3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
About This Manual
Organization
3Com Switch 4500 Family Configuration Guide is organized as follows:
Part 1, Login: Introduces the ways to log into an Ethernet switch and CLI related configuration.
Part 2, Configuration File Management: Introduces configuration file and the related configuration.
Part 27, UDP Helper: Introduces UDP helper and the related configuration.
Part 28, SNMP-RMON: Introduces the configuration for network management through SNMP and RMON.
Part 29, NTP: Introduces NTP and the related configuration.
Part 30, SSH: Introduces SSH2.0 and the related configuration.
Part 31, File System Management: Introduces basic configuration for file system management.
If information in this guide differs from information in the 3Com Switch 4500 Family Release Notes, use the information in the Release Notes.
Obtaining Documentation
You can access the most up-to-date 3Com product documentation on the World Wide Web at this URL: http://www.3com.com.
Table of Contents
1 Logging In to an Ethernet Switch 1-1
  Logging In to an Ethernet Switch 1-1
  Introduction to the User Interface 1-1
    Supported User Interfaces 1-1
    Relationship Between a User and a User Interface 1-2
    User Interface Index 1-2
    Common User Interface Configuration 1-3
2 Logging In Through the Console Port 2-1
  Introduction 2-1
...
    Switch Configuration 4-2
  Modem Connection Establishment 4-2
5 CLI Configuration 5-1
  Introduction to the CLI 5-1
  Command Hierarchy 5-1
    Command Level and User Privilege Level 5-1
    Modifying the Command Level 5-2
    Switching User Level 5-3
  CLI Views 5-5
  CLI Features 5-8
    Online Help 5-8
    Terminal Display 5-9
    Command History 5-10
    Error Prompts 5-10
...
Logging In to an Ethernet Switch
To manage or configure a Switch 4500, you can log in to it in one of the following three methods:
Command Line Interface
Web-based Network Management Interface
...
VTY user interfaces are numbered VTY0, VTY1, and so on. Switch 4500 supports XRN Fabric. A Fabric can contain up to eight devices. Accordingly, the AUX user interfaces in a Fabric can be numbered from AUX0 to AUX7, through which all the console ports of the...
Common User Interface Configuration
Follow these steps to configure common user interface:
To do: Lock the current user interface
Command: lock
Remarks: Optional. Available in user view. A user interface is not locked by default.
To do: Specify to send messages to all user interfaces/a...
Command: send { all | number | type number }
Remarks: Optional.
...
Logging in through the console port is the most common way to log in to a switch. It is also the prerequisite for configuring other login methods. By default, you can log in to Switch 4500 locally through its console port only.
If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP; the following assumes that you are running Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4...
Figure 2-4 Set port parameters
Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt appears after you press the Enter key. You can then configure the switch or check the information about the switch by executing the corresponding commands.
Configuration: Set the maximum number of lines the screen can contain
Remarks: Optional. By default, the screen can contain up to 24 lines.
Configuration: Set history command buffer size
Remarks: Optional. By default, the history command buffer can contain up to 10 commands.
Configuration: Set the timeout time of a user interface
Remarks: Optional.
...
To do: Set the maximum number of lines the screen can contain
Command: screen-length screen-length
Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Changes made to the authentication mode for console port login take effect after you quit the command-line interface and then log in again.
Console Port Login Configuration with Authentication Mode Being None
Configuration Procedure
Follow these steps to configure console port login with the authentication mode being none:
To do…...
Network diagram
Figure 2-5 Network diagram for AUX user interface configuration (with the authentication mode being none)
(Figure: configuration PC running Telnet, connected to GE1/0/1 over Ethernet)
Configuration procedure
# Enter system view.
<Sysname> system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify not to authenticate users logging in through the console port.
To do: Enter system view
Command: system-view
To do: Enter AUX user interface view
Command: user-interface aux 0
To do: Configure to authenticate users using the local...
Command: authentication-mode...
Remarks: Required. By default, users logging in to a switch through the console port are not authenticated;...
<Sysname> system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify to authenticate users logging in through the console port using the local password.
[Sysname-ui-aux0] authentication-mode password
# Set the local password to 123456 (in plain text).
[Sysname-ui-aux0] set authentication password simple 123456
# Specify that commands of level 2 are available to users logging in to the AUX user interface.
To do: Enter the default ISP domain view
Command: domain domain-name
Remarks: Optional.
To do: Specify the AAA scheme to be applied
Command: scheme { local | none | radius-scheme...
Remarks: By default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration...
Set the service type of the local user to Terminal and the command level to 2.
Configure to authenticate the users in the scheme mode.
The baud rate of the console port is 19,200 bps.
The screen can contain up to 30 lines.
The history command buffer can store up to 20 commands.
[Sysname-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6
After the above configuration, you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 2-4 to log in to the switch successfully.
Telnet Configuration with Authentication Mode Being Password
Introduction
Switch 4500 supports Telnet. You can manage and maintain a switch remotely by Telnetting to the switch. To log in to a switch through Telnet, the corresponding configuration is required on both the switch and the Telnet terminal.
Configuration: Configure the protocols the user interface supports
Description: Optional. By default, Telnet and SSH protocol are supported.
Configuration: Set the commands to be executed automatically after a user logs in to the user interface successfully
Description: Optional. By default, no command is executed automatically after a user logs into the VTY user interface.
To do: Set the history command buffer size
Command: history-command max-size value
Remarks: Optional. The default history command buffer size is 10, that is, the history command buffer of a user can store up to 10 commands by default.
To improve security and prevent attacks on unused sockets, TCP port 23 (Telnet) and TCP port 22 (SSH) are enabled or disabled according to the corresponding configuration. If the authentication mode is none, TCP 23 is enabled and TCP 22 is disabled. If the authentication mode is password and the corresponding password has been set, TCP 23 is enabled and TCP 22 is disabled.
Network diagram
Figure 3-1 Network diagram for Telnet configuration (with the authentication mode being none)
Configuration procedure
# Enter system view.
<Sysname> system-view
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure not to authenticate Telnet users logging in to VTY 0.
[Sysname-ui-vty0] authentication-mode none
# Specify that commands of level 2 are available to users logging in to VTY 0.
When the authentication mode is password, the command level available to users logging in to the user interface is determined by the user privilege level command.
Configuration Example
Network requirements
Assume the current user logs in through the console port and the current user level is set to the administrator level (level 3).
Telnet Configuration with Authentication Mode Being Scheme
Configuration Procedure
Follow these steps to configure Telnet with the authentication mode being scheme:
To do: Enter system view
Command: system-view
To do: Enter one or more VTY user interface views
Command: user-interface vty...
Refer to the AAA part of this manual for information about AAA and RADIUS.
Configuration Example
Network requirements
Assume the current user logs in through the console port and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in to VTY 0 using Telnet. Configure the local user name as guest.
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6
Telnetting to a Switch
Telnetting to a Switch from a Terminal
...
The prompt (such as <Sysname>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message “All user interfaces are used, please try later!”. A 3Com switch can accommodate up to five Telnet connections at the same time.
Telnetting to another Switch from the Current Switch
You can Telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are in the same network segment, or that a route between the two VLAN interfaces is available.
Logging In Using a Modem
Go to these sections for information you are interested in:
Introduction
Configuration on the Switch Side
Modem Connection Establishment
Introduction
The administrator can log in to the console port of a remote switch using a modem through the public switched telephone network (PSTN), provided the remote switch is connected to the PSTN through a modem, and so configure and maintain the switch remotely.
You can verify your configuration by executing the AT&V command. The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration.
Switch Configuration
After logging in to a switch through its console port by using a modem, you will enter the AUX user interface.
Figure 4-1 Establish the connection by using modems
(Figure: PC connected by a modem serial cable to a modem, then over a telephone line through the PSTN to a second modem attached to the switch console port; telephone number of the remote end: 82882285)
Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 4-2 through...
Figure 4-3 Set the telephone number
Figure 4-4 Call the modem
If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt (such as <Sysname>) appears. You can then configure or manage the switch.
Each 3Com Switch 4500 provides an easy-to-use CLI and a set of configuration commands so that the user can configure and manage the switch conveniently. The CLI on the 3Com Switch 4500 provides the following features, which give it good manageability and operability.
Monitor level (level 1): Commands at this level are mainly used to maintain the system and diagnose service faults, and they cannot be saved in the configuration file. Such commands include debugging and terminal.
System level (level 2): Commands at this level are mainly used to configure services. Commands concerning routing and network layers are at this level.
To do: Enter system view
Command: system-view
To do: Configure the level of a command in a specific view
Command: command-privilege level level view view command
Remarks: Required. You are recommended to use the default command level or modify the command level under the guidance of professional staff;...
To avoid misoperations, administrators are recommended to log in to the device using a lower privilege level to view device operating parameters, and to switch to a higher level temporarily only when they have to maintain the device. When administrators need to leave for a while or ask someone else to manage the device temporarily, they can switch to a lower privilege level before they leave, to restrict the operations available to others.
After executing the system-view command, the user enters system view, where the user can go to other views by entering the corresponding commands. Table 5-1 lists the CLI views provided by the 3Com Switch 4500, the operations that can be performed in the different CLI views, and the commands used to enter specific CLI views.
View: Ethernet port view
Prompt example: [Sysname-GigabitEthernet1/0/25]
Enter method: Execute the interface command in system view.
View: Aux1/0/0 port view (the console port)
Prompt example: [Sysname-Aux1/0/0]
Enter method: Execute the interface aux 1/0/0 command in system view.
Remarks: The 3Com Switch 4500 does not support configuration on port Aux1/0/0.
Enter method: Execute the vlan...
View: FTP client view
Available operation: Configure FTP client parameters
Prompt example: [ftp]
Enter method: Execute the ftp command in user view.
View: SFTP client view
Available operation: Configure SFTP client parameters
Prompt example: sftp-client>
Enter method: Execute the sftp command in system view.
View: MST region view
Available operation: Configure MST...
Prompt example: [Sysname-mst-regi...
Enter method: Execute the stp...
View: RADIUS scheme view
Available operation: Configure RADIUS scheme parameters
Prompt example: [Sysname-radius-1]
Enter method: Execute the radius scheme command in system view.
View: ISP domain view
Available operation: Configure ISP domain parameters
Prompt example: [Sysname-isp-aaa123.net]
Enter method: Execute the domain command in system view.
View: Remote-ping...
Available operation: Configure...
Enter method: Execute the...
  Change current directory
  clock      Specify the system clock
  cluster    Run cluster command
  copy       Copy from one file to another
  debugging  Enable system debugging functions
  delete     Delete a file
  dir        List files on a file system
  display    Display current system information
  <Other information is omitted>
Enter a command, a space, and a question mark (?).
Table 5-2 Display-related operations
Operation: Press <Ctrl+C>
Function: Stop the display output and execution of the command.
Operation: Press any character except <Space>, <Enter>, /, +, and - when the display output pauses
Function: Stop the display output.
Operation: Press the space key
Function: Get to the next page.
Table 5-3 Common error messages
Error message: Unrecognized command
Remarks: The command does not exist. The keyword does not exist. The parameter type is wrong. The parameter value is out of range.
Error message: Incomplete command
Remarks: The command entered is incomplete.
Error message: Too many parameters
Remarks: The parameters entered are too many.
Enabling/Disabling the WEB Server
Introduction
Switch 4500 has a Web server built in. It enables you to log in to Switch 4500 through a Web browser and then manage and maintain the switch intuitively by interacting with the built-in Web server.
Establish an HTTP connection between your PC and the switch, as shown in Figure 6-1.
Figure 6-1 Establish an HTTP connection between your PC and the switch
Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the address bar.
Configuration Example
Network requirements
A user logs in to the switch through Web. The banner page is desired when a user logs into the switch.
Network diagram
Figure 6-3 Network diagram for login banner configuration
Configuration Procedure
# Enter system view.
<Sysname>...
To do: Enter system view
Command: system-view
To do: Enable the Web server
Command: undo ip http shutdown
Remarks: Required. By default, the Web server is enabled.
To do: Disable the Web server
Command: ip http shutdown
Remarks: Required.
To improve security and prevent attacks on unused sockets, TCP port 80 (used for the HTTP service) is enabled or disabled according to this configuration.
Logging In Through NMS
Go to these sections for information you are interested in:
Introduction
Connection Establishment Using NMS
Introduction
You can also log in to a switch through a Network Management Station (NMS), and then configure and manage the switch through the agent software on the switch. Simple Network Management Protocol (SNMP) is applied between the NMS and the agent.
Configuring Source IP Address for Telnet Service Packets
Go to these sections for information you are interested in:
Overview
Configuring Source IP Address for Telnet Service Packets
Displaying Source IP Address Configuration
Overview
You can configure a source IP address or source interface for the Telnet server and Telnet client. This provides a way to manage services and enhances security.
Operation: Specify a source interface for the Telnet server
Command: telnet-server source-interface interface-type interface-number
Description: Optional.
Operation: Specify a source IP address for the Telnet client
Command: telnet source-ip ip-address
Description: Optional.
Operation: Specify a source interface for the Telnet client
Command: telnet source-interface interface-type interface-number
Description: Optional.
To perform the configurations listed in Table 8-1 and Table 8-2, make sure that:...
User Control
Go to these sections for information you are interested in:
Introduction
Controlling Telnet Users
Controlling Network Management Users by Source IP Addresses
Controlling Web Users by Source IP Address
Refer to the ACL part for information about ACL.
Introduction
You can control users logging in through Telnet, SNMP and WEB by defining Access Control List (ACL), as listed in...
If no ACL is configured on the VTY user interface, users are not controlled when establishing a Telnet connection using this user interface. If an ACL is configured on the VTY user interface, there will be two possibilities: if the packets for establishing a Telnet connection match the ACL rule configured on the VTY user interface, the connection will be permitted or denied according to the ACL rule;...
[Sysname-ui-vty0-4] acl 2000 inbound
Controlling Network Management Users by Source IP Addresses
You can manage Switch 4500 through network management software. Network management users can access switches through SNMP. You need to perform the following two operations to control network management users by source IP...
Defining an ACL
Applying the ACL to control users accessing the switch through SNMP
To control whether an NMS can manage the switch, you can use this function.
Prerequisites
The controlling policy against network management users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000
Controlling Web Users by Source IP Address
You can manage Switch 4500 remotely through Web. Web users can access a switch through HTTP connections. You need to perform the following two operations to control Web users by source IP addresses.
To do: Enter system view
Command: system-view
To do: Create a basic ACL or enter basic ACL view
Command: acl number acl-number [ match-order { config | auto } ]
Remarks: As for the acl number command, the config keyword is specified by default.
[Sysname-acl-basic-2030] quit
# Apply ACL 2030 to only permit the Web users sourced from the IP address of 10.110.100.52 to access the switch.
[Sysname] ip http acl 2030
...
Table of Contents
1 Configuration File Management 1-1
  Introduction to Configuration File 1-1
  Configuration Task List 1-2
    Saving the Current Configuration 1-2
    Erasing the Startup Configuration File 1-3
    Specifying a Configuration File for Next Startup 1-4
    Displaying Switch Configuration 1-5
...
Configuration File Management
When configuring configuration file management, go to these sections for information you are interested in:
Introduction to Configuration File
Configuration Task List
Introduction to Configuration File
A configuration file records and stores user configurations performed to a switch. It also enables users to check switch configurations easily.
When saving the current configuration, you can specify the file to be a main, backup or normal configuration file. When removing a configuration file from a switch, you can specify to remove the main or backup configuration file. Or, if it is a file having both the main and backup attributes, you can specify to erase the main or backup attribute of the file.
When you use the save safely command to save the configuration file, if the switch reboots or the power fails during the saving process, the switch initializes itself in one of the following two ways when it starts up next time:
If a configuration file with the extension .cfg exists in the Flash, the switch uses that configuration file to initialize itself when it starts up next time.
To do: Erase the startup configuration file from the storage of the switch
Command: reset saved-configuration [ backup | main ]
Remarks: Required. Available in user view.
You may need to erase the configuration file for one of these reasons:
After you upgrade software, the old configuration file does not match the new software.
The configuration file must use .cfg as its extension name, and the startup configuration file must be saved in the root directory of the switch.
Displaying Switch Configuration
To do: Display the initial configuration file saved in the Flash of a switch
Command: display saved-configuration [ unit unit-id ] [ by-linenum ]
...
Table of Contents
1 VLAN Overview 1-1
  VLAN Overview 1-1
    Introduction to VLAN 1-1
    Advantages of VLANs 1-2
    VLAN Principles 1-2
    VLAN Interface 1-4
    VLAN Classification 1-4
  Port-Based VLAN 1-4
    Link Types of Ethernet Ports 1-4
    Assigning an Ethernet Port to Specified VLANs 1-5
    Configuring the Default VLAN ID for a Port 1-5
2 VLAN Configuration 2-1
  VLAN Configuration 2-1
...
VLAN Overview
This chapter covers these topics:
VLAN Overview
Port-Based VLAN
VLAN Overview
Introduction to VLAN
The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches. Hubs and switches, which are the basic network connection devices, have limited forwarding functions.
Figure 1-1 A VLAN implementation
Advantages of VLANs
Compared with the traditional Ethernet, VLAN enjoys the following advantages.
Broadcasts are confined to VLANs. This decreases bandwidth consumption and improves network performance.
Network security is improved. Because each VLAN forms a broadcast domain, hosts in different VLANs cannot communicate with each other directly unless routers or Layer 3 switches are used.
tag is encapsulated after the destination MAC address and source MAC address to show the information about VLAN.
Figure 1-3 Format of VLAN tag
As shown in Figure 1-3, a VLAN tag contains four fields: the tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID.
VLAN Interface
Hosts in different VLANs cannot communicate with each other directly unless routers or Layer 3 switches are used to do Layer 3 forwarding. The Switch 4500 series Ethernet switches support VLAN interface configuration to forward packets at Layer 3.
A hybrid port allows the packets of multiple VLANs to be sent untagged, but a trunk port only allows the packets of the default VLAN to be sent untagged. The three types of ports can coexist on the same device.
Assigning an Ethernet Port to Specified VLANs
You can assign an Ethernet port to a VLAN to forward packets for the VLAN, thus allowing the VLAN on the current switch to communicate with the same VLAN on the peer switch.
Table 1-2 Packet processing of a trunk port
Processing of an incoming packet:
  For an untagged packet: If the port has already been added to its default VLAN, ...
  For a tagged packet: If the VLAN ID is one of the VLAN IDs allowed to pass ...
Processing of an outgoing packet: If the VLAN ID is just the default VLAN ID, strip off the...
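The tag layout of Figure 1-3 and the trunk-port rules of Table 1-2 can be checked against real frame bytes. The following is an added example, not the manual's or 3Com's code; it parses, inserts and strips the four-byte 802.1Q tag and models a trunk port, and where Table 1-2 is cut off on this page it assumes standard 802.1Q behaviour (a tagged packet in a VLAN the port does not permit is dropped; an outgoing packet in a non-default permitted VLAN keeps its tag). The sample frames are constructed, not captured.

```python
"""802.1Q VLAN tag parsing and trunk-port packet processing (added example).

Tag layout follows Figure 1-3: TPID (16 bits, 0x8100), priority (3 bits),
CFI (1 bit), VLAN ID (12 bits), placed after the two MAC addresses.
Trunk-port rules follow Table 1-2; the two outcomes marked "assumed" below
are standard 802.1Q behaviour, not shown on the (truncated) page.
"""
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

TPID_8021Q = 0x8100   # tag protocol identifier that marks an 802.1Q tag
TAG_OFFSET = 12       # the tag follows the destination and source MAC addresses
TAG_LEN = 4           # TPID (2 bytes) + TCI (2 bytes)


@dataclass(frozen=True)
class VlanTag:
    priority: int   # 3-bit 802.1p priority
    cfi: int        # 1-bit canonical format indicator
    vlan_id: int    # 12-bit VLAN ID

    def to_bytes(self) -> bytes:
        if not (0 <= self.priority < 8 and self.cfi in (0, 1) and 0 <= self.vlan_id < 4096):
            raise ValueError("tag field out of range")
        tci = (self.priority << 13) | (self.cfi << 12) | self.vlan_id
        return struct.pack("!HH", TPID_8021Q, tci)


def parse_vlan_tag(frame: bytes) -> Optional[VlanTag]:
    """Return the 802.1Q tag of an Ethernet frame, or None if the frame is untagged."""
    if len(frame) < TAG_OFFSET + 2:
        raise ValueError("frame too short for an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, TAG_OFFSET)
    if tpid != TPID_8021Q:
        return None                      # a plain EtherType sits here: untagged frame
    if len(frame) < TAG_OFFSET + TAG_LEN + 2:
        raise ValueError("truncated VLAN tag")
    (tci,) = struct.unpack_from("!H", frame, TAG_OFFSET + 2)
    return VlanTag(priority=tci >> 13, cfi=(tci >> 12) & 1, vlan_id=tci & 0x0FFF)


def insert_vlan_tag(frame: bytes, tag: VlanTag) -> bytes:
    """Tag an untagged frame: the 4-byte tag goes in front of the EtherType."""
    return frame[:TAG_OFFSET] + tag.to_bytes() + frame[TAG_OFFSET:]


def strip_vlan_tag(frame: bytes) -> bytes:
    """Remove the 4-byte tag, moving the EtherType back to its original position."""
    return frame[:TAG_OFFSET] + frame[TAG_OFFSET + TAG_LEN:]


@dataclass
class TrunkPort:
    default_vlan: int
    permitted: FrozenSet[int]   # VLAN IDs allowed to pass through the port

    def receive(self, frame: bytes) -> Optional[bytes]:
        """Ingress: return the frame as it enters the switch, or None if it is dropped."""
        tag = parse_vlan_tag(frame)
        if tag is None:
            # Untagged packet: accepted and tagged with the default VLAN ID only if
            # the port has been added to its default VLAN (Table 1-2).
            if self.default_vlan not in self.permitted:
                return None
            return insert_vlan_tag(frame, VlanTag(0, 0, self.default_vlan))
        if tag.vlan_id not in self.permitted:
            return None     # assumed: VLAN not permitted on the port, packet dropped
        return frame        # tagged packet in a permitted VLAN is received as is

    def send(self, frame: bytes) -> Optional[bytes]:
        """Egress: default-VLAN traffic leaves untagged, other permitted VLANs keep the tag."""
        tag = parse_vlan_tag(frame)
        if tag is None or tag.vlan_id not in self.permitted:
            return None
        if tag.vlan_id == self.default_vlan:
            return strip_vlan_tag(frame)   # Table 1-2: strip the tag of the default VLAN
        return frame                       # assumed: non-default permitted VLAN keeps its tag


# Constructed sample frame (not captured traffic): broadcast destination MAC,
# a made-up source MAC, EtherType 0x0800 (IPv4) and a short dummy payload.
UNTAGGED_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0800" "deadbeefcafe")


def demo() -> dict:
    """Run the sample frame through a trunk port (default VLAN 100, permits 100 and 200)."""
    port = TrunkPort(default_vlan=100, permitted=frozenset({100, 200}))
    tagged_200 = insert_vlan_tag(UNTAGGED_FRAME, VlanTag(5, 0, 200))
    tagged_300 = insert_vlan_tag(UNTAGGED_FRAME, VlanTag(0, 0, 300))
    received = port.receive(UNTAGGED_FRAME)
    return {
        "untagged_in": parse_vlan_tag(received),          # tagged with VLAN 100
        "vlan200_in": port.receive(tagged_200) is not None,  # permitted, accepted
        "vlan300_in": port.receive(tagged_300),           # None: not permitted, dropped
        "vlan100_out": port.send(received) == UNTAGGED_FRAME,  # tag stripped on egress
        "vlan200_out": port.send(tagged_200) == tagged_200,    # tag kept on egress
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```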
VLAN Configuration
When configuring VLAN, go to these sections for information you are interested in:
VLAN Configuration
Configuring a Port-Based VLAN
VLAN Configuration
VLAN Configuration Task List
Complete the following tasks to configure VLAN:
Task: Basic VLAN Configuration
Remarks: Required
Task: Basic VLAN Interface Configuration
Remarks: Optional
Task: Displaying VLAN Configuration
...
VLAN 1 is the system default VLAN, which need not be created and cannot be removed. The VLAN you created in the way described above is a static VLAN. On the switch, there are also dynamic VLANs, which are registered through GVRP. For details, refer to the “GVRP” part of this manual.
The operation of enabling/disabling a VLAN’s VLAN interface does not influence the physical status of the Ethernet ports belonging to this VLAN.
Displaying VLAN Configuration
To do: Display the VLAN interface information
Command: display interface Vlan-interface [ vlan-id ]
Remarks: Available in any view.
Assigning an Ethernet Port to a VLAN You can assign an Ethernet port to a VLAN in Ethernet port view or VLAN view. You can assign an access port to a VLAN in either Ethernet port view or VLAN view. You can assign a trunk port or hybrid port to a VLAN only in Ethernet port view.
Configuring the Default VLAN for a Port
Because an access port can belong to only one VLAN, its default VLAN is the VLAN it resides in and cannot be configured. This section describes how to configure a default VLAN for a trunk or hybrid port.
Follow these steps to configure the default VLAN for a port:
To do…...
Network diagram
Figure 2-1 Network diagram for VLAN configuration
(Figure: Server1 and Server2 attached to Switch A on GE1/0/12 and GE1/0/13 and to Switch B on GE1/0/11 and GE1/0/1; Switch A GE1/0/2 links to Switch B GE1/0/10)
Configuration procedure
Configure Switch A.
# Create VLAN 100, specify its descriptive string as Dept1, and add GigabitEthernet 1/0/1 to VLAN 100.
<SwitchA>...
[SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 100
[SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 200
# Configure GigabitEthernet 1/0/10 of Switch B.
[SwitchB] interface GigabitEthernet 1/0/10
[SwitchB-GigabitEthernet1/0/10] port link-type trunk
[SwitchB-GigabitEthernet1/0/10] port trunk permit vlan 100
[SwitchB-GigabitEthernet1/0/10] port trunk permit vlan 200
...
Table of Contents
1 IP Addressing Configuration 1-1
  IP Addressing Overview 1-1
    IP Address Classes 1-1
    Special IP Addresses 1-2
    Subnetting and Masking 1-2
  Configuring IP Addresses 1-3
    Configuring IP Addresses 1-3
    Configuring Static Domain Name Resolution 1-4
  Displaying IP Addressing Configuration 1-4
  IP Address Configuration Examples 1-4
    IP Address Configuration Example 1-4
    Static Domain Name Resolution Configuration Example 1-5
2 IP Performance Optimization Configuration 2-1
...
IP Addressing Configuration
The term IP address used throughout this chapter refers to IPv4 address. For details about IPv6 address, refer to IPv6 Management.
When configuring IP addressing, go to these sections for information you are interested in:
IP Addressing Overview
Configuring IP Addresses
Displaying IP Addressing Configuration
IP Address Configuration Examples
IP Addressing Overview...
Table 1-1 IP address classes and ranges (Class / Address range / Remarks)
Class A: 0.0.0.0 to 127.255.255.255. Remarks: the IP address 0.0.0.0 is used by a host at bootstrap for temporary communication and is never a valid destination address; addresses starting with 127 are reserved for loopback tests.
subnetting. When designing your network, note that subnetting is a tradeoff between the number of subnets and the number of hosts each can accommodate. For example, before being subnetted a Class B network can accommodate 65,534 hosts (65,536 – 2; of the two deducted addresses, the one with an all-ones host ID is the broadcast address and the one with an all-zero host ID is the network address).
A newly specified IP address overwrites the previous one if there is any. The IP address of a VLAN interface must not be on the same network segment as that of a loopback interface on a device. Configuring Static Domain Name Resolution Follow these steps to configure static domain name resolution: To do…...
Network diagram Figure 1-3 Network diagram for IP address configuration Configuration procedure # Configure an IP address for VLAN-interface 1. <Switch> system-view [Switch] interface vlan-interface 1 [Switch-Vlan-interface1] ip address 129.2.2.1 255.255.255.0 Static Domain Name Resolution Configuration Example Network requirements The switch uses static domain name resolution to access host 10.1.1.2 through domain name host.com.
IP Performance Optimization Configuration
When optimizing IP performance, go to these sections for information you are interested in:
IP Performance Overview
Configuring IP Performance Optimization
Displaying and Maintaining IP Performance Optimization Configuration
IP Performance Overview
Introduction to IP Performance Configuration
In some network environments, you can adjust the IP parameters to achieve the best network performance.
synwait timer: When sending a SYN packet, TCP starts the synwait timer. If no response packet is received within the synwait timer interval, the TCP connection cannot be created. finwait timer: When a TCP connection is changed into FIN_WAIT_2 state, the finwait timer is started.
If the destination of a packet is local but the transport layer protocol of the packet is not supported by the local device, the device sends a “protocol unreachable” ICMP error packet to the source. When the device receives a packet whose destination is local and whose transport layer protocol is UDP, and no process is listening on the packet’s destination port, the device sends the source a “port unreachable”...
To do… / Use the command… / Remarks
Display ICMP traffic statistics: display icmp statistics
Display the current socket information of the system: display ip socket [ socktype sock-type ] [ task-id socket-id ]
Display the forwarding information base (FIB) entries: display fib
Display the FIB entries matching the ...: display fib ip_address1 [ { mask1 | mask-length1 } [ ip_address2 { mask2 |...
1 Voice VLAN Configuration 1-1
  Voice VLAN Overview 1-1
    How an IP Phone Works 1-1
    How Switch 4500 Series Switches Identify Voice Traffic 1-3
    Setting the Voice Traffic Transmission Priority 1-3
    Configuring Voice VLAN Assignment Mode of a Port 1-4
    Support for Voice VLAN on Various Ports 1-4
    Security Mode of Voice VLAN 1-6...
Voice VLAN Configuration
When configuring voice VLAN, go to these sections for information you are interested in:
Voice VLAN Overview
Voice VLAN Configuration
Displaying and Maintaining Voice VLAN
Voice VLAN Configuration Example
Voice VLAN Overview
Voice VLANs are allocated specially for voice traffic. After creating a voice VLAN and assigning the ports that connect voice devices to it, you can have voice traffic transmitted in the dedicated voice VLAN and configure quality of service (QoS) parameters for the voice traffic to raise its transmission priority and ensure voice quality.
Figure 1-1 Network diagram for IP phones As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission. An IP phone goes through the following three phases to become capable of transmitting voice data.
the NCP is reachable from the IP address to be set.
How Switch 4500 Series Switches Identify Voice Traffic
Switch 4500 series Ethernet switches determine whether a received packet is a voice packet by checking its source MAC address against an organizationally unique identifier (OUI) list. If a match is found, the packet is considered a voice packet. Note that this check uses nothing but the source MAC address: any host that sets its MAC address to a listed OUI is treated as a voice device, so the OUI list identifies phones but does not authenticate them.
Processing mode of untagged packets sent by IP voice devices
Automatic voice VLAN assignment mode: a Switch 4500 Ethernet switch automatically adds a port connecting an IP voice device to the voice VLAN by learning the source MAC address of the untagged packets the IP voice device sends when it is powered on.
Table 1-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically Voice VLAN Voice assignment traffic Port type Supported or not mode type Access Not supported Supported Make sure the default VLAN of the port exists and is not Trunk Tagged a voice VLAN, and the access port permits the traffic of...
Table 1-3 Matching relationship between port types and voice devices acquiring voice VLAN through manual configuration Voice VLAN Port type Supported or not assignment mode Access Not supported Supported Make sure the default VLAN of the port exists and is not a Trunk voice VLAN, and the access port permits the traffic of the Automatic...
Voice VLAN mode / Packet type / Processing method
Security mode, packet carrying the voice VLAN tag: if the source MAC address matches the OUI list, the packet is transmitted in the voice VLAN; otherwise, the packet is dropped.
Security mode, packet carrying any other VLAN tag: the packet is forwarded or dropped based on whether the receiving port is assigned to the carried VLAN.
To do… / Use the command… / Remarks
Set the voice VLAN aging timer: voice vlan aging minutes (Optional; the default aging timer is 1440 minutes)
Enable the voice VLAN function globally: voice vlan vlan-id enable (Required)
Enter Ethernet port view: interface interface-type interface-number (Required)
Required...
To do… / Use the command… / Remarks
Enable the voice VLAN security mode: voice vlan security enable (Optional; by default, the voice VLAN security mode is enabled)
Set the voice VLAN aging timer: voice vlan aging minutes (Optional; the default aging timer is 1,440 minutes)
VLAN. If you have to do so, make sure that the voice VLAN does not operate in security mode. The voice VLAN legacy feature enables communication between a 3Com device and other vendors' voice devices by automatically adding the voice VLAN tag to the voice data coming from other vendors’...
Voice VLAN Configuration Example Voice VLAN Configuration Example (Automatic Voice VLAN Assignment Mode) Network requirements As shown in Figure 1-2, The MAC address of IP phone A is 0011-1100-0001. The phone connects to a downstream device named PC A whose MAC address is 0022-1100-0002 and to GigabitEthernet 1/0/1 on an upstream device named Device A.
Pingtel phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3Com phone
# Display the current status of the voice VLAN.
<DeviceA> display voice vlan status
Voice Vlan status: ENABLE
Voice Vlan ID: 2
Voice Vlan security mode: Security
Voice Vlan aging time: 1440 minutes...
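The OUI check described under “How Switch 4500 Series Switches Identify Voice Traffic” and the security-mode handling of Table 1-4, as an added Python example (not code from the 3Com guide). It uses the Polycom and 3Com OUI entries from the display output above; every other MAC address, the port's VLAN membership and the voice VLAN number are constructed test input. The normal-mode branch (no OUI check on frames tagged with the voice VLAN) follows from the note that non-voice traffic can only be sent in the voice VLAN when security mode is off.

```python
"""Voice VLAN OUI matching and security-mode frame handling (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set


def mac_to_int(mac: str) -> int:
    """Parse 'hhhh-hhhh-hhhh' (3Com style) or 'hh:hh:hh:hh:hh:hh' into an int."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError("bad MAC address: %r" % mac)
    return int(digits, 16)


@dataclass(frozen=True)
class OuiEntry:
    oui: int          # OUI address, e.g. 00e0-7500-0000
    mask: int         # bits of the source MAC that must match, e.g. ffff-ff00-0000
    description: str


def oui_entry(oui: str, mask: str, description: str) -> OuiEntry:
    return OuiEntry(mac_to_int(oui), mac_to_int(mask), description)


# OUI list as shown in the guide's display output (24-bit masks).
OUI_LIST: List[OuiEntry] = [
    oui_entry("00e0-7500-0000", "ffff-ff00-0000", "Polycom phone"),
    oui_entry("00e0-bb00-0000", "ffff-ff00-0000", "3Com phone"),
]


def match_oui(src_mac: str, oui_list: List[OuiEntry] = OUI_LIST) -> Optional[OuiEntry]:
    """Return the first OUI entry whose masked bits equal the source MAC's, else None."""
    src = mac_to_int(src_mac)
    for entry in oui_list:
        if src & entry.mask == entry.oui & entry.mask:
            return entry
    return None


def voice_port_action(src_mac: str, frame_vlan: int, voice_vlan: int,
                      port_vlans: Set[int], security_mode: bool = True,
                      oui_list: List[OuiEntry] = OUI_LIST) -> str:
    """Decide what a voice VLAN port does with a tagged frame.

    security_mode=True follows Table 1-4: a frame tagged with the voice VLAN is
    forwarded in the voice VLAN only if its source MAC matches the OUI list and
    is dropped otherwise; a frame tagged with any other VLAN is forwarded or
    dropped according to whether the port is assigned to that VLAN.
    security_mode=False models normal mode: voice-VLAN-tagged frames are not
    OUI-checked. Returns "forward-voice", "forward" or "drop".
    """
    if frame_vlan == voice_vlan:
        if security_mode and match_oui(src_mac, oui_list) is None:
            return "drop"
        return "forward-voice"
    return "forward" if frame_vlan in port_vlans else "drop"


if __name__ == "__main__":
    # Constructed frames: a Polycom phone and PC A (0022-1100-0002 from the example).
    for mac, vlan in (("00e0-7500-1234", 2), ("0022-1100-0002", 2), ("0022-1100-0002", 1)):
        print(mac, "tagged", vlan, "->", voice_port_action(mac, vlan, 2, {1, 2}))
```

Because the match is on the source MAC alone, a workstation that sets its MAC to 00e0-bb00-0001 passes the same check as a 3Com phone; security mode keeps other hosts out of the voice VLAN, but it is not an authentication mechanism.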
Voice VLAN Configuration Example (Manual Voice VLAN Assignment Mode) Network requirements Create a voice VLAN and configure it to operate in manual voice VLAN assignment mode. Add the port to which an IP phone is connected to the voice VLAN to enable voice traffic to be transmitted within the voice VLAN.
Pingtel phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3Com phone
# Display the status of the current voice VLAN.
<DeviceA> display voice vlan status
Voice Vlan status: ENABLE
Voice Vlan ID: 2
Voice Vlan security mode: Security
Voice Vlan aging time: 1440 minutes...
Table of Contents
1 Port Basic Configuration 1-1
  Ethernet Port Configuration 1-1
    Combo Port Configuration 1-1
    Initially Configuring a Port 1-1
    Configuring Port Auto-Negotiation Speed 1-2
    Limiting Traffic on Individual Ports 1-3
    Enabling Flow Control on a Port 1-4
    Duplicating the Configuration of a Port to Other Ports 1-4
    Configuring Loopback Detection for an Ethernet Port 1-5
    Enabling Loopback Test 1-6
    Enabling the System to Test Connected Cable 1-6...
Port Basic Configuration
When performing basic port configuration, go to these sections for information you are interested in:
Ethernet Port Configuration
Ethernet Port Configuration Example
Troubleshooting Ethernet Port Configuration
Ethernet Port Configuration
Combo Port Configuration
Introduction to Combo port
A Combo port can operate as either an optical port or an electrical port. Inside the device there is only one forwarding interface.
To do... / Use the command... / Remarks
Enter system view: system-view
Enter Ethernet port view: interface interface-type interface-number
Enable the Ethernet port: undo shutdown (Optional; by default, the port is enabled. Use the shutdown command to disable the port.)
Set the description string: (Optional; by default, the description string of an...
Follow these steps to configure auto-negotiation speeds for a port:
To do... / Use the command... / Remarks
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number
Configure the available auto-negotiation speed(s): speed auto [ 10 | 100 | ... (Optional; by default, the port speed is determined through auto-negotiation)
To do... / Use the command... / Remarks
Limit unknown unicast traffic received on the current port: unicast-suppression { ratio | pps max-pps } (Optional; by default, the switch does not suppress unknown unicast traffic)
Enabling Flow Control on a Port
Flow control is enabled on both the local and peer switches. If congestion occurs on the local switch: the local switch sends a message to notify the peer switch to stop sending packets to it or to reduce the sending rate temporarily.
If you specify a source aggregation group ID, the system will use the port with the smallest port number in the aggregation group as the source. If you specify a destination aggregation group ID, the configuration of the source port will be copied to all ports in the aggregation group and all ports in the group will have the same configuration as that of the source port.
To enable loopback detection on a specific port, you must use the loopback-detection enable command in both system view and the specific port view. After you use the undo loopback-detection enable command in system view, loopback detection will be disabled on all ports. Enabling Loopback Test You can configure the Ethernet port to run loopback test to check if it operates normally.
To do... / Use the command... / Remarks
Enter system view: system-view
Enter Ethernet port view: interface interface-type interface-number
Enable the system to test connected cables: virtual-cable-test (Required)
Configuring the Interval to Perform Statistical Analysis on Port Traffic
By performing the following configuration, you can set the interval at which statistical analysis is performed on the traffic of a port.
The port state change delay takes effect when the port goes down but not when the port goes up. Follow these steps to set the port state change delay: To do … Use the command … Remarks Enter system view —...
To do... / Use the command... / Remarks
Clear port statistics: reset counters interface [ interface-type | interface-type interface-number ] (Available in user view. After 802.1x is enabled on a port, clearing the statistics on the port will not work.)
Ethernet Port Configuration Example
Network requirements
Switch A and Switch B are connected to each other through trunk ports (Ethernet 1/0/1).
Troubleshooting Ethernet Port Configuration Symptom: Fail to configure the default VLAN ID of an Ethernet port. Solution: Take the following steps: Use the display interface or display port command to check if the port is a trunk port or a hybrid port.
Table of Contents
1 Link Aggregation Configuration 1-1
  Overview 1-1
    Introduction to Link Aggregation 1-1
    Introduction to LACP 1-1
    Consistency Considerations for the Ports in Aggregation 1-1
  Link Aggregation Classification 1-2
    Manual Aggregation Group 1-2
    Static LACP Aggregation Group 1-3
    Dynamic LACP Aggregation Group 1-4
  Aggregation Group Categories 1-5
  Link Aggregation Configuration 1-6
    Configuring a Manual Aggregation Group 1-6...
Link Aggregation Configuration
When configuring link aggregation, go to these sections for information you are interested in:
Overview
Link Aggregation Classification
Aggregation Group Categories
Link Aggregation Configuration
Displaying and Maintaining Link Aggregation Configuration
Link Aggregation Configuration Example
Overview
Introduction to Link Aggregation
Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called an aggregation group.
TPID on the ports
State of inner-to-outer tag priority replication (enabled or disabled)
The Switch 4500 family supports cross-device link aggregation if XRN fabric is enabled.
Link Aggregation Classification
Depending on the aggregation mode, the following three types of link aggregation exist:...
In a manual aggregation group, the system sets the ports to the selected or unselected state according to the following rules. Among the ports in the aggregation group that are in the up state, the system chooses as the master port the one whose setting is highest in this descending order: full duplex/high speed, full duplex/low speed, half duplex/high speed, half duplex/low speed.
There is a limit on the number of selected ports in an aggregation group. Therefore, if the number of the selected ports in an aggregation group exceeds the maximum number supported by the device, those with lower port numbers operate as the selected ports, and others as unselected ports. Dynamic LACP Aggregation Group Introduction to dynamic LACP aggregation group A dynamic LACP aggregation group is automatically created and removed by the system.
Aggregation Group Categories
Depending on whether load sharing is implemented, aggregation groups are either load-sharing or non-load-sharing aggregation groups. When load sharing is implemented, for IP packets the system load-shares based on the source IP address and destination IP address;...
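The selection rules for a manual aggregation group (master port election by duplex and speed among up ports, unselected ports for mismatching settings, and the lower-numbered ports winning when the selected-port limit is exceeded) plus load sharing of IP packets by source and destination address, as an added Python example; it is not code from the 3Com guide. Two points are assumptions the page does not state: ties for master go to the lowest port number, and the hash (XOR of the two IPv4 addresses modulo the number of selected links) is illustrative, since the switch's actual load-sharing algorithm is not documented here. The port group is constructed.

```python
"""Manual aggregation group election and IP load sharing (added example)."""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AggPort:
    name: str          # e.g. "Ethernet1/0/1"
    number: int        # port number; lower-numbered ports win when limits apply
    up: bool
    full_duplex: bool
    speed_mbps: int


def _setting(p: AggPort) -> Tuple[bool, int]:
    # Ordering key from the text: full duplex beats half duplex, then higher speed wins.
    return (p.full_duplex, p.speed_mbps)


def elect(ports: List[AggPort], max_selected: int) -> Tuple[Optional[str], List[str], List[str]]:
    """Return (master, selected, unselected) port names for a manual aggregation group."""
    up = [p for p in ports if p.up]
    if not up:
        return None, [], [p.name for p in ports]          # nothing up: nothing selected
    # Assumption: among ports with the same best setting, the lowest number is master.
    master = max(up, key=lambda p: (_setting(p), -p.number))
    # Only ports with the master's duplex/speed can be selected (same basic configuration).
    same = sorted((p for p in up if _setting(p) == _setting(master)), key=lambda p: p.number)
    selected = [p.name for p in same[:max_selected]]    # excess ports become unselected
    unselected = [p.name for p in ports if p.name not in selected]
    return master.name, selected, unselected


def choose_link(selected: List[str], src_ip: str, dst_ip: str) -> str:
    """Pick the selected link carrying an IP flow (illustrative, symmetric hash)."""
    if not selected:
        raise ValueError("no selected ports in the aggregation group")
    key = int(ipaddress.ip_address(src_ip)) ^ int(ipaddress.ip_address(dst_ip))
    return selected[key % len(selected)]


# Constructed sample group: two 1000 Mbps full-duplex ports, one 100 Mbps port,
# one port that is down and one half-duplex port.
SAMPLE_GROUP = [
    AggPort("Ethernet1/0/1", 1, True, True, 100),
    AggPort("Ethernet1/0/2", 2, True, True, 1000),
    AggPort("Ethernet1/0/3", 3, True, True, 1000),
    AggPort("Ethernet1/0/4", 4, False, True, 1000),
    AggPort("Ethernet1/0/5", 5, True, False, 1000),
]

if __name__ == "__main__":
    master, selected, unselected = elect(SAMPLE_GROUP, max_selected=8)
    print("master:", master, "selected:", selected, "unselected:", unselected)
    print("10.1.1.1 -> 10.1.1.2 uses", choose_link(selected, "10.1.1.1", "10.1.1.2"))
```

Run with a smaller max_selected to see the lower-numbered port kept and the other moved to unselected; a group in which only one port is up still elects that port as master.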
Link Aggregation Configuration
The link aggregation commands cannot be configured together with the port loopback detection feature. Ports on which the mac-address max-mac-count command is configured cannot be added to an aggregation group; conversely, the mac-address max-mac-count command cannot be configured on a port that has already been added to an aggregation group.
When you change a dynamic or static group to a manual group, the system automatically disables LACP on the member ports. When you change a dynamic group to a static group, the system keeps LACP enabled on the member ports. When a manual or static aggregation group contains only one port, you cannot remove the port unless you remove the whole aggregation group.
You need to enable LACP on the ports which you want to participate in dynamic aggregation of the system, because, only when LACP is enabled on those ports at both ends, can the two parties reach agreement in adding/removing ports to/from dynamic aggregation groups. You cannot enable LACP on a port which is already in a manual aggregation group.
If you have saved the current configuration with the save command, after a system reboot the configuration of manual and static aggregation groups and their descriptions still exists, but that of dynamic aggregation groups and their descriptions is lost. Displaying and Maintaining Link Aggregation Configuration To do…...
Configuration procedure
The following lists only the configuration on Switch A; you must perform similar configuration on Switch B to implement link aggregation.
Adopting manual aggregation mode
# Create manual aggregation group 1.
<Sysname> system-view
[Sysname] link-aggregation group 1 mode manual
# Add Ethernet 1/0/1 through Ethernet 1/0/3 to aggregation group 1.
[Sysname] interface Ethernet1/0/3
[Sysname-Ethernet1/0/3] lacp enable
The three LACP-enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration (such as rate, duplex mode, and so on).
Table of Contents
1 Port Isolation Configuration 1-1
  Port Isolation Overview 1-1
  Port Isolation Configuration 1-1
  Displaying and Maintaining Port Isolation Configuration 1-2
  Port Isolation Configuration Example 1-2...
The ports in an isolation group may reside on the same switch or on different units of an XRN fabric. Currently, you can create only one isolation group on a Switch 4500 series switch. The number of Ethernet ports in an isolation group is not limited.
Switch 4500 series switches support cross-device port isolation if XRN fabric is enabled. For Switch 4500 series switches belonging to the same XRN Fabric, the port isolation configuration performed on a port of a cross-device aggregation group cannot be synchronized to the other ports of the aggregation group if the ports reside on other units.
Network diagram Figure 1-1 Network diagram for port isolation configuration Configuration procedure # Add Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 to the isolation group. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface ethernet1/0/2 [Sysname-Ethernet1/0/2] port isolate [Sysname-Ethernet1/0/2] quit [Sysname] interface ethernet1/0/3 [Sysname-Ethernet1/0/3] port isolate [Sysname-Ethernet1/0/3] quit...
Table of Contents
1 Port Security Configuration 1-1
  Port Security Overview 1-1
    Introduction 1-1
    Port Security Features 1-1
    Port Security Modes 1-1
  Port Security Configuration Task List 1-4
    Enabling Port Security 1-5
    Setting the Maximum Number of MAC Addresses Allowed on a Port 1-5
    Setting the Port Security Mode 1-6
    Configuring Port Security Features 1-7
    Ignoring the Authorization Information from the RADIUS Server 1-8
    Configuring Security MAC Addresses 1-9...
Port Security Configuration
When configuring port security, go to these sections for information you are interested in:
Port Security Overview
Port Security Configuration Task List
Displaying and Maintaining Port Security Configuration
Port Security Configuration Examples
Port Security Overview
Introduction
Port security is a security mechanism for network access control. It extends 802.1x and MAC address authentication.
Table 1-1 Description of port security modes (Security mode / Description / Feature)
noRestriction: In this mode, access to the port is not restricted. Neither the NTK nor the intrusion protection feature is triggered.
autolearn: In this mode, a port can learn a specified number of MAC addresses and save those addresses as security MAC addresses.
userlogin: In this mode, port-based 802.1x authentication is performed for access users. Neither NTK nor intrusion protection will be triggered.
In the following mode, MAC-based 802.1x authentication is performed on the access user. The port is enabled only after the authentication succeeds.
macAddressElseUserLoginSecure: In this mode, a port performs MAC authentication of an access user first. If the authentication succeeds, the user is authenticated. Otherwise, the port performs 802.1x authentication of the user. In this mode, there can be only one 802.1x-authenticated user on the port, but there can be several MAC-authenticated users.
Task Remarks Configuring Security MAC Addresses Optional Enabling Port Security Configuration Prerequisites Before enabling port security, you need to disable 802.1x and MAC authentication globally. Enabling Port Security Follow these steps to enable port security: To do... Use the command... Remarks Enter system view —...
This setting is different from the maximum number of MAC addresses a port can learn, which is configured in MAC address management. Follow these steps to set the maximum number of MAC addresses allowed on a port: To do... Use the command...
Before setting the port security mode to autolearn, you need to set the maximum number of MAC addresses allowed on the port with the port-security max-mac-count command. When the port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port.
To do... / Use the command... / Remarks
Set the timer during which the port remains disabled: port-security timer disableport timer (Optional; 20 seconds by default)
The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled.
Configuring Security MAC Addresses Security MAC addresses are special MAC addresses that never age out. One security MAC address can be added to only one port in the same VLAN so that you can bind a MAC address to one port in the same VLAN.
Displaying and Maintaining Port Security Configuration
To do... / Use the command... / Remarks
Display information about port security configuration: display port-security [ interface interface-list ] (Available in any view)
Display information about security MAC address configuration: display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] (Available in any view)
Port Security Configuration Examples...
[Switch-Ethernet1/0/1] mac-address security 0001-0002-0003 vlan 1
# Configure the port to be silent for 30 seconds after intrusion protection is triggered.
[Switch-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily
[Switch-Ethernet1/0/1] quit
[Switch] port-security timer disableport 30
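The behaviour configured above, as an added Python simulation (not code from the 3Com guide): a port in autolearn mode with security MAC addresses that are either configured (mac-address security) or learned up to port-security max-mac-count and never age out, and intrusion protection in disableport-temporarily mode that shuts the port for port-security timer disableport seconds (20 by default, 30 in the example). Assumptions: once the limit is reached a frame from any other source MAC counts as an intrusion, and the permanent "disableport" action is included only for contrast. Apart from 0001-0002-0003 from the example, the MAC addresses are constructed, and time is passed in explicitly.

```python
"""Port security autolearn with intrusion protection (added example)."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple
import math

DEFAULT_DISABLE_TIMER = 20.0   # port-security timer disableport default, in seconds


@dataclass
class SecurePort:
    max_mac_count: int
    intrusion_mode: str = "disableport-temporarily"   # or "disableport" (assumed permanent)
    disable_timer: float = DEFAULT_DISABLE_TIMER
    security_macs: Set[str] = field(default_factory=set)
    disabled_until: float = 0.0
    intrusions: List[Tuple[float, str]] = field(default_factory=list)

    def add_security_mac(self, mac: str) -> None:
        """Equivalent of 'mac-address security <mac> vlan <id>' on the port."""
        if len(self.security_macs) >= self.max_mac_count:
            raise ValueError("port-security max-mac-count reached")
        self.security_macs.add(mac.lower())

    def is_disabled(self, now: float) -> bool:
        return now < self.disabled_until

    def receive(self, src_mac: str, now: float) -> str:
        """Process a frame with the given source MAC at time 'now' (seconds)."""
        mac = src_mac.lower()
        if self.is_disabled(now):
            return "drop: port disabled"
        if mac in self.security_macs:
            return "forward"
        if len(self.security_macs) < self.max_mac_count:
            self.security_macs.add(mac)          # autolearn: becomes a security MAC
            return "learned"
        # The port already holds its full set of security MACs: unknown source = intrusion.
        self.intrusions.append((now, mac))
        if self.intrusion_mode == "disableport-temporarily":
            self.disabled_until = now + self.disable_timer
        elif self.intrusion_mode == "disableport":
            self.disabled_until = math.inf
        return "drop: intrusion"


def demo() -> List[str]:
    """Replays the example: max-mac-count 2, one configured MAC, 30 s disable timer."""
    port = SecurePort(max_mac_count=2, disable_timer=30.0)
    port.add_security_mac("0001-0002-0003")
    return [
        port.receive("0001-0002-0003", now=0.0),    # configured security MAC
        port.receive("0001-0002-0004", now=1.0),    # learned as the second security MAC
        port.receive("0001-0002-0005", now=2.0),    # third MAC: intrusion, port shut
        port.receive("0001-0002-0003", now=10.0),   # even a legitimate MAC is dropped now
        port.receive("0001-0002-0003", now=32.0),   # 30 s elapsed: port forwards again
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note the side effect the guide's timer setting is about: while the port is disabled the legitimate phone or PC behind it is cut off too, so a single spoofed frame is enough to take the port down for the timer period.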
DLDP Configuration
When configuring DLDP, go to these sections for information you are interested in:
Overview
DLDP Fundamentals
DLDP Configuration
DLDP Configuration Example
Overview
Device link detection protocol (DLDP) is a technology for dealing with unidirectional links that may occur in a network. If two switches, A and B, are connected via a pair of optical fiber cables, one used for sending from A to B and the other for sending from B to A, the link is a bidirectional link (two-way link).
Figure 1-2 Fiber broken or not connected (Device A GE1/0/49 and GE1/0/50 connected to Device B GE1/0/49 and GE1/0/50)
Device link detection protocol (DLDP) can detect the link status of an optical fiber cable or a copper twisted pair (such as super category 5 twisted pair). If DLDP finds a unidirectional link, it disables the related port automatically or prompts you to disable it manually, depending on the configuration, to avoid network problems.
DLDP packet type / Function
RSY advertisement packets (referred to as RSY packets hereafter): advertisement packets with the RSY flag set to 1. RSY packets are sent to request synchronization of neighbor information when neighbor information is not locally available or a neighbor information entry ages out.
DLDP Status
A link can be in one of these DLDP states: initial, inactive, active, advertisement, probe, disable, and delaydown.
Table 1-2 DLDP status (Status / Description)
Initial: initial status before DLDP is enabled.
Inactive: DLDP is enabled but the corresponding link is down.
Active: DLDP is enabled, and the link is up or a neighbor entry is cleared.
Advertisement: all neighbors communicate normally in both directions, or DLDP...
Timer / Description
Entry aging timer: when a new neighbor joins, a neighbor entry is created and the corresponding entry aging timer is started. When an advertisement packet is received from a neighbor, the neighbor entry is updated and its entry aging timer is restarted. In the normal mode, if no packet is received from the neighbor when...
Table 1-4 DLDP operating mode and neighbor entry aging (DLDP operating mode / Detecting a neighbor after the corresponding neighbor entry ages / Removing the neighbor entry immediately after the Entry timer expires / Triggering the Enhanced timer after an Entry timer expires)
Normal mode: Yes (when the enhanced timer...
Table 1-5 DLDP state and DLDP packet type (DLDP state / Type of the DLDP packets sent)
Active: advertisement packets, with the RSY flag set or not set.
Advertisement: advertisement packets.
Probe: probe packets.
A received DLDP packet is processed as follows: in authentication mode, the DLDP packet is authenticated and is dropped if it fails the authentication.
Table 1-7 Processing procedure when no echo packet is received from the neighbor (Condition / Processing procedure)
In normal mode, no echo packet is received when the echo waiting timer expires: DLDP switches to the disable state, outputs log and tracking information, and sends flush packets.
DLDP Configuration
Performing Basic DLDP Configuration
Follow these steps to perform basic DLDP configuration:
To do … / Use the command … / Remarks
Enter system view: system-view
Enable DLDP on all optical ports of the switch: dldp enable (Required)
Enter Ethernet interface view: interface interface-type interface-number
Enable...
When connecting two DLDP-enabled devices, make sure the software running on them is of the same version. Otherwise, DLDP may operate improperly. When you use the dldp enable/dldp disable command in system view to enable/disable DLDP on all optical ports of the switch, the configuration takes effect on the existing optical ports, instead of those added subsequently.
DLDP Configuration Example Network requirements As shown in Figure 1-4, Switch A and Switch B are connected through two pairs of fibers. Both of them support DLDP. All the ports involved operate in mandatory full duplex mode, with their rates all being 1,000 Mbps. Suppose the fibers between Switch A and Switch B are cross-connected.
# Set the DLDP handling mode for unidirectional links to auto.
[SwitchA] dldp unidirectional-shutdown auto
# Display the DLDP state.
[SwitchA] display dldp 1
When two switches are connected through fibers in a crossed way, two or three ports may be in the disable state, and the rest in the inactive state.
Table of Contents
1 MAC Address Table Management 1-1
  Overview 1-1
    Introduction to the MAC Address Table 1-1
    Introduction to MAC Address Learning 1-1
    Managing MAC Address Table 1-3
  MAC Address Table Management 1-4
    MAC Address Table Management Configuration Task List 1-4
    Configuring a MAC Address Entry 1-5
    Setting the MAC Address Aging Timer 1-6
    Setting the Maximum Number of MAC Addresses a Port Can Learn 1-6...
MAC Address Table Management
When configuring MAC address table management, go to these sections for information you are interested in: Overview; MAC Address Table Management; Displaying MAC Address Table Information; Configuration Example.
This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to Multicast Operation.
Generally, the majority of MAC address entries are created and maintained through MAC address learning. The following describes the MAC address learning process of a switch: As shown in Figure 1-1, User A and User B are both in VLAN 1. When User A communicates with User B, the packet from User A comes into the switch on GigabitEthernet 1/0/1.
Figure 1-4 MAC address learning diagram (3) At this time, the MAC address table of the switch includes two forwarding entries shown in Figure 1-5. When forwarding the response packet from User B to User A, the switch sends the response to User A through GigabitEthernet 1/0/1 (technically called unicast), because MAC-A is already in the MAC address table.
The MAC address aging timer only takes effect on dynamic MAC address entries. With the “destination MAC address triggered update function” enabled, when a switch finds a packet with a destination address matching one MAC address entry within the aging time, it updates the entry and restarts the aging timer.
Task: Enabling Destination MAC Address Triggered Update (Optional)
Configuring a MAC Address Entry
You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove a specific type of MAC address entries (dynamic or static MAC address entries).
Adding a MAC address entry in system view
You can add a MAC address entry in either system view or Ethernet port view.
When you add a MAC address entry, the current port must belong to the VLAN specified by the vlan argument in the command. Otherwise, the entry will not be added. If the VLAN specified by the vlan argument is a dynamic VLAN, after a static MAC address is added, it will become a static VLAN.
By setting the maximum number of MAC addresses that can be learned from individual ports, the administrator can control the number of MAC address entries that the MAC address table maintains dynamically. When the number of MAC address entries learned from a port reaches the set value, the port stops learning MAC addresses.
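The learning, aging and per-port limit behaviour described in the sections above, as an added Python simulation (not 3Com code, and not how the switch implements its table). The VLAN membership, the 300-second aging time, the port names and the MAC-A/MAC-B labels are constructed for the example; the scenario follows the User A / User B exchange of the learning diagrams and runs once with and once without the destination MAC address triggered update so the difference in aging is visible:

```python
"""MAC address table simulator: learning, aging, destination-MAC triggered
update, static entries and a per-port learning limit.  Added example; the
timings, VLAN membership and port names are assumptions."""
from dataclasses import dataclass


@dataclass
class Entry:
    port: str
    kind: str        # "dynamic" or "static"
    timer: float     # when the aging timer was last (re)started; unused for static


class MacTable:
    def __init__(self, vlan_ports, aging_time=300.0, dst_triggered_update=False):
        self.vlan_ports = vlan_ports            # {vlan: [ports]}, constructed membership
        self.aging_time = aging_time            # seconds; 300 is an assumed default
        self.dst_triggered_update = dst_triggered_update
        self.entries = {}                       # (vlan, mac) -> Entry
        self.max_learn = {}                     # port -> max dynamic entries it may learn

    def add_static(self, mac, vlan, port):
        # The port must belong to the VLAN, otherwise the entry is not added.
        if port not in self.vlan_ports.get(vlan, []):
            return False
        self.entries[(vlan, mac)] = Entry(port, "static", 0.0)
        return True

    def _dynamic_count(self, port):
        return sum(1 for e in self.entries.values()
                   if e.port == port and e.kind == "dynamic")

    def learn(self, mac, vlan, port, now):
        """Learn a source MAC; False when the port may not learn it."""
        e = self.entries.get((vlan, mac))
        if e is not None:
            if e.kind == "static":
                return False                    # learning never overrides a static entry
            e.port, e.timer = port, now         # refresh (or move) the dynamic entry
            return True
        limit = self.max_learn.get(port)
        if limit is not None and self._dynamic_count(port) >= limit:
            return False                        # limit reached: the port stops learning
        self.entries[(vlan, mac)] = Entry(port, "dynamic", now)
        return True

    def forward(self, src, dst, vlan, in_port, now):
        """Learn src, then return the egress ports for dst: unicast if known, else flood."""
        self.learn(src, vlan, in_port, now)
        e = self.entries.get((vlan, dst))
        if e is None:
            return sorted(p for p in self.vlan_ports[vlan] if p != in_port)
        if self.dst_triggered_update and e.kind == "dynamic":
            e.timer = now                       # a destination hit restarts the aging timer
        return [e.port]

    def age(self, now):
        """Remove dynamic entries whose aging timer expired; return their MACs."""
        expired = [k for k, e in self.entries.items()
                   if e.kind == "dynamic" and now - e.timer >= self.aging_time]
        for k in expired:
            del self.entries[k]
        return sorted(mac for _, mac in expired)


def demo(dst_triggered_update):
    ports = {1: ["GE1/0/1", "GE1/0/2", "GE1/0/3"]}
    t = MacTable(ports, aging_time=300, dst_triggered_update=dst_triggered_update)
    first = t.forward("MAC-A", "MAC-B", 1, "GE1/0/1", now=0)    # MAC-B unknown: flood
    reply = t.forward("MAC-B", "MAC-A", 1, "GE1/0/2", now=10)   # MAC-A known: unicast
    t.forward("MAC-B", "MAC-A", 1, "GE1/0/2", now=250)          # MAC-A seen only as destination
    aged = t.age(now=320)      # MAC-A learned at t=0 survives only if destination hits refreshed it
    t.max_learn["GE1/0/3"] = 1                                  # port may learn one address
    learned = [t.learn(m, 1, "GE1/0/3", now=330) for m in ("MAC-C", "MAC-D")]
    return {"first": first, "reply": reply, "aged": aged, "learned": learned}
```

With the triggered update disabled, MAC-A ages out at t=320 even though frames addressed to it kept arriving; with it enabled the entry stays. The learning limit is the mechanism a defender reaches for against MAC flooding on access ports: once the limit is reached the port simply stops learning rather than evicting other entries.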
Display the aging time of the dynamic MAC address entries in the MAC address table: display mac-address aging-time
Display the configured start port MAC address: display port-mac
Configuration Examples
Adding a Static MAC Address Entry Manually
Network requirements
The server connects to the switch through GigabitEthernet 1/0/2.
Auto Detect Configuration
When configuring the auto detect function, go to these sections for information you are interested in: Introduction to the Auto Detect Function; Auto Detect Configuration; Auto Detect Configuration Examples.
Introduction to the Auto Detect Function
The Auto Detect function uses Internet Control Message Protocol (ICMP) request/reply packets to test network connectivity regularly between the Auto Detect-enabled switch and the detected object.
Task: Auto Detect Implementation in VLAN Interface Backup (Optional)
Auto Detect Basic Configuration
Follow these steps to configure the auto detect function:
Enter system view: system-view
Create a detected group and enter detected group view: detect-group group-number (Required)
detect-list list-number ip...
To avoid such problems, you can configure another route to back up the static route and use the Auto Detect function to judge the validity of the static route. If the static route is valid, packets are forwarded according to the static route, and the other route is standby. If the static route is invalid, packets are forwarded according to the backup route.
Figure 1-1 Schematic diagram for VLAN interface backup
Using Auto Detect can help implement VLAN interface backup. When data can be transmitted through two VLAN interfaces on the switch to the same destination, configure one of the VLAN interfaces as the active interface and the other as the standby interface.
On Switch A, configure a static route to Switch C. Enable the static route when detected group 8 is reachable. To ensure normal operation of the auto detect function, configure a static route to Switch A on Switch C.
Network diagram
Figure 1-2 Network diagram for implementing the auto detect function in static route
Configuration procedure...
Network diagram
Figure 1-3 Network diagram for VLAN interface backup
Configuration procedure
Configure the IP addresses of all the interfaces as shown in Figure 1-3. The configuration procedure is omitted.
# Enter system view.
<SwitchA> system-view
# Create auto detected group 10.
[SwitchA] detect-group 10
# Add the IP address of 10.1.1.4 to detected group 10 to detect the reachability of the IP address, with the IP address of 192.168.1.2 as the next hop, and the detecting number set to 1.
MSTP Configuration
Go to these sections for information you are interested in: Overview; MSTP Configuration Task List; Configuring Root Bridge; Configuring Leaf Nodes; Performing mCheck Operation; Configuring Guard Functions; Configuring Digest Snooping; Configuring Rapid Transition; MSTP Maintenance Configuration; Enabling Trap Messages Conforming to 802.1d Standard; Displaying and Maintaining MSTP; MSTP Configuration Example.
Overview...
In STP, BPDUs come in two types:
Configuration BPDUs, used to calculate spanning trees and maintain the spanning tree topology.
Topology change notification (TCN) BPDUs, used to notify concerned devices of network topology changes, if any.
Basic concepts in STP
Root bridge
A tree network must have a root;...
A bridge ID consists of eight bytes, where the first two bytes represent the bridge priority of the device, and the latter six bytes represent the MAC address of the device. The default bridge priority of a 3Com switch 4500 is 32768. You can use a command to configure the bridge priority of a device. For details, see Configuring the Bridge Priority of the Current Switch.
Port ID A port ID used on a 3Com switch 4500 consists of two bytes, that is, 16 bits, where the first six bits represent the port priority, and the latter ten bits represent the port number. The default priority of all Ethernet ports on 3Com switches 4500 is 128. You can use commands to configure port priorities.
Table 1-2 Selection of the optimum configuration BPDU Step Description Upon receiving a configuration BPDU on a port, the device performs the following processing: If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device will discard the received configuration BPDU without doing any processing on the configuration BPDU of this port.
Step Description The device compares the calculated configuration BPDU with the configuration BPDU on the port whose role is to be determined, and acts as follows based on the comparison result: If the calculated configuration BPDU is superior, this port will serve as the designated port, and the configuration BPDU on the port will be replaced with the calculated configuration BPDU, which will be sent out periodically.
Device B, port BP1: BPDU of port {1, 0, 1, BP1}
Device B, port BP2: BPDU of port {1, 0, 1, BP2}
Device C, port CP1: BPDU of port {2, 0, 2, CP1}
Device C, port CP2: BPDU of port {2, 0, 2, CP2}
Comparison process and result on each device
The following table shows the comparison process and result on each device.
Table 1-5 Comparison process and result on each device
Device | Comparison process | BPDU of port after comparison
Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
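The comparison and port-role selection of Tables 1-2 to 1-5, as an added Python example (not 3Com code). It uses the {root bridge ID, root path cost, designated bridge ID, designated port ID} notation of the tables, encodes bridge IDs and port IDs with the byte layouts given above, and replays the Device A/B/C exchange. The MAC addresses and the link path costs are constructed; the mapping of the configured port priority (default 128) into the 6-bit priority field is an assumption made here, not stated on the page:

```python
"""Configuration-BPDU comparison and root/designated/blocked port selection.
Added example; bridge MACs, path costs and the port-priority encoding are
assumptions."""


def bridge_id(priority, mac):
    """Bridge ID: 2-byte bridge priority followed by the 6-byte MAC address."""
    mac_bytes = bytes(int(octet, 16) for octet in mac.split("-"))
    assert 0 <= priority <= 0xFFFF and len(mac_bytes) == 6
    return priority.to_bytes(2, "big") + mac_bytes


def port_id(priority, number):
    """Port ID: 6-bit priority followed by a 10-bit port number (16 bits).
    Assumption: the configured priority (default 128, a multiple of 4) is
    stored as priority/4 so that it fits into the 6-bit field."""
    assert 0 <= priority <= 252 and priority % 4 == 0 and 1 <= number <= 1023
    return ((priority // 4) << 10) | number


def superior(a, b):
    """BPDU a beats BPDU b when it is lexicographically smaller."""
    return a < b


class Bridge:
    def __init__(self, bid):
        self.bid = bid
        self.ports = {}        # name -> {"pid", "cost", "bpdu", "role"}

    def add_port(self, name, number, path_cost):
        pid = port_id(128, number)
        # On initiation every port carries a BPDU with this bridge as the root.
        self.ports[name] = {"pid": pid, "cost": path_cost,
                            "bpdu": (self.bid, 0, self.bid, pid), "role": None}

    def receive(self, name, bpdu):
        """Table 1-2: an inferior BPDU is discarded, a superior one replaces the port's."""
        p = self.ports[name]
        if superior(bpdu, p["bpdu"]):
            p["bpdu"] = bpdu
            return True
        return False

    def compute_roles(self):
        """Pick the root port, then decide designated and blocked ports."""
        def root_key(name):      # cost to the root via this port = received cost + port cost
            b, p = self.ports[name]["bpdu"], self.ports[name]
            return (b[0], b[1] + p["cost"], b[2], b[3])
        received = [n for n, p in self.ports.items() if p["bpdu"][2] != self.bid]
        root_port = min(received, key=root_key) if received else None
        if root_port is None or root_key(root_port)[0] > self.bid:
            for p in self.ports.values():   # no better bridge known: we are the root bridge
                p["bpdu"], p["role"] = (self.bid, 0, self.bid, p["pid"]), "designated"
            return self.roles()
        root_id, root_cost = root_key(root_port)[:2]
        for name, p in self.ports.items():
            if name == root_port:
                p["role"] = "root"
                continue
            calculated = (root_id, root_cost, self.bid, p["pid"])
            if p["bpdu"][2] == self.bid or superior(calculated, p["bpdu"]):
                p["bpdu"], p["role"] = calculated, "designated"
            else:
                p["role"] = "blocked"       # the peer's BPDU is better: this port is blocked
        return self.roles()

    def roles(self):
        return {name: p["role"] for name, p in self.ports.items()}


def converge(bridges, links, max_rounds=20):
    """Exchange BPDUs over links [(bridge, port, bridge, port)] until nothing changes."""
    for b in bridges.values():
        b.compute_roles()
    snapshot = lambda: {n: [(p["role"], p["bpdu"]) for p in b.ports.values()]
                        for n, b in bridges.items()}
    for _ in range(max_rounds):
        for b1, p1, b2, p2 in links:
            for src, sp, dst, dp in ((b1, p1, b2, p2), (b2, p2, b1, p1)):
                if bridges[src].ports[sp]["role"] == "designated":
                    bridges[dst].receive(dp, bridges[src].ports[sp]["bpdu"])
        before = snapshot()
        for b in bridges.values():
            b.compute_roles()
        if snapshot() == before:
            break
    return {n: b.roles() for n, b in bridges.items()}


def demo():
    # Equal priorities, so the lowest MAC (Device A) becomes the root bridge.
    a = Bridge(bridge_id(32768, "00-e0-fc-00-00-01"))
    b = Bridge(bridge_id(32768, "00-e0-fc-00-00-02"))
    c = Bridge(bridge_id(32768, "00-e0-fc-00-00-03"))
    a.add_port("AP1", 1, 5);  a.add_port("AP2", 2, 10)     # constructed path costs
    b.add_port("BP1", 1, 5);  b.add_port("BP2", 2, 4)
    c.add_port("CP1", 1, 10); c.add_port("CP2", 2, 4)
    links = [("A", "AP1", "B", "BP1"), ("A", "AP2", "C", "CP1"), ("B", "BP2", "C", "CP2")]
    return converge({"A": a, "B": b, "C": c}, links)
```

With these costs Device C first takes CP1 as its root port (cost 10 straight to A), then learns from Device B's updated BPDU that the path via CP2 costs only 9 and switches, leaving CP1 blocked; this is the kind of re-selection that root guard and BPDU guard, described later in this chapter, exist to constrain on ports that should never receive a better BPDU.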
Figure 1-3 The final calculated spanning tree To facilitate description, the spanning tree calculation process in this example is simplified, while the actual process is more complicated. The BPDU forwarding mechanism in STP Upon network initiation, every switch regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular interval of hello time.
For this reason, the protocol uses a state transition mechanism: a newly elected root port and the designated ports must go through a period, which is twice the forward delay time, before they transition to the forwarding state. The period allows the new configuration BPDUs to be propagated throughout the entire network.
MSTP supports mapping VLANs to Multiple Spanning Tree (MST) instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP introduces instances (each of which integrates multiple VLANs into a set) and can bind multiple VLANs to an instance, thus saving communication overhead and improving resource utilization.
MSTI A multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region. Multiple spanning trees can be established in one MST region. These spanning trees are independent of each other. For example, each region in Figure 1-4 contains multiple spanning trees known as MSTIs.
A region boundary port is located on the boundary of an MST region and is used to connect one MST region to another MST region, an STP-enabled region or an RSTP-enabled region. An alternate port is a secondary port of a root port or master port and is used for rapid transition. With the root port or master port being blocked, the alternate port becomes the new root port or master port.
STP and RSTP and use them for their respective spanning tree calculation. The 3Com switches 4500 support MSTP. After MSTP is enabled on a switch 4500, the switch operates in MSTP mode by default. If the network contains switches that run the STP/RSTP protocol, you can...
In addition to the basic MSTP functions, the 3Com Switch 4500 also provides the following functions for users to manage their switches: root bridge hold, root bridge backup, root guard, BPDU guard, loop guard, and TC-BPDU attack guard.
Protocols and Standards
MSTP is documented in: IEEE 802.1D: spanning tree protocol...
Configuring the Maximum Transmitting Rate on the Current Port: Optional. The default value is recommended.
Configuring the Current Port as an Edge Port: Optional
Setting the Link Type of a Port to P2P: Optional
Enabling MSTP: Required. To prevent network topology jitter caused by other related configurations, you are recommended to enable MSTP...
802.1s-defined protocol selector, which is 0 by default and cannot be configured), MST region name, VLAN-to-instance mapping table, and revision level. The 3Com switches 4500 support only the MST region name, VLAN-to-instance mapping table, and revision level. Switches with the settings of these parameters being the same are assigned to the same MST region.
Configuration example
# Configure an MST region named info, with the MSTP revision level being level 1, VLAN 2 through VLAN 10 being mapped to MSTI 1, and VLAN 20 through VLAN 30 being mapped to MSTI 2.
<Sysname> system-view
[Sysname] stp region-configuration
[Sysname-mst-region] region-name info
[Sysname-mst-region] instance 1 vlan 2 to 10
[Sysname-mst-region] instance 2 vlan 20 to 30...
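The region-membership rule stated above (same name, VLAN-to-instance mapping table and revision level), as an added Python example that is not 3Com code. It parses the region-name and instance ... vlan ... lines of the configuration example into a full VLAN-to-instance table and compares two switches. Assumptions: the revision level is entered as a revision-level line (the page names the parameter but the command line is not shown), unmapped VLANs map to instance 0 (the CIST), and the digest is a stand-in hash over the serialized table rather than the HMAC-MD5 digest defined by IEEE 802.1s, which is why this code cannot reproduce the mismatch with other vendors' proprietary digests that the digest snooping section addresses:

```python
"""MST region configuration parser and region-membership check.  Added
example; the revision-level spelling, the CIST default and the stand-in
digest are assumptions."""
import hashlib

MAX_VLAN = 4094


def parse_vlan_list(tokens):
    """'2 to 10' or '2 to 10 12 15 to 16' -> list of VLAN IDs."""
    vids, i = [], 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vids.extend(range(start, int(tokens[i + 2]) + 1))
            i += 3
        else:
            vids.append(start)
            i += 1
    return vids


def parse_region_config(commands):
    """Lines from MST region view -> (name, revision, {vlan: instance})."""
    name, revision = "", 0
    table = {vid: 0 for vid in range(1, MAX_VLAN + 1)}   # default: every VLAN in the CIST
    for line in commands:
        words = line.split()
        if not words:
            continue
        if words[0] == "region-name":
            name = words[1]
        elif words[0] == "revision-level":          # assumed command spelling
            revision = int(words[1])
        elif words[0] == "instance" and len(words) > 3 and words[2] == "vlan":
            for vid in parse_vlan_list(words[3:]):
                table[vid] = int(words[1])
    return name, revision, table


def config_digest(table):
    """Stand-in digest: hash of the table serialized as 2-byte instance IDs in
    VLAN order.  Not the 802.1s HMAC-MD5; it only shows that the table alone
    decides whether two digests agree."""
    data = b"".join(table[vid].to_bytes(2, "big") for vid in sorted(table))
    return hashlib.sha256(data).hexdigest()


def same_region(cfg_a, cfg_b):
    """Two switches share an MST region only if name, revision and digest match."""
    (name_a, rev_a, tab_a), (name_b, rev_b, tab_b) = cfg_a, cfg_b
    return (name_a == name_b and rev_a == rev_b
            and config_digest(tab_a) == config_digest(tab_b))


def demo():
    # Constructed input: the configuration example above, plus a revision level.
    switch_a = ["region-name info", "revision-level 1",
                "instance 1 vlan 2 to 10", "instance 2 vlan 20 to 30"]
    switch_b = list(switch_a)
    switch_c = ["region-name info", "revision-level 1",
                "instance 1 vlan 2 to 11", "instance 2 vlan 20 to 30"]   # VLAN 11 differs
    a, b, c = (parse_region_config(s) for s in (switch_a, switch_b, switch_c))
    return {"a_b": same_region(a, b), "a_c": same_region(a, c), "vlan25": a[2][25]}
```

Because a single extra VLAN in one mapping changes the digest, a switch that silently differs from its neighbours ends up in a region of its own, with the link between them treated as a region boundary; checking the three parameters side by side is the first thing to do when an expected MSTI does not form.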
Using the stp root primary/stp root secondary command, you can specify the current switch as the root bridge or the secondary root bridge of the MSTI identified by the instance-id argument. If the value of the instance-id argument is set to 0, the stp root primary/stp root secondary command specifies the current switch as the root bridge or the secondary root bridge of the CIST.
Set the bridge priority for the current switch: stp [ instance instance-id ] priority priority (Required. The default bridge priority of a switch is 32,768.)
Once you specify a switch as the root bridge or a secondary root bridge by using the stp root primary or stp root secondary command, the bridge priority of the switch cannot be configured any more.
Enter system view: system-view
Enter Ethernet port view: interface interface-type interface-number
Configure how a port recognizes and sends MSTP packets: stp compliance { auto | dot1s | legacy } (Required. By default, a port recognizes and sends MSTP packets in the automatic mode. That is, it determines the format of...)
<Sysname> system-view
[Sysname] stp mode stp
Configuring the Maximum Hop Count of an MST Region
The maximum hop count configured on the region root is also the maximum hops of the MST region. The value of the maximum hop count limits the size of the MST region. A configuration BPDU contains a field that maintains the remaining hops of the configuration BPDU.
Enter system view: system-view
Configure the network diameter of the switched network: stp bridge-diameter bridgenumber (Required. The default network diameter of a network is 7.)
The network diameter parameter indicates the size of a network. The bigger the network diameter is, the larger the network size is.
The forward delay parameter and the network diameter are correlated. Normally, a large network diameter corresponds to a large forward delay. A forward delay that is too small may result in temporary redundant paths, and one that is too large may prevent the network from resuming its normal state in time after the network changes.
Configuration procedure
Follow these steps to configure the timeout time factor:
Enter system view: system-view
Configure the timeout time factor for the switch: stp timer-factor number (Required. The timeout time factor defaults to 3. For a steady network, the timeout time can be five to seven times the hello time.)
As the maximum transmitting rate parameter determines the number of the configuration BPDUs transmitted in each hello time, set it to a proper value to prevent MSTP from occupying too many network resources. The default value is recommended. Configuration example # Set the maximum transmitting rate of Ethernet 1/0/1 to 15.
You are recommended to configure the Ethernet ports connected directly to terminals as edge ports and enable the BPDU guard function at the same time. This not only enables these ports to turn to the forwarding state rapidly but also secures your network. Configuration example # Configure Ethernet 1/0/1 as an edge port.
Specify whether the link connected to a port is a point-to-point link: stp point-to-point { force-true | force-false | auto } (Required. The auto keyword is adopted by default.)
If you configure the link connected to a port in an aggregation group as a point-to-point link, the configuration will be synchronized to the rest of the ports in the same aggregation group.
Enter system view: system-view
Enable MSTP: stp enable (Required. MSTP is enabled globally by default.)
Enter Ethernet port view: interface interface-type interface-number
Disable MSTP on the port: stp disable (Optional. By default, MSTP is enabled on all ports. To enable a switch to operate more flexibly, you can disable MSTP on...)
Configuring the Path Cost for a Port The path cost parameter reflects the rate of the link connected to the port. For a port on an MSTP-enabled switch, the path cost may be different in different MSTIs. You can enable flows of different VLANs to travel along different physical links by configuring appropriate path costs on ports, so that VLAN-based load balancing can be implemented.
When calculating the path cost of an aggregated link, the 802.1D-1998 standard does not take the number of the ports on the aggregated link into account, whereas the 802.1T standard does. The following formula is used to calculate the path cost of an aggregated link: Path cost = 200,000,000 / link transmission rate Where, “link transmission rate”...
Perform this configuration in system view:
<Sysname> system-view
[Sysname] stp interface Ethernet 1/0/1 instance 1 port priority 16
Perform this configuration in Ethernet port view:
<Sysname> system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp instance 1 port priority 16
Setting the Link Type of a Port to P2P
Refer to Setting the Link Type of a Port to P2P.
Enter system view: system-view
Enter Ethernet port view: interface interface-type interface-number
Perform the mCheck operation: stp mcheck (Required)
Configuration Example
# Perform the mCheck operation on Ethernet 1/0/1.
Perform this configuration in system view:
<Sysname>...
<Sysname> system-view
[Sysname] stp bpdu-protection
As Gigabit ports of a 3Com switch 4500 cannot be shut down, the BPDU guard function is not applicable to these ports even if you enable the BPDU guard function and specify these ports to be MSTP edge ports.
Configuration procedure
Follow these steps to configure the root guard function in system view:
Enter system view: system-view
Enable the root guard function on specified ports: stp interface interface-list root-protection (Required. The root guard function is disabled by default.)
You are recommended to enable loop guard on the root port and alternate port of a non-root bridge. Loop guard, root guard, and edge port settings are mutually exclusive. With one of these functions enabled on a port, neither of the other two functions can take effect, even if you have configured it on the port.
MST region. This problem can be overcome by implementing the digest snooping feature. If a port on a 3Com switch 4500 is connected to another manufacturer's switch that has the same MST region-related configuration as its own but adopts a proprietary spanning tree protocol, you can enable digest snooping on the port.
BPDUs to be sent to the other manufacturer's switch. In this way, the switch 4500 can communicate with another manufacturer's switches in the same MST region. The digest snooping function is not applicable to edge ports.
When the digest snooping feature is enabled on a port, the port state turns to the discarding state. That is, the port will not send BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port. The digest snooping feature is needed only when your switch is connected to another manufacturer’s switches adopting proprietary spanning tree protocols.
MSTP is connected in the upstream direction to another manufacturer's switch running proprietary spanning tree protocols, you can enable the rapid transition feature on the ports of the switch 4500 operating as the downstream switch. Among these ports, those operating as the root ports will then send agreement packets to their upstream ports after they receive proposal packets from the upstream designated ports, instead of waiting for agreement packets from the upstream switch.
Configuration prerequisites As shown in Figure 1-8, a 3Com switch 4500 is connected to another manufacturer's switch. The former operates as the downstream switch, and the latter operates as the upstream switch. The network operates normally. The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the way to implement rapid transition on designated ports.
The rapid transition feature can be enabled on only root ports or alternate ports. If you configure the rapid transition feature on a designated port, the feature does not take effect on the port. MSTP Maintenance Configuration Introduction In a large-scale network with MSTP enabled, there may be many MSTP instances, and so the status of a port may change frequently.
Configuration procedure
Follow these steps to enable trap messages conforming to the 802.1d standard:
Enter system view: system-view
Enable trap messages conforming to the 802.1d standard in an instance: stp [ instance instance-id ] dot1d-trap [ newroot | topologychange ] enable (Required)
Configuration example
# Enable a switch to send trap messages conforming to the 802.1d standard to the network management...
Network diagram
Figure 1-9 Network diagram for MSTP configuration
The word "permit" shown in Figure 1-9 means the corresponding link permits packets of specific VLANs.
Configuration procedure
Configure Switch A
# Enter MST region view.
<Sysname> system-view
[Sysname] stp region-configuration
# Configure the region name, VLAN-to-instance mapping table, and revision level for the MST region.
# Activate the settings of the MST region manually.
[Sysname-mst-region] active region-configuration
# Specify Switch B as the root bridge of MSTI 3.
[Sysname] stp instance 3 root primary
Configure Switch C
# Enter MST region view.
<Sysname> system-view
[Sysname] stp region-configuration
# Configure the MST region.
IP Routing Protocol Overview
Go to these sections for information you are interested in: Introduction to IP Route and Routing Table; Routing Protocol Overview; Displaying and Maintaining a Routing Table.
Introduction to IP Route and Routing Table
IP Route
Routers are used for route selection on the Internet. As a router receives a packet, it selects an appropriate route (through a network) according to the destination address of the packet and forwards the packet to the next router.
Preference: There may be multiple routes with different next hops to the same destination. These routes may be discovered by different routing protocols, or be manually configured static routes. The one with the highest preference (the smallest numerical value) will be selected as the current optimal route.
Routing Protocol Overview
Static Routing and Dynamic Routing
Static routing is easy to configure and requires fewer system resources. It works well in small, stable networks with simple topologies. It cannot adapt itself to any network topology change automatically, so you must perform routing configuration again whenever the network topology changes.
each routing protocol (including static routes) is assigned a priority. The route found by the routing protocol with the highest priority is preferred. The following table lists some routing protocols and the default priorities for routes found by them: Table 1-1 Routing protocols and priorities of their default route Routing approach Priority DIRECT...
routing information. Each routing protocol shares routing information discovered by other routing protocols through a route redistribution mechanism.
Displaying and Maintaining a Routing Table
Display brief information about a routing table: display ip routing-table [ | { begin | exclude | include } regular-expression ]
Display detailed information...
Static Route Configuration
When configuring a static route, go to these sections for information you are interested in: Introduction to Static Route; Static Route Configuration; Displaying and Maintaining Static Routes; Static Route Configuration Example; Troubleshooting a Static Route.
The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
Default Route
To avoid too large a routing table, you can configure a default route. When the destination address of a packet fails to match any entry in the routing table, the default route, if one exists in the routing table, is selected to forward the packet. If there is no default route, the packet is discarded and an ICMP Destination Unreachable or Network Unreachable packet is returned to the source.
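Route selection as described in the routing table overview (preference: smallest numerical value wins among routes to the same destination), the default route fallback just above, and the Auto Detect static route backup of the earlier chapter (a static route is valid only while its detected group is reachable), combined in one added Python example that is not 3Com code. The prefixes, next hops and preference values are constructed; the rule that a detected group is reachable only when every detected address replies, and the "more specific prefix wins before preference is considered" ordering, are assumptions made here, not statements of the page:

```python
"""Routing table lookup with longest-prefix match, protocol preference, a
default route and an Auto Detect-gated static route.  Added example; the
addresses, preference values and probe results are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    dest: str                  # prefix, e.g. "1.1.3.0/24"; "0.0.0.0/0" is the default route
    next_hop: str
    protocol: str
    preference: int            # smaller value = higher preference
    detect_group: int = None   # static route is valid only while this group is reachable


@dataclass
class DetectGroup:
    ips: list                  # detected IP addresses
    attempts: int = 1          # probes per address before it is declared unreachable

    def reachable(self, probe):
        """probe(ip) -> True when an ICMP echo reply came back (assumed: all must answer)."""
        return all(any(probe(ip) for _ in range(self.attempts)) for ip in self.ips)


class RoutingTable:
    def __init__(self):
        self.routes = []
        self.groups = {}       # detected group number -> DetectGroup

    def add(self, route):
        self.routes.append(route)

    def lookup(self, dst_ip, probe=lambda ip: True):
        """Return the selected Route, or None (the router would send ICMP unreachable)."""
        addr = ipaddress.ip_address(dst_ip)
        candidates = []
        for r in self.routes:
            if addr not in ipaddress.ip_network(r.dest):
                continue
            if r.detect_group is not None:
                g = self.groups.get(r.detect_group)
                if g is None or not g.reachable(probe):
                    continue   # Auto Detect says the static route is currently invalid
            candidates.append(r)
        if not candidates:
            return None
        # Most specific prefix first; among equal prefixes the smallest preference wins.
        return min(candidates,
                   key=lambda r: (-ipaddress.ip_network(r.dest).prefixlen, r.preference))


def build_table():
    t = RoutingTable()
    t.groups[8] = DetectGroup(["1.1.2.2"])
    t.add(Route("1.1.3.0/24", "1.1.2.2", "STATIC", 60, detect_group=8))   # primary, gated
    t.add(Route("1.1.3.0/24", "1.1.6.2", "STATIC", 100))                   # backup, worse preference
    t.add(Route("1.1.3.0/25", "1.1.7.2", "RIP", 100))                      # more specific prefix
    t.add(Route("0.0.0.0/0", "1.1.2.254", "STATIC", 60))                   # default route
    return t


def demo():
    t = build_table()
    up, down = (lambda ip: True), (lambda ip: False)     # constructed ICMP results
    return {
        "specific": t.lookup("1.1.3.10", up).next_hop,   # /25 beats /24 whatever the preference
        "primary": t.lookup("1.1.3.200", up).next_hop,   # equal prefixes: preference 60 wins
        "backup": t.lookup("1.1.3.200", down).next_hop,  # group down: primary invalid, backup used
        "default": t.lookup("8.8.8.8", up).next_hop,     # nothing more specific: default route
    }
```

The backup route carries a worse preference value on purpose: while the detected group answers, both static routes match but the primary is chosen; the moment the probes fail the primary is withdrawn and the same lookup falls through to the backup, which is exactly the failover the Auto Detect static route example configures.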
Display the brief information of a routing table: display ip routing-table
Display the detailed information of a routing table: display ip routing-table verbose
Display the information of static routes: display ip routing-table protocol static [ inactive | verbose ] (Available in ...)
Delete all static routes...
Perform the following configurations on the switch.
# Approach 1: Configure static routes on Switch A.
<SwitchA> system-view
[SwitchA] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2
[SwitchA] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2
[SwitchA] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2
# Approach 2: Configure a static route on Switch A.
<SwitchA>...
RIP Configuration When configuring RIP, go to these sections for information you are interested in: RIP Overview RIP Configuration Task List RIP Configuration Example Troubleshooting RIP Configuration The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
Interface: Outbound interface on this router, through which IP packets should be forwarded to reach the destination. Metric: Cost from the local router to the destination. Route time: Time elapsed since the routing entry was last updated. The time is reset to 0 every time the routing entry is updated.
Task | Remarks
Configuring Basic RIP Functions:
  Enabling RIP on the interfaces attached to a specified network segment | Required
  Setting the RIP operating status on an interface | Optional
  Specifying the RIP version on an interface | Optional
  Setting the additional routing metrics of an interface | Optional
Configuring RIP route summarization | Optional
...
Related RIP commands configured in interface view can take effect only after RIP is enabled. RIP operates on the interfaces attached to a specified network segment. When RIP is disabled on an interface, it does not operate on the interface, that is, it neither receives/sends routes on the interface, nor forwards any interface route.
Set the preference of RIP to change the preference order of routing protocols. This order makes sense when more than one route to the same destination is discovered by multiple routing protocols. Redistribute external routes in an environment with multiple routing protocols. Configuration Prerequisites Before configuring RIP route control, perform the following tasks: Configuring network layer addresses of interfaces so that adjacent nodes are reachable to each...
Follow these steps to configure RIP route summarization:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter RIP view | rip | Required
Enable RIP-2 automatic route summarization | summary | Enabled by default
Disabling the router from receiving host routes
In some special cases, the router can receive a lot of host routes from the same segment. These routes are of little help in route addressing but consume a lot of network resources.
The filter-policy import command filters the RIP routes received from neighbors, and the routes being filtered out will neither be added to the routing table nor be advertised to any neighbors. The filter-policy export command filters all the routes to be advertised, including the routes redistributed with the import-route command and routes learned from neighbors.
RIP Network Adjustment and Optimization In some special network environments, some RIP features need to be configured and RIP network performance needs to be adjusted and optimized. By performing the configuration mentioned in this section, the following can be implemented: Changing the convergence speed of RIP network by adjusting RIP timers;...
Split horizon cannot be disabled on a point-to-point link.
Configuring RIP-1 packet zero field check
Follow these steps to configure RIP-1 packet zero field check:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter RIP view | rip | Required
Enable the check of the "must be zero" fields in RIP-1 packets | checkzero | ...
Configuring RIP to unicast RIP packets
Follow these steps to configure RIP to unicast RIP packets:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter RIP view | rip | Required
Configure RIP to unicast RIP packets | peer ip-address | When RIP runs on a link that does not support broadcast or multicast, you must configure RIP to...
Switch C | Vlan-int1 | 110.11.2.3/24
Switch C | Vlan-int4 | 117.102.0.1/16
Configuration procedure
Only the configuration related to RIP is listed below. Before the following configuration, make sure the Ethernet link layer works normally and the IP addresses of the VLAN interfaces are configured correctly.
Configure Switch A:
# Configure RIP.
IP Route Policy Configuration When configuring an IP route policy, go to these sections for information you are interested in: IP Route Policy Overview IP Route Policy Configuration Task List Displaying IP Route Policy IP Route Policy Configuration Example Troubleshooting IP Route Policy The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
For ACL configuration, refer to the part discussing ACLs.
IP-prefix list
An IP-prefix list plays a role similar to an ACL, but it is more flexible and easier to understand. When an IP-prefix list is applied to filter routing information, its matching object is the destination address field of the routing information.
if-match clause: Defines matching rules; that is, the filtering conditions that the routing information should satisfy for passing the current route policy. The matching objects are some attributes of the routing information. apply clause: Specifies actions, which are the configuration commands executed after a route satisfies the filtering conditions specified by the if-match clause.
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter route-policy view | route-policy route-policy-name { permit | deny } node node-number | Required
Define a rule to match the IP address of routing information | if-match { acl acl-number | ip-prefix ip-prefix-name } | Optional. By default, no matching is performed on... information...
IP-Prefix Configuration
An IP-prefix list plays a role similar to an ACL but is more flexible and easier to understand. When an IP-prefix list is applied to filter routing information, its matching object is the destination address field of the routing information.
Configuration Prerequisites
Before configuring a filter list, prepare the following data: the IP-prefix name and the range of addresses to be matched...
IP Route Policy Configuration Example Controlling RIP Packet Cost to Implement Dynamic Route Backup Network requirements The required speed of convergence in the small network of a company is not high. The network provides two services. Main and backup links are provided for each service for the purpose of reliability. The main link of one service serves as the backup link of the other.
For the OA server, the main link is between Switch A and Switch C, while the backup link is between Switch B and Switch C. For the service server, the main link is between Switch B and Switch C, while the backup link is between Switch A and Switch C.
[SwitchC-route-policy] if-match interface Vlan-interface2
[SwitchC-route-policy] if-match ip-prefix 2
[SwitchC-route-policy] apply cost 6
[SwitchC-route-policy] quit
# Create node 30 with the matching mode being permit in the route policy. Define if-match clauses. Apply the cost 6 to routes matching the outgoing interface VLAN-interface 6 and prefix list 1.
[SwitchC] route-policy in permit node 30
[SwitchC-route-policy] if-match interface Vlan-interface6
[SwitchC-route-policy] if-match ip-prefix 1...
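How a route policy like the one above is evaluated, as an added worked example (editor's code, not the switch's implementation). Semantics modelled: nodes are tried in ascending node number; a route matches a node only if every if-match clause of that node matches; a matching permit node runs its apply clauses and passes the route, a matching deny node rejects it, and a route that matches no node is rejected. An ip-prefix list is evaluated first-match with an implicit deny at the end. The contents of prefix lists 1 and 2, the node number 20 for the first node, the catch-all node 40 and the sample routes are constructed for the example.

```python
"""Route-policy evaluation with if-match and apply clauses (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PrefixEntry:
    action: str                # "permit" or "deny"
    prefix: str                # e.g. "1.0.0.0/8"
    ge: Optional[int] = None   # greater-equal mask length, optional
    le: Optional[int] = None   # less-equal mask length, optional


@dataclass(frozen=True)
class Node:
    number: int
    mode: str                              # "permit" or "deny"
    match_interface: Optional[str] = None
    match_ip_prefix: Optional[str] = None  # name of a prefix list
    apply_cost: Optional[int] = None


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str   # outgoing interface of the route
    cost: int


def prefix_list_permits(entries, route_prefix):
    """First matching entry decides; no match means deny."""
    net = ipaddress.ip_network(route_prefix)
    for e in entries:
        base = ipaddress.ip_network(e.prefix)
        lo = e.ge if e.ge is not None else base.prefixlen
        if e.le is not None:
            hi = e.le
        else:
            hi = base.prefixlen if e.ge is None else net.max_prefixlen
        if net.network_address in base and lo <= net.prefixlen <= hi:
            return e.action == "permit"
    return False


def apply_route_policy(nodes, prefix_lists, route):
    """Return the (possibly modified) route if permitted, else None."""
    for node in sorted(nodes, key=lambda n: n.number):
        if node.match_interface is not None and node.match_interface != route.interface:
            continue
        if node.match_ip_prefix is not None and not prefix_list_permits(
                prefix_lists[node.match_ip_prefix], route.prefix):
            continue
        if node.mode == "deny":
            return None
        if node.apply_cost is not None:
            route = Route(route.prefix, route.interface, node.apply_cost)
        return route
    return None   # matched no node: rejected


# Constructed data. Prefix lists 1 and 2 are assumed to permit exactly 1.0.0.0/8
# and 3.0.0.0/8; node 40 is an assumed catch-all that passes other routes unchanged.
PREFIX_LISTS = {
    "1": [PrefixEntry("permit", "1.0.0.0/8")],
    "2": [PrefixEntry("permit", "3.0.0.0/8")],
}
POLICY_IN = [
    Node(20, "permit", match_interface="Vlan-interface2", match_ip_prefix="2", apply_cost=6),
    Node(30, "permit", match_interface="Vlan-interface6", match_ip_prefix="1", apply_cost=6),
    Node(40, "permit"),
]

if __name__ == "__main__":
    for r in (Route("1.0.0.0/8", "Vlan-interface6", 1),
              Route("1.0.0.0/8", "Vlan-interface2", 1),
              Route("3.0.0.0/8", "Vlan-interface2", 1)):
        print(r, "->", apply_route_policy(POLICY_IN, PREFIX_LISTS, r))
```

Without the catch-all node, any route that matches neither node 20 nor node 30 is dropped; this implicit deny is the usual cause of "missing" routes after a policy is applied.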
Display the data forwarding paths when the main link of the OA server between Switch A and Switch C is down.
<SwitchC> display ip routing-table
Routing Table: public net
Destination/Mask | Protocol | Cost | Nexthop | Interface
1.0.0.0/8 | | | 6.6.6.5 | Vlan-interface2
3.0.0.0/8 | | | 6.6.6.5 | Vlan-interface6
6.0.0.0/8 | DIRECT | | 6.6.6.6 | Vlan-interface6
...
Table of Contents
1 Multicast Overview
  Multicast Overview
    Information Transmission in the Unicast Mode
    Information Transmission in the Broadcast Mode
    Information Transmission in the Multicast Mode
    Roles in Multicast
    Common Notations in Multicast
    Advantages and Applications of Multicast
  Multicast Models
  Multicast Architecture
    Multicast Address
...
Multicast Overview In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol. Multicast Overview With the development of the Internet, more and more interaction services such as data, voice, and video services are running on the network.
Assume that Hosts B, D and E need this information. The source server establishes transmission channels for the devices of these users respectively. As the transmitted traffic over the network is in direct proportion to the number of users that receive this information, when a large number of users need the same information, the server must send many packets of information with the same content to the users.
Information Transmission in the Multicast Mode
As described in the previous sections, unicast suits networks with sparsely distributed users, whereas broadcast suits networks with densely distributed users. When the number and location of the users requiring the information are not known in advance, neither unicast nor broadcast is efficient. Multicast solves this problem.
All receivers interested in the same information form a multicast group. Multicast groups are not subject to geographic restrictions. A router that supports Layer 3 multicast is called a multicast router or Layer 3 multicast device. Besides providing multicast routing, a multicast router also manages multicast group members.
Distributed applications: multicast makes multipoint applications possible.
Applications of multicast
Multicast technology effectively addresses point-to-multipoint data transmission. By enabling high-efficiency point-to-multipoint transmission over an IP network, multicast greatly saves network bandwidth and reduces network load. Multicast supports the following applications: multimedia and streaming media applications, such as Web TV, Web radio, and real-time video/audio conferencing.
Multicast Architecture
The purpose of IP multicast is to transmit information from a multicast source to receivers in the multicast mode and to satisfy the information requirements of the receivers. You should be concerned about: Host registration: which receivers reside on the network? Discovery of a multicast source: which multicast source should the receivers receive information from? Multicast addressing mechanism: where should the multicast source send the information?
The membership of a group is dynamic. A host can join and leave a multicast group at any time. A multicast group can be either permanent or temporary. A multicast group whose addresses are assigned by IANA is a permanent multicast group. It is also called reserved multicast group.
Class D address range | Description
224.0.0.13 | All Protocol Independent Multicast (PIM) routers
224.0.0.14 | Resource Reservation Protocol (RSVP) encapsulation
224.0.0.15 | All core-based tree (CBT) routers
224.0.0.16 | The specified subnetwork bandwidth management (SBM)
224.0.0.17 | All SBMs
224.0.0.18 | Virtual Router Redundancy Protocol (VRRP)
224.0.0.19 to 224.0.0.255 | Other protocols
Just as it has reserved the private network segment 10.0.0.0/8 for unicast, IANA has also reserved the...
Multicast Protocols Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols, which include IGMP, PIM, and MSDP; we refer to IP multicast working at the data link layer as Layer 2 multicast and the corresponding multicast protocols as Layer 2 multicast protocols, which include IGMP Snooping.
Among a variety of mature intra-domain multicast routing protocols, Protocol Independent Multicast (PIM) is a popular one. Based on the forwarding mechanism, PIM comes in two modes – dense mode (often referred to as PIM-DM) and sparse mode (often referred to as PIM-SM). An inter-domain multicast routing protocol is used for delivery of multicast information between two ASs.
In the network, multicast packet transmission is guided by the multicast forwarding table, which is derived from the unicast routing table or from a multicast routing table specially provided for multicast. Because the same multicast stream may arrive from different peers on different interfaces of the same device, every multicast packet is subject to a Reverse Path Forwarding (RPF) check on its incoming interface.
considers the path along which the packet from the RPF neighbor arrived on the RPF interface to be the shortest path that leads back to the source. Assume that unicast routes exist in the network, as shown in Figure 1-7. Multicast packets travel along the SPT from the multicast source to the receivers.
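The RPF check described above, as an added worked example (editor's code, not the switch's implementation): the packet's source address is looked up in the unicast routing table by longest prefix match, the outgoing interface of that route is the RPF interface, and the packet is accepted only if it arrived on that interface; a copy of the same stream arriving on any other interface is discarded, which is what suppresses duplicates and forwarding loops. The unicast routes, interface names and (S,G) outgoing interface list are constructed.

```python
"""Reverse Path Forwarding check for a multicast packet (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class UnicastRoute:
    prefix: str
    nexthop: str
    interface: str


def rpf_route(unicast_table, source):
    """Longest-prefix-match unicast route towards the multicast source, or None."""
    src = ipaddress.ip_address(source)
    matches = [r for r in unicast_table if src in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


def rpf_check(unicast_table, source, incoming_interface):
    """True when the packet arrived on the RPF interface for its source."""
    route = rpf_route(unicast_table, source)
    return route is not None and route.interface == incoming_interface


def forward_multicast(unicast_table, outgoing_interfaces, source, group, incoming_interface):
    """Return the interfaces the packet is forwarded to (empty list = discarded).

    outgoing_interfaces maps (source, group) to the interfaces with receivers.
    """
    if not rpf_check(unicast_table, source, incoming_interface):
        return []   # RPF failure: drop the packet
    oil = outgoing_interfaces.get((source, group), [])
    # Never send the packet back out of the interface it arrived on.
    return [i for i in oil if i != incoming_interface]


# Constructed data: the /24 is more specific than the /16 for source 10.1.5.9,
# so Vlan-interface3 is the RPF interface even though Vlan-interface1 also leads
# towards 10.1.0.0/16.
UNICAST_TABLE = [
    UnicastRoute("10.1.0.0/16", "192.168.1.2", "Vlan-interface1"),
    UnicastRoute("10.1.5.0/24", "192.168.3.2", "Vlan-interface3"),
    UnicastRoute("172.16.0.0/16", "192.168.2.2", "Vlan-interface2"),
]
OUTGOING = {("10.1.5.9", "225.1.1.1"): ["Vlan-interface2", "Vlan-interface4"]}

if __name__ == "__main__":
    for iface in ("Vlan-interface3", "Vlan-interface1"):
        print(iface, "->", forward_multicast(UNICAST_TABLE, OUTGOING, "10.1.5.9", "225.1.1.1", iface))
```

A source with no unicast route at all fails the check as well, which is why multicast forwarding on a switch with an incomplete unicast routing table silently drops traffic.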
Common Multicast Configuration In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol. Common Multicast Configuration Table 2-1 Complete the following tasks to perform common multicast configurations: Task Remarks Configuring Suppression on the Multicast...
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Configure multicast source port suppression | multicast-source-deny | Optional. Multicast source port suppression is disabled by default.
Configuring a Multicast MAC Address Entry
In Layer 2 multicast, the system can add multicast forwarding entries dynamically through a Layer 2 multicast protocol.
If the multicast MAC address entry to be created already exists, the system gives you a prompt. If you want to add a port to a multicast MAC address entry created through the mac-address multicast command, you need to remove the entry first, create this entry again, and then add the specified port to the forwarding ports of this entry.
IGMP Snooping Configuration When configuring IGMP snooping, go to these sections for information you are interested in: IGMP Snooping Overview Configuring IGMP Snooping Displaying and Maintaining IGMP Snooping IGMP Snooping Configuration Examples Troubleshooting IGMP Snooping In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
Figure 3-1 Before and after IGMP Snooping is enabled on a Layer 2 device (left panel: multicast packet transmission without IGMP Snooping; right panel: multicast packet transmission when IGMP Snooping runs; each panel shows the multicast router, the source, a Layer 2 switch and the attached hosts, including Host A and Host C)...
member ports. The switch records all member ports on the local device in the IGMP Snooping forwarding table.
Port aging timers in IGMP Snooping and related messages and actions
Table 3-1 Port aging timers in IGMP Snooping and related messages and actions
Timer | Description | Message before...
A switch will not forward an IGMP report through a non-router port for the following reason: Due to the IGMP report suppression mechanism, if member hosts of that multicast group still exist under non-router ports, the hosts will stop sending reports when they receive the message, and this prevents the switch from knowing if members of that multicast group are still attached to these ports.
Configuring IGMP Snooping
Complete the following tasks to configure IGMP Snooping:
Task | Remarks
Enabling IGMP Snooping | Required
Configuring the Version of IGMP Snooping | Optional
Configuring Timers | Optional
Configuring Fast Leave Processing | Optional
Configuring a Multicast Group Filter | Optional
Configuring the Maximum Number of Multicast Groups on a Port | Optional
Configuring IGMP Snooping Querier...
Although both Layer 2 and Layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously on a VLAN or its corresponding VLAN interface. Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view;...
Configuring Timers
This section describes how to configure the aging timer of the router port, the aging timer of the multicast member ports, and the query response timer.
Follow these steps to configure timers:
To do... | Use the command... | Remarks
Enter system view | system-view | —...
To do... | Use the command... | Remarks
Enter Ethernet port view | interface interface-type interface-number | —
Enable fast leave processing for specific VLANs | igmp-snooping fast-leave [ vlan vlan-list ] | Required. By default, the fast leave processing feature is disabled.
The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3.
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Configure a multicast group filter | igmp-snooping group-policy acl-number [ vlan vlan-list ] | Optional. No group filter is configured by default, that is, hosts can join any multicast group.
To prevent bursting traffic in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process. When the number of multicast groups exceeds the configured limit, the switch removes its multicast forwarding entries starting from the oldest one.
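The IGMP Snooping forwarding-table behaviour described in the preceding sections (member-port learning and aging, fast leave, the group filter, and eviction of the oldest entry when the maximum number of groups is exceeded), as an added worked example. This is the editor's model, not the switch's implementation; the default member aging time, the shortened timer used after a leave when fast leave is off, the port names, the group addresses and the group-policy callable standing in for an ACL are assumed or constructed.

```python
"""A minimal IGMP Snooping forwarding table (added example, not the switch's code)."""
import ipaddress
from collections import OrderedDict


class IgmpSnoopingTable:
    def __init__(self, member_age=260, leave_age=2, group_filter=None,
                 max_groups=None, fast_leave=False):
        self.member_age = member_age      # seconds a member port lives without a report (assumed)
        self.leave_age = leave_age        # shortened timer after a leave without fast leave (assumed)
        self.group_filter = group_filter  # callable(group) -> bool, stands in for the ACL; None = permit all
        self.max_groups = max_groups      # maximum number of groups; None = unlimited
        self.fast_leave = fast_leave
        self.router_ports = set()
        self.groups = OrderedDict()       # group -> {port: expiry time}

    def add_router_port(self, port):
        self.router_ports.add(port)

    def report(self, group, port, now):
        """Process an IGMP membership report seen on port. Returns True if learned."""
        if self.group_filter is not None and not self.group_filter(group):
            return False                  # denied by the group-policy filter
        if group not in self.groups:
            if self.max_groups is not None and len(self.groups) >= self.max_groups:
                self.groups.popitem(last=False)   # evict the oldest group entry
            self.groups[group] = {}
        self.groups[group][port] = now + self.member_age
        return True

    def leave(self, group, port, now):
        """Process an IGMP leave. Fast leave removes the port at once; otherwise the
        port stays until the shortened timer expires unless a new report refreshes it."""
        members = self.groups.get(group)
        if members is None or port not in members:
            return
        if self.fast_leave:
            del members[port]
        else:
            members[port] = min(members[port], now + self.leave_age)
        if not members:
            del self.groups[group]

    def expire(self, now):
        """Age out member ports whose timers have run out; drop empty groups."""
        for group in list(self.groups):
            members = self.groups[group]
            for port, expiry in list(members.items()):
                if expiry <= now:
                    del members[port]
            if not members:
                del self.groups[group]

    def forwarding_ports(self, group, now):
        """Ports that receive traffic for group: live member ports plus router ports."""
        self.expire(now)
        return sorted(set(self.groups.get(group, {})) | self.router_ports)


def admin_scoped_only(group):
    """Constructed group-policy: hosts may only join 239.0.0.0/8 (administratively scoped) groups."""
    return ipaddress.ip_address(group) in ipaddress.ip_network("239.0.0.0/8")


if __name__ == "__main__":
    table = IgmpSnoopingTable(group_filter=admin_scoped_only, max_groups=2)
    table.add_router_port("Ethernet1/0/1")
    print(table.report("239.1.1.1", "Ethernet1/0/2", now=0))    # True
    print(table.report("224.1.1.1", "Ethernet1/0/3", now=0))    # False: filtered
    print(table.forwarding_ports("239.1.1.1", now=10))
    print(table.forwarding_ports("239.1.1.1", now=300))         # member aged out
```

The group filter is the hook a practitioner cares about: without it any host can pull arbitrary groups onto its port, and with a tight maximum-groups setting a flood of joins for bogus groups evicts the entries of legitimate receivers.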
To do... | Use the command... | Remarks
Enable IGMP Snooping querier | igmp-snooping querier | Required. By default, IGMP Snooping querier is disabled.
Configuring IGMP query interval
Follow these steps to configure IGMP query interval:
To do... | Use the command... | Remarks
Enter system view | system-view | —...
You can configure up to 200 static member ports on a Switch 4500 series switch. If a port has been configured as an XRN fabric port or a reflect port, it cannot be configured as a static member port.
Configuring a Static Router Port In a network where the topology is unlikely to change, you can configure a port on the switch as a static router port, so that the switch has a static connection to a multicast router and receives IGMP messages from that router.
Therefore, to ensure that the IGMP entries do not age out, the port must receive IGMP general queries periodically.
Follow these steps to configure a port as a simulated group member:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type...
Configuring Multicast VLAN In traditional multicast implementations, when users in different VLANs listen to the same multicast group, the multicast data is copied on the multicast router for each VLAN that contains receivers. This is a big waste of network bandwidth. In an IGMP Snooping environment, by configuring a multicast VLAN and adding ports to the multicast VLAN, you can allow users in different VLANs to share the same multicast VLAN.
To do... | Use the command... | Remarks
Enter Ethernet port view for the Layer 3 switch | interface interface-type interface-number | —
Define the port as a trunk or hybrid port | port link-type { trunk | hybrid } | Required
Specify the VLANs to be... | port hybrid vlan vlan-list { tagged | untagged } | Required. The multicast VLAN must be...
IGMP Snooping Configuration Examples Configuring IGMP Snooping Network requirements To prevent multicast traffic from being flooded at Layer 2, enable IGMP snooping on Layer 2 switches. As shown in Figure 3-3, Router A connects to a multicast source (Source) through Ethernet 1/0/2, and to Switch A through Ethernet 1/0/1.
Configure Switch A
# Enable IGMP Snooping globally.
<SwitchA> system-view
[SwitchA] igmp-snooping enable
Enable IGMP-Snooping ok.
# Create VLAN 100, assign Ethernet 1/0/1 through Ethernet 1/0/4 to this VLAN, and enable IGMP Snooping in the VLAN.
[SwitchA] vlan 100
[SwitchA-vlan100] port Ethernet 1/0/1 to Ethernet 1/0/4
[SwitchA-vlan100] igmp-snooping enable
[SwitchA-vlan100] quit
Verify the configuration...
Table 3-2 Network devices and their configurations
Device | Device description | Networking description
Switch A | Layer 3 switch | The interface IP address of VLAN 20 is 168.10.1.1. Ethernet 1/0/1 is connected to the workstation and belongs to VLAN 20. The interface IP address of VLAN 10 is 168.10.2.1.
Network diagram
Figure 3-4 Network diagram for multicast VLAN configuration (labels in the figure: Switch A with Vlan-int20 168.10.1.1 and Vlan-int10 168.10.2.1, its Eth1/0/1 to the workstation and its Eth1/0/10 to Eth1/0/10 of Switch B in VLAN 10; Host A and Host B attached to Switch B)
Configuration procedure
The following configuration is based on the prerequisite that the devices are properly connected and all the required IP addresses are already configured.
# Create VLAN 2, VLAN 3 and VLAN 10, configure VLAN 10 as the multicast VLAN, and then enable IGMP Snooping on it.
[SwitchB] vlan 2 to 3
Please wait... Done.
[SwitchB] vlan 10
[SwitchB-vlan10] service-type multicast
[SwitchB-vlan10] igmp-snooping enable
[SwitchB-vlan10] quit
# Define Ethernet 1/0/10 as a hybrid port, add the port to VLAN 2, VLAN 3, and VLAN 10, and configure the port to forward tagged packets for VLAN 2, VLAN 3, and VLAN 10.
If the multicast group set up by IGMP Snooping is not correct, contact your technical support personnel.
    The Mechanism of an 802.1x Authentication System
    Encapsulation of EAPoL Messages
    802.1x Authentication Procedure
    Timers Used in 802.1x
    Additional 802.1x Features on Switch 4500
  Introduction to 802.1x Configuration
  Basic 802.1x Configuration
    Configuration Prerequisites
    Configuring Basic 802.1x Functions
...
    Layer 3 Error Control
  Configuring System Guard
    Configuring System Guard Against IP Attacks
    Configuring System Guard Against TCN Attacks
    Enabling Layer 3 Error Control
  Displaying and Maintaining System Guard Configuration
...
802.1x Configuration
When configuring 802.1x, go to these sections for information you are interested in: Introduction to 802.1x; Introduction to 802.1x Configuration; Basic 802.1x Configuration; Advanced 802.1x Configuration; Displaying and Maintaining 802.1x Configuration; Configuration Example
Introduction to 802.1x
The 802.1x protocol (802.1x for short) was developed by the IEEE 802 LAN/WAN committee to address security issues of wireless LANs.
Figure 1-1 Architecture of 802.1x authentication The supplicant system is the entity seeking access to the LAN. It resides at one end of a LAN segment and is authenticated by the authenticator system at the other end of the LAN segment. The supplicant system is usually a user terminal device.
The controlled port can be used to pass service packets when it is in authorized state. It is blocked when not in authorized state. In this case, no packets can pass through it. Controlled port and uncontrolled port are two properties of a port. Packets reaching a port are visible to both the controlled port and uncontrolled port of the port.
Figure 1-3 The format of an EAPoL packet In an EAPoL packet: The PAE Ethernet type field holds the protocol identifier. The identifier for 802.1x is 0x888E. The Protocol version field holds the version of the protocol supported by the sender of the EAPoL packet.
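The EAPoL encapsulation described above, as an added worked example (editor's code, not from the manual): a builder and a parser for the Ethernet header carrying the PAE Ethernet type 0x888E, the EAPoL header (protocol version, packet type, body length) and, for EAP-Packet frames, the EAP header (code, identifier, length, type). The parser refuses frames whose Ethernet type is wrong, whose EAPoL body length exceeds the frame, or whose EAP length field disagrees with the body, which is the validation an authenticator must do before acting on the fields. The PAE group address and packet type and EAP code values are from the 802.1x and EAP standards; the supplicant MAC address and identity are constructed.

```python
"""Building and parsing EAPoL frames (added example, not the switch's code)."""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 802.1x PAE group MAC address

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """EAP packet: Code, Identifier, Length, then Type and Type-Data for Request/Response."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_eapol(src_mac, packet_type, body=b"", version=1, dst_mac=PAE_GROUP_ADDRESS):
    """Ethernet header + EAPoL header (version, type, body length) + body."""
    return (dst_mac + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", version, packet_type, len(body)) + body)


def parse_eap(body):
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP length field inconsistent with body")
    eap = {"code": EAP_CODES.get(code, code), "id": identifier, "length": length}
    if code in (1, 2):                       # Request/Response carry a Type byte
        if length < 5:
            raise ValueError("EAP Request/Response without Type")
        eap["type"] = body[4]
        eap["type_data"] = body[5:length]
    return eap


def parse_eapol(frame):
    if len(frame) < 18:
        raise ValueError("frame too short for an EAPoL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPoL: Ethernet type 0x{ethertype:04x}")
    version, packet_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        raise ValueError("EAPoL body length exceeds frame")
    result = {"dst": dst.hex(":"), "src": src.hex(":"), "version": version,
              "type": EAPOL_TYPES.get(packet_type, packet_type), "length": length}
    if packet_type == 0:
        result["eap"] = parse_eap(body)
    return result


SUPPLICANT_MAC = bytes.fromhex("00163e112233")   # constructed

if __name__ == "__main__":
    start = build_eapol(SUPPLICANT_MAC, 1)
    identity = build_eapol(SUPPLICANT_MAC, 0,
                           build_eap(2, 7, EAP_TYPE_IDENTITY, b"localuser"))
    print(parse_eapol(start))
    print(parse_eapol(identity))
```

Only the bytes covered by the EAPoL length field are handed to the EAP parser, so padding appended to a short frame to reach the Ethernet minimum size is never interpreted as EAP data.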
EAP-message field must also carry the Message-authenticator field. Otherwise, the packet is regarded as invalid and is discarded.
Figure 1-7 The format of a Message-authenticator field
802.1x Authentication Procedure
Switch 4500 can authenticate supplicant systems in EAP terminating mode or EAP relay mode.
EAP relay mode This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher level protocol (such as EAPoR) packets to enable them to successfully reach the authentication server. Normally, this mode requires that the RADIUS server support the two newly-added fields: the EAP-message field (with a value of 79) and the Message-authenticator field (with a value of 80).
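The Message-authenticator requirement in EAP relay mode, as an added worked example (editor's code, not the switch's or any RADIUS server's). An Access-Request carrying EAP-Message attributes (type 79) must also carry a Message-Authenticator attribute (type 80), which is an HMAC-MD5 over the entire RADIUS packet keyed with the shared secret and computed with the 16-byte attribute value set to zero; a packet with EAP-Message but no Message-Authenticator, or with one that does not verify, is discarded. The shared secret, identifier, Request Authenticator and attribute contents below are constructed.

```python
"""RADIUS Message-Authenticator (attribute 80) for EAP over RADIUS (added example)."""
import hashlib
import hmac
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
RADIUS_HEADER_LEN = 20   # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attribute(attr_type, value):
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(packet):
    """Return (type, value offset, value) for every attribute, validating the lengths."""
    attrs, offset = [], RADIUS_HEADER_LEN
    while offset < len(packet):
        if offset + 2 > len(packet):
            raise ValueError("attribute header truncated")
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            raise ValueError("attribute length inconsistent with packet")
        attrs.append((attr_type, offset + 2, packet[offset + 2:offset + attr_len]))
        offset += attr_len
    return attrs


def message_authenticator(secret, packet, value_offset):
    """HMAC-MD5 over the whole packet with the 16-byte attribute value zeroed."""
    zeroed = bytearray(packet)
    zeroed[value_offset:value_offset + 16] = bytes(16)
    return hmac.new(secret, bytes(zeroed), hashlib.md5).digest()


def build_access_request(secret, identifier, request_authenticator, attributes):
    """attributes: list of (type, value). Message-Authenticator is appended and filled in."""
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    body += encode_attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = RADIUS_HEADER_LEN + len(body)
    packet = bytearray(struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, length)
                       + request_authenticator + body)
    value_offset = len(packet) - 16          # the attribute we just appended last
    packet[value_offset:] = message_authenticator(secret, packet, value_offset)
    return bytes(packet)


def check_access_request(secret, packet):
    """Return "ok", or the reason the packet must be discarded."""
    if len(packet) < RADIUS_HEADER_LEN:
        return "too short"
    (length,) = struct.unpack("!H", packet[2:4])
    if length != len(packet):
        return "length field mismatch"
    try:
        attrs = parse_attributes(packet)
    except ValueError as exc:
        return str(exc)
    has_eap = any(t == ATTR_EAP_MESSAGE for t, _, _ in attrs)
    mas = [(off, v) for t, off, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas:
        return "missing Message-Authenticator" if has_eap else "ok"
    if len(mas) != 1 or len(mas[0][1]) != 16:
        return "malformed Message-Authenticator"
    offset, value = mas[0]
    if not hmac.compare_digest(value, message_authenticator(secret, packet, offset)):
        return "bad Message-Authenticator"
    return "ok"


# Constructed values
SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))            # would be random in a real request
EAP_RESPONSE_IDENTITY = bytes([2, 7, 0, 14, 1]) + b"localuser"   # EAP Response/Identity

if __name__ == "__main__":
    pkt = build_access_request(SECRET, 7, REQUEST_AUTHENTICATOR,
                               [(ATTR_USER_NAME, b"localuser"),
                                (ATTR_EAP_MESSAGE, EAP_RESPONSE_IDENTITY)])
    print(check_access_request(SECRET, pkt))
    print(check_access_request(b"wrong-secret", pkt))
```

The Message-Authenticator is what binds the EAP payload to the shared secret; the Request Authenticator alone is a random value that protects nothing in an Access-Request, which is why the relay mode requires the server to support attribute 80.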
responds (through a RADIUS Access-Accept packet and an EAP-Success packet) to the switch to indicate that the supplicant system is authenticated. The switch changes the state of the corresponding port to authorized, allowing the supplicant system to access the network. The supplicant system can also end the authenticated state by sending EAPoL-Logoff packets to the switch.
Additional 802.1x Features on Switch 4500 In addition to the earlier mentioned 802.1x features, Switch 4500 is also capable of the following: Checking supplicant systems for proxies, multiple network adapters, etc. (This function needs the cooperation of a CAMS server.)
Only disconnects the supplicant system but sends no Trap packets. Sends Trap packets without disconnecting the supplicant system. This function needs the cooperation of 802.1x client and a CAMS server. The 802.1x client needs to be capable of detecting multiple network adapters, proxies, and IE proxies.
After the maximum number retries have been made and there are still ports that have not sent any response back, the switch will then add these ports to the guest VLAN. Users belonging to the guest VLAN can access the resources of the guest VLAN without being authenticated.
The RADIUS server has the switch perform 802.1x re-authentication of users. The RADIUS server sends the switch an Access-Accept packet with the Termination-Action attribute field of 1. Upon receiving the packet, the switch re-authenticates the user periodically. You enable 802.1x re-authentication on the switch. With 802.1x re-authentication enabled, the switch re-authenticates users periodically.
Basic 802.1x Configuration Configuration Prerequisites Configure ISP domain and the AAA scheme to be adopted. You can specify a RADIUS scheme or a local scheme. Ensure that the service type is configured as lan-access (by using the service-type command) if local authentication scheme is adopted.
To do... | Use the command... | Remarks
Enable online user handshaking | dot1x handshake enable | Optional. By default, online user handshaking is enabled.
802.1x configurations take effect only after you enable 802.1x both globally and on the specified ports. The settings of 802.1x and the MAC address learning limit are mutually exclusive: enabling 802.1x on a port prevents you from setting the MAC address learning limit on that port, and vice versa.
To do... | Use the command... | Remarks
Enable the proxy checking function globally | dot1x supp-proxy-check { logoff | trap } | Required. By default, the 802.1x proxy checking function is globally disabled.
Enable proxy... | In system view: dot1x supp-proxy-check { logoff | trap } [ interface interface-list ] | ...
As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also execute this command in port view. In this case, this command applies to the current port only and the interface-list argument is not needed.
The guest VLAN function is available only when the switch operates in the port-based access control mode. Only one guest VLAN can be configured for each switch. The guest VLAN function cannot be implemented if you configure the dot1x dhcp-launch command on the switch to enable DHCP-triggered authentication.
During re-authentication, the switch always uses the latest re-authentication interval configured, no matter which of the above-mentioned two ways is used to determine the re-authentication interval. For example, if you configure a re-authentication interval on the switch and the switch receives an Access-Accept packet whose Termination-Action attribute field is 1, the switch will ultimately use the value of the Session-timeout attribute field as the re-authentication interval.
a real-time accounting packet to the RADIUS servers once in every 15 minutes. A user name is sent to the RADIUS servers with the domain name truncated. The user name and password for local 802.1x authentication are “localuser” and “localpass” (in plain text) respectively.
[Sysname-radius-radius1] secondary authentication 10.11.1.2
[Sysname-radius-radius1] secondary accounting 10.11.1.1
# Set the password for the switch and the authentication RADIUS servers to exchange messages.
[Sysname-radius-radius1] key authentication name
# Set the password for the switch and the accounting RADIUS servers to exchange messages.
[Sysname-radius-radius1] key accounting money
The keys name and money are placeholders for this example. In a deployment, use long, random shared secrets: the shared secret is the only key protecting the RADIUS exchange, including the Message-authenticator values, from forgery.
# Set the interval and the number of the retries for the switch to send packets to the RADIUS servers.
In real applications, however, deploying EAD clients proves to be time consuming and inconvenient. To address the issue, the Switch 4500 provides the forcible deployment of EAD clients with 802.1x authentication, easing the work of EAD client deployment.
Configuring Quick EAD Deployment Configuration Prerequisites Enable 802.1x on the switch. Set the port authorization mode to auto for 802.1x-enabled ports using the dot1x port-control command. Configuration Procedure Configuring a free IP range A free IP range is an IP range that users can access before passing 802.1x authentication. Follow these steps to configure a free IP range: To do...
large number of users log in but cannot pass authentication, the switch may run out of ACL resources, preventing other users from logging in. A timer called ACL timer is designed to solve this problem. You can control the usage of ACL resources by setting the ACL timer. The ACL timer starts once a user gets online.
Configuration procedure
Before enabling quick EAD deployment, make sure that: the Web server is configured properly; the default gateway of the PC is configured as the IP address of the Layer 3 virtual interface of the VLAN to which the port directly connected to the PC belongs.
# Configure the URL for HTTP redirection.
HABP Configuration
When configuring HABP, go to these sections for information you are interested in:
Introduction to HABP
HABP Server Configuration
HABP Client Configuration
Displaying and Maintaining HABP Configuration

Introduction to HABP
When a switch is configured with the 802.1x function, 802.1x will authenticate and authorize 802.1x-enabled ports and allow only the authorized ports to forward packets.
To do: Configure the current switch to be an HABP server
Command: habp server vlan vlan-id
Remarks: Required. By default, a switch operates as an HABP client after you enable HABP on the switch. If you want to use the switch as a management switch, you need to configure the switch to be an HABP server.
System Guard Configuration
When configuring System Guard, go to these sections for information you are interested in:
System Guard Overview
Configuring System Guard
Displaying and Maintaining System Guard Configuration

System Guard Overview
Guard Against IP Attacks
System guard inspects the IP packets sent to the CPU over 10-second intervals, looking for suspicious source IP addresses.
To do: Set the maximum number of infected hosts that can be concurrently monitored
Command: system-guard ip detect-maxnum number
Remarks: Optional. 30 by default.
To do: Set the maximum number of addresses that the system can learn, the maximum number of times an address can be hit...
Command: system-guard ip ...
Remarks: Optional
Enabling Layer 3 Error Control
Follow these steps to enable Layer 3 error control:
To do: Enter system view
Command: system-view
Remarks: —
To do: Enable Layer 3 error control
Command: system-guard l3err enable
Remarks: Required. Enabled by default.

Displaying and Maintaining System Guard Configuration
To do...
Table of Contents
1 AAA Overview (1-1)
  Introduction to AAA (1-1)
    Authentication (1-1)
    Authorization (1-1)
    Accounting (1-1)
    Introduction to ISP Domain (1-2)
  Introduction to AAA Services (1-2)
    Introduction to RADIUS (1-2)
2 AAA Configuration (2-1)
  AAA Configuration Task List (2-1)
    Creating an ISP Domain and Configuring Its Attributes (2-2)
    Configuring an AAA Scheme for an ISP Domain (2-3)
    Configuring Dynamic VLAN Assignment (2-5)
    Configuring the Attributes of a Local User (2-6)
...
Remote authentication: Users are authenticated remotely through the RADIUS protocol. This device (for example, a 3Com switch) acts as the client to communicate with the RADIUS or TACACS server. Remote authentication allows convenient centralized management and is feature-rich.
Introduction to ISP Domain
An Internet service provider (ISP) domain is a group of users who belong to the same ISP. For a username in the format of userid@isp-name or userid.isp-name, the isp-name following the "@" character is the ISP domain name. The access device uses userid as the username for authentication, and isp-name as the domain name.
Figure 1-1 Databases in a RADIUS server
In addition, a RADIUS server can act as a client of some other AAA server to provide authentication or accounting proxy service.

Basic message exchange procedure in RADIUS
The messages exchanged between a RADIUS client (a switch, for example) and a RADIUS server are verified through a shared key.
The RADIUS client accepts or denies the user depending on the received authentication result. If it accepts the user, the RADIUS client sends a start-accounting request (Accounting-Request, with the Status-Type attribute value = start) to the RADIUS server. The RADIUS server returns a start-accounting response (Accounting-Response). The user starts to access network resources.
Message type: Accounting-Request
Message description: Direction: client->server. The client transmits this message to the server to request the server to start or end the accounting (whether to start or to end the accounting is determined by the Acct-Status-Type attribute in the message). This message carries almost the same attributes as those carried in the Access-Request message.
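The shared-key verification described above, as an added example that is not part of the guide: a reply's authenticator is MD5 over the packet plus the shared key (RFC 2865), and an Accounting-Request's authenticator is the same digest with 16 zero bytes in the authenticator field (RFC 2866). The keys "name" and "money" come from the configuration example earlier in this chapter; the user name and attribute values are constructed.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865 / RFC 2866) and the attributes used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, REPLY_MESSAGE, ACCT_STATUS_TYPE = 1, 18, 40
ACCT_START = 1   # Acct-Status-Type value "start" (the start-accounting request)
HEADER_LEN = 20  # code (1) + identifier (1) + length (2) + authenticator (16)


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length (counting these 2 bytes), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_packet(code, identifier, authenticator, attributes):
    """Assemble a RADIUS packet: 20-byte header followed by the raw attribute bytes."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return header + authenticator + attributes


def keyed_authenticator(code, identifier, request_auth, attributes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret).

    With the client's random Request Authenticator this is the Response
    Authenticator of a reply (RFC 2865); with 16 zero bytes it is the
    Request Authenticator of an Accounting-Request (RFC 2866)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def verify_response(response, request_auth, secret):
    """Client-side check of a reply: True only if its authenticator was computed
    with our shared key over exactly these bytes, i.e. the reply is unmodified
    and came from a server holding the key."""
    if len(response) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = keyed_authenticator(code, identifier, request_auth,
                                   response[HEADER_LEN:], secret)
    return hmac.compare_digest(response[4:HEADER_LEN], expected)


def verify_accounting_request(request, secret):
    """Server-side check of an Accounting-Request: the authenticator is keyed
    over the packet with the authenticator field treated as 16 zero bytes."""
    if len(request) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != ACCOUNTING_REQUEST or length != len(request):
        return False
    expected = keyed_authenticator(code, identifier, bytes(16),
                                   request[HEADER_LEN:], secret)
    return hmac.compare_digest(request[4:HEADER_LEN], expected)


def start_accounting_request(identifier, user, secret):
    """Accounting-Request with Acct-Status-Type = start for the given user."""
    attrs = attribute(USER_NAME, user) + attribute(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
    auth = keyed_authenticator(ACCOUNTING_REQUEST, identifier, bytes(16), attrs, secret)
    return build_packet(ACCOUNTING_REQUEST, identifier, auth, attrs)


def demo_exchange(auth_key=b"name", acct_key=b"money"):
    """Constructed exchange with the keys from the configuration example.
    Returns (accept_verifies, accept_verifies_with_wrong_key, accounting_verifies)."""
    request_auth = os.urandom(16)  # client's random Request Authenticator
    user = attribute(USER_NAME, b"localuser")
    access_request = build_packet(ACCESS_REQUEST, 7, request_auth, user)
    identifier = access_request[1]
    # Server side: the Access-Accept is keyed over the client's authenticator.
    reply_attrs = attribute(REPLY_MESSAGE, b"welcome")
    accept = build_packet(ACCESS_ACCEPT, identifier,
                          keyed_authenticator(ACCESS_ACCEPT, identifier, request_auth,
                                              reply_attrs, auth_key),
                          reply_attrs)
    accept_ok = verify_response(accept, request_auth, auth_key)
    wrong_key = verify_response(accept, request_auth, b"not-the-key")
    # Client side: the user is accepted, so send the start-accounting request
    # (the accounting servers use their own key).
    acct_req = start_accounting_request(8, b"localuser", acct_key)
    return accept_ok, wrong_key, verify_accounting_request(acct_req, acct_key)


if __name__ == "__main__":
    print(demo_exchange())  # (True, False, True)
```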
Attribute types (continued), first column: Framed-Routing, Filter-ID, Framed-MTU, Framed-Compression, Login-IP-Host, Login-Service, Login-TCP-Port, (unassigned), Reply-Message, Callback-Number, Callback-ID, (unassigned), Framed-Route.
Second column: NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, 40-59 (reserved for accounting), CHAP-Challenge, NAS-Port-Type, Port-Limit, Login-LAT-Port.
The RADIUS protocol has good scalability. Attribute 26 (Vendor-Specific) defined in this protocol allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS.
AAA Configuration
AAA Configuration Task List
You need to configure AAA to provide network access services for legitimate users while protecting network devices and preventing unauthorized access and repudiation. Complete the following tasks to configure AAA (configuring a combined AAA scheme for an ISP domain):
Task | Remarks...
Task | Remarks
Creating an ISP Domain and Configuring Its Attributes | Required
Configuring an AAA Scheme for an ISP Domain: configuring separate AAA schemes | Required. With separate AAA schemes, you can specify authentication, authorization and accounting schemes respectively.
You need to configure RADIUS or HWTACACS before performing RADIUS authentication.
Note that: On a Switch 4500, each access user belongs to an ISP domain. You can configure up to 16 ISP domains on the switch. When a user logs in, if no ISP domain name is carried in the username, the switch assumes that the user belongs to the default ISP domain.
To do: Configure an AAA scheme for the ISP domain
Command: scheme { local | none | radius-scheme radius-scheme-name [ local ] }
Remarks: Required. By default, an ISP domain uses the local AAA scheme.
You can execute the scheme radius-scheme radius-scheme-name command to adopt an already configured RADIUS scheme to implement all the three AAA functions.
To do: Configure an authentication scheme for the ISP domain
Command: authentication { radius-scheme radius-scheme-name [ local ] | local | none }
Remarks: Optional. By default, no separate authentication scheme is configured.
To do: Configure an authorization scheme for the ISP domain
Command: authorization { none }
Remarks: Optional. By default, no separate authorization scheme is...
Currently, the switch supports the following two types of assigned VLAN IDs: integer and string. Integer: If the RADIUS authentication server assigns integer type of VLAN IDs, you can set the VLAN assignment mode to integer on the switch (this is also the default mode on the switch). Then, upon receiving an integer ID assigned by the RADIUS authentication server, the switch adds the port to the VLAN whose VLAN ID is equal to the assigned integer ID.
The local users are users set on the switch, with each user uniquely identified by a username. To make a user who is requesting network service pass local authentication, you should add an entry in the local user database on the switch for the user.
Follow these steps to configure the attributes of a local user:
To do…...
RADIUS Configuration Task List
3Com’s Ethernet switches can function not only as RADIUS clients but also as local RADIUS servers. Complete the following tasks to configure RADIUS (the switch functions as a RADIUS client):...
Task | Remarks
Creating a RADIUS Scheme | Required
Configuring RADIUS Authentication/Authorization Servers | Required
Configuring RADIUS Accounting Servers | Required
Configuring Shared Keys for RADIUS Messages | Optional
Configuring the Maximum Number of RADIUS Request Transmission Attempts | Optional
Configuring the RADIUS client:
  Configuring the Type of RADIUS Servers to be Supported | Optional
  Configuring the Status of RADIUS Servers...
creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting. For each type of server, you can configure two servers in a RADIUS scheme: a primary server and a secondary server.
To do: Create a RADIUS scheme and enter its view
Command: radius scheme radius-scheme-name
Remarks: Required. By default, a RADIUS scheme named "system" has already been created in the system.
To do: Set the IP address and port number of the primary RADIUS authentication...
Remarks: Required. By default, the IP address and UDP port number of the primary authentication...
To do: Set the IP address and port number of the secondary RADIUS accounting server
Command: secondary accounting ip-address [ port-number ]
Remarks: Optional. By default, the IP address and UDP port number of the secondary accounting server are 0.0.0.0 and 1813 for a newly created RADIUS scheme.
To do: Enter system view
Command: system-view
Remarks: —
To do: Create a RADIUS scheme and enter its view
Command: radius scheme radius-scheme-name
Remarks: Required. By default, a RADIUS scheme named "system" has already been created in the system.
To do: Set a shared key for RADIUS authentication/authorization
Command: key authentication string...
Remarks: Required. By default, no shared key is...
To do: Create a RADIUS scheme and enter its view
Command: radius scheme radius-scheme-name
Remarks: Required. By default, a RADIUS scheme named "system" has already been created in the system.
To do: Configure the type of RADIUS servers to be supported
Command: server-type { extended | standard }
Remarks: Optional...
To do: Set the status of the secondary RADIUS authentication/authorization server
Command: state secondary authentication { block | active }
To do: Set the status of the secondary RADIUS accounting server
Command: state secondary accounting { block | active }

Configuring the Attributes of Data to be Sent to RADIUS Servers
Follow these steps to configure the attributes of data to be sent to RADIUS servers:
To do…...
Generally, the access users are named in the userid@isp-name format. Here, isp-name after the “@” character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old RADIUS servers cannot accept the usernames that carry ISP domain names.
adopt the local RADIUS server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this switch. The message encryption key set by the local-server nas-ip ip-address key password command must be identical with the authentication/authorization message encryption key set by the key authentication command in the RADIUS scheme view of the RADIUS scheme on the specified NAS that uses this switch as its authentication server.
To do: Set the response timeout time of RADIUS servers
Command: timer response-timeout seconds
Remarks: Optional. By default, the response timeout time of RADIUS servers is three seconds.
To do: Set the time that the switch waits before it tries to re-communicate with the primary...
Remarks: Optional. By default, the switch waits five minutes before it restores the...
online when the user re-logs into the network before the CAMS performs online user detection, and the user cannot get authenticated. In this case, the user can access the network again only when the CAMS administrator manually removes the user's online information. The user re-authentication at restart function is designed to resolve this problem.
Displaying and Maintaining AAA Configuration
To do: Display configuration information about one specific or all ISP domains
Command: display domain [ isp-name ]
To do: Display information about user...
Command: display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip...
Remarks: Available in...
The configuration procedure for remote authentication of SSH users by a RADIUS server is similar to that for Telnet users. The following text only takes Telnet users as an example to describe the configuration procedure for remote authentication.
Network requirements
In the network environment shown in Figure 2-1, you are required to configure the switch so that the Telnet users logging into the switch are authenticated by the RADIUS server.
[Sysname-isp-cams] quit
# Configure a RADIUS scheme.
[Sysname] radius scheme cams
[Sysname-radius-cams] accounting optional
[Sysname-radius-cams] primary authentication 10.110.91.164 1812
[Sysname-radius-cams] key authentication aabbcc
[Sysname-radius-cams] server-type Extended
[Sysname-radius-cams] user-name-format with-domain
[Sysname-radius-cams] quit
# Associate the ISP domain with the RADIUS scheme.
[Sysname] domain cams
[Sysname-isp-cams] scheme radius-scheme cams
A Telnet user logging into the switch by a name in the format of userid@cams belongs to the cams...
[Sysname-ui-vty0-4] quit
# Create and configure a local user named telnet.
[Sysname] local-user telnet
[Sysname-luser-telnet] service-type telnet
[Sysname-luser-telnet] password simple aabbcc
[Sysname-luser-telnet] quit
# Configure an authentication scheme for the default “system” domain.
[Sysname] domain system
[Sysname-isp-system] scheme local
A Telnet user logging into the switch with the name telnet@system belongs to the "system" domain and will be authenticated according to the configuration of the "system"...
None or incorrect RADIUS server IP address is set on the switch — Be sure to set a correct RADIUS server IP address. One or all AAA UDP port settings are incorrect — Be sure to set the same UDP port numbers as those on the RADIUS server.
Figure 3-1 Typical network application of EAD

EAD Configuration
The EAD configuration includes:
Configuring the attributes of access users (such as username, user type, and password). For local authentication, you need to configure these attributes on the switch; for remote authentication, you need to configure these attributes on the AAA server.
You are required to configure the switch to use the RADIUS server for remote user authentication and the security policy server for EAD control on users. The following are the configuration tasks:
Connect the RADIUS authentication server 10.110.91.164 and the switch, and configure the switch to use port number 1812 to communicate with the server.
Table of Contents
1 MAC Address Authentication Configuration (1-1)
  MAC Address Authentication Overview (1-1)
    Performing MAC Address Authentication on a RADIUS Server (1-1)
    Performing MAC Address Authentication Locally (1-1)
  Related Concepts (1-2)
    MAC Address Authentication Timers (1-2)
    Quiet MAC Address (1-2)
  Configuring Basic MAC Address Authentication Functions (1-2)
  MAC Address Authentication Enhanced Function Configuration (1-3)
    MAC Address Authentication Enhanced Function Configuration Task List (1-3)
    Configuring a Guest VLAN (1-4)
...
During authentication, the user does not need to enter a username or password manually. For the Switch 4500, MAC address authentication can be implemented locally or on a RADIUS server. After determining the authentication method, users can select one of the following types of user name as required:
MAC address mode, where the MAC address of a user serves as the user name for authentication.
format configured with the mac-authentication authmode usernameasmacaddress usernameformat command; otherwise, the authentication will fail. In fixed mode, all users’ MAC addresses are automatically mapped to the configured local passwords and usernames. The service type of a local user needs to be configured as lan-access.

Related Concepts
MAC Address Authentication Timers
The following timers function in the process of MAC address authentication:...
Command: quit
To do: Set the user name in MAC address mode for MAC address authentication
Command: mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } { lowercase | uppercase } | fixedpassword password ]...
Remarks: Optional. By default, the MAC address of a user is used as the user...
Task | Remarks
Configuring a Guest VLAN | Optional
Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port | Optional

Configuring a Guest VLAN
Different from the Guest VLANs described in the 802.1x and System-Guard manual, the Guest VLANs mentioned in this section refer to Guest VLANs dedicated to MAC address authentication. After completing the configuration tasks in Configuring Basic MAC Address Authentication Functions for a...
After a port is added to a Guest VLAN, the switch will re-authenticate the first access user of this port (namely, the first user whose unicast MAC address is learned by the switch) periodically. If this user passes the re-authentication, this port will exit the Guest VLAN, and thus the user can access the network normally.
If more than one client is connected to a port, you cannot configure a Guest VLAN for this port. When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect.
If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port.
# Set the user name in MAC address mode for MAC address authentication, requiring hyphened lowercase MAC addresses as the usernames and passwords.
[Sysname] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase
# Add a local user. Specify the user name and password.
[Sysname] local-user 00-0d-88-f6-44-c1
[Sysname-luser-00-0d-88-f6-44-c1] password simple 00-0d-88-f6-44-c1
Set the service type to lan-access.
Table of Contents
1 ARP Configuration (1-1)
  Introduction to ARP (1-1)
    ARP Function (1-1)
    ARP Message Format (1-1)
    ARP Table (1-3)
    ARP Process (1-3)
    Introduction to Gratuitous ARP (1-4)
    Introduction to ARP Source MAC Address Consistency Check (1-4)
  Configuring ARP (1-5)
  Configuring Gratuitous ARP (1-5)
  Configuring ARP Source MAC Address Consistency Check (1-6)
  Displaying and Debugging ARP (1-6)
  ARP Configuration Examples (1-6)
...
ARP Configuration
When configuring ARP, go to these sections for information you are interested in:
Introduction to ARP
Configuring ARP
Configuring Gratuitous ARP
Configuring ARP Source MAC Address Consistency Check
Displaying and Debugging ARP
ARP Configuration Examples

Introduction to ARP
ARP Function
Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address.
Figure 1-1 ARP message format
Fields, in order: Hardware type (16 bits), Protocol type (16 bits), Length of hardware address, Length of protocol address, Operator (16 bits), Hardware address of the sender...
Value | Description (continued): Chaos; IEEE802.X; ARC network

ARP Table
In an Ethernet, the MAC addresses of two hosts must be available for the two hosts to communicate with each other. Each host in an Ethernet maintains an ARP table, where the latest used IP address-to-MAC address mapping entries are stored.
mode, all hosts on this subnet can receive the request, but only the requested host (namely, Host B) will process the request. Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates its MAC address into an ARP reply, and unicasts the reply to Host A.
If they are not consistent, the ARP packet is considered invalid and the corresponding ARP entry is not learned.

Configuring ARP
Follow these steps to configure ARP basic functions:
To do: Enter system view
Command: system-view
Remarks: —
Command: arp static ip-address mac-address [ vlan-id...
Remarks: Optional
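The ARP process and the source MAC address consistency check described above, as an added example that is not part of the guide: a parser for the Figure 1-1 message layout, Host B's handling of a request (learn the sender's mapping, reply by unicast), and the check that the sender hardware address inside the ARP message matches the Ethernet source MAC before an entry is learned. Host names, addresses and frames are constructed for the demonstration.

```python
import struct

ETHERTYPE_ARP = 0x0806
ETH_HDR = struct.Struct("!6s6sH")   # destination MAC, source MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH")   # hardware type, protocol type, hw len, proto len, operator
ARP_REQUEST, ARP_REPLY = 1, 2
HW_ETHERNET, PROTO_IPV4 = 1, 0x0800
BROADCAST = b"\xff" * 6


def mac(text):
    """'00-0d-88-f6-44-c1' or '00:0d:88:f6:44:c1' -> 6 bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def ip(text):
    """Dotted-decimal IPv4 address -> 4 bytes."""
    return bytes(int(octet) for octet in text.split("."))


def build_arp_frame(eth_src, operator, sender_mac, sender_ip, target_mac, target_ip,
                    eth_dst=BROADCAST):
    """Ethernet frame carrying an ARP message in the Figure 1-1 layout.
    eth_src is the frame's source MAC; sender_mac is the ARP sender hardware
    address. A well-behaved host sets both to the same value."""
    body = (ARP_HDR.pack(HW_ETHERNET, PROTO_IPV4, 6, 4, operator)
            + sender_mac + sender_ip + target_mac + target_ip)
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + body


def parse_arp_frame(frame):
    """Return the ARP fields of a frame; raise ValueError for malformed input."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("short Ethernet header")
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    body = frame[ETH_HDR.size:]
    if len(body) < ARP_HDR.size:
        raise ValueError("short ARP header")
    hw_type, proto_type, hw_len, proto_len, operator = ARP_HDR.unpack_from(body)
    if len(body) < ARP_HDR.size + 2 * hw_len + 2 * proto_len:
        raise ValueError("truncated ARP addresses")
    fields = {"eth_src": eth_src, "eth_dst": eth_dst, "operator": operator}
    pos = ARP_HDR.size
    for name, size in (("sender_mac", hw_len), ("sender_ip", proto_len),
                       ("target_mac", hw_len), ("target_ip", proto_len)):
        fields[name] = body[pos:pos + size]
        pos += size
    return fields


def source_mac_consistent(arp):
    """ARP source MAC address consistency check: the sender hardware address
    in the ARP message must equal the Ethernet source MAC of the frame."""
    return arp["sender_mac"] == arp["eth_src"]


def handle_arp(my_ip, my_mac, arp_table, frame):
    """Process one received ARP frame as Host B does in the text. Returns the
    reply frame to unicast, or None. Inconsistent frames are dropped without
    learning an entry."""
    arp = parse_arp_frame(frame)
    if not source_mac_consistent(arp):
        return None
    if arp["target_ip"] != my_ip:
        return None
    arp_table[arp["sender_ip"]] = arp["sender_mac"]  # learn sender IP -> MAC
    if arp["operator"] == ARP_REQUEST:
        return build_arp_frame(my_mac, ARP_REPLY, my_mac, my_ip,
                               arp["sender_mac"], arp["sender_ip"],
                               eth_dst=arp["sender_mac"])
    return None


def demo():
    """Constructed traffic: Host A's consistent request is learned and answered;
    a request whose ARP sender MAC disagrees with its Ethernet source is dropped.
    Returns (replied, entries_learned, inconsistent_dropped)."""
    host_b_ip, host_b_mac = ip("10.1.1.2"), mac("00-0d-88-f6-44-c1")
    host_a_ip, host_a_mac = ip("10.1.1.1"), mac("00-0d-88-f6-44-c2")
    table = {}
    good = build_arp_frame(host_a_mac, ARP_REQUEST, host_a_mac, host_a_ip, bytes(6), host_b_ip)
    reply = handle_arp(host_b_ip, host_b_mac, table, good)
    bad = build_arp_frame(host_a_mac, ARP_REQUEST, mac("00-0d-88-00-00-99"),
                          ip("10.1.1.9"), bytes(6), host_b_ip)
    dropped = handle_arp(host_b_ip, host_b_mac, table, bad)
    return reply is not None, len(table), dropped is None


if __name__ == "__main__":
    print(demo())  # (True, 1, True)
```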
The sending of gratuitous ARP packets is enabled as long as an S4500 switch operates. No command is needed for enabling this function. That is, the device sends gratuitous ARP packets whenever a VLAN interface is enabled (such as when a link is enabled or an IP address is configured for the VLAN interface) or whenever the IP address of a VLAN interface is changed.
DHCP Overview
When configuring DHCP, go to these sections for information you are interested in:
Introduction to DHCP
DHCP IP Address Assignment
DHCP Packet Format
Protocol Specification

Introduction to DHCP
With networks getting larger in size and more complicated in structure, lack of available IP addresses becomes the common situation the network administrators have to face, and network configuration becomes a tough task for the network administrators.
Automatic assignment. The DHCP server assigns IP addresses to DHCP clients. The IP addresses will be occupied by the DHCP clients permanently.
Dynamic assignment. The DHCP server assigns IP addresses to DHCP clients for a predetermined period of time. In this case, a DHCP client must apply for an IP address again at the expiration of the period.
By default, a DHCP client updates its IP address lease automatically by unicasting a DHCP-REQUEST packet to the DHCP server when half of the lease time elapses. The DHCP server responds with a DHCP-ACK packet to notify the DHCP client of a new IP lease if the server can assign the same IP address to the client.
file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP client.
option: Optional variable-length fields, including packet type, valid lease time, IP address of a DNS server, and IP address of the WINS server.

Protocol Specification
Protocol specifications related to DHCP include:
RFC2131: Dynamic Host Configuration Protocol...
DHCP Relay Agent Configuration
When configuring the DHCP relay agent, go to these sections for information you are interested in:
Introduction to DHCP Relay Agent
Configuring the DHCP Relay Agent
Displaying and Maintaining DHCP Relay Agent Configuration
DHCP Relay Agent Configuration Example
Troubleshooting DHCP Relay Agent Configuration
Currently, the interface-related DHCP relay agent configurations can only be made on VLAN interfaces.
Figure 2-1 Typical DHCP relay agent application
In the process of dynamic IP address assignment through the DHCP relay agent, the DHCP client and DHCP server interoperate with each other in a similar way as they do without the DHCP relay agent. The following sections only describe the forwarding process of the DHCP relay agent.
Figure 2-2 Padding contents for sub-option 1 of Option 82
Figure 2-3 Padding contents for sub-option 2 of Option 82

Mechanism of Option 82 supported on DHCP relay agent
The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay agent is similar to that for the client to obtain an IP address from a DHCP server directly.
If a switch belongs to an XRN fabric, you need to enable the UDP Helper function on it before configuring it as a DHCP relay agent.

DHCP Relay Agent Configuration Task List
Complete the following tasks to configure the DHCP relay agent:
Task | Remarks
Enabling DHCP...
To improve security and avoid malicious attacks on unused sockets, S4500 Ethernet switches provide the following functions: UDP ports 67 and 68, used by DHCP, are enabled only when DHCP is enabled, and are disabled when DHCP is disabled. The corresponding implementation is as follows:
When a VLAN interface is mapped to a DHCP server group with the dhcp-server command, the DHCP relay agent is enabled.
To do: Create a static IP-to-MAC binding
Command: dhcp-security static ip-address mac-address
Remarks: Optional. Not created by default.
To do: Enter interface view
Command: interface interface-type interface-number
Remarks: —
To do: Enable the address checking function
Command: address-check enable
Remarks: Required. Disabled by default.
The address-check enable command is independent of other commands of the DHCP relay agent.
Currently, the DHCP relay agent handshake function on an S4500 series switch can only interoperate with a Windows 2000 DHCP server.

Enabling unauthorized DHCP server detection
If there is an unauthorized DHCP server in the network, when a client applies for an IP address, the unauthorized DHCP server may assign an incorrect IP address to the DHCP client.
To do: Enable Option 82 support on the DHCP relay agent
Command: dhcp relay information enable
Remarks: Required. Disabled by default.
To do: Configure the strategy for the DHCP relay agent to process request packets containing Option 82
Command: dhcp relay information strategy { drop | keep | replace }...
Remarks: Optional. By default, the replace strategy...
Network diagram
Figure 2-4 Network diagram for DHCP relay agent (Switch A, DHCP relay: Vlan-int1 10.10.1.1/24, Vlan-int2 10.1.1.2/24, with DHCP clients attached; Switch B, DHCP server: Vlan-int2 10.1.1.1/24)

Configuration procedure
# Create DHCP server group 1 and configure an IP address of 10.1.1.1 for it.
<SwitchA>...
Check if an address pool that is on the same network segment with the DHCP clients is configured on the DHCP server. Check if a reachable route is configured between the DHCP relay agent and the DHCP server. Check the DHCP relay agent. Check if the correct DHCP server group is configured on the interface connecting the network segment where the DHCP client resides.
DHCP Snooping Configuration
When configuring DHCP snooping, go to these sections for information you are interested in:
DHCP Snooping Overview
Configuring DHCP Snooping
Displaying and Maintaining DHCP Snooping Configuration
DHCP Snooping Configuration Examples

DHCP Snooping Overview
Introduction to DHCP Snooping
For the sake of security, the IP addresses used by online DHCP clients need to be tracked, so that the administrator can verify the correspondence between the IP addresses the DHCP clients obtained from DHCP servers and the MAC addresses of the DHCP clients.
Figure 3-1 Typical network diagram for DHCP snooping application
DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients:
DHCP-REQUEST packet
DHCP-ACK packet

Introduction to DHCP-Snooping Option 82
Introduction to Option 82...
Figure 3-3 Extended format of the remote ID sub-option
In practice, some network devices do not support the type and length identifiers of the Circuit ID and Remote ID sub-options. To interwork with these devices, S4500 Series Ethernet Switches support Option 82 in the standard format.
When receiving a DHCP client’s request without Option 82, the DHCP snooping device will add the option field with the configured sub-option and then forward the packet. For details, see Table 3-2.
Table 3-2 Ways of handling a DHCP packet without Option 82
Sub-option configuration | The DHCP-Snooping device will …...
If an S4500 Ethernet switch is enabled with DHCP snooping, the clients connected to it cannot dynamically obtain IP addresses through BOOTP. You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses.
Configuring a handling policy for DHCP packets with Option 82
Follow these steps to configure a handling policy for DHCP packets with Option 82:
To do: Enter system view
Command: system-view
Remarks: —
To do: Configure a global handling policy for requests that contain Option 82
Command: dhcp-snooping information strategy { drop | keep |...
Remarks: Optional
To do: Enter Ethernet port view
Command: interface interface-type interface-number
Remarks: —
To do: Configure the circuit ID sub-option in Option 82
Command: dhcp-snooping information [ vlan vlan-id ] circuit-id string string
Remarks: Optional. By default, the circuit ID sub-option contains the VLAN ID and port index related to the port that receives DHCP request packets from DHCP clients...
If you configure a remote ID sub-option in both system view and on a port, the remote ID sub-option configured on the port applies when the port receives a packet, and the global remote ID applies to other interfaces that have no remote ID sub-option configured. If you have configured a remote ID with the vlan vlan-id argument specified, and the other one without the argument in Ethernet port view, the former remote ID applies to the DHCP messages from the specified VLAN, while the latter one applies to DHCP messages from other VLANs.
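The Option 82 handling described in this section (the standard type/length format of the Circuit ID and Remote ID sub-options, the drop/keep policy for requests that already carry the option, and the port+VLAN > port > global precedence for the remote ID), as an added Python example written for this page rather than taken from the switch software. The packing of the default circuit ID as a 2-byte VLAN ID plus 1-byte port index, the system name used, and the DHCP message-type option in the sample are assumptions; the page gives the standard TLV layout but not the byte layout of the default circuit ID.

```python
"""DHCP Option 82 (relay agent information) in the standard TLV format the page
says the S4500 supports, plus the circuit ID / remote ID selection rules and the
drop/keep handling policy for requests that already carry the option."""
import struct

OPT_AGENT_INFO = 82
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2


def encode_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Build option 82: code, length, then the two sub-options as type/length/value."""
    body = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPT_AGENT_INFO, len(body)]) + body


def decode_option82(opt: bytes) -> dict:
    """Parse option 82 into {sub-option type: value}; reject inconsistent lengths."""
    if len(opt) < 2 or opt[0] != OPT_AGENT_INFO or opt[1] != len(opt) - 2:
        raise ValueError("not a well-formed Option 82")
    subs, i = {}, 2
    while i < len(opt):
        if i + 2 > len(opt):
            raise ValueError("truncated sub-option header")
        stype, slen = opt[i], opt[i + 1]
        value = opt[i + 2:i + 2 + slen]
        if len(value) != slen:
            raise ValueError("sub-option length runs past the option")
        subs[stype] = value
        i += 2 + slen
    return subs


class SnoopingOption82:
    """Option 82 insertion on a DHCP snooping device.

    Remote ID precedence follows the page: a port+VLAN remote ID beats a plain
    port remote ID, which beats the global one (the system name by default).
    The circuit ID defaults to VLAN ID plus port index; its byte layout is not
    given on the page, so the 2-byte VLAN + 1-byte port packing is an assumption.
    """

    def __init__(self, sysname: str, strategy: str = "keep"):
        self.global_remote_id = sysname.encode()
        self.strategy = strategy        # "drop" or "keep" (the options shown on the page)
        self.remote_ids = {}            # (port, vlan or None) -> bytes
        self.circuit_ids = {}           # (port, vlan or None) -> str

    def remote_id_for(self, port, vlan):
        return (self.remote_ids.get((port, vlan))
                or self.remote_ids.get((port, None))
                or self.global_remote_id)

    def circuit_id_for(self, port, vlan, port_index):
        configured = self.circuit_ids.get((port, vlan)) or self.circuit_ids.get((port, None))
        if configured is not None:
            return configured.encode()
        return struct.pack(">HB", vlan, port_index)   # assumed default encoding

    def handle_request(self, options: dict, port, vlan, port_index):
        """options maps DHCP option code -> raw bytes. Returns (action, options)."""
        if OPT_AGENT_INFO in options:
            if self.strategy == "drop":
                return "drop", None
            return "forward-unchanged", options       # keep: leave the client's option alone
        new_options = dict(options)
        new_options[OPT_AGENT_INFO] = encode_option82(
            self.circuit_id_for(port, vlan, port_index), self.remote_id_for(port, vlan))
        return "forward-with-option82", new_options


if __name__ == "__main__":
    dev = SnoopingOption82("Switch4500")                  # constructed system name
    dev.circuit_ids[("Ethernet1/0/3", 1)] = "abcd"        # the page's example setting
    action, opts = dev.handle_request({53: b"\x03"}, "Ethernet1/0/3", 1, 3)
    print(action, decode_option82(opts[OPT_AGENT_INFO]))
```

The decoder's length checks matter on the server or relay side: a sub-option whose declared length runs past the option is the kind of malformed input a parser should reject rather than read through.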
Enable DHCP-snooping Option 82 support on the switch and set the remote ID field in Option 82 to the system name of the switch. Set the circuit ID sub-option to abcd in DHCP packets from VLAN 1 on Ethernet 1/0/3.
Network diagram
Figure 3-6 Network diagram for DHCP-snooping Option 82 support configuration
Configuration procedure...
DHCP/BOOTP Client Configuration
When configuring the DHCP/BOOTP client, go to these sections for information you are interested in:
Introduction to DHCP Client
Introduction to BOOTP Client
Configuring a DHCP/BOOTP Client
Displaying DHCP/BOOTP Client Configuration
Introduction to DHCP Client
After you specify a VLAN interface as a DHCP client, the device can use DHCP to obtain parameters such as an IP address dynamically from the DHCP server, which facilitates user configuration and management.
Configuring a DHCP/BOOTP Client
Follow these steps to configure a DHCP/BOOTP client:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter VLAN interface view | interface vlan-interface vlan-id | —
Configure the VLAN interface to obtain an IP address through DHCP or BOOTP | ip address { bootp-alloc | dhcp-alloc } | Required. By default, no IP address is...
Network diagram
Figure 4-1 A DHCP network
Configuration procedure
The following describes only the configuration on Switch A serving as a DHCP client.
# Configure VLAN-interface 1 to dynamically obtain an IP address by using DHCP.
<SwitchA> system-view
[SwitchA] interface Vlan-interface 1
[SwitchA-Vlan-interface1] ip address dhcp-alloc
BOOTP Client Configuration Example
Network requirement...
1 ACL Configuration 1-1
ACL Overview 1-1
ACL Matching Order 1-1
Ways to Apply an ACL on a Switch 1-2
Types of ACLs Supported by Switch 4500 Series 1-3
ACL Configuration Task List 1-3
Configuring Time Range 1-3
Configuring Basic ACL 1-5
Configuring Advanced ACL 1-6
Configuring Layer 2 ACL 1-7...
ACL Configuration
When configuring ACL, go to these sections for information you are interested in:
ACL Overview
ACL Configuration Task List
Displaying and Maintaining ACL
Configuration Examples for Upper-layer Software Referencing ACLs
Examples for Applying ACLs to Hardware
ACL Overview
As the network scale and network traffic keep growing, security control and bandwidth assignment play an increasingly important role in network management.
ACLs are matched in the order determined by the hardware instead of the order defined in the ACL. For the Switch 4500 series, the later a rule is applied, the higher its match priority. ACLs are directly applied to hardware when they are used for:...
Advanced ACL
Layer 2 ACL
User-defined ACL
In addition, ACLs defined on the Switch 4500 series can be applied to hardware directly or referenced by upper-layer software for packet filtering.
ACL Configuration Task List
Complete the following tasks to configure ACL:...
An absolute time range on the Switch 4500 Series can be within the range 1970/1/1 00:00 to 2100/12/31 24:00.
Configuration procedure
Follow these steps to configure a time range:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Configure a time range | time-range time-name { start-time to end-time...
<Sysname> system-view
[Sysname] time-range test from 15:00 1/28/2006 to 15:00 1/28/2008
[Sysname] display time-range test
Current time is 13:30:32 Apr/16/2005 Saturday
Time-range : test ( Inactive )
From 15:00 Jan/28/2006 to 15:00 Jan/28/2008
Configuring Basic ACL
A basic ACL filters packets based on their source IP addresses. A basic ACL can be numbered from 2000 to 2999.
Note that:
With the config match order specified for the advanced ACL, you can modify any existing rule; the unmodified part of the rule remains.
With the auto match order specified for the ACL, you cannot modify any existing rule; otherwise the system prompts error information.
If you do not specify the rule-id argument when creating an ACL rule, the rule is numbered automatically.
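ACL matching as this chapter describes it, as an added Python example (written for this page, not the switch's own filtering code): rule lines in the syntax the examples below use, wildcard masks where a 1 bit means "don't care" and a bare 0 means an exact host match, the periodic and absolute time-range forms from the time-range section, and the two orders from ACL Matching Order, config order (first listed hit wins) against the hardware order on the Switch 4500 (the rule applied later has the higher priority). The sample rules, addresses and timestamps are constructed, and the "permit" verdict for a packet matching no rule is an assumption.

```python
"""Basic/advanced ACL rule matching with Comware-style wildcard masks and
time ranges, showing how the match order changes the verdict for a packet."""
import ipaddress
from datetime import datetime


def _ip(text):
    """Dotted-quad to int; the page writes an all-zero wildcard as a bare 0."""
    if "." not in text:
        return int(text)
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr, rule_addr, wildcard):
    """Wildcard mask semantics: a 1 bit means 'don't care'; mask 0 is an exact match."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) ^ _ip(rule_addr)) & care == 0


class TimeRange:
    """Parses the two forms used on the page: periodic 'HH:MM to HH:MM daily|working-day'
    and absolute 'from HH:MM M/D/YYYY to HH:MM M/D/YYYY'."""

    def __init__(self, spec):
        tok = spec.split()
        if tok[0] == "from":
            self.start = datetime.strptime(f"{tok[1]} {tok[2]}", "%H:%M %m/%d/%Y")
            self.end = datetime.strptime(f"{tok[4]} {tok[5]}", "%H:%M %m/%d/%Y")
            self.days = None
        else:
            self.start = datetime.strptime(tok[0], "%H:%M").time()
            self.end = datetime.strptime(tok[2], "%H:%M").time()
            self.days = range(7) if tok[3] == "daily" else range(5)  # working-day = Mon..Fri

    def active(self, now):
        if self.days is None:
            return self.start <= now <= self.end
        return now.weekday() in self.days and self.start <= now.time() <= self.end


class Rule:
    """One 'rule' line as typed on the page, e.g.
    'rule 1 deny source 10.1.1.1 0 time-range test' or
    'rule 1 deny ip destination 192.168.1.2 0 time-range test'."""

    def __init__(self, text):
        tok = text.split()
        if tok[0] != "rule":
            raise ValueError("expected a rule line")
        self.id, self.action = int(tok[1]), tok[2]
        self.src = self.dst = self.time_range = None
        i = 3
        if i < len(tok) and tok[i] == "ip":   # advanced ACL protocol keyword
            i += 1
        while i < len(tok):
            if tok[i] == "source":
                self.src, i = (tok[i + 1], tok[i + 2]), i + 3
            elif tok[i] == "destination":
                self.dst, i = (tok[i + 1], tok[i + 2]), i + 3
            elif tok[i] == "time-range":
                self.time_range, i = tok[i + 1], i + 2
            else:
                raise ValueError(f"unsupported keyword {tok[i]!r}")

    def matches(self, pkt, time_ranges, now):
        if self.src and not wildcard_match(pkt["src"], *self.src):
            return False
        if self.dst and not wildcard_match(pkt["dst"], *self.dst):
            return False
        if self.time_range and not time_ranges[self.time_range].active(now):
            return False
        return True


def match_config_order(rules, pkt, time_ranges, now, default="permit"):
    """config order: rules are tried as listed and the first hit decides."""
    for rule in rules:
        if rule.matches(pkt, time_ranges, now):
            return rule.action
    return default


def match_hardware_order(rules, pkt, time_ranges, now, default="permit"):
    """Hardware order on the Switch 4500 as the page states it: the rule applied
    later has the higher match priority, so the last applied hit decides.
    The 'default' for a packet matching no rule is an assumption, not from the page."""
    for rule in reversed(rules):
        if rule.matches(pkt, time_ranges, now):
            return rule.action
    return default


def verdicts(pkt, now):
    """Constructed rule set: deny one host during the time range, permit its subnet."""
    ranges = {"test": TimeRange("8:00 to 18:00 daily")}
    rules = [Rule("rule 1 deny source 10.1.1.1 0 time-range test"),
             Rule("rule 2 permit source 10.1.1.0 0.0.0.255")]
    return (match_config_order(rules, pkt, ranges, now),
            match_hardware_order(rules, pkt, ranges, now))
```

The same two rules give a deny in config order and a permit in hardware order for the denied host during working hours, which is why the "later applied, higher priority" note matters when an ACL is pushed to the port hardware: the deny has to be the rule applied last to win.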
To do... | Use the command... | Remarks
Define an ACL rule | rule [ rule-id ] { permit | deny } rule-string | Required. For information about rule-string, refer to ACL Commands.
Assign a description string to the ACL rule | rule rule-id comment text | Optional. No description by default.
Assign a description string to...
To do... | Use the command... | Remarks
Enter system view | system-view | —
Create a user-defined ACL and enter user-defined ACL view | acl number acl-number | Required
Define an ACL rule | rule [ rule-id ] { permit | deny } [ rule-string rule-mask offset ] &<1-8>... | Required. For information about...
Acl's step is 1
rule 0 deny 06 ff 27
Applying ACL Rules on Ports
By applying ACL rules on ports, you can filter packets on the corresponding ports.
Configuration prerequisites
You need to define an ACL before applying it on a port. For information about defining an ACL, refer to Configuring Basic ACL, Configuring Advanced...
Configuration procedure
Follow these steps to apply ACL rules to ports in a VLAN:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Apply ACL rules to ports in a VLAN | packet-filter vlan vlan-id { inbound | outbound } acl-rule | Required. For information about acl-rule, refer to ACL Commands.
Configuration procedure
# Define ACL 2000.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] quit
# Reference ACL 2000 on the VTY user interface to control Telnet login users.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound
Example for Controlling Web Login Users by Source IP
Network requirements
Apply an ACL to permit Web users with the source IP address of 10.110.100.46 to log in to the switch...
Network diagram
Figure 1-3 Network diagram for basic ACL configuration
Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 every day.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 daily
# Define ACL 2000 to filter packets with the source IP address of 10.1.1.1.
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 deny source 10.1.1.1 0 time-range test
[Sysname-acl-basic-2000] quit...
Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 every day.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 working-day
# Define ACL 3000 to filter packets destined for the wage query server.
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 1 deny ip destination 192.168.1.2 0 time-range test
[Sysname-acl-adv-3000] quit
# Apply ACL 3000 on Ethernet 1/0/1.
User-defined ACL Configuration Example Network requirements As shown in Figure 1-6, PC 1 and PC 2 are connected to the switch through Ethernet 1/0/1 and Ethernet 1/0/2 respectively. They belong to VLAN 1 and access the Internet through the same gateway, which has an IP address of 192.168.0.1 (the IP address of VLAN-interface 1).
Network diagram
Figure 1-7 Network diagram for applying an ACL to a VLAN (figure labels: Database server 192.168.1.2, Eth1/0/1, Eth1/0/3, Eth1/0/2, VLAN 10, PC 1, PC 2, PC 3)
Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 in working days.
<Sysname>...
Introduction to QoS 1-1
Traditional Packet Forwarding Service 1-1
New Applications and New Requirements 1-1
Major Traffic Control Techniques 1-2
QoS Supported By Switch 4500 Series 1-3
Introduction to QoS Functions 1-3
Traffic Classification 1-3
Priority Trust Mode 1-4
Protocol Priority 1-7
Priority Marking 1-8...
QoS Configuration
When configuring QoS, go to these sections for information you are interested in:
Overview
QoS Supported By Switch 4500 Series
QoS Configuration
Displaying and Maintaining QoS
QoS Configuration Examples
Overview
Introduction to QoS
Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to meet customer needs.
and VoD. For other applications, such as transaction processing and Telnet, bandwidth is not as critical, but an excessive delay may cause unexpected results; that is, they need to be serviced in time even if congestion occurs. Newly emerging applications demand higher service performance from IP networks. In addition to simply delivering packets to their destinations, better network services are demanded, such as allocating dedicated bandwidth, reducing the packet loss ratio, avoiding congestion, regulating network traffic, and setting the priority of packets.
QoS Supported By Switch 4500 Series
The Switch 4500 series support the QoS features listed in Table 1-1:
Table 1-1 QoS features supported by Switch 4500 series
QoS Feature | Description | Refer to …
Classify incoming traffic based on ACLs. The Switch 4500...
protocol or the port number of an application. Normally, traffic classification is done by checking the information carried in the packet header; the packet payload is rarely used for traffic classification. The identifying rule is not limited in scope: it can be a quintuplet consisting of source address, source port number, protocol number, destination address, and destination port number.
Assured forwarding (AF) class: This class is further divided into four subclasses (AF1/2/3/4), and each subclass is further divided into three drop priorities, so the AF service level can be segmented. The QoS rank of the AF class is lower than that of the EF class;
Class selector (CS) class: This class comes from the IP ToS field and includes eight subclasses;...
802.1p priority
802.1p priority lies in Layer 2 packet headers and is applicable to occasions where the Layer 3 packet header does not need analysis but QoS must be assured at Layer 2.
Figure 1-3 An Ethernet frame with an 802.1Q tag header
As shown in the figure above, the 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two bytes in length), whose value is 0x8100, and the tag control information (TCI, two bytes in length).
Priority trust mode
After a packet enters a switch, the switch sets the 802.1p priority and local precedence for the packet according to its own capability and the corresponding rules.
For a packet carrying no 802.1q tag
When a packet carrying no 802.1q tag reaches the port of a switch, the switch uses the port priority as the 802.1p precedence value of the received packet, searches for the local precedence corresponding to the port priority of the receiving port in the 802.1p-to-local precedence mapping table, and assigns the local precedence to the packet.
Priority Marking
The priority marking function is to reassign priority for the traffic matching an ACL referenced for traffic classification. If 802.1p priority marking is configured, the traffic will be mapped to the local precedence corresponding to the re-marked 802.1p priority and assigned to the output queue corresponding to the local precedence.
enough to forward the packets, the traffic is conforming to the specification; otherwise, the traffic is nonconforming or excess. Parameters concerning token bucket include: Average rate: The rate at which tokens are put into the bucket, namely, the permitted average rate of the traffic.
The Switch 4500 series support three queue scheduling algorithms: Strict Priority (SP) queuing, Weighted Fair Queuing (WFQ), and Weighted Round Robin (WRR) queuing.
SP queuing
Figure 1-6 Diagram for SP queuing
The SP queue-scheduling algorithm is specially designed for critical service applications. An important feature of critical services is that they demand preferential service during congestion in order to reduce the response delay.
Figure 1-7 Diagram for WFQ queuing
Before WFQ is introduced, you must understand fair queuing (FQ) first. FQ is designed for the purpose of sharing network resources fairly and optimizing the delays and delay jitters of all the flows. It takes the interests of all parties into account, for example:
Different queues are scheduled fairly, so the delay of each flow is balanced globally.
In a typical 3Com switch there are eight output queues on each port. WRR configures a weight value for each queue, for example: w7, w6, w5, w4, w3, w2, w1, and w0 respectively for queue 7 through queue 0.
In the WRED algorithm, an upper limit and a lower limit are set for each queue, and the packets in a queue are processed as follows:
When the current queue length is smaller than the lower limit, no packet is dropped;
When the queue length exceeds the upper limit, all the newly received packets are dropped;...
Configuration procedure
Follow these steps to configure the switch to trust port priority:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Configure the switch to trust port priority and configure the port priority | priority priority-level | Optional. By default, the switch trusts port priority and the priority of a...
Set the priority for specific protocol packets | protocol-priority protocol-type protocol-type { ip-precedence ip-precedence | dscp dscp-value } | You can modify the IP precedence or DSCP precedence of the corresponding protocol packets.
On the Switch 4500, you can set the priority for protocol packets of Telnet, SNMP, and ICMP.
Configuration example
Set the IP precedence of ICMP packets to 3. Display the configuration.
Configuration procedure:
<Sysname> system-view
[Sysname] protocol-priority protocol-type icmp ip-precedence 3
[Sysname] display protocol-priority
Protocol: icmp
IP-Precedence: flash(3)
Marking Packet Priority
Refer to section Priority Marking for information about marking packet priority. Marking packet priority can be implemented in the following two ways:
Through traffic policing
When configuring traffic policing, you can define the action of marking the DSCP precedence for...
To do… | Use the command… | Remarks
Enter system view | system-view | —
Mark the priorities for the packets belonging to a VLAN and matching a specific ACL | traffic-priority vlan vlan-id { inbound | outbound } acl-rule { { dscp dscp-value | ip-precedence { pre-value | from-cos } } | cos... | Required. Refer to the command manual for information...
To do… | Use the command… | Remarks
Configure traffic policing | traffic-limit inbound acl-rule [ union-effect ] target-rate [ burst-bucket burst-bucket-size ] [ exceed action ] | Required. Specify a committed information rate (CIR) for the target-rate argument, and specify a committed burst size (CBS) for the burst-bucket-size argument.
To do… | Use the command… | Remarks
Configure line rate | line-rate { inbound | outbound } target-rate [ burst-bucket burst-bucket-size ] | Required. Specify a committed information rate (CIR) for the target-rate argument, and specify a committed burst size (CBS) for the burst-bucket-size argument.
A port of a Switch 4500 supports eight output queues. These queue scheduling algorithms are available: SP, WRR, and WFQ. With WRR (or WFQ) adopted, if you set the weight or the bandwidth of one or multiple queues to 0, the switch adds those queues to the SP group, where SP scheduling is adopted.
The queue scheduling algorithm specified by using the queue-scheduler command in system view takes effect on all the ports. The queue scheduling algorithm configured in port view must be the same as that configured in system view. Otherwise, the system prompts configuration errors. If the weight (or bandwidth value) specified in system view for a queue of WRR queuing or WFQ queuing cannot meet the requirement of a port, you can modify the weight (or bandwidth value) for this port in the corresponding Ethernet port view.
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Configure WRED | wred queue-index qstart probability | Required. By default, WRED is not configured.
Configuration example
Configure WRED for queue 2 of Ethernet 1/0/1 to drop packets in queue 2 randomly when the number of packets in queue 2 exceeds 64, with the dropping probability set to 20%.
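The eight-queue output port described in the queue scheduling and WRED sections, as an added Python simulation written for this page (it is not the switch's scheduler): queues given weight 0 form an SP group served before the weighted queues, the remaining queues are served round-robin by weight in the queue 7 to queue 0 order the WRR section lists, and WRED drops randomly once a queue passes qstart with the configured probability, using the queue 2 / 64 / 20% values from the configuration example above. The upper limit at which every new packet is dropped (128 here), the seed, and the traffic mix are assumptions.

```python
"""Output-port queueing on one port: eight queues, WRED on admission, and a
scheduler where queues with weight 0 form an SP group served before the WRR
queues, as the page describes for the Switch 4500."""
import random
from collections import deque


class OutputPort:
    def __init__(self, weights, wred=None, seed=1):
        if len(weights) != 8:
            raise ValueError("a port has eight output queues")
        self.weights = list(weights)            # w0..w7; 0 puts a queue in the SP group
        self.credits = list(weights)            # packets each WRR queue may still send this round
        self.queues = [deque() for _ in range(8)]
        # WRED per queue: (qstart, drop probability in %, upper limit). The page's
        # command sets qstart and probability; the upper limit at which every new
        # packet is dropped comes from the WRED description and its value is assumed.
        self.wred = dict(wred or {})
        self.rng = random.Random(seed)          # seeded so runs are reproducible
        self.drops = 0

    def enqueue(self, qidx, pkt):
        """Admit pkt to queue qidx, applying WRED if configured. Returns True if queued."""
        queue = self.queues[qidx]
        if qidx in self.wred:
            qstart, prob, qmax = self.wred[qidx]
            if len(queue) >= qmax:
                self.drops += 1                 # above the upper limit: drop everything new
                return False
            if len(queue) >= qstart and self.rng.random() * 100 < prob:
                self.drops += 1                 # between the limits: random early drop
                return False
        queue.append(pkt)
        return True

    def dequeue(self):
        """Pick the next packet: SP group first (highest queue number wins),
        then WRR across the weighted queues. Returns (queue index, pkt) or None."""
        for i in range(7, -1, -1):
            if self.weights[i] == 0 and self.queues[i]:
                return i, self.queues[i].popleft()
        if not any(self.queues[i] for i in range(8) if self.weights[i] > 0):
            return None
        for _ in range(2):                      # second pass only after a credit refresh
            for i in range(7, -1, -1):
                if self.weights[i] > 0 and self.queues[i] and self.credits[i] > 0:
                    self.credits[i] -= 1
                    return i, self.queues[i].popleft()
            self.credits = list(self.weights)   # round over: refresh every queue's credits
        return None

    def drain(self):
        """Dequeue until empty and return the queue indexes in service order."""
        order = []
        while (item := self.dequeue()) is not None:
            order.append(item[0])
        return order


def sample_schedule():
    """Constructed load: queue 7 in the SP group, queues 6 and 5 with WRR weights 2:1."""
    port = OutputPort(weights=[1, 1, 1, 1, 1, 1, 2, 0])
    for n in range(2):
        port.enqueue(7, f"critical-{n}")
    for n in range(4):
        port.enqueue(6, f"video-{n}")
        port.enqueue(5, f"bulk-{n}")
    return port.drain()


def sample_wred(offered=200):
    """Page's example: WRED on queue 2, random drops at 20% once the queue holds
    more than 64 packets; the 128 upper limit is an assumed value."""
    port = OutputPort(weights=[1] * 8, wred={2: (64, 20, 128)})
    accepted = sum(port.enqueue(2, n) for n in range(offered))
    return accepted, port.drops


if __name__ == "__main__":
    print(sample_schedule())
    print(sample_wred())
```

The service order from sample_schedule shows the two effects the text describes: the SP-group queue is emptied first regardless of weight, and the weighted queues are then served at their 2:1 ratio until the heavier one drains. The WRED run shows that the first 64 packets are never dropped and that nothing gets in once the upper limit is reached.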
For information about the mirroring-group monitor-port command and the monitor-port command, refer to the part about mirroring.
Configuration example
Network requirements: Ethernet 1/0/1 is connected to the 10.1.1.0/24 network segment. Duplicate the packets from network segment 10.1.1.0/24 to the destination mirroring port Ethernet 1/0/4.
QoS Configuration Examples
Configuration Example of Traffic Policing and Line Rate
Network requirement
An enterprise network connects all the departments through an Ethernet switch. PC 1, with the IP address 192.168.0.1, belongs to the R&D department and is connected to Ethernet 1/0/1 of the switch. The marketing department is connected to Ethernet 1/0/2 of the switch.
Configuration Example of Priority Marking and Queue Scheduling
Network requirements
As shown in Figure 1-10, an enterprise network connects all the departments through an Ethernet switch. Clients PC 1 through PC 3 are connected to Ethernet 1/0/1 of the switch; clients PC 4 through PC 6 are connected to Ethernet 1/0/3 of the switch.
[Sysname-Ethernet1/0/2] traffic-priority inbound ip-group 3000 rule 1 local-precedence 3
[Sysname-Ethernet1/0/2] traffic-priority inbound ip-group 3000 rule 2 local-precedence 2
[Sysname-Ethernet1/0/2] quit
Configure queue scheduling
# Apply the SP queue scheduling algorithm.
[Sysname] queue-scheduler strict-priority
VLAN Mapping Configuration Example
Network requirements
Two customer networks are connected to the public network through Switch A and Switch B. Configure the VLAN mapping function on the switches to enable the hosts on the two customer networks to communicate through public network VLANs.
Configuration procedure
# Create customer VLANs VLAN 100 and VLAN 200 and service VLANs VLAN 500 and VLAN 600 on Switch A.
<SwitchA> system-view
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] vlan 200
[SwitchA-vlan200] quit
[SwitchA] vlan 500
[SwitchA-vlan500] quit
[SwitchA] vlan 600
[SwitchA-vlan600] quit
# Configure Ethernet 1/0/11 of Switch A as a trunk port and configure its default VLAN as VLAN 100.
# Configure VLAN mapping on Ethernet 1/0/11 to replace VLAN tag 100 with VLAN tag 500.
[SwitchA] interface Ethernet 1/0/11
[SwitchA-Ethernet1/0/11] traffic-remark-vlanid inbound link-group 4000 remark-vlan 500
[SwitchA-Ethernet1/0/11] quit
# Configure VLAN mapping on Ethernet 1/0/12 to replace VLAN tag 200 with VLAN tag 600.
[SwitchA] interface Ethernet 1/0/12
[SwitchA-Ethernet1/0/12] traffic-remark-vlanid inbound link-group 4001 remark-vlan 600
[SwitchA-Ethernet1/0/12] quit...
Table of Contents
1 Mirroring Configuration 1-1
Mirroring Overview 1-1
Local Port Mirroring 1-1
Remote Port Mirroring 1-2
Traffic Mirroring 1-3
Mirroring Configuration 1-3
Configuring Local Port Mirroring 1-4
Configuring Remote Port Mirroring 1-4
Displaying and Maintaining Port Mirroring 1-7
Mirroring Configuration Examples 1-8
Local Port Mirroring Configuration Example 1-8
Remote Port Mirroring Configuration Example 1-9...
Figure 1-1 Mirroring
The Switch 4500 series support three types of port mirroring:
Local Port Mirroring
Remote Port Mirroring
Traffic Mirroring
They are described in the following sections.
Remote Port Mirroring
Remote port mirroring does not require the source and destination ports to be on the same device. The source and destination ports can be located on multiple devices across the network. This allows an administrator to monitor traffic on remote devices conveniently. To implement remote port mirroring, a special VLAN, called the remote-probe VLAN, is used.
Task | Remarks
Configuring Local Port Mirroring | Optional
Configuring Remote Port Mirroring | Optional
On a Switch 4500, only one destination port for local port mirroring and only one reflector port can be configured, and the two types of ports cannot both exist.
LACP or STP.
Configuring Remote Port Mirroring
A Switch 4500 can serve as a source switch, an intermediate switch, or a destination switch in a remote port mirroring networking environment.
Configuration on a switch acting as a source switch
Configuration prerequisites
The source port, the reflector port, and the remote-probe VLAN are determined.
Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN.
The direction of the packets to be monitored is determined.
Configuration procedure
Follow these steps to perform configurations on the source switch:
To do…...
... remote-probe VLAN | ... remote-probe-vlan-id | Required
Note that a Switch 4500 acting as the intermediate switch in remote port mirroring networking does not support bidirectional packet mirroring (the both keyword).
Configuration on a switch acting as a destination switch
Configuration prerequisites
The destination port and the remote-probe VLAN are determined.
When configuring a destination switch, note that:
A Switch 4500 acting as the destination switch in remote port mirroring networking does not support bidirectional packet mirroring (the both keyword).
The destination port of remote port mirroring cannot be a member port of an existing mirroring group, a fabric port, a member port of an aggregation group, or a port enabled with LACP or STP.
Local Port Mirroring Configuration Example
Network requirements
The departments of a company connect to each other through Switch 4500 series switches:
The Research and Development (R&D) department is connected to Switch C through Ethernet 1/0/1.
The Marketing department is connected to Switch C through Ethernet 1/0/2.
Remote Port Mirroring Configuration Example
Network requirements
The departments of a company connect to each other through Switch 4500 series switches:
Switch A, Switch B, and Switch C are Switch 4500 series switches.
Department 1 is connected to Ethernet 1/0/1 of Switch A.
Configuration procedure
Configure the source switch (Switch A)
# Create remote source mirroring group 1.
<Sysname> system-view
[Sysname] mirroring-group 1 remote-source
# Configure VLAN 10 as the remote-probe VLAN.
[Sysname] vlan 10
[Sysname-vlan10] remote-probe vlan enable
[Sysname-vlan10] quit
# Configure the source ports, reflector port, and remote-probe VLAN for the remote source mirroring group.
[Sysname-Ethernet1/0/2] port trunk permit vlan 10
Configure the destination switch (Switch C)
# Create remote destination mirroring group 1.
<Sysname> system-view
[Sysname] mirroring-group 1 remote-destination
# Configure VLAN 10 as the remote-probe VLAN.
[Sysname] vlan 10
[Sysname-vlan10] remote-probe vlan enable
[Sysname-vlan10] quit
# Configure the destination port and remote-probe VLAN for the remote destination mirroring group.
Table of Contents
1 XRN Fabric Configuration 1-1
Introduction to XRN 1-1
Establishment of an XRN Fabric 1-1
How XRN Works 1-4
XRN Fabric Configuration 1-4
XRN Fabric Configuration Task List 1-4
Specifying the Fabric Port of a Switch 1-5
Specifying the VLAN Used to Form an XRN Fabric 1-6
Setting a Unit ID for a Switch 1-7
Assigning a Unit Name to a Switch 1-8
Assigning an XRN Fabric Name to a Switch 1-8...
XRN Fabric Configuration Example
Introduction to XRN
Expandable Resilient Networking (XRN), a feature particular to 3Com Switch 4500 series switches, is a new technology for building the core of a network. This feature allows you to build an XRN fabric by interconnecting several Switch 4500 series switches to provide more ports for network devices and improve the reliability of your network.
Figure 1-2 Port connection mode for Switch 4500 series bus topology XRN fabric
The number of existing devices in the fabric has not reached the maximum number of devices allowed by the fabric (up to eight devices can form a fabric).
The fabric name of the device and of the existing devices in the fabric are the same.
The software version of the device is the same as that of the existing devices in the fabric.
Status | Analysis | Solution
... | ... of the fabric are not the same, or the password configured does not match. | Configure ... for the local device and the fabric as the same.
How XRN Works
When a fabric is established, the devices determine their respective roles in the fabric by comparing their CPU MAC addresses.
Task | Remarks
... Fabric |
Setting a Unit ID for a Switch | Optional
Assigning a Unit Name to a Switch | Optional
Assigning an XRN Fabric Name to a Switch | Optional
Setting the XRN Fabric Authentication Mode | Optional
Specifying the Fabric Port of a Switch
You can specify the fabric port of a switch in either system view or Ethernet interface view.
Establishing an XRN system requires a high consistency of the configuration of each device. Hence, before you enable the fabric port, do not perform any configuration for the port, and do not configure some functions that affect the XRN for other ports or globally. Otherwise, you cannot enable the fabric port.
Setting a Unit ID for a Switch On the switches that support automatic numbering, FTM will automatically number the switches to constitute an XRN fabric by default, so that each switch has a unique unit ID in the fabric. You can use the command in the following table to set unit IDs for switches.
Assign an XRN fabric name to the switch | sysname sysname | By default, the XRN fabric switch name is 4500.
Setting the XRN Fabric Authentication Mode
Only the switches with the same XRN fabric authentication mode can form an XRN fabric.
Follow these steps to set the XRN fabric authentication mode for a switch:...
To do… | Use the command… | Remarks
Enter system view | system-view | —
Set the XRN fabric authentication mode for the switch | xrn-fabric authentication-mode { simple password | md5 key } | Optional. By default, no authentication mode is set on a switch.
When an XRN fabric operates normally, you can regard the whole fabric as a single device and perform configuration on it.
Network Diagram
Figure 1-3 Network diagram for forming an XRN fabric
Configuration Procedure
Configure Switch A.
# Configure fabric ports.
<Sysname> system-view
[Sysname] fabric-port GigabitEthernet1/0/25 enable
# Configure the unit name as Unit 1.
[Sysname] set unit 1 name Unit1
# Configure the fabric name as hello.
# Configure the unit name as Unit 3.
[Sysname] set unit 1 name unit3
# Configure the fabric name as hello.
[Sysname] sysname hello
# Configure the fabric authentication mode as simple and the password as welcome.
[hello] xrn-fabric authentication-mode simple welcome
Configure Switch D.
Table of Contents
1 Cluster 1-1
Cluster Overview 1-1
Introduction to HGMP 1-1
Roles in a Cluster 1-2
How a Cluster Works 1-4
Cluster Configuration Task List 1-9
Configuring the Management Device 1-9
Configuring Member Devices 1-14
Managing a Cluster through the Management Device 1-16
Configuring the Enhanced Cluster Features 1-17
Configuring the Cluster Synchronization Function 1-19
Displaying and Maintaining Cluster Configuration 1-23...
Cluster
When configuring cluster, go to these sections for information you are interested in: Cluster Overview; Cluster Configuration Task List; Displaying and Maintaining Cluster Configuration; Cluster Configuration Examples.
Cluster Overview
Introduction to HGMP
A cluster contains a group of switches. Through cluster management, you can manage multiple geographically dispersed switches in a centralized way.
Figure 1-1 A cluster implementation
HGMP V2 has the following advantages: It eases the configuration and management of multiple switches. You just need to configure a public IP address for the management device instead of for all the devices in the cluster; you can then configure and manage all the member devices through the management device without logging onto them one by one.
Table 1-1 Description on cluster roles
Role: Management device. Configuration: configured with an external IP address... Function: provides an interface for managing all the switches in a cluster; manages member devices through command redirection, that is, forwards commands intended for specific member devices; discovers neighbors, ...
A management device becomes a candidate device only after the cluster is removed. After you create a cluster on a Switch 4500 switch, the switch collects the network topology information periodically and adds the candidate switches it finds to the cluster. The interval for a management device to collect network topology information is determined by the NTDP timer.
packet data. The receiving devices store the information carried in the NDP packet into the NDP table but do not forward the NDP packet. When they receive another NDP packet, if the information carried in the packet is different from the stored one, the corresponding entry in the NDP table is updated, otherwise only the holdtime of the entry is updated.
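The NDP receive rule just described (store, compare, replace only on change, otherwise refresh the holdtime, never forward) is easy to get subtly wrong; the following is an added example, not code from the 3Com guide, that models it as a small neighbour table with aging. The class and function names, the 180-second holdtime default and the sample packets are assumptions and constructed data.

```python
"""Added example, not code from the 3Com guide: a neighbour table that applies the
NDP receive rule described above.  Names (NdpTable, NdpEntry), the 180 s holdtime
default and the sample packets are assumptions / constructed data."""
from dataclasses import dataclass
from typing import Dict, Tuple

DEFAULT_HOLDTIME = 180  # seconds; assumed to match the NDP aging default


@dataclass
class NdpEntry:
    info: dict                   # device information carried in the NDP packet
    expires_at: float            # absolute time at which the holdtime runs out
    content_updates: int = 0     # times the stored information was replaced
    holdtime_refreshes: int = 0  # times only the holdtime was refreshed


class NdpTable:
    """Stores NDP information per (receiving port, neighbour MAC).  NDP packets
    are consumed here and never forwarded, so the table only ever describes
    directly attached neighbours."""

    def __init__(self, holdtime: int = DEFAULT_HOLDTIME):
        self.holdtime = holdtime
        self.entries: Dict[Tuple[str, str], NdpEntry] = {}

    def receive(self, port: str, packet: dict, now: float) -> str:
        """Process one NDP packet received on `port` at time `now`.
        Returns 'added', 'updated' or 'refreshed'."""
        key = (port, packet["device_mac"])
        # The holdtime field is signalling, not neighbour information.
        info = {k: v for k, v in packet.items() if k != "holdtime"}
        holdtime = packet.get("holdtime", self.holdtime)
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = NdpEntry(info, now + holdtime)
            return "added"
        if entry.info != info:
            entry.info = info                # information changed: replace it
            entry.expires_at = now + holdtime
            entry.content_updates += 1
            return "updated"
        entry.expires_at = now + holdtime    # unchanged: only refresh holdtime
        entry.holdtime_refreshes += 1
        return "refreshed"

    def age(self, now: float) -> int:
        """Remove entries whose holdtime has expired; returns how many."""
        expired = [k for k, e in self.entries.items() if e.expires_at <= now]
        for k in expired:
            del self.entries[k]
        return len(expired)


def run_demo() -> dict:
    """Constructed sequence of NDP packets arriving on port Ethernet1/0/1."""
    table = NdpTable()
    pkt = {"device_mac": "0001-2034-a0e5", "device_name": "member-1",
           "software_version": "3.10", "holdtime": 180}
    results = [table.receive("Ethernet1/0/1", pkt, now=0)]
    results.append(table.receive("Ethernet1/0/1", dict(pkt), now=60))  # identical content
    changed = dict(pkt, software_version="3.11")                       # content differs
    results.append(table.receive("Ethernet1/0/1", changed, now=120))
    aged_early = table.age(now=200)  # holdtime refreshed at t=120, entry still valid
    aged_late = table.age(now=301)   # 120 + 180 = 300 < 301: entry aged out
    return {"results": results, "aged_early": aged_early,
            "aged_late": aged_late, "remaining": len(table.entries)}
```

Running `run_demo()` shows the three outcomes in order (added, refreshed, updated) and that an entry only disappears once its most recently refreshed holdtime has elapsed.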
To implement NTDP, you need to enable NTDP both globally and on specific ports on the management device, and configure NTDP parameters. On member/candidate devices, you only need to enable NTDP globally and on specific ports. Member and candidate devices adopt the NTDP settings of the management device. Introduction to Cluster A cluster must have one and only one management device.
Figure 1-3 State machine of the connection between the management device and a member device (states: Active, Connect, Disconnect; transition labels: fails to receive handshake packets in three consecutive intervals; receives the handshake or management packets; holdtime exceeds the specified value; Disconnect state is recovered)
After a cluster is created and a candidate device is added to the cluster as a member device, both...
Enabling the management packets (including NDP packets, NTDP packets, and handshake packets) to be transmitted in the management VLAN only, through which the management packets are isolated from other packets and network security is improved. Enabling the management device and the member devices to communicate with each other in the management VLAN.
downstream switch compares its own MAC address with the destination MAC address carried in the multicast packet: If the two MAC addresses are the same, the downstream switch sends a response to the switch sending the tracemac command, indicating the success of the tracemac command. If the two MAC addresses are different, the downstream switch will query the port connected with its downstream switch based on the MAC address and VLAN ID, and then forward the packet to its downstream switch.
To reduce the risk of attacks by malicious users against an open socket and to enhance switch security, the Switch 4500 series Ethernet switches provide the following functions, so that the cluster socket is open only when it is needed:
Opening UDP port 40000 (used for cluster) only when the cluster function is enabled;
Closing UDP port 40000 at the same time the cluster function is disabled.
Configuring NDP-related parameters
Follow these steps to configure NDP-related parameters:
To do… Use the command… Remarks
Enter system view: system-view. Remarks: —
Configure the holdtime of NDP information: ndp timer aging aging-in-seconds. Remarks: Optional. By default, the holdtime of NDP information is 180 seconds.
Configure the interval to send ... Remarks: Optional. By default, the interval to send...
To do… Use the command… Remarks
Launch topology information collection manually: ntdp explore. Remarks: Optional
Enabling the cluster function
Follow these steps to enable the cluster function:
To do… Use the command… Remarks
Enter system view: system-view. Remarks: —
Enable the cluster function globally: cluster enable. Remarks: Required. By default, the cluster function...
Establish a cluster in automatic mode
Follow these steps to establish a cluster in automatic mode:
To do… Use the command… Remarks
Enter system view: system-view. Remarks: —
Enter cluster view: cluster. Remarks: —
Configure the IP address range for the cluster: ip-pool administrator-ip-address { ip-mask | ip-mask-length }. Remarks: Required
Required...
The cluster switches are properly connected;
The shared servers are properly connected to the management switch.
Configuration procedure
Follow these steps to configure the network management interface for a cluster:
To do… Use the command… Remarks
Enter system view: system-view. Remarks: —
Enter cluster view: cluster. Remarks: Required...
To do… Use the command… Remarks
Enter Ethernet port view: interface interface-type interface-number. Remarks: —
Enable NTDP on the port: ntdp enable. Remarks: Required
Enabling the cluster function
Follow these steps to enable the cluster function:
To do… Use the command… Remarks
Enter system view: system-view. Remarks: —...
To do… Use the command… Remarks
Return to system view: quit. Remarks: —
Return to user view: quit. Remarks: —
Switch between management device and member device: cluster switch-to { member-number | mac-address H-H-H | administrator }. Remarks: Optional. You can use this command to switch to the view of a member device and switch back.
Configuring the enhanced cluster features
Complete the following tasks to configure the enhanced cluster feature:
Task Remarks
Configuring cluster topology management function: Required
Configuring cluster device blacklist: Required
Configuring cluster topology management function
Configuration prerequisites
Before configuring the cluster topology management function, make sure that: The basic cluster configuration is completed.
If the management device of a cluster is a slave device in an XRN fabric, the standard topology information is saved only to the local Flash of the master device in the XRN fabric.
Configuring cluster device blacklist
Follow these steps to configure the cluster device blacklist on a management device:
To do…...
NDP and NTDP have been enabled on the management device and member devices, and NDP- and NTDP-related parameters have been configured. A cluster is established, and you can manage the member devices through the management device. Configuration procedure Perform the following operations on the management device to synchronize SNMP configurations: To do…...
The MIB view name is mib_a, which includes all objects of the subtree org. The SNMPv3 user is user_a, which belongs to the group group_a.
# Create a community with the name of read_a, allowing read-only access right using this community name.
snmp-agent community read read_a@cm0
snmp-agent community write write_a@cm0
snmp-agent sys-info version all
snmp-agent group v3 group_a
snmp-agent mib-view included mib_a org
snmp-agent usm-user v3 user_a group_a
undo snmp-agent trap enable standard
Configuration file content on a member device (only the SNMP-related information is displayed)
<test_2.Sysname>...
Perform the above operations on the management device of the cluster. Creating a public local user is equivalent to executing these configurations on both the management device and the member devices (refer to the AAA Operation part in this manual), and these configurations are saved to the configuration files of the management device and the member devices.
A Switch 4500 series switch serves as the management device. The rest are member devices. Serving as the management device, the Switch 4500 switch manages the two member devices. The configuration for the cluster is as follows: The two member devices connect to the management device through Ethernet 1/0/2 and Ethernet 1/0/3.
[Sysname] ntdp enable
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] ntdp enable
[Sysname-Ethernet1/0/1] quit
# Enable the cluster function.
[Sysname] cluster enable
Configure the management device
# Add port Ethernet 1/0/1 to VLAN 2.
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] port Ethernet 1/0/1
[Sysname-vlan2] quit
# Configure the IP address of VLAN-interface 2 as 163.172.55.1.
# Set the delay for a member device to forward topology collection requests to 150 ms.
[Sysname] ntdp timer hop-delay 150
# Set the delay for a member device port to forward topology collection requests to 15 ms.
[Sysname] ntdp timer port-delay 15
# Set the interval between collecting topology information to 3 minutes.
After completing the above configuration, you can execute the cluster switch-to { member-number | mac-address H-H-H } command on the management device to switch to member device view to maintain and manage a member device. After that, you can execute the cluster switch-to administrator command to return to management device view.
<Sysname> system-view
[Sysname] management-vlan 3
# Add Ethernet 1/0/1 to VLAN 3.
[Sysname] vlan 3
[Sysname-vlan3] port Ethernet 1/0/1
[Sysname-vlan3] quit
# Set the IP address of VLAN-interface 3 to 192.168.5.30.
[Sysname] interface Vlan-interface 3
[Sysname-Vlan-interface3] ip address 192.168.5.30 255.255.255.0
[Sysname-Vlan-interface3] quit
# Add Ethernet 1/0/2 to VLAN 2.
Network diagram
Figure 1-6 Network diagram for the enhanced cluster feature configuration (FTP server 192.168.0.4; management device 192.168.0.1; member devices, one of them with MAC address 0001-2034-a0e5)
Configuration procedure
# Enter cluster view.
<aaa_0.Sysname> system-view
[aaa_0.Sysname] cluster
# Add the MAC address 0001-2034-a0e5 to the cluster blacklist.
[aaa_0.Sysname-cluster] black-list add-mac 0001-2034-a0e5
# Back up the current topology.
Table of Contents
1 PoE Configuration (1-1)
PoE Overview (1-1)
Introduction to PoE (1-1)
PoE Features Supported by Switch 4500 (1-1)
PoE Configuration (1-2)
PoE Configuration Task List (1-2)
Enabling the PoE Feature on a Port (1-3)
Setting the Maximum Output Power on a Port (1-3)
Setting PoE Management Mode and PoE Priority of a Port (1-3)
...
PoE-capable 4500 switches include: Switch 4500 PWR 26-Port; Switch 4500 PWR 50-Port.
A PoE-capable Switch 4500 has the following features: As the PSE, it supports the IEEE 802.3af standard. It can also supply power to the PDs that do not support the 802.3af standard.
When you use the PoE-capable Switch 4500 to supply power, the PDs need no external power supply. If a remote PD has an external power supply, the PoE-capable Switch 4500 and the external power supply will backup each other for the PD.
The maximum power that can be supplied by each Ethernet electrical port of a PoE-capable Switch 4500 to its PD is 15,400 mW. In practice, you can set the maximum power on a port depending on the actual power of the PD, in the range of 1,000 to 15,400 mW and with a granularity of 100 mW.
Spare mode: DC power is carried over the spare pairs (4, 5, 7, and 8) of category-3/5 twisted pairs. Currently, Switch 4500 does not support the spare mode. After the PoE feature is enabled on the port, perform the following configuration to set the PoE mode on a port.
Configuring the PD Compatibility Detection Function After the PD compatibility detection function is enabled, the switch can detect the PDs that do not conform to the 802.3af standard and supply power to them. After the PoE feature is enabled, perform the following configuration to enable the PD compatibility detection function.
When the internal temperature of the switch decreases from X (X>65°C, or X>149°F) to Y (60°C≤Y<65°C, or 140°F≤Y<149°F), the switch still keeps the PoE function disabled on all the ports. When the internal temperature of the switch increases from X (X<60°C, or X<140°F) to Y (60°C<Y≤65°C, or 140°F<Y≤149°F), the switch still keeps the PoE function enabled on all the ports.
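The two rules above describe a hysteresis band: PoE is cut when the temperature rises past 65°C, restored only once it falls below 60°C, and left alone in between, which stops the ports flapping when the temperature hovers near the limit. The following is an added example, not code from the 3Com guide, that models that rule as a small state machine next to a naive single-threshold variant so the difference in flapping is visible. The class and function names and the temperature trace are constructed; the exact behaviour at precisely 60°C and 65°C is an assumption.

```python
"""Added example, not from the 3Com guide: the PoE thermal protection rule
modelled as a hysteresis state machine, with a single-threshold variant for
contrast.  Names and the temperature trace are constructed; behaviour at the
two exact boundary values is an assumption."""

DISABLE_ABOVE_C = 65.0  # PoE disabled on all ports once the temperature exceeds this
ENABLE_BELOW_C = 60.0   # PoE re-enabled only once the temperature drops below this


class PoeThermalGuard:
    """Tracks whether PoE is enabled according to the hysteresis described
    above: inside the band 60..65 C the previous state is kept."""

    def __init__(self, poe_enabled: bool = True):
        self.poe_enabled = poe_enabled
        self.transitions = []  # (temperature, new_state) for every state flip

    def update(self, temp_c: float) -> bool:
        previous = self.poe_enabled
        if temp_c > DISABLE_ABOVE_C:
            self.poe_enabled = False
        elif temp_c < ENABLE_BELOW_C:
            self.poe_enabled = True
        # otherwise: inside the hysteresis band, keep the current state
        if self.poe_enabled != previous:
            self.transitions.append((temp_c, self.poe_enabled))
        return self.poe_enabled


def run_hysteresis(trace):
    """Feed a temperature trace through the guard; returns (states, flips)."""
    guard = PoeThermalGuard()
    states = [guard.update(t) for t in trace]
    return states, len(guard.transitions)


def run_single_threshold(trace, threshold_c: float = DISABLE_ABOVE_C):
    """Naive variant with one threshold: flips on every crossing."""
    states, flips, prev = [], 0, True
    for t in trace:
        state = not (t > threshold_c)
        if state != prev:
            flips += 1
        prev = state
        states.append(state)
    return states, flips


# Constructed trace: rises past 65 C, oscillates around 65 C, then cools below 60 C.
SAMPLE_TRACE = [50.0, 62.0, 66.0, 64.0, 65.5, 64.5, 61.0, 59.0, 63.0]
```

On `SAMPLE_TRACE` the hysteresis guard changes state twice (off at 66°C, back on at 59°C), while the single-threshold variant toggles four times as the temperature crosses 65°C repeatedly; the transition list is the event a syslog or SNMP trap would report.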
PoE Configuration Example Network requirements Switch A is a Switch 4500 supporting PoE, Switch B can be PoE powered. The Ethernet 1/0/1 and Ethernet 1/0/2 ports of Switch A are connected to Switch B and an AP respectively; the Ethernet 1/0/8 port is intended to be connected with an important AP.
Network diagram
Figure 1-1 Network diagram for PoE
Configuration procedure
# Upgrade the PSE processing software online.
<SwitchA> system-view
[SwitchA] poe update refresh 0290_021.s19
# Enable the PoE feature on Ethernet 1/0/1, and set the PoE maximum output power of Ethernet 1/0/1 to 12,000 mW.
On a large-sized network or a network with mobile users, to help network administrators to monitor the PoE features of the switch, Switch 4500 provides the PoE profile features. A PoE profile is a set of PoE configurations, including multiple PoE features.
PoE profile can be applied successfully while some cannot. PoE profiles are applied to Switch 4500 according to the following rules: When the apply poe-profile command is used to apply a PoE profile to a port, the PoE profile is applied successfully only if one PoE feature in the PoE profile is applied properly.
PoE Profile Configuration Example PoE Profile Application Example Network requirements Switch A is a Switch 4500 supporting PoE. Ethernet 1/0/1 through Ethernet 1/0/10 of Switch A are used by users of group A, who have the following requirements: The PoE function can be enabled on all ports in use.
Network diagram
Figure 2-1 PoE profile application (Switch A connects to the network; IP phones are attached to Eth1/0/1 through Eth1/0/5 and to Eth1/0/6 through Eth1/0/10)
Configuration procedure
# Create Profile 1, and enter PoE profile view.
<SwitchA> system-view
[SwitchA] poe-profile Profile1
# In Profile 1, add the PoE policy configuration applicable to Ethernet 1/0/1 through Ethernet 1/0/5 ports for users of group A.
[SwitchA-poe-profile-Profile2] poe mode signal
[SwitchA-poe-profile-Profile2] poe priority high
[SwitchA-poe-profile-Profile2] poe max-power 15400
[SwitchA-poe-profile-Profile2] quit
# Display detailed configuration information for Profile2.
[SwitchA] display poe-profile name Profile2
Poe-profile: Profile2, 2 action
poe enable
poe priority high
# Apply the configured Profile 1 to Ethernet 1/0/1 through Ethernet 1/0/5 ports.
[SwitchA] apply poe-profile Profile1 interface Ethernet1/0/1 to Ethernet1/0/5
# Apply the configured Profile 2 to Ethernet 1/0/6 through Ethernet 1/0/10 ports.
Table of Contents
1 UDP Helper Configuration (1-1)
Introduction to UDP Helper (1-1)
Configuring UDP Helper (1-2)
Displaying and Maintaining UDP Helper (1-2)
UDP Helper Configuration Example (1-3)
Cross-Network Computer Search Through UDP Helper (1-3)
...
UDP Helper Configuration When configuring UDP helper, go to these sections for information you are interested in: Introduction to UDP Helper Configuring UDP Helper Displaying and Maintaining UDP Helper UDP Helper Configuration Example Introduction to UDP Helper Sometimes, a host needs to forward broadcasts to obtain network configuration information or request the names of other devices on the network.
Protocol / UDP port number: Time Service ...
Configuring UDP Helper
Follow these steps to configure UDP Helper:
To do… Use the command… Remarks
Enter system view: system-view. Remarks: —
Enable UDP Helper: udp-helper enable. Remarks: Required. Disabled by default.
Specify a UDP port number: udp-helper port { port-number ... Remarks: Optional. By default, the device enabled with UDP Helper forwards the...
To do… Use the command… Remarks
Clear statistics about packets forwarded by UDP Helper: reset udp-helper packet. Remarks: Available in user view
UDP Helper Configuration Example
Cross-Network Computer Search Through UDP Helper
Network requirements
PC A resides on network segment 192.168.1.0/24 and PC B on 192.168.10.0/24; they are connected through Switch A and are routable to each other.
SNMP Configuration When configuring SNMP, go to these sections for information you are interested in: SNMP Overview Configuring Basic SNMP Functions Configuring Trap-Related Functions Enabling Logging for Network Management Displaying SNMP SNMP Configuration Example SNMP Overview The Simple Network Management Protocol (SNMP) is used for ensuring the transmission of the management information between any two network nodes.
Set system information, and specify to enable SNMPv1 or SNMPv2c on the switch: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | ... Remarks: By default, the contact information for system maintenance is "3Com Corporation.", the system location is "...
Set system information and specify to enable SNMPv3 on the switch: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } }. Remarks: By default, the contact information for system maintenance is "3Com Corporation.", the system location is "...
ViewDefault and OID is 1. mask-value ]
A Switch 4500 provides the following functions to prevent attacks through unused UDP ports. Executing the snmp-agent command or any of the commands used to configure the SNMP agent enables the SNMP agent and, at the same time, opens UDP port 161 used by SNMP agents and the UDP port used by SNMP traps respectively.
To do… Use the command… Remarks
Enable the switch to send traps to NMS: snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system ]
Enter port view or interface view: interface interface-type interface-number. Remarks: Optional...
To do… Use the command… Remarks
Enable logging for network management: snmp-agent log { set-operation | get-operation | all }. Remarks: Optional. Disabled by default.
When SNMP logging is enabled on a device, SNMP logs are output to the information center of the device.
Perform the following configuration on Switch A: set the community name and access permission, administrator ID, contact and switch location, and enable the switch to send traps. The NMS is then able to access Switch A and receive the traps sent by Switch A.
Network diagram
Figure 1-2 Network diagram for SNMP configuration (Switch A...)
Authentication-related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully. For more information, refer to the corresponding manuals of 3Com’s NMS products. You can query and configure an Ethernet switch through the NMS.
RMON MIB): alarm group, event group, history group, and statistics group. A Switch 4500 implements RMON in the second way. With an embedded RMON agent, a Switch 4500 can serve as a network device with the RMON probe function. Through the RMON-capable SNMP...
statistics and performance statistics of the network segments to which the ports of the managed network devices are connected. Thus, the NMS can further manage the networks. Commonly Used RMON Groups Event group Event group is used to define the indexes of events and the processing methods of the events. The events defined in an event group are mainly used by entries in the alarm group and extended alarm group to trigger alarms.
Statistics group Statistics group contains the statistics of each monitored port on a switch. An entry in a statistics group is an accumulated value counting from the time when the statistics group is created. The statistics include the number of the following items: collisions, packets with Cyclic Redundancy Check (CRC) errors, undersize (or oversize) packets, broadcast packets, multicast packets, and received bytes and packets.
The rmon alarm and rmon prialarm commands take effect on existing nodes only. For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry is already created for a given port, you will fail to create another statistics entry with a different index for the same port.
[Sysname-Ethernet1/0/1] quit
# Add the event entries numbered 1 and 2 to the event table, which will be triggered by the following extended alarm.
[Sysname] rmon event 1 log
[Sysname] rmon event 2 trap 10.21.30.55
# Add an entry numbered 2 to the extended alarm table to allow the system to calculate the alarm variable with the formula (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1), which gives the number of all oversize and undersize packets received by Ethernet 1/0/1 that are in correct data format, and to sample it every 10 seconds.
Table of Contents
1 NTP Configuration (1-1)
Introduction to NTP (1-1)
Applications of NTP (1-1)
Implementation Principle of NTP (1-2)
NTP Implementation Modes (1-3)
NTP Configuration Task List (1-6)
Configuring NTP Implementation Modes (1-6)
Configuring NTP Server/Client Mode (1-7)
Configuring the NTP Symmetric Peer Mode (1-7)
Configuring NTP Broadcast Mode (1-8)
Configuring NTP Multicast Mode (1-9)
Configuring Access Control Right (1-10)
...
NTP Configuration When configuring NTP, go to these sections for information you are interested in: Introduction to NTP NTP Configuration Task List Configuring NTP Implementation Modes Configuring Access Control Right Configuring NTP Authentication Configuring Optional NTP Parameters Displaying NTP Configuration Configuration Examples Introduction to NTP Network Time Protocol (NTP) is a time synchronization protocol defined in RFC 1305.
Defining the accuracy of clocks by stratum to synchronize the clocks of all devices in a network quickly Supporting access control (see section Configuring Access Control Right) and MD5 encrypted authentication (see section Configuring NTP Authentication) Sending protocol packets in unicast, multicast, or broadcast mode The clock stratum determines the accuracy, which ranges from 1 to 16.
Figure 1-1 Implementation principle of NTP (NTP messages exchanged between Device A and Device B across an IP network, carrying the timestamps 10:00:00 am, 11:00:01 am and 11:00:02 am, with the final message received at 10:00:03 am)...
Server/client mode
Figure 1-2 Server/client mode
Symmetric peer mode
Figure 1-3 Symmetric peer mode (active peer and passive peer exchange a clock synchronization request packet and a response packet across the network; the passive peer works in passive peer mode automatically; in peer mode, both sides can be synchronized to each other)
In the symmetric peer mode, the local S4500 Ethernet switch serves as the symmetric-active peer and...
Multicast mode Figure 1-5 Multicast mode Table 1-1 describes how the above mentioned NTP modes are implemented on 3Com S4500 series Ethernet switches. Table 1-1 NTP implementation modes on 3Com S4500 series Ethernet switches NTP implementation mode Configuration on S4500 series switches Configure the local S4500 Ethernet switch to work in the NTP client mode.
When a 3Com S4500 Ethernet switch works in server mode or symmetric passive mode, you need not perform related configurations on this switch; perform them on the client or the symmetric-active peer instead. The NTP server mode, NTP broadcast mode, or NTP multicast mode takes effect only after the local clock of the 3Com S4500 Ethernet switch has been synchronized.
Execution of one of the ntp-service unicast-server, ntp-service unicast-peer, ntp-service broadcast-client, ntp-service broadcast-server, ntp-service multicast-client, and ntp-service multicast-server commands enables the NTP feature and opens UDP port 123 at the same time. Execution of the undo form of one of the above six commands disables all implementation modes of the NTP feature and closes UDP port 123 at the same time.
To do… Use the command… Remarks
Specify a symmetric-passive peer for the switch: ntp-service unicast-peer { remote-ip | peer-name } [ authentication-keyid key-id | priority | source-interface Vlan-interface vlan-id | version number ]*. Remarks: Required. By default, a switch is not configured to work in the symmetric mode.
To do… Use the command… Remarks
Enter VLAN interface view: interface Vlan-interface vlan-id. Remarks: —
Configure the switch to work in the NTP broadcast server mode: ntp-service broadcast-server [ authentication-keyid key-id | version number ]*. Remarks: Required. Not configured by default.
Configuring a switch to work in the NTP broadcast client mode
Follow these steps to configure a switch to work in the NTP broadcast client mode:
To do…...
To do… Use the command… Remarks
Enter system view: system-view. Remarks: —
Enter VLAN interface view: interface Vlan-interface vlan-id. Remarks: —
Configure the switch to work in the NTP multicast client mode: ntp-service multicast-client [ ip-address ]. Remarks: Required. Not configured by default.
Configuring Access Control Right
With the following command, you can configure the NTP service access-control right to the local switch for a peer device.
The access-control right mechanism provides only a minimum degree of security protection for the local switch. A more secure method is identity authentication. Configuring NTP Authentication In networks with higher security requirements, the NTP authentication function must be enabled to run NTP.
Configuration Procedure
Configuring NTP authentication on the client
Follow these steps to configure NTP authentication on the client:
To do… Use the command… Remarks
Enter system view: system-view. Remarks: —
Enable the NTP authentication function: ntp-service authentication enable. Remarks: Required. Disabled by default.
Required ntp-service...
To do… Use the command… Remarks
Configure the specified key as a reliable trusted key: ntp-service reliable authentication-keyid key-id. Remarks: Required. By default, no trusted authentication key is configured.
Enter VLAN interface view: interface Vlan-interface vlan-id. Remarks: —
Configure on the NTP broadcast ...: ntp-service broadcast-server ... Remarks: In NTP broadcast server mode and NTP multicast ...
If you have specified an interface in the ntp-service unicast-server or ntp-service unicast-peer command, this interface will be used for sending NTP messages. Configuring the Number of Dynamic Sessions Allowed on the Local Switch A single device can have a maximum of 128 associations at the same time, including static associations and dynamic associations.
To do… Use the command… Remarks
Display the information about the sessions maintained by NTP: display ntp-service sessions [ verbose ]
Display the brief information about NTP servers along the path from the local device to the reference clock source: display ntp-service trace
Configuration Examples
Configuring NTP Server/Client Mode...
[DeviceB] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 1.0.1.11
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.66 ms
Root delay: 27.47 ms
Root dispersion: 208.39 ms
Peer dispersion: 9.63 ms
Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C)
The above output information indicates that Device B is synchronized to Device A, and the stratum level of its clock is 3, one level lower than that of Device A.
Configuration procedure
Configure Device C.
# Set Device A as the NTP server.
<DeviceC> system-view
[DeviceC] ntp-service unicast-server 3.0.1.31
Configure Device B (after Device C is synchronized to Device A).
# Enter system view.
<DeviceB> system-view
# Set Device C as the peer of Device B.
[DeviceB] ntp-service unicast-peer 3.0.1.33
Device C and Device B are symmetric peers after the above configuration.
Configuring NTP Broadcast Mode Network requirements The local clock of Device C is set as the NTP master clock, with a stratum level of 2. Configure Device C to work in the NTP broadcast server mode and send NTP broadcast messages through VLAN-interface 2.
View the NTP status of Device D after the clock synchronization.
[DeviceD] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 3.0.1.31
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 198.7425 ms
Root delay: 27.47 ms
Root dispersion: 208.39 ms
Peer dispersion: 9.63 ms...
Network diagram
Figure 1-9 Network diagram for NTP multicast mode configuration
Configuration procedure
Configure Device C.
# Enter system view.
<DeviceC> system-view
# Set Device C as a multicast server to send multicast messages through VLAN-interface 2.
[DeviceC] interface Vlan-interface 2
[DeviceC-Vlan-interface2] ntp-service multicast-server
Configure Device A (perform the same configuration on Device D).
Root dispersion: 208.39 ms
Peer dispersion: 9.63 ms
Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C)
The output information indicates that Device D is synchronized to Device C, with a clock stratum level of 3, one stratum level lower than that of Device C.
# View the information about the NTP sessions of Device D (you can see that a connection is established between Device D and Device C).
To synchronize Device B, you need to perform the following configurations on Device A.
# Enable the NTP authentication function.
<DeviceA> system-view
[DeviceA] ntp-service authentication enable
# Configure an MD5 authentication key, with the key ID being 42 and the key being aNiceKey.
[DeviceA] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
# Specify the key 42 as a trusted key.
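The authentication enabled above makes each NTP packet carry a keyed-MD5 message authentication code, and the receiving device accepts a packet only if the key ID is known and trusted and the digest checks out. The following is an added example, not 3Com code; it assumes the standard RFC 1305/5905 MAC layout (48-byte header, then a 4-byte key ID and the 16-byte MD5 digest of key || header) and uses the page's key ID 42 / aNiceKey as a constructed key table.

```python
"""Keyed-MD5 authentication of NTP packets. Added example, not 3Com code.
Assumption: the switch follows the standard RFC 1305/5905 MAC layout, where
the 48-byte NTP header is followed by a 4-byte key ID and the 16-byte MD5
digest of (key || header). The key table mirrors the page's configuration."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16  # key ID + MD5 digest

# Constructed key table: key ID 42 -> "aNiceKey", as configured on Device A.
KEYS = {42: b"aNiceKey"}
# Trusted key IDs are tracked separately: a key that is configured but not
# declared trusted cannot authenticate a peer (the "trusted key" step above).
TRUSTED = {42}


def build_header(stratum: int = 2, mode: int = 4) -> bytes:
    """Minimal NTPv4 header: LI=0, VN=4, given mode, poll=10, precision=-18,
    remaining fields zero. Constructed sample input."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    fixed = struct.pack("!BBbb", li_vn_mode, stratum, 10, -18)
    return fixed + bytes(NTP_HEADER_LEN - len(fixed))


def sign(header: bytes, key_id: int, keys=KEYS) -> bytes:
    """Append key ID and MD5(key || header), as an authenticating server does."""
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, keys=KEYS, trusted=TRUSTED):
    """Return (ok, reason); these are the checks the receiving device performs."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "no MAC present or wrong length"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = packet[NTP_HEADER_LEN + 4:]
    if key_id not in keys:
        return False, "unknown key ID %d" % key_id
    if key_id not in trusted:
        return False, "key ID %d not trusted" % key_id
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch"
    return True, "authenticated with key %d" % key_id
```

Changing any header field of a signed packet (for example the stratum byte) invalidates the digest, which is what prevents an unauthenticated host from posing as the master clock.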
Table of Contents
1 SSH Configuration ···· 1-1
 SSH Overview ···· 1-1
  Introduction to SSH ···· 1-1
  Algorithm and Key ···· 1-1
  SSH Operating Process ···· 1-2
 SSH Server and Client ···· 1-4
 Configuring the SSH Server ···· 1-5
  Configuring the User Interfaces for SSH Clients ···· 1-6
  Configuring the SSH Management Functions ···· 1-7
  Configuring Key Pairs ···· 1-8
  Creating an SSH User and Specifying an Authentication Type ···· 1-9
  Specifying a Service Type for an SSH User on the Server ···· 1-10
...
SSH Configuration
When configuring SSH, go to these sections for the information you are interested in:
SSH Overview
SSH Server and Client
Displaying and Maintaining SSH Configuration
Comparison of SSH Commands with the Same Functions
SSH Configuration Examples
SSH Overview
Introduction to SSH
Secure Shell (SSH) is a protocol that provides secure remote login and other security services in insecure network environments, allowing secure access to the Command Line Interface (CLI) of a switch for configuration and management.
The same key is used for both encryption and decryption. Supported symmetric key algorithms include DES, 3DES, and AES, which can effectively prevent data eavesdropping.
Asymmetric key algorithm
An asymmetric key algorithm is also called a public key algorithm. Both ends have their own key pair, consisting of a private key and a public key.
Currently, the switch supports only SSH2.
Version negotiation
The server opens port 22 to listen for connection requests from clients. The client sends a TCP connection request to the server. After the TCP connection is established, the server sends the first packet to the client, which includes a version identification string in the format “SSH-<primary protocol...
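As an added example (not code from the 3Com manual), the following parser reads a peer's version identification string and applies the rule stated above, that the switch speaks SSH2 only. The exact line format, the 255-byte limit and the meaning of the "1.99" compatibility marker are taken from RFC 4253, not from this page.

```python
"""Parser for the SSH version identification string exchanged during version
negotiation. Added example, not 3Com code. Line format
'SSH-protoversion-softwareversion [SP comments] CR LF', the 255-byte limit and
the '1.99' compatibility marker come from RFC 4253 (assumption, not the page)."""
import re

_ID_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def parse_identification(line: bytes):
    """Return (protoversion, softwareversion, comments) or raise ValueError."""
    if len(line) > 255:
        raise ValueError("identification line longer than 255 bytes")
    text = line.decode("ascii")  # UnicodeDecodeError (a ValueError) on junk
    if not text.endswith("\r\n"):
        raise ValueError("identification line must end with CR LF")
    m = _ID_RE.match(text[:-2])
    if m is None:
        raise ValueError("malformed identification string")
    return m.group("proto"), m.group("software"), m.group("comments")


def server_accepts(line: bytes) -> bool:
    """Apply the page's rule: the switch supports SSH2 only. '2.0' is accepted;
    '1.99' is the RFC 4253 marker for a peer able to speak both 1.x and 2.0,
    with which a 2.0-only server can proceed. Anything else is refused."""
    try:
        proto, _, _ = parse_identification(line)
    except ValueError:
        return False
    return proto in ("2.0", "1.99")
```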
The server starts to authenticate the user. If authentication fails, the server sends an authentication failure message to the client, which contains the list of methods available for a new authentication attempt. The client selects an authentication type from the method list and authenticates again. The above process repeats until authentication succeeds, or until the connection is torn down when the number of authentication attempts reaches the upper limit.
The 3Com switch acts as the SSH server to cooperate with software that supports the SSH client functions.
The 3Com switch acts as the SSH server to cooperate with another 3Com switch that acts as an SSH client.
Complete the following tasks to configure the SSH server and clients:...
Task / Remarks
Preparation: Configuring the User Interfaces for SSH Clients: Required
Preparation: Configuring the SSH Management Functions: Optional
Configuring Key Pairs: Required
Authentication: Creating an SSH User and Specifying an Authentication Type: Required
Authorization: Specifying a Service Type for an SSH User: Optional. By default, an SSH user can use the...
To do… / Use the command… / Remarks
Specify supported protocol(s)
 Command: protocol inbound { all | ssh }
 Remarks: Optional. By default, both Telnet and SSH are supported.
If you have configured a user interface to support the SSH protocol, you must configure AAA authentication for the user interface by using the authentication-mode scheme command to ensure successful login.
You can configure a login header only when the service type is stelnet. For configuration of service types, refer to Specifying a Service Type for an SSH User. For details of the header command, refer to the corresponding section in Login Command.
Configuring Key Pairs
The SSH server’s key pairs are used for generating session keys and for SSH clients to authenticate the server.
To do… / Use the command… / Remarks
Destroy the RSA key pair
 Command: public-key local destroy rsa
 Remarks: Optional
Creating an SSH User and Specifying an Authentication Type
This task is to create an SSH user and specify an authentication type. Specifying an authentication type for a new user is required before the user can log in.
To do… / Use the command… / Remarks
Create an SSH user, and specify an authentication type for it
 Command: ssh user username authentication-type { all | password | password-publickey | publickey }
 Remarks: … are used and different authentication types are specified, the authentication type specified with the ssh user authentication-type...
If the ssh user service-type command is executed with a username that does not exist, the system automatically creates the SSH user. However, the user cannot log in unless you specify an authentication type for it.
Configuring the Public Key of a Client on the Server
This configuration is not necessary if the password authentication mode is configured for SSH users.
To do… / Use the command… / Remarks
Enter system view
 Command: system-view
Import the public key from a public key file
 Command: public-key peer keyname import sshkey filename
 Remarks: Required
Assigning a Public Key to an SSH User
This configuration task is unnecessary if the SSH user’s authentication mode is password. For the publickey authentication mode, you must specify the client’s public key on the server for authentication.
With the filename argument specified, you can export the RSA host public key to a file so that you can configure the key at a remote end by importing the file. If the filename argument is not specified, this command displays the host public key information on the screen in the specified format.
Configuring the SSH Client
The configurations required on the SSH client depend on the authentication mode that the SSH server uses.
Task / Remarks
Opening an SSH connection with publickey authentication: Required for publickey authentication; unnecessary for password authentication
For PuTTY, it is recommended to use PuTTY release 0.53; PuTTY release 0.58 is also supported. For OpenSSH, it is recommended to use OpenSSH_3.1p1; OpenSSH_4.2p1 is also supported. Other versions and other clients should be used with caution.
Note that while generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar in the blue box shown in Figure 1-4. Otherwise, the progress bar stops moving and the key pair generation process is stopped.
Figure 1-4 Generate the client keys (2)
After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case) to save the public key.
Likewise, to save the private key, click Save private key. A warning window pops up asking whether you want to save the private key without any protection. Click Yes and enter the name of the file for saving the private key (“private” in this case) to save the private key.
Figure 1-6 Generate the client keys (4)
To generate an RSA public key in PKCS format, run SSHKEY.exe, click Browse and select the public key file, and then click Convert.
Figure 1-8 SSH client configuration interface 1
In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client.
Selecting a protocol for remote connection
As shown in Figure...
Figure 1-9 SSH client configuration interface 2
Under Protocol options, select 2 from Preferred SSH protocol version. Some SSH client software, for example the Tectia client software, supports the DES algorithm only when the ssh1 version is selected. The PuTTY client software supports DES algorithm negotiation in SSH2.
Opening an SSH connection with password authentication
From the window shown in Figure...
Figure 1-10 SSH client configuration interface 3
Click Browse… to bring up the file selection window, navigate to the private key file and click Open. If the connection is normal, the user is prompted for a username. Once authentication passes, the user can log in to the server.
Configuring whether first-time authentication is supported
When the device connects to the SSH server as an SSH client, you can configure whether the device supports first-time authentication. With first-time authentication enabled, an SSH client that is not configured with the server host public key can continue accessing the server when it accesses the server for the first time, and it saves the host public key on the client for use in subsequent authentications.
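The first-time authentication setting above is a trust-on-first-use decision: with it enabled, the client trusts whatever host key it sees on the first connection and saves it; with it disabled, the client must already hold the server's public key. The following added example (not 3Com code) models such a client-side host key store; the server address, the key blobs and the SHA-256 fingerprint format are constructed assumptions.

```python
"""Client-side host key check modelling the first-time authentication
option described above. Added example, not 3Com code. The server address,
key blobs and fingerprint format are constructed assumptions."""
import base64
import hashlib
import hmac


def fingerprint(key_blob: bytes) -> str:
    """SHA-256 over the raw host key blob, base64 without padding."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyStore:
    def __init__(self, first_time_auth: bool):
        self.first_time_auth = first_time_auth
        self.saved = {}  # server address -> fingerprint saved on the client

    def pin(self, server: str, key_blob: bytes) -> None:
        """Pre-configure the server's key. This is how a client without
        first-time authentication learns it (the imported key file on the page)."""
        self.saved[server] = fingerprint(key_blob)

    def check(self, server: str, presented: bytes) -> str:
        """Decide whether to proceed with the key the server presented."""
        fp = fingerprint(presented)
        known = self.saved.get(server)
        if known is None:
            if self.first_time_auth:
                self.saved[server] = fp  # kept for subsequent authentications
                return "accepted-first-time"
            return "rejected-unknown-server"
        if hmac.compare_digest(known, fp):
            return "accepted-known-key"
        # A pinned key is never replaced automatically: a changed key is the
        # signal of a re-keyed server or of an interposed host, and needs an
        # administrator decision either way.
        return "rejected-key-changed"


# Constructed sample key blobs (not real SSH keys).
KEY_SWITCH_B = b"ssh-rsa constructed-blob-for-switch-b"
KEY_OTHER = b"ssh-rsa constructed-blob-from-someone-else"
```

With first-time authentication enabled the first check cannot detect an interposed host; only a later key change is caught, which is why the page's alternative of importing the server key file in advance is the stronger configuration.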
Follow these steps to specify a source IP address/interface for the SSH client:
To do… / Use the command… / Remarks
Enter system view
 Command: system-view
Specify a source IP address for the SSH client
 Command: ssh2 source-ip ip-address
 Remarks: Optional. By default, … source address is configured.
Specify a source interface for the SSH client
 Command: ssh2...
 Remarks: Optional
To do… / Use the command… / Remarks
Display information about all SSH users
 Command: display user-information [ username ]
Display the current source IP address or the IP address of the source interface specified for the SSH server
 Command: display ssh-server source-ip
Display the mappings between host public keys and SSH servers saved on a client
 Command: display ssh server-info...
The output of the display rsa local-key-pair public command, and the public key converted with the SSHKEY tool, contain no information such as the authentication type, so they cannot be used directly as parameters in the public-key peer command. For the same reason, the output of the display public-key local rsa public command cannot be used directly in the rsa peer-public-key command.
[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[Switch-ui-vty0-4] protocol inbound ssh
[Switch-ui-vty0-4] quit
# Create local client client001, and set the authentication password to abc, protocol type to SSH, and command privilege level to 3 for the client.
[Switch] local-user client001
[Switch-luser-client001] password simple abc
[Switch-luser-client001] service-type ssh level 3...
Figure 1-13 SSH client configuration interface (2)
Under Protocol options, select 2 from Preferred SSH protocol version. As shown in Figure 1-13, click Open. If the connection is normal, you will be prompted to enter the user name client001 and password abc. Once authentication succeeds, you will log in to the server.
Network diagram
Figure 1-14 Switch acts as server for password and RADIUS authentication
Configuration procedure
Configure the RADIUS server
This document takes CAMS Version 2.10 as an example to show the basic RADIUS server configurations required.
# Add an access device.
Log in to the CAMS management platform and select System Management >...
Figure 1-15 Add an access device
# Add a user account for device management.
From the navigation tree, select User Management > User for Device Management, and then in the right pane, click Add to enter the Add Account page and perform the following configurations: add a user named hello, and specify the password.
Generating the RSA key pair on the server is a prerequisite for SSH login.
# Generate RSA key pairs.
[Switch] public-key local create rsa
# Set the authentication mode for the user interfaces to AAA.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
Figure 1-17 SSH client configuration interface (1)
In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select Connection > SSH. The window shown in Figure 1-18 appears.
Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name hello and the password. Once authentication succeeds, you will log in to the server. The level of commands that you can access after login is authorized by the CAMS server.
In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select Connection > SSH. The window shown in Figure 1-21 appears.
Figure 1-21 SSH client configuration interface (2)
Under Protocol options, select 2 from Preferred SSH protocol version.
Configuration procedure
Configure the SSH server
# Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for the SSH connection.
<Switch> system-view
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[Switch-Vlan-interface1] quit
Generating the RSA key pair on the server is a prerequisite for SSH login.
Figure 1-23 Generate a client key pair (1)
While generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 1-24. Otherwise, the progress bar stops moving and the key pair generation process is stopped.
Figure 1-24 Generate a client key pair (2)
After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case).
Figure 1-25 Generate a client key pair (3)
Likewise, to save the private key, click Save private key.
Figure 1-26 Generate a client key pair (4)
After the key pair is generated, you need to upload the public key file to the server through FTP or TFTP, and complete the server-end configuration before you continue to configure the client.
# Establish a connection with the SSH server
Launch PuTTY.exe to enter the following interface.
Figure 1-28 SSH client configuration interface (2)
Under Protocol options, select 2 from Preferred SSH protocol version. Select Connection/SSH/Auth. The following window appears.
Figure 1-29 SSH client configuration interface (3)
Click Browse to bring up the file selection window, navigate to the private key file and click OK. From the window shown in Figure 1-29, click Open. If the connection is normal, you will be prompted to enter the username.
When Switch Acts as Client for Password Authentication
Network requirements
As shown in...
The Server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):n
Enter password:
**************************************************************************
Copyright(c) 2004-2008 3Com Corp. and its licensors. All rights reserved.
Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
**************************************************************************
<SwitchB>...
Configuration procedure
Configure Switch B
# Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for the SSH connection.
<SwitchB> system-view
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[SwitchB-Vlan-interface1] quit
Generating the RSA key pair on the server is a prerequisite for SSH login.
The Server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):n
**************************************************************************
Copyright(c) 2004-2008 3Com Corp. and its licensors. All rights reserved
Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
Network diagram
Figure 1-32 Switch acts as client and first-time authentication is not supported
Configuration procedure
Configure Switch B
# Create a VLAN interface on the switch and assign an IP address for it to serve as the destination of the client.
# Import the client’s public key file Switch001 and name the public key Switch001.
[SwitchB] public-key peer Switch001 import sshkey Switch001
# Assign public key Switch001 to user client001.
[SwitchB] ssh user client001 assign publickey Switch001
# Export the generated RSA host public key to a file named Switch002.
[SwitchB] public-key local export rsa ssh2 Switch002
When first-time authentication is not supported, you must first generate an RSA key pair on the server and save the public key in a file named Switch002, and then upload the file to the SSH client through FTP...
Username: client001
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...
**************************************************************************
Copyright(c) 2004-2008 3Com Corp. and its licensors. All rights reserved.
Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
**************************************************************************
<SwitchB>
Table of Contents
1 File System Management Configuration ···· 1-1
 File System Configuration ···· 1-1
  Introduction to File System ···· 1-1
  File System Configuration Task List ···· 1-1
  Directory Operations ···· 1-2
  File Operations ···· 1-2
  Flash Memory Operations ···· 1-3
  Prompt Mode Configuration ···· 1-4
  File System Configuration Examples ···· 1-4
 File Attribute Configuration ···· 1-5
  Introduction to File Attributes ···· 1-5
  Booting with the Startup File ···· 1-6
...
File System Configuration
Introduction to File System
To facilitate management of the switch memory, 4500 series Ethernet switches provide the file system function, allowing you to access and manage files and directories. You can create, remove, copy or delete a file through command lines, and you can manage files using directories.
Directory Operations
The file system provides directory-related functions, such as:
Creating/deleting a directory
Displaying the current working directory, or the contents of a specified directory
Follow these steps to perform directory-related operations:
To do… / Use the command… / Remarks
Create a directory
 Command: mkdir directory
 Remarks: Optional. Available in user view
Optional...
To do… / Use the command… / Remarks
Rename a file
 Command: rename fileurl-source fileurl-dest
 Remarks: Optional. Available in user view
Copy a file
 Command: copy fileurl-source fileurl-dest
 Remarks: Optional. Available in user view
Move a file
 Command: move fileurl-source fileurl-dest
 Remarks: Optional. Available in user view
Display the content of a file
 Command: more file-url
 Remarks: Optional. Available in user view
...
The format operation leads to the loss of all files, including the configuration files, on the Flash memory and is irretrievable.
Prompt Mode Configuration
You can set the prompt mode of the current file system to alert or quiet. In alert mode, the file system gives a prompt for confirmation if you execute a command which may cause data loss, for example, deleting or overwriting a file.
For the Web file and the configuration file, 3Com may provide a corresponding default file when releasing software versions. When booting, the device selects the startup files in a certain order. The device selects Web files in the following steps: if the default Web file exists, the device boots with the default Web file;...
Configuring File Attributes
You can configure and view the main attribute or backup attribute of the file used for the next startup of a switch, and change the main or backup attribute of the file. Follow these steps to configure file attributes:
To do…...
Configuration File Backup and Restoration
Introduction to Configuration File Backup and Restoration
Formerly, you could only back up and restore the configuration files of the units one by one in a fabric system. With the configuration file backup and restoration feature, you can easily back up and restore the configuration files of the whole fabric as well as of a specific unit.
Table of Contents
1 FTP and SFTP Configuration ···· 1-1
 Introduction to FTP and SFTP ···· 1-1
  Introduction to FTP ···· 1-1
  Introduction to SFTP ···· 1-2
 FTP Configuration ···· 1-2
  FTP Configuration: A Switch Operating as an FTP Server ···· 1-2
  FTP Configuration: A Switch Operating as an FTP Client ···· 1-6
  Configuration Example: A Switch Operating as an FTP Server ···· 1-9
  FTP Banner Display Configuration Example ···· 1-11
  FTP Configuration: A Switch Operating as an FTP Client ···· 1-12
...
Binary mode for program file transfer
ASCII mode for text file transfer
A 3Com Switch 4500 can act as an FTP client or the FTP server in FTP-based data transmission:
Table 1-1 Roles that a 3Com Switch 4500 can take in FTP...
files from an FTP server, and stops rotating when the file download is finished, as shown in Figure 1-1.
Figure 1-1 Clockwise rotation of the seven-segment digital LED
Introduction to SFTP
Secure FTP (SFTP) is established over an SSH2 connection. It allows a remote user to log in to a switch to manage and transmit files, providing stronger protection for data transmission.
Disabled by default. Only one user can access a 3Com Switch 4500 at a given time when the latter operates as an FTP server. Operating as an FTP server, a 3Com Switch 4500 cannot receive a file whose size exceeds its storage space.
Follow these steps to configure the connection idle time:
To do… / Use the command… / Remarks
Enter system view
 Command: system-view
Configure the connection idle time for the FTP server
 Command: ftp timeout minutes
 Remarks: Optional. 30 minutes by default
Specifying the source interface and source IP address for an FTP server
You can specify the source interface and source IP address for an FTP server to enhance server security.
With a 3Com Switch 4500 acting as the FTP server, if a network administrator attempts to disconnect a user that is uploading/downloading data to/from the FTP server, the 3Com Switch 4500 disconnects the user only after the data transmission is completed.
Figure 1-3 Process of displaying a shell banner
Follow these steps to configure the banner display for an FTP server:
To do… / Use the command… / Remarks
Enter system view
 Command: system-view
Configure a login banner
 Command: header login text
 Remarks: Required. Use either command or both. By default, no banner is...
Configure a shell banner
 Command: header shell text
To do… / Use the command… / Remarks
Enter FTP client view
 Command: ftp [ cluster | remote-server [ port-number ] ]
Specify to transfer files in ASCII characters
 Command: ascii
 Remarks: Use either command. By default, files are transferred in ASCII characters.
Specify to transfer files in...
To do… / Use the command… / Remarks
Download a remote file from the FTP server
 Command: get remotefile [ localfile ]
Upload a local file to the remote FTP server
 Command: put localfile [ remotefile ]
Rename a file on the remote server
 Command: rename remote-source remote-dest
Log in with the specified user...
The specified interface must be an existing one. Otherwise a prompt appears to show that the configuration fails. The value of the ip-address argument must be an IP address of the device where the configuration is performed. Otherwise a prompt appears to show that the configuration fails. The source interface/source IP address set for one connection takes precedence over the fixed source interface/source IP address set for every connection.
[Sysname] local-user switch
[Sysname-luser-switch] password simple hello
[Sysname-luser-switch] service-type ftp
Configure the PC (FTP client)
Run an FTP client application on the PC to connect to the FTP server. Upload the application named switch.bin to the root directory of the Flash memory of the FTP server, and download the configuration file named config.cfg from the FTP server.
Boot ROM menu.
The 3Com switch is not shipped with FTP client application software. You need to purchase and install it yourself.
Configure Switch A (FTP server)
# After uploading the application, use the boot boot-loader command to specify the uploaded file (switch.bin) as the startup file used when the switch starts the next time, and restart the switch.
Configuration procedure
Configure the switch (FTP server)
# Configure the login banner of the switch as “login banner appears” and the shell banner as “shell banner appears”.
For detailed configuration of the other network requirements, see section Configuration Example: A Switch Operating as an FTP Server.
Configuration procedure
Configure the PC (FTP server)
Perform FTP server-related configurations on the PC, that is, create a user account on the FTP server with username switch and password hello. (For detailed configuration, refer to the configuration instructions of the FTP server software.)
Configure the switch (FTP client)
# Log in to the switch.
<Sysname> boot boot-loader switch.bin
<Sysname> reboot
For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual.
SFTP Configuration
Complete the following tasks to configure SFTP:
Task / Remarks
Enabling an SFTP server...
10 minutes by default.
Supported SFTP client software
A 3Com Switch 4500 operating as an SFTP server can interoperate with SFTP client software, including SSH Tectia Client v4.2.0 (SFTP), v5.0, and WinSCP. SFTP client software supports the following operations:
logging in to a device;
uploading a file;...
To do… / Use the command… / Remarks
Enter SFTP client view
 Command: sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { 3des | des | aes128 } | ...
 Remarks: Required. Support for the 3des keyword depends on the number of...
If you specify that a client is authenticated through its public key on the server, the client needs to read its local private key when logging in to the SFTP server. Since both RSA and DSA are available for public key authentication, you need to use the identity-key keyword to specify the algorithm so that the correct local private key is read;...
[Sysname] public-key local create dsa
# Create a VLAN interface on the switch and assign to it an IP address, which is used as the destination address for the client to connect to the SFTP server.
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[Sysname-Vlan-interface1] quit
# Specify the SSH authentication mode as AAA.
sftp-client>
# Display the current directory of the server. Delete the file z and verify the result.
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
drwxrwxrwx...
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2
Received status: End of file
Received status: Success
# Download the file pubkey2 from the server and rename it as public.
A 3Com Switch 4500 can act as a TFTP client only. When a 3Com Switch 4500 serving as a TFTP client downloads files from the TFTP server, the seven-segment digital LED on the front panel of the switch rotates clockwise, and it stops rotating when...
TFTP Configuration
Complete the following tasks to configure TFTP:
Task / Remarks
TFTP Configuration: A Switch Operating as a TFTP Client
 Basic configurations on a TFTP client: —
 Specifying the source interface or source IP address for an FTP client: Optional
TFTP server configuration: For details, see the ... —...
To do… / Use the command… / Remarks
Specify the source IP address used for the current connection
 Command: tftp tftp-server source-ip ip-address { get source-file [ dest-file ] | put source-file-url [ dest-file ] }
 Remarks: Optional. Not specified by default.
Enter system view —...
Network diagram
Figure 2-1 Network diagram for TFTP configurations
Configuration procedure
Configure the TFTP server (PC)
Start the TFTP server and configure the working directory on the PC.
Configure the TFTP client (switch).
# Log in to the switch. (You can log in to a switch through the Console port or by telnetting to the switch. See the Login module for detailed information.)
<Sysname>...
For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual.
Table of Contents
1 Information Center ···· 1-1
 Information Center Overview ···· 1-1
  Introduction to Information Center ···· 1-1
  System Information Format ···· 1-4
 Information Center Configuration ···· 1-6
  Information Center Configuration Task List ···· 1-6
  Configuring Synchronous Information Output ···· 1-7
  Configuring to Display the Time Stamp with the UTC Time Zone ···· 1-7
  Setting to Output System Information to the Console ···· 1-8
  Setting to Output System Information to a Monitor Terminal ···· 1-9
  Setting to Output System Information to a Log Host ···· 1-11
...
Information Center
When configuring information center, go to these sections for information you are interested in:
Information Center Overview
Information Center Configuration
Displaying and Maintaining Information Center
Information Center Configuration Examples
Information Center Overview
Introduction to Information Center
Acting as the system information hub, information center classifies and manages system information. Together with the debugging function (the debugging command), information center offers powerful support for network administrators and developers in monitoring network performance and diagnosing network problems.
Information filtering by severity works this way: information whose severity value is greater than the configured threshold is not output. If the threshold is set to 1, only information with severity emergencies is output; if the threshold is set to 8, information of all severities is output.
Outputting system information by source module
The system information can be classified by source module and then filtered. Some module names and descriptions are shown in Table 1-3.
Table 1-3 Source module name list
Module name: Description
8021X: 802.1X module
Access control list module
ADBM: Address base module
...
Module name: Description
SYSMIB: System MIB module
HWTACACS module
TELNET: Telnet module
TFTPC: TFTP client module
VLAN: Virtual local area network module
Virtual type terminal module
XModem module
default: Default settings for all the modules
To sum up, the major task of the information center is to output the three types of information of the modules onto the ten channels in terms of the eight severity levels and according to the user’s settings, and then redirect the system information from the ten channels to the six output destinations.
Note that a space separates the time stamp and the host name.
Sysname
Sysname is the system name of the local switch and defaults to “3Com”. You can use the sysname command to modify the system name. (Refer to the System Maintenance and Debugging part of this manual for details.) Note that there is a space between the sysname and module fields.
Module
The module field represents the name of the module that generates the system information. You can enter the info-center source ? command in system view to view the module list. Refer to Table 1-3 for module names and descriptions. Between “module” and “level” is a “/”.
Level (Severity)
System information can be divided into eight levels based on its severity, from 1 to 8.
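As an added illustration (not part of this manual), the following Python script parses lines in the system information format described above and applies the severity threshold filtering from the Information Center overview. The field layout it assumes, <timestamp> <sysname> <module>/<level>/<rest>, and the eight severity names from emergencies (1) to debugging (8) are taken from this section; the sample lines are constructed, not captured from a switch.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Severity levels as the manual numbers them: 1 is the most severe, 8 the least.
SEVERITY_NAMES = {
    1: "emergencies", 2: "alerts", 3: "critical", 4: "errors",
    5: "warnings", 6: "notifications", 7: "informational", 8: "debugging",
}

# Assumed field layout, built from the format description in this section:
# "<timestamp> <sysname> <module>/<level>/<rest>". The timestamp may contain
# spaces, so the "<module>/<level>/" pair anchors the match.
_FIELDS = re.compile(
    r"^(?P<timestamp>.*?)\s+(?P<sysname>\S+)\s+"
    r"(?P<module>[A-Za-z0-9_]+)/(?P<level>[1-8])/(?P<rest>.*)$"
)


@dataclass
class SystemInfo:
    timestamp: str
    sysname: str
    module: str
    level: int
    rest: str

    @property
    def severity(self) -> str:
        return SEVERITY_NAMES[self.level]


def parse_system_info(line: str) -> Optional[SystemInfo]:
    """Split one information-center line into its fields; None if it does not fit."""
    m = _FIELDS.match(line.strip())
    if m is None:
        return None
    return SystemInfo(m["timestamp"], m["sysname"], m["module"],
                      int(m["level"]), m["rest"])


def passes_threshold(info: SystemInfo, threshold: int) -> bool:
    """Severity filtering as described: levels numerically above the threshold are dropped."""
    if not 1 <= threshold <= 8:
        raise ValueError("threshold must be between 1 (emergencies) and 8 (debugging)")
    return info.level <= threshold


def filter_lines(lines: Iterable[str], threshold: int,
                 modules: Optional[Set[str]] = None) -> List[SystemInfo]:
    """Keep lines from the selected modules (all modules if None) whose level passes the threshold."""
    kept = []
    for line in lines:
        info = parse_system_info(line)
        if info is None:
            continue  # not system information in the expected format
        if modules is not None and info.module not in modules:
            continue
        if passes_threshold(info, threshold):
            kept.append(info)
    return kept


# Constructed sample lines (not captured from a real switch).
SAMPLE_LINES = [
    "Jun 26 17:08:35 2008 3Com SHELL/5/LOGIN: user admin logged in from console",
    "Jun 26 17:09:01 2008 3Com IP/4/ROUTE: route to 10.1.1.0/24 unreachable",
    "Jun 26 17:09:02 2008 3Com ARP/7/LEARN: learned 10.1.1.5 on Ethernet1/0/1",
    "Jun 26 17:09:10 2008 3Com 8021X/1/FAIL: authentication subsystem unavailable",
    "this line is not in the information center format",
]

if __name__ == "__main__":
    for threshold in (1, 4, 8):
        kept = filter_lines(SAMPLE_LINES, threshold)
        print(f"threshold {threshold} ({SEVERITY_NAMES[threshold]}): {len(kept)} line(s) output")
        for info in kept:
            print(f"  {info.module}/{info.level} ({info.severity}): {info.rest}")
```

Running the script shows that a threshold of 1 passes only the 8021X emergency, a threshold of 4 adds the IP error, and a threshold of 8 passes every well-formed line; restricting the module set reproduces the per-module filtering the info-center source command performs.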
Configuring Synchronous Information Output
Synchronous information output refers to the feature that, if system information such as log, trap, or debugging information is output while the user is entering commands, the command line prompt (a prompt in command editing mode, or a [Y/N] string in interaction mode) and the input entered so far are echoed again after the output.
To do…: Set to display the UTC time zone in the output information of the information center
Use the command…: info-center timestamp utc
Remarks: Required. By default, no UTC time zone is displayed in the output information.
Setting to Output System Information to the Console
Setting to output system information to the console
Follow these steps to set to output system information to the console:
To do…...
Setting to output system information to a monitor terminal
Follow these steps to set to output system information to a monitor terminal:
To do…: Enter system view
Use the command…: system-view
Remarks: —
To do…: Enable the information center
Use the command…: info-center enable
Remarks: Optional. Enabled by default.
To do…: Enable trap information terminal display function
Use the command…: terminal trapping
Remarks: Optional. Enabled by default.
Make sure that the debugging/log/trap information terminal display function is enabled (use the terminal monitor command) before you enable the corresponding terminal display function by using the terminal debugging, terminal logging, or terminal trapping command.
After the switches form a fabric, you can use the info-center switch-on command to enable the information output for the switches to make the log, debugging and trap information of each switch in the fabric synchronous. Each switch sends its own information to other switches in the fabric and receives information sent by other switches at the same time to update the information on itself.
To do…: Enable information output to the log buffer
Use the command…: info-center logbuffer [ channel { channel-number | channel-name } | size buffersize ]*
Remarks: Optional. By default, the switch uses information channel 4 to output log information to the log buffer, which can hold up to 512 items by default.
Displaying and Maintaining Information Center
To do…: Display information on an information channel
Use the command…: display channel [ channel-number | channel-name ]
To do…: Display the operation status of information center, the configuration of information channels, the format of time stamp and the information output in case of fabric...
Use the command…: display info-center [ unit unit-id ]
# Disable the function of outputting information to log host channels, because all modules output log information to the log host channels by default.
[Switch] undo info-center source default channel loghost
# Configure the host whose IP address is 202.38.1.10 as the log host. Permit ARP and IP modules to output information with severity level higher than informational to the log host.
Through combined configuration of the device name (facility), information severity level threshold (severity), module name (filter) and the file “syslog.conf”, you can sort information precisely for filtering.
Log Output to a Linux Log Host
Network requirements
The switch sends the following log information to the Linux log host whose IP address is 202.38.1.10: all modules' log information, with severity higher than “errors”.
Note the following items when you edit file “/etc/syslog.conf”.
A note must start on a new line, starting with a “#” sign.
In each pair, a tab should be used as a separator instead of a space.
No space is permitted at the end of the file name.
The device name (facility) and received log information severity specified in file “/etc/syslog.conf”...
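The three editing rules above can be checked mechanically before syslogd is restarted, which avoids silently dropped switch logs. The following Python lint is an added example, not part of this manual or of any syslogd distribution; it assumes the classic syslog.conf layout of one selector, a tab, and one action per line, and the facility local7 in the constructed sample is a placeholder, since this excerpt does not name the facility the switch uses.

```python
import re
from typing import List, Tuple

# Constructed sample syslog.conf. "local7" is an assumed placeholder facility;
# the lines deliberately include one violation of each rule from the manual.
SAMPLE_SYSLOG_CONF = (
    "# constructed sample: collect what the switch sends\n"
    "local7.err\t/var/log/switch-errors.log\n"                    # correct: tab separator
    "local7.info /var/log/switch.log\n"                          # spaces instead of a tab
    "local7.warning\t/var/log/switch-warn.log \n"                # space after the file name
    "local7.debug\t/var/log/switch-debug.log # debugging only\n"  # note not on its own line
    "\n"
    "*.emerg\t/var/log/emerg.log\n"
)


def lint_syslog_conf(text: str) -> List[Tuple[int, str]]:
    """Return (line number, problem) pairs for the three rules the manual gives."""
    problems: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        if line.strip() == "":
            continue                       # blank lines are harmless
        if line.lstrip().startswith("#"):
            continue                       # a note on its own line is fine
        if "#" in line:
            problems.append((lineno, "note must start on a new line with a '#' sign"))
        if line != line.rstrip():
            problems.append((lineno, "no space is permitted at the end of the file name"))
        # The selector/action pair must be separated by a tab, not by spaces.
        sep = re.search(r"\s+", line.rstrip())
        if sep is None:
            problems.append((lineno, "no separator between selector and action"))
        elif " " in sep.group(0):
            problems.append((lineno, "selector and action must be separated by a tab"))
    return problems


def is_clean(text: str) -> bool:
    """True when the configuration text violates none of the rules."""
    return not lint_syslog_conf(text)


if __name__ == "__main__":
    for lineno, problem in lint_syslog_conf(SAMPLE_SYSLOG_CONF):
        print(f"line {lineno}: {problem}")
```

On the sample, lines 3, 4 and 5 are reported, one per rule; a file that passes is_clean can then be installed and syslogd restarted.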
<Switch> system-view
[Switch] info-center enable
# Disable the function of outputting information to the console channels.
[Switch] undo info-center source default channel console
# Enable log information output to the console. Permit ARP and IP modules to output log information with severity level higher than informational to the console.
Table of Contents
1 Boot ROM and Host Software Loading 1-1
Introduction to Loading Approaches 1-1
Local Boot ROM and Software Loading 1-1
BOOT Menu 1-2
Loading by XModem through Console Port 1-3
Loading by TFTP through Ethernet Port 1-7
Loading by FTP through Ethernet Port 1-9
Remote Boot ROM and Software Loading 1-11
Remote Loading Using FTP 1-11
Remote Loading Using TFTP 1-15
...
Boot ROM and Host Software Loading
Traditionally, switch software is loaded through a serial port. This approach is slow, time-consuming and cannot be used for remote loading. To resolve these problems, the TFTP and FTP modules are introduced into the switch. With these modules, you can conveniently load software and files to the switch through an Ethernet port.
1. Download application file to flash
2. Select application file to boot
3. Display all files in flash
4. Delete file from flash
5. Modify bootrom password
6. Enter bootrom upgrade menu
7. Skip current configuration file
8. Set bootrom password recovery
9.
0. Return
Enter your choice (0-5):
Step 3: Choose an appropriate baudrate for downloading. For example, if you press 5, the baudrate 115200 bps is chosen and the system displays the following information:
Download baudrate is 115200 bit/s
Please change the terminal's baudrate to 115200 bit/s and select XMODEM protocol
Press enter key when ready
If you have chosen 9600 bps as the download baudrate, you need not modify the HyperTerminal’s baudrate, and therefore you can skip Steps 4 and 5 below and proceed to Step 6 directly.
Figure 1-2 Console port configuration dialog box
Step 5: Click the <Disconnect> button to disconnect the HyperTerminal from the switch and then click the <Connect> button to reconnect the HyperTerminal to the switch, as shown in Figure 1-3.
Figure 1-3 Connect and disconnect buttons
The new baudrate takes effect after you disconnect and reconnect the HyperTerminal program.
Figure 1-4 Send file dialog box
Step 8: Click <Send>. The system displays the page shown in Figure 1-5.
Figure 1-5 Sending file page
Step 9: After the sending process completes, the system displays the following information:
Loading ...CCCCCCCCCC done!
Step 10: Reset HyperTerminal’s baudrate to 9600 bps (refer to Steps 4 and 5).
Loading host software
Follow these steps to load the host software:
Step 1: Select <1> in BOOT Menu and press <Enter>. The system displays the following information:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0.
Step 2: Run the TFTP server program on the TFTP server, and specify the path of the program to be downloaded. A TFTP server program is not provided with the 3Com Series Ethernet Switches.
Step 3: Run the HyperTerminal program on the configuration PC. Start the switch. Then enter the BOOT Menu.
0. Return to boot menu
Enter your choice(0-3):
Step 2: Enter 1 in the above menu to download the host software using TFTP. The subsequent steps are the same as those for loading the Boot ROM, except that the system gives the prompt for host software loading instead of Boot ROM loading.
Bootrom update menu:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
Step 4: Enter 2 in the above menu to download the Boot ROM using FTP. Then set the following FTP-related parameters as required:
Load File name :switch.btm...
Remote Boot ROM and Software Loading
If your terminal is not directly connected to the switch, you can telnet to the switch, and use FTP or TFTP to load the Boot ROM and host software remotely.
Remote Loading Using FTP
Loading Procedure Using FTP Client
Loading the Boot ROM
As shown in...
Before restarting the switch, make sure you have saved all other configurations that you want, so as to avoid losing configuration information.
Loading host software
Loading the host software is the same as loading the Boot ROM program, except that the file to be downloaded is the host software file, and that you need to use the boot boot-loader command to select the host software used for the next startup of the switch.
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 192.168.0.28 255.255.255.0
Step 3: Enable FTP service on the switch, and configure the FTP user name to test and password to pass.
[Sysname-Vlan-interface1] quit
[Sysname] ftp server enable
[Sysname] local-user test
New local user added.
Figure 1-11 Enter Boot ROM directory
Step 6: Enter ftp 192.168.0.28 and enter the user name test and password pass, as shown in Figure 1-12, to log on to the FTP server.
Figure 1-12 Log on to the FTP server
Step 7: Use the put command to upload the file switch.btm to the switch, as shown in Figure 1-13.
Figure 1-13 Upload file switch.btm to the switch
Step 8: Configure switch.btm to be the Boot ROM at next startup, and then restart the switch.
<Sysname> boot bootrom switch.btm
This will update Bootrom on unit 1. Continue? [Y/N] y
Upgrading Bootrom, please wait...
Upgrade Bootrom succeeded!
<Sysname>...
To do…: Set the system name of the switch
Use the command…: sysname sysname
Remarks: Optional. By default, the name is 3Com.
To do…: Return from current view to lower level view
Use the command…: quit
Remarks: Optional. If the current view is user view, you will quit the current user interface.
Displaying the System Status
To do…: Display the current date and time of the system
Use the command…: display clock
To do…: Display the version of the system
Use the command…: display version
To do…: Display the information about users logging onto the switch
Use the command…: display users [ all ]
Remarks (all three commands): Available in any view
Debugging the System...
You can use the following commands to enable the two switches. Follow these steps to enable debugging and terminal display for a specific module:
To do…: Enable system debugging for a specific module
Use the command…: debugging module-name [ debugging-option ]
Remarks: Required. Disabled for all modules by default.
Network Connectivity Test
When configuring network connectivity test, go to these sections for information you are interested in:
ping
tracert
Network Connectivity Test
ping
You can use the ping command to check the network connectivity and the reachability of a host.
To do…...
Device Management
When configuring device management, go to these sections for information you are interested in:
Introduction to Device Management
Device Management Configuration
Displaying the Device Management Configuration
Remote Switch APP Upgrade Configuration Example
Introduction to Device Management
Device Management includes the following:
Reboot the Ethernet switch
Configure real-time monitoring of the running status of the system
Specify the APP to be used at the next reboot...
Before rebooting, the system checks whether there is any configuration change. If yes, it prompts whether or not to proceed. This prevents the system from losing its configuration when it is shut down without the configuration being saved.
Use the following command to reboot the Ethernet switch:
To do…...
Enabling this function consumes some CPU resources. Therefore, if your network has a high CPU usage requirement, you can disable this function to release CPU resources.
Specifying the APP to be Used at Reboot
APP is the host software of the switch. If multiple APPs exist in the Flash memory, you can use the command here to specify the one that will be used when the switch reboots.
Table 4-1 Commonly used pluggable transceivers (columns: Transceiver type; Applied environment; Whether it can be an optical transceiver; Whether it can be an electrical transceiver)
Transceiver type: SFP (Small Form-factor Pluggable)
Applied environment: Generally used for 100M/1000M Ethernet interfaces or POS 155M/622M/2.5G interfaces
Transceiver type: GBIC (GigaBit Interface Converter)
Applied environment: Generally used for 1000M Ethernet interfaces...
To do…: Display the current alarm information of the pluggable transceiver(s)
Use the command…: display transceiver alarm interface [ interface-type interface-number ]
Remarks: Available for all pluggable transceivers
To do…: Display the currently measured value of the digital diagnosis parameters of the anti-spoofing...
Use the command…: display transceiver diagnosis
Remarks: Available for anti-spoofing pluggable optical...
Configure the switch so that the IP address of a VLAN interface on the switch is 1.1.1.1, the IP address of the PC is 2.2.2.2, and the switch and the PC are reachable to each other. The host software switch.app and the Boot ROM file boot.btm of the switch are stored in the directory switch on the PC.
331 Give me your password, please
Password:
230 Logged in successfully
[ftp]
Enter the authorized path on the FTP server.
[ftp] cd switch
Execute the get command to download the switch.app and boot.btm files from the FTP server to the Flash memory of the switch.
Table of Contents
1 VLAN-VPN Configuration 1-1
VLAN-VPN Overview 1-1
Introduction to VLAN-VPN 1-1
Implementation of VLAN-VPN 1-2
Configuring the TPID for VLAN-VPN Packets 1-2
Inner-to-Outer Tag Priority Replicating and Mapping 1-3
Transparent IGMP Message Transmission on a VLAN-VPN Port 1-3
VLAN-VPN Configuration 1-3
VLAN-VPN Configuration Task List 1-3
Enabling the VLAN-VPN Feature for a Port 1-4
Configuring the TPID Value for VLAN-VPN Packets on a Port 1-4
Configuring the Inner-to-Outer Tag Priority Replicating and Mapping Feature 1-5
...
VLAN-VPN Configuration
When configuring VLAN-VPN, go to these sections for information you are interested in:
VLAN-VPN Overview
VLAN-VPN Configuration
Displaying and Maintaining VLAN-VPN Configuration
VLAN-VPN Configuration Example
VLAN-VPN Overview
Introduction to VLAN-VPN
Virtual private network (VPN) is a new technology that emerges with the expansion of the Internet. It can be used for establishing private networks over the public network.
Figure 1-3 The structure of the VLAN tag in an Ethernet frame
A Switch 4500 switch determines whether a received frame is VLAN tagged by comparing its own TPID with the TPID field in the received frame. If they match, the frame is considered a VLAN tagged frame.
frame as needed. When doing that, you should set the same TPID on both the customer-side port and the service provider-side port. The TPID in an Ethernet frame occupies the same position as the protocol type field in a frame without a VLAN tag.
To do…: Enter Ethernet port view
Use the command…: interface-number
Remarks: —
To do…: Set the TPID value on the port
Use the command…: vlan-vpn tpid value
Remarks: Required. Do not set the TPID value to any of the protocol type values listed in Table 1-1. For 3Com series switches, the TPID defaults to 0x8100.
Besides the default TPID 0x8100, you can configure only one TPID value on a Switch 4500 switch. For the Switch 4500 series to exchange packets with the public network device properly, you should configure the TPID value used by the public network device on both the customer-side port and the service provider-side port.
As shown in Figure 1-4, Switch A and Switch B are both Switch 4500 series switches. They connect the users to the servers through the public network. PC users and PC servers are in VLAN 100 created in the private network, while terminal users and terminal servers are in VLAN 200, which is also created in the private network.
[SwitchA-Ethernet1/0/11] vlan-vpn enable
[SwitchA-Ethernet1/0/11] quit
# Set the TPID value of Ethernet 1/0/12 to 0x9200 (for intercommunication with the devices in the public network) and configure the port as a trunk port permitting packets of VLAN 1040.
[SwitchA] interface Ethernet 1/0/12
[SwitchA-Ethernet1/0/12] vlan-vpn tpid 9200
[SwitchA-Ethernet1/0/12] port link-type trunk
[SwitchA-Ethernet1/0/12] port trunk permit vlan 1040...
The TPID value of the outer VLAN tag is set to 0x9200 before the packet is forwarded to the public network through Ethernet1/0/12 of Switch A. The outer VLAN tag of the packet remains unchanged while the packet travels in the public network, until it reaches Ethernet1/0/22 of Switch B.
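To make the TPID comparison from the overview concrete, here is an added Python example (not code from this manual) that models what the text describes: a port recognizes a frame as VLAN tagged only when the 16-bit field at the Ethernet type position equals one of its TPIDs, and a VLAN-VPN port pushes an outer tag carrying the public-network TPID in front of the customer tag. The MAC addresses and payload are constructed; the TPID 0x9200 and outer VLAN 1040 are the values from the configuration example above.

```python
import struct
from typing import List, Set, Tuple

ETHERTYPE_IPV4 = 0x0800
DEFAULT_TPID = 0x8100   # the default TPID the manual gives for 3Com switches
PUBLIC_TPID = 0x9200    # the TPID used towards the public network in the example above

# Offsets in an Ethernet frame: 6-byte destination, 6-byte source, then the
# 2-byte type field. A VLAN tag sits at that position and is 4 bytes long:
# 2-byte TPID, then 2-byte TCI (3-bit PCP, 1-bit CFI, 12-bit VID).
TYPE_OFFSET = 12
TAG_LEN = 4


def is_vlan_tagged(frame: bytes, recognized_tpids: Set[int]) -> bool:
    """The switch's test: compare the field at the type position with its own TPID(s)."""
    if len(frame) < TYPE_OFFSET + 2:
        raise ValueError("frame too short for an Ethernet header")
    return struct.unpack_from("!H", frame, TYPE_OFFSET)[0] in recognized_tpids


def push_tag(frame: bytes, vid: int, tpid: int = DEFAULT_TPID, pcp: int = 0) -> bytes:
    """Insert a VLAN tag at the type position (it becomes the outermost tag)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must be 0..7")
    tci = (pcp << 13) | vid              # CFI bit left at 0
    tag = struct.pack("!HH", tpid, tci)
    return frame[:TYPE_OFFSET] + tag + frame[TYPE_OFFSET:]


def parse_tags(frame: bytes, recognized_tpids: Set[int]) -> Tuple[List[Tuple[int, int]], int]:
    """Walk the tags from outer to inner, stopping at the first field that is not a
    recognized TPID. Returns ([(tpid, vid), ...], type_field_after_the_tags)."""
    tags: List[Tuple[int, int]] = []
    off = TYPE_OFFSET
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        field = struct.unpack_from("!H", frame, off)[0]
        if field not in recognized_tpids:
            return tags, field
        if len(frame) < off + TAG_LEN:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((field, tci & 0x0FFF))
        off += TAG_LEN


def encapsulate_for_public_network(frame: bytes, outer_vid: int = 1040,
                                   outer_tpid: int = PUBLIC_TPID) -> bytes:
    """What the VLAN-VPN port does before forwarding: add an outer tag with the public TPID."""
    return push_tag(frame, vid=outer_vid, tpid=outer_tpid)


# Constructed frame (not captured traffic): a customer frame in VLAN 100 whose
# payload is a minimal IPv4 header placeholder.
DST = bytes.fromhex("0010a4000001")
SRC = bytes.fromhex("0010a4000002")
UNTAGGED_FRAME = DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19
CUSTOMER_FRAME = push_tag(UNTAGGED_FRAME, vid=100, tpid=DEFAULT_TPID)

if __name__ == "__main__":
    public = encapsulate_for_public_network(CUSTOMER_FRAME)
    print("customer frame tags:", parse_tags(CUSTOMER_FRAME, {DEFAULT_TPID}))
    print("public frame tags:  ", parse_tags(public, {DEFAULT_TPID, PUBLIC_TPID}))
    print("seen by a 0x9200-only port:", parse_tags(public, {PUBLIC_TPID}))
```

The last call in the usage block illustrates the point made above about the TPID occupying the type field's position: a port that recognizes only 0x9200 strips the outer tag and then reports 0x8100 as the frame's protocol type, so mismatched TPIDs on the customer-side and provider-side ports cause tagged frames to be treated as untagged.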
Selective QinQ Configuration
When configuring selective QinQ, go to these sections for information you are interested in:
Selective QinQ Overview
Selective QinQ Configuration
Selective QinQ Configuration Example
Selective QinQ Overview
Selective QinQ is an enhanced application of the VLAN-VPN feature. With the selective QinQ feature, you can configure inner-to-outer VLAN tag mapping, according to which you can add different outer VLAN tags to packets with different inner VLAN tags.
VLAN 4, which wastes the network resources and incurs potential security risks. The Switch 4500 series Ethernet switches provide the inter-VLAN MAC address replicating feature, which can replicate the entries in the MAC address table of the default VLAN to that of the VLAN...
device receives a packet from the service provider network, this device will find the path for the packet by searching the MAC address table of the VLAN corresponding to the outer tag and unicast the packet. Thus, packet broadcast is reduced in selective QinQ applications. Likewise, the entries in the MAC address table of the outer VLAN can also be replicated to that of the default VLAN on a port, through which the outbound port to the service provider network can be determined through the MAC address table of the default VLAN and user packets destined for the...
Do not enable both the selective QinQ function and the DHCP snooping function on a switch. Otherwise, the DHCP snooping function may operate improperly.
Enabling the Inter-VLAN MAC Address Replicating Feature
Follow these steps to enable the inter-VLAN MAC address replicating feature:
To do...
The public network permits packets of VLAN 1000 and VLAN 1200. Apply QoS policies for these packets to reserve bandwidth for packets of VLAN 1200; that is, packets of VLAN 1200 have higher transmission priority than packets of VLAN 1000. Employ the selective QinQ feature on Switch A and Switch B to differentiate traffic of PC users from that of IP phone users, for the purpose of using QoS policies to guarantee higher priority for voice traffic.
[SwitchA-Ethernet1/0/5] port hybrid vlan 5 1000 1200 tagged
[SwitchA-Ethernet1/0/5] quit
# Configure Ethernet 1/0/3 as a hybrid port and configure VLAN 5 as its default VLAN. Configure Ethernet 1/0/3 to remove VLAN tags when forwarding packets of VLAN 5, VLAN 1000, and VLAN 1200.
[SwitchA] interface Ethernet 1/0/3
[SwitchA-Ethernet1/0/3] port link-type hybrid
[SwitchA-Ethernet1/0/3] port hybrid pvid vlan 5...
[SwitchB] interface Ethernet 1/0/11
[SwitchB-Ethernet1/0/11] port link-type hybrid
[SwitchB-Ethernet1/0/11] port hybrid vlan 12 13 1000 1200 tagged
# Configure Ethernet 1/0/12 as a hybrid port and configure VLAN 12 as its default VLAN. Configure Ethernet 1/0/12 to remove VLAN tags when forwarding packets of VLAN 12 and VLAN 1000.
[SwitchB] interface Ethernet 1/0/12
[SwitchB-Ethernet1/0/12] port link-type hybrid
[SwitchB-Ethernet1/0/12] port hybrid pvid...
Table of Contents
1 Remote-ping Configuration 1-1
Introduction to remote-ping 1-1
remote-ping Configuration 1-1
Introduction to remote-ping Configuration 1-1
Configuring remote-ping 1-2
Displaying remote-ping Configuration 1-2
Configuration Example 1-3
...
Remote-ping Configuration
Introduction to remote-ping
remote-ping is a network diagnostic tool used to test the performance of protocols (only ICMP so far) running on the network. It is an enhanced alternative to the ping command.
A remote-ping test group is a set of remote-ping test parameters. A test group contains several test parameters and is uniquely identified by an administrator name plus a test tag.
This parameter is used to enable the system to automatically perform the same test at regular intervals.
Test timeout time
Test timeout time is the duration for which the system waits for an ECHO-RESPONSE packet after it sends out an ECHO-REQUEST packet. If no ECHO-RESPONSE packet is received within this duration, the test is considered a failure.
Table 1-2 Display remote-ping configuration
Operation: Display the information of remote-ping test history
Command: display remote-ping history [ administrator-name operation-tag ]
Operation: Display the latest remote-ping test results
Command: display remote-ping results [ administrator-name operation-tag ]
Description: The display command can be executed in any view.
Configuration Example...
Packet lost in test: 0%
Disconnect operation number: 0
Operation timeout number: 0
System busy operation number: 0
Connection fail number: 0
Operation sequence errors: 0
Drop operation number: 0
Other operation errors: 0
[Sysname-remote-ping-administrator-icmp] display remote-ping history administrator icmp
remote-ping entry(admin administrator, tag icmp) history record:
Index Response...
Table of Contents
1 IPv6 Configuration 1-1
IPv6 Overview 1-1
IPv6 Features 1-1
Introduction to IPv6 Address 1-3
Introduction to IPv6 Neighbor Discovery Protocol 1-6
Protocols and Standards 1-8
IPv6 Configuration Task List 1-8
Configuring an IPv6 Unicast Address 1-9
Configuring IPv6 NDP 1-10
Configuring a Static IPv6 Route 1-12
Configuring IPv6 TCP Properties 1-12
Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time 1-13
...
The term “router” in this document refers to a router in a generic sense or an Ethernet switch running a routing protocol. The 3Com Switch 4500 supports IPv6 management features, but does not support IPv6 forwarding and related features.
IPv6 Overview
Internet Protocol Version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet Engineering Task Force (IETF) as the successor to Internet Protocol Version 4 (IPv4).
Figure 1-1 Comparison between IPv4 header format and IPv6 header format
Adequate address space
The source IPv6 address and the destination IPv6 address are both 128 bits (16 bytes) long. IPv6 can provide 3.4 x 10^38 addresses, which completely meets the requirements of hierarchical address division as well as allocation of public and private addresses.
Enhanced neighbor discovery mechanism
The IPv6 neighbor discovery protocol is implemented by a group of Internet Control Message Protocol Version 6 (ICMPv6) messages. The IPv6 neighbor discovery protocol manages message exchange between neighbor nodes (nodes on the same link). The group of ICMPv6 messages takes the place of Address Resolution Protocol (ARP), Internet Control Message Protocol Version 4 (ICMPv4), and ICMPv4 redirect messages to provide a series of other functions.
Multicast address: An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address.
Anycast address: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the nearest one, according to the routing protocols’...
Unassigned address: The unicast address :: is called the unassigned address and may not be assigned to any node. Before acquiring a valid IPv6 address, a node may fill this address in the source address field of an IPv6 packet, but may not use it as a destination IPv6 address.
Multicast address
Multicast addresses listed in Table 1-2...
The 3Com Switch 4500 does not support the RS, RA, or Redirect message. Of the above mentioned IPv6 NDP functions, the 3Com Switch 4500 supports the following three: address resolution, neighbor unreachability detection, and duplicate address detection.
Address resolution
Similar to the ARP function in IPv4, a node acquires the link-layer address of neighbor nodes on the same link through NS and NA messages. Figure 1-3 shows how node A acquires the link-layer address of node B.
Figure 1-3 Address resolution
The address resolution procedure is as follows:
Node A multicasts an NS message.
Figure 1-4 Duplicate address detection
The duplicate address detection procedure is as follows:
Node A sends an NS message whose source address is the unassigned address :: and whose destination address is the solicited-node multicast address corresponding to the IPv6 address to be detected.
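Both address resolution and duplicate address detection send their NS messages to a solicited-node multicast address, and that address can be computed directly from the unicast address; the display ipv6 interface output in the configuration example later in this section shows the result (FF02::1:FF49:8048 for 2001::20F:E2FF:FE49:8048 and FF02::1:FF00:1 for 3001::1 among the joined groups). The following Python example is added here and is not code from this manual. The MAC addresses in it are derived from the EUI-64 interface identifiers in that output by reversing the EUI-64 construction, and the NS destination used for address resolution follows RFC 4861; neither detail is spelled out in this excerpt.

```python
import ipaddress
from typing import Dict, Union

Addr = Union[str, ipaddress.IPv6Address]

UNSPECIFIED = ipaddress.IPv6Address("::")
# FF02::1:FF00:0/104: the first 13 bytes of every solicited-node multicast address.
SOLICITED_NODE_PREFIX = b"\xff\x02" + b"\x00" * 9 + b"\x01\xff"


def modified_eui64(mac: str) -> bytes:
    """Build the 64-bit interface identifier derived from a MAC address: split the
    MAC in the middle, insert FF:FE, and flip the universal/local bit (0x02) of octet 0."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the modified EUI-64 identifier of the MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addresses need a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac))


def solicited_node(addr: Addr) -> ipaddress.IPv6Address:
    """FF02::1:FFXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address."""
    packed = ipaddress.IPv6Address(addr).packed
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX + packed[13:])


def dad_neighbor_solicitation(tentative: Addr) -> Dict[str, str]:
    """Addresses carried by the NS that duplicate address detection sends:
    source ::, destination the solicited-node group of the tentative address."""
    t = ipaddress.IPv6Address(tentative)
    return {"src": str(UNSPECIFIED), "dst": str(solicited_node(t)), "target": str(t)}


def resolution_neighbor_solicitation(own: Addr, neighbor: Addr) -> Dict[str, str]:
    """Addresses carried by the NS that address resolution multicasts for a neighbor."""
    n = ipaddress.IPv6Address(neighbor)
    return {"src": str(ipaddress.IPv6Address(own)), "dst": str(solicited_node(n)),
            "target": str(n)}


def is_dad_probe(src: Addr, dst: Addr) -> bool:
    """How a receiver tells a DAD probe from ordinary resolution: the source is ::
    and the destination is a solicited-node group."""
    s = ipaddress.IPv6Address(src)
    d = ipaddress.IPv6Address(dst)
    return s == UNSPECIFIED and d.packed[:13] == SOLICITED_NODE_PREFIX


if __name__ == "__main__":
    # MAC 00:0f:e2:49:80:48 is the value that yields the interface ID 20F:E2FF:FE49:8048
    # shown in the configuration example's display output.
    for prefix in ("2001::/64", "fe80::/64"):
        a = eui64_address(prefix, "00:0f:e2:49:80:48")
        print(f"{a}  -> solicited-node {solicited_node(a)}")
    print("DAD NS for 3001::1:", dad_neighbor_solicitation("3001::1"))
```

The DAD check in is_dad_probe is also the condition a receiver uses to decide that it must answer an NS with an NA even though the sender has no address yet; a probe for an address the receiver already owns is exactly the duplicate case the procedure above detects.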
Task: Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time; Remarks: Optional
Task: Configuring the Hop Limit of ICMPv6 Reply Packets; Remarks: Optional
Task: Displaying and Maintaining IPv6; Remarks: Optional
Configuring an IPv6 Unicast Address
An IPv6 address is required for a host to access an IPv6 network. A host can be assigned a global unicast address, a site-local address, or a link-local address.
If XRN fabric ports are configured on a 3Com Switch 4500, no IPv6 address can be configured for the switch. IPv6 unicast addresses can be configured for only one VLAN interface on a 3Com Switch 4500. The total number of global unicast addresses and site-local addresses on the VLAN interface can be up to four.
Follow these steps to configure a static neighbor entry:
To do...: Enter system view
Use the command...: system-view
Remarks: —
To do...: Configure a static neighbor entry
Use the command...: ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number | interface interface-type interface-number }
Remarks: Required
Configuring the maximum number of neighbors dynamically learned
The device can dynamically acquire the link-layer address of a neighbor node through NS and NA messages and add it to the neighbor table.
Configuring the NS Interval
After a device sends an NS message, if it does not receive a response within a specific period, it sends another NS message. You can configure the interval between these NS messages. Follow these steps to configure the NS interval: To do…...
packets are received, the IPv6 TCP connection status becomes TIME_WAIT. If other packets are received, the finwait timer is restarted from the last packet, and the connection is terminated when the finwait timer expires. Size of the IPv6 TCP receive/send buffer. Follow these steps to configure IPv6 TCP properties: To do…...
Enter system view: system-view
Configure the hop limit of ICMPv6 reply packets: ipv6 nd hop-limit value (Optional; 64 by default)
Displaying and Maintaining IPv6
Display the FIB entries: display ipv6 fib
Display the mapping between host names and IPv6 addresses: display ipv6 host...
IPv6 Configuration Example
IPv6 Unicast Address Configuration
Network requirements
Two switches are directly connected through two Ethernet ports that belong to VLAN 2. Different types of IPv6 addresses are configured on VLAN-interface 2 of each switch to verify connectivity between the two switches.
Global unicast address(es):
  2001::20F:E2FF:FE49:8048, subnet is 2001::/64
  3001::1, subnet is 3001::/64
Joined group address(es):
  FF02::1:FF00:1
  FF02::1:FF49:8048
  FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# Display the brief IPv6 information of the interface on Switch B.
Reply from FE80::20F:E2FF:FE00:1 bytes=56 Sequence=3 hop limit=255 time = 60 ms
Reply from FE80::20F:E2FF:FE00:1 bytes=56 Sequence=4 hop limit=255 time = 70 ms
Reply from FE80::20F:E2FF:FE00:1 bytes=56 Sequence=5 hop limit=255 time = 60 ms
--- FE80::20F:E2FF:FE00:1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/66/80 ms...
0.00% packet loss
round-trip min/avg/max = 50/60/70 ms...
IPv6 Application Configuration Example
Troubleshooting IPv6 Application
Introduction to IPv6 Application
IPv6 supports a growing number of applications, most of which are the same as their IPv4 counterparts. The IPv6 applications supported on the 3Com Switch 4500 are: Ping, Traceroute, TFTP...
IPv6 Traceroute
The traceroute ipv6 command records the route taken by IPv6 packets from source to destination, so that you can check whether the path is available and locate the point of failure.
Figure 2-1 Traceroute process
As Figure 2-1 shows, the traceroute process is as follows: The source sends an IP datagram with a Hop Limit of 1.
Download/upload files from a TFTP server: tftp ipv6 remote-system [ -i interface-type interface-number ] { get | put } source-filename [ destination-filename ] (Required; available in user view)
When you use the tftp ipv6 command to connect to the TFTP server, you must specify the -i keyword if the destination address is a link-local address, because a link-local address is only meaningful on a specific interface. Note that TFTP itself provides no authentication or encryption, so restrict TFTP servers to a management network.
Network requirements
In Figure 2-3, SWA, SWB, and SWC are three switches; SWA is a 3Com Switch 4500, and SWB and SWC are switches that support IPv6 forwarding. The LAN contains a Telnet server and a TFTP server, which provide Telnet and TFTP service to the switch respectively. It is required that you telnet to the Telnet server from SWA and download files from the TFTP server.
bytes=56 Sequence=2 hop limit=64 time = 31 ms
Reply from 3003::1 bytes=56 Sequence=3 hop limit=64 time = 31 ms
Reply from 3003::1 bytes=56 Sequence=4 hop limit=64 time = 31 ms
Reply from 3003::1 bytes=56 Sequence=5 hop limit=64 time = 31 ms
--- 3003::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received...
Solution
Check that the IPv6 addresses are configured correctly. Use the display ipv6 interface command to verify that the interfaces of the source and the destination, and the link-layer protocol between them, are up. Use the display ipv6 route-table command to verify that the destination is reachable. Use the ping ipv6 -t timeout { destination-ipv6-address | hostname } [ -i interface-type interface-number ] command to increase the timeout, so as to determine whether the failure is caused by a timeout that is too short.
Access Management Configuration
When configuring access management, go to these sections for the information you are interested in: Access Management Overview, Configuring Access Management, Access Management Configuration Examples.
Access Management Overview
Normally, client PCs in a network are connected to switches operating at the network access layer (also referred to as access switches) through Layer 2 switches;...
A port without an access management IP address pool configured allows its hosts to access external networks only if their IP addresses are not in the access management IP address pool of any other port of the switch. Note that the IP addresses in the access management IP address pool configured on a port must be in the same network segment as the IP address of the VLAN interface of the VLAN to which the port belongs.
Access Management Configuration Examples
Access Management Configuration Example
Network requirements
Client PCs are connected to the external network through Switch A (an Ethernet switch). The IP addresses of the PCs of Organization 1 are in the range 202.10.20.1/24 to 202.10.20.20/24. The IP address of PC 2 is 202.10.20.100/24, and that of PC 3 is 202.10.20.101/24.
[Sysname-Ethernet1/0/1] am ip-pool 202.10.20.1 20
Combining Access Management with Port Isolation
Network requirements
Client PCs are connected to the external network through Switch A (an Ethernet switch). The IP addresses of the PCs of Organization 1 are in the range 202.10.20.1/24 to 202.10.20.20/24, and those of the PCs of Organization 2 are in the ranges 202.10.20.25/24 to 202.10.20.50/24 and 202.10.20.55/24 to 202.10.20.65/24.
# Set the IP address of VLAN-interface 1 to 202.10.20.200/24.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 202.10.20.200 24
[Sysname-Vlan-interface1] quit
# Configure the access management IP address pool on Ethernet 1/0/1.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] am ip-pool 202.10.20.1 20
# Add Ethernet 1/0/1 to the port isolation group.
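The following Python is an added example, not code from the manual or from 3Com. It models the forwarding decision that the Access Management Overview describes and the two examples above configure: a pooled port forwards only hosts whose address lies in its own pool, an unpooled port forwards a host only if no other port's pool claims its address, and a pool whose addresses fall outside the VLAN interface's subnet is rejected. It interprets am ip-pool as "first address, number of addresses", consistent with am ip-pool 202.10.20.1 20 covering 202.10.20.1 to 202.10.20.20; the port name Ethernet1/0/2 for Organization 2 and the split of its two ranges into two pool entries are assumptions, since the manual only gives the Organization 1 command.

```python
"""Model of the access-management (am ip-pool) forwarding decision (added example)."""
import ipaddress


class AccessManagementSwitch:
    """One VLAN interface plus per-port access management IP address pools."""

    def __init__(self, vlan_interface: str):
        self.vlan_if = ipaddress.IPv4Interface(vlan_interface)
        self.pools = {}  # port name -> list of (first address, count)

    def pool_in_subnet(self, start: str, count: int) -> bool:
        """The manual requires pool addresses to lie in the VLAN interface's segment."""
        first = ipaddress.IPv4Address(start)
        last = first + (count - 1)
        return first in self.vlan_if.network and last in self.vlan_if.network

    def am_ip_pool(self, port: str, start: str, count: int) -> None:
        """Configure a pool on a port; assumes the CLI form 'am ip-pool start count'."""
        if count < 1:
            raise ValueError("a pool needs at least one address")
        if not self.pool_in_subnet(start, count):
            raise ValueError(f"pool {start} +{count} is not in {self.vlan_if.network}")
        self.pools.setdefault(port, []).append((ipaddress.IPv4Address(start), count))

    @staticmethod
    def _in_pools(pools, ip: ipaddress.IPv4Address) -> bool:
        return any(first <= ip < first + count for first, count in pools)

    def allows(self, port: str, host_ip: str) -> bool:
        """True if a host with host_ip attached to port may reach external networks."""
        ip = ipaddress.IPv4Address(host_ip)
        if port in self.pools:
            # Pooled port: only addresses in its own pool are forwarded.
            return self._in_pools(self.pools[port], ip)
        # Unpooled port: forwarded unless another port's pool claims the address,
        # which stops a host on an unpooled port from borrowing a pooled address.
        return not any(self._in_pools(p, ip) for other, p in self.pools.items() if other != port)

    def claimed_by(self, host_ip: str) -> list:
        """Ports whose pools contain host_ip; handy when auditing overlapping pools."""
        ip = ipaddress.IPv4Address(host_ip)
        return [port for port, p in self.pools.items() if self._in_pools(p, ip)]


def build_example_switch() -> AccessManagementSwitch:
    """Switch A from the examples: Organization 1 behind Ethernet 1/0/1,
    Organization 2 behind Ethernet 1/0/2 (assumed port name)."""
    sw = AccessManagementSwitch("202.10.20.200/24")
    sw.am_ip_pool("Ethernet1/0/1", "202.10.20.1", 20)   # .1 to .20
    sw.am_ip_pool("Ethernet1/0/2", "202.10.20.25", 26)  # .25 to .50
    sw.am_ip_pool("Ethernet1/0/2", "202.10.20.55", 11)  # .55 to .65
    return sw


if __name__ == "__main__":
    sw = build_example_switch()
    checks = [
        ("Ethernet1/0/1", "202.10.20.10"),   # Organization 1 host on its own port
        ("Ethernet1/0/1", "202.10.20.100"),  # PC 2's address used on Org 1's port
        ("Ethernet1/0/3", "202.10.20.100"),  # PC 2 on an unpooled port
        ("Ethernet1/0/3", "202.10.20.10"),   # Org 1 address used on an unpooled port
    ]
    for port, ip in checks:
        print(f"{port} {ip}: {'forwarded' if sw.allows(port, ip) else 'dropped'}")
    print("pool outside the VLAN subnet accepted?", sw.pool_in_subnet("202.10.21.1", 5))
```

Access management ties an address range to a port but does not stop hosts on the same pooled port from reaching each other; that is why the second example adds the port to an isolation group.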
Table of Contents
Appendix A Acronyms...
Appendix A Acronyms
AAA Authentication, Authorization and Accounting
ABR Area Border Router
ACL Access Control List
ARP Address Resolution Protocol
AS Autonomous System
ASBR Autonomous System Border Router
BDR Backup Designated Router
CAR Committed Access Rate
CLI Command Line Interface
CoS Class of Service
DHCP Dynamic Host Configuration Protocol
DLDP Device Link Detection Protocol
DR Designated Router...
LSDB Link State DataBase
MAC Medium Access Control
MIB Management Information Base
NBMA Non Broadcast MultiAccess
NIC Network Information Center
NMS Network Management System
NTP Network Time Protocol
NVRAM Nonvolatile RAM
OSPF Open Shortest Path First
PIM Protocol Independent Multicast
PIM-DM Protocol Independent Multicast-Dense Mode
PIM-SM Protocol Independent Multicast-Sparse Mode
PoE Power over Ethernet
QoS Quality of Service...