2900 series configurations. The CLI provides some configuration commands to facilitate your operation. To perform other...
  • Page 9: Configuration Through The Web Interface

    If the device is not connected to the network, or no DHCP server exists in the subnet where the device resides, you can get the default IP address of the device on the label on the right of the device rear...
  • Page 10: Example

    If a DHCP server exists in the subnet where the device resides, the device will dynamically obtain its default IP address through the DHCP server. You can log in to the device through the console port, and execute the summary command to view the information of its default IP address.
  • Page 11: Logging Out Of The Web Interface

    After logging in to the Web interface, you can select Device > Users from the navigation tree, create a new user, and select Wizard or Network > VLAN interface to configure the IP address of the VLAN interface acting as the management interface. For detailed configuration, refer to the corresponding configuration manuals of these modules.
  • Page 12: Web User Level

    Body area: Allows you to configure and display features. Title area: Displays the path of the current configuration interface in the navigation tree; provides the Help button to display the Web related help information, and the Logout button to log out of the Web interface.
  • Page 13 User level in Table 2-2 indicates that users of this level or users of a higher level can perform the corresponding operations. Table 2-2 Description of Web-based NM functions Function menu Description User level Wizard IP Setup Perform quick configuration of the device.
  • Page 14: Rmon

    Initialize: Restore the factory default settings. User level: Configure. File Management: Manage files on the device, such as displaying the file list, downloading a file, uploading a file, and removing a file. User level: Management.
  • Page 15: Energy Saving

    SNMP User: Display SNMP user information (Monitor); create, modify and delete an SNMP user (Configure). Trap: Display the status of the SNMP trap function and information about target hosts (Monitor); enable or disable the SNMP trap function, or create, modify and delete a target host (Configure).
  • Page 16: Mac Address

    OUI Summary: Display the addresses of the OUIs that can be identified by voice VLAN (Monitor). OUI Add: Add the address of an OUI that can be identified by voice VLAN (Configure). Remove the address of an OUI that can be...
  • Page 17 ...DHCP server group, and enable/disable the DHCP relay agent on an interface (Configure). DHCP Snooping: Display the status, trusted and untrusted ports and DHCP client information of DHCP snooping (Monitor); enable/disable DHCP snooping, and configure DHCP snooping trusted and untrusted ports (Configure).
  • Page 18 Certificate: Display the certificate information of PKI domains and view the contents of a certificate (Monitor); generate a key pair, destroy a key pair, retrieve a certificate, request a certificate, and delete a certificate (Configure). Display the contents of the CRL.
  • Page 19: Introduction To The Controls On The Web Pages

    Apply button Click the button to submit and apply the input information. Cancel button Click the button to cancel the input information. The page changes to the display page of the function or to the Device Info page. Search button Select an item to be queried, input the keyword, and click the Query button to display the items that meet the requirements.
  • Page 20 Click the button to remove the selected items. Select All button Click the button to select all the items in a list, or all the ports on the device panel. Select None button Click the button to deselect all the items in a list, or all the ports on the device panel.
  • Page 21: Configuration Guidelines

    Figure 2-7 About. Sort display: On the page, you can click the blue items of each column to sort and display the records based on the item you selected. Figure 2-8 Sort display. Configuration Guidelines: The Web-based console supports Microsoft Internet Explorer 6.0 SP2 and higher, but it does not support the Back, Next, Refresh buttons provided by the browser.
  • Page 22 If the software version of the device changes, when you log in to the device through the Web interface, you are recommended to delete the temporary Internet files of IE; otherwise, the Web page content may not be displayed correctly.
  • Page 23: Configuration Through The Command Line Interface

    Set up the configuration environment as follows: Step1 Take the console cable out of the package. (A console cable is an 8-core shielded cable. One end of the cable is a crimped RJ-45 connector, which is connected to the console port of the switch, and the other end is a DB-9 female connector, which is connected to the serial port on the console terminal, as shown below.)
  • Page 24: Setting Terminal Parameters

    Figure 3-1 Console cable Step2 Plug the DB-9 female connector of the console cable to the serial port of the console terminal or PC. Step3 Connect the RJ-45 connector of the console cable to the console port of the switch. (as shown below)
  • Page 25 Figure 3-3 Connection description of the HyperTerminal Step2 Type the name of the new connection in the Name text box and click OK. The following dialog box appears. Select the serial port to be used from the Connect using drop-down list.
  • Page 26 Figure 3-4 Set the serial port used by the HyperTerminal connection Step3 Click OK after selecting a serial port. The following dialog box appears. Set Bits per second to 38400, Data bits to 8, Parity to None, Stop bits to 1, and Flow control to None.
  • Page 27 Figure 3-6 HyperTerminal window Step5 Click Properties in the HyperTerminal window to enter the Switch Properties dialog box. Click the Settings tab, set the emulation to VT100, and then click OK. Figure 3-7 Set terminal emulation in Switch Properties dialog box...
  • Page 28: Logging In To The Cli

    Logging In to the CLI The login process requires a user name and password. The default user name for first-time configuration is admin, and no password is required; set one with the password command (see CLI Commands) before the switch is reachable on the network. User names and passwords are case sensitive. To log on to the CLI: Step1 Press Enter.
  • Page 29: Ipsetup

    Description Use the initialize command to delete the configuration file to be used at the next startup and reboot the device with the default configuration being used during reboot. Use the command with caution because this command deletes the configuration file to be used at the next startup and restores the factory default settings.
  • Page 30: Password

    Syntax ping host Parameters host: Destination IP address (in dotted decimal notation), URL, or host name (a string of 1 to 20 characters). Description Use the ping command to ping a specified destination. You can enter Ctrl+C to terminate a ping operation.
  • Page 31: Quit

    = 1/41/205 ms The above information shows that IP address 1.1.2.2 is reachable and the echo replies are all returned from the destination. The minimum, average, and maximum roundtrip intervals are 1 millisecond, 41 milliseconds, and 205 milliseconds respectively.
  • Page 32: Summary

    In this case, you can specify a new main configuration file to reboot the device, or you can power off the device, and then power it on, and the system will automatically use the backup configuration file at the next startup.
  • Page 33: Upgrade

    Use the upgrade server-address source-filename runtime command to upgrade the boot file. If the boot file in the downloaded software package is not applicable, the original boot file is still used at the next startup.
  • Page 34: Configuration Example For Upgrading The Host Software Through The Cli

    # Download software package main.bin from the TFTP server and use the boot file in the package at the next startup. <Sysname> upgrade 192.168.20.41 main.bin runtime Configuration Example for Upgrading the Host Software Through the CLI Network requirements As shown in...
  • Page 35 File downloaded successfully. The specified file will be used as the boot file at the next reboot. # Reboot the switch. <Switch> reboot After getting the new application file, reboot the switch to have the upgraded application take effect.
  • Page 36 Table of Contents: 1 Configuration Wizard (1-1): Overview (1-1); Basic Service Setup (1-1): Entering the Configuration Wizard Homepage (1-1), Configuring System Parameters (1-1), Configuring Management IP Address (1-3), Finishing Configuration Wizard (1-4)...
  • Page 37: Configuration Wizard

    From the navigation tree, select Wizard to enter the configuration wizard homepage, as shown in Figure 1-1. Figure 1-1 Configuration wizard homepage Configuring System Parameters In the wizard homepage, click Next to enter the system parameter configuration page, as shown in Figure 1-2...
  • Page 38 Specify the system name. The system name appears at the top of the navigation tree. Sysname You can also set the system name in the System Name page you enter by selecting Device > Basic. For details, refer to Device Basic Information Configuration.
  • Page 39: Configuring Management Ip Address

    Use the new management IP address to re-log in to the system. A management IP address is the IP address of a VLAN interface, which can be used to access the device. You can also configure a VLAN interface and its IP address in the page you enter by selecting Network >...
  • Page 40: Finishing Configuration Wizard

    If errors occur on the VLAN interface, disable and then re-enable the interface to restore normal operation. By default, the VLAN interface is down if no Ethernet port in the VLAN is up. The Admin VLAN is in the up state if one or more ports in the VLAN are up.
  • Page 41 Figure 1-4 Configuration finished The page displays your configurations. Review the configurations and, if you want to modify the settings, click Back to go back to the page. Click Finish to confirm your settings, and the system performs the configurations.
  • Page 42 Configuration Task List (1-2); Configuring Global Parameters of a Stack (1-3); Configuring Stack Ports (1-4); Displaying Topology Summary of a Stack (1-4); Displaying Device Summary of a Stack (1-5); Logging Into a Slave Device From the Master (1-5); IRF Stack Configuration Example (1-6); Configuration Guidelines (1-11)...
  • Page 43: Irf

    Establishing a Stack An administrator can establish a stack as follows: Configure a private IP address pool for a stack and create the stack on the network device which is to be configured as the master device. Configure ports between the stack devices as stack ports.
  • Page 44: Configuring An Irf Stack

    The administrator can log in to any slave device from the master device of the stack, and perform various configurations for the slave device. Configuring an IRF Stack Configuration Task List Perform the tasks in Table 1-1 to configure an IRF stack.
  • Page 45: Configuring Global Parameters Of A Stack

    Configuring Global Parameters of a Stack Select IRF from the navigation tree to enter the page shown in Figure 1-2. You can configure global parameters of a stack in the Global Settings area. Figure 1-2 Set up Table 1-2 describes configuration items of global parameters.
  • Page 46: Configuring Stack Ports

    Port Settings area. Select the check box before a port name, and click Enable to configure the port as a stack port. Select the check box before a port name, and click Disable to configure the port as a non-stack port.
  • Page 47: Displaying Device Summary Of A Stack

    Return to Stack configuration task list. Logging Into a Slave Device From the Master Select IRF from the navigation tree, click the Device Summary tab, and click the tab of a slave device to enter the page shown in Figure 1-5.
  • Page 48: Irf Stack Configuration Example

    1-6, Switch A, Switch B, Switch C, and Switch D are connected with one another. Create a stack, where Switch A is the master device, Switch B, Switch C, and Switch D are slave devices. An administrator can log in to Switch B, Switch C and Switch D through Switch A to perform remote configurations.
  • Page 49 Select Enable from the Build Stack drop-down list. Click Apply. Now, switch A becomes the master device. # Configure a stack port on Switch A. On the page of the Setup tab, perform the following configurations, as shown in Figure 1-8.
  • Page 50 1/0/1 connecting with Switch C, and GigabitEthernet 1/0/3 connecting with Switch D as stack ports. Select IRF from the navigation tree of Switch B to enter the page of the Setup tab, and then perform the following configurations, as shown in Figure 1-9.
  • Page 51 # On Switch C, configure local port GigabitEthernet 1/0/1 connecting with Switch B as a stack port. Select IRF from the navigation tree of Switch C to enter the page of the Setup tab, and then perform the following configurations, as shown in .
  • Page 52 # On Switch D, configure local port GigabitEthernet 1/0/1 connecting with Switch B as a stack port. Select IRF from the navigation tree of Switch D to enter the page of the Setup tab, and then perform the following configurations, as shown in Figure 1-10.
  • Page 53: Configuration Guidelines

    Configuration Guidelines When configuring an IRF stack, note that: If a device is already configured as the master device of a stack, you are not allowed to modify the private IP address pool on the device. If a device is already configured as a slave device of a stack, the Global Settings area on the slave device is grayed out.
  • Page 54 Table of Contents: 1 Summary (1-1): Overview (1-1); Displaying Device Summary (1-1): Displaying System Information (1-1), Displaying Device Information (1-2)...
  • Page 55: Summary

    The system information includes the basic system information, system resources state, and recent system operation logs. Displaying Device Summary Displaying System Information After you log in to the Web interface, the System Information page appears by default, as shown in Figure 1-1. Figure 1-1 System information Select from the Refresh Period drop-down list: If you select a certain period, the system refreshes the system information at the specified interval.
  • Page 56: Displaying Device Information

    The Summary page displays up to the five most recent system operation logs about login and logout events. For more system operation logs, click More to enter the Log List page. You can also enter this page by selecting Device > Syslog. For details, refer to Log Management Configuration.
  • Page 57 Figure 1-2 Device information Select from the Refresh Period drop-down list: If you select a certain period, the system refreshes the information at the specified interval. If you select Manual, the system refreshes the information only when you click the Refresh button.
  • Page 58 Table of Contents: 1 Device Basic Information Configuration (1-1): Overview (1-1); Configuring Device Basic Information (1-1): Configuring System Name (1-1), Configuring Idle Timeout Period (1-1)...
  • Page 59: Device Basic Information Configuration

    Set the system name of the device. The configured system name is displayed at the top of the navigation bar. Set the idle timeout period for a logged-in user; that is, the system logs an idle user off the Web interface for security purposes after the configured period.
  • Page 60 Figure 1-2 Configuring idle timeout period Table 1-2 describes the idle timeout period configuration item. Table 1-2 Idle timeout period configuration item Item Description Idle timeout Set the idle timeout period for a logged-in user.
  • Page 61 Table of Contents: 1 System Time Configuration (1-1): Overview (1-1); Configuring System Time (1-1); System Time Configuration Example (1-2); Configuration Guidelines (1-3)...
  • Page 62: System Time Configuration

    System Time Configuration Overview The system time module allows you to display and set the device system time on the Web interface. The device supports setting the system time through manual configuration and through automatic synchronization to an NTP server. An administrator cannot keep time synchronized among all the devices in a network by changing the system clock on each device: the workload is large and the clock precision cannot be guaranteed.
  • Page 63: System Time Configuration Example

    Figure 1-2, the local clock of Device A is set as the reference clock. Switch B works in the client mode, and uses Device A as the NTP server. Configure NTP authentication on Device A and Switch B. Figure 1-2 Network diagram for configuring system time 1.0.1.11/24...
  • Page 64: Configuration Guidelines

    Select NTP. Type 24 in the ID box, and type aNiceKey in the Key String text box for key 1. Type 1.0.1.11 in the NTP Server 1 text box and type 24 in the Reference Key ID text box. Click Apply.
  • Page 65 A device can act as a server to synchronize the clock of other devices only after its clock has been synchronized. If the clock of a server has a stratum level higher than or equal to that of a client’s clock, the client will not synchronize its clock to the server’s.
  • Page 66 Table of Contents: 1 Log Management (1-1): Overview (1-1); Configuring Log Management (1-1): Configuration Task List (1-1), Setting Syslog Related Parameters (1-1), Displaying Syslog (1-2), Setting Loghost (1-4)...
  • Page 67: Log Management

    Display detailed information of system logs. Optional Setting Loghost Set the loghost that can receive system logs. Setting Syslog Related Parameters Select Device > Syslog from the navigation tree, and click the Logset tab to enter the syslog configuration page, as shown in Figure 1-1.
  • Page 68 Automatic: You can select to refresh the Web interface every 1 minute, 5 minutes, or 10 minutes. Return to Log management configuration task list. Displaying Syslog Select Device > Syslog from the navigation tree to enter the syslog display page, as shown in Figure 1-2.
  • Page 69 Click Sequential Display to change the order in which system logs are displayed, and then the Sequential Display button will be changed to Reverse Display. After you change the order in which system logs are displayed, the system logs are displayed in this order, unless you change it again.
  • Page 70: Setting Loghost

    Note: A smaller value represents a higher severity level. Return to Log management configuration task list. Setting Loghost Select Device > Syslog from the navigation tree, and click the Loghost tab to enter the loghost configuration page, as shown in Figure 1-3. Figure 1-3 Set loghost Table 1-5 describes the loghost configuration item.
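    The loghost receives the device's system logs, and the note above points out that a smaller severity value means a more severe message. The following Python is an added example, not code from the 3Com manual: it assumes the loghost receives messages in RFC 3164 form, whose leading <PRI> field encodes facility * 8 + severity, decodes that field, and keeps only lines at or above a chosen severity threshold. The sample log lines are constructed for the example, not captured from a switch.

```python
"""Decode the syslog PRI field and filter messages by severity.

Added example, not part of the 3Com manual. Assumption: the loghost
receives RFC 3164-style messages whose first field is "<PRI>", where
PRI = facility * 8 + severity (0 = emergency ... 7 = debug).
"""
import re
from typing import List, Optional, Tuple

# Severity names indexed by their numeric value; smaller is more severe.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

# 23 facilities * 8 + 7 = 191 is the largest legal PRI value.
MAX_PRI = 191

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(line: str) -> Optional[Tuple[int, int, str]]:
    """Return (facility, severity, rest_of_message) for a syslog line.

    Returns None when the PRI field is missing or out of range, so callers
    can drop malformed input instead of mis-classifying it.
    """
    match = PRI_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > MAX_PRI:
        return None
    return pri // 8, pri % 8, match.group(2)


def severity_name(severity: int) -> str:
    """Map a numeric severity to its RFC 3164 keyword."""
    return SEVERITIES[severity]


def filter_by_severity(lines: List[str], max_severity: int) -> List[str]:
    """Keep lines whose severity number is <= max_severity.

    Because smaller numbers are more severe, a threshold of 4 (warning)
    keeps emergency..warning and drops notice, informational and debug.
    Lines without a valid PRI field are discarded.
    """
    kept = []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            continue
        _facility, severity, _rest = decoded
        if severity <= max_severity:
            kept.append(line)
    return kept


# Constructed sample lines (not captured from a real device).
# 188 = local7/warning, 190 = local7/informational, 186 = local7/critical.
SAMPLE = [
    "<188>Jan  1 00:00:01 Switch: user admin logged in from 192.168.0.10",
    "<190>Jan  1 00:00:02 Switch: user admin ran a display command",
    "<186>Jan  1 00:00:03 Switch: power supply failure detected",
    "garbage line with no PRI field",
]

if __name__ == "__main__":
    for line in filter_by_severity(SAMPLE, 4):
        facility, severity, rest = decode_pri(line)
        print(f"facility={facility} severity={severity_name(severity)}: {rest.strip()}")
```

    Running the block keeps the warning and critical lines and drops the informational one and the malformed line; the same threshold logic is what a loghost filter applies when it forwards only messages at a configured severity or above.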
  • Page 71 Table of Contents: 1 Configuration Management (1-1): Back Up Configuration (1-1); Restore Configuration (1-1); Save Configuration (1-2); Initialize (1-3)...
  • Page 72: Configuration Management

    Open and view the configuration file (.cfg file or .xml file) for the next startup Back up the configuration file (.cfg file or .xml file) for the next startup to the host of the current user Select Device > Configuration from the navigation tree to enter the backup configuration page, as...
  • Page 73: Save Configuration

    Figure 1-2 Configuration restore page After you click the upper Browse button in this figure, the file upload dialog box appears. You can select the .cfg file to be uploaded, and then click Apply. After you click the lower Browse button in this figure, the file upload dialog box appears. You can select the .xml file to be uploaded, and then click Apply.
  • Page 74: Initialize

    This operation will restore the system to factory defaults, delete the current configuration file, and reboot the device. Select Device > Configuration from the navigation tree, and then click the Initialize tab to enter the initialize confirmation page as shown in Figure 1-4.
  • Page 75 Table of Contents: 1 Device Maintenance (1-1): Software Upgrade (1-1); Device Reboot (1-2); Electronic Label (1-3); Diagnostic Information (1-3)...
  • Page 76: Device Maintenance

    A boot file, also known as the system software or device software, is an application file used to boot the device. A main boot file is used to boot a device and a backup boot file is used to boot a device only when the main boot file is unavailable.
  • Page 77: Device Reboot

    Before rebooting the device, save the configuration; otherwise, all unsaved configuration will be lost after device reboot. After the device reboots, you need to re-log in to the Web interface. Select Device > Device Maintenance from the navigation tree, click the Reboot tab to enter the device reboot configuration page, as shown in Figure 1-2.
  • Page 78: Electronic Label

    If the check succeeds, the system will reboot the device; if the check fails, a dialog box appears, telling you that the current configuration and the saved configuration are inconsistent, and the device will not be rebooted. In this case, you need to save the current configuration manually before you can reboot the device.
  • Page 79 Figure 1-5 The diagnostic information file is created Click Click to Download, and the File Download dialog box appears. You can select to open this file or save this file to the local host. The generation of the diagnostic file will take a period of time. During this process, do not perform any operation on the Web page.
  • Page 80 Table of Contents: 1 File Management (1-1): Overview (1-1); File Management Configuration (1-1): Displaying File List (1-1), Downloading a File (1-1), Uploading a File (1-2), Removing a File (1-2)...
  • Page 81: File Management

    1-1. On the top of this page, select a disk from the Please select disk drop-down list, and the used space, available space, and capacity of the disk will be displayed at the right of the drop-down list. The area below the drop-down list displays all files (displayed in the format of path + filename) saved on the disk and their sizes.
  • Page 82: Uploading A File

    1-1. In the Upload File area, select a disk from the Please select disk drop-down list to save the file, type the file path and filename in the File box, or click Browse to select a file. Click Apply to upload the file to the specified storage device.
  • Page 83 Table of Contents: 1 Port Management Configuration (1-1); Overview (1-1); Configuring a Port (1-1); Setting Operation Parameters for a Port (1-1); Viewing the Operation Parameters of a Port (1-5); Port Management Configuration Example (1-6)...
  • Page 84: Port Management Configuration

    Port Management Configuration Overview You can use the port management feature to set and view the operation parameters of a Layer 2 Ethernet port, including but not limited to its state, rate, duplex mode, link type, PVID, MDI mode, flow control settings, MAC learning limit, and storm suppression ratios.
  • Page 85 For details, refer to VLAN Configuration. Link Type: To change the link type of a port from trunk to hybrid or vice versa, you must first set its link type to access. PVID: Set the default VLAN ID of the interface. For details about setting the PVID, refer to VLAN Configuration.
  • Page 86 For an Ethernet port in normal mode, the pin roles are changed. Pin 1 and pin 2 are used for receiving signals; pin 3 and pin 6 are used for transmitting signals. To enable normal communication, you must connect the local transmit pins to the remote receive pins.
  • Page 87 Otherwise, the suppression result will be unpredictable. To set storm constrain for unicast traffic on a port, select Device > Storm Constrain. Selected Ports: the port or ports that you have selected from the chassis front panel and for which you have set operation parameters...
  • Page 88 Select Device > Port Management from the navigation tree. The Summary tab is displayed by default. Select the parameter you want to view by clicking the radio button before it to display the setting of this parameter for all the ports in the lower part of the page, as shown in Figure 1-2.
  • Page 89: Port Management Configuration Example

    1-4: Server A, Server B, and Server C are connected to GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 of the switch respectively. The rates of the network adapters of these servers are all 1000 Mbps. The switch connects to the external network through GigabitEthernet 1/0/4, whose rate is 1000 Mbps.
  • Page 90 Configuration procedure # Set the rate of GigabitEthernet 1/0/4 to 1000 Mbps. Select Device > Port Management from the navigation tree, click the Setup tab to enter the page shown in Figure 1-5, and make the following configurations: Figure 1-5 Configure the rate of GigabitEthernet 1/0/4 Select 1000 in the Speed drop-down list.
  • Page 91 Figure 1-6 Batch configure port rate # Display the rate settings of ports. Click the Summary tab. Select the Speed option to display the rate information of all ports on the lower part of the page, as shown in Figure...
  • Page 92 Figure 1-7 Display the rate settings of ports...
  • Page 93 Table of Contents: 1 Port Mirroring Configuration (1-1); Introduction to Port Mirroring (1-1); Implementing Port Mirroring (1-1); Configuring Port Mirroring (1-1); Configuration Task List (1-1); Creating a Mirroring Group (1-2); Configuring Ports for a Mirroring Group (1-3); Configuration Examples (1-4); Local Port Mirroring Configuration Example (1-4); Configuration Guidelines (1-7)...
  • Page 94: Port Mirroring Configuration

    Port Mirroring Configuration Introduction to Port Mirroring Port mirroring copies the packets passing through a port (called the mirroring port) to another port (called the monitor port) that connects to a monitoring device for packet analysis. You can mirror inbound, outbound, or bidirectional traffic on a port as needed.
  • Page 95: Creating A Mirroring Group

    Port. You can configure only one monitor port for a mirroring group. Creating a Mirroring Group Select Device > Port Mirroring from the navigation tree and click Create to enter the page for creating a mirroring group, as shown in Figure 1-2.
  • Page 96: Configuring Ports For A Mirroring Group

    Local port mirroring configuration task list. Configuring Ports for a Mirroring Group Select Device > Port Mirroring from the navigation tree and click Modify Port to enter the page for configuring ports for a mirroring group, as shown in Figure 1-3.
  • Page 97: Configuration Examples

    Figure 1-4 Network diagram for local port mirroring configuration Configuration procedure # Create a local mirroring group. Select Device > Port Mirroring from the navigation tree and click Create to enter the page for creating mirroring groups, as shown in Figure...
  • Page 98 Type in mirroring group ID 1. Select Local in the Type drop-down list. Click Apply. # Configure the mirroring ports. Click Modify Port to enter the page for configuring ports for the mirroring group, as shown in Figure 1-6. Figure 1-6 Configure the mirroring ports...
  • Page 99 Figure 1-7 Configuration progress dialog box After the configuration process is complete, click Close. # Configure the monitor port. Click Modify Port to enter the page for configuring ports for the mirroring group, as shown in Figure 1-8. Figure 1-8 Configure the monitor port Select 1 –...
  • Page 100: Configuration Guidelines

    Pay attention to the following points during local port mirroring configuration: To ensure normal operation of your device, do not enable STP, MSTP, or RSTP on the monitor port. You can configure multiple mirroring ports but only one monitor port for a local mirroring group.
  • Page 101 Table of Contents: 1 User Management (1-1); Overview (1-1); Users (1-1); Creating a User (1-1); Setting the Super Password (1-2); Switching the User Access Level to the Management Level (1-3)...
  • Page 102: User Management

    Switch the current Web user access level to the management level. Users Creating a User Select Device > Users from the navigation tree, and click the Create tab to enter the page for creating local users, as shown in Figure 1-1.
  • Page 103 Setting the Super Password In this part, users of the management level can specify the password that a lower-level user must supply to switch from the current access level to the management level. If no such password is configured, the switchover fails.
  • Page 104 The access level switchover of a user is valid for the current login only. The access level configured for the user is not changed. When the user logs in to the Web interface again, the access level of the user is still the original level.
  • Page 105 Figure 1-3 Switch to the management level.
  • Page 106 Table of Contents: 1 Loopback Test Configuration (1-1); Overview (1-1); Loopback Operation (1-1); Configuration Guidelines (1-2)...
  • Page 107: Loopback Test Configuration

    In an external loopback test, a loopback plug is used on the port. Packets forwarded by the port will be received by itself through the loopback plug. The external loopback test can be used to check whether there is a hardware failure on the port.
  • Page 108: Configuration Guidelines

    After selecting a testing type, you need to select a port on which you want to perform the loopback test from the chassis front panel. After that, click Test to start the loopback test, and you can see the test result in the Result text box, as shown in Figure 1-2.
  • Page 109 Table of Contents: 1 VCT (1-1); Overview (1-1); Testing Cable Status (1-1)...
  • Page 110: Testing Cable Status

    Select Device > VCT from the navigation tree to enter the page for testing cable status. Select the port you want to test in the chassis front panel and then click Test. The test result is returned in less than 5...
  • Page 111 Cable status: status and length of the cable. The status of a cable can be normal, abnormal, abnormal(open), abnormal(short), or failure. When a cable is normal, the cable length displayed is the total length of the cable. When a cable is not normal, the cable length displayed is the length of the cable between the current port and the location where the fault occurs.
  • Page 112 Table of Contents: 1 Flow Interval Configuration (1-1); Overview (1-1); Monitoring Port Traffic Statistics (1-1); Setting the Traffic Statistics Generating Interval (1-1); Viewing Port Traffic Statistics (1-1)...
  • Page 113: Flow Interval Configuration

    Flow Interval Configuration Overview With the flow interval module, you can view the average receiving rate and average sending rate of a port over the specified interval. Monitoring Port Traffic Statistics Setting the Traffic Statistics Generating Interval Select Device > Flow Interval from the navigation tree, and click the Interval Configuration tab to...
  • Page 114 Figure 1-2 Port traffic statistics...
  • Page 115 Table of Contents: 1 Storm Constrain Configuration (1-1); Overview (1-1); Configuring Storm Constrain (1-1); Setting the Traffic Statistics Generating Interval (1-1); Configuring Storm Constrain (1-2)...
  • Page 116: Storm Constrain Configuration

    Device > Port Management. For details, refer to Port Management. With storm constrain enabled on a port, you can specify the system to act as follows when a certain type of traffic (broadcast, multicast, or unicast) exceeds the corresponding upper threshold: Block: Block the port.
  • Page 117 The traffic statistics generating interval set here is the interval used by the storm constrain function for measuring traffic against the traffic thresholds. It is different from the interval set in the flow interval module, which is used for measuring the average traffic sending and receiving rates over a specific interval.
  • Page 118 (in seconds) to collect traffic data, and analyzes the data in the next interval. Thus, if you enable the function while a packet storm is already present, it is normal for more than one traffic statistics generating interval to elapse before a control action is taken.
  • Page 119 Select or clear the option to enable or disable log output both when an upper threshold is crossed and when the corresponding lower threshold is crossed afterwards.
  • Page 120 Configuration Task List (1-3); Configuring a Statistics Entry (1-5); Configuring a History Entry (1-6); Configuring an Event Entry (1-7); Configuring an Alarm Entry (1-7); Displaying RMON Statistics Information (1-9); Displaying RMON History Sampling Information (1-11); Displaying RMON Event Logs (1-13); RMON Configuration Example (1-13)...
  • Page 121: Rmon

    The alarm function enables a managed device to monitor the value of a specified MIB variable and, when the value reaches a threshold (for example, the port rate reaches a certain value, or the proportion of broadcast packets among all received packets reaches a certain value), log the event and send a trap to the management device.
  • Page 122: Rmon Groups

    Log: Logging event-related information (the time the event occurred, the contents of the event, and so on) in the event log table of the RMON MIB of the device, so that the management device can read the logs through the SNMP GET operation.
  • Page 123: Configuring Rmon

    Configuring the RMON statistics function The RMON statistics function can be implemented by either the statistics group or the history group, but the two collect statistics on different objects. Choose to configure a statistics group or a history group accordingly.
  • Page 124: Configuring An Event Entry

    Configuring the RMON alarm function If you want the managed device to send a trap to the NMS when an alarm event is triggered, configure the SNMP agent as described in SNMP Configuration before configuring the RMON alarm function.
  • Page 125 Configuring a Statistics Entry Select Device > RMON from the navigation tree to enter the page of the Statistics tab, as shown in Figure 1-1. Click Add to enter the page for adding a statistics entry, as shown in Figure 1-2.
  • Page 126 Configuring a History Entry Select Device > RMON from the navigation tree and click the History tab to enter the page, as shown Figure 1-3. Click Add to enter the page for adding a history entry, as shown in Figure 1-4.
  • Page 127 Configuring an Event Entry Select Device > RMON from the navigation tree and click the Event tab to enter the page, as shown in Figure 1-5. Click Add to enter the page for adding an event entry, as shown in Figure 1-6.
  • Page 128 Table 1-8 Alarm entry configuration items. Alarm variable: Statics Item: set the traffic statistics that will be collected and monitored; see Table 1-9 for details. Interface Name: set the name of the interface whose traffic statistics will be collected and monitored.
  • Page 129 RMON alarm configuration task list. Displaying RMON Statistics Information Select Device > RMON from the navigation tree to enter the page of the Statistics tab, as shown in Figure 1-1. Click the icon of a statistics entry to enter the page as shown in...
  • Page 130 RMON statistics. Table 1-9 Fields of RMON statistics. Number of Received Bytes: total number of octets received by the interface, corresponding to the MIB node etherStatsOctets. Number of Received Packets: total number of packets received by the interface, corresponding to the MIB node etherStatsPkts.
  • Page 131 Display RMON running status. Displaying RMON History Sampling Information Select Device > RMON from the navigation tree and click the History tab to enter the page, as shown Figure 1-3. Click the icon of a history entry to enter the page as shown in...
  • Page 132 MIB node etherHistoryOversizePkts. Fragments: number of fragments received during the sampling period, corresponding to the MIB node etherHistoryFragments. Jabbers: number of jabbers received during the sampling period (support for this field depends on the device model), corresponding to the MIB node etherHistoryJabbers.
  • Page 133: Displaying Rmon Event Logs

    Displaying RMON Event Logs Select Device > RMON from the navigation tree and click the Log tab to enter the page, as shown in Figure 1-11, which displays log information for all event entries. Figure 1-11 Log Return to Display RMON running status.
  • Page 134 Figure 1-13 Add a statistics entry Select GigabitEthernet1/0/1 from the Interface Name drop-down box. Type user1-rmon in the text box of Owner. Click Apply. # Display RMON statistics for interface GigabitEthernet 1/0/1. Click the icon corresponding to GigabitEthernet 1/0/1. You can view the information as shown in Figure 1-14.
  • Page 135 Figure 1-14 Display RMON statistics # Create an event to start logging after the event is triggered. Click the Event tab, click Add, and then perform the following configurations, as shown in Figure 1-15. Figure 1-15 Configure an event group...
  • Page 136 Type 1-rmon in the text box of Owner. Select the check box before Log. Click Apply. The page goes to the page displaying the event entry, and you can see that the entry index of the new event is 1, as shown in Figure 1-16.
  • Page 137 Select Number of Received Bytes from the Statics Item drop-down box. Select GigabitEthernet1/0/1 from the Interface Name drop-down box. Type 10 in the text box of Interval. Select Delta from the Simple Type drop-down box. Type 1-rmon in the text box of Owner.
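
The threshold logic behind the alarm entry configured above (Delta sample type, a sampling interval, and a rising and a falling threshold each tied to an event), as an added example that is not part of the 3Com manual. It implements the RFC 2819 alarmTable semantics that the RMON alarm function follows: an event fires when a threshold is reached and does not fire again until the opposite threshold has been reached in between. The same upper/lower hysteresis is why the storm constrain module described earlier logs once when an upper threshold is crossed and once when the lower threshold is crossed afterwards, rather than on every interval. The sample values are constructed; treating the monitored variable as a 32-bit counter that wraps is an assumption.

```python
# Added example, not the manual's code: RMON alarm rising/falling threshold
# evaluation (RFC 2819 alarmTable) with startup alarm and hysteresis.
from dataclasses import dataclass, field
from typing import List, Optional

COUNTER32_MODULUS = 2 ** 32  # assumption: the sampled variable is a Counter32


@dataclass
class RmonAlarm:
    rising_threshold: int
    falling_threshold: int
    sample_type: str = "delta"  # "delta" or "absolute" (Simple Type in the UI)
    # alarmStartupAlarm: which event may fire on the very first comparison
    startup_alarm: frozenset = frozenset({"rising", "falling"})
    _last_raw: Optional[int] = field(default=None, init=False, repr=False)
    _state: Optional[str] = field(default=None, init=False, repr=False)

    def __post_init__(self):
        if self.rising_threshold <= self.falling_threshold:
            raise ValueError("rising threshold must exceed falling threshold")
        if self.sample_type not in ("delta", "absolute"):
            raise ValueError("sample_type must be 'delta' or 'absolute'")

    def sample(self, raw: int) -> Optional[str]:
        """Feed one sample of the monitored variable (e.g. etherStatsOctets)
        taken at the configured interval. Returns "rising", "falling" or
        None when no event is generated for this interval."""
        if self.sample_type == "delta":
            if self._last_raw is None:  # a delta needs two samples
                self._last_raw = raw
                return None
            value, self._last_raw = raw - self._last_raw, raw
            if value < 0:  # counter wrapped between samples
                value += COUNTER32_MODULUS
        else:
            value = raw

        # Which side of the hysteresis band are we on after this sample?
        new_state = self._state
        if value >= self.rising_threshold:
            new_state = "rising"
        elif value <= self.falling_threshold:
            new_state = "falling"

        event = None
        if new_state is not None and new_state != self._state:
            # First crossing fires only if the startup alarm allows it; any
            # later crossing fires because the opposite threshold has been
            # reached in between, which is exactly a state change here.
            if self._state is not None or new_state in self.startup_alarm:
                event = new_state
        self._state = new_state
        return event


def events_for(samples: List[int], **alarm_kwargs) -> List[Optional[str]]:
    """Run one alarm entry over a constructed series of samples and return
    the event (or None) produced at each sampling point."""
    alarm = RmonAlarm(**alarm_kwargs)
    return [alarm.sample(s) for s in samples]


if __name__ == "__main__":
    # Octet counter read every 10 s; rising at 1000 octets/interval,
    # falling at 200 octets/interval.
    readings = [0, 1500, 3100, 3200, 5000]
    for raw, ev in zip(readings, events_for(readings, rising_threshold=1000,
                                            falling_threshold=200)):
        print(f"counter={raw:6d}  event={ev}")
```

Note that the second interval at 1600 octets produces no event even though it is above the rising threshold: the alarm is already in the rising state and will not fire again until the delta drops to the falling threshold.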
  • Page 138 Table of Contents: 1 Energy Saving Configuration (1-1); Overview (1-1); Configuring Energy Saving on a Port (1-1)...
  • Page 139: Energy Saving Configuration

    Energy Saving Configuration Overview Energy saving allows you to configure a port to work at the lowest transmission speed, disable PoE, or go down during a specified time range on certain days of a week. The port resumes working normally when the effective time period ends.
  • Page 140 Lowest Speed: Set the port to transmit data at the lowest speed. If you configure the lowest speed limit on a port that does not support 10 Mbps, the configuration cannot take effect. Shutdown: Shut down the port. An energy saving policy can have all three energy saving schemes configured, of which the shutdown scheme takes the highest priority.
  • Page 141 SNMP Protocol Version (1-1); MIB Overview (1-2); SNMP Configuration (1-3); Configuration Task List (1-3); Enabling SNMP (1-4); Configuring an SNMP View (1-5); Configuring an SNMP Community (1-7); Configuring an SNMP Group (1-8); Configuring an SNMP User (1-10); Configuring SNMP Trap Function (1-11); SNMP Configuration Example (1-13)...
  • Page 142: Snmp

    An SNMP-enabled network comprises a network management station (NMS) and agents. An NMS is a station that runs the SNMP client software. It offers a user-friendly interface, making it easier for network administrators to perform most network management tasks.
  • Page 143: Mib Overview

    {1.2.1.1.5}. This string of numbers is the OID of the managed object A. A subtree can be identified by the OID of the root node of the subtree. For example, the OID of the subtree with the root node being B is the OID of node B –– {1.2.1.1}.
  • Page 144: Snmp Configuration

    If the subtree mask has fewer bits than the OID has nodes, the missing bits are treated as 1 during subtree mask-OID matching, that is, those nodes must match exactly.
  • Page 145: Enabling Snmp

    Select Device > SNMP from the navigation tree to enter the SNMP configuration page, as shown in Figure 1-4. On the upper part of the page, you can select to enable or disable SNMP and configure parameters such as SNMP version; on the lower part of the page, you can view the SNMP statistics,...
  • Page 146: Configuring An Snmp View

    Set the SNMP version run by the system. Return to SNMPv1 or SNMPv2c configuration task list. Return to SNMPv3 configuration task list. Configuring an SNMP View Select Device > SNMP from the navigation tree, and then click the View tab to enter the page as shown in Figure 1-5.
  • Page 147 SNMP view. After configuring the parameters of a rule, click Add to add the rule to the list box at the lower part of the page. After configuring all rules, click Apply to create the SNMP view. Note that the view is not created if you click Cancel.
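
How an agent evaluates a view made of Included/Excluded subtree rules with subtree masks, including the "short mask is padded with 1s" rule stated in the SNMP Configuration section above, as an added example that is not the manual's or the device's own code. The matching and precedence follow RFC 3415 (VACM): the longest matching subtree wins, and its Included/Excluded type decides whether the OID is visible. The rules and OIDs below are constructed; the "interfaces" subtree is the one used in the manual's SNMP example, and the assumption is that the switch applies the same RFC semantics.

```python
# Added example, not from the 3Com manual: SNMP view membership with
# Included/Excluded subtree rules and subtree masks (RFC 3415 VACM).
from dataclasses import dataclass
from typing import List, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1); a leading dot is tolerated."""
    return tuple(int(part) for part in text.strip(".").split("."))


@dataclass(frozen=True)
class ViewRule:
    subtree: OID
    included: bool
    mask: str = ""  # bit string: "1" = compare this sub-identifier, "0" = wildcard

    def effective_mask(self) -> List[bool]:
        # A mask shorter than the subtree is padded with 1s (the manual's
        # rule for mask-OID matching); an empty mask means "compare all".
        bits = [c == "1" for c in self.mask][: len(self.subtree)]
        return bits + [True] * (len(self.subtree) - len(bits))

    def matches(self, oid: OID) -> bool:
        if len(oid) < len(self.subtree):
            return False  # an OID above the subtree root is not inside it
        return all(
            not compare or oid[i] == self.subtree[i]
            for i, compare in enumerate(self.effective_mask())
        )


def oid_in_view(rules: List[ViewRule], oid: OID) -> bool:
    """RFC 3415 section 4.1.3: of all matching families the longest subtree
    wins; on equal length the lexicographically greatest subtree wins. The
    winner's Included/Excluded type decides. No matching rule means excluded."""
    hits = [r for r in rules if r.matches(oid)]
    if not hits:
        return False
    best = max(hits, key=lambda r: (len(r.subtree), r.subtree))
    return best.included


# Constructed view: expose the "interfaces" subtree (1.3.6.1.2.1.2), hide
# ifTable (1.3.6.1.2.1.2.2), then re-expose only the ifTable row for ifIndex 3
# in every column by wildcarding the column sub-identifier (10th position).
SAMPLE_VIEW = [
    ViewRule(parse_oid("1.3.6.1.2.1.2"), included=True),
    ViewRule(parse_oid("1.3.6.1.2.1.2.2"), included=False),
    ViewRule(parse_oid("1.3.6.1.2.1.2.2.1.1.3"), included=True, mask="11111111101"),
]


def check(oid_text: str, rules: List[ViewRule] = SAMPLE_VIEW) -> bool:
    """True if the OID is readable through the given view."""
    return oid_in_view(rules, parse_oid(oid_text))


if __name__ == "__main__":
    for name, oid in [("ifNumber.0", "1.3.6.1.2.1.2.1.0"),
                      ("ifDescr.3", "1.3.6.1.2.1.2.2.1.2.3"),
                      ("ifInOctets.4", "1.3.6.1.2.1.2.2.1.10.4"),
                      ("sysDescr.0", "1.3.6.1.2.1.1.1.0")]:
        print(f"{name:14} {oid:28} {'included' if check(oid) else 'excluded'}")
```

The third rule is the reason masks exist: without the wildcard you would need one Included rule per column of the ifTable row, and a rule that is not the longest match for an OID never has a say, which is why the Excluded ifTable rule wins over the Included "interfaces" rule for ifInOctets.4.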
  • Page 148: Configuring An Snmp Community

    SNMPv3 configuration task list. Configuring an SNMP Community Select Device > SNMP from the navigation tree, then click the Community tab to enter the page as shown in Figure 1-9. Click Add to enter the Add SNMP Community page as shown in Figure 1-10.
  • Page 149: Configuring An Snmp Group

    SNMPv1 or SNMPv2c configuration task list. Configuring an SNMP Group Select Device > SNMP from the navigation tree, then click the Group tab to enter the page as shown in Figure 1-11. Click Add to enter the Add SNMP Group page as shown in Figure 1-12.
  • Page 150 Write View: If no write view is configured, the NMS cannot perform write operations on any MIB object on the device. Notify View: Select the notify view of the SNMP group, that is, the view whose objects can be sent in trap messages. If no notify view is configured, the agent does not send traps to the NMS.
  • Page 151: Configuring An Snmp User

    SNMPv3 configuration task list. Configuring an SNMP User Select Device > SNMP from the navigation tree, then click the User tab to enter the page as shown in Figure 1-13. Click Add to enter the Add SNMP User page, as shown in Figure 1-14.
  • Page 152: Configuring Snmp Trap Function

    Configuring SNMP Trap Function Select Device > SNMP from the navigation tree, and click the Trap tab to enter the page as shown in Figure 1-15. On the upper part of the page, you can select to enable the SNMP trap function; on the lower part of the page, you can configure target hosts of the SNMP traps.
  • Page 153 The available security levels are no authentication no privacy, authentication but no privacy, and authentication and privacy. Security Level: When the security model is v1 or v2c, the security level is fixed at no authentication no privacy and cannot be modified; SNMPv1 and SNMPv2c identify the requester only by the community string, which is carried in cleartext.
  • Page 154: Snmp Configuration Example

    Configuration procedure Configure Agent # Configure IP addresses for the interfaces. (Omitted) # Enable SNMP. Select Device > SNMP from the navigation tree, and you will enter the Setup page as shown in Figure 1-18. Figure 1-18 Enable SNMP Select the Enable radio box.
  • Page 155 Figure 1-19 Create an SNMP view (1) Type view1 in the text box. Click Apply to enter the SNMP rule configuration page, as shown in Figure 1-20. Figure 1-20 Create an SNMP view (2) Select the Included radio box. Type the MIB subtree OID interfaces.
  • Page 156 Click the Group tab and then click Add to enter the page as shown in Figure 1-22. Figure 1-22 Create an SNMP group Type group1 in the text box of Group Name. Select view1 from the Read View drop-down box.
  • Page 157 Click the Trap tab and enter the page as shown in Figure 1-24. Figure 1-24 Enable the agent to send SNMP traps Select the Enable SNMP Trap check-box. Click Apply. # Add target hosts of SNMP traps. Click Add to enter the page as shown in Figure 1-25.
  • Page 158 After the above configuration, the NMS can establish an SNMP connection with the agent and query and reconfigure values of objects in the agent MIB. If an idle interface on the agent is shut down or brought up, the NMS receives the trap sent by the agent.
  • Page 159 Table of Contents: 1 Interface Statistics (1-1); Overview (1-1); Displaying Interface Statistics (1-1)...
  • Page 160: Interface Statistics

    Overview The interface statistics module displays statistics information about the packets received and sent through interfaces. Displaying Interface Statistics Select Device > Interface Statistics from the navigation tree to enter the interface statistics display page, as shown in Figure 1-1.
  • Page 161 OutUcastPkts: Number of unicast packets sent through the interface. OutNUcastPkts: Number of non-unicast packets sent through the interface. OutDiscards: Number of valid packets discarded in the outbound direction. OutErrors: Number of invalid packets sent through the interface.
  • Page 162 Table of Contents: 1 VLAN Configuration (1-1); Overview (1-1); Introduction to VLAN (1-1); How VLAN Works (1-1); VLAN Types (1-2); Introduction to Port-Based VLAN (1-3); Configuring a VLAN (1-4); Configuration Task List (1-4); Creating VLANs (1-4); Selecting VLANs (1-5); Modifying a VLAN (1-6); Modifying Ports (1-8); VLAN Configuration Example (1-9)...
  • Page 163: Vlan Configuration

    VLANs, that is, Layer 2 broadcast domains whereby frames are switched between ports assigned to the same VLAN. VLANs are isolated from each other at Layer 2. A VLAN is a bridging domain, and all broadcast traffic is contained within it, as shown in Figure 1-1.
  • Page 164: Vlan Types

    The field is set to 0 by default. The 12-bit VLAN ID field identifies the VLAN the frame belongs to. The VLAN ID range is 0 to 4095. As 0 and 4095 are reserved by the protocol, the VLAN ID range available for assignment is 1 to 4094.
  • Page 165: Introduction To Port-Based Vlan

    A trunk port allows only traffic of the default VLAN to pass through untagged. Default VLAN (PVID) By default, VLAN 1 is the default VLAN for all ports. However, you can change the default VLAN for a port as required. When doing this, follow these guidelines: Because an access port can join only one VLAN, its default VLAN is the VLAN to which it belongs and cannot be configured.
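The tag format on the previous page and the port-based VLAN rules above can be checked against a small model. The following Python is an added example for this guide, not code from 3Com or the switch firmware: it parses the 802.1Q tag (TPID 0x8100, 3-bit priority, 1-bit DEI, 12-bit VLAN ID) and then applies the access, trunk and hybrid ingress and egress rules as this chapter describes them. The Port class, its field names, and the assumption that a port has already been assigned to its PVID VLAN are the example's own.

```python
import struct

TPID_8021Q = 0x8100
RESERVED_VIDS = {0, 4095}          # reserved by 802.1Q; 1-4094 are assignable


def parse_frame(frame: bytes):
    """Split an Ethernet frame into (dst, src, vid, pcp, dei, ethertype, payload).

    vid, pcp and dei are None when the frame carries no 802.1Q tag.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return dst, src, None, None, None, etype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, inner, frame[18:]


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build a frame; when vid is given, insert an 802.1Q tag carrying user priority pcp."""
    hdr = dst + src
    if vid is not None:
        if vid in RESERVED_VIDS or not 0 <= vid <= 4095:
            raise ValueError("VLAN ID must be 1-4094")
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


class Port:
    """Port-based VLAN membership: link type, PVID, permitted VLANs, VLANs sent tagged (hybrid)."""

    def __init__(self, link_type, pvid=1, permitted=None, tagged=None):
        self.link_type = link_type
        self.pvid = pvid
        if link_type == "access":
            self.permitted = {pvid}                      # an access port belongs to one VLAN
        else:
            # Assumption of this model: the port has been assigned to its PVID VLAN.
            self.permitted = set(permitted or ()) | {pvid}
        self.tagged = set(tagged or ())                  # hybrid ports only


def ingress_vlan(port, vid):
    """VLAN an incoming frame is switched in, or None if the port drops it."""
    if vid is None:
        return port.pvid                                 # untagged frame: classified by PVID
    if vid in RESERVED_VIDS:
        return None
    if port.link_type == "access":
        return vid if vid == port.pvid else None
    return vid if vid in port.permitted else None        # trunk/hybrid: permitted VLANs only


def egress_tagged(port, vid):
    """True/False if the frame leaves tagged/untagged; None if the port is not in that VLAN."""
    if vid not in port.permitted:
        return None
    if port.link_type == "access":
        return False
    if port.link_type == "trunk":
        return vid != port.pvid                          # only the PVID leaves a trunk untagged
    return vid in port.tagged                            # hybrid: configured per VLAN


# Constructed example matching this chapter's configuration example: GigabitEthernet 1/0/1
# as a trunk with PVID 100 that also carries VLAN 2 and VLANs 6 through 50 tagged.
GE1_0_1 = Port("trunk", pvid=100, permitted={2, *range(6, 51)})
```

The reserved-ID check in ingress_vlan is the one a practitioner wants at the edge: a tag with VID 0 is a priority-tagged frame and falls to the PVID on real hardware, while 4095 must never be switched; treating both as invalid here keeps the model conservative.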
  • Page 166: Configuring A Vlan

    VLANs, or remove ports from VLANs; configure the link type and PVID of the ports. Creating VLANs Select Network > VLAN from the navigation tree and click Create to enter the page for creating VLANs, as shown in Figure 1-4.
  • Page 167: Selecting Vlans

    Return to VLAN configuration task list (approach I). Return to VLAN configuration task list (approach II). Selecting VLANs: Select Network > VLAN from the navigation tree. The Select VLAN tab is displayed by default for you to select VLANs, as shown in Figure 1-5.
  • Page 168: Modifying A Vlan

    VLAN ID(s) to be displayed. Return to VLAN configuration task list (approach I). Modifying a VLAN: Select Network > VLAN from the navigation tree and click Modify VLAN to enter the page for modifying a VLAN, as shown in Figure 1-6.
  • Page 169 VLANs. Modify the description string of the selected VLAN. Modify Description By default, the description string of a VLAN is its VLAN ID, such as VLAN 0001. Set the member type of the port to be modified in the VLAN...
  • Page 170: Modifying Ports

    Modifying Ports Select Network > VLAN from the navigation tree and click Modify Port to enter the page for modifying ports, as shown in Figure 1-7. Figure 1-7 The Modify Port tab Table 1-6 describes the configuration items of modifying ports.
  • Page 171: Vlan Configuration Example

    Configure Switch A # Configure GigabitEthernet 1/0/1 as a trunk port and configure VLAN 100 as its default VLAN. Select Device > Port Management from the navigation tree and click Setup to enter the page for setting ports, as shown in Figure 1-9.
  • Page 172 Select GigabitEthernet 1/0/1 on the chassis front device panel. Click Apply. # Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100. Select Network > VLAN from the navigation tree and click Create to enter the page for creating VLANs, as shown in Figure 1-10.
  • Page 173 Click Select VLAN to enter the page for selecting VLANs, as shown in Figure 1-11. Figure 1-11 Set a VLAN range Select the radio button before Display a subnet of all configured VLANs and type 1-100 in the text box.
  • Page 174 Click Select. Click Modify VLAN to enter the page for modifying the ports in a VLAN, as shown in Figure 1-12. Figure 1-12 Assign GigabitEthernet 1/0/1 to VLAN 100 as an untagged member Select 100 – VLAN 0100 in the Please select a VLAN to modify: drop-down list.
  • Page 175: Configuration Guidelines

    Click Modify Port to enter the page for modifying the VLANs to which a port belongs, as shown in Figure 1-14. Figure 1-14 Assign GigabitEthernet 1/0/1 to VLAN 2, and VLAN 6 through VLAN 50 as a tagged member Select GigabitEthernet 1/0/1 on the chassis front device panel.
  • Page 176 Table of Contents: 1 VLAN Interface Configuration. Overview. Configuring VLAN Interfaces: Configuration Task List; Creating a VLAN Interface; Modifying a VLAN Interface.
  • Page 177: Vlan Interface Configuration

    For each VLAN, you can create one VLAN interface. You can assign the VLAN interface an IP address and specify it as the gateway of the VLAN to forward the traffic destined for an IP network segment different from that of the VLAN.
  • Page 178 VLAN interface. Table 1-2 Configuration items of creating a VLAN interface. Input a VLAN ID: Input the ID of the VLAN interface to be created. Before creating a VLAN interface, make sure that the corresponding VLAN exists. DHCP: Configure the way in which the VLAN interface gets an IPv4 address.
  • Page 179 Apply button to submit the modification. After you change the IP address of the VLAN interface you are using to log in to the device, you will be disconnected from the device. You can use the changed IP address to re-log in.
  • Page 180 Manual option. Manual: Select Up or Down in the Admin Status drop-down list to bring up or shut down the selected VLAN interface. When the VLAN interface fails, you can shut down and then bring up the VLAN interface, which may restore it.
  • Page 181 (table of contents, continued): Configuring Voice VLAN on a Port; Adding OUI Addresses to the OUI List. Voice VLAN Configuration Examples: Configuring Voice VLAN on a Port in Automatic Voice VLAN Assignment Mode; Configuring a Voice VLAN on a Port in Manual Voice VLAN Assignment Mode. Configuration Guidelines.
  • Page 182: Voice Vlan Configuration

    Voice VLAN Assignment Modes: A port connected to a voice device, an IP phone for example, can be assigned to a voice VLAN in one of two modes: automatic mode and manual mode. Ports on the same device can be assigned to...
  • Page 183 You can configure an aging timer for the voice VLAN. If no voice packet is received on a port before the aging timer expires, the system removes the port from the voice VLAN. Assigning ports to and removing ports from a voice VLAN are performed automatically.
  • Page 184: Security Mode And Normal Mode Of Voice Vlans

    MAC address against the OUI addresses configured for the device. If the default VLAN of the port is the voice VLAN and the port works in manual VLAN assignment mode, the port forwards all received untagged packets in the voice VLAN. In normal mode, the voice VLAN admits traffic regardless of its source MAC address, so it is vulnerable to traffic attacks.
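Security mode comes down to a masked comparison of each frame's source MAC against the OUI list. The following Python is an added example, not part of this guide or the switch software: OuiList, VoicePort and classify are names chosen here, and the mask semantics (a 1 bit in the mask means that bit of the address must match) is this example's reading of the OUI Add tab. It reuses the OUI 0011-2200-0000 with mask ffff-ff00-0000 and description test from this chapter's configuration examples.

```python
MAC_BITS = 0xFFFF_FFFF_FFFF


def mac_to_int(mac: str) -> int:
    """Accept 0011-2200-0000, 00:11:22:00:00:00 or 0011.2200.0000 notation."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


class OuiList:
    """OUI entries as configured on the OUI Add tab: address, mask, description."""

    def __init__(self):
        self.entries = []

    def add(self, oui, mask="ffff-ff00-0000", description=""):
        o, m = mac_to_int(oui), mac_to_int(mask)
        if o & ~m & MAC_BITS:
            # Bits outside the mask can never be compared, so the entry is almost certainly a typo.
            raise ValueError("OUI address has bits set outside its mask")
        self.entries.append((o, m, description))

    def match(self, mac):
        """Description of the first matching entry (or its OUI in hex), None if nothing matches."""
        value = mac_to_int(mac)
        for o, m, desc in self.entries:
            if value & m == o:
                return desc or f"{o:012x}"
        return None


class VoicePort:
    def __init__(self, pvid, voice_vlan, security_mode=True):
        self.pvid, self.voice_vlan, self.security_mode = pvid, voice_vlan, security_mode


def classify(port, frame_vid, src_mac, oui_list):
    """Decide what happens to a frame received on the port.

    Returns ("voice", vid) if it is forwarded in the voice VLAN, ("drop", vid) if security
    mode rejects it, or ("data", vid) if it belongs to some other VLAN.  frame_vid is None
    for an untagged frame, which is classified by the PVID.
    """
    vid = port.pvid if frame_vid is None else frame_vid
    if vid != port.voice_vlan:
        return "data", vid
    if port.security_mode and oui_list.match(src_mac) is None:
        return "drop", vid                 # security mode: only OUI-listed sources are admitted
    return "voice", vid


# Constructed from this chapter's example: OUI 0011-2200-0000, mask ffff-ff00-0000, description test.
OUIS = OuiList()
OUIS.add("0011-2200-0000", "ffff-ff00-0000", "test")
VOICE_PORT = VoicePort(pvid=2, voice_vlan=2)   # manual mode example: the PVID is the voice VLAN
```

The caveat this makes visible: the OUI check is only a filter on a source address the sender chooses, so with security mode a host that spoofs a phone OUI is still admitted; it stops accidental and opportunistic use of the voice VLAN, not a determined attacker.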
  • Page 185: Configuring The Voice Vlan

    Before configuring the voice VLAN, you must create the corresponding VLAN and configure the link type of each port to be assigned to the VLAN. As VLAN 1 is the system-default VLAN, you do not need to create it; however, you cannot configure it as the voice VLAN. For information about port link types, refer to Port Management Configuration.
  • Page 186: Configuring Voice Vlan Globally

    Table 1-1. Configuring Voice VLAN Globally Select Network > Voice VLAN from the navigation tree, and click the Setup tab on the displayed page to enter the page shown in Figure 1-1. Figure 1-1 Configure voice VLAN Table 1-6 describes the global voice VLAN configuration items.
  • Page 187: Configuring Voice Vlan On A Port

    Configuring voice VLAN on a port working in manual voice VLAN assignment mode. Configuring Voice VLAN on a Port Select Network > Voice VLAN from the navigation tree, and click the Port Setup tab on the displayed page to enter the page shown in Figure 1-2.
  • Page 188: Adding Oui Addresses To The Oui List

    Configuring voice VLAN on a port working in manual voice VLAN assignment mode. Adding OUI Addresses to the OUI List Select Network > Voice VLAN from the navigation tree and click the OUI Add tab on the displayed page to enter the page shown in Figure 1-3.
  • Page 189: Voice Vlan Configuration Examples

    [Network diagram: voice VLAN 2 on GE1/0/1 and GE1/0/3; phones 0755-2002 and 010-1001; OUI 0011-2200-0000, mask ffff-ff00-0000.] Configuration procedure # Create VLAN 2. Select Network > VLAN from the navigation tree, and click Create on the displayed page to enter the page shown in Figure 1-5.
  • Page 190 Figure 1-5 Create VLAN 2 Type in VLAN ID 2. Click Create. # Configure GigabitEthernet 1/0/1 as a hybrid port. Select Device > Port Management from the navigation tree, and click Setup on the displayed page to enter the page shown in Figure 1-6.
  • Page 191 Select GigabitEthernet 1/0/1 from the chassis front panel. Click Apply. # Configure the voice VLAN function globally. Select Network > Voice VLAN from the navigation tree and click the Setup tab on the displayed page to enter the page shown in Figure 1-7.
  • Page 192 Select Enable in the Voice VLAN security drop-down list. (You can skip this step, because the voice VLAN security mode is enabled by default) Set the voice VLAN aging timer to 30 minutes. Click Apply. # Configure voice VLAN on GigabitEthernet 1/0/1.
  • Page 193 Select FFFF-FF00-0000 in the Mask drop-down list. Type in description string test. Click Apply. Verify the configuration When the configurations described above are completed, the OUI Summary tab is displayed by default, as shown in Figure 1-10. You can view the information about the newly-added OUI address.
  • Page 194: Configuring A Voice Vlan On A Port In Manual Voice Vlan Assignment Mode

    [Network diagram: GE1/0/1 and GE1/0/3 in VLAN 2; phones 0755-2002 and 010-1001; OUI 0011-2200-0000, mask ffff-ff00-0000.] Configuration procedure # Create VLAN 2. Select Network > VLAN from the navigation tree, and click Create on the displayed page to enter the page shown in Figure 1-13.
  • Page 195 Type in VLAN ID 2. Click Create. # Configure GigabitEthernet 1/0/1 as a hybrid port and configure its default VLAN as VLAN 2. Select Device > Port Management from the navigation tree, and click Setup on the displayed page to enter the page shown in Figure 1-14.
  • Page 196 Select GigabitEthernet 1/0/1 from the chassis front panel. Click Apply. # Assign GigabitEthernet 1/0/1 to VLAN 2 as an untagged member. Select Network > VLAN from the navigation tree, and click Modify Port on the displayed page to enter the page shown in Figure 1-15.
  • Page 197 Figure 1-16 Configuration progress dialog box After the configuration process is complete, click Close. # Configure voice VLAN on GigabitEthernet 1/0/1. Select Network > Voice VLAN from the navigation tree, and click Port Setup on the displayed page to enter the page shown in Figure 1-17.
  • Page 198 Select GigabitEthernet 1/0/1 on the chassis front panel. Click Apply. # Add OUI addresses to the OUI list. Click the OUI Add tab to enter the page shown in Figure 1-18. Figure 1-18 Add OUI addresses to the OUI list Type in OUI address 0011-2200-0000.
  • Page 199: Configuration Guidelines

    1-20, where you can view the current voice VLAN information. Figure 1-20 Current voice VLAN information Configuration Guidelines When configuring the voice VLAN function, follow these guidelines: To remove a VLAN functioning as a voice VLAN, disable its voice VLAN function first.
  • Page 200 In automatic voice VLAN assignment mode, a hybrid port can process only tagged voice traffic. However, the protocol-based VLAN function requires hybrid ports to process untagged traffic. Therefore, if a VLAN is configured as the voice VLAN and a protocol-based VLAN at the same time, the protocol-based VLAN cannot be associated with the port.
  • Page 201 Table of Contents: 1 MAC Address Configuration. Overview. Configuring MAC Addresses: Configuring a MAC Address Entry; Setting the Aging Time of MAC Address Entries. MAC Address Configuration Example.
  • Page 202: Mac Address Configuration

    Dynamic entries can be manually configured or dynamically learned and will age out. The following is how your device learns a MAC address after it receives a frame from a port, port A for example: Checks the frame for the source MAC address (MAC-SOURCE for example).
  • Page 203: Configuring Mac Addresses

    Broadcast mode: If the device receives a frame with the destination address being all Fs, or no entry matches the destination MAC address, the device broadcasts the frame to all the ports except the receiving port. Figure 1-1 MAC address table of the device...
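The learning and forwarding rules above, together with aging and a finite table size, can be modelled in a few dozen lines. The following Python is an added example, not from this guide or the switch: MacTable and its methods are the example's own names, and the capacity limit is an assumption added to show what happens when the table is full (new addresses are no longer learned, so unicast traffic to them keeps being flooded, which is exactly the effect a MAC flooding attack relies on). The clock is injectable so aging can be tested without waiting.

```python
import time

BROADCAST = "ffff-ffff-ffff"


class MacTable:
    """Per-VLAN MAC address table with static entries, dynamic learning, aging and a size cap."""

    def __init__(self, ports, aging=300, capacity=8192, clock=time.monotonic):
        self.ports = set(ports)
        self.aging = aging             # seconds; configurable on the Setup tab
        self.capacity = capacity       # assumed hardware limit on table entries
        self.clock = clock             # injectable for deterministic tests
        self.entries = {}              # (vlan, mac) -> [port, "static"|"dynamic", last_seen]

    def add_static(self, mac, port, vlan=1):
        self.entries[(vlan, mac)] = [port, "static", None]

    def learn(self, mac, port, vlan=1):
        """Source-address learning; returns False if the frame's source could not be learned."""
        key = (vlan, mac)
        entry = self.entries.get(key)
        if entry is not None and entry[1] == "static":
            return entry[0] == port    # a static binding is never moved by learning
        if entry is None and len(self.entries) >= self.capacity:
            return False               # table full: new hosts stay unknown and get flooded to
        self.entries[key] = [port, "dynamic", self.clock()]   # add, or refresh the timestamp
        return True

    def lookup(self, mac, vlan=1):
        entry = self.entries.get((vlan, mac))
        return None if entry is None else entry[0]

    def expire(self):
        """Remove dynamic entries older than the aging time; returns how many were removed."""
        now = self.clock()
        stale = [k for k, (_, kind, seen) in self.entries.items()
                 if kind == "dynamic" and now - seen > self.aging]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def forward(self, in_port, dst, src, vlan=1):
        """Return the egress ports for a frame, after learning its source address."""
        self.learn(src, in_port, vlan)
        self.expire()
        if dst != BROADCAST:
            out = self.lookup(dst, vlan)
            if out is not None:
                # Unicast mode; a destination on the receiving port is filtered, not sent back.
                return [] if out == in_port else [out]
        return sorted(self.ports - {in_port})   # broadcast mode: flood except the receiving port
```

A static entry for a host you care about (the example on the following pages creates one for 00e0-fc35-dc71 on GigabitEthernet 1/0/1) pins that address to its port: learn() refuses to move it, so a spoofed frame from another port neither hijacks the entry nor redirects the host's traffic.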
  • Page 204 Figure 1-2 The MAC tab Figure 1-3 Create a MAC address entry Table 1-1 shows the detailed configuration of creating a MAC address entry.
  • Page 205: Setting The Aging Time Of Mac Address Entries

    Set the port to which the MAC address belongs Setting the Aging Time of MAC Address Entries Select Network > MAC from the navigation tree, and then select the Setup tab to enter the page for setting the MAC address entry aging time, as shown in Figure 1-4.
  • Page 206: Mac Address Configuration Example

    MAC address 00e0-fc35-dc71 under GigabitEthernet 1/0/1 in VLAN 1. Configuration procedure # Create a static MAC address entry. Select Network > MAC from the navigation tree to enter the MAC tab, and then click Add, as shown in Figure 1-2. The page shown in Figure 1-5 appears.
  • Page 207 (table of contents, continued): Implementation of MSTP on Devices; Protocols and Standards. Configuring MSTP: Configuration Task List; Configuring an MST Region; Configuring MSTP Globally; Configuring MSTP on a Port; Displaying MSTP Information of a Port. MSTP Configuration Example. Guidelines.
  • Page 208: Mstp Configuration

    STP, RSTP, and MSTP and the relationship among them. Introduction to STP: STP was developed based on the IEEE 802.1D standard to eliminate loops at the data link layer in a local area network (LAN). Devices running this protocol detect loops in the network by exchanging information with one another and eliminate loops by selectively blocking certain ports, pruning the looped topology into a loop-free tree.
  • Page 209 Root port On a non-root bridge, the port nearest to the root bridge is called the root port. The root port is responsible for communication with the root bridge. Each non-root bridge has one and only one root port. The root bridge has no root port.
  • Page 210: How Stp Works

    Upon initialization of a device, each port generates a BPDU with itself as the root bridge, in which the root path cost is 0, designated bridge ID is the device ID, and the designated port is the local port. Selection of the optimum configuration BPDU Each device sends out its configuration BPDU and receives configuration BPDUs from other devices.
  • Page 211 If all the configuration BPDUs have the same root bridge ID, their root path costs are compared. Assume that the root path cost in a configuration BPDU plus the path cost of a receiving port is S. The configuration BPDU with the smallest S value has the highest priority.
  • Page 212 Figure 1-2, assume that the priority of Device A is 0, the priority of Device B is 1, the priority of Device C is 2, and the path costs of these links are 5, 10 and 4 respectively. Figure 1-2 Network diagram for the STP algorithm Initial state of each device The following table shows the initial state of each device.
  • Page 213 Port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}. Device A finds that the configuration BPDU of the local port {0, 0, 0, AP1} is superior to the received configuration BPDU, and therefore discards the received configuration BPDU.
  • Page 214 Device B to Device C going down. After the comparison processes described in the table above, a spanning tree with Device A as the root bridge is established as shown in Figure 1-3.
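The comparison rules of the preceding pages, in code. The following Python is an added example, not from this guide: Bpdu, port_receive and elect are its own names. The bridge IDs are the priorities 0, 1 and 2 from the example above; the assignment of the path costs 5, 10 and 4 to the A-B, A-C and B-C links respectively is a constructed assumption, since the excerpt does not state which cost belongs to which link. The comparison is lexicographic over {root bridge ID, root path cost, designated bridge ID, designated port ID}, lower winning at each field, with the receiving port's path cost added before comparison (the S of page 211).

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Bpdu:
    """Configuration BPDU fields in comparison order; dataclass ordering compares them lexicographically."""
    root_id: int
    root_path_cost: int
    bridge_id: int
    port_id: int


def port_receive(local: Bpdu, received: Bpdu) -> Bpdu:
    """The BPDU a port keeps: the received one replaces the local one only if it is superior."""
    return received if received < local else local


def elect(bridge_id, ports):
    """Run the page's algorithm for one device.

    ports maps port_id -> (path_cost, Bpdu received on it or None).
    Returns (root_port or None, {port_id: role}, the optimum vector as seen by this device).
    """
    # Optimum received BPDU, with the receiving port's path cost added (S in the text).
    best_vec = Bpdu(bridge_id, 0, bridge_id, 0)    # the device is root unless something beats this
    root_port = None
    for pid, (cost, rx) in ports.items():
        if rx is None:
            continue
        seen = Bpdu(rx.root_id, rx.root_path_cost + cost, rx.bridge_id, rx.port_id)
        if seen < best_vec:
            best_vec, root_port = seen, pid
    roles = {}
    for pid, (cost, rx) in ports.items():
        if pid == root_port:
            roles[pid] = "root"
            continue
        # The BPDU this device would send on the port if it were the designated port.
        designated = Bpdu(best_vec.root_id, best_vec.root_path_cost, bridge_id, pid)
        roles[pid] = "designated" if rx is None or designated < rx else "blocked"
    return root_port, roles, best_vec


# Constructed topology: A (priority 0), B (1), C (2); A-B cost 5, A-C cost 10, B-C cost 4.
# Device C hears A directly on port 1 and B on port 2; the cheaper path runs through B.
DEVICE_C_PORTS = {1: (10, Bpdu(0, 0, 0, 2)), 2: (4, Bpdu(0, 5, 1, 2))}
```

Because every field is an untrusted number taken from the wire, this is also the election an attacker influences by sending a BPDU with root ID 0: it wins the first comparison on every port that accepts BPDUs, which is the reason for the BPDU guard guideline at the end of this chapter.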
  • Page 215 A path failure can cause spanning tree re-calculation to adapt the spanning tree structure to the change. However, the resulting new configuration BPDU cannot propagate throughout the network immediately. If the newly elected root ports and designated ports start to forward data right away, a temporary loop is likely to occur.
  • Page 216: Introduction To Rstp

    STP does not support rapid state transition of ports. A newly elected root port or designated port must wait twice the forward delay time before transiting to the forwarding state, even if it is a port on a point-to-point link or an edge port, which directly connects to a user terminal rather than to another device or a shared LAN segment.
  • Page 217: Basic Concepts In Mstp

    [Figure: VLANs 2 and 3 mapped to instance 2; other VLANs mapped to the CIST.] MST region: A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the network segments among them. These devices have the following characteristics: All are MSTP-enabled,...
  • Page 218 Regional root bridge The root bridge of the IST or an MSTI within an MST region is the regional root bridge of the IST or the MSTI. Based on the topology, different spanning trees in an MST region may have different regional roots.
  • Page 219 MST region to the common root bridge. If the region is seen as a node, the master port is the root port of the region on the CST. The master port is a root port on IST/CIST and still a master port on the other MSTIs.
  • Page 220 1-5, devices A, B, C, and D constitute an MST region. Port 1 and port 2 of device A are connected to the common root bridge, port 5 and port 6 of device C form a loop, port 3 and port 4 of Device D are connected downstream to the other MST regions.
  • Page 221: How Mstp Works

    The calculation of a CIST tree is also the process of configuration BPDU comparison. During this process, the device with the highest priority is elected as the root bridge of the CIST. MSTP generates an IST within each MST region through calculation, and, at the same time, MSTP regards each MST region as a single device and generates a CST among these MST regions through calculation.
  • Page 222: Protocols And Standards

    Information of a Port port belongs, and the path cost and priority of the port. Configuring an MST Region Select Network > MSTP from the navigation tree to enter the page as shown in Figure 1-6. Figure 1-6 MST region...
  • Page 223: Configuring Mstp Globally

    MSTIs based on the modulo value. Return to MSTP configuration task list. Configuring MSTP Globally Select Network > MSTP from the navigation tree, and then click Global to enter the page for configuring MSTP globally, as shown in Figure 1-8.
  • Page 224 STP-compatible mode when detecting that it is connected with a device running STP. The working mode is RSTP by default. Set the maximum number of hops in an MST region to restrict the region size. Max Hops The setting can take effect only when it is configured on the regional root bridge.
  • Page 225 Instance Set the role of the device in the MSTI or the bridge priority of the device, which is one of the factors deciding whether the device can be elected as the root bridge.
  • Page 226: Configuring Mstp On A Port

    Configuring MSTP on a Port Select Network > MSTP from the navigation tree, and then click Port Setup to enter the page for configuring MSTP on ports, as shown in Figure 1-9. Figure 1-9 MSTP configuration on a port Table 1-10 describes the configuration items of configuring MSTP on a port.
  • Page 227 If a port is configured as connecting to a point-to-point link, the setting takes effect for the port in all MSTIs. If the physical link to which the port connects is not a point-to-point link and you force it to be a point-to-point link by configuration, the configuration may incur a temporary loop.
  • Page 228: Displaying Mstp Information Of A Port

    Return to MSTP configuration task list. Displaying MSTP Information of a Port Select Network > MSTP from the navigation tree, and then click Port Summary to enter the page shown in Figure 1-10. Figure 1-10 The Port Summary tab...
  • Page 229 MSTI 0 (when STP is enabled globally) or the STP status and statistics (when STP is not enabled globally), the MSTI to which the port belongs, and the path cost and priority of the port in the MSTI.
  • Page 230: Mstp Configuration Example

    VLAN 10 and VLAN 20 are terminated on the distribution layer devices, and VLAN 30 is terminated on the access layer devices, so the root bridges of MSTI 1 and MSTI 2 are Switch A and Switch B respectively, while the root bridge of MSTI 3 is Switch C.
  • Page 231 Figure 1-11 Network diagram for MSTP configuration “Permit:“ next to a link in the figure is followed by the VLANs the packets of which are permitted to pass this link. Configuration procedure Configure Switch A. # Configure an MST region.
  • Page 232 Click Apply to map VLAN 10 to MSTI 1 and add the VLAN-to-MSTI mapping entry to the VLAN-to-MSTI mapping list. Repeat the steps above to map VLAN 20 to MSTI 2 and VLAN 30 to MSTI 3 and add the VLAN-to-MSTI mapping entries to the VLAN-to-MSTI mapping list.
  • Page 233 Set the Root Type field to Primary. Click Apply. Configure Switch B. # Configure an MST region. (The procedure here is the same as that of configuring an MST region on Switch A.) # Configure MSTP globally. Select Network > MSTP from the navigation tree, and then click Global to enter the page for configuring MSTP globally.
  • Page 234 Set the Root Type field to Primary. Click Apply. Configure Switch C. # Configure an MST region. (The procedure here is the same as that of configuring an MST region on Switch A.) # Configure MSTP globally. Select Network > MSTP from the navigation tree, and then click Global to enter the page for configuring MSTP globally.
  • Page 235: Guidelines

    If the device is not enabled with BPDU guard, when a boundary port receives a BPDU from another port, it transits into a non-boundary port. To restore its port role as a boundary port, you need to restart the port.
  • Page 236 Configure ports that are directly connected to terminals as boundary ports and enable BPDU guard for them. In this way, these ports can rapidly transit to the forwarding state, and network security can be ensured.
  • Page 237 1 Link Aggregation and LACP Configuration. Overview: Basic Concepts of Link Aggregation; Link Aggregation Modes; Load Sharing Mode of an Aggregation Group. Configuring Link Aggregation and LACP: Configuration Task List; Creating a Link Aggregation Group; Displaying Information of an Aggregate Interface.
  • Page 238: Link Aggregation And Lacp Configuration

    If the aggregate interface is a Layer 2 interface, a Layer 2 aggregation group is created. You can assign only Layer 2 Ethernet interfaces to the group.
  • Page 239 The rate of an aggregate interface is the sum of the selected member ports’ rates. The duplex mode of an aggregate interface is consistent with that of the selected member ports. Note that all selected member ports use the same duplex mode.
  • Page 240: Link Aggregation Modes

    A port that joins the aggregation group after the limit on the number of selected ports has been reached will not be placed in the selected state even if it should be in normal cases. This can prevent the ongoing traffic on the current selected ports from being interrupted.
  • Page 241: Load Sharing Mode Of An Aggregation Group

    Compare the system ID (comprising the system LACP priority and the system MAC address) of the actor with that of the partner. The system with the lower LACP priority wins out. If they are the same, compare the system MAC addresses. The system with the smaller MAC address wins out.
  • Page 242: Creating A Link Aggregation Group

    Displaying Information of LACP-Enabled Ports LACP-enabled ports and the corresponding remote (partner) ports. Creating a Link Aggregation Group Select Network > Link Aggregation from the navigation tree, and then click Create to enter the page as shown in Figure 1-1.
  • Page 243 Enter Link Aggregation Interface ID: Assign an ID to the link aggregation group to be created. You can view the result in the Summary list box at the bottom of the page. Set the type of the link aggregation interface to be created:...
  • Page 244: Displaying Information Of An Aggregate Interface

    Return to Static aggregation group configuration task list. Return to Dynamic aggregation group configuration task list. Setting LACP Priority Select Network > LACP from the navigation tree, and then click Setup to enter the page shown in Figure 1-3.
  • Page 245: Displaying Information Of Lacp-Enabled Ports

    Set the LACP priority of the local system Return to Dynamic aggregation group configuration task list. Displaying Information of LACP-Enabled Ports Select Network > LACP from the navigation tree. The Summary tab is displayed by default, as shown Figure 1-4.
  • Page 246 Figure 1-4 Display the information of LACP-enabled ports The upper part of the page displays a list of all LACP-enabled ports on the device and information about them. To view information about the partner port of a LACP-enabled port, select it in the port list, and then click View Details.
  • Page 247: Link Aggregation And Lacp Configuration Example

    As shown in Figure 1-5, Switch A and Switch B are connected to each other through their Layer 2 Ethernet ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3. Aggregate the ports on each device to form a link aggregation group, thus balancing incoming/outgoing traffic across the member ports.
  • Page 248 You can create a static or dynamic link aggregation group to achieve load balancing. Approach 1: Create a static link aggregation group # Create static link aggregation group 1. Select Network > Link Aggregation from the navigation tree, and then click Create to enter the page as shown in Figure 1-6.
  • Page 249: Configuration Guidelines

    Follow these guidelines when configuring a link aggregation group: In an aggregation group, the port to be a selected port must be the same as the reference port in port attributes, and class-two configurations. To keep these configurations consistent, you should configure the port manually.
  • Page 250 Reference port: Select a port as the reference port from the ports that are in up state and with the same class-two configurations as the corresponding aggregate interface. The selection order is as follows: full duplex/high speed, full duplex/low speed, half duplex/high speed, and half duplex/low speed, with full duplex/high speed being the most preferred.
  • Page 251 (table of contents, continued): Configuring LLDP Settings on Ports; Configuring Global LLDP Setup; Displaying LLDP Information for a Port; Displaying Global LLDP Information; Displaying LLDP Information Received from LLDP Neighbors. LLDP Configuration Examples: LLDP Basic Settings Configuration Example; CDP-Compatible LLDP Configuration Example.
  • Page 252: Lldp

    This calls for a standard configuration exchange platform. To meet this need, the IEEE defined the Link Layer Discovery Protocol (LLDP) in IEEE 802.1AB. The protocol operates on the data link layer to exchange device information between directly connected devices.
  • Page 253 Source MAC address: The MAC address of the sending port. If the port does not have a MAC address, the MAC address of the sending bridge is used. Type: The Ethernet type for the upper layer protocol. It is 0x88CC for LLDP.
  • Page 254 An LLDPDU can carry up to 28 types of TLVs, of which the chassis ID TLV, port ID TLV, TTL TLV, and end of LLDPDU TLV (end TLV in the figure) are mandatory TLVs that must be carried; the other TLVs are optional.
  • Page 255 LLDP-MED TLVs provide multiple advanced applications for voice over IP (VoIP), such as basic configuration, network policy configuration, and address and directory management. LLDP-MED TLVs satisfy the voice device vendors’ requirements for cost effectiveness, ease of deployment, and ease of management. In addition, LLDP-MED TLVs make deploying voice devices in Ethernet easier.
  • Page 256: Operating Modes Of Lldp

    Disable mode. A port in this mode does not send or receive LLDPDUs. Each time the LLDP operating mode of a port changes, its LLDP protocol state machine re-initializes. To prevent LLDP from being initialized too frequently at times of frequent operating mode change, an initialization delay, which is user configurable, is introduced.
  • Page 257: Compatibility of LLDP with CDP

    An LLDP-enabled port operating in TxRx mode or Rx mode checks the TLVs carried in every LLDPDU it receives for validity. If valid, the information is saved and an aging timer is set for it based on the time to live (TTL) TLV carried in the LLDPDU. If the TTL TLV is zero, the information is aged out immediately.
  • Page 258: Enabling LLDP on Ports

    Figure 1-4. This tab displays the enabling status and operating mode of LLDP on a port. Select one or more ports and click Enable beneath the port list to enable LLDP on them. To disable LLDP on a port, select the port and click Disable.
  • Page 259 Return to LLDP Configuration Task List. Configuring LLDP Settings on Ports Select Network > LLDP from the navigation tree to enter the Port Setup tab, as shown in Figure 1-4. You can configure LLDP settings on ports individually or in batch.
  • Page 260 1-5, you can modify or view the LLDP settings of the port. Figure 1-5 The page for modifying LLDP settings on a port To configure LLDP settings on ports in batch, select one or more ports and click Modify Selected. The page shown in Figure 1-6...
  • Page 261 Figure 1-6 The page for modifying LLDP settings on ports in batch. Table 1-8 describes the port LLDP configuration items. Table 1-8 Port LLDP configuration items (Item and Description). Interface Name: Displays the name of the port or ports you are configuring.
  • Page 262 To enable LLDP to be compatible with CDP on the port, you must enable CDP compatibility on the Global Setup tab and set the CDP operating mode on the port to TxRx. Enable LLDP polling and set the polling interval.
  • Page 263 Return to LLDP Configuration Task List. Configuring Global LLDP Setup: Select Network > LLDP from the navigation tree and click the Global Setup tab to enter the page shown in Figure 1-7...
  • Page 264 CDP Compatibility: Select from the dropdown list to enable or disable CDP compatibility of LLDP. To enable LLDP to be compatible with CDP on a port, you must set the CDP work mode (or the CDP operating mode) on the port to TxRx in addition to enabling CDP compatibility on the Global Setup tab.
  • Page 265 Select Network > LLDP from the navigation tree to enter the Port Setup tab, as shown in Figure 1-4. In the port list, click a port name to display its LLDP information at the lower half of the page. The LLDP...
  • Page 266 Media policy type: Voice, Voice signaling, Guest voice, Guest voice signaling, Soft phone voice, Videoconferencing, Streaming video, Video signaling. PoE PSE power source: The type of PSE power source advertised by the local device, which can be Primary or Backup...
  • Page 267 Chassis type: MAC address, Network address, Interface name, Locally assigned (namely, local configuration). Chassis ID: Chassis ID depending on the chassis type, which can be a MAC address of the device. Port ID type, which can be: Interface alias, Port component...
  • Page 268 The support of the neighbor for link aggregation. Link aggregation enabled: The enable status of link aggregation on the neighbor. Aggregation port ID: Link aggregation group ID. It is 0 if the neighbor port is not assigned to any link aggregation group.
  • Page 269 Field and Description. Asset tracking identifier: Asset ID advertised by the neighbor. This ID is used for the purpose of inventory management and asset tracking. PoE PSE power source: The type of PSE power source advertised by the neighbor, which can...
  • Page 270 Displaying Global LLDP Information: Select Network > LLDP from the navigation tree, and click the Global Summary tab to display the global LLDP information and statistics of the local device, as shown in Figure 1-12. Figure 1-12 The Global Summary tab. Table 1-12 describes the global LLDP information.
  • Page 271: LLDP Configuration Examples

    Return to LLDP Configuration Task List. Displaying LLDP Information Received from LLDP Neighbors Select Network > LLDP from the navigation tree and click the Neighbor Summary tab to display the global LLDP neighbor information, as shown in Figure 1-13. Figure 1-13 The Neighbor Summary tab...
  • Page 272 Ethernet ports.) # Set the LLDP operating mode to Rx on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. Select Network > LLDP from the navigation tree to enter the Port Setup tab, as shown in Figure 1-15. Select ports GigabitEthernet1/0/1 and GigabitEthernet1/0/2 and click Modify Selected. The...
  • Page 273 Figure 1-16 The page for setting LLDP on multiple ports Select Rx from the LLDP Operating Mode dropdown list. Click Apply. # Enable global LLDP. Click the Global Setup tab, as shown in Figure 1-17. Figure 1-17 The Global Setup tab...
  • Page 274 # Enable LLDP on port GigabitEthernet 1/0/1. (Optional. By default, LLDP is enabled on Ethernet ports.) # Set the LLDP operating mode to Rx on GigabitEthernet 1/0/1. Select Network > LLDP from the navigation tree to enter the Port Setup tab, as shown in Figure 1-18.
  • Page 275 Click the GigabitEthernet1/0/2 port name in the port list. Click the Status Information tab at the lower half of the page. The output shows that port GigabitEthernet 1/0/2 is connected to a non-MED neighbor device, that is, Switch B, as shown in Figure 1-20.
  • Page 276: CDP-Compatible LLDP Configuration Example

    1-22, ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 of Switch A are each connected to a Cisco IP phone. On Switch A, configure VLAN 2 as a voice VLAN and configure CDP-compatible LLDP to enable the Cisco IP phones to automatically configure the voice VLAN, thus confining their voice traffic within the voice VLAN and keeping it separate from other types of traffic.
  • Page 277 # Configure the voice VLAN function on the two ports. Select Network > Voice VLAN from the navigation bar and click the Port Setup tab to enter the page for configuring the voice VLAN function on ports, as shown in Figure 1-25.
  • Page 278 # Enable LLDP on ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. If LLDP is enabled (the default), skip this step. # Set both the LLDP operating mode and the CDP operating mode to TxRx on ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
  • Page 279 Figure 1-26 The Port Setup tab...
  • Page 280 Figure 1-27 The page for modifying LLDP settings on ports Select TxRx from the LLDP Operating Mode dropdown list. Select TxRx from the CDP Operating Mode dropdown list. Click Apply. # Enable global LLDP and CDP compatibility of LLDP. Click the Global Setup tab, as shown in Figure 1-28.
  • Page 281: LLDP Configuration Guidelines

    Configuration verification # Display information about LLDP neighbors on Switch A. Display information about LLDP neighbors on Switch A after completing the configuration. You can see that Switch A has discovered the Cisco IP phones attached to ports GigabitEthernet1/0/1 and GigabitEthernet1/0/2 and obtained their device information.
  • Page 282: IGMP Snooping

    Protocols and Standards 1-4; Configuring IGMP Snooping 1-4; Configuration Task List 1-4; Enabling IGMP snooping Globally 1-5; Configuring IGMP Snooping in a VLAN 1-6; Configuring IGMP Snooping Port Functions 1-7; Display IGMP Snooping Multicast Entry Information 1-8; IGMP Snooping Configuration Examples 1-9...
  • Page 283: IGMP Snooping

    1-1, when IGMP snooping is not running on the switch, multicast packets are flooded to all devices at Layer 2. However, when IGMP snooping is running on the switch, multicast packets for known multicast groups are multicast to the receivers, rather than broadcast to all hosts, at Layer 2.
  • Page 284: Work Mechanism of IGMP Snooping

    IGMP snooping related ports include: Router port: A router port is a port on an Ethernet switch that leads the switch towards the Layer 3 multicast device (DR or IGMP querier). In the figure, GigabitEthernet 1/0/1 of Switch A and GigabitEthernet 1/0/1 of Switch B are router ports.
  • Page 285 The switch resets the aging timer for the receiving port if the port is in the router port list; the switch adds the receiving port to the router port list if it is not in the list and starts the aging timer for the port.
  • Page 286: Protocols and Standards

    If the forwarding table entry does not exist or if its outgoing port list does not contain the port, the switch discards the IGMP leave group message instead of forwarding it to any port.
  • Page 287: Enabling IGMP Snooping Globally

    IGMP snooping is enabled in the VLAN. Display IGMP Snooping Multicast Entry Information: Optional. Enabling IGMP snooping Globally: Select Network > IGMP Snooping in the navigation tree to enter the basic configuration page shown in Figure 1-3. Figure 1-3 Basic IGMP snooping configurations. Table 1-2...
  • Page 288: Configuring IGMP Snooping in a VLAN

    IGMP snooping configuration task list. Configuring IGMP Snooping in a VLAN: Select Network > IGMP Snooping in the navigation tree to enter the basic configuration page shown in Figure 1-3. Click the icon corresponding to the VLAN to enter the page where you can configure IGMP...
  • Page 289: Configuring IGMP Snooping Port Functions

    Return to IGMP snooping configuration task list. Configuring IGMP Snooping Port Functions Select Network > IGMP Snooping in the navigation tree to enter the basic configuration page and then click the Advanced tab to enter the page shown in Figure 1-5.
  • Page 290: Display IGMP Snooping Multicast Entry Information

    The fast leave function helps improve bandwidth and resource usage. If fast leave is enabled for a port to which more than one host is attached, when one host leaves a multicast group, the other hosts listening to the same multicast group will fail to receive multicast data.
  • Page 291: IGMP Snooping Configuration Examples

    1-8, Router A connects to a multicast source (Source) through Ethernet 1/2, and to Switch A through Ethernet 1/1. The multicast source sends multicast data to group 224.1.1.1. Host A is a receiver of the multicast group. IGMPv2 runs on Router A and IGMP snooping version 2 runs on Switch A.
  • Page 292: Routing

    Configure Switch A # Create VLAN 100 and add GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 100. Select Network > VLAN in the navigation tree and click the Create tab to enter the configuration page shown in Figure 1-9.
  • Page 293 Figure 1-9 Create VLAN 100. Type the VLAN ID 100. Click Apply to complete the operation. Click the Modify Port tab to enter the configuration page shown in Figure 1-10...
  • Page 294 Type the VLAN ID 100. Click Apply to complete the operation. # Enable IGMP snooping globally. Select Network > IGMP snooping in the navigation tree to enter the basic configuration page and perform the following as shown in Figure 1-11.
  • Page 295 Figure 1-11 Enable IGMP snooping globally Select Enable and click Apply to globally enable IGMP snooping. # In VLAN 100, enable IGMP snooping and the function of dropping unknown multicast data. Click the icon corresponding to VLAN 100 to enter its configuration page and perform the...
  • Page 296 Select Network > IGMP Snooping in the navigation tree to enter the basic configuration page. Click the plus sign (+) in front of Show Entries in the basic VLAN configuration page to display information about IGMP snooping multicast entries, as shown in Figure 1-14.
  • Page 297 (0.0.0.0, 224.1.1.1) to view details about this entry, as shown in Figure 1-15. Figure 1-15 Details about an IGMP snooping multicast entry. As shown above, GigabitEthernet 1/0/3 of Switch A is listening to multicast streams destined for multicast group 224.1.1.1...
  • Page 298 Table of Contents 1 Routing Configuration 1-1; Overview 1-1; Routing Table 1-1; Static Route 1-1; Default Route 1-2; Configuring IPv4 Routing 1-2; Displaying the IPv4 Active Route Table 1-2; Creating an IPv4 Static Route 1-3; Static Route Configuration Examples 1-4; Precautions 1-8...
  • Page 299: Routing Configuration

    Routing Table Routers forward packets through a routing table. Each entry in the table specifies which physical interface a packet should go out to reach the next hop (the next router) or the directly connected destination. Routes in a routing table fall into three categories by origin: Direct routes: Routes discovered by data link protocols, also known as interface routes.
  • Page 300: Default Route

    A router selects the default route when it cannot find any matching entry in the routing table for a packet. If there is no default route, the packet will be discarded and an ICMP packet will be sent to the source to report that the destination is unreachable.
  • Page 301: Creating an IPv4 Static Route

    Creating an IPv4 Static Route Select Network > IPv4 Routing from the navigation tree and click the Create tab to enter the IPv4 static route configuration page, as shown in Figure 1-2.
  • Page 302: Static Route Configuration Examples

    Configuration outlines: On Switch A, configure a default route with Switch B as the next hop. On Switch B, configure one static route with Switch A as the next hop and another with Switch C as the next hop.
  • Page 303 # Configure a static route to Switch A and Switch C respectively on Switch B. After you log in to the Web interface of Switch B, select Network > IPv4 Routing from the navigation tree and then click the Create tab to enter the page shown in Figure 1-5.
  • Page 304 # Configure a default route to Switch B on Switch C. After you log in to the Web interface of Switch C, select Network > IPv4 Routing from the navigation tree and then click the Create tab to enter the page as shown in Figure 1-6.
  • Page 305 Verify the configuration # Display the route table. Enter the IPv4 route page of Switch A, Switch B, and Switch C respectively to verify that the newly configured static routes are displayed as active routes on the page. # Use the ping command for verification.
  • Page 306: Precautions

    When configuring a static route, the static route does not take effect if you specify the next hop address first and then configure that address as the IP address of a local interface, such as a VLAN interface. When specifying the output interface, note that: If the NULL 0 interface is specified as the output interface, there is no need to configure the next hop address.
  • Page 307 Application Environment 2-1; Fundamentals 2-1; DHCP Relay Agent Configuration Task List 2-2; Enabling DHCP and Configuring Advanced Parameters for the DHCP Relay Agent 2-3; Creating a DHCP Server Group 2-4; Enabling the DHCP Relay Agent on an Interface 2-5; Configuring and Displaying Clients' IP-to-MAC Bindings 2-6; DHCP Relay Agent Configuration Example 2-6...
  • Page 308: DHCP Overview

    Dynamic Host Configuration Protocol (DHCP) was introduced to solve these problems. DHCP is built on a client-server model, in which a client sends a configuration request and then the server returns a reply to send configuration parameters such as an IP address to the client.
  • Page 309: Dynamic IP Address Allocation Process

    Automatic allocation: DHCP assigns a permanent IP address to a client. Dynamic allocation: DHCP assigns an IP address to a client for a limited period of time, which is called a lease. Most DHCP clients obtain their addresses in this way.
  • Page 310: IP Address Lease Extension

    The leftmost bit is defined as the BROADCAST (B) flag. If this flag is set to 0, the DHCP server sends its reply back by unicast; if this flag is set to 1, the DHCP server sends its reply back by broadcast.
  • Page 311: DHCP Options

    Option 33: Static route option. It specifies a list of classful static routes (the destination addresses in these static routes are classful) that a client should add to its routing table. If Option 121 exists, Option 33 is ignored.
  • Page 312: Protocols and Standards

    Option 82 is the relay agent option in the option field of the DHCP message. It records the location information of the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client’s request, it adds Option 82 to the request message before forwarding the message to the server.
  • Page 313: DHCP Relay Agent Configuration

    (Figure labels: DHCP relay agent, DHCP client, DHCP client, DHCP server.) Whether or not a relay agent exists, the DHCP server and client interact with each other in a similar way (see section Dynamic IP Address Allocation Process). The following describes the...
  • Page 314: DHCP Relay Agent Configuration Task List

    2-2, the DHCP relay agent works as follows: After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the message to the designated DHCP server in unicast mode.
  • Page 315: Enabling DHCP and Configuring Advanced Parameters for the DHCP Relay Agent

    Enabling DHCP and Configuring Advanced Parameters for the DHCP Relay Agent Select Network > DHCP from the navigation tree to enter the default DHCP Relay page. Enable or disable DHCP in the DHCP Service field. Click Display Advanced Configuration to expand the...
  • Page 316: Creating a DHCP Server Group

    DHCP Relay Agent Configuration Task List. Creating a DHCP Server Group Select Network > DHCP from the navigation tree to enter the default DHCP Relay page shown in Figure 2-3. In the Server Group field, click Add to enter the page shown in Figure 2-4.
  • Page 317: Enabling the DHCP Relay Agent on an Interface

    List. Enabling the DHCP Relay Agent on an Interface Select Network > DHCP from the navigation tree to enter the default DHCP Relay page shown in Figure 2-3. In the Interface Config field, the DHCP relay agent state of interfaces is displayed. Click the...
  • Page 318: Configuring and Displaying Clients' IP-to-MAC Bindings

    Configuring and Displaying Clients' IP-to-MAC Bindings Select Network > DHCP from the navigation tree to enter the default DHCP Relay page shown in Figure 2-3. In the User Information field, click the User Information button to view static and dynamic...
  • Page 319 Configuration procedure Specify IP addresses for interfaces (omitted) Configure the DHCP relay agent # Enable DHCP. Select Network > DHCP from the navigation tree to enter the default DHCP Relay page. Perform the following operations, as shown in Figure 2-9.
  • Page 320 Click on the Enable radio button next to DHCP Service. Click Apply. # Configure a DHCP server group. In the Server Group field, click Add and then perform the following operations, as shown in Figure 2-10. Figure 2-10 Add a DHCP server group Type 1 for Server Group ID.
  • Page 321 Click on the Enable radio button next to DHCP Relay. Select 1 for Server Group ID. Click Apply. Because the DHCP relay agent and server are on different subnets, you need to configure a static route or dynamic routing protocol to make them reachable to each other.
  • Page 322: DHCP Snooping Configuration

    A DHCP snooping-enabled device does not work if it is placed between the DHCP relay agent and the DHCP server; it works when it is placed between the DHCP client and the relay agent or between the DHCP client and the server.
  • Page 323: Application Environment of Trusted Ports

    3-1, a DHCP snooping device’s port that is connected to an authorized DHCP server should be configured as a trusted port to forward reply messages from the DHCP server, so that the DHCP client can obtain an IP address from the authorized DHCP server.
  • Page 324: DHCP Snooping Support for Option 82

    Option 82, if any. The handling strategies are described in the table below. If a reply returned by the DHCP server contains Option 82, the DHCP snooping device will remove the Option 82 before forwarding the reply to the client. If the reply contains no Option 82, the DHCP snooping device forwards it directly.
  • Page 325: Enabling DHCP Snooping

    Display clients' IP-to-MAC bindings recorded by DHCP snooping. Enabling DHCP Snooping: Select Network > DHCP from the navigation tree, and then click the DHCP Snooping tab to enter the page shown in Figure 3-3. You can enable or disable DHCP snooping in the DHCP Snooping field.
  • Page 326: Configuring DHCP Snooping Functions on an Interface

    Configuring DHCP Snooping Functions on an Interface Select Network > DHCP from the navigation tree, and then click the DHCP Snooping tab to enter the page shown in Figure 3-3. You can view trusted and untrusted ports in the Interface Config field. Click...
  • Page 327: DHCP Snooping Configuration Example

    DHCP-ACK messages received from a trusted port. Figure 3-6 Network diagram for DHCP snooping configuration Configuration procedure # Enable DHCP snooping. Select Network > DHCP from the navigation tree, and then click the DHCP Snooping tab. Perform the following operation, as shown in Figure 3-7.
  • Page 328 Click on the Enable radio button next to DHCP Snooping. # Configure DHCP snooping functions on GigabitEthernet 1/0/1. Click the icon of GigabitEthernet 1/0/1 on the interface list. Perform the following operations on the DHCP Snooping Interface Configuration page shown in Figure...
  • Page 329 Click on the Trust radio button next to Interface State. Click Apply. # Configure DHCP snooping functions on GigabitEthernet 1/0/2. Click the icon of GigabitEthernet 1/0/2 on the interface list. Perform the following operations on the DHCP Snooping Interface Configuration page shown in Figure 3-9.
  • Page 330 Click on the Untrust radio button for Interface State. Click on the Enable radio button next to Option 82 Support. Select Replace for Option 82 Strategy. Click Apply.
  • Page 331: Service Management

    Table of Contents 1 Service Management 1-1; Overview 1-1; Configuring Service Management 1-2...
  • Page 332: Service Management

    The secure file transfer protocol (SFTP) is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer. The device can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The device can also serve as an SFTP client, enabling a user to log in from the device to a remote device for secure file transfer.
  • Page 333: Configuring Service Management

    Encrypts the data exchanged between the HTTPS client and the device to ensure data security and integrity, thus realizing secure management of the device; Defines a certificate attribute-based access control policy for the device to control the access rights of clients, in order to further avoid attacks from illegal clients.
  • Page 334 HTTP. Port Number: When you modify a port, ensure that the port is not used by other services. Associates the HTTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTP service.
  • Page 335: Diagnostic Tools

    Table of Contents 1 Diagnostic Tools 1-1; Overview 1-1; Ping 1-1; Trace Route 1-1; Diagnostic Tool Operations 1-2; Ping Operation 1-2; Trace Route Operation 1-3...
  • Page 336: Diagnostic Tools

    Diagnostic Tools Overview Ping You can use the ping function to check whether a device with a specified address is reachable, and to examine network connectivity. A successful execution of the ping command involves the following steps: The source device sends an ICMP echo request (ECHO-REQUEST) to the destination device.
  • Page 337: Diagnostic Tool Operations

    1-1. Figure 1-1 Ping configuration page Type the IPv4 address of the destination device in the Ping text box, and click Start to execute the ping command. You will see the result in the Summary area. Figure 1-2 Ping operation result...
  • Page 338: Trace Route Operation

    1-3. Figure 1-3 Trace Route configuration page Type the destination IP address in the Trace Route text box, and click Start to execute the trace route command. You will see the result in the Result area, as shown in Figure 1-4.
  • Page 339 ARP Message Format 1-1; ARP Operation 1-2; ARP Table 1-2; Managing ARP Entries 1-3; Displaying ARP Entries 1-3; Creating a Static ARP Entry 1-4; Static ARP Configuration Example 1-4; Gratuitous ARP 1-8; Introduction to Gratuitous ARP 1-8; Configuring Gratuitous ARP 1-8; 2 ARP Attack Defense Configuration 2-1; ARP Detection 2-1...
  • Page 340: ARP Management

    The Address Resolution Protocol (ARP) is used to resolve an IP address into an Ethernet MAC address (or physical address). In an Ethernet LAN, when a device sends data to another device, it uses ARP to translate the IP address of the destination device to the corresponding MAC address.
  • Page 341: ARP Operation

    1-2. The resolution process is as follows: Host A looks into its ARP table to see whether there is an ARP entry for Host B. If yes, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.
  • Page 342: Managing ARP Entries

    Static ARP entry A static ARP entry is manually configured and maintained. It cannot get aged or be overwritten by a dynamic ARP entry. Using static ARP entries enhances communication security. After a static ARP entry is specified, only a specific MAC address is associated with the specified IP address.
  • Page 343: Creating a Static ARP Entry

    Creating a Static ARP Entry Select Network > ARP Management from the navigation tree to enter the default ARP Table page shown in Figure 1-3. Click Add to enter the New Static ARP Entry page. Select the Advanced Options checkbox to expand advanced configuration items, as shown in Figure 1-4.
  • Page 344 Figure 1-5 Network diagram for configuring static ARP entries Configuration procedure # Create VLAN 100. Select Network > VLAN from the navigation tree, click the Add tab, and then perform the following operations, as shown in Figure 1-6. Figure 1-6 Create VLAN 100 Type 100 for VLAN ID.
  • Page 345 Figure 1-8 Configuration progress dialog box After the configuration process is complete, click Close. # Create VLAN-interface 100. Select Network > VLAN Interface from the navigation tree, click the Create tab, and then perform the following operations, as shown in Figure...
  • Page 346 Select 24 (255.255.255.0) for Mask Length. Click Apply to complete the configuration. # Create a static ARP entry. Select Network > ARP Management from the navigation tree to enter the default ARP Table page. Click Add. Perform the following operations, as shown in Figure 1-10.
  • Page 347: Gratuitous ARP

    Introduction to Gratuitous ARP In a gratuitous ARP packet, the sender IP address and the target IP address are both the IP address of the device issuing the packet, the sender MAC address is the MAC address of the device, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff.
  • Page 348 Periodical gratuitous ARP packets sending settings: To remove an interface from the Sending Interfaces(Period) list box, select the interface from the list box and click the >> button. This function takes effect only when the link of the interface goes up and an IP address has been assigned to the interface.
  • Page 349: Arp Attack Defense Configuration

    2-1, Host A communicates with Host C through a switch. After intercepting the traffic between Host A and Host C, a hacker (Host B) forwards forged ARP replies to Host A and Host C respectively. Upon receiving the ARP replies, the two hosts update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B (MAC_B).
  • Page 350 Upon receiving an ARP packet from an ARP trusted port, the device does not check the ARP packet. If ARP detection is not enabled for the VLAN, the ARP packet is not checked even if it is received from an ARP untrusted port.
  • Page 351 ARP trusted/untrusted port, compares the source IP and MAC addresses of the ARP packet against the static IP-to-MAC bindings. If an entry with a matching IP address but a different MAC address is found, the ARP packet is considered invalid and discarded.
  • Page 352: Configuring Arp Detection

    Configuring ARP Detection If both the ARP detection based on specified objects and the ARP detection based on static IP-to-MAC bindings/DHCP snooping entries/802.1X security entries are enabled, the former one applies first, and then the latter applies. Select Network > ARP Anti-Attack from the navigation tree to enter the default ARP Detection page...
  • Page 353: Creating A Static Binding Entry

    If you select Using Static-Binding entries to anti fake gateway attack, you can configure static IP-to-MAC binding entries. To create a static binding entry, type an IP address and MAC address in the Static Bindings field, and then click Add, as shown in Figure 2-2.
  • Page 354 If an entry with a matching IP address but a different MAC address is found, the ARP packet is considered invalid and discarded. If an entry with both matching IP and MAC addresses is found, the ARP packet is considered valid and can pass the detection.
  • Page 355 Authentication Process of 802.1X (1-5); 802.1X Timers (1-8); 802.1X Extensions (1-9); Features Working Together with 802.1X (1-9); Configuring 802.1X (1-10); Configuration Task List (1-10); Configuring 802.1X Globally (1-11); Configuring 802.1X on a Port (1-12); Configuration Examples (1-14); 802.1X Configuration Example (1-14); ACL Assignment Configuration Example (1-20); Configuration Guidelines (1-28)...
  • Page 356: Architecture Of 802.1X

    Figure 1-1 Architecture of 802.1X Client is an entity seeking access to the LAN. It resides at one end of a LAN segment and is authenticated by Device at the other end of the LAN segment. Client is usually a user-end device such as a PC.
  • Page 357: Basic Concepts Of 802.1X

    Controlled port and uncontrolled port A device provides ports for clients to access the LAN. Each port can be regarded as a unity of two logical ports: a controlled port and an uncontrolled port. Any packets arriving at the port are visible to both of the logical ports.
  • Page 358: Eap Over Lans

    EAPOL-Logoff (a value of 0x02) device. Length: Length of the data, that is, length of the Packet body field, in bytes. If the value of this field is 0, no subsequent data field is present. Packet body: Content of the packet. The format of this field depends on the value of the Type field.
  • Page 359: Eap Over Radius

    The value of the Type field is 79. The String field can be up to 253 bytes long. If the EAP packet is longer than 253 bytes, it can be fragmented and encapsulated into multiple EAP-Message attributes.
  • Page 360: 802.1X Authentication Triggering

    EAP relay EAP relay is defined in IEEE 802.1X. In this mode, EAP packets are carried in an upper layer protocol, such as RADIUS, so that they can go through complex networks and reach the authentication server.
  • Page 361 Port unauthorized When a user launches the 802.1X client software and enters the registered username and password, the 802.1X client software generates an EAPOL-Start frame and sends it to the device to initiate an authentication process. Upon receiving the EAPOL-Start frame, the device responds with an EAP-Request/Identity packet for the username of the client.
  • Page 362 EAP-Failure packet to the client. In EAP relay mode, a client must use the same authentication method as that of the RADIUS server. On the device, however, you only need to enable EAP relay.
  • Page 363: 802.1X Timers

    RADIUS server for authentication. 802.1X Timers This section describes the timers used on an 802.1X device to guarantee that the client, the device, and the RADIUS server can interact with each other in a reasonable manner.
  • Page 364: 802.1X Extensions

    If the port link type is Hybrid, the assigned VLAN is allowed to pass the current port without carrying the tag. The default VLAN ID of the port is that of the assigned VLAN. Note that if the Hybrid port is...
  • Page 365: Radius

    With a Hybrid port, the VLAN assignment will fail if you have configured the assigned VLAN to carry tags. With a Hybrid port, you cannot configure an assigned VLAN to carry tags after the VLAN has been assigned. ACL assignment ACLs provide a way of controlling access to network resources and defining access rights.
  • Page 366: Configuring 802.1X Globally

    Configuring 802.1X Globally From the navigation tree, select Authentication > 802.1X to enter the 802.1X configuration page. Click the expansion mark + before Advanced to display the complete 802.1X configuration page, as shown in Figure 1-10. In the 802.1X Configuration area, you can view and configure the 802.1X feature globally.
  • Page 367: Configuring 802.1X On A Port

    802.1X configuration procedure. Configuring 802.1X on a Port From the navigation tree, select Authentication > 802.1X to enter the 802.1X configuration page, as shown in Figure 1-10. In the Ports With 802.1X Enabled area, the 802.1X configuration on ports is listed.
  • Page 368 Port: Select the port to be enabled with 802.1X authentication. Only ports not enabled with 802.1X authentication are available. Port Control: Specify the 802.1X port access control method for the port, which can be MAC Based or Port Based. Specify the 802.1X authorization mode for the port.
  • Page 369: Configuration Examples

    Specify the device to try up to five times at an interval of 5 seconds in transmitting a packet to the RADIUS server until it receives a response from the server, and to send real time accounting packets to the accounting server every 15 minutes.
  • Page 370 Select the check box before Enable 802.1X. Select the authentication method as CHAP. Click Apply to finish the operation. # Enable and configure 802.1X on port GigabitEthernet 1/0/1. In the Ports With 802.1X Enabled area, click Add. Figure 1-14 802.1X configuration of GigabitEthernet 1/0/1...
  • Page 371 # Configure the RADIUS authentication servers. From the navigation tree, select Authentication > RADIUS. The RADIUS server configuration page appears. Figure 1-15 RADIUS authentication server configuration Perform the following configurations as shown in Figure 1-15. Select Authentication Server as the server type.
  • Page 372 Select active as the secondary server’s status. Click Apply to finish the operation. # Configure the scheme used for communication between the device and the RADIUS servers. Select the RADIUS Setup tab to enter the RADIUS parameter configuration page. Perform the...
  • Page 373 From the navigation tree, select Authentication > AAA. The domain setup page appears. Perform the following configurations as shown in Figure 1-18. Figure 1-18 Create an ISP domain Enter test in the Domain Name textbox. Select Enable to use the domain as the default domain.
  • Page 374 Select system from the Name drop-down list to use it as the authentication scheme. Click Apply. A configuration progress dialog box appears, as shown in Figure 1-20. Figure 1-20 Configuration progress dialog box After the configuration process is complete, click Close.
  • Page 375: Acl Assignment Configuration Example

    Figure 1-23, the switch and the RADIUS authentication servers (iMC servers) work together to authenticate the host that is to access the Internet. An FTP server is on the Internet, and its IP address is 10.0.0.1. Configure the authentication server to assign ACL 3000.
  • Page 376 Configure the IP addresses of the interfaces. (Omitted) Configure the RADIUS scheme system # Configure the RADIUS authentication server. From the navigation tree, select Authentication > RADIUS. The RADIUS server configuration page appears. Figure 1-24 RADIUS authentication server configuration Perform the following configurations as shown in Figure 1-24.
  • Page 377 Select active as the primary server status. Click Apply to finish the operation. # Configure the scheme to be used for communication between the switch and the RADIUS servers. Select the RADIUS Setup tab to enter the RADIUS parameter configuration page.
  • Page 378 Click Apply to finish the operation. # Configure the AAA authentication method for the ISP domain. Select the Authentication tab. Figure 1-28 Configure the AAA authentication method for the ISP domain Perform the following configurations as shown in Figure 1-28.
  • Page 379 Select the Default AuthN checkbox and then select RADIUS as the authentication mode. Select system from the Name drop-down list to use it as the authentication scheme. Click Apply. The configuration progress dialog box appears, as shown in Figure 1-29.
  • Page 380 Configure an ACL # Create ACL 3000 that denies packets with destination IP address 10.0.0.1. From the navigation tree, select QoS > ACL IPv4 to enter the IPv4 ACL configuration page, and then select the Create tab. Figure 1-32 Create ACL 3000...
  • Page 381 Select the Rule ID check box, and enter 0 as the rule ID. Select Deny as the operation action. In the IP Address Filter area, select the Destination IP Address check box, and enter 10.0.0.1 in the text box...
  • Page 382 Click Add to finish the operation. Configure the 802.1X feature # Enable the 802.1X feature globally. From the navigation tree, select Authentication > 802.1X to enter the 802.1X configuration page. Figure 1-34 Global 802.1X globally Perform the following configuration as shown in Figure 1-34.
  • Page 383: Configuration Guidelines

    Click Apply to finish the operation. Configuration verification # After the user passes authentication and gets online, use the ping command to test whether ACL 3000 takes effect. From the navigation tree, select Network > Diagnostic Tools. The ping page appears.
  • Page 384 Introduction to ISP Domain (1-2); Configuring AAA (1-2); Configuration Prerequisites (1-2); Configuration Task List (1-2); Configuring an ISP Domain (1-3); Configuring Authentication Methods for the ISP Domain (1-4); Configuring Authorization Methods for the ISP Domain (1-6); Configuring Accounting Methods for the ISP Domain (1-7); AAA Configuration Example (1-8)...
  • Page 385: Aaa Configuration

    Figure 1-1 AAA networking diagram When a user tries to establish a connection to the NAS and to obtain the rights to access other networks or some network resources, the NAS authenticates the user or the corresponding connection. The NAS takes the responsibility to transparently pass the user’s AAA information to the server (RADIUS server,...
  • Page 386: Introduction To Isp Domain

    AAA methods for the ISP domains. For the NAS, each user belongs to an ISP domain. If a user does not provide the ISP domain name, the system considers that the user belongs to the default ISP domain.
  • Page 387: Configuring An Isp Domain

    Command users. Methods for the ISP of users. Domain By default, all types of users use local accounting. Configuring an ISP Domain Select Authentication > AAA from the navigation tree. The Domain Setup page appears, as shown in Figure 1-2.
  • Page 388 Return to Configuration Task List. Configuring Authentication Methods for the ISP Domain Select Authentication > AAA from the navigation tree and then select the Authentication tab to enter the authentication method configuration page, as shown in Figure 1-3.
  • Page 389 Figure 1-3 Authentication method configuration page Table 1-3 describes the configuration items for specifying the authentication methods for an ISP domain. Table 1-3 Authentication method configuration items Item Description Select an ISP Select the ISP domain for which you want to specify authentication methods.
  • Page 390 Configuring Authorization Methods for the ISP Domain Select Authentication > AAA from the navigation tree and then select the Authorization tab to enter the authorization method configuration page, as shown in Figure 1-4. Figure 1-4 Authorization method configuration page Table 1-4 describes the configuration items for configuring the authorization methods for an ISP domain.
  • Page 391 Return to Configuration Task List. Configuring Accounting Methods for the ISP Domain Select Authentication > AAA from the navigation tree and then select the Accounting tab to enter the accounting method configuration page, as shown in Figure 1-5. Figure 1-5 Accounting method configuration page Table 1-5 describes the configuration items for configuring the accounting methods for an ISP domain.
  • Page 392: Aaa Configuration Example

    Telnet users. Figure 1-6 Network diagram for AAA configuration example Configuration procedure Enable the Telnet server function, and configure the switch to use AAA for Telnet users. The configuration steps are omitted. # Configure IP addresses for the interfaces. (Omitted)
  • Page 393 Select Device > Users from the navigation tree and then select the Create tab to configure a local user as shown in Figure 1-7. Figure 1-7 Configure a local user Enter telnet as the username. Select Management as the access level.
  • Page 394 Enter test as the domain name. Click Apply. # Configure the ISP domain to use local authentication. Select Authentication > AAA from the navigation tree and then select the Authentication tab and configure AAA authentication as shown in Figure 1-9.
  • Page 395 Figure 1-10 Configuration progress dialog box After the configuration process is complete, click Close. # Configure the ISP domain to use local authorization. Select Authentication > AAA from the navigation tree and then select the Authorization tab and configure AAA authorization as shown in Figure 1-11.
  • Page 396 Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close. Now, if you telnet to the switch and enter username telnet@test and password abcd, you should be serviced as a user in domain test.
  • Page 397 1 RADIUS (1-1); Overview (1-1); Introduction to RADIUS (1-1); Client/Server Model (1-1); Security and Authentication Mechanisms (1-2); Basic Message Exchange Process of RADIUS (1-2); RADIUS Packet Format (1-3); Extended RADIUS Attributes (1-5); Protocols and Standards (1-6); Configuring RADIUS (1-6); Configuration Task List (1-6); Configuring RADIUS Servers (1-7)...
  • Page 398: Radius

    RADIUS uses UDP, and its packet format and message transfer mechanism are based on UDP. It uses UDP port 1812 for authentication and 1813 for accounting.
  • Page 399: Security And Authentication Mechanisms

    The RADIUS server returns a start-accounting response (Accounting-Response) and starts accounting. The user accesses the network resources. The host requests the RADIUS client to tear down the connection and the RADIUS client sends a stop-accounting request (Accounting-Request) to the RADIUS server.
  • Page 400: Radius Packet Format

    The user stops access to network resources. RADIUS Packet Format RADIUS uses UDP to transmit messages. It ensures the smooth message exchange between the RADIUS server and the client through a series of mechanisms, including the timer management mechanism, retransmission mechanism, and slave server mechanism.
  • Page 401 4096. Bytes beyond the length are considered the padding and are neglected upon reception. If the length of a received packet is less than that indicated by the Length field, the packet is dropped. The Authenticator field (16-byte long) is used to authenticate replies from the RADIUS server, and is also used in the password hiding algorithm.
  • Page 402: Extended Radius Attributes

    Extended RADIUS Attributes The RADIUS protocol features excellent extensibility. Attribute 26 (Vendor-Specific) defined by RFC 2865 allows a vendor to define extended attributes to implement functions that the standard RADIUS protocol does not provide. A vendor can encapsulate multiple type-length-value (TLV) sub-attributes in RADIUS packets for extension in applications.
  • Page 403: Protocols And Standards

    Vendor-ID (four bytes): Indicates the ID of the vendor. Its most significant byte is 0 and the other three bytes contain a code complying with RFC 1700. Vendor-Type: Indicates the type of the sub-attribute. Vendor-Length: Indicates the length of the sub-attribute.
  • Page 404: Configuring Radius Servers

    Configure the parameters that are necessary for information exchange Parameters between the device and RADIUS servers. Configuring RADIUS Servers From the navigation tree, select Authentication > RADIUS. The RADIUS server configuration page Figure 1-5. appears, as shown in Figure 1-5 RADIUS server configuration Table 1-4 lists the RADIUS server configuration items.
  • Page 405 IP address is to be removed, the status is blocked. Return to RADIUS configuration task list. Configuring RADIUS Parameters From the navigation tree, select Authentication > RADIUS and then select the RADIUS Setup tab to enter the RADIUS parameter configuration page, as shown in Figure 1-6.
  • Page 406 Confirm Accounting Shared Key NAS-IP: Specify the source IP address for the device to use in RADIUS packets to be sent to the RADIUS server. It is recommended to use a loopback interface address instead of a physical interface address as the source IP address, because if the physical interface is down, the response packets from the server cannot reach the device.
  • Page 407 The product of the timeout value and the number of retransmission attempts cannot exceed 75. Set the real-time accounting interval, whose value must be n times 3 (n is an integer). To implement real-time accounting on users, it is necessary to set the real-time accounting interval.
  • Page 408: Radius Configuration Example

    On the switch, it is required to configure the shared key for packet exchange with the RADIUS server as expert, and configure the system to remove the domain name of a username before sending it to the RADIUS server.
  • Page 409 Enter 1813 as the UDP port of the primary accounting server. Select active as the primary server status. Click Apply. # Configure the parameters for communication between the switch and the RADIUS servers. Select the RADIUS Setup tab and perform the following configurations, as shown in Figure 1-10.
  • Page 410 Figure 1-10 Configure RADIUS parameters Select extended as the server type. Select the Authentication Server Shared Key check box and enter expert in the text box. Enter expert in the Confirm Authentication Shared Key text box. Select the Accounting Server Shared Key check box and enter expert in the text box.
  • Page 411 Select the domain name test. Select the Default AuthN checkbox and then select RADIUS as the authentication mode. Select system from the Name drop-down list to use it as the authentication scheme. Click Apply. A configuration progress dialog box appears, as shown in Figure 1-13.
  • Page 412 Select the domain name test. Select the Default AuthZ checkbox and then select RADIUS as the authorization mode. Select system from the Name drop-down list to use it as the authorization scheme. Click Apply. A configuration progress dialog box appears.
  • Page 413: Configuration Guidelines

    RADIUS does not support accounting for FTP users. If the iMC server is used as the RADIUS server, it is necessary to configure accounting as optional for users in the ISP domain because the iMC server does not respond to accounting packets.
  • Page 414 Table of Contents 1 Users (1-1); Overview (1-1); Configuring Users (1-1); Configuring a Local User (1-1); Configuring a User Group (1-3)...
  • Page 415: Configuring Users

    All local users in a user group inherit the user attributes of the group, but if you configure user attributes for a local user, the settings of the local user take precedence over the settings for the user group.
  • Page 416 Service-type: (accessing through the Ethernet, such as 802.1x users), and SSH. If you do not specify any service type for a local user who uses local authentication, the user cannot pass authentication and therefore cannot log Specify an expiration time for the local user, in the format HH:MM:SS-YYYY/MM/DD.
  • Page 417 Currently, switch 2900 series do not support user-profile configuration. Configuring a User Group Select Authentication > Users from the navigation tree, and then select the User Group tab to display the existing user groups, as shown in Figure 1-3. Then, click Add to enter the user group configuration...
  • Page 418 VLAN: Specify the VLAN to be authorized to users of the user group after the users pass authentication. Specify the ACL to be used by the access device to control the access of users of the user group after the users pass authentication. Specify the user profile for the user group.
  • Page 419 Generating an RSA Key Pair (1-10); Destroying the RSA Key Pair (1-11); Retrieving a Certificate (1-11); Requesting a Local Certificate (1-13); Retrieving and Displaying a CRL (1-14); PKI Configuration Example (1-15); Configuring a PKI Entity to Request a Certificate from a CA (1-15); Configuration Guidelines (1-20)...
  • Page 420: Pki Configuration

    ITU-T_X.509. This manual involves two types of certificates: local certificate and CA certificate. A local certificate is a digital certificate signed by a CA for an entity, while a CA certificate, also known as a root certificate, is signed by the CA for itself.
  • Page 421: Architecture Of Pki

    Figure 1-1 PKI architecture Entity An entity is an end user of PKI products or services, such as a person, an organization, a device like a router or a switch, or a process running on a computer. A certificate authority (CA) is a trusted authority responsible for issuing and managing digital certificates.
  • Page 422: Operation Of Pki

    Operation of PKI In a PKI-enabled network, an entity can request a local certificate from the CA and the device can check the validity of certificate. The following describes how it works: An entity submits a certificate request to the CA.
  • Page 423: Creating A Pki Entity

    Creating a PKI entity: Required. Create a PKI entity and configure the identity information. A certificate is the binding of a public key and an entity, where an entity is the collection of the identity information of a user. A CA identifies a certificate applicant by entity.
  • Page 424: Destroying The Rsa Key Pair

    Creating a PKI Entity: Required. Create a PKI entity and configure the identity information. A certificate is the binding of a public key and an entity, where an entity is the collection of the identity information of a user. A CA identifies a certificate applicant by entity.
  • Page 425 Displaying a CRL Retrieve a CRL and display its contents. Creating a PKI Entity Select Authentication > PKI from the navigation tree. The PKI entity list page is displayed by default, as shown in Figure 1-2. Click Add on the page to enter the PKI entity configuration page, as shown in Figure 1-3.
  • Page 426 Type the IP address of the entity. FQDN: Type the fully qualified domain name (FQDN) for the entity. An FQDN is a unique identifier of an entity on the network. It consists of a host name and a domain name and can be resolved to an IP address. For example, www.whatever.com is an FQDN, where www indicates the host name and...
  • Page 427 CA Identifier responsibility of certificate registration, distribution, revocation, and query. In offline mode, this item is optional; while in other modes, this item is required. Entity Name: Select the local PKI entity. When submitting a certificate request to a CA, an entity needs to show its identity information.
  • Page 428 Item Description Requesting URL: Type the URL of the RA. The entity will submit the certificate request to the server at this URL through the SCEP protocol. The SCEP protocol is intended for communication between an entity and an authentication authority. In offline mode, this item is optional;...
  • Page 429 Configuration task list for requesting a certificate automatically. Generating an RSA Key Pair Select Authentication > PKI from the navigation tree, and then select the Certificate tab to enter the page displaying existing PKI certificates, as shown in Figure 1-6. Then, click Create Key to enter RSA...
  • Page 430 You can download an existing CA certificate or local certificate from the CA server and save it locally. To do so, you can use two ways: online and offline. In offline mode, you need to retrieve a certificate by an out-of-band means like FTP, disk, e-mail and then import it into the local PKI system.
  • Page 431 If the certificate file is saved on the device, select Get File From Device and then specify the path of the file on the device. If the certificate file is saved on a local PC, select Get File From PC and then specify the path to the file and select the partition of the device for saving the file.
  • Page 432: Requesting A Local Certificate

    Configuration task list for requesting a certificate automatically. Requesting a Local Certificate Select Authentication > PKI from the navigation tree, and then select the Certificate tab to enter the page displaying existing PKI certificates, as shown in Figure 1-6. Click Request Cert to enter the local...
  • Page 433: Retrieving And Displaying A Crl

    Retrieving and Displaying a CRL Select Authentication > PKI from the navigation tree, and then select the CRL tab to enter the page displaying CRLs, as shown in Figure 1-13. Figure 1-13 CRL page Click Retrieve CRL to retrieve the CRL of a domain.
  • Page 434: Pki Configuration Example

    Configuration procedure Configure the CA server # Create a CA server named myca. In this example, you need to configure the basic attributes of Nickname and Subject DN on the CA server at first: Nickname: Name of the trusted CA.
  • Page 435 After the above configuration, make sure that the system clock of the Switch is synchronous to that of the CA, so that the Switch can request certificates and retrieve CRLs properly. Configure Switch # Create a PKI entity. Select Authentication > PKI from the navigation tree. The PKI entity list page is displayed by default.
  • Page 436 Select the Enable CRL Checking check box. Type http://4.4.4.133:447/myca.crl as the CRL URL. Click Apply. A dialog box appears, asking "Fingerprint of the root certificate not specified. No root certificate validation will occur. Continue?" Click OK. # Generate an RSA key pair.
  • Page 437 Select the Certificate tab, and then click Create Key, as shown in Figure 1-20, and perform the configuration as shown in Figure 1-21. Figure 1-20 Certificate list Figure 1-21 Generate an RSA key pair Click Apply to generate an RSA key pair.
  • Page 438 Select torsa as the PKI domain. Select CA as the certificate type. Click Apply. # Request a local certificate. Select the Certificate tab, and then click Request Cert, as shown in Figure 1-24, and then perform the following configurations as shown in Figure 1-25.
  • Page 439: Configuration Guidelines

    PKI entity identity information in a certificate request goes beyond a certain limit, the server will not respond to the certificate request. The SCEP plug-in is required when you use the Windows Server as the CA. In this case, you need to specify RA as the authority for certificate request when configuring the PKI domain.
  • Page 440: Port Isolation Group

    Table of Contents: 1 Port Isolation Group Configuration (1-1): Overview (1-1); Configuring a Port Isolation Group (1-1); Port Isolation Group Configuration Example (1-2)...
  • Page 441: Port Isolation Group Configuration

    Configuring a Port Isolation Group Select Security > Port Isolate Group from the navigation tree and in the page that appears, click the Modify tab to enter the page shown in Figure 1-1.
  • Page 442: Port Isolation Group Configuration Example

    GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4 belong to the same VLAN. It is required that Host A, Host B, and Host C can access the Internet while being isolated from one another. Figure 1-2 Networking diagram for port isolation group configuration...
  • Page 443 # View information about the isolation group. Click Summary. The page shown in Figure 1-4 appears. Figure 1-4 Information about port isolation group 1 As shown on the page, port isolation group 1 contains these isolated ports: GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4.
  • Page 444: Authorized Ip

    Table of Contents: 1 Authorized IP Configuration (1-1): Overview (1-1); Configuring Authorized IP (1-1); Authorized IP Configuration Example (1-2); Authorized IP Configuration Example (1-2)...
  • Page 445: Authorized Ip Configuration

    Authorized IP Configuration Overview The authorized IP function is to associate the HTTP or Telnet service with an ACL to filter the requests of clients. Only the clients that pass the ACL filtering can access the device. Configuring Authorized IP Select Security >...
  • Page 446: Authorized Ip Configuration Example

    HTTP requests from Host B. Figure 1-2 Network diagram for authorized IP Configuration procedure # Create an ACL. Select QoS > ACL IPv4 from the navigation tree and then click the Create tab to enter the ACL configuration page shown in Figure 1-3.
  • Page 447 Type 0.0.0.0 in the Source Wildcard text box. Click Add. # Configure authorized IP. Select Security > Authorized IP from the navigation tree and then click the Setup tab to enter the authorized IP configuration page shown in Figure 1-5.
  • Page 448 Figure 1-5 Configure authorized IP Make the following configurations on the page: Select 2001 for IPv4 ACL in the Telnet field. Select 2001 for IPv4 ACL in the Web(HTTP) field. Click Apply.
  • Page 449 Creating an IPv4 ACL (1-5); Configuring a Rule for a Basic IPv4 ACL (1-5); Configuring a Rule for an Advanced IPv4 ACL (1-7); Configuring a Rule for an Ethernet Frame Header ACL (1-9); Configuration Guidelines (1-11). 2 QoS Configuration (2-1): Introduction to QoS (2-1); Networks Without QoS Guarantee (2-1)...
  • Page 450: Acl Configuration

    (ACLs). An ACL is a set of rules (or a set of permit or deny statements) for determining which packets can pass and which ones should be rejected based on matching criteria such as source address, destination address, and port number.
  • Page 451: Effective Period Of An Acl

    As for the configuration of a rule of an IPv4 ACL, you can specify that the rule applies to non-first fragment packets only, and does not apply to non-fragment packets or the first fragment packets. ACL rules that do not contain this keyword are applicable to both non-fragment packets and fragment packets.
  • Page 452: Acl Step

    For example, with a step of five, if the biggest number is currently 28, the newly defined rule will get a number of 30. If the ACL has no rule defined already, the first defined rule will get a number of 0.
  • Page 453: Configuring A Time Range

    Configuring a Time Range Select QoS > Time Range from the navigation tree and then select the Create tab to enter the time range configuration page, as shown in Figure 1-1. Figure 1-1 The page for creating a time range Table 1-4 describes the configuration items for creating a time range.
  • Page 454: Creating An Ipv4 Acl

    Return to IPv4 ACL configuration task list. Creating an IPv4 ACL Select QoS > ACL IPv4 from the navigation tree and then select the Create tab to enter the IPv4 ACL configuration page, as shown in Figure 1-2. Figure 1-2 The page for creating an IPv4 ACL Table 1-5 describes the configuration items for creating an IPv4 ACL.
  • Page 455 Figure 1-3 The page for configuring a basic IPv4 ACL Table 1-6 describes the configuration items for creating a rule for a basic IPv4 ACL. Table 1-6 Configuration items for a basic IPv4 ACL rule Item Description Select the basic IPv4 ACL for which you want to configure rules.
  • Page 456: Configuring A Rule For An Advanced Ipv4 Acl

    Configuring a Rule for an Advanced IPv4 ACL Select QoS > ACL IPv4 from the navigation tree and then select the Advance Setup tab to enter the rule configuration page for an advanced IPv4 ACL, as shown in Figure 1-4.
  • Page 457 Table 1-7 describes the configuration items for creating a rule for an advanced IPv4 ACL. Table 1-7 Configuration items for an advanced IPv4 ACL rule Item Description Select the advanced IPv4 ACL for which you want to configure rules. Select Access Control List (ACL) Available ACLs are advanced IPv4 ACLs that have been configured.
  • Page 458: Configuring A Rule For An Ethernet Frame Header Acl

    Configuring a Rule for an Ethernet Frame Header ACL Select QoS > ACL IPv4 from the navigation tree and then select the Link Setup tab to enter the rule configuration page for an Ethernet frame header IPv4 ACL, as shown in Figure 1-5.
  • Page 459 Figure 1-5 The page for configuring a rule for an Ethernet frame header ACL Table 1-8 describes the configuration items for creating a rule for an Ethernet frame header IPv4 ACL. Table 1-8 Configuration items for an Ethernet frame header IPv4 ACL rule...
  • Page 460: Configuration Guidelines

    You can only modify the existing rules of an ACL that uses the match order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same.
  • Page 461: Qos Configuration

    On traditional IP networks without QoS guarantee, devices treat all packets equally and handle them using the first in first out (FIFO) policy. All packets share the resources of the network and devices. How many resources the packets can obtain completely depends on the time they arrive. This service is called best-effort.
  • Page 462 (1) The traffic enters a device from a high speed link and is forwarded over a low speed link. (2) The packet flows enter a device from several incoming interfaces and are forwarded out an outgoing interface, whose rate is smaller than the total rate of these incoming interfaces.
  • Page 463: End-To-End Qos

    Traffic Classification When defining match criteria for classifying traffic, you can use IP precedence bits in the type of service (ToS) field of the IP packet header, or other header information such as IP addresses, MAC addresses, IP protocol field and port numbers.
  • Page 464: Packet Precedences

    According to RFC 2474, the ToS field of the IP header is redefined as the differentiated services (DS) field, where a DSCP value is represented by the first six bits (0 to 5) and is in the range 0 to 63. The remaining two bits (6 and 7) are reserved.
  • Page 465 Class selector (CS) class: This class is derived from the IP ToS field and includes eight subclasses; Best effort (BE) class: This class is a special CS class that does not provide any assurance. AF traffic exceeding the limit is degraded to the BE class. Currently, all IP network traffic belongs to this class by default.
  • Page 466: Queue Scheduling

    [Figure residue: bit numbering of the 802.1Q tag header fields.] The priority in the 802.1Q tag header is called 802.1p precedence, because its use is defined in IEEE 802.1p. Table 2-3 presents the values for 802.1p precedence.
  • Page 467 SP queuing schedules the eight queues strictly according to the descending order of priority. It sends packets in the queue with the highest priority first. When the queue with the highest priority is empty, it sends packets in the queue with the second highest priority, and so on. Thus, you can assign...
  • Page 468: Line Rate

    (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue. On a 100 Mbps port, you can set the weight values of WRR queuing to 50, 30, 10, 10, 50, 30, 10, and 10 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0 respectively).
  • Page 469 excessive.
  • Page 470: Priority Mapping

    In this way, the traffic rate is restricted to the rate for generating tokens, thus limiting traffic rate and allowing bursty traffic.
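The queue scheduling and line rate pages above describe two schedulers (SP and WRR, with the 100 Mbps weight example) and a token bucket. The following is an added example, not code from the 3Com manual: a small discrete model of each mechanism, so the difference between strict priority and weighted round robin can be seen in the dequeue order, and the token bucket's rate/burst behaviour can be checked on constructed packet sizes. Weights are treated as packets per round (a simplification of byte-based weighting), and the token bucket parameters are constructed values.

```python
# Added example (not 3Com code): models of SP queuing, WRR queuing and the
# token bucket used by line rate, as described in the QoS chapter.
from collections import deque
from typing import Deque, Dict, List, Tuple

Sent = List[Tuple[int, int]]  # (queue index, packet size) in send order


def sp_schedule(queues: Dict[int, Deque[int]], budget: int) -> Sent:
    """Strict priority: each slot serves the highest-numbered non-empty queue.
    Lower queues are only served once every higher queue is empty."""
    sent: Sent = []
    for _ in range(budget):
        for q in sorted(queues, reverse=True):
            if queues[q]:
                sent.append((q, queues[q].popleft()))
                break
        else:
            break  # every queue is empty
    return sent


def wrr_schedule(queues: Dict[int, Deque[int]], weights: Dict[int, int],
                 rounds: int) -> Sent:
    """Weighted round robin: in every round each queue may send up to its
    weight in packets, so a busy high queue cannot starve the low ones."""
    sent: Sent = []
    for _ in range(rounds):
        for q in sorted(queues, reverse=True):
            for _ in range(weights[q]):
                if not queues[q]:
                    break
                sent.append((q, queues[q].popleft()))
    return sent


def wrr_bandwidth_share(weights: Dict[int, int], port_rate_mbps: float) -> Dict[float, float]:
    """Long-run share of the port rate each queue gets under WRR: weight / sum of weights."""
    total = sum(weights.values())
    return {q: port_rate_mbps * w / total for q, w in weights.items()}


class TokenBucket:
    """Line rate model: tokens accrue at `rate` bytes/s up to `burst`; a packet
    is sent only if enough tokens are present, so the average is capped while
    short bursts up to `burst` bytes still pass."""

    def __init__(self, rate: float, burst: float) -> None:
        self.rate, self.burst = rate, burst
        self.tokens = burst      # bucket starts full
        self.last = 0.0

    def allow(self, size: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


# The manual's 100 Mbps example: w7..w0 = 50, 30, 10, 10, 50, 30, 10, 10.
MANUAL_WEIGHTS = {7: 50, 6: 30, 5: 10, 4: 10, 3: 50, 2: 30, 1: 10, 0: 10}


def demo() -> Dict[str, object]:
    # Constructed traffic: queue 7 and queue 0 both backlogged.
    q_sp = {7: deque([70, 71, 72]), 0: deque([10, 11, 12])}
    q_wrr = {7: deque([70, 71, 72]), 0: deque([10, 11, 12])}
    return {
        "sp": sp_schedule(q_sp, budget=4),              # queue 0 waits until 7 drains
        "wrr": wrr_schedule(q_wrr, {7: 2, 0: 1}, rounds=2),
        "share": wrr_bandwidth_share(MANUAL_WEIGHTS, 100.0),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In `demo()` the SP run sends all of queue 7 before queue 0 gets a slot, while the WRR run interleaves them 2:1; the share table reproduces the manual's weights, giving queue 7 a quarter of the 100 Mbps port.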
  • Page 471: Introduction To Priority Mapping Tables

    CoS to DSCP: 802.1p-precedence-to-DSCP mapping table. CoS to Queue: 802.1p-precedence-to-local-precedence mapping table. DSCP to CoS: DSCP-to-802.1p-precedence mapping table, which is applicable to only IP packets. DSCP to DSCP: DSCP-to-DSCP mapping table, which is applicable to only IP packets. DSCP to Queue: DSCP-to-local-precedence mapping table, which is applicable to only IP packets.
  • Page 472: Qos Configuration

    You can apply a QoS policy to a port. Applies a QoS policy to a port to regulate the inbound traffic of the port. A QoS policy can be applied to multiple ports. Only one policy can be applied in the inbound direction of a port.
  • Page 473 Configure a class in the QoS policy. Configuring Classifier-Behavior Associations for the Policy: A class can be associated with only one traffic behavior in a QoS policy. Therefore, associating a class that is already associated with a traffic behavior will overwrite the old association.
  • Page 474 Configuring Priority Trust Mode on a Port Set the priority trust mode of a port. Creating a Class Select QoS > Classifier from the navigation tree and click Create to enter the page for creating a class, as shown in Figure 2-11.
  • Page 475 Return to QoS policy configuration task list. Configuring Classification Rules Select QoS > Classifier from the navigation tree and click Setup to enter the page for setting a class, as shown in Figure 2-12. Figure 2-12 The page for configuring classification rules...
  • Page 476 Source MAC: If multiple such rules are configured for a class, the new configuration does not overwrite the previous one. A rule to match a source MAC address is significant only to Ethernet interfaces. Define a rule to match a destination MAC address.
  • Page 477: Creating A Traffic Behavior

    Return to QoS policy configuration task list. Creating a Traffic Behavior Select QoS > Behavior from the navigation tree and click the Create tab to enter the page for creating a traffic behavior, as shown in Figure 2-13. Figure 2-13 The page for creating a traffic behavior Table 2-13 describes the configuration items of creating a behavior.
  • Page 478: Configuring Traffic Mirroring And Traffic Redirecting For A Traffic Behavior

    QoS policy configuration task list. Configuring Traffic Mirroring and Traffic Redirecting for a Traffic Behavior Select QoS > Behavior from the navigation tree and click Port Setup to enter the port setup page for a traffic behavior, as shown in Figure 2-14.
  • Page 479: Configuring Other Actions For A Traffic Behavior

    Configuring Other Actions for a Traffic Behavior Select QoS > Behavior from the navigation tree and click Setup to enter the page for setting a traffic behavior, as shown in Figure 2-15. Figure 2-15 The page for setting a traffic behavior Table 2-15 describes the configuration items of configuring other actions for a traffic behavior.
  • Page 480: Creating A Policy

    Specify a name for the policy to be created. Return to QoS policy configuration task list. Configuring Classifier-Behavior Associations for the Policy Select QoS > QoS Policy from the navigation tree and click Setup to enter the page for setting a policy, as shown in Figure 2-17.
  • Page 481: Applying A Policy To A Port

    Return to QoS policy configuration task list. Applying a Policy to a Port Select QoS > Port Policy from the navigation tree and click Setup to enter the page for applying a policy to a port, as shown in Figure 2-18.
  • Page 482: Configuring Queue Scheduling On A Port

    Return to QoS policy configuration task list. Configuring Queue Scheduling on a Port Select QoS > Queue from the navigation tree and click Setup to enter the queue scheduling configuration page, as shown in Figure 2-19. Figure 2-19 The page for configuring queue scheduling...
  • Page 483: Configuring Line Rate On A Port

    Not Set: Restores the default queuing algorithm on selected ports. Queue: Select the queue to be configured. Its value range is 0 to 7, but only 0 to 3 are user configurable and 4 to 7 are reserved. Specify the group the current queue is to be assigned to.
  • Page 484: Configuring Priority Mapping Tables

    Click the ports to be configured with line rate in the port list. You can select one or more ports. Return to Line rate configuration task list. Configuring Priority Mapping Tables Select QoS > Priority Mapping from the navigation tree to enter the page shown in Figure 2-21.
  • Page 485: Configuring Priority Trust Mode On A Port

    Priority mapping table configuration task list. Configuring Priority Trust Mode on a Port Select QoS > Port Priority from the navigation tree to enter the page shown in Figure 2-23. Click the icon corresponding to a port to enter the page shown in Figure 2-24.
  • Page 486 The interface to be configured. Priority: Set a local precedence value for the port. Trust Mode: Select a priority trust mode for the port, which can be Untrust, where packet priority is not trusted, or CoS, where the 802.1p precedence of the incoming packets is trusted and used for priority mapping.
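The Packet Precedences, Queue Scheduling, Priority Mapping Tables and Priority Trust Mode pages above describe where the DSCP, IP precedence and 802.1p precedence live in the headers and how a port's trust mode chooses which of them is mapped to a local precedence. The following is an added example, not code from the 3Com manual: it extracts those fields from raw header values (RFC 2474 numbers the DS field's bits 0 to 5 from the most significant bit, so the DSCP is the top six bits of the ToS byte; the 802.1p precedence is the top three bits of the 802.1Q TCI), names the DSCP class using the standard CS/AF/EF/BE assignments, and applies a trust mode. The mapping tables `COS_TO_QUEUE` and `DSCP_TO_QUEUE` are constructed for the example (the switch's default tables are not on the page), a `DSCP` trust mode is assumed from the existence of the DSCP-to-Queue table, and untagged frames under CoS trust are assumed to fall back to the port priority.

```python
# Added example (not 3Com code): precedence field extraction and priority
# mapping by trust mode, following the QoS chapter's descriptions.
from typing import Dict, Optional


def dscp_from_tos(tos: int) -> int:
    """DSCP is bits 0-5 of the DS field counted from the MSB, i.e. ToS >> 2.
    Bits 6 and 7 are reserved per RFC 2474."""
    return (tos & 0xFF) >> 2


def ip_precedence(tos: int) -> int:
    """Legacy IP precedence: the top three bits of the ToS byte. A CS class
    value equals this field, which is why CS is 'derived from the ToS field'."""
    return (tos & 0xFF) >> 5


def pcp_from_tci(tci: int) -> int:
    """802.1p precedence: the top three bits of the 16-bit 802.1Q TCI."""
    return (tci & 0xFFFF) >> 13


def dscp_class(dscp: int) -> str:
    """Name the DSCP class: BE (0), CS1..CS7, AF11..AF43, EF (46)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    if dscp == 46:
        return "EF"
    hi, lo = divmod(dscp, 8)
    if lo == 0:
        return "BE" if hi == 0 else f"CS{hi}"
    if 1 <= hi <= 4 and lo in (2, 4, 6):
        return f"AF{hi}{lo // 2}"   # AFxy: x = class, y = drop precedence
    return "unspecified"


# Constructed mapping tables (assumptions, not the switch defaults):
# CoS to Queue maps 802.1p value p to queue p; DSCP to Queue maps by CS class.
COS_TO_QUEUE: Dict[int, int] = {p: p for p in range(8)}
DSCP_TO_QUEUE: Dict[int, int] = {d: d >> 3 for d in range(64)}


def local_precedence(trust_mode: str, port_priority: int,
                     pcp: Optional[int] = None, dscp: Optional[int] = None,
                     is_ip: bool = False,
                     cos_to_queue: Dict[int, int] = COS_TO_QUEUE,
                     dscp_to_queue: Dict[int, int] = DSCP_TO_QUEUE) -> int:
    """Pick the local precedence the way the port's trust mode dictates."""
    if trust_mode == "Untrust":
        return port_priority                  # packet priority is ignored
    if trust_mode == "CoS":
        if pcp is None:
            return port_priority              # untagged frame: assumed fallback
        return cos_to_queue[pcp]
    if trust_mode == "DSCP":                  # assumed mode, see lead-in
        if not is_ip or dscp is None:
            return port_priority              # DSCP tables apply to IP packets only
        return dscp_to_queue[dscp]
    raise ValueError(f"unknown trust mode {trust_mode!r}")


if __name__ == "__main__":
    tos, tci = 0xB8, 0xA005                   # constructed header values
    d = dscp_from_tos(tos)
    print(d, dscp_class(d), ip_precedence(tos), pcp_from_tci(tci))
    print(local_precedence("CoS", 3, pcp=pcp_from_tci(tci)))
```

With the constructed ToS byte 0xB8 the DSCP is 46 (EF) and the IP precedence 5; the TCI 0xA005 carries an 802.1p value of 5, which under CoS trust selects queue 5 while Untrust keeps the port's own priority.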
  • Page 487: Configuration Guidelines

    When configuring QoS, note that: When an ACL is referenced to implement QoS, the actions defined in the ACL rules, deny or permit, do not take effect; actions to be taken on packets matching the ACL depend on the traffic behavior definition in QoS.
  • Page 488: Acl/Qos Configuration Examples

    3-1, in the network, the FTP server at IP address 10.1.1.1/24 is connected to the Switch, and the clients access the FTP server through GigabitEthernet 1/0/1 of the Switch. Configure an ACL and a QoS policy as follows to prevent the hosts from accessing the FTP server from 8:00 to 18:00 every day: Create an ACL to prohibit the hosts from accessing the FTP server from 8:00 to 18:00 every day.
  • Page 489 Figure 3-2 Define a time range covering 8:00 to 18:00 every day Type the time range name test-time. Select the Periodic Time Range option, set the Start Time to 8:00 and the End Time to 18:00, and then select the checkboxes Sun through Sat.
  • Page 490 Figure 3-3 Create an advanced IPv4 ACL Type the ACL number 3000. Click Apply. # Define an ACL rule for traffic to the FTP server. Click Advance Setup. Perform configuration as shown in Figure 3-4.
  • Page 491 Select the Rule ID option, and type rule ID 2. Select Permit in the Operation drop-down list. Select the Destination IP Address option, and type IP address 10.1.1.1 and destination wildcard mask 0.0.0.0. Select test-time in the Time Range drop-down list.
  • Page 492 Select QoS > Classifier from the navigation tree and click Create. Perform configuration as shown in Figure 3-5. Figure 3-5 Create a class Type the class name class1. Click Create. # Define classification rules. Click Setup. Perform configuration as shown in Figure 3-6.
  • Page 493 Figure 3-6 Define classification rules Select the class name class1 in the drop-down list. Select the ACL IPv4 option, and select ACL 3000 in the following drop-down list. Click Apply. A configuration progress dialog box appears, as shown in Figure...
  • Page 494 Figure 3-7 Configuration progress dialog box After the configuration is complete, click Close on the dialog box. # Create a traffic behavior. Select QoS > Behavior from the navigation tree and click Create. Perform configuration as shown in Figure 3-8. Figure 3-8 Create a traffic behavior Type the behavior name behavior1.
  • Page 495 Click Apply. A configuration progress dialog box appears. After the configuration is complete, click Close on the dialog box. # Create a policy. Select QoS > QoS Policy from the navigation tree and click the Create tab. Perform configuration as shown in Figure...
  • Page 496 Select behavior1 in the Behavior Name drop-down list. Click Apply. # Apply the QoS policy in the inbound direction of GigabitEthernet 1/0/1. Select QoS > Port Policy from the navigation tree and click the Setup tab. Perform configuration as shown in Figure...
  • Page 497 Figure 3-12 Apply the QoS policy in the inbound direction of GigabitEthernet 1/0/1 Select policy1 in the Please select a policy drop-down list. Select Inbound in the Direction drop-down list. Select port GigabitEthernet 1/0/1. Click Apply. A configuration progress dialog box appears.
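The ACL pages (step numbering, wildcard masks, time ranges), the Authorized IP example (ACL 2001 with a 0.0.0.0 source wildcard) and the ACL/QoS example (time range test-time, ACL 3000 rule 2, class1, behavior1, policy1) above use the same IPv4 ACL in two different roles, and the QoS Configuration Guidelines note that an ACL's permit/deny keywords are ignored when the ACL is referenced by a classifier. The following is an added example, not code from the 3Com manual: a small model of the ACL with the page's automatic rule numbering, wildcard matching and periodic time range, then the two consumers side by side, so the contrast between filtering (authorized IP) and classification (QoS) is visible on constructed packets. Host B's address, the management host rule and behavior1's action (cut off on the page; "deny" is assumed because the stated goal is to block FTP access) are constructed assumptions.

```python
# Added example (not 3Com code): one IPv4 ACL model, two consumers.
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask as on the ACL pages: a 1 bit means 'don't care',
    so a wildcard of 0.0.0.0 is an exact host match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


@dataclass(frozen=True)
class TimeRange:
    name: str
    start: time
    end: time
    days: frozenset            # weekday numbers, Monday=0 .. Sunday=6

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() < self.end


@dataclass
class Rule:
    rule_id: int
    action: str                                   # "permit" or "deny"
    src: Optional[Tuple[str, str]] = None         # (address, wildcard)
    dst: Optional[Tuple[str, str]] = None
    time_range: Optional[TimeRange] = None

    def matches(self, src_ip: str, dst_ip: str, now: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(now):
            return False                          # rule inactive outside its range
        if self.src is not None and not wildcard_match(src_ip, *self.src):
            return False
        if self.dst is not None and not wildcard_match(dst_ip, *self.dst):
            return False
        return True


@dataclass
class IPv4ACL:
    number: int
    step: int = 5
    rules: List[Rule] = field(default_factory=list)

    def next_rule_id(self) -> int:
        """ACL step: first rule gets 0; later rules get the next multiple of
        the step above the highest existing ID (step 5, highest 28 -> 30)."""
        if not self.rules:
            return 0
        return (max(r.rule_id for r in self.rules) // self.step + 1) * self.step

    def add_rule(self, action: str, rule_id: Optional[int] = None, **criteria) -> Rule:
        rule = Rule(self.next_rule_id() if rule_id is None else rule_id, action, **criteria)
        self.rules.append(rule)
        return rule

    def first_match(self, src_ip: str, dst_ip: str, now: datetime) -> Optional[Rule]:
        for rule in self.rules:                   # match order "config"
            if rule.matches(src_ip, dst_ip, now):
                return rule
        return None


def authorized_ip_allows(acl: IPv4ACL, client_ip: str, switch_ip: str, now: datetime) -> bool:
    """Authorized IP: the ACL's own permit/deny decides whether a Telnet/HTTP
    client may connect. No match is treated as not passing (model assumption)."""
    hit = acl.first_match(client_ip, switch_ip, now)
    return hit is not None and hit.action == "permit"


def qos_policy_action(acl: IPv4ACL, behavior_action: str,
                      src_ip: str, dst_ip: str, now: datetime) -> str:
    """QoS: a packet hitting a permit rule is only *classified*; the action
    comes from the traffic behavior, not from the ACL keyword."""
    hit = acl.first_match(src_ip, dst_ip, now)
    return behavior_action if hit is not None and hit.action == "permit" else "forward"


# Authorized IP example: ACL 2001, basic rule, source wildcard 0.0.0.0.
# The management host address is constructed (Host B's is not on the page).
ACL_2001 = IPv4ACL(2001)
ACL_2001.add_rule("permit", src=("192.168.1.2", "0.0.0.0"))

# ACL/QoS example: test-time 8:00-18:00 Sun..Sat; ACL 3000 rule 2 permits
# traffic to FTP server 10.1.1.1 (wildcard 0.0.0.0) inside that range.
TEST_TIME = TimeRange("test-time", time(8, 0), time(18, 0), frozenset(range(7)))
ACL_3000 = IPv4ACL(3000)
ACL_3000.add_rule("permit", rule_id=2, dst=("10.1.1.1", "0.0.0.0"), time_range=TEST_TIME)
BEHAVIOR1_ACTION = "deny"                         # assumed; cut off on the page
WORK_HOURS = datetime(2009, 8, 10, 9, 0)          # constructed timestamps
AFTER_HOURS = datetime(2009, 8, 10, 19, 0)

if __name__ == "__main__":
    print(authorized_ip_allows(ACL_2001, "192.168.1.2", "192.168.1.1", WORK_HOURS))
    print(qos_policy_action(ACL_3000, BEHAVIOR1_ACTION, "10.1.1.20", "10.1.1.1", WORK_HOURS))
    print(qos_policy_action(ACL_3000, BEHAVIOR1_ACTION, "10.1.1.20", "10.1.1.1", AFTER_HOURS))
```

Note that the same `permit` keyword produces opposite outcomes in the two roles: under authorized IP it lets the management client in, while under the QoS policy it selects the packet for behavior1's action, which is what the Configuration Guidelines page warns about when reusing an ACL written for filtering.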
  • Page 498 Table of Contents: 1 PoE Configuration (1-1): PoE Overview (1-1); Advantages (1-1); Composition (1-1); Protocol Specification (1-2); Configuring PoE (1-2); Configuring PoE Ports (1-3); Displaying Information About PSE and PoE Ports (1-4); PoE Configuration Example (1-5)...
  • Page 499: Poe Configuration

    The whole PoE system is powered by the PoE power. A PSE is a device supplying power for PDs. A PSE can be built-in (Endpoint) or external (Midspan). A built-in PSE is integrated in a switch or router, and an external PSE is independent from a switch or router.
  • Page 500: Protocol Specification

    The PSE supplies power for a PoE interface in the following two modes: Over signal wires: The PSE uses the pairs (1, 2, 3, 6) for transmitting data in a category 3/5 twisted pair cable to supply DC power while transmitting data to PDs.
  • Page 501: Configuring Poe Ports

    PoE port if the PoE port is not enabled with the PoE function. You are allowed to enable PoE for a PoE port if the PoE port will not result in PoE power overload; otherwise, you are not allowed to enable PoE for the PoE port.
  • Page 502: Displaying Information About Pse And Poe Ports

    Displaying Information About PSE and PoE Ports Select PoE > PoE from the navigation tree to enter the page of the Summary tab. The upper part of the page displays the PSE summary. Click a port on the chassis front panel to display the configuration and power information for that port, as shown in Figure 1-3.
  • Page 503: Poe Configuration Example

    GigabitEthernet 1/0/11 is connected to an AP whose maximum power does not exceed 9000 milliwatts. The power supply priority of IP telephones is higher than that of the AP; therefore, the PSE supplies power to IP telephones first when the PSE power is overloaded.
  • Page 504 Configuration procedure # Enable PoE on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, and configure their power supply priority to critical. Select PoE > PoE from the navigation tree and click the Setup tab to perform the following configurations, as shown in Figure 1-5.
  • Page 505 Click to select port GigabitEthernet 1/0/11 from the chassis front panel. Select Enable from the Power State drop-down list. Select the check box before Power Max and type 9000. Click Apply. After the configuration takes effect, the IP telephones and the AP are powered and can work normally.