3Com Corporation. 3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
About This Manual

Organization

The 3Com Switch 4210 Family Configuration Guide is organized as follows:

Part 1, Login: Introduces the ways to log in to an Ethernet switch.
Part 2, Configuration File Management: Introduces the ways to manage configuration files.
Part 3, VLAN: Introduces VLAN fundamentals and the related configuration.
Part 27, SNMP-RMON: Introduces the configuration to manage network devices through SNMP and RMON.
Part 28, NTP: Introduces NTP and the related configuration.
Part 29, SSH: Introduces SSH and the related configuration.
Part 30, File System Management: Introduces basic configuration for file system management.
Part 31, FTP-SFTP-TFTP: Introduces basic configuration for FTP, SFTP, TFTP, and the applications.
3Com Switch 4210 Family Getting Started Guide: This guide provides all the information you need to install and use the 3Com Switch 4210 Family.

Obtaining Documentation

You can access the most up-to-date 3Com product documentation on the World Wide Web at this URL: http://www.3com.com.
Table of Contents

1 Logging In to an Ethernet Switch (1-1)
  Logging In to an Ethernet Switch (1-1)
  Introduction to the User Interface (1-1)
    Supported User Interfaces (1-1)
    Relationship Between a User and a User Interface (1-2)
    User Interface Index (1-2)
    Common User Interface Configuration (1-2)
2 Logging In Through the Console Port (2-1)
  Introduction (2-1)
...
    Switch Configuration (4-2)
  Modem Connection Establishment (4-2)
5 CLI Configuration (5-1)
  Introduction to the CLI (5-1)
  Command Hierarchy (5-1)
    Command Level and User Privilege Level (5-1)
    Modifying the Command Level (5-2)
    Switching User Level (5-3)
  CLI Views (5-7)
  CLI Features (5-11)
    Online Help (5-11)
    Terminal Display (5-12)
    Command History (5-12)
    Error Prompts (5-13)
...
Supported User Interfaces The auxiliary (AUX) port and the console port of a 3Com low-end and mid-range Ethernet switch are the same port (referred to as console port in the following part). You will be in the AUX user interface if you log in through this port.
Table 1-1 Description of user interfaces

User interface: AUX
Applicable user: Users logging in through the console port
Port used: Console port
Remarks: Each switch can accommodate one AUX user.

User interface: VTY
Applicable user: Telnet users and SSH users
Port used: Ethernet port
Remarks: Each switch can accommodate up to five VTY users.
To do: Lock the current user interface
Use the command: lock
Remarks: Optional. Available in user view. A user interface is not locked by default.

To do: Send messages to all user interfaces or to a specified user interface
Use the command: send { all | number | type number }
Remarks: Optional. Available in user view.

Optional...
Logging In Through the Console Port

Go to these sections for information you are interested in:
Introduction
Setting Up a Login Environment for Login Through the Console Port
Console Port Login Configuration
Console Port Login Configuration with Authentication Mode Being None
Console Port Login Configuration with Authentication Mode Being Password
Console Port Login Configuration with Authentication Mode Being Scheme

Introduction...
If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X, or HyperTerminal in Windows 9X, Windows 2000, or Windows XP; the following assumes that you are running Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4...
Figure 2-4 Set port parameters Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt appears after you press the Enter key. You can then configure the switch or check the information about the switch by executing the corresponding commands.
Configuration: Set the maximum number of lines the screen can contain
Remarks: Optional. By default, the screen can contain up to 24 lines.

Configuration: Set the history command buffer size
Remarks: Optional. By default, the history command buffer can contain up to 10 commands.

Configuration: Set the timeout time of a user interface
Remarks: Optional...
To do: Set the maximum number of lines the screen can contain
Use the command: screen-length screen-length
Remarks: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the paged display of information.
Changes made to the authentication mode for console port login take effect after you quit the command-line interface and log in again.

Console Port Login Configuration with Authentication Mode Being None

Configuration Procedure

Follow these steps to configure console port login with the authentication mode being none:

To do…...
Network diagram

Figure 2-5 Network diagram for AUX user interface configuration (with the authentication mode being none): a configuration PC running Telnet connected to GE1/0/1 of the switch over Ethernet

Configuration procedure

# Enter system view.
<Sysname> system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify not to authenticate users logging in through the console port.
To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enter AUX user interface view
Use the command: user-interface aux 0
Remarks: —

To do: Configure to authenticate users using the local password
Use the command: authentication-mode password
Remarks: Required. By default, users logging in to a switch through the console port are not authenticated;...
<Sysname> system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify to authenticate users logging in through the console port using the local password.
[Sysname-ui-aux0] authentication-mode password
# Set the local password to 123456 (in plain text).
[Sysname-ui-aux0] set authentication password simple 123456
# Specify that commands of level 2 are available to users logging in to the AUX user interface.

Note that the simple keyword stores the password in plain text in the configuration file, where anyone who can display or copy the configuration can read it; use the cipher keyword of the same command when the password must not be readable there.
To do: Enter the default ISP domain view
Use the command: domain domain-name
Remarks: Optional

To do: Specify the AAA scheme to be applied
Use the command: scheme { local | none | radius-scheme...
Remarks: Optional. By default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration...
Set the service type of the local user to Terminal and the command level to 2.
Configure to authenticate the users in the scheme mode.
The baud rate of the console port is 19,200 bps.
The screen can contain up to 30 lines.
The history command buffer can store up to 20 commands.
[Sysname-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6

After the above configuration, you need to change the settings of the terminal emulation utility running on the PC accordingly, in the dialog box shown in Figure 2-4, to log in to the switch successfully.
Logging In Through Telnet

Go to these sections for information you are interested in:
Introduction
Telnet Configuration with Authentication Mode Being None
Telnet Configuration with Authentication Mode Being Password

Introduction

Switch 4210 supports Telnet. You can manage and maintain a switch remotely by Telnetting to the switch. Note that Telnet carries the login password and every command in clear text; where the management network is not trusted, use SSH (see the SSH part of this manual) and restrict Telnet access to known source addresses with an ACL (see User Control).
Configuration: Configure the protocols the user interface supports
Description: Optional. By default, Telnet and SSH are supported.

Configuration: Set the commands to be executed automatically after a user logs in to the user interface successfully
Description: Optional. By default, no command is executed automatically after a user logs in to the VTY user interface.
To do: Set the history command buffer size
Use the command: history-command max-size value
Remarks: Optional. The default history command buffer size is 10, that is, the history command buffer of a user can store up to 10 commands by default.
To reduce the attack surface, the switch opens the listening ports for Telnet (TCP 23) and SSH (TCP 22) only when the corresponding login configuration is in place, so that no unused socket is left exposed. If the authentication mode is none, TCP 23 is opened and TCP 22 is closed. If the authentication mode is password and the corresponding password has been set, TCP 23 is opened and TCP 22 is closed.
Network diagram

Figure 3-1 Network diagram for Telnet configuration (with the authentication mode being none)

Configuration procedure

# Enter system view.
<Sysname> system-view
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure not to authenticate Telnet users logging in to VTY 0.
[Sysname-ui-vty0] authentication-mode none
# Specify that commands of level 2 are available to users logging in to VTY 0.
When the authentication mode is password, the command level available to users logging in to the user interface is determined by the user privilege level command.

Configuration Example

Network requirements

Assume that the current user logs in through the console port and the current user level is set to the administrator level (level 3).
Telnet Configuration with Authentication Mode Being Scheme

Configuration Procedure

Follow these steps to configure Telnet with the authentication mode being scheme:

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enter one or more VTY user interface views
Use the command: user-interface vty...
Remarks: —...
Refer to the AAA part of this manual for information about AAA and RADIUS.

Configuration Example

Network requirements

Assume that the current user logs in through the console port and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in to VTY 0 using Telnet. Configure the local user name as guest.
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6

Telnetting to a Switch

Telnetting to a Switch from a Terminal...
The prompt (such as <Sysname>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message “All user interfaces are used, please try later!”. A 3Com switch can accommodate up to five Telnet connections at the same time.
Telnetting to Another Switch from the Current Switch

You can Telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure that the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are in the same network segment, or that a route between the two VLAN interfaces is available.
Logging In Using a Modem

Go to these sections for information you are interested in:
Introduction
Configuration on the Switch Side
Modem Connection Establishment

Introduction

If a remote switch is connected to the public switched telephone network (PSTN) through a modem, the administrator can dial in to the console port of that switch through a modem over the PSTN to configure and maintain the switch remotely.
You can verify your configuration by executing the AT&V command. The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration. Switch Configuration After logging in to a switch through its console port by using a modem, you will enter the AUX user interface.
Figure 4-1 Establish the connection by using modems (the PC is attached to a modem by a modem serial cable, the two modems are connected over a telephone line through the PSTN, and the remote modem is attached to the console port of the switch; telephone number of the remote end: 82882285)

Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 4-2 through...
Figure 4-3 Set the telephone number Figure 4-4 Call the modem If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt (such as <Sysname>) appears. You can then configure or manage the switch.
Each 3Com Switch 4210 provides an easy-to-use CLI and a set of configuration commands for configuring and managing the switch. The CLI on the 3Com Switch 4210 provides the following features, which give it good manageability and operability.
Monitor level (level 1): Commands at this level are mainly used to maintain the system and diagnose service faults, and they cannot be saved in the configuration file. Such commands include debugging and terminal.
System level (level 2): Commands at this level are mainly used to configure services. Commands concerning routing and network layers are at this level.
Operation: Configure the level of a command in a specific view
Command: command-privilege level level view view command
Remarks: Required

You are recommended to use the default command levels, or to modify a command level only under the guidance of professional staff; otherwise, the change may complicate your maintenance and operation, or even create a security problem (lowering the level of a command makes it available to users at that lower privilege level).
can switch to a higher level temporarily; when the administrators need to leave for a while or ask someone else to manage the device temporarily, they can switch to a lower privilege level before they leave to restrict what others can do. Switching from a higher user level to a lower one is not restricted; only switching to a higher level requires authentication.
When both the super password authentication and the HWTACACS authentication are specified, the device adopts the preferred authentication mode first. If the preferred authentication mode cannot be implemented (for example, the super password is not configured or the HWTACACS authentication server is unreachable), the backup authentication mode is adopted.
Table 5-5 Set the HWTACACS authentication scheme for user level switching

Operation: Enter system view
Command: system-view
Description: —

Operation: Enter ISP domain view
Command: domain domain-name
Description: —

Operation: Set the HWTACACS authentication scheme for user level switching
Command: super hwtacacs-scheme hwtacacs-scheme-name
Description: Required. By default, the HWTACACS authentication scheme for user level switching...
[Sysname-ui-vty0] quit
# Set the password used by the current user to switch to level 3.
[Sysname] super password level 3 simple 123

A VTY 0 user switches its level to level 3 after logging in.

# A VTY 0 user telnets to the switch, and then uses the set password to switch to user level 3.
<Sysname>...
Table 5-7 lists the CLI views provided by the 3Com Switch 4210, the operations that can be performed in different CLI views, and the commands used to enter specific CLI views.

Table 5-7 CLI views

View / Available operation / Prompt example / Enter method / Quit method...
View: FTP client view
Available operation: Configure FTP client parameters
Prompt example: [ftp]
Enter method: Execute the ftp command in user view.

View: SFTP client view
Available operation: Configure SFTP client parameters
Prompt example: sftp-client>
Enter method: Execute the sftp command in system view.

View: MST region view
Available operation: Configure MST region...
Prompt example: [Sysname-mst-re...
Enter method: Execute the stp...
View: Remote-ping view
Available operation: Configure remote-ping parameters
Prompt example: [Sysname-remote-ping-a123-a12...
Enter method: Execute the remote-ping command in system view.

View: HWTACACS view
Available operation: Configure HWTACACS scheme parameters
Prompt example: [Sysname-hwtacacs-a123]
Enter method: Execute the hwtacacs scheme command in system view.

View: PoE profile view
Available operation: Configure PoE profile parameters...
CLI Features Online Help When configuring the switch, you can use the online help to get related help information. The CLI provides two types of online help: complete and partial. Complete online help Enter a question mark (?) in any view on your terminal to display all the commands available in the view and their brief descriptions.
<Sysname> display u?
  unit
  user-interface
  users

Enter the first several characters of a keyword of a command and then press <Tab>. If there is a unique keyword beginning with the characters just typed, the unique keyword is displayed in its complete form.
The Windows 9x HyperTerminal interprets the up and down arrow keys differently, so the two keys do not work for recalling history commands in that environment. However, you can use <Ctrl+P> and <Ctrl+N> instead to achieve the same purpose. When you enter the same command multiple times consecutively, only one history command entry is created by the command line interface.
Press: <Tab>
To: Use the partial online help. That is, when you input an incomplete keyword and press <Tab>, if the input parameter uniquely identifies a complete keyword, the system substitutes the complete keyword for the input parameter; if more than one keyword matches the input parameter, you can display them one by one (in complete form) by pressing <Tab>...
Logging In Through the Web-based Network Management Interface

Go to these sections for information you are interested in:
Introduction
Establishing an HTTP Connection
Configuring the Login Banner
Enabling/Disabling the Web Server

Introduction

Switch 4210 has a Web server built in. It enables you to log in to Switch 4210 through a Web browser and then manage and maintain the switch intuitively by interacting with the built-in Web server. The connection is plain HTTP, so the login password and every management operation cross the network unencrypted; restrict Web access to trusted source addresses with an ACL (see User Control) or disable the Web server when it is not needed.
Establish an HTTP connection between your PC and the switch, as shown in Figure 6-1. Figure 6-1 Establish an HTTP connection between your PC and the switch Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the address bar.
Configuration Example

Network requirements

A user logs in to the switch through Web. The banner page is desired when a user logs in to the switch.

Network diagram

Figure 6-3 Network diagram for login banner configuration

Configuration Procedure

# Enter system view.
<Sysname>...
To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enable the Web server
Use the command: undo ip http shutdown
Remarks: Required. By default, the Web server is enabled.

To do: Disable the Web server
Use the command: ip http shutdown
Remarks: Required

To reduce the attack surface, TCP port 80 (which is for the HTTP service) is opened or closed according to this configuration, so that the socket is not left listening while the Web server is disabled.
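The login settings introduced so far (the none/password/scheme authentication modes, the simple keyword that stores passwords in plain text, Telnet versus SSH on the VTY interfaces, the super password, and the Web server that is enabled by default) are exactly what a reviewer checks first when handed a switch configuration. The following audit script is an added example, not code from 3Com or from this guide; it reads a configuration in the layout of display current-configuration (unindented lines open a section, indented lines belong to it, # closes it) and reports the weak settings. The two configurations are constructed samples, and the protocol inbound { all | ssh | telnet } and cipher keyword forms are assumed from the command syntax rather than quoted from this page.

```python
"""Audit a Comware-style 3Com Switch 4210 configuration for weak login settings."""
import re
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (severity, where, message)

# Constructed sample in the layout of 'display current-configuration':
# unindented lines open a section, indented lines belong to it, '#' closes it.
WEAK_CONFIG = """\
#
 sysname Sysname
#
 super password level 3 simple 123
#
acl number 2000
 rule 1 permit source 10.110.100.52 0
#
user-interface aux 0
 authentication-mode password
 set authentication password simple 123456
 user privilege level 2
user-interface vty 0 4
 authentication-mode none
 user privilege level 2
 protocol inbound all
#
return
"""

# The same device after the remediation the findings point at (also constructed).
HARDENED_CONFIG = """\
#
 ip http shutdown
#
acl number 2000
 rule 1 permit source 10.110.100.52 0
#
user-interface aux 0
 authentication-mode scheme
user-interface vty 0 4
 authentication-mode scheme
 acl 2000 inbound
 protocol inbound ssh
#
return
"""


def split_sections(config: str) -> List[Tuple[Optional[str], List[str]]]:
    """Group lines into (section header, body). Only 'user-interface' lines open a
    named section; everything else is returned with header None (global commands)."""
    sections: List[Tuple[Optional[str], List[str]]] = []
    header: Optional[str] = None
    body: List[str] = []

    def flush() -> None:
        nonlocal header, body
        if header is not None or body:
            sections.append((header, body))
        header, body = None, []

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line in ("#", "return"):
            flush()
        elif raw[0].isspace():          # indented: belongs to the open section (or global)
            body.append(line)
        else:                           # unindented: starts a new section
            flush()
            if line.startswith("user-interface"):
                header = line
            else:
                body.append(line)
    flush()
    return sections


def audit(config: str) -> List[Finding]:
    """Return the weaknesses a practitioner checks first on this platform."""
    findings: List[Finding] = []
    global_cmds: List[str] = []

    for header, body in split_sections(config):
        if header is None:
            global_cmds.extend(body)
            continue
        if "authentication-mode none" in body:
            findings.append(("HIGH", header,
                             "authentication-mode none: anyone reaching the port gets a shell"))
        if any(c.startswith("set authentication password simple") for c in body):
            findings.append(("MEDIUM", header,
                             "login password stored in plain text (simple); use cipher"))
        if header.startswith("user-interface vty"):
            if not any(re.match(r"acl \d+ (inbound|outbound)$", c) for c in body):
                findings.append(("MEDIUM", header,
                                 "no ACL applied: Telnet/SSH accepted from any source address"))
            proto = next((c for c in body if c.startswith("protocol inbound")),
                         "protocol inbound all")        # default: Telnet and SSH (page)
            if proto != "protocol inbound ssh":
                findings.append(("MEDIUM", header,
                                 f"Telnet reachable ({proto}): credentials cross the network in clear"))

    if any(re.match(r"super password level \d simple", c) for c in global_cmds):
        findings.append(("MEDIUM", "global", "super password stored in plain text (simple)"))
    if "ip http shutdown" not in global_cmds:       # Web server is on by default (page)
        findings.append(("LOW", "global", "Web server enabled: TCP 80 open, HTTP is unencrypted"))
        if not any(c.startswith("ip http acl") for c in global_cmds):
            findings.append(("LOW", "global", "Web access not restricted by an ACL (ip http acl)"))
    return findings


def severity_counts(config: str) -> Dict[str, int]:
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for sev, _, _ in audit(config):
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    for sev, where, msg in audit(WEAK_CONFIG):
        print(f"{sev:6} {where:24} {msg}")
```

Run against the weak sample the script reports one HIGH (the VTY range that needs no password), four MEDIUM (the two plain-text passwords, the missing VTY ACL, Telnet still reachable) and two LOW (Web server on with no ACL); the hardened sample reports nothing. The parser is deliberately line-based so the same checks can be run on a configuration pulled over TFTP or pasted from a terminal.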
Logging In Through NMS

Go to these sections for information you are interested in:
Introduction
Connection Establishment Using NMS

Introduction

You can also log in to a switch through a Network Management Station (NMS), and then configure and manage the switch through the agent software on the switch. Simple Network Management Protocol (SNMP) is applied between the NMS and the agent.
User Control

Go to these sections for information you are interested in:
Introduction
Controlling Telnet Users
Controlling Network Management Users by Source IP Addresses
Controlling Web Users by Source IP Address

Refer to the ACL part for information about ACL.

Introduction

You can control users logging in through Telnet, SNMP and Web by defining Access Control Lists (ACLs), as listed in...
If no ACL is configured on the VTY user interface, users are not controlled when establishing a Telnet connection using this user interface. If an ACL is configured on the VTY user interface, there will be two possibilities: if the packets for establishing a Telnet connection match the ACL rule configured on the VTY user interface, the connection will be permitted or denied according to the ACL rule;...
To do: Apply an ACL to control Telnet users, applying a basic or advanced ACL
Use the command: acl acl-number { inbound | outbound }
Remarks: Required. Use either command. The inbound keyword specifies to filter the users trying to Telnet to the current switch.
Defining an ACL
Applying the ACL to control users accessing the switch through SNMP

To control whether an NMS can manage the switch, you can use this function.

Prerequisites

The controlling policy against network management users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).
Network diagram

Figure 8-2 Network diagram for controlling SNMP users using ACLs (Host A 10.110.100.46 and Host B 10.110.100.52 reach the switch across an IP network)

Configuration procedure

# Define a basic ACL.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] quit
# Apply the ACL so that only SNMP users sourced from the IP address 10.110.100.52 can access the switch.
To do: Enter system view
Use the command: system-view
Remarks: —

To do: Create a basic ACL or enter basic ACL view
Use the command: acl number acl-number [ match-order { config | auto } ]
Remarks: As for the acl number command, the config keyword is specified by default.
[Sysname-acl-basic-2030] quit
# Apply ACL 2030 so that only Web users sourced from the IP address 10.110.100.52 can access the switch.
[Sysname] ip http acl 2030...
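The Telnet, SNMP and Web controls above all reduce to the same decision: a basic ACL is applied, the source address of the incoming connection is compared against the rules in order, and the first matching rule permits or denies the login. The simulation below is an added example (not 3Com code) that implements that decision for the wildcard-mask rule syntax used on this page, including the config and auto match orders from the acl number command. Two behaviours are assumptions and are labelled as such in the code: the page is cut off before it says what happens when an ACL is applied but no rule matches, so that default is a parameter, and the auto (depth-first) order is modelled simply by trying the rule with the fewest wildcard bits first. ACL 2000 is the one from the SNMP example; ACL 2001 is constructed.

```python
"""Simulate how a basic ACL applied with 'acl <n> inbound' decides whether a
login from a given source address is accepted."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def _addr(text: str) -> int:
    """Dotted IPv4 to int; the CLI allows the shorthand '0' for 0.0.0.0."""
    return 0 if text == "0" else int(IPv4Address(text))


@dataclass(frozen=True)
class Rule:
    number: int
    action: str       # "permit" or "deny"
    source: int       # source address as an integer
    wildcard: int     # wildcard mask: 0 bits must match, 1 bits are ignored

    def matches(self, src: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (_addr(src) & care) == (self.source & care)


def parse_rule(text: str) -> Rule:
    """Parse 'rule 1 permit source 10.110.100.52 0' (the form used on this page);
    'source any' is accepted too."""
    parts = text.split()
    if len(parts) < 5 or parts[0] != "rule" or parts[3] != "source":
        raise ValueError(f"unsupported rule syntax: {text!r}")
    if parts[4] == "any":
        source, wildcard = 0, 0xFFFFFFFF
    else:
        source = _addr(parts[4])
        wildcard = _addr(parts[5]) if len(parts) > 5 else 0   # no mask = exact host
    return Rule(int(parts[1]), parts[2], source, wildcard)


@dataclass
class BasicAcl:
    number: int
    rules: List[Rule] = field(default_factory=list)
    match_order: str = "config"   # 'config' is the CLI default; 'auto' is depth-first

    def ordered_rules(self) -> List[Rule]:
        if self.match_order == "config":
            return list(self.rules)
        # 'auto' (depth-first): rules covering a smaller address range are tried first.
        # Assumption: depth-first order is modelled here by counting wildcard bits only.
        return sorted(self.rules, key=lambda r: bin(r.wildcard).count("1"))

    def decide(self, src: str, unmatched: str) -> Tuple[str, Optional[int]]:
        """First matching rule wins; 'unmatched' applies when no rule matches."""
        for rule in self.ordered_rules():
            if rule.matches(src):
                return rule.action, rule.number
        return unmatched, None


def login_allowed(acl: Optional[BasicAcl], src: str, unmatched: str = "deny") -> bool:
    """No ACL on the interface: every source is accepted (as the page states). With an
    ACL, the matching rule decides. The page is cut off before it says what happens
    when no rule matches, so that default is a parameter; confirm it on your device."""
    if acl is None:
        return True
    action, _ = acl.decide(src, unmatched)
    return action == "permit"


# ACL 2000 from the SNMP example on this page, plus a constructed ACL 2001 whose
# result depends on the match order.
ACL_2000 = BasicAcl(2000, [parse_rule("rule 1 permit source 10.110.100.52 0")])
ACL_2001 = BasicAcl(2001, [parse_rule("rule 1 deny source 10.110.100.0 0.0.0.255"),
                           parse_rule("rule 2 permit source 10.110.100.52 0")])

if __name__ == "__main__":
    for host in ("10.110.100.52", "10.110.100.46"):
        print(host, "allowed" if login_allowed(ACL_2000, host) else "denied")
```

With ACL 2000 applied, Host B (10.110.100.52) is permitted and Host A (10.110.100.46) matches nothing, so its fate is whatever the unmatched default is. ACL 2001 shows why the match order is worth checking in a review: in config order the /24 deny rule is hit first and 10.110.100.52 is locked out, whereas in auto order the host rule is tried first and the same address is admitted.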
Table of Contents

1 Configuration File Management (1-1)
  Introduction to Configuration File (1-1)
  Management of Configuration File (1-2)
    Saving the Current Configuration (1-2)
    Erasing the Startup Configuration File (1-3)
    Specifying a Configuration File for Next Startup (1-4)
    Displaying Device Configuration (1-5)
...
Configuration File Management

Introduction to Configuration File

A configuration file records and stores the user configuration performed on a switch. It also enables users to check switch configurations easily.

Types of configuration

The configuration of a device falls into two types:
Saved configuration, a configuration file used for initialization.
When setting the configuration file for next startup, you can specify to use the main or backup configuration file.

Startup with the configuration file

When booting, the system chooses the configuration file following the rules below:
If the main configuration file exists, the device initializes with this configuration.
If the main configuration file does not exist but the backup configuration file exists, the device initializes with the backup configuration.
Switch 4210 does not support the safe mode. When you are saving a configuration file using the save safely command, if the device reboots or the power fails during the saving process, the configuration file will be lost.

Three attributes of the configuration file

Main attribute.
While the reset saved-configuration [ main ] command erases the configuration file with main attribute, it only erases the main attribute of a configuration file having both main and backup attribute. While the reset saved-configuration backup command erases the configuration file with backup attribute, it only erases the backup attribute of a configuration file having both main and backup attribute.
Displaying Device Configuration

After the above configuration, you can execute the display command in any view to display the current and initial configurations of the device, so as to verify your configuration.

Table 1-5 Display device configuration

Operation: Display the initial configuration file saved in the storage device
Command: display saved-configuration [ unit...
Description:...
Table of Contents

1 VLAN Overview (1-1)
  VLAN Overview (1-1)
    Introduction to VLAN (1-1)
    Advantages of VLANs (1-2)
    VLAN Fundamentals (1-2)
    VLAN Interface (1-4)
    VLAN Classification (1-4)
  Port-Based VLAN (1-4)
    Link Types of Ethernet Ports (1-5)
    Assigning an Ethernet Port to Specified VLANs (1-5)
    Configuring the Default VLAN ID for a Port (1-5)
2 VLAN Configuration (2-1)
  VLAN Configuration (2-1)
...
VLAN Overview

This chapter covers these topics:
VLAN Overview
Port-Based VLAN

VLAN Overview

Introduction to VLAN

Traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and are connected to each other through hubs or switches. Hubs and switches, which are the basic network connection devices, have limited forwarding functions.
Figure 1-1 A VLAN implementation

Advantages of VLANs

Compared with traditional Ethernet technology, VLAN technology delivers the following benefits:
Confining broadcast traffic within individual VLANs. This saves bandwidth and improves network performance.
Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2.
Figure 1-3 Format of VLAN tag A VLAN tag comprises four fields: tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID. The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN tagged. On the Switch 4210, the default TPID is 0x8100.
Independent VLAN learning (IVL), where the switch maintains an independent MAC address forwarding table for each VLAN. The source MAC address of a packet received in a VLAN on a port is recorded to the MAC address forwarding table of this VLAN only, and packets received in a VLAN are forwarded according to the MAC address forwarding table for the VLAN.
Port-based VLANs are easy to implement and manage and applicable to hosts with relatively fixed positions. Link Types of Ethernet Ports You can configure the link type of a port as access, trunk, or hybrid. The three link types use different VLAN tag handling methods.
Table 1-1 Packet processing of an access port

Processing of an incoming untagged packet: Receive the packet and tag it with the default VLAN ID.
Processing of an incoming tagged packet: If the VLAN ID is just the default VLAN ID, receive the packet.
Processing of an outgoing packet: Strip the tag from the packet and then send it.
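The tag format in Figure 1-3 and the access-port rules in Table 1-1 are easiest to check against real bytes. The following is an added example, not code from 3Com or from this guide: it parses and builds 802.1Q-tagged frames (TPID 0x8100, then a 16-bit TCI holding the 3-bit priority, the CFI bit and the 12-bit VLAN ID) and applies the ingress and egress rules of an access port as the table gives them. It also models a trunk port, which the guide covers later; the trunk rules (accept tagged frames only for permitted VLANs, send the port's own default VLAN untagged and every other permitted VLAN tagged) and the access-port handling of a tagged frame that does not carry the default VLAN ID (dropped) are standard 802.1Q behaviour assumed here, since that row of the table is cut off on this page. The frames are constructed samples.

```python
"""Parse and build 802.1Q-tagged Ethernet frames and apply the access/trunk port rules."""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

TPID_8021Q = 0x8100   # default TPID on the Switch 4210 (page)


@dataclass(frozen=True)
class VlanTag:
    priority: int   # 3-bit priority
    cfi: int        # 1-bit canonical format indicator
    vid: int        # 12-bit VLAN ID (0-4095)

    def tci(self) -> int:
        return (self.priority << 13) | (self.cfi << 12) | (self.vid & 0x0FFF)


Frame = Tuple[bytes, bytes, Optional[VlanTag], int, bytes]   # dst, src, tag, ethertype, payload


def parse_frame(raw: bytes) -> Frame:
    """Split an Ethernet frame; a tag is present when the 16 bits after the MAC
    addresses carry the TPID 0x8100."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, raw[14:]
    if len(raw) < 18:
        raise ValueError("frame too short for a VLAN tag")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    tag = VlanTag(priority=tci >> 13, cfi=(tci >> 12) & 1, vid=tci & 0x0FFF)
    return dst, src, tag, inner_type, raw[18:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                tag: Optional[VlanTag] = None) -> bytes:
    if tag is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    return dst + src + struct.pack("!HHH", TPID_8021Q, tag.tci(), ethertype) + payload


@dataclass
class Port:
    link_type: str                 # "access" or "trunk"
    pvid: int = 1                  # default VLAN ID; every port starts in VLAN 1 (page)
    permitted: Set[int] = field(default_factory=lambda: {1})   # trunk: port trunk permit vlan

    def ingress(self, raw: bytes) -> Optional[int]:
        """VLAN the frame is received into, or None if the port drops it."""
        _, _, tag, _, _ = parse_frame(raw)
        if tag is None:
            return self.pvid       # untagged: tagged with the default VLAN ID (page, access row)
        if self.link_type == "access":
            # Tagged with the default VLAN ID: received (page). Any other VID: dropped;
            # that row is cut off on the page, so this is standard 802.1Q behaviour assumed here.
            return tag.vid if tag.vid == self.pvid else None
        return tag.vid if tag.vid in self.permitted else None    # trunk (assumed)

    def egress(self, vid: int, dst: bytes, src: bytes, ethertype: int,
               payload: bytes) -> Optional[bytes]:
        """Frame as sent out of the port for VLAN vid, or None if not forwarded."""
        if self.link_type == "access":
            if vid != self.pvid:
                return None
            return build_frame(dst, src, ethertype, payload)        # tag stripped (page)
        if vid not in self.permitted:
            return None
        if vid == self.pvid:      # trunk sends its own default VLAN untagged (assumed)
            return build_frame(dst, src, ethertype, payload)
        return build_frame(dst, src, ethertype, payload, VlanTag(0, 0, vid))


# Constructed sample frames: an IPv4 packet tagged with VLAN 101 at priority 5, and untagged.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
TAGGED_101 = build_frame(DST, SRC, 0x0800, b"\x45\x00\x00\x14", VlanTag(5, 0, 101))
UNTAGGED = build_frame(DST, SRC, 0x0800, b"\x45\x00\x00\x14")

if __name__ == "__main__":
    dmz_access = Port("access", pvid=101)
    uplink = Port("trunk", pvid=1, permitted={1, 101, 201})
    print("access pvid 101, tagged 101 ->", dmz_access.ingress(TAGGED_101))
    print("access pvid 1,   tagged 101 ->", Port("access", pvid=1).ingress(TAGGED_101))
    print("trunk, tagged 101 ->", uplink.ingress(TAGGED_101))
    print("trunk egress vlan 201:", uplink.egress(201, DST, SRC, 0x0800, b"")[12:18].hex())
```

The security point the model makes visible is the one behind the isolation claim above: an access port in VLAN 101 cannot be talked into VLAN 201 by a host that sends its own tag, because the tagged frame is dropped unless it carries the port's default VLAN ID, while a trunk forwards any VLAN in its permit list, so the permit list on an uplink is the boundary that needs reviewing.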
VLAN Configuration

When configuring a VLAN, go to these sections for information you are interested in:
VLAN Configuration
Configuring a Port-Based VLAN

VLAN Configuration

VLAN Configuration Task List

Complete the following tasks to configure VLAN:
Task: Basic VLAN Configuration. Remarks: Required
Task: Basic VLAN Interface Configuration. Remarks: Optional...
VLAN 1 is the system default VLAN, which does not need to be created and cannot be removed. The VLAN you created in the way described above is a static VLAN. The switch also has dynamic VLANs, which are registered through GVRP. For details, refer to the “GVRP” part of this manual.
The operation of enabling/disabling a VLAN’s VLAN interface does not influence the physical status of the Ethernet ports belonging to this VLAN. A Switch 4210 can be configured with a single VLAN interface only, and that VLAN must be the management VLAN.
To do: Add the current Access port to a specified VLAN
Use the command: port access vlan vlan-id
Remarks: Optional. By default, all Access ports belong to VLAN 1. To add an Access port to a VLAN, make sure the VLAN already exists.

Configuring a Hybrid-Port-Based VLAN

A Hybrid port may belong to multiple VLANs, and this configuration can only be performed in Ethernet port view.
To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enter Ethernet port view
Use the command: interface interface-type interface-number
Remarks: —

To do: Configure the port link type as Trunk
Use the command: port link-type trunk
Remarks: Required

To do: Allow the specified VLANs to pass through the current Trunk port
Use the command: port trunk permit vlan { vlan-id-list | all }
Remarks: Required. By default, all Trunk ports only...
Network diagram

Figure 2-1 Network diagram for VLAN configuration

Configuration procedure

Configure Switch A.
# Create VLAN 101, specify its descriptive string as “DMZ”, and add Ethernet1/0/1 to VLAN 101.
<SwitchA> system-view
[SwitchA] vlan 101
[SwitchA-vlan101] description DMZ
[SwitchA-vlan101] port Ethernet 1/0/1
[SwitchA-vlan101] quit
# Create VLAN 201, and add Ethernet1/0/2 to VLAN 201.
[SwitchA-Ethernet1/0/3] port trunk permit vlan 101
[SwitchA-Ethernet1/0/3] port trunk permit vlan 201
# Configure Ethernet1/0/10 of Switch B.
[SwitchB] interface Ethernet 1/0/10
[SwitchB-Ethernet1/0/10] port link-type trunk
[SwitchB-Ethernet1/0/10] port trunk permit vlan 101
[SwitchB-Ethernet1/0/10] port trunk permit vlan 201
Troubleshooting Ethernet Port Configuration
Symptom: Fail to configure the default VLAN ID of an Ethernet port.
Table of Contents
1 Management VLAN Configuration 1-1
Introduction to Management VLAN 1-1
Management VLAN 1-1
Static Route 1-1
Default Route 1-1
Management VLAN Configuration 1-2
Prerequisites 1-2
Configuring the Management VLAN 1-2
Configuration Example 1-3
Displaying and Maintaining management VLAN configuration 1-4
...
To manage an Ethernet switch remotely through Telnet or the built-in Web server, the switch needs to be assigned an IP address, and a route must exist between the user and the switch. On a 3Com series Layer 2 Ethernet switch, only the management VLAN interface can be assigned an IP address.
If no default route exists and the destination address of the packet is not in the routing table, the packet is discarded, and an ICMP destination unreachable message is returned to the source. The default route can be configured through a static route and exists in the routing table as a route destined to the network 0.0.0.0 (with the mask 0.0.0.0).
Configuration Example Network requirements For a user to manage Switch A remotely through Telnet, these requirements are to be met: Switch A has an IP address, and the remote Telnet user is reachable. You need to configure the switch as follows: Assigning an IP address to the management VLAN interface on Switch A Configuring the default route Network diagram...
[SwitchA-Vlan-interface10] ip address 1.1.1.1 255.255.255.0
[SwitchA-Vlan-interface10] quit
# Configure the default route.
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
Displaying and Maintaining management VLAN configuration
Table 1-2 Displaying and Maintaining management VLAN configuration
Operation: Display the IP-related information about a management VLAN interface. Command: display ip interface [ Vlan-interface vlan-id ]. Remarks: ...
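As an added example (not code from the manual or the switch), the following Python model shows the lookup behaviour described in the default-route discussion above: a default route 0.0.0.0 0.0.0.0 1.1.1.2 as configured on Switch A, longest-prefix match against the more specific connected subnet of Vlan-interface10, and the discard-plus-ICMP-unreachable outcome when no route matches. The connected-route label and the destination addresses are constructed for illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# (destination network, next hop) as one routing table entry
Route = Tuple[ipaddress.IPv4Network, str]


class RoutingTable:
    """Minimal model of the switch's routing table (added example).

    The default route is the entry for 0.0.0.0 with mask 0.0.0.0, i.e. the /0
    network: it matches every destination but loses to any longer prefix.
    """

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add_static(self, dest: str, mask: str, next_hop: str) -> None:
        # Mirrors "ip route-static dest mask next-hop"; strict=False tolerates
        # host bits being set in dest.
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        self.routes.append((net, next_hop))

    def lookup(self, destination: str) -> Optional[Route]:
        """Return the matching entry with the longest prefix, or None."""
        addr = ipaddress.IPv4Address(destination)
        best: Optional[Route] = None
        for route in self.routes:
            net, _ = route
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = route
        return best


def forward(table: RoutingTable, destination: str) -> Tuple[str, str]:
    """Decide what the switch does with a packet for `destination`.

    With a matching route the packet is forwarded to that next hop. With no
    matching route (and no default route) it is discarded and an ICMP
    destination unreachable message goes back to the source.
    """
    route = table.lookup(destination)
    if route is None:
        return ("discard", "ICMP destination unreachable sent to source")
    return ("forward", route[1])


def build_switch_a(with_default_route: bool) -> RoutingTable:
    """Routing table of Switch A from the configuration example above.

    The connected subnet 1.1.1.0/24 comes from the management VLAN interface
    address 1.1.1.1 255.255.255.0; its next hop is the interface itself
    (label constructed for this example).
    """
    table = RoutingTable()
    table.add_static("1.1.1.0", "255.255.255.0", "Vlan-interface10 (direct)")
    if with_default_route:
        # [SwitchA] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
        table.add_static("0.0.0.0", "0.0.0.0", "1.1.1.2")
    return table


if __name__ == "__main__":
    for has_default in (False, True):
        table = build_switch_a(has_default)
        for dst in ("1.1.1.7", "10.0.0.5"):
            state = "with" if has_default else "without"
            print(f"{state} default route, packet to {dst}: {forward(table, dst)}")
```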
Table of Contents
1 IP Addressing Configuration 1-1
IP Addressing Overview 1-1
IP Address Classes 1-1
Special Case IP Addresses 1-2
Subnetting and Masking 1-2
Configuring IP Addresses 1-3
Displaying IP Addressing Configuration 1-3
IP Address Configuration Examples 1-4
IP Address Configuration Example I 1-4
2 IP Performance Configuration 2-1
IP Performance Overview 2-1
Introduction to IP Performance Configuration 2-1
...
IP Addressing Configuration
IP Addressing Overview
IP Address Classes
IP addressing uses a 32-bit address to identify each host on a network. An example is 01010000100000001000000010000000 in binary. To make IP addresses in 32-bit form easier to read, they are written in dotted decimal notation, each being four octets in length, for example, 10.1.1.1 for the address just mentioned.
(Columns: Class / Address range / Description)
224.0.0.0 to 239.255.255.255: Multicast address.
240.0.0.0 to 255.255.255.255: Reserved for future use except for the broadcast address 255.255.255.255.
Special Case IP Addresses
The following IP addresses are for special use, and they cannot be used as host IP addresses:
IP address with an all-zeros net ID: Identifies a host on the local network.
255.0.0.0, 255.255.0.0, and 255.255.255.0 respectively.
Configuring IP Addresses
The 3Com Switch 4210 Family supports assigning IP addresses to VLAN interfaces and loopback interfaces. Besides directly assigning an IP address to a VLAN interface, you may configure a VLAN interface to obtain an IP address through BOOTP or DHCP.
Table 1-3 Display IP addressing configuration
Operation: Display information about a specified or all Layer 3 interfaces. Command: display ip interface [ interface-type interface-number ]. Remarks: Available in any view
Operation: Display brief configuration information about a specified or all Layer 3 interfaces. Command: display ip interface brief [ interface-type [ interface-number ] ]. Remarks: ...
IP Performance Configuration
IP Performance Overview
Introduction to IP Performance Configuration
In some network environments, you need to adjust the IP parameters to achieve the best network performance. The IP performance configuration supported by the Switch 4210 Family includes:
Configuring TCP attributes
Disabling ICMP to send error packets
Introduction to FIB
Every switch stores a forwarding information base (FIB).
Table 2-2 Configure TCP attributes
Operation: Enter system view. Command: system-view. Remarks: —
Operation: Configure TCP synwait timer’s timeout value. Command: tcp timer syn-timeout time-value. Remarks: Optional. By default, the timeout value is 75 seconds.
Operation: Configure TCP finwait timer’s timeout value. Command: tcp timer fin-timeout time-value. Remarks: Optional. By default, the timeout value is ...
Use the reset command in user view to clear the IP, TCP, and UDP traffic statistics.
Table 2-4 Display and maintain IP performance
Operation: Display TCP connection status. Command: display tcp status
Operation: Display TCP connection statistics. Command: display tcp statistics
Operation: Display UDP traffic statistics. Command: display udp statistics
Operation: Display IP traffic statistics. Command: ...
Table of Contents
1 DNS Configuration 1-1
DNS Overview 1-1
Static Domain Name Resolution 1-1
Dynamic Domain Name Resolution 1-1
Configuring Domain Name Resolution 1-2
Configuring Static Domain Name Resolution 1-2
Configuring Dynamic Domain Name Resolution 1-3
Displaying and Maintaining DNS 1-3
DNS Configuration Example 1-4
Static Domain Name Resolution Configuration Example 1-4
Dynamic Domain Name Resolution Configuration Example 1-5
Troubleshooting DNS 1-6
...
DNS Configuration
This chapter covers only IPv4 DNS configuration. For details about IPv6 DNS, refer to IPv6 Management Operation.
DNS Overview
The domain name system (DNS) is a mechanism that provides domain name-to-IP address translation for TCP/IP applications. With DNS, you can use memorable and meaningful domain names in some applications and let the DNS server resolve them into the correct IP addresses.
Figure 1-1 Dynamic domain name resolution
Figure 1-1 shows the relationship between the user program, the DNS client, and the DNS server. The resolver and the cache make up the DNS client. The user program and the DNS client run on the same device, while the DNS server and the DNS client usually run on different devices. Dynamic domain name resolution allows the DNS client to store the latest name-to-IP-address mappings in its dynamic domain name cache.
The IP address you assign to a host name overwrites any IP address assigned to it previously. You may create up to 50 static mappings between domain names and IP addresses.
Configuring Dynamic Domain Name Resolution
Table 1-2 Configure dynamic domain name resolution
...
Operation: Clear the information in the dynamic domain name cache. Command: reset dns dynamic-host. Remarks: Available in user view
DNS Configuration Example
Static Domain Name Resolution Configuration Example
Network requirements
The switch uses static domain name resolution to access host 10.1.1.2 through domain name host.com.
Dynamic Domain Name Resolution Configuration Example Network requirements As shown in Figure 1-3, the switch serving as a DNS client uses dynamic domain name resolution to access the host at 3.1.1.1/16 through its domain name host. The DNS server has the IP address 2.1.1.2/16.
Reply from 3.1.1.1: bytes=56 Sequence=2 ttl=125 time=4 ms
Reply from 3.1.1.1: bytes=56 Sequence=3 ttl=125 time=4 ms
Reply from 3.1.1.1: bytes=56 Sequence=4 ttl=125 time=4 ms
Reply from 3.1.1.1: bytes=56 Sequence=5 ttl=125 time=5 ms
--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 4/4/5 ms
...
Table of Contents
1 Voice VLAN Configuration 1-1
Voice VLAN Overview 1-1
How an IP Phone Works 1-1
How Switch S4210 Identify Voice Traffic 1-3
Setting the Voice Traffic Transmission Priority 1-3
Configuring Voice VLAN Assignment Mode of a Port 1-4
Support for Voice VLAN on Various Ports 1-4
Security Mode of Voice VLAN 1-6
Voice VLAN Configuration 1-7
Configuration Prerequisites 1-7
...
Voice VLAN Configuration
When configuring voice VLAN, go to these sections for information you are interested in:
Voice VLAN Overview
Voice VLAN Configuration
Displaying and Maintaining Voice VLAN
Voice VLAN Configuration Example
Voice VLAN Overview
Voice VLANs are VLANs configured specially for voice traffic. By adding the ports connected with voice devices to voice VLANs, you can have voice traffic transmitted within voice VLANs and perform QoS-related configuration and prioritization for voice traffic as required, thus ensuring the transmission priority of voice traffic and voice quality.
Figure 1-1 Network diagram for IP phones As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission. An IP phone goes through the following three phases to become capable of transmitting voice data.
Set the DSCP value to 46.
Configuring Voice VLAN Assignment Mode of a Port
A port can work in automatic voice VLAN assignment mode or manual voice VLAN assignment mode. You can configure the voice VLAN assignment mode for a port according to data traffic passing through the port.
Table 1-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically
(Columns: Port type / Voice VLAN assignment mode / Voice traffic type / Supported or not)
Access: Not supported
Trunk, tagged voice traffic: Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of ...
Table 1-3 Matching relationship between port types and voice devices acquiring voice VLAN through manual configuration
(Columns: Port type / Voice VLAN assignment mode / Supported or not)
Access: Not supported
Trunk, Automatic: Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of the ...
Table 1-4 How a packet is handled when the voice VLAN is operating in different modes
(Columns: Voice VLAN Mode / Packet Type / Processing Method)
Untagged packet: If the source MAC address of the packet matches the OUI list, the packet is transmitted in the voice VLAN.
Packet carrying the voice ...
... and the voice vlan qos trust command can overwrite each other, whichever is configured last.
Configure the QoS priority settings for voice traffic on an interface before enabling voice VLAN on the interface. If the configuration order is reversed, your priority trust setting will fail.
Configuring the Voice VLAN to Operate in Automatic Voice VLAN Assignment Mode
Follow these steps to configure a voice VLAN to operate in automatic voice VLAN assignment mode:
...
A port working in automatic voice VLAN assignment mode cannot be assigned to the voice VLAN manually. Therefore, if a VLAN is configured as the voice VLAN and a protocol-based VLAN at the same time, the protocol-based VLAN function cannot be bound with the port. For information about protocol-based VLANs, refer to VLAN Configuration in this manual.
Operation: Enter port view. Command: interface interface-type interface-number. Remarks: Required
Operation: Enable voice VLAN on a port. Command: voice vlan enable. Remarks: Required. By default, voice VLAN is disabled on a port.
Operation: Enable the voice VLAN legacy function on the port. Command: voice vlan legacy. Remarks: Optional. By default, voice VLAN ...
VLAN. If you have to do so, make sure that the voice VLAN does not operate in security mode. The voice VLAN legacy feature enables communication between 3Com devices and other vendors’ voice devices by automatically adding the voice VLAN tag to the voice data coming from other vendors’ ...
Voice VLAN Configuration Example
Voice VLAN Configuration Example (Automatic Voice VLAN Assignment Mode)
Network requirements
Create a voice VLAN and configure it to operate in automatic voice VLAN assignment mode to enable the port to which an IP phone is connected to join or exit the voice VLAN automatically and voice traffic to be transmitted within the voice VLAN.
[DeviceA-Ethernet1/0/1] voice vlan mode auto
# Configure Ethernet 1/0/1 as a hybrid port.
[DeviceA-Ethernet1/0/1] port link-type hybrid
# Configure VLAN 6 as the default VLAN of Ethernet 1/0/1, and configure Ethernet 1/0/1 to permit packets with the tag of VLAN 6.
[DeviceA-Ethernet1/0/1] port hybrid pvid vlan 6
[DeviceA-Ethernet1/0/1] port hybrid vlan 6 tagged
# Enable the voice VLAN function on Ethernet 1/0/1.
# Display the OUI addresses, the corresponding OUI address masks and the corresponding description strings that the system supports.
<DeviceA> display voice vlan oui
Oui Address     Mask            Description
0003-6b00-0000  ffff-ff00-0000  Cisco phone
000f-e200-0000  ffff-ff00-0000  3Com Aolynk phone
0011-2200-0000  ffff-ff00-0000  test
00d0-1e00-0000  ffff-ff00-0000  Pingtel phone
00e0-7500-0000  ffff-ff00-0000  Polycom phone
00e0-bb00-0000  ...
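The OUI matching that Table 1-4 describes for untagged packets, and the OUI list shown by display voice vlan oui above, as an added Python example (not switch code): the display rows are parsed, and a source MAC is compared with each entry under its mask, so an untagged frame is classed as voice traffic only when its vendor prefix is in the list. The sample output is the page's own display output minus the truncated last row; the source MACs are constructed.

```python
import re
from typing import List, Optional, Tuple

# Rows of the "display voice vlan oui" output shown above (the truncated last
# row is left out).
OUI_TABLE = """\
Oui Address     Mask            Description
0003-6b00-0000  ffff-ff00-0000  Cisco phone
000f-e200-0000  ffff-ff00-0000  3Com Aolynk phone
0011-2200-0000  ffff-ff00-0000  test
00d0-1e00-0000  ffff-ff00-0000  Pingtel phone
00e0-7500-0000  ffff-ff00-0000  Polycom phone
"""

OuiEntry = Tuple[int, int, str]  # (oui bits, mask bits, description)


def mac_to_int(mac: str) -> int:
    """Accept hhhh-hhhh-hhhh, hh:hh:hh:hh:hh:hh or hhhh.hhhh.hhhh notation."""
    digits = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def parse_oui_table(text: str) -> List[OuiEntry]:
    """Parse the display output into (oui, mask, description) tuples."""
    entries: List[OuiEntry] = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3 or parts[0].lower() == "oui":
            continue  # blank line or the column header
        entries.append((mac_to_int(parts[0]), mac_to_int(parts[1]), parts[2].strip()))
    return entries


def match_oui(src_mac: str, entries: List[OuiEntry]) -> Optional[str]:
    """Return the description of the first OUI entry the source MAC matches.

    A match means (mac AND mask) == (oui AND mask); with the ffff-ff00-0000
    masks above only the first three bytes (the vendor prefix) are compared.
    None means the source MAC is not in the OUI list.
    """
    mac = mac_to_int(src_mac)
    for oui, mask, description in entries:
        if mac & mask == oui & mask:
            return description
    return None


def is_voice_untagged(src_mac: str, entries: List[OuiEntry]) -> bool:
    """Table 1-4 rule for an untagged packet: OUI match -> sent in the voice VLAN."""
    return match_oui(src_mac, entries) is not None


if __name__ == "__main__":
    table = parse_oui_table(OUI_TABLE)
    # Constructed source MACs: two that match list entries, one that does not.
    for mac in ("00e0-7500-1a2b", "00:03:6b:12:34:56", "0011-2300-0000"):
        print(mac, "->", match_oui(mac, table), "| voice:", is_voice_untagged(mac, table))
```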
Table of Contents
1 GVRP Configuration 1-1
Introduction to GVRP 1-1
GARP 1-1
GVRP 1-4
Protocol Specifications 1-4
GVRP Configuration 1-4
GVRP Configuration Tasks 1-4
Enabling GVRP 1-4
Configuring GVRP Timers 1-5
Configuring GVRP Port Registration Mode 1-6
Displaying and Maintaining GVRP 1-7
GVRP Configuration Example 1-7
GVRP Configuration Example 1-7
...
GVRP Configuration
When configuring GVRP, go to these sections for information you are interested in:
Introduction to GVRP
GVRP Configuration
Displaying and Maintaining GVRP
GVRP Configuration Example
Introduction to GVRP
GARP VLAN registration protocol (GVRP) is an implementation of generic attribute registration protocol (GARP).
GARP timers
Timers determine the intervals of sending different types of GARP messages. GARP defines four timers to control the period of sending GARP messages.
Hold: When a GARP entity receives a piece of registration information, it does not send out a Join message immediately.
Figure 1-1 Format of GARP packets
The following table describes the fields of a GARP packet.
Table 1-1 Description of GARP packet fields
(Columns: Field / Description / Value)
Protocol ID: Protocol ID.
Message: Each message consists of two parts: Attribute Type and Attribute List. Value: —
Attribute Type: Defined by the specific GARP ... Value: The attribute type of GVRP is 0x01.
GVRP As an implementation of GARP, GARP VLAN registration protocol (GVRP) maintains dynamic VLAN registration information and propagates the information to the other switches through GARP. With GVRP enabled on a device, the VLAN registration information received by the device from other devices is used to dynamically update the local VLAN registration information, including the information about the VLAN members, the ports through which the VLAN members can be reached, and so on.
Operation: Enter system view. Command: system-view. Remarks: —
Operation: Enable GVRP globally. Command: gvrp. Remarks: Required. By default, GVRP is disabled globally.
Operation: Enter Ethernet port view. Command: interface interface-type interface-number. Remarks: —
Operation: Enable GVRP on the port. Command: gvrp. Remarks: Required. By default, GVRP is disabled on the port.
Table 1-2 Relations between the timers
(Columns: Timer / Lower threshold / Upper threshold)
Hold: Lower threshold 10 centiseconds. Upper threshold: less than or equal to one-half of the timeout time of the Join timer. You can change the threshold by changing the timeout time of the Join timer.
Displaying and Maintaining GVRP
Operation: Display GARP statistics. Command: display garp statistics [ interface interface-list ]. Remarks: Available in any view
Operation: Display the settings of the GARP timers. Command: display garp timer [ interface interface-list ]
Operation: Display GVRP statistics. Command: display gvrp statistics [ interface interface-list ]
...
[SwitchA-Ethernet1/0/1] port link-type trunk
[SwitchA-Ethernet1/0/1] port trunk permit vlan all
# Enable GVRP on Ethernet1/0/1.
[SwitchA-Ethernet1/0/1] gvrp
[SwitchA-Ethernet1/0/1] quit
# Configure Ethernet1/0/2 to be a trunk port and to permit the packets of all the VLANs.
[SwitchA] interface Ethernet 1/0/2
[SwitchA-Ethernet1/0/2] port link-type trunk
[SwitchA-Ethernet1/0/2] port trunk permit vlan all
# Enable GVRP on Ethernet1/0/2.
The following dynamic VLANs exist: 5, 7, 8,
# Display the VLAN information dynamically registered on Switch B.
[SwitchB] display vlan dynamic
Total 3 dynamic VLAN exist(s).
The following dynamic VLANs exist: 5, 7, 8,
# Display the VLAN information dynamically registered on Switch E.
[SwitchE] display vlan dynamic
Total 1 dynamic VLAN exist(s).
5, 8,
# Display the VLAN information dynamically registered on Switch E.
[SwitchE] display vlan dynamic
No dynamic vlans exist!
Table of Contents
1 Port Basic Configuration 1-1
Ethernet Port Configuration 1-1
Combo Port Configuration 1-1
Initially Configuring a Port 1-2
Configuring Port Auto-Negotiation Speed 1-2
Limiting Traffic on individual Ports 1-3
Enabling Flow Control on a Port 1-4
Duplicating the Configuration of a Port to Other Ports 1-4
Configuring Loopback Detection for an Ethernet Port 1-5
Configuring Loopback Detection for Ethernet Port(s) 1-6
Enabling Loopback Test 1-7
...
(Combo port table, partially recovered: GigabitEthernet1/0/17; Switch 4210 18-Port; Switch 4210 PWR 18-Port; GigabitEthernet1/0/20; GigabitEthernet1/0/18; Switch 4210 9-Port; GigabitEthernet1/0/10; GigabitEthernet1/0/9; Switch 4210 PWR 9-Port)
Switch 4210 52-Port does not support Combo port, but it provides two 10/100/1000Base-T auto-sensing Ethernet ports and two 100/1000Base-X SFP ports on the front panel.
In case of a Combo port, only one interface (either the optical port or the electrical port) is active at a time. That is, once the optical port is active, the electrical port will be inactive automatically, and vice versa.
Initially Configuring a Port
Table 1-2 Initially configure a port
...
If you expect that 10 Mbps and 1000 Mbps are the available auto-negotiation speeds of the port, you just need to configure speed auto 10 1000.
Follow these steps to configure auto-negotiation speeds for a port:
Operation: Enter system view. Command: system-view
...
Operation: Limit unknown multicast and unknown unicast traffic received on the current port. Command: multicast-suppression bps max-bps. Remarks: Optional. The switch will suppress the unknown multicast and unknown unicast traffic simultaneously after the configuration. By default, the switch does not suppress unknown multicast and unknown unicast traffic.
If you specify a source aggregation group ID, the system will use the port with the smallest port number in the aggregation group as the source. If you specify a destination aggregation group ID, the configuration of the source port will be copied to all ports in the aggregation group and all ports in the group will have the same configuration as that of the source port.
Configuring Loopback Detection for Ethernet Port(s)
Table 1-6 Configure loopback detection for Ethernet port(s)
Operation: Enter system view. Command: system-view. Remarks: —
Operation: Enable loopback detection globally. Command: loopback-detection enable. Remarks: Optional. By default, the global loopback detection function is enabled if the device boots with the default configuration file (config.def); ...
To enable loopback detection on a specific port, you must use the loopback-detection enable command in both system view and the specific port view. After you use the undo loopback-detection enable command in system view, loopback detection will be disabled on all ports. Enabling Loopback Test You can configure the Ethernet port to run loopback test to check if it operates normally.
Table 1-8 Enable the system to test connected cables
Operation: Enter system view. Command: system-view. Remarks: —
Operation: Enter Ethernet port view. Command: interface interface-type interface-number. Remarks: —
Operation: Enable the system to test connected cables. Command: virtual-cable-test. Remarks: Required
Currently, the device is only capable of testing the cable status and cable length. For the testing items that are currently not supported, “-” ...
After you allow a port to output the Up/Down log information, if the physical link status of the port does not change, the switch does not send log information to the log server but monitors the port in real time.
Disable Up/Down log output on a port
Table 1-10 Disable Up/Down log output on a port
...
When a type of traffic on the port falls back to the specified lower threshold, the system cancels the blocking of this type of traffic on the port or brings up the port to restore traffic forwarding for the port, and outputs log/trap information according to your configuration.
The port state change delay takes effect when the port goes down but not when the port goes up.
Table 1-11 Set the port state change delay
Operation: Enter system view. Command: system-view. Remarks: —
Operation: Enter Ethernet interface ... Command: interface interface-type ... Remarks: —
...
Displaying and Maintaining Basic Port Configuration
Table 1-12 Display and maintain basic port configuration
Operation: Display port configuration information. Command: display interface [ interface-type | interface-type interface-number ]
Operation: Display the enable/disable status of port loopback detection. Command: display loopback-detection
Operation: Display brief information about ... Command: display brief interface [ interface-type [ interface-number ] ] [ | { begin ...
Only the configuration for Switch A is listed below. The configuration for Switch B is similar to that of Switch A. This example supposes that VLAN 2, VLAN 6 through VLAN 50 and VLAN 100 have been created. # Enter Ethernet 1/0/1 port view. <Sysname>...
Table of Contents
1 Link Aggregation Configuration 1-1
Overview 1-1
Introduction to Link Aggregation 1-1
Introduction to LACP 1-1
Operational Key 1-2
Requirements on Ports for Link Aggregation 1-2
Link Aggregation Classification 1-2
Manual Aggregation Group 1-2
Static LACP Aggregation Group 1-3
Dynamic LACP Aggregation Group 1-4
Aggregation Group Categories 1-5
Link Aggregation Configuration 1-6
Configuring a Manual Aggregation Group 1-6
...
Link Aggregation Configuration Overview Introduction to Link Aggregation Link aggregation can aggregate multiple Ethernet ports together to form a logical aggregation group. To upper layer entities, all the physical links in an aggregation group are a single logical link. Link aggregation is designed to increase bandwidth by implementing outgoing/incoming load sharing among the member ports in an aggregation group.
Switch 4210 Family switches that support extended LACP functions can be used as intermediate devices in LACP MAD implementations. For details about IRF, member devices, intermediate devices, and the LACP MAD mechanism, see the operation manuals of IRF-supported devices.
Operational Key
The operational key is generated by the system.
LACP is disabled on the member ports of manual aggregation groups, and you cannot enable LACP on ports in a manual aggregation group.
Port status in manual aggregation group
A port in a manual aggregation group can be in one of two states: selected or unselected. In a manual aggregation group, only the selected ports can forward user service packets.
Ports connected to a peer device other than the one the master port is connected to are unselected, as are ports connected to the same peer device as the master port but to a peer port that is not in the same aggregation group as the master port’s peer port. The system also sets ports whose basic port configuration differs from that of the master port to the unselected state.
When the rate or duplex mode of a port in the aggregation group changes, packet loss may occur on that port. When the rate of a port decreases, the port is switched to the unselected state if it belongs to a manual or static LACP aggregation group; if it belongs to a dynamic LACP aggregation group, the port is deaggregated.
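The selected/unselected rules above, worked through as an added Python example (it is not part of the 3Com guide and not switch code). The master port is taken to be the lowest-numbered member (an assumption; the guide defines master selection elsewhere), "basic port configuration" is reduced to rate and duplex, and the topology is constructed for the example:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PortConfig:
    """The 'basic port configuration' compared against the master port.
    Only rate and duplex are modelled here (an assumption for the example)."""
    speed_mbps: int
    duplex: str  # "full" or "half"


@dataclass
class Port:
    name: str
    index: int                  # position used to pick the master port
    config: PortConfig
    peer_device: str            # device at the far end of the link
    peer_port: str
    peer_group: Optional[int]   # aggregation group of the peer port, None if it is in no group
    forced_unselected: bool = False


@dataclass
class AggGroup:
    group_id: int
    group_type: str             # "manual", "static" or "dynamic"
    members: Dict[str, Port]


def master_port(group: AggGroup) -> Port:
    # Assumption: the master is the member port with the lowest index.
    return min(group.members.values(), key=lambda p: p.index)


def classify(group: AggGroup) -> Tuple[List[str], Dict[str, str]]:
    """Apply the selection rules from the text and return
    (selected port names, {unselected port name: reason})."""
    master = master_port(group)
    selected: List[str] = []
    unselected: Dict[str, str] = {}
    for p in sorted(group.members.values(), key=lambda p: p.index):
        if p.forced_unselected:
            unselected[p.name] = "rate decreased"
        elif p.peer_device != master.peer_device:
            unselected[p.name] = "connected to a different peer device than the master"
        elif p.peer_group != master.peer_group:
            unselected[p.name] = "peer port not in the same peer aggregation group as the master's peer"
        elif p.config != master.config:
            unselected[p.name] = "basic port configuration differs from the master"
        else:
            selected.append(p.name)
    return selected, unselected


def rate_decrease(group: AggGroup, port_name: str, new_speed: int) -> str:
    """Model a rate decrease on one member port: manual/static groups move the
    port to unselected, dynamic groups deaggregate (remove) it."""
    port = group.members[port_name]
    if new_speed >= port.config.speed_mbps:
        raise ValueError("not a rate decrease")
    port.config = PortConfig(new_speed, port.config.duplex)
    if group.group_type == "dynamic":
        del group.members[port_name]
        return "deaggregated"
    port.forced_unselected = True
    return "unselected"


def sample_group(group_type: str = "manual") -> AggGroup:
    """Constructed topology: Switch A ports Ethernet1/0/1..1/0/4 in group 1, peered
    with Switch B (1/0/1 and 1/0/2 in B's group 1, 1/0/5 in no group) and one
    cable mistakenly run to Switch C."""
    cfg = PortConfig(100, "full")
    ports = [
        Port("Ethernet1/0/1", 1, cfg, "SwitchB", "Ethernet1/0/1", 1),
        Port("Ethernet1/0/2", 2, cfg, "SwitchB", "Ethernet1/0/2", 1),
        Port("Ethernet1/0/3", 3, cfg, "SwitchB", "Ethernet1/0/5", None),
        Port("Ethernet1/0/4", 4, cfg, "SwitchC", "Ethernet1/0/1", 1),
    ]
    return AggGroup(1, group_type, {p.name: p for p in ports})


if __name__ == "__main__":
    g = sample_group()
    print(classify(g))
    print(rate_decrease(g, "Ethernet1/0/2", 10), classify(g))
```

Only Ethernet1/0/1 and Ethernet1/0/2 end up selected; the miscabled ports stay in the group but carry no user traffic, which is the behaviour to check for with display commands when an aggregation delivers less bandwidth than expected.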
Link Aggregation Configuration
Link aggregation commands and port loopback detection commands cannot be configured on a port at the same time. A port on which the mac-address max-mac-count command is configured cannot be added to an aggregation group. Conversely, the mac-address max-mac-count command cannot be configured on a port that has already been added to an aggregation group.
If the aggregation group you are creating already exists and contains ports, the only permitted type changes are from dynamic or static to manual, and from dynamic to static; no other type change can occur. When you change a dynamic or static group to a manual group, the system automatically disables LACP on the member ports.
Configuring a Dynamic LACP Aggregation Group
A dynamic LACP aggregation group is created automatically by the system from LACP-enabled ports, and LACP adds ports to and removes ports from the group automatically. You need to enable LACP on the ports that should participate in dynamic aggregation, because only when LACP is enabled on the ports at both ends can the two parties agree on adding ports to or removing ports from dynamic aggregation groups.
Configure a description for an aggregation group
  Command: link-aggregation group agg-id description agg-name
  Remarks: Optional. By default, no description is configured for an aggregation group.
If you have saved the current configuration with the save command, the configuration of manual and static aggregation groups and their descriptions survives a system reboot, but the configuration of dynamic aggregation groups and their descriptions is lost.
Network diagram
Figure 1-1 Network diagram for link aggregation configuration
Configuration procedure
The following lists only the configuration on Switch A; you must perform similar configuration on Switch B to implement link aggregation.
Adopting manual aggregation mode
# Create manual aggregation group 1.
<Sysname>...
[Sysname-Ethernet1/0/2] quit
[Sysname] interface Ethernet1/0/3
[Sysname-Ethernet1/0/3] port link-aggregation group 1
Adopting dynamic LACP aggregation mode
# Enable LACP on Ethernet1/0/1 through Ethernet1/0/3.
<Sysname> system-view
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] lacp enable
[Sysname-Ethernet1/0/1] quit
[Sysname] interface Ethernet1/0/2
[Sysname-Ethernet1/0/2] lacp enable
[Sysname-Ethernet1/0/2] quit
[Sysname] interface Ethernet1/0/3
[Sysname-Ethernet1/0/3] lacp enable
The three LACP-enabled ports can be aggregated into one dynamic aggregation group to implement...
Table of Contents
1 Port Isolation Configuration 1-1
  Port Isolation Overview 1-1
  Port Isolation Configuration 1-1
  Displaying Port Isolation Configuration 1-2
  Port Isolation Configuration Example 1-2...
Port Isolation Configuration
Port Isolation Overview
With the port isolation feature, you add the ports to be controlled to an isolation group, which isolates Layer 2 and Layer 3 traffic between the ports in that group. This lets you build the network more flexibly and improves network security.
When a member port of an aggregation group joins or leaves an isolation group, the other ports of the same aggregation group on the local device join or leave the isolation group at the same time. For ports that belong to both an aggregation group and an isolation group, removing one port from the aggregation group has no effect on the other ports.
Network diagram
Figure 1-1 Network diagram for port isolation configuration
Configuration procedure
# Add Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 to the isolation group.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet1/0/2
[Sysname-Ethernet1/0/2] port isolate
[Sysname-Ethernet1/0/2] quit
[Sysname] interface ethernet1/0/3
[Sysname-Ethernet1/0/3] port isolate
[Sysname-Ethernet1/0/3] quit...
Table of Contents
1 Port Security Configuration 1-1
  Port Security Overview 1-1
    Introduction 1-1
    Port Security Features 1-1
    Port Security Modes 1-1
  Port Security Configuration Task List 1-4
    Enabling Port Security 1-5
    Setting the Maximum Number of MAC Addresses Allowed on a Port 1-5
    Setting the Port Security Mode 1-6
    Configuring Port Security Features 1-7
    Configuring Guest VLAN for a Port in macAddressOrUserLoginSecure mode 1-8
    Ignoring the Authorization Information from the RADIUS Server 1-9...
Port Security Configuration
When configuring port security, go to these sections for information you are interested in:
Port Security Overview
Port Security Configuration Task List
Displaying and Maintaining Port Security Configuration
Port Security Configuration Example
Port Security Overview
Introduction
Port security is a security mechanism for network access control. It extends 802.1x and MAC address authentication.
Table 1-1 Description of port security modes
noRestriction
  Description: In this mode, access to the port is not restricted.
  Feature: In this mode, neither the NTK nor the intrusion protection feature is triggered.
autolearn
  Description: In this mode, the port automatically learns MAC addresses and changes them to security MAC addresses.
  Description: MAC-based 802.1x authentication is performed on the access user. The port is enabled only after the authentication succeeds. When the port is enabled, only the packets of the successfully authenticated user can pass through the port.
  Feature: In any of these modes, the...
macAddressElseUserLoginSecureExt
  Description: This mode is similar to the macAddressElseUserLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.
In macAddressElseUserLoginSecure mode, a port first performs MAC authentication for a user and then performs 802.1x authentication for the user if the user fails MAC authentication.
Enabling Port Security
Configuration Prerequisites
Before enabling port security, you need to disable 802.1x and MAC authentication globally.
Enabling Port Security
Follow these steps to enable port security:
Enter system view
  Command: system-view
Enable port security
  Command: port-security enable
  Remarks: Required. Disabled by default...
Enter Ethernet port view
  Command: interface interface-type interface-number
Set the maximum number of MAC addresses allowed on the port
  Command: port-security max-mac-count count-value
  Remarks: Required. Not limited by default
Setting the Port Security Mode
Follow these steps to set the port security mode:
To do...
If the port-security port-mode mode command has been executed on a port, none of the following can be configured on the same port:
- Maximum number of MAC addresses that the port can learn
- Reflector port for port mirroring
- Link aggregation
Configuring Port Security Features
Configuring the NTK feature
Follow these steps to configure the NTK feature:...
If you configure the NTK feature and execute the port-security intrusion-mode blockmac command on the same port, the switch cannot stop packets whose destination MAC address is illegal from being sent out that port; that is, the NTK feature does not take effect on packets whose destination MAC address is illegal.
Enter system view
  Command: system-view
Set the interval at which the switch triggers MAC address authentication after a port is added to the guest VLAN
  Command: port-security timer guest-vlan-reauth interval
  Remarks: Optional
Enter Ethernet port view
  Command: interface interface-type...
Enter Ethernet port view
  Command: interface interface-type interface-number
Ignore the authorization information from the RADIUS server
  Command: port-security authorization ignore
  Remarks: Required. By default, a port uses the authorization information from the RADIUS server.
Configuring Security MAC Addresses
A port in autolearn mode performs MAC address learning and maintains a security MAC address forwarding table.
Enter Ethernet port view
  Command: interface interface-type interface-number
Add a security MAC address
  Command: mac-address security mac-address vlan vlan-id (in Ethernet port view)
  Remarks: ...security MAC address is configured.
Configuring an aging time for learned security MAC address entries
By default, learned security MAC address entries are never aged out; they are deleted only when the port security feature is disabled or the security mode is no longer autolearn.
Display information about security MAC address configuration
  Command: display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]
Port Security Configuration Example
Network requirements
Implement access user restrictions through the following configuration on Ethernet 1/0/1 of the switch:
- Allow a maximum of 80 users to access the port without authentication, and permit the port to learn and add the MAC addresses of these users as security MAC addresses.
[Switch-Ethernet1/0/1] quit
[Switch] port-security timer disableport 30
Guest VLAN Configuration Example
Network requirements
As shown in Figure 1-2, Ethernet 1/0/2 connects to a PC and a printer, which are not used at the same time. Configure the port to operate in macAddressOrUserLoginSecure mode and specify a guest VLAN for the port.
[Switch] radius scheme 2000
[Switch-radius-2000] primary authentication 10.11.1.1 1812
[Switch-radius-2000] primary accounting 10.11.1.1 1813
[Switch-radius-2000] key authentication abc
[Switch-radius-2000] key accounting abc
[Switch-radius-2000] user-name-format without-domain
[Switch-radius-2000] quit
# Configure the ISP domain and apply the scheme 2000 to the domain.
[Switch] domain system
[Switch-isp-system] scheme radius-scheme 2000
[Switch-isp-system] quit...
Port Binding Configuration When configuring port binding, go to these sections for information you are interested in: Port Binding Overview Displaying and Maintaining Port Binding Configuration Port Binding Configuration Example Port Binding Overview Introduction Binding is a simple security mechanism. Through the binding configuration on the switch, you can filter the packets forwarded on the ports.
Enter Ethernet port view
  Command: interface interface-type interface-number
Bind a MAC address and/or an IP address to the port
  Command: am user-bind { mac-addr mac-address [ ip-addr ip-address ] | ip-addr ip-address } (in Ethernet port view)
  Remarks: ...address is bound to a specific port.
An IP address can be bound to only one port at a time. A MAC address can be bound to only one port at a time.
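A model of the binding table and its one-port-per-address rule, as an added Python example that is not part of the 3Com guide. The filtering rule it applies (a port with bindings forwards only packets whose source MAC and/or IP match one of its bindings, an unbound port is not filtered) is an assumption stated in the code; the bound address pair is the one from the configuration example below:

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


def norm_mac(mac: str) -> str:
    """Normalise a MAC written as 0001-0002-0003 or 00:01:00:02:00:03 to the
    switch's xxxx-xxxx-xxxx notation, rejecting anything malformed."""
    hexdigits = mac.replace("-", "").replace(":", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return f"{hexdigits[0:4]}-{hexdigits[4:8]}-{hexdigits[8:12]}"


@dataclass(frozen=True)
class Binding:
    mac: Optional[str]   # None when only an IP address is bound
    ip: Optional[str]    # None when only a MAC address is bound


class PortBindingTable:
    """Models am user-bind { mac-addr mac-address [ ip-addr ip-address ] | ip-addr ip-address }."""

    def __init__(self) -> None:
        self.by_port: Dict[str, List[Binding]] = {}

    def bind(self, port: str, mac: Optional[str] = None, ip: Optional[str] = None) -> Binding:
        if mac is None and ip is None:
            raise ValueError("a binding needs a MAC address, an IP address, or both")
        mac_n = norm_mac(mac) if mac is not None else None
        ip_n = str(ipaddress.IPv4Address(ip)) if ip is not None else None
        # Rule from the text: an IP address, and likewise a MAC address, can be
        # bound to only one port at a time.
        for other_port, entries in self.by_port.items():
            if other_port == port:
                continue
            for b in entries:
                if mac_n is not None and b.mac == mac_n:
                    raise ValueError(f"{mac_n} is already bound to {other_port}")
                if ip_n is not None and b.ip == ip_n:
                    raise ValueError(f"{ip_n} is already bound to {other_port}")
        binding = Binding(mac_n, ip_n)
        self.by_port.setdefault(port, []).append(binding)
        return binding

    def permits(self, port: str, src_mac: str, src_ip: str) -> bool:
        """Assumed filtering rule: a port with bindings forwards only packets
        whose source fields match one of its bindings; a port with no
        binding is left unfiltered."""
        entries = self.by_port.get(port)
        if not entries:
            return True
        src_mac = norm_mac(src_mac)
        src_ip = str(ipaddress.IPv4Address(src_ip))
        return any(
            (b.mac is None or b.mac == src_mac) and (b.ip is None or b.ip == src_ip)
            for b in entries
        )


if __name__ == "__main__":
    table = PortBindingTable()
    # Host A from the configuration example: MAC 0001-0002-0003, IP 10.12.1.1 on Ethernet1/0/1.
    table.bind("Ethernet1/0/1", mac="0001-0002-0003", ip="10.12.1.1")
    print(table.permits("Ethernet1/0/1", "0001-0002-0003", "10.12.1.1"))   # genuine Host A
    print(table.permits("Ethernet1/0/1", "0001-0002-0003", "10.12.1.99"))  # spoofed IP, same MAC
```

A MAC-only binding leaves the IP unchecked, so it only pins the station to the port; binding both fields is what stops a host on the same port from borrowing Host A's address.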
Configuration procedure
Configure Switch A as follows:
# Enter system view.
<SwitchA> system-view
# Enter Ethernet 1/0/1 port view.
[SwitchA] interface Ethernet 1/0/1
# Bind the MAC address and the IP address of Host A to Ethernet 1/0/1.
[SwitchA-Ethernet1/0/1] am user-bind mac-addr 0001-0002-0003 ip-addr 10.12.1.1...
Table of Contents
1 DLDP Configuration 1-1
  Overview 1-1
  DLDP Fundamentals 1-2
    DLDP packets 1-2
    DLDP Status 1-4
    DLDP Timers 1-4
    DLDP Operating Mode 1-5
    DLDP Implementation 1-6
    DLDP Neighbor State 1-8
    Link Auto-recovery Mechanism 1-8
  DLDP Configuration 1-9
    Performing Basic DLDP Configuration 1-9
    Resetting DLDP State 1-10
  Displaying and Maintaining DLDP 1-10
  DLDP Configuration Example 1-11...
DLDP Configuration When configuring DLDP, go to these sections for information you are interested in: Overview DLDP Fundamentals DLDP Configuration DLDP Configuration Example Overview Device link detection protocol (DLDP) is a kind of technology for dealing with unidirectional links that may occur in a network.
Figure 1-2 Fiber broken or not connected (Switch A GE1/1/1 and GE1/1/2 linked to Switch B GE1/1/1 and GE1/1/2)
Device link detection protocol (DLDP) can detect the link status of an optical fiber cable or copper twisted pair (such as super category 5 twisted pair). If DLDP finds a unidirectional link, it disables the related port automatically or prompts you to disable it manually, according to the configuration, to avoid network problems.
RSY advertisement packets (referred to as RSY packets hereafter)
  Function: Advertisement packet with the RSY flag set to 1. RSY packets are sent to request synchronization of neighbor information when neighbor information is not available locally or a neighbor information entry ages out.
DLDP Status
A link can be in one of these DLDP states: initial, inactive, active, advertisement, probe, disable, and delaydown.
Table 1-2 DLDP status
Initial
  Description: Initial status before DLDP is enabled.
Inactive
  Description: DLDP is enabled but the corresponding link is down.
Active
  Description: DLDP is enabled, and the link is up or a neighbor entry is cleared.
Advertisement
  Description: All neighbors communicate normally in both directions, or DLDP...
Entry aging timer
  Description: When a new neighbor joins, a neighbor entry is created and the corresponding entry aging timer is started. When an advertisement packet is received from a neighbor, the neighbor entry is updated and the corresponding entry aging timer is reset. In the normal mode, if no packet is received from the neighbor when...
Table 1-4 DLDP operating mode and neighbor entry aging
Columns: DLDP operating mode; detecting a neighbor after the corresponding neighbor entry ages; removing the neighbor entry immediately after the Entry timer expires; triggering the Enhanced timer after an Entry timer expires
Normal mode: Yes (When the enhanced timer...
Table 1-5 DLDP state and DLDP packet type
Active
  Type of the DLDP packets sent: Advertisement packets, with the RSY flag set or not set.
Advertisement
  Type of the DLDP packets sent: Advertisement packets
Probe
  Type of the DLDP packets sent: Probe packets
A received DLDP packet is processed as follows: In authentication mode, the DLDP packet is authenticated first and is dropped if it fails the authentication.
Table 1-7 Processing procedure when no echo packet is received from the neighbor
In normal mode, no echo packet is received when the echo waiting timer expires.
  Processing procedure: DLDP switches to the disable state, outputs log and tracking information, and sends flush packets.
DLDP Configuration
Performing Basic DLDP Configuration
Follow these steps to perform basic DLDP configuration:
Enter system view
  Command: system-view
Enable DLDP on all optical ports of the switch
  Command: dldp enable
  Remarks: Required
Enter Ethernet port view
  Command: interface interface-type...
Enable...
When connecting two DLDP-enabled devices, make sure the software running on them is of the same version. Otherwise, DLDP may operate improperly. When you use the dldp enable/dldp disable command in system view to enable/disable DLDP on all optical ports of the switch, the configuration takes effect on the existing optical ports, instead of those added subsequently.
DLDP Configuration Example Network requirements As shown in Figure 1-4, Switch A and Switch B are connected through two pairs of fibers. Both of them support DLDP. All the ports involved operate in mandatory full duplex mode, with their rates all being 1,000 Mbps. Suppose the fibers between Switch A and Switch B are cross-connected.
# Set the DLDP handling mode for unidirectional links to auto.
[SwitchA] dldp unidirectional-shutdown auto
# Display the DLDP state.
[SwitchA] display dldp 1
When two switches are connected through cross-connected fibers, two or three ports may be in the disable state and the rest in the inactive state.
Table of Contents
1 MAC Address Table Management 1-1
  Overview 1-1
    Introduction to MAC Address Table 1-1
    Introduction to MAC Address Learning 1-1
    Managing MAC Address Table 1-4
  MAC Address Table Management 1-5
    MAC Address Table Management Configuration Task List 1-5
    Configuring a MAC Address Entry 1-5
    Setting the MAC Address Aging Timer 1-6
    Setting the Maximum Number of MAC Addresses a Port Can Learn 1-7
  Displaying MAC Address Table Information 1-7...
MAC Address Table Management When configuring MAC address table management, go to these sections for information you are interested in: Overview MAC Address Table Management Displaying MAC Address Table Information Configuration Example This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to Multicast Operation.
Generally, the majority of MAC address entries are created and maintained through MAC address learning. The following describes the MAC address learning process of a switch: As shown in Figure 1-1, User A and User B are both in VLAN 1. When User A communicates with User B, the packet from User A comes into the switch on Ethernet 1/0/1.
Because the switch broadcasts the packet, both User B and User C can receive the packet. However, User C is not the destination device of the packet, and therefore does not process the packet. Normally, User B will respond to User A, as shown in Figure 1-4.
Managing MAC Address Table Aging of MAC address table To fully utilize a MAC address table, which has a limited capacity, the switch uses an aging mechanism for updating the table. That is, the switch starts an aging timer for an entry when dynamically creating the entry.
MAC Address Table Management
MAC Address Table Management Configuration Task List
Complete the following tasks to configure MAC address table management:
Configuring a MAC Address Entry
  Remarks: Required
Setting the MAC Address Aging Timer
  Remarks: Optional
Setting the Maximum Number of MAC Addresses a Port Can Learn
  Remarks: Optional
Configuring a MAC Address Entry
You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a...
Add a MAC address entry
  Command: mac-address { static | dynamic | blackhole } mac-address vlan vlan-id
  Remarks: Required
When you add a MAC address entry, the current port must belong to the VLAN specified by the vlan argument in the command.
Setting the Maximum Number of MAC Addresses a Port Can Learn The MAC address learning mechanism enables an Ethernet switch to acquire the MAC addresses of the network devices on the segment connected to the ports of the switch. By searching the MAC address table, the switch directly forwards the packets destined for these MAC addresses through the hardware, improving the forwarding efficiency.
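The learning, flooding, aging, entry-type and per-port limit behaviour described in this chapter, as an added Python simulation (not part of the 3Com guide and not switch code). The aging time is a constructor parameter rather than the switch default, a logical clock stands in for the aging timer, the forwarding decision for a blackhole entry is taken as "drop", and the MAC addresses and VLAN membership are constructed for the example:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def mac_key(mac: str) -> str:
    """Canonical 12-hex-digit form so 000f-e201-0001 and 00:0f:e2:01:00:01 match."""
    return mac.replace("-", "").replace(":", "").lower()


@dataclass
class Entry:
    mac: str
    vlan: int
    port: Optional[str]   # None for blackhole entries
    kind: str             # "static", "dynamic" or "blackhole"
    last_seen: float      # logical clock value when created or last refreshed


class MacTable:
    def __init__(self, vlan_ports: Dict[int, Set[str]], aging_seconds: float = 300.0) -> None:
        self.vlan_ports = vlan_ports              # VLAN membership of each port
        self.aging_seconds = aging_seconds        # assumed value; on the switch this is the MAC aging timer
        self.entries: Dict[Tuple[str, int], Entry] = {}
        self.max_mac: Dict[str, Optional[int]] = {}   # mac-address max-mac-count per port, None = not limited

    def set_max_mac_count(self, port: str, count: Optional[int]) -> None:
        self.max_mac[port] = count

    def dynamic_count(self, port: str) -> int:
        return sum(1 for e in self.entries.values() if e.kind == "dynamic" and e.port == port)

    def add(self, mac: str, vlan: int, port: Optional[str], kind: str, now: float = 0.0) -> Entry:
        """mac-address { static | dynamic | blackhole } mac-address vlan vlan-id, issued in port view."""
        if kind not in ("static", "dynamic", "blackhole"):
            raise ValueError(kind)
        if kind != "blackhole" and port not in self.vlan_ports.get(vlan, set()):
            # Rule from the text: the port must belong to the VLAN named in the command.
            raise ValueError(f"{port} does not belong to VLAN {vlan}")
        entry = Entry(mac_key(mac), vlan, None if kind == "blackhole" else port, kind, now)
        self.entries[(entry.mac, vlan)] = entry
        return entry

    def learn(self, src_mac: str, vlan: int, in_port: str, now: float) -> bool:
        """Source-address learning. Returns False when nothing was learned."""
        key = (mac_key(src_mac), vlan)
        current = self.entries.get(key)
        if current is not None and current.kind != "dynamic":
            return False  # manually configured entries are never overwritten by learning
        if current is not None and current.port == in_port:
            current.last_seen = now  # refresh the aging timer
            return True
        limit = self.max_mac.get(in_port)
        if limit is not None and self.dynamic_count(in_port) >= limit:
            return False  # the port has reached its max-mac-count; the frame is still forwarded
        self.entries[key] = Entry(key[0], vlan, in_port, "dynamic", now)
        return True

    def age(self, now: float) -> int:
        """Remove dynamic entries whose aging timer expired; static and blackhole entries never age."""
        expired = [k for k, e in self.entries.items()
                   if e.kind == "dynamic" and now - e.last_seen >= self.aging_seconds]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def forward(self, src_mac: str, dst_mac: str, vlan: int, in_port: str, now: float) -> List[str]:
        """Learn the source, then choose egress ports for the destination: the known port,
        nothing for a blackhole entry, or a flood of the VLAN minus the ingress port."""
        self.age(now)
        self.learn(src_mac, vlan, in_port, now)
        entry = self.entries.get((mac_key(dst_mac), vlan))
        if entry is None:
            return sorted(self.vlan_ports[vlan] - {in_port})
        if entry.kind == "blackhole" or entry.port == in_port:
            return []
        return [entry.port]


if __name__ == "__main__":
    # Constructed setup: VLAN 1 on four ports, User A on 1/0/1, User B on 1/0/2, a server on 1/0/4.
    table = MacTable({1: {"Ethernet1/0/1", "Ethernet1/0/2", "Ethernet1/0/3", "Ethernet1/0/4"}})
    print(table.forward("000f-e201-0001", "000f-e201-0002", 1, "Ethernet1/0/1", 0))  # unknown B: flooded
    print(table.forward("000f-e201-0002", "000f-e201-0001", 1, "Ethernet1/0/2", 1))  # A now known: unicast
```

The per-port limit is the knob that matters defensively: a host that floods random source addresses fills the table and forces the switch to flood unicast traffic, and a max-mac-count on edge ports stops that from affecting the rest of the VLAN.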
Configuration Example Adding a Static MAC Address Entry Manually Network requirements The server connects to the switch through Ethernet 1/0/2. To prevent the switch from broadcasting packets destined for the server, it is required to add the MAC address of the server to the MAC address table of the switch, which then forwards packets destined for the server through Ethernet 1/0/2.
Table of Contents
1 MSTP Configuration 1-1
  Overview 1-1
    Spanning Tree Protocol Overview 1-1
    Rapid Spanning Tree Protocol Overview 1-10
    Multiple Spanning Tree Protocol Overview 1-10
    MSTP Implementation on Switches 1-14
    Protocols and Standards 1-15
  MSTP Configuration Task List 1-15
  Configuring Root Bridge 1-17
    Configuring an MST Region 1-17
    Specifying the Current Switch as a Root Bridge/Secondary Root Bridge 1-18
    Configuring the Bridge Priority of the Current Switch 1-20...
    Introduction 1-40
    Configuring Digest Snooping 1-40
  Configuring Rapid Transition 1-41
    Introduction 1-41
    Configuring Rapid Transition 1-43
  Configuring VLAN-VPN Tunnel 1-44
    Introduction 1-44
    Configuring VLAN-VPN tunnel 1-44
  MSTP Maintenance Configuration 1-45
    Introduction 1-45
    Enabling Log/Trap Output for Ports of MSTP Instance 1-45
    Configuration Example 1-45
  Enabling Trap Messages Conforming to 802.1d Standard 1-46
  Displaying and Maintaining MSTP 1-46
  MSTP Configuration Example 1-47
  VLAN-VPN Tunnel Configuration Example 1-49...
MSTP Configuration Go to these sections for information you are interested in: Overview MSTP Configuration Task List Configuring Root Bridge Configuring Leaf Nodes Performing mCheck Operation Configuring Guard Functions Configuring Digest Snooping Configuring Rapid Transition Configuring VLAN-VPN Tunnel MSTP Maintenance Configuration Enabling Trap Messages Conforming to 802.1d Standard Displaying and Maintaining MSTP MSTP Configuration Example...
STP identifies the network topology by transmitting BPDUs between STP compliant network devices, typically switches and routers. BPDUs contain sufficient information for the network devices to complete the spanning tree calculation. In STP, BPDUs come in two types: Configuration BPDUs, used to calculate spanning trees and maintain the spanning tree topology. Topology change notification (TCN) BPDUs, used to notify concerned devices of network topology changes, if any.
A bridge ID consists of eight bytes, where the first two bytes represent the bridge priority of the device, and the latter six bytes represent the MAC address of the device. The default bridge priority of the 3Com switch 4210 is 32768. You can use a command to configure the bridge priority of a device. For details, see Configuring the Bridge Priority of the Current Switch.
Port ID A port ID used on the 3Com switch 4210 consists of two bytes, that is, 16 bits, where the first six bits represent the port priority, and the latter ten bits represent the port number. The default priority of all Ethernet ports on the 3Com switch 4210 is 128. You can use commands to configure port priorities.
Table 1-2 Selection of the optimum configuration BPDU
Step: Upon receiving a configuration BPDU on a port, the device processes it as follows. If the received configuration BPDU has a lower priority than the configuration BPDU generated by the port, the device discards the received configuration BPDU and leaves the configuration BPDU of this port unchanged.
Step: The device compares the calculated configuration BPDU with the configuration BPDU on the port whose role is to be determined, and acts as follows based on the comparison result. If the calculated configuration BPDU is superior, this port serves as the designated port, and the configuration BPDU on the port is replaced with the calculated configuration BPDU, which is then sent out periodically.
Device B, port BP1: BPDU of port {1, 0, 1, BP1}
Device B, port BP2: BPDU of port {1, 0, 1, BP2}
Device C, port CP1: BPDU of port {2, 0, 2, CP1}
Device C, port CP2: BPDU of port {2, 0, 2, CP2}
Comparison process and result on each device
The following table shows the comparison process and result on each device.
Table 1-5 Comparison process and result on each device
Columns: Device; comparison process; BPDU of port after comparison...
Device C
  Comparison process: Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
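The BPDU comparison and port role selection from Table 1-2 and the three-device example, run as an added Python simulation (not part of the 3Com guide and not switch code). It uses the {root ID, root path cost, designated bridge ID, designated port ID} tuple and the "smaller is superior" ordering from the text, encodes bridge IDs as the 2-byte priority followed by the 6-byte MAC described above, and keeps port IDs as plain integers. The MAC addresses, the uniform path cost of 200 and the synchronous round-based exchange are constructed for the example; the priorities 0, 1 and 2 match Devices A, B and C in the text:

```python
from typing import Dict, List, Optional, Tuple

# A configuration BPDU reduced to the four fields the text compares:
# {root bridge ID, root path cost, designated bridge ID, designated port ID}.
BPDU = Tuple[int, int, int, int]


def bridge_id(priority: int, mac: str) -> int:
    """8-byte bridge ID: 2-byte priority followed by the 6-byte MAC address."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("priority must fit in two bytes")
    return (priority << 48) | int(mac.replace("-", "").replace(":", ""), 16)


def superior(a: BPDU, b: BPDU) -> bool:
    """a beats b when its fields are smaller, compared left to right."""
    return a < b


class Port:
    def __init__(self, port_id: int, path_cost: int) -> None:
        self.port_id = port_id          # priority and port number combined; a plain integer here
        self.path_cost = path_cost
        self.received: Optional[BPDU] = None
        self.role = "designated"        # "root", "designated" or "blocked"


class Bridge:
    def __init__(self, name: str, priority: int, mac: str, ports: Dict[str, Tuple[int, int]]) -> None:
        self.name = name
        self.bid = bridge_id(priority, mac)
        self.ports = {n: Port(pid, cost) for n, (pid, cost) in ports.items()}
        # On initialisation every switch regards itself as the root bridge.
        self.root_id = self.bid
        self.root_cost = 0
        self.root_port: Optional[str] = None

    def designated_bpdu(self, pname: str) -> BPDU:
        return (self.root_id, self.root_cost, self.bid, self.ports[pname].port_id)

    def receive(self, pname: str, bpdu: BPDU) -> None:
        """Table 1-2, first step: keep a received BPDU only if it beats what the port holds."""
        port = self.ports[pname]
        current = port.received if port.received is not None else self.designated_bpdu(pname)
        if superior(bpdu, current):
            port.received = bpdu

    def compute_roles(self) -> None:
        """Pick the root port, then decide designated/blocked for every other port."""
        best: Optional[Tuple[Tuple[int, int, int, int, int], str]] = None
        for name, port in self.ports.items():
            if port.received is None:
                continue
            rid, rpc, dbid, dpid = port.received
            # root path cost seen through this port = advertised cost + the port's own path cost
            candidate = ((rid, rpc + port.path_cost, dbid, dpid, port.port_id), name)
            if best is None or candidate < best:
                best = candidate
        if best is None or best[0][0] >= self.bid:
            self.root_id, self.root_cost, self.root_port = self.bid, 0, None
            for port in self.ports.values():
                port.role = "designated"
            return
        (self.root_id, self.root_cost, _, _, _), self.root_port = best
        for name, port in self.ports.items():
            if name == self.root_port:
                port.role = "root"
                continue
            calculated = self.designated_bpdu(name)
            if port.received is None or superior(calculated, port.received):
                port.role = "designated"   # the calculated BPDU is what this port now sends
            else:
                port.role = "blocked"


def run_stp(bridges: Dict[str, Bridge], links: List[Tuple[str, str, str, str]],
            rounds: int = 6) -> Dict[str, Dict[str, str]]:
    """Synchronous rounds: designated ports send their BPDU across each link, then every
    bridge recomputes roles. Returns {bridge: {port: role}}."""
    for _ in range(rounds):
        outgoing = []
        for a, pa, b, pb in links:
            if bridges[a].ports[pa].role == "designated":
                outgoing.append((b, pb, bridges[a].designated_bpdu(pa)))
            if bridges[b].ports[pb].role == "designated":
                outgoing.append((a, pa, bridges[b].designated_bpdu(pb)))
        for name, pname, bpdu in outgoing:
            bridges[name].receive(pname, bpdu)
        for br in bridges.values():
            br.compute_roles()
    return {n: {pn: p.role for pn, p in br.ports.items()} for n, br in bridges.items()}


def sample_topology() -> Tuple[Dict[str, Bridge], List[Tuple[str, str, str, str]]]:
    """Constructed triangle: priorities 0, 1, 2 as in the text; MACs and costs are made up."""
    bridges = {
        "A": Bridge("A", 0, "000f-e200-000a", {"AP1": (1, 200), "AP2": (2, 200)}),
        "B": Bridge("B", 1, "000f-e200-000b", {"BP1": (1, 200), "BP2": (2, 200)}),
        "C": Bridge("C", 2, "000f-e200-000c", {"CP1": (1, 200), "CP2": (2, 200)}),
    }
    links = [("A", "AP1", "B", "BP1"), ("A", "AP2", "C", "CP1"), ("B", "BP2", "C", "CP2")]
    return bridges, links


if __name__ == "__main__":
    bridges, links = sample_topology()
    print(run_stp(bridges, links))
```

Device C ends with CP1 as root port and CP2 blocked, because B's BPDU {A, 200, B, BP2} ties with C's calculated {A, 200, C, CP2} on root and cost and wins on the smaller bridge ID. The same ordering is why an attacker injecting BPDUs with priority 0 takes over the root role, which is what the root guard and BPDU guard functions listed later in this chapter defend against.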
Figure 1-3 The final calculated spanning tree
To simplify the description, the spanning tree calculation process in this example is simplified; the actual process is more complicated.
The BPDU forwarding mechanism in STP
Upon network initialization, every switch regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends them at a regular interval of hello time.
For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and the designated ports must go through a period, which is twice the forward delay time, before they transit to the forwarding state. The period allows the new configuration BPDUs to be propagated throughout the entire network.
MSTP supports mapping VLANs to Multiple Spanning Tree (MST) instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP introduces instances (which integrates multiple VLANs into a set) and can bind multiple VLANs to an instance, thus saving communication overhead and improving resource utilization.
MSTI A multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region. Multiple spanning trees can be established in one MST region. These spanning trees are independent of each other. For example, each region in Figure 1-4 contains multiple spanning trees known as MSTIs.
A region boundary port is located on the boundary of an MST region and is used to connect one MST region to another MST region, an STP-enabled region or an RSTP-enabled region. An alternate port is a secondary port of a root port or master port and is used for rapid transition. With the root port or master port being blocked, the alternate port becomes the new root port or master port.
STP and RSTP and use them for their respective spanning tree calculation. The 3Com switches 4210 support MSTP. After MSTP is enabled, the switch operates in MSTP mode by default. If the network contains switches that run the STP/RSTP protocol, you can use commands to...
In addition to the basic MSTP functions, the 3Com switches 4210 also provide the following functions for users to manage their switches:
Root bridge hold
Root bridge backup
Root guard
BPDU guard
Loop guard
TC-BPDU attack guard
BPDU dropping
Protocols and Standards
MSTP is documented in:
IEEE 802.1D: spanning tree protocol...
Task / Remarks
Configuring the Timeout Time Factor: Optional
Configuring the Maximum Transmitting Rate on the Current Port: Optional. The default value is recommended.
Configuring the Current Port as an Edge Port: Optional
Setting the Link Type of a Port to P2P: Optional
...: Required. To prevent network topology jitter...
Configuring Root Bridge
Configuring an MST Region
Configuration procedure
Follow these steps to configure an MST region:
To do... / Use the command... / Remarks
Enter system view: system-view. Remarks: —
Enter MST region view: stp region-configuration. Remarks: —
Configure the name of the MST region: region-name name. Remarks: Required. The default MST region name of a region...
802.1s-defined protocol selector, which is 0 by default and cannot be configured), MST region name, VLAN-to-instance mapping table, and revision level. The 3Com switches 4210 support only the MST region name, VLAN-to-instance mapping table, and revision level. Switches with the settings of these parameters being the same are assigned to the same MST region.
Specify the current switch as the secondary root bridge of a spanning tree
Follow these steps to specify the current switch as the secondary root bridge of a spanning tree:
To do... / Use the command... / Remarks
Enter system view: system-view. Remarks: —
Specify the current switch as...: stp [ instance instance-id ] root ...
Configuring the Bridge Priority of the Current Switch
Root bridges are selected according to the bridge priorities of switches. You can make a specific switch be selected as a root bridge by setting a lower bridge priority for the switch. An MSTP-enabled switch can have different bridge priorities in different MSTIs.
In auto mode, if a port frequently receives MSTP packets of different formats alternately, the port will be forcibly placed in the discarding state and no longer forwards MSTP packets. The physical state of the port will be displayed as STP DOWN. To restore such a port, you can first run the shutdown command and then the undo shutdown command on it.
STP-compatible mode, where the ports of a switch send STP BPDUs to neighboring devices. If STP-enabled switches exist in a switched network, you can use the stp mode stp command to configure an MSTP-enabled switch to operate in STP-compatible mode.
RSTP-compatible mode, where the ports of a switch send RSTP BPDUs to neighboring devices.
To do... / Use the command... / Remarks
Configure the maximum hop count of an MST region: stp max-hops hops. Remarks: Required. By default, the maximum hop count of an MST region is 20.
The bigger the maximum hop count, the larger the MST region is. Note that only the maximum hop settings on the switch operating as a region root can limit the size of the MST region.
Configuration procedure
Follow these steps to configure MSTP time-related parameters:
To do... / Use the command... / Remarks
Enter system view: system-view. Remarks: —
Configure the forward delay parameter: stp timer forward-delay centiseconds. Remarks: Required. The forward delay parameter defaults to 1,500 centiseconds (namely, 15 seconds).
Configure the hello time: ... Remarks: Required. The hello time parameter defaults to...
Configuration example
# Configure the forward delay parameter to be 1,600 centiseconds, the hello time parameter to be 300 centiseconds, and the max age parameter to be 2,100 centiseconds (assuming that the current switch operates as the CIST root bridge).
<Sysname>...
To do... / Use the command... / Remarks
Enter system view: system-view. Remarks: —
Configure the maximum transmitting rate for specified ports: stp interface interface-list transmit-limit packetnum. Remarks: Required. The maximum transmitting rate of all Ethernet ports on a switch defaults to 10.
Configure the maximum transmitting rate in Ethernet port view
Follow these steps to configure the maximum transmitting rate in Ethernet port view:
To do...
To do... / Use the command... / Remarks
Configure the specified ports as edge ports: stp interface interface-list edged-port enable. Remarks: Required. By default, all the Ethernet ports of a switch are non-edge ports.
Configure a port as an edge port in Ethernet port view
Follow these steps to configure a port as an edge port in Ethernet port view:
To do...
You can determine whether or not the link connected to a port is a point-to-point link in one of the following two ways.
Setting the Link Type of a Port to P2P in system view
Follow these steps to specify whether the link connected to a port is a point-to-point link in system view:
To do...
Enabling MSTP
Configuration procedure
Follow these steps to enable MSTP in system view:
To do... / Use the command... / Remarks
Enter system view: system-view. Remarks: —
Enable MSTP: stp enable. Remarks: Required. MSTP is enabled globally by default.
Disable MSTP on ...: stp interface ... Remarks: Optional. By default, MSTP is enabled on all ports.
To enable a switch to operate more flexibly, you can...
Configuring Leaf Nodes
Configuring the MST Region: refer to Configuring an MST Region.
Configuring How a Port Recognizes and Sends MSTP Packets: refer to Configuring How a Port Recognizes and Sends MSTP Packets.
Configuring the Timeout Time Factor: refer to Configuring the Timeout Time Factor.
Path cost by link speed and operation mode (half-/full-duplex) under the 802.1D-1998, IEEE 802.1t and legacy standards; only the IEEE 802.1t and legacy values are reproduced below.
Link speed | Operation mode | IEEE 802.1t | Legacy standard
10 Mbps | Half-duplex/Full-duplex | 2,000,000 | 2,000
10 Mbps | Aggregated link, 2 ports | 1,000,000 | 1,800
10 Mbps | Aggregated link, 3 ports | 666,666 | 1,600
10 Mbps | Aggregated link, 4 ports | 500,000 | 1,400
100 Mbps | Half-duplex/Full-duplex | 200,000 |
100 Mbps | Aggregated link, 2 ports | 100,000 |
100 Mbps | Aggregated link, 3 ports | 66,666 |
100 Mbps | Aggregated link, 4 ports | ...
Follow these steps to configure the path cost for a port in Ethernet port view:
To do... / Use the command... / Remarks
Enter system view: system-view. Remarks: —
Enter Ethernet port view: interface interface-type interface-number. Remarks: —
Configure the path cost for the port: stp [ instance instance-id ] ... Remarks: Required. An MSTP-enabled switch can...
Configure port priority in system view
Follow these steps to configure port priority in system view:
To do... / Use the command... / Remarks
Enter system view: system-view. Remarks: —
Configure port priority for specified ports: stp interface interface-list instance instance-id port ... Remarks: Required. The default port priority is 128.
Performing mCheck Operation
Ports on an MSTP-enabled switch can operate in three modes: STP-compatible, RSTP-compatible, and MSTP. If a port on a device running MSTP (or RSTP) connects to a device running STP, this port will automatically migrate to the STP-compatible mode. However, it will not be able to migrate automatically back to the MSTP (or RSTP) mode, but will remain working in the STP-compatible mode under the following circumstances:
The device running STP is shut down or removed.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp mcheck
Configuring Guard Functions
The following guard functions are available on an MSTP-enabled switch: BPDU guard, root guard, loop guard, TC-BPDU attack guard, and BPDU drop.
Configuring BPDU Guard
Normally, the access ports of the devices operating on the access layer are directly connected to terminals (such as PCs) or file servers.
Configuring Root Guard
A root bridge and its secondary root bridges must reside in the same region. The root bridge of the CIST and its secondary root bridges are usually located in the high-bandwidth core region. Configuration errors or attacks may result in configuration BPDUs with their priorities higher than that of a root bridge, which causes a new root bridge to be elected and network topology jitter to occur.
Configuration example
# Enable the root guard function on Ethernet 1/0/1.
Perform this configuration in system view
<Sysname> system-view
[Sysname] stp interface Ethernet 1/0/1 root-protection
Perform this configuration in Ethernet port view
<Sysname> system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp root-protection
Configuring Loop Guard
A switch maintains the states of the root port and other blocked ports by receiving and processing BPDUs from the upstream switch.
Configuration example
# Enable the loop guard function on Ethernet 1/0/1.
<Sysname> system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp loop-protection
Configuring TC-BPDU Attack Guard
Normally, a switch removes its MAC address table and ARP entries upon receiving Topology Change BPDUs (TC-BPDUs). If a malicious user sends a large number of TC-BPDUs to a switch in a short period, the switch may be kept busy removing the MAC address table and ARP entries, which may affect spanning tree calculation, occupy a large amount of bandwidth, and increase switch CPU utilization.
# Set the maximum number of times the switch may remove the MAC address table and ARP entries within 10 seconds to 5.
<Sysname> system-view
[Sysname] stp tc-protection threshold 5
Configuring BPDU Dropping
In an STP-enabled network, attackers may send BPDUs to switches continuously in order to disrupt the network.
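A model of the TC-BPDU attack guard threshold just configured (at most N removals of the MAC address table and ARP entries per 10 seconds), as an added Python example rather than the switch's implementation; the TC-BPDU arrival trace and the class names are constructed, and excess TC-BPDUs inside a window are simply counted and suppressed.

```python
"""Model of the TC-BPDU attack guard: at most N table flushes per 10 seconds.

Added example, not the 3Com switch implementation. TC-BPDU arrival times are
constructed; excess TC-BPDUs inside a window are counted and suppressed.
"""
from typing import List, Optional, Tuple

WINDOW_SECONDS = 10.0


class TcBpduGuard:
    def __init__(self, threshold: int = 5):
        self.threshold = threshold            # stp tc-protection threshold <n>
        self.window_start: Optional[float] = None
        self.flushes_in_window = 0
        self.alerted = False                  # one alert per window is enough for a log
        self.flush_times: List[float] = []    # when the MAC/ARP tables were really removed
        self.suppressed = 0                   # TC-BPDUs that triggered no removal
        self.alerts: List[float] = []         # first suppression in each window

    def on_tc_bpdu(self, now: float) -> bool:
        """Return True if this TC-BPDU may remove the MAC address table and ARP entries."""
        if self.window_start is None or now - self.window_start >= WINDOW_SECONDS:
            self.window_start, self.flushes_in_window, self.alerted = now, 0, False
        if self.flushes_in_window < self.threshold:
            self.flushes_in_window += 1
            self.flush_times.append(now)
            return True
        if not self.alerted:                  # threshold exceeded: worth a syslog line
            self.alerted = True
            self.alerts.append(now)
        self.suppressed += 1
        return False


def simulate(arrivals: List[float], threshold: int = 5) -> Tuple[int, int, int]:
    """Return (flushes performed, TC-BPDUs suppressed, windows that raised an alert)."""
    guard = TcBpduGuard(threshold)
    for t in sorted(arrivals):
        guard.on_tc_bpdu(t)
    return len(guard.flush_times), guard.suppressed, len(guard.alerts)


def flood_then_quiet() -> List[float]:
    """Constructed trace: 200 TC-BPDUs in the first 4 s, then one every 30 s."""
    return [i * 0.02 for i in range(200)] + [60.0 + 30.0 * k for k in range(4)]


if __name__ == "__main__":
    flushes, suppressed, alerts = simulate(flood_then_quiet())
    print(f"flushes={flushes} suppressed={suppressed} alerted_windows={alerts}")
```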
MST region. This problem can be overcome by implementing the digest snooping feature. If a port on a 3Com Switch 4210 is connected to another manufacturer's switch that has the same MST region-related configuration as its own but adopts a proprietary spanning tree protocol, you can enable digest snooping on the port.
To do... / Use the command... / Remarks
Return to system view: quit. Remarks: —
Enable the digest snooping feature globally: stp config-digest-snooping. Remarks: Required. The digest snooping feature is disabled globally by default.
Display the current configuration: display current-configuration. Remarks: Available in any view.
When the digest snooping feature is enabled on a port, the port state turns to the discarding state.
3Com switch operating as the downstream switch. Among these ports, those operating as the root ports will then send agreement...
The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the way it implements rapid transition on designated ports. Port 1 is the designated port.
The downstream 3Com switch is running MSTP. Port 2 is the root port.
Figure 1-8 Network diagram for rapid transition configuration...
The rapid transition feature can be enabled only on root ports or alternate ports. If you configure the rapid transition feature on a designated port, the feature does not take effect on the port.
Configuring VLAN-VPN Tunnel
Introduction
The VLAN-VPN Tunnel function enables STP packets to be transparently transmitted between geographically dispersed customer networks through specified VLAN VPNs in service provider networks, so that spanning trees can be generated across these customer networks independently of those of the service provider network.
To do... / Use the command... / Remarks
Enable the VLAN-VPN tunnel function globally: vlan-vpn tunnel. Remarks: Required. The VLAN-VPN tunnel function is disabled by default.
Enter Ethernet port view: interface interface-type interface-number. Remarks: Make sure that you enter the Ethernet port view of the port for which you want to enable the VLAN-VPN tunnel...
# Enable log/trap output for the ports of all instances.
<Sysname> system-view
[Sysname] stp portlog all
Enabling Trap Messages Conforming to 802.1d Standard
When enabled, the switch sends the following two types of 802.1d-compliant traps to the network management device:
When the switch is configured to be the root bridge of a spanning tree instance, it sends 802.1d-compliant newroot traps to the network management device.
MSTP Configuration Example
Network requirements
Implement MSTP in the network shown in Figure 1-10 to enable packets of different VLANs to be forwarded along different MSTIs. The detailed configurations are as follows:
All switches in the network belong to the same MST region.
Packets of VLAN 10, VLAN 30, VLAN 40, and VLAN 20 are forwarded along MSTI 1, MSTI 3, MSTI 4, and MSTI 0 respectively.
# Specify Switch A as the root bridge of MSTI 1.
[Sysname] stp instance 1 root primary
Configure Switch B
# Enter MST region view.
<Sysname> system-view
[Sysname] stp region-configuration
# Configure the region name, VLAN-to-instance mapping table, and revision level for the MST region.
[Sysname-mst-region] region-name example
[Sysname-mst-region] instance 1 vlan 10
[Sysname-mst-region] instance 3 vlan 30
...
VLAN-VPN Tunnel Configuration Example
Network requirements
Switch C and Switch D are the access devices for the service provider network. Switches 4210 operate as the access devices of the customer networks, that is, Switch A and Switch B in the network diagram. Switch C and Switch D are connected to each other through the configured trunk ports of the switches.
[Sysname] vlan-vpn tunnel
# Add GigabitEthernet 1/0/1 to VLAN 10.
[Sysname] vlan 10
[Sysname-Vlan10] port GigabitEthernet 1/0/1
[Sysname-Vlan10] quit
# Enable the VLAN VPN function on GigabitEthernet 1/0/1.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port access vlan 10
[Sysname-GigabitEthernet1/0/1] vlan-vpn enable
[Sysname-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port.
Table of Contents
1 Multicast Overview 1-1
  Multicast Overview 1-1
    Information Transmission in the Unicast Mode 1-1
    Information Transmission in the Broadcast Mode 1-2
    Information Transmission in the Multicast Mode 1-2
    Roles in Multicast 1-3
    Advantages and Applications of Multicast 1-4
  Multicast Models 1-4
  Multicast Architecture 1-5
    Multicast Address 1-6
    Multicast Protocols 1-8
  ...
Multicast Overview
Multicast Overview
With the development of networks on the Internet, more and more interactive services, such as data, voice, and video services, are running on the networks. In addition, highly bandwidth- and time-critical services, such as e-commerce, Web conferencing, online auctions, video on demand (VoD), and tele-education, have come into being.
Information Transmission in the Broadcast Mode
When you adopt broadcast, the system transmits information to all users on a network. Any user on the network can receive the information, whether or not the information is needed. Figure 1-2 shows information transmission in broadcast mode.
Figure 1-3 Information transmission in the multicast mode
Assume that Hosts B, D and E need the information. To transmit the information to the right users, it is necessary to group Hosts B, D and E into a receiver set.
Table 1-1 An analogy between TV transmission and multicast transmission
Step | TV transmission | Multicast transmission
1 | A TV station transmits a TV program through a television channel. | A multicast source sends multicast data to a multicast group.
2 | A user tunes the TV set to the channel. | A receiver joins the multicast group.
ASM model
In the ASM model, any sender can become a multicast source and send information to a multicast group; any number of receivers can join a multicast group identified by a group address and obtain multicast information addressed to that multicast group. In this model, receivers are not aware of the position of a multicast source in advance.
Multicast Address
As receivers are multiple hosts in a multicast group, you should be concerned about the following questions: What destination should the information source send the information to in the multicast mode? How to select the destination address? These questions are about multicast addressing. To enable the communication between the information source and members of a multicast group (a group of information receivers), network-layer multicast addresses, namely, IP multicast addresses must be provided.
Class D address range | Description
232.0.0.0 to 232.255.255.255 | Available source-specific multicast (SSM) multicast group addresses.
239.0.0.0 to 239.255.255.255 | Administratively scoped multicast addresses, which are for specific local use only.
As specified by IANA, the IP addresses ranging from 224.0.0.0 to 224.0.0.255 are reserved for network protocols on local networks.
Ethernet multicast MAC address
When a unicast IP packet is transported in an Ethernet network, the destination MAC address is the MAC address of the receiver. When a multicast packet is transported in an Ethernet network, a multicast MAC address is used as the destination address because the destination is a group with an uncertain number of members.
Figure 1-5 Positions of Layer 3 multicast protocols
Multicast management protocols
Typically, the Internet Group Management Protocol (IGMP) is used between hosts and Layer 3 multicast devices directly connected with the hosts. These protocols define the mechanism of establishing and maintaining group memberships between hosts and Layer 3 multicast devices.
Figure 1-6 Positions of Layer 2 multicast protocols
Running on Layer 2 devices, Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that manages and controls multicast groups by listening to and analyzing IGMP messages exchanged between the hosts and Layer 3 multicast devices, thus effectively controlling the flooding of multicast data in a Layer 2 network.
If the corresponding (S, G) entry exists, but the interface on which the packet actually arrived is not the incoming interface in the multicast forwarding table, the multicast packet is subject to an RPF check. If the result of the RPF check shows that the RPF interface is the incoming interface of the existing (S, G) entry, this means that the (S, G) entry is correct but the packet arrived from a wrong path and is to be discarded.
A multicast packet from Source arrives at VLAN-interface 1 of Switch C, and the corresponding forwarding entry does not exist in the multicast forwarding table of Switch C. Switch C performs an RPF check, and finds in its unicast routing table that the outgoing interface to 192.168.0.0/24 is VLAN-interface 2.
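The RPF check described above, applied to the Switch C case (a packet from Source arriving on VLAN-interface 1 while the unicast route to 192.168.0.0/24 points to VLAN-interface 2), as an added Python example that is not the switch's forwarding code; it also covers the existing-entry cases from the preceding paragraph. The source address 192.168.0.1, the default route, the group 224.1.1.1 and the (S, G) entries used in the scenarios are constructed.

```python
"""RPF check against a unicast routing table and an (S, G) forwarding table.

Added example, not the switch's forwarding code. The routes, the source
address 192.168.0.1 and the (S, G) entries are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]                          # (prefix, outgoing interface)
SgTable = Dict[Tuple[str, str], Dict[str, str]]  # (source, group) -> {"iif": interface}


def rpf_interface(routes: List[Route], source: str) -> Optional[str]:
    """Longest-prefix match on the source address gives the RPF interface."""
    src = ipaddress.ip_address(source)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_check(sg: SgTable, routes: List[Route], source: str, group: str,
              in_iface: str) -> Tuple[str, str]:
    """Decide 'forward' or 'discard' for a (source, group) packet that arrived on in_iface."""
    rpf_if = rpf_interface(routes, source)
    if rpf_if is None:
        return "discard", "no unicast route back to the source"
    entry = sg.get((source, group))
    if entry is None:                          # no (S, G) entry yet: plain RPF check
        if rpf_if == in_iface:
            sg[(source, group)] = {"iif": in_iface}
            return "forward", "RPF check passed; (S, G) entry created"
        return "discard", f"RPF check failed: RPF interface is {rpf_if}, packet arrived on {in_iface}"
    if entry["iif"] == in_iface:               # matches the entry: no RPF check needed
        return "forward", "arrived on the (S, G) incoming interface"
    if rpf_if == entry["iif"]:                 # entry is correct, packet took a wrong path
        return "discard", "(S, G) entry correct; packet arrived from a wrong path"
    entry["iif"] = rpf_if                      # unicast topology changed: refresh the entry
    action = "forward" if in_iface == rpf_if else "discard"
    return action, f"(S, G) incoming interface updated to {rpf_if}"


def switch_c_case() -> Tuple[str, str]:
    """The page's Switch C: packet on Vlan-interface 1, route to the source via Vlan-interface 2."""
    routes = [("192.168.0.0/24", "Vlan-interface2"), ("0.0.0.0/0", "Vlan-interface3")]
    return rpf_check({}, routes, "192.168.0.1", "224.1.1.1", "Vlan-interface1")


if __name__ == "__main__":
    print(switch_c_case())
```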
IGMP Snooping Configuration
IGMP Snooping Overview
Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups.
Principle of IGMP Snooping
By analyzing received IGMP messages, a Layer 2 device running IGMP Snooping establishes mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings.
Figure 2-2 IGMP Snooping related ports
Ports involved in IGMP Snooping, as shown in Figure 2-2, are described as follows:
Router port: A router port is a port on the Layer 3 multicast device (DR or IGMP querier) side of the...
Upon receiving an IGMP general query, the switch forwards it through all ports in the VLAN except the receiving port and performs the following on the receiving port: If the receiving port is a router port existing in its router port list, the switch resets the aging timer of this router port.
group-specific query, a switch forwards it through all the router ports in the VLAN and all member ports of that multicast group, and performs the following on the receiving port: If any IGMP report in response to the group-specific query arrives at the member port before its aging timer expires, this means that some other members of that multicast group still exist under that port: the switch resets the aging timer of the member port.
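The router-port and member-port bookkeeping described above (general queries refresh the router port and are flooded to the other ports; reports refresh a member port and go to the router ports; group-specific queries go to router ports and the group's member ports; both port types age out unless refreshed), as an added Python model that is not the switch's IGMP Snooping code. The aging times of 105 s and 260 s, the class names, the port names and the event sequence are constructed assumptions.

```python
"""Model of the IGMP Snooping router-port and member-port lists of one VLAN.

Added example, not the switch's implementation. Aging times, port names and
the event sequence below are constructed assumptions.
"""
from typing import Dict, List, Set

ROUTER_PORT_AGING = 105.0   # seconds; assumption
MEMBER_PORT_AGING = 260.0   # seconds; assumption


class IgmpSnoopingVlan:
    def __init__(self, ports: List[str]):
        self.ports = list(ports)
        self.router_ports: Dict[str, float] = {}          # port -> expiry time
        self.members: Dict[str, Dict[str, float]] = {}    # group -> port -> expiry time

    def _age(self, now: float) -> None:
        """Drop router ports and member ports whose aging timer has expired."""
        self.router_ports = {p: t for p, t in self.router_ports.items() if t > now}
        for group in list(self.members):
            self.members[group] = {p: t for p, t in self.members[group].items() if t > now}
            if not self.members[group]:
                del self.members[group]

    def general_query(self, in_port: str, now: float) -> List[str]:
        """Receiving port becomes/stays a router port; query floods to all other ports."""
        self._age(now)
        self.router_ports[in_port] = now + ROUTER_PORT_AGING
        return [p for p in self.ports if p != in_port]

    def report(self, in_port: str, group: str, now: float) -> List[str]:
        """Receiving port becomes/stays a member port; report goes to router ports only."""
        self._age(now)
        self.members.setdefault(group, {})[in_port] = now + MEMBER_PORT_AGING
        return [p for p in self.router_ports if p != in_port]

    def group_specific_query(self, in_port: str, group: str, now: float) -> List[str]:
        """Forwarded through all router ports and the member ports of that group."""
        self._age(now)
        self.router_ports[in_port] = now + ROUTER_PORT_AGING
        targets = set(self.router_ports) | set(self.members.get(group, {}))
        return sorted(p for p in targets if p != in_port)

    def data_ports(self, group: str, now: float) -> Set[str]:
        """Ports that receive multicast data for the group: member ports plus router ports."""
        self._age(now)
        return set(self.router_ports) | set(self.members.get(group, {}))


def page_scenario() -> Dict[str, Set[str]]:
    """Constructed walk-through: Eth1/0/1 faces the router, three host ports."""
    vlan = IgmpSnoopingVlan(["Eth1/0/1", "Eth1/0/2", "Eth1/0/3", "Eth1/0/4"])
    vlan.general_query("Eth1/0/1", now=0.0)            # router's query: Eth1/0/1 is the router port
    vlan.report("Eth1/0/3", "224.1.1.1", now=1.0)      # host on Eth1/0/3 joins
    vlan.report("Eth1/0/4", "224.1.1.1", now=2.0)      # host on Eth1/0/4 joins
    after_join = vlan.data_ports("224.1.1.1", now=5.0)
    vlan.general_query("Eth1/0/1", now=100.0)          # periodic queries keep the router port alive
    vlan.report("Eth1/0/3", "224.1.1.1", now=101.0)    # only the host on Eth1/0/3 answers
    vlan.general_query("Eth1/0/1", now=250.0)
    after_aging = vlan.data_ports("224.1.1.1", now=300.0)  # Eth1/0/4 expired at 2 + 260 = 262
    return {"after_join": after_join, "after_aging": after_aging}


if __name__ == "__main__":
    print(page_scenario())
```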
Before configuring related IGMP Snooping functions, you must enable IGMP Snooping in the specified VLAN. Different multicast group addresses should be configured for different multicast sources because IGMPv3 Snooping cannot distinguish multicast data from different sources to the same multicast group.
Enabling fast leave processing in Ethernet port view
Table 2-7 Enable fast leave processing in Ethernet port view
Operation / Command / Remarks
Enter system view: system-view. Remarks: —
Enter Ethernet port view: interface interface-type interface-number. Remarks: —
Enable fast leave processing for specific VLANs: igmp-snooping fast-leave [ vlan vlan-list ]. Remarks: Required. By default, the fast leave...
Operation / Command / Remarks
Configure a multicast group filter: igmp-snooping group-policy acl-number [ vlan vlan-list ]. Remarks: Required. No group filter is configured by default, namely hosts can join any multicast group.
Configuring a multicast group filter in Ethernet port view
Table 2-9 Configure a multicast group filter in Ethernet port view
Operation / Command / Remarks...
Operation / Command / Remarks
Configure the maximum number of multicast groups allowed on the port: igmp-snooping group-limit limit [ vlan vlan-list [ overflow-replace ] ]. Remarks: Required. The system default is 512.
To prevent bursting traffic in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process.
Operation / Command / Remarks
Enable unknown multicast flooding suppression: igmp-snooping nonflooding-enable. Remarks: Required. By default, unknown multicast flooding suppression ...
If the function of dropping unknown multicast packets is enabled, you cannot enable unknown multicast flooding suppression. Unknown multicast flooding suppression and multicast source port suppression cannot take effect at the same time.
Operation / Command / Remarks
Configure specified port(s) as static member port(s) of a multicast group in the VLAN: multicast static-group group-address interface interface-list. Remarks: Required. By default, no port is configured as a static multicast group member port.
Configuring a Static Router Port
In a network where the topology is unlikely to change, you can configure a port on the switch as a static router port, so that the switch has a static connection to a multicast router and receives IGMP messages from that router.
When an Ethernet port is configured as a simulated member host, the switch sends an IGMP report through this port. Meanwhile, the switch sends the same IGMP report to itself and establishes a corresponding IGMP entry based on this report. When receiving an IGMP general query, the simulated host responds with an IGMP report.
It is not recommended to configure this function while the multicast VLAN function is in effect.
Configuring Multicast VLAN
In traditional multicast implementations, when users in different VLANs listen to the same multicast group, the multicast data is copied on the multicast router for each VLAN that contains receivers. This is a big waste of network bandwidth.
You can execute the reset command in user view to clear the statistics information about IGMP Snooping.
Table 2-20 Display and maintain IGMP Snooping
Operation / Command / Remarks
Display the current IGMP Snooping configuration: display igmp-snooping configuration.
Display IGMP Snooping message statistics: display igmp-snooping statistics. Remarks: You can execute the display...
Configuration procedure
Configure the IP address of each interface
Configure an IP address and subnet mask for each interface as per Figure 2-3. The detailed configuration steps are omitted.
Configure Router A
# Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on Ethernet1/0/1.
<RouterA>...
Host port(s):Ethernet1/0/3 Ethernet1/0/4
As shown above, the multicast group 224.1.1.1 is established on Switch A, with the dynamic router port Ethernet1/0/1 and dynamic member ports Ethernet1/0/3 and Ethernet1/0/4. This means that Host A and Host B have joined the multicast group 224.1.1.1.
Configuring Multicast VLAN
Network requirements
As shown in...
Network diagram
Figure 2-4 Network diagram for multicast VLAN configuration
Configuration procedure
The following configuration is based on the prerequisite that the devices are properly connected and all the required IP addresses are already configured.
[SwitchB] vlan 10
[SwitchB-vlan10] service-type multicast
[SwitchB-vlan10] igmp-snooping enable
[SwitchB-vlan10] quit
# Define Ethernet 1/0/10 as a hybrid port, add the port to VLAN 2, VLAN 3, and VLAN 10, and configure the port to forward tagged packets for VLAN 2, VLAN 3, and VLAN 10.
[SwitchB] interface Ethernet 1/0/10
[SwitchB-Ethernet1/0/10] port link-type hybrid
[SwitchB-Ethernet1/0/10] port hybrid vlan 2 3 10 tagged
...
Common Multicast Configuration
Common Multicast Configuration
Table 3-1 Common multicast configuration tasks
Configuration task / Remarks
Configuring Suppression on the Multicast Source Port: Optional
Configuring a Multicast MAC Address Entry: Optional
Configuring Dropping Unknown Multicast Packets: Optional
Configuring Suppression on the Multicast Source Port
Some users may deploy unauthorized multicast servers on the network.
Configuring a Multicast MAC Address Entry
In Layer 2 multicast, the system can add multicast forwarding entries dynamically through a Layer 2 multicast protocol. Alternatively, you can statically bind a port to a multicast MAC address entry by configuring a multicast MAC address entry manually. Generally, when receiving a multicast packet for a multicast group not yet registered on the switch, the switch will flood the packet within the VLAN to which the port belongs.
packets is enabled, the switch will drop any multicast packets whose multicast address is not registered. Thus, the bandwidth is saved and the processing efficiency of the system is improved.
Table 3-6 Configure dropping unknown multicast packet
Operation / Command / Remarks
...
Table of Contents
1 802.1x Configuration 1-1
  Introduction to 802.1x 1-1
    Architecture of 802.1x Authentication 1-1
    The Mechanism of an 802.1x Authentication System 1-2
    Encapsulation of EAPoL Messages 1-3
    802.1x Authentication Procedure 1-5
    Timers Used in 802.1x 1-8
    802.1x Implementation on an S4210 Series Switch 1-9
  Introduction to 802.1x Configuration 1-12
  Basic 802.1x Configuration 1-12
    Configuration Prerequisites 1-12
  ...
The authenticator system is another entity residing at one end of a LAN segment. It authenticates the connected supplicant systems. The authenticator system is usually an 802.1x-supported network device (such as a 3Com series switch). It provides the port (physical or logical) for the supplicant system to access the LAN.
By default, a controlled port is a unidirectional port.
The way a port is controlled
A port of a 3Com series switch can be controlled in the following two ways.
Port-based authentication. When a port is controlled in this way, all the supplicant systems connected to the port can access the network without being authenticated after one supplicant system among them passes the authentication.
Figure 1-2 The mechanism of an 802.1x authentication system
EAP protocol packets transmitted between the supplicant system PAE and the authenticator system PAE are encapsulated as EAPoL packets. EAP protocol packets transmitted between the authenticator system PAE and the RADIUS server can either be encapsulated as EAP over RADIUS (EAPoR) packets or be terminated at system PAEs.
The Packet body field differs with the Type field. Note that EAPoL-Start, EAPoL-Logoff, and EAPoL-Key packets are only transmitted between the supplicant system and the authenticator system. EAP packets are encapsulated by the RADIUS protocol to allow them to successfully reach the authentication servers. Network management-related information (such as alarm information) is encapsulated in EAPoL-Encapsulated-ASF-Alert packets, which are terminated by authenticator systems.
Figure 1-7 The format of a Message-authenticator field
802.1x Authentication Procedure
A 3Com S4210 series Ethernet switch can authenticate supplicant systems in EAP terminating mode or EAP relay mode.
EAP relay mode
This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher-level protocol (such as EAPoR) packets to enable them to successfully reach the authentication server.
The RADIUS server compares the received encrypted password (contained in a RADIUS access-request packet) with the locally-encrypted password. If the two match, it will then send feedbacks (through a RADIUS access-accept packet and an EAP-success packet) to the switch to indicate that the supplicant system is authenticated.
Checking client version
The Guest VLAN function
3Com's CAMS Server is a service management system used to manage networks and to secure networks and user information. With the cooperation of other networking devices (such as switches) in the network, a CAMS server can implement the AAA functions and rights management.
With this function, the switch sends version-request packets again if the 802.1x client does not send a version-reply packet before the version-checking timer expires. The 802.1x client version-checking function requires 3Com's 802.1x client program.
The Guest VLAN function
The Guest VLAN function enables supplicant systems that have not been authenticated to access network resources in a restricted way.
Refer to the AAA Operation Manual for detailed information about the dynamic VLAN delivery function.
Enabling 802.1x re-authentication
802.1x re-authentication is timer-triggered or packet-triggered. It re-authenticates users who have already passed authentication. With 802.1x re-authentication enabled, the switch can monitor the connection status of users periodically.
802.1x re-authentication fails if a CAMS server is used and is configured to perform authentication but not accounting, because a CAMS server establishes a user session only after it begins accounting. Therefore, to use 802.1x re-authentication, do not configure the accounting none command in the domain.
Configuring Basic 802.1x Functions
Table 1-1 Configure basic 802.1x functions
Enter system view: system-view (—)
Enable 802.1x globally: dot1x (Required. By default, 802.1x is disabled globally.)
Enable 802.1x for specified ports, in system view: dot1x interface interface-list (Required. By default, 802.1x is disabled on all specified...)
Enable 802.1x for a port, in Ethernet port view: interface interface-type interface-number, then ...
Handshaking packets require the support of the 3Com-proprietary client. They are used to test whether a user is still online. Because clients from other vendors do not support the online user handshaking function, the switch receives no handshaking acknowledgement packets from them during the handshaking periods. To prevent such users from being falsely considered offline, disable the online user handshaking function in this case.
Set 802.1x timers (Optional): dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ...
The default settings of the 802.1x timers are as follows:
handshake-period-value: 15 seconds
quiet-period-value: 60 seconds
server-timeout-value: 100 seconds
supp-timeout-value: 30 seconds
tx-period-value: 30 seconds
authority (that is, the user domain names are the same). This allows you to deploy 802.1X access policies flexibly. Table 1-3 shows the relationship between the 802.1X username entered for authentication, the mandatory authentication domain configured on the port connecting the users, the authentication domain finally used for the users, and the username suffix on the RADIUS server.
{ logoff | trap } quit
The proxy checking function requires the cooperation of 3Com's 802.1x client (iNode) program. It depends on the online user handshaking function: to enable proxy detection, you must enable the online user handshaking function first.
Set the client version checking period (Optional): dot1x timer ver-period ver-period-value. By default, the timer is set to 30 seconds.
If you execute the dot1x version-user command in system view without specifying the interface-list argument, the command applies to all ports.
The Guest VLAN function is available only when the switch operates in the port-based authentication mode. Only one Guest VLAN can be configured for each switch. The Guest VLAN function cannot be implemented if you configure the dot1x dhcp-launch command on the switch to enable DHCP-triggered authentication, because in that case the switch does not send authentication packets unsolicited.
During re-authentication, the switch always uses the latest re-authentication interval configured, no matter which of the above-mentioned two ways is used to determine the re-authentication interval. For example, if you configure a re-authentication interval on the switch and the switch receives an Access-Accept packet whose Termination-Action attribute field is 1, the switch will ultimately use the value of the Session-timeout attribute field as the re-authentication interval.
The switch is connected to a RADIUS server group consisting of two RADIUS servers whose IP addresses are 10.11.1.1 and 10.11.1.2. The RADIUS server with IP address 10.11.1.1 operates as the primary authentication server and the secondary accounting server. The other operates as the secondary authentication server and the primary accounting server.
# Create a RADIUS scheme named "radius1" and enter RADIUS scheme view.
[Sysname] radius scheme radius1
# Assign IP addresses to the primary authentication and accounting RADIUS servers.
[Sysname-radius-radius1] primary authentication 10.11.1.1
[Sysname-radius-radius1] primary accounting 10.11.1.2
# Assign IP addresses to the secondary authentication and accounting RADIUS servers.
[Sysname-radius-radius1] secondary authentication 10.11.1.2
[Sysname-radius-radius1] secondary accounting 10.11.1.1
# Set the shared key that the switch and the authentication RADIUS servers use to exchange messages.
802.1X Mandatory Authentication Domain Configuration Example Network Requirements As shown in Figure 1-13, Host A (an 802.1X user) and Host B (a telnet user) are connected to the Internet through Ethernet 1/0/1 and Ethernet 1/0/2 on Switch, respectively. It is required to implement RADIUS authentication and local authentication for Host A and Host B (that do not support usernames with suffixes) by performing the following configurations on Switch: Host A belongs to domain aabbcc and Host B belongs to domain test;...
HABP Configuration
Introduction to HABP
With 802.1x enabled, a switch authenticates and then authorizes 802.1x-enabled ports, and packets are forwarded only by authorized ports. On ports that have switches attached and that have not been authenticated and authorized by 802.1x, received packets are filtered, which means you cannot manage the attached switches.
HABP Client Configuration HABP clients reside on switches attached to HABP servers. After you enable HABP for a switch, the switch operates as an HABP client by default. So you only need to enable HABP on a switch to make it an HABP client.
System-Guard Configuration
System-Guard Overview
To implement system guard for the CPU, you must first determine whether the CPU is under attack. Do not judge this solely by whether congestion occurs in a queue; instead, use the following criteria: the number of packets processed by the CPU in a time range.
Displaying and Maintaining System-Guard
After the above configuration, execute the display command in any view to display the running status of the system-guard feature and to verify the configuration.
Table 3-2 Display and maintain system-guard
Display the record of detected attacks: display system-guard attack-record
Display the state of the system-guard feature: display system-guard state
...
Table of Contents
1 AAA Overview 1-1
  Introduction to AAA 1-1
    Authentication 1-1
    Authorization 1-1
    Accounting 1-2
    Introduction to ISP Domain 1-2
  Introduction to AAA Services 1-3
    Introduction to RADIUS 1-3
    Introduction to HWTACACS 1-7
2 AAA Configuration 2-1
  AAA Configuration Task List 2-1
    Configuration introduction 2-1
    Creating an ISP Domain and Configuring Its Attributes 2-2
    Configuring an AAA Scheme for an ISP Domain 2-3
...
    Per User Type AAA Configuration Example 2-30
    Remote RADIUS Authentication of Telnet/SSH Users 2-31
    Local Authentication of FTP/Telnet Users 2-32
    HWTACACS Authentication and Authorization of Telnet Users 2-34
  Troubleshooting AAA 2-35
    Troubleshooting RADIUS Configuration 2-35
    Troubleshooting HWTACACS Configuration 2-35
...
Remote authentication: Users are authenticated remotely through RADIUS or HWTACACS protocol. This device (for example, a 3Com series switch) acts as the client to communicate with the RADIUS or TACACS server. You can use standard or extended RADIUS protocols in conjunction with such systems as iTELLIN/CAMS for user authentication.
Accounting AAA supports the following accounting methods: None accounting: No accounting is performed for users. Local accounting: It is not used for charging purposes, but for collecting statistics and limiting the number of local user connections. Remote accounting: User accounting is performed on a remote RADIUS or TACACS server. Introduction to ISP Domain An Internet service provider (ISP) domain is a group of users who belong to the same ISP.
Introduction to AAA Services
Introduction to RADIUS
AAA is a management framework that can be implemented by more than one protocol, but in practice the most commonly used service for AAA is RADIUS.
What is RADIUS
RADIUS (Remote Authentication Dial-In User Service) is a distributed service based on a client/server structure.
the authentication response message. Figure 1-3 depicts the message exchange procedure between the user, the switch and the RADIUS server.
Figure 1-3 Basic message exchange procedure of RADIUS (Host, RADIUS client, RADIUS server)
(1) The user inputs the user name and password.
(2) Access-Request
(3) ...
Figure 1-4 RADIUS message format
The Code field (one byte) indicates the type of the RADIUS message, as shown in Table 1-1.
Table 1-1 Description on the major values of the Code field (Code, Message type, Message description)
Direction: client->server. The client transmits this message to the server to determine whether the user can access the network.
The Authenticator field (16 bytes) is used to authenticate the response from the RADIUS server and as input to the password hiding algorithm. There are two kinds of authenticators: the Request Authenticator (a random value chosen by the client for each request) and the Response Authenticator (computed by the server over the response, the Request Authenticator and the shared key). The Attributes field contains the specific authentication/authorization/accounting information that supplies the configuration details of a request or response message.
Figure 1-5 depicts the format of attribute 26. The Vendor-ID field used to identify a vendor occupies four bytes, where the first byte is 0, and the other three bytes are defined in RFC 1700. Here, the vendor can encapsulate multiple customized sub-attributes (containing vendor-specific Type, Length and Value) to implement a RADIUS extension.
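The pieces described above (the Code field, the Request and Response Authenticators, the User-Password hiding that the server undoes before the comparison in the 802.1x procedure, attribute 26 with its zero-leading Vendor-ID, and the Message-Authenticator field of Figure 1-7) as one added example. This is not the switch's or 3Com's code; it follows RFC 2865 and RFC 3579. The shared key aabbcc, the user database, the NAS address and the vendor ID 9999 in the Access-Accept are constructed placeholders.

```python
"""RADIUS Access-Request/Accept exchange: User-Password hiding with the Request
Authenticator, Response Authenticator checking, the Message-Authenticator attribute
(RFC 3579) and a vendor-specific attribute 26. Added example, not the switch's code;
the shared key, user database and vendor ID used below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_VSA, ATTR_MSG_AUTH = 1, 2, 4, 26, 80


def attr(atype: int, value: bytes) -> bytes:
    """Type (1) + Length (1, counting Type and Length themselves) + Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def vsa(vendor_id: int, sub_type: int, value: bytes) -> bytes:
    """Attribute 26: 4-byte Vendor-ID whose first byte is 0, then the vendor's own TLV."""
    sub = struct.pack("!BB", sub_type, 2 + len(value)) + value
    return attr(ATTR_VSA, struct.pack("!I", vendor_id & 0x00FFFFFF) + sub)


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; block i is XORed with MD5(secret + previous block),
    the 'previous block' of the first one being the Request Authenticator."""
    pw = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_attrs(data: bytes) -> list:
    attrs = []
    while data:
        t, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, req_auth=None):
    req_auth = req_auth or os.urandom(16)          # must be unpredictable per request
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    # Message-Authenticator = HMAC-MD5(secret, whole packet with this attribute's value zeroed)
    zeroed = attrs + attr(ATTR_MSG_AUTH, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(zeroed)) + req_auth
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MSG_AUTH, mac)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    off = 20
    while off + 2 <= len(packet):
        t, length = packet[off], packet[off + 1]
        if t == ATTR_MSG_AUTH and length == 18:
            zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[off + 2:off + 18])
        off += max(length, 2)
    return False                                   # absent: treat as failed


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, compare it, answer with a Response
    Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if not verify_message_authenticator(request, secret):
        raise ValueError("Message-Authenticator check failed; discard silently")
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    user = attrs[ATTR_USER_NAME].decode()
    pw = unhide_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    ok = user in users and hmac.compare_digest(users[user], pw)   # constant-time compare
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    rattrs = vsa(9999, 1, b"vlan10") if ok else b""   # 9999: placeholder vendor ID
    header = struct.pack("!BBH", rcode, ident, 20 + len(rattrs))
    resp_auth = hashlib.md5(header + req_auth + rattrs + secret).digest()
    return header + resp_auth + rattrs


def verify_response(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client side: a reply whose Response Authenticator does not verify is dropped."""
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Two points worth keeping in mind when reading this against a real deployment: the User-Password hiding is only as strong as the shared key (MD5 of a short key is brute-forceable offline from a captured request), and the Response Authenticator is what stops a spoofed Access-Accept from an attacker who can reach the switch's UDP port, so a client that skips verify_response accepts anyone.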
Figure 1-6 Network diagram for a typical HWTACACS application (Host, HWTACACS client, two HWTACACS servers)
Basic message exchange procedure in HWTACACS
The following text takes a telnet user as an example to describe how HWTACACS implements authentication, authorization, and accounting for a user. Figure 1-7 illustrates the basic message exchange procedure:...
A user sends a login request to the switch acting as a TACACS client, which then sends an authentication start request to the TACACS server. The TACACS server returns an authentication response, asking for the username. Upon receiving the response, the TACACS client requests the user for the username. After receiving the username from the user, the TACACS client sends an authentication continuance message carrying the username.
AAA Configuration
AAA Configuration Task List
Configuration introduction
You need to configure AAA to provide network access services for legitimate users while protecting network devices and preventing unauthorized access and repudiation.
Table 2-1 AAA configuration tasks (configuring a combined AAA scheme for an ISP domain)
Creating an ISP Domain and Configuring...
Cutting Down User Connections Forcibly: Optional
Creating an ISP Domain and Configuring Its Attributes
Table 2-3 Create an ISP domain and configure its attributes
Enter system view: system-view (—)
Configure the form of the delimiter between the user name and the domain name: domain delimiter { at | dot } (Optional. By default, the delimiter...
A server installed with self-service software is called a self-service server. 3Com's CAMS Server is a service management system used to manage networks and ensure network and user information security. With the cooperation of other networking devices (such as switches) in a network, a CAMS server can implement the AAA functions and right management.
Create an ISP domain and enter its view, or enter the view of an existing ISP domain: domain isp-name (Required)
Configure an AAA scheme for the ISP domain: scheme { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme... (Required. By default, an ISP...
You can execute the scheme radius-scheme radius-scheme-name command to use an already configured RADIUS scheme for all three AAA functions. If you adopt the local scheme, only authentication and authorization are implemented; accounting cannot be implemented. If you execute the scheme radius-scheme radius-scheme-name local command, the local scheme is used as the backup only when no RADIUS server is available (the servers do not respond); a user that a RADIUS server rejects is not retried against the local database.
Local authentication (local): Authentication is performed by the NAS, which is configured with the user information, including the usernames, passwords, and attributes. Local authentication features high speed and low cost, but the amount of information that can be stored is limited by the hardware.
Specify the default authorization method for all types of users (Optional): authorization { local | none | hwtacacs-scheme hwtacacs-scheme-name [ local ] }. By default, no separate authorization scheme is configured.
Specify the authorization method for login users (Optional): authorization login { hwtacacs-scheme... The default authorization method for login users...
Configuring Dynamic VLAN Assignment The dynamic VLAN assignment feature enables a switch to dynamically add the switch ports of successfully authenticated users to different VLANs according to the attributes assigned by the RADIUS server, so as to control the network resources that different users can access. Currently, the switch supports the following two types of assigned VLAN IDs: integer and string.
Configuring the Attributes of a Local User When local scheme is chosen as the AAA scheme, you should create local users on the switch and configure the relevant attributes. The local users are users set on the switch, with each user uniquely identified by a user name. To make a user who is requesting network service pass local authentication, you should add an entry in the local user database on the switch for the user.
You can use the display connection command to view the connections of Telnet users, but you cannot use the cut connection command to cut down their connections. RADIUS Configuration Task List 3Com’s Ethernet switches can function not only as RADIUS clients but also as local RADIUS servers. 2-10...
Table 2-9 RADIUS configuration tasks (the switch functions as a RADIUS client)
Creating a RADIUS Scheme: Required
Configuring RADIUS Authentication/Authorization Servers: Required
Configuring Ignorance of Assigned RADIUS Authorization Attributes: Optional
Configuring the Sending Mode of Accounting Start Requests: Optional
Configuring RADIUS Accounting Servers: Required
...
The RADIUS service configuration is performed on a RADIUS scheme basis. In an actual network environment, you can either use a single RADIUS server or two RADIUS servers (primary and secondary servers with the same configuration but different IP addresses) in a RADIUS scheme. After creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme.
Configuring RADIUS Authentication/Authorization Servers
Table 2-12 Configure RADIUS authentication/authorization servers
Enter system view: system-view (—)
Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (Required. By default, a RADIUS scheme named "system" has already been created in the system.)
Set the IP address and port number of the primary authentication server (Required): primary authentication...
use the assigned Attribute 28, Idle-Timeout. You can configure the attribute ignoring function on NAS 2 to ignore Attribute 28.
Figure 2-1 Network diagram for the RADIUS authorization attribute ignoring function (elements: IP network, Switch, RADIUS server, NAS 1, NAS 2, Host 1, Host 2)
Follow these steps to configure the RADIUS authorization attribute ignoring function:...
Configure the sending mode of accounting start requests (Required): accounting start-mode { with-ip | without-ip }. The default is without-ip.
The sending mode of accounting start requests depends on the RADIUS server. If the RADIUS server can perform accounting only for accounting start requests that carry an IP address, configure the sending mode as with-ip.
Set the maximum allowed number of continuous real-time accounting failures (Optional): retry realtime-accounting retry-times. By default, the maximum allowed number of continuous real-time accounting failures is five. If five continuous failures occur, the switch cuts down the user connection.
Set a shared key for RADIUS accounting messages (Required): key accounting string. By default, no shared key is created.
The authentication/authorization shared key and the accounting shared key you set on the switch must match the shared key on the authentication/authorization server and the shared key on the accounting server, respectively.
If you change the type of RADIUS server, the data stream destined to the original RADIUS server will be restored to the default unit. When the third party RADIUS server is used, you can select standard or extended as the server-type in a RADIUS scheme;...
Configuring the Attributes of Data to be Sent to RADIUS Servers
Table 2-19 Configure the attributes of data to be sent to RADIUS servers
Enter system view: system-view (—)
Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (Required. By default, a RADIUS scheme named "system"...
Generally, access users are named in the userid@isp-name or userid.isp-name format. Here, the isp-name after the "@" or "." character is the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old RADIUS servers cannot accept user names that carry ISP domain names.
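The naming rule above, as an added example that is not the switch's code: it splits a user name into userid and ISP domain for either delimiter form, falls back to a default domain when none was typed, and produces the User-Name value to send to a server that does or does not accept domain suffixes. Splitting at the last delimiter, the default domain name "system", and the behaviour for an empty userid or domain are assumptions made for the example, not statements about the switch.

```python
"""Resolving the ISP domain from an access user name, following the naming rule above.
Added example, not switch code. Assumptions: the name is split at the LAST delimiter
(so a userid containing the character survives), a name without a delimiter gets the
default domain, and an empty half is treated as 'no delimiter'."""


def split_domain(username: str, delimiter: str = "@", default_domain: str = "system"):
    """Return (userid, isp-name). delimiter is '@' (domain delimiter at) or '.' (dot)."""
    if delimiter not in ("@", "."):
        raise ValueError("delimiter must be '@' or '.'")
    userid, sep, domain = username.rpartition(delimiter)
    if not sep or not userid or not domain:       # no delimiter, or an empty half
        return username, default_domain
    return userid, domain


def radius_user_name(username: str, delimiter: str = "@", default_domain: str = "system",
                     with_domain: bool = True) -> str:
    """User-Name value sent to the RADIUS server. Old servers that reject names carrying a
    domain get the bare userid; otherwise the userid is sent with its (resolved) domain."""
    userid, domain = split_domain(username, delimiter, default_domain)
    return f"{userid}{delimiter}{domain}" if with_domain else userid
```

The practical consequence of the fallback is that a user who types no domain is authenticated in the default domain's scheme, so the default domain should point at the same server and policy you intend, not at a permissive local scheme.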
If you adopt the local RADIUS authentication server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this switch. The message encryption key set by the local-server nas-ip ip-address key password command must be identical with the authentication/authorization message encryption key set by the key authentication command in the RADIUS scheme view of the RADIUS scheme on the specified...
Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (Required. By default, a RADIUS scheme named "system" has already been created in the system.)
Set the response timeout time of RADIUS servers (Optional): timer response-timeout seconds. By default, the response timeout time of RADIUS servers is three...
In an environment where a CAMS server implements the AAA functions, consider an exclusive user (a user whose concurrent online number is set to 1 on the CAMS) who has been authenticated and authorized and whose accounting has started. If the switch then reboots and the user logs in again before the CAMS performs online user detection, the switch reports that the user is already online and the user cannot be authenticated.
HWTACACS Configuration Task List
Table 2-24 HWTACACS configuration tasks
Configuring the TACACS client:
  Creating a HWTACACS Scheme: Required
  Configuring TACACS Authentication Servers: Required
  Configuring TACACS Authorization Servers: Required
  Configuring TACACS Accounting Servers: Optional
  Configuring Shared Keys for HWTACACS Messages: Optional
  Configuring the Attributes of Data to be Sent to TACACS Servers: Optional
...
Set the IP address and port number of the primary TACACS authentication server (Required): primary authentication ip-address [ port ]. By default, the IP address of the primary authentication server is 0.0.0.0, and the port number is...
Set the IP address and port number of the secondary authentication server (Optional). By default, the IP address of the...
Configuring TACACS Accounting Servers
Table 2-28 Configure TACACS accounting servers
Enter system view: system-view (—)
Create a HWTACACS scheme and enter its view: hwtacacs scheme hwtacacs-scheme-name (Required. By default, no HWTACACS scheme exists.)
Set the IP address and port number of the primary accounting server (Required): primary accounting... By default, the IP address of...
Create a HWTACACS scheme and enter its view: hwtacacs scheme hwtacacs-scheme-name (Required. By default, no HWTACACS scheme exists.)
Set a shared key for HWTACACS authentication, authorization or accounting messages (Required): key { accounting | authorization | authentication } string. By default, no such key is set.
Configuring the Attributes of Data to be Sent to TACACS Servers...
Configuring the Timers Regarding TACACS Servers
Table 2-31 Configure the timers regarding TACACS servers
Enter system view: system-view (—)
Create a HWTACACS scheme and enter its view: hwtacacs scheme hwtacacs-scheme-name (Required. By default, no HWTACACS scheme exists.)
Set the response timeout time (Optional): timer response-timeout...
Display information about user connections (available in any view): display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | ipv6 ipv6-address | mac mac-address | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name ]
display local-user [ domain isp-name | idle-cut...
Delete buffered non-response stop-accounting requests: reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
AAA Configuration Examples
Per User Type AAA Configuration Example
Network Requirements
As shown in Figure 2-2, Host A, serving as an 802.1X user, accesses the network through Ethernet 1/0/1 of Switch, and Host B, serving as a telnet user, accesses the network through Ethernet 1/0/2 of Switch.
The Telnet user names added to the RADIUS server must be in the format of userid@isp-name if you have configured the switch to include domain names in the user names to be sent to the RADIUS server in the RADIUS scheme. Network diagram Figure 2-3 Remote RADIUS authentication of Telnet users Configuration procedure...
The configuration procedure for local authentication of FTP users is similar to that for Telnet users. The following text only takes Telnet users as example to describe the configuration procedure for local authentication. Network requirements In the network environment shown in Figure 2-4, you are required to configure the switch so that the Telnet users logging into the switch are authenticated locally.
Change the server IP address, and the UDP port number of the authentication server to 127.0.0.1, and 1645 respectively in the configuration step "Configure a RADIUS scheme" in section Remote RADIUS Authentication of Telnet/SSH Users. Enable the local RADIUS server function, set the IP address and shared key for the network access server to 127.0.0.1 and aabbcc, respectively.
Troubleshooting AAA Troubleshooting RADIUS Configuration The RADIUS protocol operates at the application layer in the TCP/IP protocol suite. This protocol prescribes how the switch and the RADIUS server of the ISP exchange user information with each other. Symptom 1: User authentication/authorization always fails. Possible reasons and solutions: The user name is not in the userid@isp-name or userid.isp-name format, or the default ISP domain is not correctly specified on the switch —...
Table of Contents
1 MAC Authentication Configuration 1-1
  MAC Authentication Overview 1-1
    Performing MAC Authentication on a RADIUS Server 1-1
    Performing MAC Authentication Locally 1-1
  Related Concepts 1-2
    MAC Authentication Timers 1-2
    Quiet MAC Address 1-2
  Configuring Basic MAC Authentication Functions 1-2
  MAC Address Authentication Enhanced Function Configuration 1-3
    MAC Address Authentication Enhanced Function Configuration Tasks 1-3
    Configuring a Guest VLAN 1-4
    Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port...
MAC Authentication Configuration
MAC Authentication Overview
MAC authentication authenticates users based on ports and MAC addresses, without requiring any client software on the hosts. Once the switch detects a new MAC address on a port, it initiates the authentication process. During authentication, the user does not need to enter a username or password manually.
Related Concepts MAC Authentication Timers The following timers function in the process of MAC authentication: Offline detect timer: At this interval, the switch checks to see whether an online user has gone offline. Once detecting that a user becomes offline, the switch sends a stop-accounting notice to the RADIUS server.
Set the user name in fixed mode for MAC authentication (Optional): mac-authentication authmode usernamefixed
Configure the user name in fixed mode for MAC authentication (Optional): mac-authentication authusername username. By default, the user name is "mac" and no password is configured.
Configuring the quiet MAC function on a port (Optional): see section "Configuring the Quiet MAC Function on a Port"
Configuring a Guest VLAN
Different from the Guest VLANs described in the 802.1x and System-Guard manual, the Guest VLANs mentioned in this section are Guest VLANs dedicated to MAC address authentication. After completing the configuration tasks in Configuring Basic MAC Authentication Functions for a switch,...
Table 1-3 Configure a Guest VLAN
Enter system view: system-view (—)
Enter Ethernet port view: interface interface-type interface-number (—)
Configure the Guest VLAN for the current port (Required): mac-authentication guest-vlan vlan-id. By default, no Guest VLAN is configured for a port.
Table 1-4 Configure the maximum number of MAC address authentication users allowed to access a port
Enter system view: system-view (—)
Enter Ethernet port view: interface interface-type interface-number (—)
Configure the maximum number of MAC address authentication users allowed to access the port (Required): mac-authentication... By default, the maximum number of MAC address authentication...
Table 1-6 Display and debug MAC authentication
Display global or on-port information about MAC authentication (available in any view): display mac-authentication [ interface interface-list ]
Clear the statistics of global or on-port MAC authentication (available in user view): reset mac-authentication statistics [ interface interface-type interface-number ]...
# Specify to perform local authentication.
[Sysname-isp-aabbcc.net] scheme local
[Sysname-isp-aabbcc.net] quit
# Specify aabbcc.net as the ISP domain for MAC authentication.
[Sysname] mac-authentication domain aabbcc.net
# Enable MAC authentication globally. (This is usually the last step in configuring access control related features.
Table of Contents
1 ARP Configuration 1-1
  Introduction to ARP 1-1
    ARP Function 1-1
    ARP Message Format 1-1
    ARP Table 1-2
    ARP Process 1-3
    Introduction to ARP Attack Detection 1-4
    Introduction to ARP Packet Rate Limit 1-5
    Introduction to Gratuitous ARP 1-5
  ARP Configuration 1-5
    Configuring ARP Basic Functions 1-5
    Configuring ARP Attack Detection 1-6
...
ARP Configuration
Introduction to ARP
ARP Function
Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address. An IP address is the address of a host at the network layer. To send a network layer packet to a destination host, the device must know the data link layer address (MAC address, for example) of the destination host or the next hop.
Table 1-1 describes the fields of an ARP packet.
Table 1-1 Description on the fields of an ARP packet
Field: Hardware Type
  Description: Type of the hardware interface. Refer to Table 1-2 for the information about the field values.
Field: Protocol type
  Description: Type of protocol address to be mapped. 0x0800 indicates an IP address.
Table 1-3 ARP entries
ARP entry: Static ARP entry
  Generation Method: Manually configured
  Maintenance Mode: Manual maintenance
ARP entry: Dynamic ARP entry
  Generation Method: Dynamically generated
  Maintenance Mode: ARP entries of this type age with time. The aging period is set by the ARP aging timer.
ARP Process
Figure 1-2 ARP process
Suppose that Host A and Host B are on the same subnet and that Host A sends a message to Host B.
Introduction to ARP Attack Detection
Man-in-the-middle attack
According to the ARP design, after receiving an ARP response, a host adds the IP-to-MAC mapping of the sender into its ARP mapping table even if the MAC address is not the real one. This can reduce the ARP traffic in the network, but it also makes ARP spoofing possible.
packets, or through trusted ports if the MAC address table contains no such destination MAC addresses.
Introduction to ARP Packet Rate Limit
To prevent the man-in-the-middle attack, a switch enabled with the ARP attack detection function delivers ARP packets to the CPU to check the validity of the packets. However, this causes a new problem: if an attacker sends a large number of ARP packets to a port of a switch, the CPU will get overloaded, causing other functions to fail, and even the whole device to break down.
Operation: Configure the ARP aging timer
  Command: arp timer aging aging-time
  Remarks: Optional. By default, the ARP aging timer is set to 20 minutes.
Operation: Enable the ARP entry checking function (that is, disable the switch from learning ARP entries with...
  Command: arp check enable
  Remarks: Optional. By default, the ARP entry checking function is...
Operation: Configure the port as an ARP trusted port
  Command: arp detection trust
  Remarks: Optional. By default, a port is an untrusted port.
Operation: Quit to system view
  Command: quit
  Remarks: —
Operation: Enter VLAN view
  Command: vlan vlan-id
  Remarks: —
Operation: Enable ARP restricted forwarding
  Command: arp restricted-forwarding
  Remarks: Optional. By default, the ARP restricted forwarding function is disabled.
Operation: Quit to system view
  Command: quit
  Remarks: —
Operation: Enable the port state auto-recovery function
  Command: arp protective-down recover enable
  Remarks: Optional. By default, the port state auto-recovery function is disabled.
Operation: Configure the port state auto-recovery interval
  Command: arp protective-down recover interval...
  Remarks: Optional. By default, when the port state auto-recovery function is...
Table 1-8 Display and debug ARP
Operation: Display specific ARP mapping table entries
  Command: display arp [ static | dynamic | ip-address ]
Operation: Display the ARP mapping entries related to a specified string in a specified way
  Command: display arp [ dynamic | static ] | { begin | include | exclude } regular-expression
Operation: ...
  Command: display arp count [ [ dynamic | static ]...
Enable the port state auto recovery function on the ports of Switch A, and set the recovery interval to 200 seconds.
Network diagram
Figure 1-4 ARP attack detection and packet rate limit configuration
Configuration procedure
# Enable DHCP snooping on Switch A.
<SwitchA>...
# Configure the port state auto recovery function, and set the recovery interval to 200 seconds.
[SwitchA] arp protective-down recover enable
[SwitchA] arp protective-down recover interval 200
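The following is an added example, not 3Com code, that models the three switch-side mechanisms described in this chapter in Python: an ARP frame is parsed into the fields of Table 1-1, the sender IP/MAC of a frame arriving on an untrusted port is checked against a binding table (as DHCP snooping or static bindings would populate it), and each port is rate-limited so that a flood shuts the port down and the auto-recovery interval re-enables it. The binding table, port names, MAC addresses, the 15 packet-per-second threshold and the 200-second recovery interval are constructed for the example; the verdict strings are the example's own.

```python
import struct
from collections import defaultdict

# Added example: ARP validation against a binding table, per-port ARP rate limiting,
# protective port shutdown and timed auto-recovery. Not 3Com code; all names,
# addresses and thresholds are constructed.

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II + ARP frame (hardware type 1, protocol type 0x0800)."""
    mac = lambda m: bytes.fromhex(m.replace(":", "").replace("-", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    eth_dst = mac(target_mac) if oper == 2 else b"\xff" * 6   # replies unicast, requests broadcast
    header = struct.pack("!6s6sH", eth_dst, mac(sender_mac), 0x0806)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))
    return header + body

def parse_arp(frame):
    """Parse the ARP fields of Table 1-1 (IPv4 over Ethernet only)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        raise ValueError("not an Ethernet ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"oper": oper,
            "sender_mac": sha.hex(), "sender_ip": ".".join(map(str, spa)),
            "target_mac": tha.hex(), "target_ip": ".".join(map(str, tpa))}

class ArpGuard:
    """Switch-side checks: rate limit first, then the binding check on untrusted ports."""

    def __init__(self, bindings, trusted_ports, max_pps=15, recover_interval=200):
        self.bindings = dict(bindings)        # (port, ip) -> mac, from DHCP snooping or static entries
        self.trusted = set(trusted_ports)
        self.max_pps = max_pps                # ARP frames per second a port may hand to the CPU
        self.recover_interval = recover_interval   # seconds a shut-down port stays down
        self.arrivals = defaultdict(list)     # port -> arrival times within the last second
        self.down_until = {}                  # port -> time at which auto-recovery re-enables it

    def _within_rate(self, port, now):
        recent = [t for t in self.arrivals[port] if now - t < 1.0]
        recent.append(now)
        self.arrivals[port] = recent
        return len(recent) <= self.max_pps

    def handle(self, port, frame, now):
        """Return the verdict for one ARP frame received on `port` at time `now` (seconds)."""
        if port in self.down_until:
            if now < self.down_until[port]:
                return "drop: port down"
            del self.down_until[port]         # auto-recovery after the configured interval
        if not self._within_rate(port, now):
            self.down_until[port] = now + self.recover_interval
            return "port-down: ARP rate exceeded"
        if port in self.trusted:
            return "forward"                  # trusted ports skip the binding check
        arp = parse_arp(frame)
        if self.bindings.get((port, arp["sender_ip"])) != arp["sender_mac"]:
            return "drop: sender not in binding table"
        return "forward"

def scenario():
    """Constructed traffic run through the guard; returns the verdict of each step."""
    bindings = {("Eth1/0/1", "10.1.1.10"): "0011223344aa",    # constructed DHCP-snooping entries
                ("Eth1/0/2", "10.1.1.20"): "0011223344bb"}
    guard = ArpGuard(bindings, trusted_ports={"Eth1/0/5"}, max_pps=15, recover_interval=200)
    legit = build_arp(1, "00:11:22:33:44:aa", "10.1.1.10", "00:00:00:00:00:00", "10.1.1.1")
    # A reply from the host on Eth1/0/2 that claims the gateway address 10.1.1.1
    spoof = build_arp(2, "00:11:22:33:44:bb", "10.1.1.1", "00:11:22:33:44:aa", "10.1.1.10")
    results = {"legit": guard.handle("Eth1/0/1", legit, now=0.0),
               "spoof": guard.handle("Eth1/0/2", spoof, now=0.0),
               "trusted": guard.handle("Eth1/0/5", spoof, now=0.0)}
    # 16 frames within one second on Eth1/0/1 exceed the 15 pps threshold
    verdicts = [guard.handle("Eth1/0/1", legit, now=10.0 + i / 100) for i in range(16)]
    results["flood_last"] = verdicts[-1]
    results["while_down"] = guard.handle("Eth1/0/1", legit, now=100.0)
    results["after_recovery"] = guard.handle("Eth1/0/1", legit, now=400.0)
    return results

if __name__ == "__main__":
    for step, verdict in scenario().items():
        print(f"{step:15s} {verdict}")
```

The rate limiter counts frames before the binding check, so a flood of well-formed frames from a bound host still shuts the port down, which is what protects the CPU; the binding check then only runs on frames that survived the rate limit on an untrusted port.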
Table of Contents
1 DHCP Overview 1-1
  Introduction to DHCP 1-1
  DHCP IP Address Assignment 1-1
    IP Address Assignment Policy 1-1
    Obtaining IP Addresses Dynamically 1-2
    Updating IP Address Lease 1-2
  DHCP Packet Format 1-3
  Protocol Specification 1-4
2 DHCP Server Configuration 2-1
  Introduction to DHCP Server 2-1
    Usage of DHCP Server 2-1
    DHCP Address Pool 2-1
    DHCP IP Address Preferences 2-3
...
    Introduction to DHCP Accounting 2-23
    DHCP Accounting Fundamentals 2-23
    DHCP Accounting Configuration 2-24
  Enabling the DHCP Server to Process Option 82 2-24
  Displaying and Maintaining the DHCP Server 2-25
  DHCP Server Configuration Examples 2-26
    DHCP Server Configuration Example 2-26
    DHCP Server with Option 184 Support Configuration Example 2-28
    DHCP Accounting Configuration Example 2-29
  Troubleshooting a DHCP Server 2-31
3 DHCP Snooping Configuration 3-1
...
DHCP Overview
Introduction to DHCP
As networks grow larger and more complex, a shortage of available IP addresses becomes the common situation network administrators have to face, and network configuration becomes a demanding task. With the emergence of wireless networks and the use of laptops, hosts change location and IP addresses frequently, which also calls for new technology.
Obtaining IP Addresses Dynamically
A DHCP client undergoes the following four phases to dynamically obtain an IP address from a DHCP server:
Discover: In this phase, the DHCP client tries to find a DHCP server by broadcasting a DHCP-DISCOVER packet.
Offer: In this phase, the DHCP server offers an IP address.
If the DHCP client fails to update its IP address lease when half of the lease time elapses, it will update its IP address lease by broadcasting a DHCP-REQUEST packet to the DHCP servers again when seven-eighths of the lease time elapses. The DHCP server performs the same operations as those described above.
Protocol Specification
Protocol specifications related to DHCP include:
RFC2131: Dynamic Host Configuration Protocol
RFC2132: DHCP Options and BOOTP Vendor Extensions
RFC1542: Clarifications and Extensions for the Bootstrap Protocol
RFC3046: DHCP Relay Agent Information option...
DHCP Server Configuration
When configuring the DHCP server, go to these sections for information you are interested in:
Introduction to DHCP Server
DHCP Server Configuration Task List
Enabling DHCP
Configuring the Global Address Pool Based DHCP Server
Configuring the Interface Address Pool Based DHCP Server
Configuring DHCP Server Security Functions
Configuring DHCP Accounting Functions
Enabling the DHCP Server to Process Option 82...
Types of address pool
The address pools of a DHCP server fall into two types: global address pool and interface address pool. A global address pool is created by executing the dhcp server ip-pool command in system view. It is valid on the current device. If an interface is configured with a valid unicast IP address, you can create an interface-based address pool for the interface by executing the dhcp select interface command in interface view.
If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server will select this address pool and assign the statically bound IP address to the client. Otherwise, the DHCP server observes the following principles to select a dynamic address pool.
To do: Enable DHCP
  Command: dhcp enable
  Remarks: Optional. By default, DHCP is enabled.
To improve security and avoid malicious attacks on unused sockets, the Switch 4210 Family provides the following functions: UDP port 67 and UDP port 68, the ports used by DHCP, are enabled only when DHCP is enabled, and are disabled when DHCP is disabled.
Enabling the Global Address Pool Mode on Interface(s)
You can configure the global address pool mode on the specified or all interfaces of a DHCP server. After that, when the DHCP server receives DHCP packets from DHCP clients through these interfaces, it assigns IP addresses in the global address pool to the DHCP clients.
address, the DHCP server searches for the IP address corresponding to the MAC address of the DHCP client and assigns the IP address to the DHCP client. When some DHCP clients send DHCP-DISCOVER packets to the DHCP server to apply for IP addresses, they construct client IDs and add them in the DHCP-DISCOVER packets.
To improve security and avoid malicious attacks on unused sockets, the Switch 4210 Family provides the following functions: UDP port 67 and UDP port 68, the ports used by DHCP, are enabled only when DHCP is enabled, and are disabled when DHCP is disabled. The corresponding implementation is as follows: after a DHCP address pool is created by executing the dhcp server ip-pool command, the UDP 67 and UDP 68 ports used by DHCP are enabled.
In the same DHCP global address pool, the network command can be executed repeatedly. In this case, the new configuration overwrites the previous one. The dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple IP addresses that are not dynamically assigned to DHCP clients. If an IP address that is not to be automatically assigned has been configured as a statically-bound IP address, the DHCP server still assigns this IP address to the client whose MAC address or ID has been bound.
Configuring WINS Servers for the DHCP Client
For Microsoft Windows-based DHCP clients that communicate through the NetBIOS protocol, host name-to-IP address translation is carried out by Windows Internet Naming Service (WINS) servers, so you need to perform WINS-related configuration for most Windows-based hosts. To implement host name-to-IP address translation for DHCP clients, you should enable the DHCP server to assign WINS server addresses when assigning IP addresses to DHCP clients.
Configuring Gateways for the DHCP Client
Gateways are necessary for DHCP clients to access servers/hosts outside the current network segment. After you configure gateway addresses on a DHCP server, the DHCP server provides the gateway addresses to DHCP clients as well while assigning IP addresses to them. You can configure gateway addresses for global address pools on a DHCP server.
Sub-option 4: Fail-over call routing.
Meanings of the sub-options for Option 184
Figure 2-1 Meanings of the sub-options for Option 184
Sub-option: The NCP-IP sub-option
  Function: The IP address of the NCP server carried by sub-option 1 of Option 184 is intended for...
  Note: When used in Option 184, this sub-option...
For the configurations specifying to add sub-option 2, sub-option 3, and sub-option 4 in the response packets to take effect, you need to configure the DHCP server to add sub-option 1.
Mechanism of using Option 184 on DHCP server
The DHCP server encapsulates the information for Option 184 to carry in the response packets sent to the DHCP clients.
Specify an IP address for the network calling processor before performing other configuration.
Configuring a Self-Defined DHCP Option
By configuring self-defined DHCP options, you can:
Define new DHCP options. New configuration options will come out with DHCP development. To support new options, you can add them into the attribute list of the DHCP server.
Extend existing DHCP options.
Configuring the Interface Address Pool Based DHCP Server
In the interface address pool mode, after the addresses in the interface address pool have been assigned, the DHCP server picks IP addresses from the global interface address pool containing the network segment of the interface address pool and assigns them to the DHCP clients. As a result, the IP addresses obtained from global address pools and those obtained from interface address pools are not on the same network segment, so the clients cannot communicate with each other.
Task: Enabling the Interface Address Pool Mode on Interface(s)
  Remarks: Required
Task: Configuring an Address Allocation Mode for an ... (Configuring the static IP address allocation mode; Configuring the dynamic IP address...)
  Remarks: One of the two options is required. These two options can be configured at the same time.
To improve security and avoid malicious attacks on unused sockets, S3600 Ethernet switches provide the following functions: UDP port 67 and UDP port 68, the ports used by DHCP, are enabled only when DHCP is enabled, and are disabled when DHCP is disabled. The corresponding implementation is as follows: after a DHCP interface address pool is created by executing the dhcp select interface command, UDP port 67 and UDP port 68 used by DHCP are enabled.
There is no limit to the number of IP addresses statically bound in an interface address pool, but the IP addresses statically bound in interface address pools and the interface IP addresses must be in the same network segment.
To do: Specify the IP addresses that are not dynamically assigned
  Command: dhcp server forbidden-ip low-ip-address [ high-ip-address ]
  Remarks: Optional. By default, all IP addresses in a DHCP address pool are available for being dynamically assigned.
The dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple IP addresses that are not dynamically assigned to DHCP clients.
To do: Enter system view
  Command: system-view
  Remarks: —
To do: Configure DNS server addresses for DHCP clients on the current interface
  Command: interface interface-type interface-number; dhcp server dns-list ip-address&<1-8>; quit
  Remarks: Required. By default, no DNS server address is configured.
To do: Configure DNS server addresses for DHCP clients on multiple interfaces
  Command: dhcp server dns-list ip-address&<1-8>...
  Remarks: ...configured.
To do: Configure multiple interfaces in system view
  Command: dhcp server nbns-list ip-address&<1-8> { interface interface-type interface-number [ to interface-type interface-number ] | all }
To do: Configure the current interface
  Command: interface interface-type interface-number; dhcp server netbios-type { b-node | h-node | m-node | p-node }
  Remarks: Required...
Follow these steps to configure Option 184 parameters for the client with voice service:
To do: Enter system view
  Command: system-view
  Remarks: —
To do: Enter interface view
  Command: interface interface-type interface-number
  Remarks: —
To do: Specify the primary network calling processor
  Command: dhcp server voice-config ncp-ip ip-address
  Remarks: Required. Not specified by...
Define new DHCP options. New configuration options will come out with DHCP development. To support new options, you can add them into the attribute list of the DHCP server.
Extend existing DHCP options. When the current DHCP options cannot meet customers’ requirements (for example, you cannot use the dns-list command to configure more than eight DNS server addresses), you can configure a self-defined option for extension.
To do: Enable the unauthorized DHCP server detecting function
  Command: dhcp server detect
  Remarks: Required. Disabled by default.
With the unauthorized DHCP server detection enabled, the relay agent will log all DHCP servers, including authorized ones, and each server is recorded only once. The administrator needs to find unauthorized DHCP servers from the system log information.
After sending a DHCP-ACK packet with the IP configuration parameters to the DHCP client, the DHCP server sends an Accounting START packet to a specified RADIUS server. The RADIUS server processes the packet, makes a record, and sends a response to the DHCP server. When releasing a lease, the DHCP server sends an Accounting STOP packet to the RADIUS server.
If a DHCP server is configured to ignore Option 82, after the DHCP server receives packets containing Option 82, the DHCP server will not add Option 82 into the responses when assigning IP addresses and other configuration information to the clients. Follow these steps to configure the DHCP server to process Option 82: To do…...
DHCP Server Configuration Examples
DHCP Server Configuration Example
Network requirements
The DHCP server (Switch A) assigns IP addresses to clients in subnet 10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25. The IP addresses of VLAN-interface 1 and VLAN-interface 2 on Switch A are 10.1.1.1/25 and 10.1.1.129/25 respectively.
If you use the inheriting relation of parent and child address pools, make sure that the number of the assigned IP addresses does not exceed the number of the IP addresses in the child address pool; otherwise extra IP addresses will be obtained from the parent address pool, and the attributes (for example, gateway) also are based on the configuration of the parent address pool.
DHCP Server with Option 184 Support Configuration Example
Network requirements
A 3COM VCX device operating as a DHCP client requests the DHCP server for all sub-options of Option 184. A switch operates as the DHCP server. The Option 184 support function is configured for a global DHCP address pool.
Figure 2-3 Network diagram for Option 184 support configuration
Configuration procedure
Configure the DHCP client.
Configure the 3COM VCX device to operate as a DHCP client and to request all sub-options of Option 184. (Configuration process omitted)
Configure the DHCP server.
The IP address of VLAN-interface 1 is 10.1.1.1/24, and that of VLAN-interface 2 is 10.1.2.1/24. The IP address of the RADIUS server is 10.1.2.2/24. DHCP accounting is enabled on the DHCP server. The IP addresses of the global DHCP address pool belong to the network segment 10.1.1.0. The DHCP server operates as a RADIUS client and adopts AAA for authentication.
[Sysname] domain 123
[Sysname-isp-123] scheme radius-scheme 123
[Sysname-isp-123] quit
# Create an address pool on the DHCP server.
[Sysname] dhcp server ip-pool test
[Sysname-dhcp-pool-test] network 10.1.1.0 mask 255.255.255.0
# Enable DHCP accounting.
[Sysname-dhcp-pool-test] accounting domain 123
Troubleshooting a DHCP Server
Symptom
The IP address dynamically assigned by a DHCP server to a client conflicts with the IP address of another host.
DHCP Snooping Configuration
Introduction
Introduction to DHCP Snooping
For the sake of security, the IP addresses used by online DHCP clients need to be tracked for the administrator to verify the corresponding relationship between the IP addresses the DHCP clients obtained from DHCP servers and the MAC addresses of the DHCP clients.
Overview of DHCP-Snooping Option 82
Introduction to Option 82
Option 82 is the relay agent information option in the DHCP message. It records the location information of the DHCP client. When a DHCP relay agent (or a device enabled with DHCP snooping) receives a client’s request, it adds the Option 82 to the request message and sends it to the server.
default padding contents). In the standard format, the Circuit ID or Remote ID sub-option does not contain the two-byte type and length fields of the circuit ID or remote ID.
Figure 3-4 Standard format of the circuit ID sub-option
Figure 3-5 Standard format of the remote ID sub-option
Mechanism of DHCP-snooping Option 82
With DHCP snooping and DHCP-snooping Option 82 support enabled, when the DHCP snooping device receives a DHCP client’s request containing Option 82, it will handle the packet according to the...
Sub-option configuration: Circuit ID sub-option is configured.
  The DHCP-Snooping device will: Forward the packet after adding Option 82 with the configured circuit ID sub-option in ASCII format.
Sub-option configuration: Remote ID sub-option is configured.
  The DHCP-Snooping device will: Forward the packet after adding Option 82 with the configured remote...
Filtering the source IP address in a packet. If the source IP address and the number of the port that receives the packet are consistent with entries in the DHCP-snooping table or static binding table, the switch regards the packet as a valid packet and forwards it; otherwise, the switch drops it directly.
After DHCP snooping is enabled, all ports of a Switch 4210 are untrusted ports. You need to specify the port of the Switch 4210 connected to the valid DHCP server as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP clients must be in the same VLAN.
Operation: Configure a global handling policy for requests that contain Option 82
  Command: dhcp-snooping information strategy { drop | keep | replace }
  Description: Optional. The default handling policy is replace.
Operation: Enter Ethernet port view
  Command: interface interface-type interface-number
  Description: —
Operation: Configure a handling policy for requests that contain Option 82...
  Command: dhcp-snooping information...
  Description: Optional
Operation: Configure the circuit ID sub-option in Option 82
  Command: dhcp-snooping information [ vlan vlan-id ] circuit-id string string
  Description: Optional. By default, the circuit ID sub-option contains the VLAN ID and port index related to the port that receives DHCP request packets from DHCP clients.
If you have configured a circuit ID with the vlan vlan-id argument specified, and the other one...
If you configure a remote ID sub-option in both system view and on a port, the remote ID sub-option configured on the port applies when the port receives a packet, and the global remote ID applies to other interfaces that have no remote ID sub-option configured. If you have configured a remote ID with the vlan vlan-id argument specified, and the other one without the argument in Ethernet port view, the former remote ID applies to the DHCP messages from the specified VLAN, while the latter one applies to DHCP messages from other VLANs.
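As an added example (not 3Com code) of the Option 82 mechanism described above, the following Python block builds and parses the DHCP options field, inserts an Option 82 with circuit ID and remote ID sub-options into a client request that lacks one, and applies the drop / keep / replace policy (global default replace, overridable per port) to a request that already carries one. The sub-option codes 1 (circuit ID) and 2 (remote ID) come from RFC 3046. Two things are assumptions of the example rather than the page's: the byte layout of the default circuit ID (the text says it carries the VLAN ID and port index but gives no format, so a 2+2 byte big-endian pair is used) and the default remote ID content (the device MAC, which the page does not specify); the port, VLAN and string values are constructed.

```python
import struct

# Added example (not 3Com code): DHCP options handling and Option 82 insertion/policy on a
# DHCP-snooping device. Default circuit-ID layout and default remote-ID content are assumptions.

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_RELAY_AGENT, OPT_END = 0, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2          # sub-option codes defined in RFC 3046

def parse_options(payload):
    """Split the DHCP options field (magic cookie first) into an ordered [(code, value), ...]."""
    if payload[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = [], 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = payload[i + 1]
        opts.append((code, payload[i + 2:i + 2 + length]))
        i += 2 + length
    return opts

def serialize_options(opts):
    out = bytearray(DHCP_MAGIC)
    for code, value in opts:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)

def parse_option82(value):
    """Decode the sub-options inside an Option 82 value into {sub-code: bytes}."""
    subs, i = {}, 0
    while i < len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs

def build_option82(circuit_id, remote_id):
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)

class SnoopingPort:
    """Per-port Option 82 settings: configured strings are sent in ASCII, as the text says."""
    def __init__(self, vlan, port_index, circuit_id=None, remote_id=None, strategy=None):
        self.vlan, self.port_index = vlan, port_index
        self.circuit_id, self.remote_id = circuit_id, remote_id
        self.strategy = strategy                  # per-port override of the global policy

class Option82Handler:
    def __init__(self, device_mac, global_strategy="replace"):
        self.device_mac = device_mac              # assumed content of the default remote ID
        self.global_strategy = global_strategy    # replace is the default named in the text

    def _option82_for(self, port):
        # Assumed default circuit ID layout: VLAN ID and port index as two big-endian 16-bit fields
        circuit = (port.circuit_id.encode("ascii") if port.circuit_id
                   else struct.pack("!HH", port.vlan, port.port_index))
        remote = port.remote_id.encode("ascii") if port.remote_id else self.device_mac
        return build_option82(circuit, remote)

    def handle_request(self, options_payload, port):
        """Return (action, new options payload or None) for a client request received on port."""
        opts = parse_options(options_payload)
        ours = self._option82_for(port)
        if not any(code == OPT_RELAY_AGENT for code, _ in opts):
            return "insert", serialize_options(opts + [(OPT_RELAY_AGENT, ours)])
        strategy = port.strategy or self.global_strategy
        if strategy == "drop":
            return "drop", None
        if strategy == "keep":
            return "keep", serialize_options(opts)
        return "replace", serialize_options([(c, ours if c == OPT_RELAY_AGENT else v) for c, v in opts])

def scenario():
    """Constructed requests run through the handler; returns (action, decoded Option 82) per case."""
    handler = Option82Handler(device_mac=bytes.fromhex("000fe2000001"))    # constructed switch MAC
    port_default = SnoopingPort(vlan=1, port_index=2)
    port_custom = SnoopingPort(vlan=1, port_index=3, circuit_id="bld-a-rack3", strategy="keep")
    port_drop = SnoopingPort(vlan=1, port_index=4, strategy="drop")
    plain = serialize_options([(53, b"\x01")])                       # option 53 = DHCPDISCOVER
    tagged = serialize_options([(53, b"\x01"), (OPT_RELAY_AGENT, build_option82(b"bogus", b"x"))])

    def run(payload, port):
        action, out = handler.handle_request(payload, port)
        return action, (parse_option82(dict(parse_options(out))[OPT_RELAY_AGENT]) if out else None)

    return {"insert": run(plain, port_default), "custom_insert": run(plain, port_custom),
            "replace": run(tagged, port_default), "keep": run(tagged, port_custom),
            "drop": run(tagged, port_drop)}
```

Under the default replace policy a request that already carries an Option 82 leaves the device with the snooping switch's own circuit ID, which is what makes the sub-option trustworthy as location information; keep preserves whatever the client or an upstream device put there.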
Enable DHCP snooping and specify trusted ports on the switch before configuring IP filtering. It is not recommended to configure IP filtering on the ports of an aggregation group. To create a static binding after IP filtering is enabled with the mac-address keyword specified on a port, the mac-address argument must be specified;...
Network diagram
Figure 3-8 Network diagram for DHCP-snooping Option 82 support configuration (the DHCP server connects to Eth1/0/5 of the DHCP snooping switch; Client A, Client B and Client C connect to Eth1/0/1 through Eth1/0/3)
Configuration procedure
# Enable DHCP snooping on the switch.
<Switch> system-view
[Switch] dhcp-snooping
# Specify Ethernet1/0/5 as the trusted port.
Enable IP filtering on Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 to prevent attacks on the server from clients using fake source IP addresses. Create static binding entries on the switch, so that Host A using a fixed IP address can access the external network.
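The following added example (Python, not 3Com code) models the DHCP snooping behaviour that this chapter and the requirements above rely on: server messages (OFFER, ACK, NAK) are accepted only on a trusted port, a binding entry (IP, MAC, port, VLAN, lease expiry) is learned from the ACK answering a request seen on an untrusted port, a static binding is added for a host with a fixed address, and IP filtering drops packets whose source IP and receiving port do not match a live binding. DHCP messages are represented as constructed dicts rather than parsed from bytes so that the table logic stays in view; port names, addresses, MACs and the lease length are constructed.

```python
from dataclasses import dataclass

# Added example (not 3Com code): DHCP-snooping binding table, trusted-port enforcement,
# static bindings and IP filtering. Messages and addresses below are constructed.

STATIC = float("inf")              # expiry marker for static bindings (they never age out)

@dataclass
class Binding:
    ip: str
    mac: str
    port: str
    vlan: int
    expires: float                 # absolute time in seconds; STATIC for static entries

class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)     # ports facing the valid DHCP server
        self.bindings = {}                    # ip -> Binding
        self.requests = {}                    # client MAC -> (port, vlan) of its latest request
        self.filtered = set()                 # ports with IP filtering enabled

    def on_dhcp(self, msg, now):
        """Verdict for a DHCP message: msg carries type, port, vlan, chaddr and, for ACK, yiaddr/lease."""
        kind = msg["type"]
        if kind in ("DISCOVER", "REQUEST"):
            self.requests[msg["chaddr"]] = (msg["port"], msg["vlan"])
            return "forward"
        if kind == "RELEASE":
            b = self.bindings.get(msg["ciaddr"])
            if b and b.mac == msg["chaddr"] and b.expires != STATIC:
                del self.bindings[msg["ciaddr"]]
            return "forward"
        # OFFER, ACK and NAK come from a server: accept them only on trusted ports
        if msg["port"] not in self.trusted:
            return "drop: server message on untrusted port"
        if kind == "ACK" and msg["chaddr"] in self.requests:
            port, vlan = self.requests[msg["chaddr"]]
            self.bindings[msg["yiaddr"]] = Binding(msg["yiaddr"], msg["chaddr"], port, vlan,
                                                  now + msg["lease"])
        return "forward"

    def add_static_binding(self, ip, mac, port, vlan):
        self.bindings[ip] = Binding(ip, mac, port, vlan, STATIC)

    def enable_ip_filter(self, port):
        self.filtered.add(port)

    def check_ip_packet(self, port, src_ip, src_mac, now, check_mac=False):
        """IP filtering: source IP (optionally MAC) and receiving port must match a live binding."""
        if port not in self.filtered:
            return "forward"
        b = self.bindings.get(src_ip)
        if b is None or b.port != port or b.expires <= now:
            return "drop"
        if check_mac and b.mac != src_mac:
            return "drop"
        return "forward"

def scenario():
    """Constructed exchange on a switch with the server on Eth1/0/5; returns each verdict."""
    sw = DhcpSnooping(trusted_ports={"Eth1/0/5"})
    for p in ("Eth1/0/2", "Eth1/0/3", "Eth1/0/4"):
        sw.enable_ip_filter(p)
    sw.add_static_binding("10.1.1.50", "00aa00aa00aa", "Eth1/0/4", 1)   # Host A with a fixed address
    client = "001122334455"
    r = {}
    r["discover"] = sw.on_dhcp({"type": "DISCOVER", "port": "Eth1/0/2", "vlan": 1, "chaddr": client}, now=0)
    r["rogue_offer"] = sw.on_dhcp({"type": "OFFER", "port": "Eth1/0/3", "vlan": 1, "chaddr": client}, now=1)
    r["offer"] = sw.on_dhcp({"type": "OFFER", "port": "Eth1/0/5", "vlan": 1, "chaddr": client}, now=1)
    sw.on_dhcp({"type": "REQUEST", "port": "Eth1/0/2", "vlan": 1, "chaddr": client}, now=2)
    r["ack"] = sw.on_dhcp({"type": "ACK", "port": "Eth1/0/5", "vlan": 1, "chaddr": client,
                           "yiaddr": "10.1.1.10", "lease": 3600}, now=3)
    r["bound_ip"] = sw.check_ip_packet("Eth1/0/2", "10.1.1.10", client, now=10)
    r["fake_ip"] = sw.check_ip_packet("Eth1/0/2", "10.1.1.99", client, now=10)
    r["wrong_port"] = sw.check_ip_packet("Eth1/0/3", "10.1.1.10", client, now=10)
    r["static_host"] = sw.check_ip_packet("Eth1/0/4", "10.1.1.50", "00aa00aa00aa", now=10)
    r["expired"] = sw.check_ip_packet("Eth1/0/2", "10.1.1.10", client, now=3 + 3600)
    r["unfiltered"] = sw.check_ip_packet("Eth1/0/5", "10.1.1.99", client, now=10)
    return r
```

The binding records the port on which the client's request arrived, not the port of the ACK, which is why a host on another port cannot reuse a neighbour's leased address; the lease expiry is what keeps the table from accepting stale addresses after the server has reassigned them.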
DHCP Packet Rate Limit Configuration
Introduction to DHCP Packet Rate Limit
To prevent ARP attacks and attacks from unauthorized DHCP servers, ARP packets and DHCP packets will be processed by the switch CPU for validity checking. But, if attackers generate a large number of ARP packets or DHCP packets, the switch CPU will be under extremely heavy load.
DHCP/BOOTP Client Configuration
Introduction to DHCP Client
After you specify a VLAN interface as a DHCP client, the device can use DHCP to obtain parameters such as IP address dynamically from the DHCP server, which facilitates user configuration and management. Refer to “Obtaining IP Addresses Dynamically”...
How Automatic Configuration Works
Figure 5-1 Network diagram for automatic configuration
The Switch 4210 supports automatic configuration. The working process is as follows: as shown in the above figure, when the switch starts up, it automatically configures the VLAN interface of the default VLAN (in UP state) as a DHCP client. The DHCP client broadcasts a DHCP request.
An intermediate file maintains the IP address-to-host name mappings which are created using the ip host hostname ip-address command. When you use this command: The hostname argument is a character string consisting of letters, digits, “.” and “_” only, which cannot start with “.”.
Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to assign an IP address to the BOOTP client, without needing to configure any BOOTP server.
Configuring a DHCP/BOOTP Client
Follow these steps to configure a DHCP/BOOTP client:
Operation Command Description...
DHCP Client Configuration Example
Network requirements
Using DHCP, VLAN-interface 1 of Switch A is connected to the LAN to obtain an IP address from the DHCP server.
Network diagram
Figure 5-2 A DHCP network
Configuration procedure
The following describes only the configuration on Switch A serving as a DHCP client.
# Configure VLAN-interface 1 to dynamically obtain an IP address by using DHCP.
Table of Contents
1 ACL Configuration 1-1
  ACL Overview 1-1
    ACL Matching Order 1-1
    Ways to Apply an ACL on a Switch 1-2
    Types of ACLs Supported by Switch 4210 Series 1-3
  ACL Configuration 1-3
    Configuring Time Range 1-3
    Configuring Basic ACL 1-4
    Configuring Advanced ACL 1-5
    Configuring Layer 2 ACL 1-7
  ACL Assignment 1-8
    Assigning an ACL Globally 1-8
...
ACL Configuration
ACL Overview
As networks grow in scale and traffic volume, security control and bandwidth assignment play an increasingly important role in network management. Filtering data packets efficiently prevents unauthorized users from accessing a network, while also controlling network traffic and saving network resources.
Depth-first match order for rules of an advanced ACL
Protocol range: A rule which has specified the types of the protocols carried by IP is prior to others.
Range of source IP address: The smaller the source IP address range (that is, the more the number of zeros in the wildcard mask), the higher the match priority.
When an ACL is directly applied to hardware for packet filtering, the switch will permit packets if the packets do not match the ACL. When an ACL is referenced by upper-layer software to control Telnet, SNMP and Web login users, the switch will deny packets if the packets do not match the ACL.
Note that:
If only a periodic time section is defined in a time range, the time range is active only when the system time is within the defined periodic time section.
If multiple periodic time sections are defined in a time range, the time range is active only when the system time is within one of the periodic time sections.
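The following is an added example, not 3Com code, that puts the three ACL behaviours described above into working Python: wildcard-mask matching, the depth-first (auto) match order for an advanced ACL as stated in the text (a rule naming a protocol ranks first, then the rule with the smaller source range, i.e. more zero bits in the wildcard; rules with equal keys keep their configuration order), time ranges made of periodic sections, and the two defaults for a packet that matches no rule (permit when the ACL is applied to hardware, deny when it is referenced for Telnet, SNMP or Web login control). The ACL numbers mirror the page's examples; the R&D subnet 10.1.1.0/24, the second login address and the packet contents are constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Added example (not 3Com code): wildcard matching, depth-first rule ordering, periodic time
# ranges and the two default actions. Subnets and packets below are constructed.

@dataclass
class PeriodicSection:
    start: str                  # "08:00"
    end: str                    # "18:00"
    days: tuple = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")    # default: daily

    def active(self, when):
        hhmm = when.strftime("%H:%M")
        return when.strftime("%a").lower() in self.days and self.start <= hhmm < self.end

@dataclass
class TimeRange:
    sections: list              # active when the time falls in any one periodic section

    def active(self, when):
        return any(s.active(when) for s in self.sections)

def wildcard_match(addr, rule_addr, wildcard):
    """Wildcard mask semantics: a 0 bit must match, a 1 bit is don't-care."""
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == r & care

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    source: tuple = None        # (address, wildcard); None matches any source
    protocol: str = None        # e.g. "tcp"; None matches any IP protocol
    dest_port: int = None
    time_range: TimeRange = None

def depth_first_key(rule):
    """Order from the text: protocol-specific rules first, then the smaller source range
    (more zero bits in the wildcard). sorted() is stable, so ties keep configuration order."""
    zeros = 32 - bin(int(ipaddress.IPv4Address(rule.source[1]))).count("1") if rule.source else 0
    return (0 if rule.protocol else 1, -zeros)

class Acl:
    def __init__(self, number, rules, match_order="config"):
        self.number = number
        self.rules = sorted(rules, key=depth_first_key) if match_order == "auto" else list(rules)

    def first_match(self, pkt, when):
        for rule in self.rules:
            if rule.time_range and not rule.time_range.active(when):
                continue
            if rule.source and not wildcard_match(pkt["src"], *rule.source):
                continue
            if rule.protocol and pkt.get("protocol") != rule.protocol:
                continue
            if rule.dest_port is not None and pkt.get("dport") != rule.dest_port:
                continue
            return rule.action
        return None

def packet_filter(acl, pkt, when):
    """ACL applied to hardware: a packet that matches no rule is permitted."""
    return acl.first_match(pkt, when) or "permit"

def login_control(acl, pkt, when):
    """ACL referenced by Telnet/SNMP/Web login control: no match means deny."""
    return acl.first_match(pkt, when) or "deny"

def scenario():
    """Constructed ACLs and packets; returns the decision of each case."""
    work_hours = TimeRange([PeriodicSection("08:00", "18:00")])
    # Advanced ACL like the R&D example: deny TCP/80 from the constructed R&D subnet in working hours
    acl3000 = Acl(3000, [Rule("deny", ("10.1.1.0", "0.0.0.255"), "tcp", 80, work_hours)])
    web = {"src": "10.1.1.7", "protocol": "tcp", "dport": 80}
    # Basic ACL like ACL 2001: a single source address may log in
    acl2001 = Acl(2001, [Rule("permit", ("10.110.100.52", "0.0.0.0"))])
    # The same three rules under config order and under auto (depth-first) order
    rules = [Rule("permit", ("10.0.0.0", "0.255.255.255")),
             Rule("deny", ("10.1.1.0", "0.0.0.255")),
             Rule("deny", protocol="tcp")]
    by_config, by_auto = Acl(3001, rules), Acl(3002, rules, match_order="auto")
    udp_pkt = {"src": "10.1.1.5", "protocol": "udp"}
    wed_10 = datetime(2024, 3, 6, 10, 0)
    return {"web_in_hours": packet_filter(acl3000, web, wed_10),
            "web_after_hours": packet_filter(acl3000, web, datetime(2024, 3, 6, 20, 0)),
            "login_allowed": login_control(acl2001, {"src": "10.110.100.52"}, wed_10),
            "login_other": login_control(acl2001, {"src": "10.110.100.53"}, wed_10),
            "config_order": packet_filter(by_config, udp_pkt, wed_10),
            "auto_order": packet_filter(by_auto, udp_pkt, wed_10),
            "auto_sequence": [(r.action, r.protocol) for r in by_auto.rules]}
```

The config/auto pair shows why the match order matters operationally: under configuration order the broad permit for 10.0.0.0/8 shadows the narrower deny for 10.1.1.0/24, while depth-first order evaluates the narrower rule first and the same packet is denied.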
Configuration Procedure
Table 1-2 Define a basic ACL rule
Operation: Enter system view
  Command: system-view
  Description: —
Operation: Create an ACL and enter basic ACL view
  Command: acl number acl-number [ match-order { auto | config } ]
  Description: Required. config by default
Operation: ...
  Command: rule [ rule-id ] { deny | permit }...
  Description: Required. For information about...
Advanced ACLs support analysis and processing of three packet priority levels: type of service (ToS) priority, IP priority and differentiated services codepoint (DSCP) priority. Using advanced ACLs, you can define classification rules that are more accurate, richer, and more flexible than those defined for basic ACLs.
Configuration Prerequisites
To configure a time range-based advanced ACL rule, you need to create the corresponding time ranges first.
Configuration Example
# Configure ACL 4000 to deny packets sourced from the MAC address 000d-88f5-97ed, and with their 802.1p priority being 3.
<Sysname> system-view
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule deny cos 3 source 000d-88f5-97ed ffff-ffff-ffff
# Display the configuration information of ACL 4000.
[Sysname-acl-ethernetframe-4000] display acl 4000
Ethernet frame ACL 4000, 1 rule...
Operation: Assign an ACL globally
  Command: packet-filter inbound acl-rule
  Description: Required. For description on the acl-rule argument, refer to ACL Command.
Configuration example
# Apply ACL 2000 globally to filter the inbound packets on all the ports.
<Sysname> system-view
[Sysname] packet-filter inbound ip-group 2000
Assigning an ACL to a VLAN
Configuration prerequisites
Before applying ACL rules to a VLAN, you need to define the related ACLs.
Configuration procedure
Table 1-7 Apply an ACL to a port
Operation: Enter system view
  Command: system-view
  Description: —
Operation: Enter Ethernet port view
  Command: interface interface-type interface-number
  Description: —
Operation: Apply an ACL to the port
  Command: packet-filter inbound acl-rule
  Description: Required. For description on the acl-rule argument, refer to ACL Command.
Example for Upper-layer Software Referencing ACLs
Example for Controlling Telnet Login Users by Source IP
Network requirements
Apply an ACL to permit users with the source IP address of 10.110.100.52 to telnet to the switch.
Network diagram
Figure 1-1 Network diagram for controlling Telnet login users by source IP (the switch connects to the Internet; the permitted host is 10.110.100.52)...
Configuration procedure
# Define ACL 2001.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule 1 permit source 10.110.100.46 0
[Sysname-acl-basic-2001] quit
# Reference ACL 2001 to control users logging in to the Web server.
[Sysname] ip http acl 2001

Example for Applying ACLs to Hardware
Basic ACL Configuration Example
Network requirements
PC 1 and PC 2 connect to the switch through Ethernet 1/0/1.
Advanced ACL Configuration Example
Network requirements
Different departments of an enterprise are interconnected through a switch. The R&D department is connected to Ethernet 1/0/1 of the switch. Apply an ACL to deny requests from the R&D department destined for the Internet (TCP packets with the destination port number of 80) during working hours (8:00 to 18:00).
Network diagram
Figure 1-5 Network diagram for Layer 2 ACL
Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 every day.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 daily
# Define ACL 4000 to filter packets with the source MAC address of 0011-0011-0011.
[Sysname] acl number 4000
[Sysname-acl-ethernetframe-4000] rule...
Table of Contents
1 QoS Configuration ... 1-1
  Overview ... 1-1
    Introduction to QoS ... 1-1
    Traditional Packet Forwarding Service ... 1-1
    New Applications and New Requirements ... 1-1
    Major Traffic Control Techniques ... 1-2
  QoS Supported by the 4210 Series Ethernet Switches ... 1-3
  Introduction to QoS Features ... 1-3
    Traffic Classification ... 1-3
    Priority Trust Mode ... 1-4
    Priority Marking ... 1-8
    Traffic Policing ... 1-8
  ...
QoS Configuration
Overview
Introduction to QoS
Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to meet customer needs. Generally, QoS does not focus on grading services precisely, but on improving services under certain conditions. In an internet, QoS refers to the ability of the network to forward packets.
traffic, and setting priority of the packets. To meet those requirements, the network should be provided with better service capability.
Major Traffic Control Techniques
Figure 1-1 End-to-end QoS model
Traffic classification, traffic policing, traffic shaping, congestion management, and congestion avoidance are the foundations for a network to provide differentiated services. They mainly implement the following functions:
QoS Supported by the 4210 Series Ethernet Switches
The 4210 series Ethernet switches support the QoS features listed in Table 1-1.
Table 1-1 QoS features supported by the 4210 series Ethernet switches
Category | Features | Refer to…
Traffic classification | Incoming traffic classification based on ACLs of the following types: ... | For detailed information about ACLs, refer to the ACL module in this manual.
Priority Trust Mode
Precedence types
IP precedence, ToS precedence, and DSCP precedence
Figure 1-2 DS field and ToS byte
The ToS field in an IP header contains eight bits numbered 0 through 7, among which:
  The first three bits indicate IP precedence in the range 0 to 7.
  Bit 3 to bit 6 indicate ToS precedence in the range of 0 to 15.
Best Effort (BE) class: This class is a special class without any assurance in the CS class. The AF class can be degraded to the BE class if it exceeds the limit. Current IP network traffic belongs to this class by default.
Table 1-3 Description on DSCP precedence values (columns: DSCP value (decimal), DSCP value (binary))
The 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two bytes in length), whose value is 0x8100, and the tag control information (TCI, two bytes in length). Figure 1-4 describes the detailed contents of an 802.1Q tag header.
Figure 1-4 802.1Q tag headers
In the figure above, the priority field (three bits in length) in TCI is the 802.1p priority (also known as CoS precedence), which ranges from 0 to 7.
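As an added example (not code from the 3Com manual), the following Python decodes the priority fields described above from a constructed 802.1Q-tagged IPv4 frame: the 802.1p priority (CoS) in the TCI, the three readings of the ToS byte (IP precedence, ToS precedence, DSCP), the DSCP class names (BE, CS, AF, plus the standard EF codepoint), and the two priority trust modes applied through the CoS-to-local-precedence map that this chapter's configuration example sets with `qos cos-local-precedence-map 0 0 1 1 2 2 3 3`. The destination MAC, IP addresses and the frame itself are constructed sample values; the source MAC is the one used in the ACL example.

```python
import struct

TPID_8021Q = 0x8100      # tag protocol identifier of an 802.1Q tag header
ETHERTYPE_IPV4 = 0x0800


def parse_tci(tci):
    """Split the 16-bit tag control information (TCI) of an 802.1Q header.

    Bits 15-13 carry the 802.1p priority (CoS), bit 12 the CFI and
    bits 11-0 the VLAN ID.
    """
    return {"cos": (tci >> 13) & 0x7, "cfi": (tci >> 12) & 0x1, "vlan_id": tci & 0x0FFF}


def parse_tos(tos):
    """Read the ToS byte the three ways the manual describes (bit 0 is the MSB).

    bits 0-2: IP precedence (0..7); bits 3-6: ToS precedence (0..15);
    bits 0-5: DSCP (0..63) when the byte is read as a DS field.
    """
    return {
        "ip_precedence": (tos >> 5) & 0x7,
        "tos_precedence": (tos >> 1) & 0xF,
        "dscp": (tos >> 2) & 0x3F,
    }


def dscp_class(dscp):
    """Name the standard DSCP class (BE, CS1-CS7, AF11-AF43, EF); anything else is 'unassigned'."""
    if dscp == 0:
        return "BE"            # CS0: the default class with no assurance
    if dscp == 46:
        return "EF"
    if dscp % 8 == 0:
        return "CS%d" % (dscp // 8)
    cls, drop = dscp >> 3, dscp & 0x7
    if 1 <= cls <= 4 and drop in (2, 4, 6):
        return "AF%d%d" % (cls, drop // 2)
    return "unassigned"


# CoS-to-local-precedence mapping from the chapter's configuration example
# (qos cos-local-precedence-map 0 0 1 1 2 2 3 3); index = CoS 0..7.
COS_LOCAL_PRECEDENCE_MAP = (0, 0, 1, 1, 2, 2, 3, 3)


def local_precedence(packet_cos, port_priority, trust_packet, cos_map=COS_LOCAL_PRECEDENCE_MAP):
    """Pick the output queue the way the two trust modes do.

    trust_packet=True models 'priority trust' (the frame's own 802.1p value is used);
    False models the default 'undo priority trust' (the port priority replaces it).
    """
    cos = packet_cos if trust_packet else port_priority
    return cos_map[cos]


def parse_tagged_frame(frame):
    """Return the priority-related fields of an 802.1Q-tagged IPv4 frame."""
    if len(frame) < 18 + 20:
        raise ValueError("frame too short for 802.1Q + IPv4 headers")
    dst, src, tpid, tci, ethertype = struct.unpack("!6s6sHHH", frame[:18])
    if tpid != TPID_8021Q:
        raise ValueError("untagged frame: no 802.1p priority to trust")
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: no ToS/DSCP field")
    tos = frame[18 + 1]                      # second byte of the IPv4 header
    result = {"src_mac": src.hex("-", 2), **parse_tci(tci), **parse_tos(tos)}
    result["dscp_class"] = dscp_class(result["dscp"])
    return result


def build_sample_frame(cos, vlan_id, dscp):
    """Constructed test frame (sample MACs/IPs; src MAC taken from the ACL example)."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("000d88f597ed")
    tci = (cos << 13) | vlan_id
    tos = dscp << 2
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 6, 0,
                     bytes([10, 1, 1, 10]), bytes([10, 1, 2, 10]))
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    frame = build_sample_frame(cos=3, vlan_id=2, dscp=56)
    print(parse_tagged_frame(frame))
```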
For incoming 802.1Q tagged packets, you can configure the switch to trust packet priority with the priority trust command or to trust port priority with the undo priority trust command. By default, the 4210 series switches trust port priority.
Trusting port priority
In this mode, the switch replaces the 802.1p priority of the received packet with the port priority, searches for the local precedence corresponding to the port priority of the receiving port in the 802.1p-to-local precedence mapping table, and assigns the local precedence to the packet.
(Table fragment: DSCP-to-local-precedence mapping, DSCP ranges 32 to 47 and 48 to 63; the local precedence column is not preserved.)
Priority Marking
The priority marking function reassigns priority for the traffic matching an ACL referenced for traffic classification. If 802.1p priority marking is configured, the traffic is mapped to the local precedence corresponding to the re-marked 802.1p priority and assigned to the output queue corresponding to that local precedence.
Figure 1-5 Evaluate the traffic with the token bucket
Evaluating the traffic with the token bucket
When a token bucket is used for traffic evaluation, the number of tokens in the bucket determines the amount of packets that can be forwarded. If the number of tokens in the bucket is enough to forward the packets, the traffic conforms to the specification;...
Port Rate Limiting Port rate limiting refers to limiting the total rate of inbound or outbound packets on a port. Port rate limiting can be implemented through token buckets. That is, if you perform port rate limiting configuration for a port, the token bucket determines the way to process the packets to be sent by this port or packets reaching the port.
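As an added example (not code from the manual), the following Python models the token bucket evaluation described above and applies it the way traffic policing and port rate limiting do: a packet that finds enough tokens conforms and is forwarded; one that does not is handled by the exceed action, either drop (which is how port rate limiting is modelled here) or a DSCP re-mark. The 128 kbps rate and the DSCP 56 re-mark are the values from this chapter's traffic policing example; the burst size and the packet trace are constructed sample values.

```python
class TokenBucket:
    """Single-rate token bucket as used for traffic policing and port rate limiting.

    Tokens are bytes: they are added continuously at `rate_kbps` and the bucket
    never holds more than `burst_bytes`. A packet conforms if enough tokens are
    present, in which case it consumes them.
    """

    def __init__(self, rate_kbps, burst_bytes):
        self.rate_bytes_per_s = rate_kbps * 1000 / 8.0
        self.capacity = float(burst_bytes)
        self.tokens = float(burst_bytes)   # the bucket starts full
        self.last_time = 0.0

    def evaluate(self, length, now):
        """Return True (conform) or False (exceed) for `length` bytes arriving at `now` seconds."""
        if now < self.last_time:
            raise ValueError("packet timestamps must be non-decreasing")
        refill = (now - self.last_time) * self.rate_bytes_per_s
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last_time = now
        if self.tokens >= length:
            self.tokens -= length
            return True
        return False


def police(packets, rate_kbps, burst_bytes, exceed_action):
    """Run a (timestamp, length, dscp) trace through one bucket and apply the exceed action.

    exceed_action is ("drop",) or ("remark-dscp", value). Returns a list of
    (verdict, dscp) pairs where verdict is "forward" or "drop".
    """
    bucket = TokenBucket(rate_kbps, burst_bytes)
    out = []
    for ts, length, dscp in packets:
        if bucket.evaluate(length, ts):
            out.append(("forward", dscp))            # conforming traffic passes untouched
        elif exceed_action[0] == "drop":
            out.append(("drop", dscp))               # exceeding traffic is discarded
        elif exceed_action[0] == "remark-dscp":
            out.append(("forward", exceed_action[1]))  # exceeding traffic is re-marked, not dropped
        else:
            raise ValueError("unknown exceed action: %r" % (exceed_action,))
    return out


# Constructed sample trace: five 1000-byte packets arrive together, two more 100 ms later.
SAMPLE_PACKETS = [(0.0, 1000, 0)] * 5 + [(0.1, 1000, 0), (0.1, 1000, 0)]

if __name__ == "__main__":
    # 128 kbps = 16000 bytes/s; a 4000-byte burst lets four packets through at once,
    # and 100 ms refills 1600 bytes, enough for exactly one more.
    print(police(SAMPLE_PACKETS, 128, 4000, ("remark-dscp", 56)))
    print(police(SAMPLE_PACKETS, 128, 4000, ("drop",)))
```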
service packets are sent preferentially, and non-critical service packets are sent only when there are no critical service packets to send. The disadvantage of SP queuing is that if packets stay in the higher-priority queues for a long time during congestion, the packets in the lower-priority queues are “starved” because they are never served.
Large amounts of broadcast/multicast packets and large bursts of traffic exist. Packets of high-rate links are forwarded to low-rate links, or packets of multiple links with equal rates are forwarded to a single link of the same rate as the incoming links. Although the burst function helps reduce the packet loss ratio and improve packet processing capability in the networks mentioned above, it may affect QoS performance.
Configuration procedure
You can configure the switch to trust port priority or packet priority. Table 1-9 shows the detailed configuration procedure.
Table 1-9 Configure priority trust mode
Operation | Command | Description
Enter system view | system-view | —
Configure to trust port priority | undo priority trust | Optional. By default, the 4210 series switches trust port priority.
# Configure to trust the DSCP precedence of the received packets.
<Sysname> system-view
[Sysname] priority trust
[Sysname] priority-trust dscp
# Configure to trust the 802.1p priority of the received packets.
Approach I:
<Sysname> system-view
[Sysname] priority trust
Approach II:
<Sysname> system-view
[Sysname] priority-trust cos

Configuring Priority Mapping
You can modify the CoS-precedence-to-local-precedence and DSCP-precedence-to-local-precedence...
[Sysname] qos cos-local-precedence-map 0 0 1 1 2 2 3 3
[Sysname] display qos cos-local-precedence-map
cos-local-precedence-map:
cos(802.1p) : local precedence(queue) :

Marking Packet Priority
Refer to section Priority Marking for information about marking packet priority. Marking packet priority can be implemented in the following two ways:
Through traffic policing
When configuring traffic policing, you can define the action of marking the 802.1p priority and DSCP precedence for packets exceeding the traffic specification.
Table 1-13 Mark the priority for packets that are of a VLAN and match specific ACL rules
Operation | Command | Description
Enter system view | system-view | —
Mark the priorities for packets matching specific ACL rules | traffic-priority vlan vlan-id inbound acl-rule { dscp dscp-value | cos cos-value | local-precedence ... | Required...
Configuration prerequisites
  The ACL rules used for traffic classification are defined. Refer to the ACL module of this manual for information about defining ACL rules.
  The rate limit for traffic policing, and the actions for the packets exceeding the rate limit, are determined.
Traffic policing configured on a VLAN is only applicable to packets tagged with an 802.1Q header.
Configuration example
  Ethernet 1/0/1 belongs to VLAN 2 and is connected to the 10.1.1.0/24 network segment.
  Perform traffic policing on the packets from the 10.1.1.0/24 network segment, setting the rate to 128 kbps.
  Mark the DSCP precedence as 56 for the inbound packets exceeding the rate limit.
Configuration example
Configure port rate limiting for inbound packets on Ethernet 1/0/1. The rate limit is 1,024 Kbps.
Configuration procedure:
<Sysname> system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] line-rate inbound 1024

Configuring Traffic Redirecting
Refer to section Traffic Redirecting for information about traffic redirecting.
Configuration prerequisites
The ACL rules used for traffic classification are defined.
  The traffic redirecting function configured on a VLAN is only applicable to packets tagged with an 802.1Q header.
  Packets redirected to the CPU are not forwarded.
  If the traffic is redirected to a Combo port in down state, the system automatically redirects the traffic to the port corresponding to the Combo port in up state.
Configuration example
# Adopt the WRR queue scheduling algorithm, with the weights for queue 0, queue 1, queue 2, and queue 3 being 12, 8, 4, and 1. Display the configuration information after configuration.
Configuration procedure:
<Sysname> system-view
[Sysname] queue-scheduler wrr 12 8 4 1
[Sysname] display queue-scheduler
Queue scheduling mode: weighted round robin
weight of queue 0: 12...
Table 1-25 Generate traffic statistics on packets passing a port and matching specific ACL rules
Operation | Command | Description
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Generate the statistics on the packets matching specific ACL rules | traffic-statistic inbound acl-rule | Required
Clear the statistics on the packets matching...
Configuration procedure
Table 1-26 Enable the burst function
Operation | Command | Description
Enter system view | system-view | —
Enable the burst function | burst-mode enable | Required. By default, the burst function is disabled.
Configuration example
Enable the burst function.
Configuration procedure:
<Sysname> system-view
[Sysname] burst-mode enable

Configuring Traffic Mirroring
Refer to section...
Operation | Command | Description
... destination port | ... interface-number | (row truncated)
Define the current port as the destination port | monitor-port | Required
Exit current view | quit | —
Reference ACLs for identifying traffic flows and perform traffic mirroring for packets that match | mirrored-to vlan vlan-id inbound acl-rule { cpu | ... | Required
[Sysname-Ethernet1/0/1] mirrored-to inbound ip-group 2000 monitor-interface
Method II: configure traffic mirroring for VLAN 2
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.1.1.0 0.0.0.255
[Sysname-acl-basic-2000] quit
[Sysname] interface Ethernet 1/0/4
[Sysname-Ethernet1/0/4] monitor-port
[Sysname-Ethernet1/0/4] quit
[Sysname] mirrored-to vlan 2 inbound ip-group 2000 monitor-interface

Displaying QoS
After the above configuration, you can execute the display command in any view to view the running status of QoS and verify the configuration.
Operation | Command | Description
Display the configuration of traffic mirroring, traffic policing, priority marking, traffic redirecting, or traffic accounting performed for packets of a VLAN | display qos-vlan [ vlan-id ] { all | mirrored-to | traffic-limit | traffic-priority | traffic-redirect | traffic-statistic } |

QoS Configuration Example
Configuration Example of Traffic Policing...
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 192.168.2.0 0.0.0.255
[Sysname-acl-basic-2001] quit
Configure traffic policing
# Set the maximum rate of outbound IP packets sourced from the R&D department to 128 kbps.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] traffic-limit inbound ip-group 2000 128 exceed drop
# Set the maximum rate of outbound IP packets sourced from the marketing department to 64 kbps.
QoS Profile Configuration
Overview
Introduction to QoS Profile
A QoS profile is a set of QoS configurations. It provides an easy way to perform and manage QoS configuration. A QoS profile can contain one or multiple QoS actions. In networks where hosts change their positions frequently, you can define QoS policies for the specific hosts and add the QoS policies to a QoS profile.
Manual application mode
You can use the apply command to manually apply a QoS profile to a port.
QoS Profile Configuration
Table 2-1 QoS profile configuration tasks
Operation | Description | Related section
Configure a QoS profile | Required | Section Configuring a QoS Profile
Configure to apply a QoS profile | Optional | Section...
Configuration prerequisites
To apply a QoS profile dynamically, make sure 802.1x is enabled both globally and on the port, and that the authentication mode is determined. For information about 802.1x, refer to the 802.1x and System Guard module of this manual. To apply a QoS profile manually, make sure the port to which the QoS profile is to be applied is determined.
Operation | Command | Description
(table continues) ... configuration profile-name | interface interface-type interface-number | user user-name } |

Configuration Example
QoS Profile Configuration Example
Network requirements
All departments of a company are interconnected through a switch. The 802.1x protocol is used to authenticate users and control their access to network resources. The user name is someone and the authentication password is hello.
# Set the encryption passwords for the switch to exchange packets with the authentication RADIUS servers and accounting RADIUS servers.
[Sysname-radius-radius1] key authentication money
[Sysname-radius-radius1] key accounting money
# Configure the switch to delete the user domain name from the user name and then send the user name to the RADIUS server.
Table of Contents
1 Mirroring Configuration ... 1-1
  Mirroring Overview ... 1-1
    Local Port Mirroring ... 1-1
    Remote Port Mirroring ... 1-1
  Mirroring Configuration ... 1-3
    Configuring Local Port Mirroring ... 1-3
    Configuring Remote Port Mirroring ... 1-4
    Displaying Port Mirroring ... 1-7
  Mirroring Configuration Example ... 1-7
    Local Port Mirroring Configuration Example ... 1-7
    Remote Port Mirroring Configuration Example ... 1-8
  ...
Figure 1-1 A port mirroring implementation
3Com Switch 4210 series switches support two kinds of port mirroring: local port mirroring and remote port mirroring.
  Local port mirroring: a device copies packets passing through one or more source ports of the device to the destination port.
To implement remote port mirroring, a special VLAN, called remote-probe VLAN, is needed. All mirrored packets are sent from the reflector port of the source switch to the monitor port (destination port) of the destination switch through the remote-probe VLAN, so as to implement the monitoring of packets received on and sent from the source switch on the destination switch.
Switch | Ports involved | Function
Destination switch | Trunk port | Receives remote mirrored packets.
Destination switch | Destination port | Receives packets forwarded from the trunk port and transmits the packets to the data detection device.
Do not configure a default VLAN, a management VLAN, or a dynamic VLAN as the remote-probe VLAN.
The destination port cannot be a member port of an aggregation group or a port enabled with LACP or STP.
Configuring Remote Port Mirroring
3Com Switch 4210 series switches can serve as a source switch, an intermediate switch, or a destination switch in a remote port mirroring networking environment.
Configuration on a switch acting as a source switch
Configuration prerequisites
The source port, the reflector port, and the remote-probe VLAN are determined.
Operation | Command | Description
Configure the current VLAN as the remote-probe VLAN | remote-probe vlan enable | Required
Return to system view | quit | —
Enter the view of the Ethernet port that connects to the intermediate switch or destination switch | interface interface-type interface-number | —
Configure the current port as ... | port link-type trunk... | Required
Table 1-5 Configuration on the intermediate switch
Operation | Command | Description
Enter system view | system-view | —
Create a VLAN and enter VLAN view | vlan vlan-id | vlan-id is the ID of the remote-probe VLAN.
Configure the current VLAN as the remote-probe VLAN | remote-probe vlan enable | Required
Return to system view | ...
Local Port Mirroring Configuration Example
Network requirements
The departments of a company connect to each other through 3Com 4210 switches:
  The Research and Development (R&D) department is connected to Switch C through Ethernet 1/0/1.
  The Marketing department is connected to Switch C through Ethernet 1/0/2.
Remote Port Mirroring Configuration Example
Network requirements
The departments of a company connect to each other through 3Com 4210 switches:
  Switch A, Switch B, and Switch C are 3Com 4210 series switches.
  Department 1 is connected to Ethernet 1/0/1 of Switch A.
The administrator wants to monitor the packets sent from Department 1 and 2 through the data detection device. Use the remote port mirroring function to meet the requirement. Perform the following configurations:
  Use Switch A as the source switch, Switch B as the intermediate switch, and Switch C as the destination switch.
[Sysname-Ethernet1/0/3] port link-type trunk
[Sysname-Ethernet1/0/3] port trunk permit vlan 10
[Sysname-Ethernet1/0/3] quit
# Display configuration information about remote source mirroring group 1.
[Sysname] display mirroring-group 1
mirroring-group 1:
type: remote-source
status: active
mirroring port:
Ethernet1/0/1 inbound
Ethernet1/0/2 inbound
reflector port: Ethernet1/0/4
remote-probe vlan: 10
Configure the intermediate switch (Switch B)
# Configure VLAN 10 as the remote-probe VLAN.
# Display configuration information about remote destination mirroring group 1.
[Sysname] display mirroring-group 1
mirroring-group 1:
type: remote-destination
status: active
monitor port: Ethernet1/0/2
remote-probe vlan: 10
After the configurations, you can monitor all packets sent from Department 1 and 2 on the data detection device.
Table of Contents
1 Cluster ... 1-1
  Cluster Overview ... 1-1
    Introduction to HGMP ... 1-1
    Roles in a Cluster ... 1-2
    How a Cluster Works ... 1-3
  Cluster Configuration Tasks ... 1-8
    Configuring the Management Device ... 1-9
    Configuring Member Devices ... 1-13
    Managing a Cluster through the Management Device ... 1-15
    Configuring the Enhanced Cluster Features ... 1-16
    Configuring the Cluster Synchronization Function ... 1-18
  Displaying and Maintaining Cluster Configuration ... 1-22
  ...
Cluster
Cluster Overview
Introduction to HGMP
A cluster contains a group of switches. Through cluster management, you can manage multiple geographically dispersed switches in a centralized way. Cluster management is implemented through the Huawei group management protocol (HGMP). HGMP version 2 (HGMPv2) is used at present. A switch in a cluster plays one of the following three roles:
  Management device
  Member device...
you can configure and manage all the member devices through the management device without the need to log on to them one by one.
  It provides the topology discovery and display function, which assists in monitoring and maintaining the network.
  It allows you to configure and upgrade multiple switches at the same time.
  It enables you to manage your remote devices conveniently regardless of network topology and physical distance.
Figure 1-2 State machine of cluster role
A candidate device becomes a management device when you create a cluster on it. Note that a cluster must have one (and only one) management device. On becoming a management device, the device collects network topology information and tries to discover and determine candidate devices, which can then be added to the cluster through configurations.
The management device adds the candidate devices to the cluster or removes member devices from the cluster according to the candidate device information collected through NTDP.
Introduction to NDP
NDP is a protocol used to discover adjacent devices and provide information about them. NDP operates on the data link layer, and therefore it supports different network layer protocols.
device busy processing the NTDP topology collection responses. To avoid such cases, the following methods can be used to control the advertisement speed of NTDP topology collection requests:
  Configuring the devices not to forward an NTDP topology collection request immediately after they receive it.
To create a cluster, you need to determine the device to operate as the management device first. The management device discovers and determines candidate devices through NDP and NTDP, and adds them to the cluster. You can also add candidate devices to a cluster manually. After a candidate device is added to a cluster, the management device assigns a member number and a private IP address (used for cluster management) to it.
Additionally, on the management device, you can configure the FTP server, TFTP server, logging host and SNMP host to be shared by the whole cluster. When a member device in the cluster communicates with an external server, the member device first transmits data to the management device, which then forwards the data to the external server.
Determine whether the destination MAC address or destination IP address is used to trace a device in the cluster If you use the tracemac command to trace the device by its MAC address, the switch will query its MAC address table according to the MAC address and VLAN ID in the command to find out the port connected with the downstream switch.
Configuration task | Remarks
Configuring the Cluster Synchronization Function | Optional

Configuring the Management Device
Management device configuration tasks
Complete the following tasks to configure the management device:
Task | Remarks
Enabling NDP globally and on specific ports | Required
Configuring NDP-related parameters | Optional
Enabling NTDP globally and on a specific port | Required
Configuring NTDP-related parameters | Optional
...
Operation | Command | Description
Enter Ethernet port view | interface interface-type interface-number | (description only partially preserved: "... specified ... Ethernet ports ... enabled on a port.")
Enable NDP on the port | ndp enable |

Configuring NDP-related parameters
Follow these steps to configure NDP-related parameters:
Operation | Command | Description
Enter system view | system-view | —
...
Operation | Command | Description
Configure the port forward delay of topology collection requests | ntdp timer port-delay time | Optional. By default, the port forward delay is 20 ms.
Configure the interval to collect topology information periodically | ntdp timer interval-in-minutes | Optional. By default, the topology collection interval is one minute.
Operation | Command | Description
Set the interval for the management device to send multicast packets | cluster-mac syn-interval time-interval | Optional. By default, the interval to send multicast packets is one minute.
Set the holdtime of member switches | holdtime seconds | Optional. By default, the holdtime is 60 seconds.
Operation | Command | Description
Configure a shared TFTP server for the cluster | tftp-server ip-address | Optional. By default, no shared TFTP server is configured.
Configure a shared logging host for the cluster | logging-host ip-address | Optional. By default, no shared logging host is configured.
Configure a shared SNMP host | snmp-host ip-address | ...
To reduce the risk of attacks by malicious users against open sockets and to enhance switch security, the Switch 4210 series Ethernet switches provide the following functions, so that the cluster socket is open only when it is needed:
  UDP port 40000 (used for the cluster) is opened only when the cluster function is enabled.
  UDP port 40000 is closed at the same time the cluster function is disabled.
Operation | Command | Description
Enter Ethernet port view | interface interface-type interface-number | —
Enable NTDP on the port | ntdp enable | Required

Enabling the cluster function
Follow these steps to enable the cluster function:
Operation | Command | Description
Enter system view | system-view | —
Enable the cluster function | cluster enable | Optional. By default, the cluster function...
Operation | Command | Description
Enter system view | system-view | —
Enter cluster view | cluster | —
Configure the MAC address of the management device | administrator-address mac-address name name | Optional
Add a candidate device to the cluster | add-member [ member-number ] mac-address H-H-H [ password password ] | Optional
Remove a member device from the cluster | delete-member ... | Optional...
The topology information is saved as a topology.top file in the Flash memory of the management device. You cannot specify the file name manually.
Cluster device blacklist function
To ensure the stability and security of the cluster, you can use the blacklist to restrict the devices that may be added to the cluster.
Operation | Command | Description
Display the topology of the current cluster | display cluster current-topology [ mac-address mac-address1 [ to-mac-address mac-address2 ] | member-id member-id1 [ to-member-id member-id2 ] ] | (The display command can) be executed in any view.
Display the information about the base topology of the cluster | display cluster base-topology [ mac-address mac-address | member member-id ] | ...
SNMP configuration synchronization With this function, you can configure the public SNMP community name, SNMP group, SNMP users and MIB views. These configurations will be synchronized to the member devices of the cluster automatically, which not only simplifies the configurations on the member devices, but also enables the network management station (NMS) to access any member device of the cluster conveniently.
Perform the above operations on the management device of the cluster. Configuring the public SNMP information is equivalent to executing these configurations on both the management device and the member devices (refer to the SNMP-RMON Operation part in this manual), and these configurations will be saved to the configuration files of the management device and the member devices.
Member 2 succeeded in the usm-user configuration.
Member 1 succeeded in the usm-user configuration.
Finish to synchronize the command.
# After the above configuration, you can see that the public SNMP configurations for the cluster are saved to the management device and member devices by viewing the configuration files.
Configuration file content on the management device (only the SNMP-related information is displayed)
[test_0.Sysname-cluster] display current-configuration...
A cluster is established, and you can manage the member devices through the management device.
Configuration procedure
Perform the following operations on the management device to synchronize local user configurations:
To do… | Use the command… | Remarks
Enter system view | system-view | —
...
Operation | Command | Description
Clear the statistics on NDP ports | reset ndp statistics [ interface port-list ] | You can execute the reset command in user view.
When you display the cluster topology information, the devices attached to the switch that is listed in the blacklist will not be displayed.
Network diagram
Figure 1-4 Network diagram for HGMP cluster configuration (figure labels: SNMP host/logging host 69.172.55.4/24; FTP server/TFTP server 63.172.55.1/24; Management Switch with Vlan-int2 163.172.55.1/24, Eth1/0/1 towards the network, Eth1/0/2 and Eth1/0/3 towards the cluster; Member Switch MAC 000f.e001.0011 and Member Switch MAC 000f.e001.0012, each attached via Eth1/0/1)
Configuration procedure
Configure the member devices (taking one member as an example)
# Enable NDP globally and on Ethernet1/0/1.
# Set the holdtime of NDP information to 200 seconds.
[Sysname] ndp timer aging 200
# Set the interval to send NDP packets to 70 seconds.
[Sysname] ndp timer hello 70
# Enable NTDP globally and on Ethernet 1/0/2 and Ethernet 1/0/3.
[Sysname] ntdp enable
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] ntdp enable...
[aaa_0.Sysname-cluster] tftp-server 63.172.55.1 [aaa_0.Sysname-cluster] logging-host 69.172.55.4 [aaa_0.Sysname-cluster] snmp-host 69.172.55.4 Perform the following operations on the member devices (taking one member as an example) After adding the devices under the management device to the cluster, perform the following operations on a member device. # Connect the member device to the remote shared FTP server of the cluster.
Network diagram Figure 1-5 Network diagram for the enhanced cluster feature configuration Configuration procedure # Enter cluster view. <aaa_0.Sysname> system-view [aaa_0.Sysname] cluster # Add the MAC address 0001-2034-a0e5 to the cluster blacklist. [aaa_0.Sysname-cluster] black-list add-mac 0001-2034-a0e5 # Back up the current topology. [aaa_0.Sysname-cluster] topology accept all save-to local-flash...
Table of Contents 1 PoE Configuration ·····································································································································1-1 PoE Overview ·········································································································································1-1 Introduction to PoE ··························································································································1-1 PoE Features Supported by Switch 4210 ·······················································································1-1 PoE Configuration ···································································································································1-3 PoE Configuration Tasks·················································································································1-3 Enabling the PoE Feature on a Port································································································1-3 Setting the Maximum Output Power on a Port················································································1-4 Setting PoE Management Mode and PoE Priority of a Port····························································1-4 Setting the PoE Mode on a Port······································································································1-5 Configuring the PD Compatibility Detection Function ·····································································1-5...
PoE Configuration PoE Overview Introduction to PoE Power over Ethernet (PoE)-enabled devices use twisted pairs through electrical ports to supply power to the remote powered devices (PD) in the network and implement power supply and data transmission simultaneously. Advantages of PoE Reliability: The centralized power supply provides backup convenience, unified management, and safety.
The table lists, for each switch, the input power supply, the number of electrical ports supplying power, the maximum power provided by each electrical port, the maximum PoE output power, and the maximum power supply distance:
Switch 4210 PWR 18-Port: AC input 135 W; DC input 400 W.
Switch 4210 PWR 26-Port: AC input 370 W.
A PoE-enabled Switch 4210 has the following features:...
When you use the PoE-enabled Switch 4210 to supply power, the PDs need no external power supply. If a remote PD has an external power supply, the PoE-enabled Switch 4210 and the external power supply back up each other for the PD. Only the 100 Mbps Ethernet electrical ports of the PoE-enabled Switch 4210 support the PoE feature.
By default, the PoE function on a port is enabled by the default configuration file config.def when the device is delivered. If you delete the default configuration file without specifying another one, the PoE function on a port will be disabled after you restart the device. Setting the Maximum Output Power on a Port The maximum power that can be supplied by each Ethernet electrical port of a PoE-enabled Switch 4210 to its PD is 15,400 mW.
Operation: Set the PoE management mode for the switch. Command: poe power-management { auto | manual }. Description: Required; auto by default.
Operation: Enter Ethernet port view. Command: interface interface-type interface-number. Description: —
Operation: Set the PoE priority of a port. Command: poe priority { critical | high | low }. Description: Required; low by default.
Configuring PoE Over-Temperature Protection on the Switch If this function is enabled, the switch disables the PoE feature on all ports when its internal temperature exceeds 65°C (149°F) for self-protection, and restores the PoE feature settings on all its ports when the temperature drops below 60°C (140°F).
In the case that the PSE processing software is damaged (that is, no PoE command can be executed successfully), use the full update mode to upgrade and thus restore the software. The refresh update mode is to upgrade the original processing software in the PSE through refreshing the software, while the full update mode is to delete the original processing software in PSE completely and then reload the software.
Networking diagram Figure 1-1 Network diagram for PoE (Switch A, with ports Eth1/0/1, Eth1/0/2 and Eth1/0/8, connected to the network and to Switch B) Configuration procedure # Upgrade the PSE processing software online. <SwitchA> system-view [SwitchA] poe update refresh 0290_021.s19 # Enable the PoE feature on Ethernet 1/0/1, and set the PoE maximum output power of Ethernet 1/0/1 to 12,000 mW.
PoE Profile Configuration Introduction to PoE Profile On a large-sized network or a network with mobile users, to help network administrators monitor the PoE features of the switch, the Switch 4210 provides the PoE profile feature. A PoE profile is a set of PoE configurations, including multiple PoE features.
Operation: Apply an existing PoE profile to the specified Ethernet port(s). Use either approach:
In system view: apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ]
In Ethernet port view: enter the view with interface interface-type interface-number, then apply the existing profile with apply poe-profile...
Ethernet 1/0/1 through Ethernet 1/0/10 of Switch A are used by users of group A, who have the following requirements: The PoE function can be enabled on all ports in use. Signal mode is used to supply power. The PoE priority for Ethernet 1/0/1 through Ethernet 1/0/5 is Critical, whereas the PoE priority for Ethernet 1/0/6 through Ethernet 1/0/10 is High.
# Display detailed configuration information for Profile1. [SwitchA] display poe-profile name Profile1 Poe-profile: Profile1, 3 action poe enable poe max-power 3000 poe priority critical # Create Profile2, and enter PoE profile view. [SwitchA] poe-profile Profile2 # In Profile2, add the PoE policy configuration applicable to Ethernet 1/0/6 through Ethernet 1/0/10 ports for users of group A.
SNMP Configuration SNMP Overview The simple network management protocol (SNMP) is used to ensure the transmission of management information between any two network nodes. In this way, network administrators can easily retrieve and modify the information about any node on the network. In the meantime, they can locate faults promptly and perform fault diagnosis, capacity planning and report generation.
Operation: Set system information, and specify to enable SNMPv1 or SNMPv2c on the switch. Command: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } }. Description: By default, the contact information for system maintenance is "3Com Corporation.", and the system location is "...
Operation: Set system information and specify to enable SNMPv3 on the switch. Command: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } }. Description: By default, the contact information for system maintenance is "3Com Corporation.", and the system location is "...
Operation: Add a user to an SNMP group. Command: snmp-agent usm-user v3 user-name group-name [ cipher ] [ authentication-mode { md5 | sha } auth-password [ privacy-mode { des56 | aes128 } priv-password ] ] [ acl acl-number ]. Description: Required.
Operation: Set the maximum size of an SNMP packet for... Description: Optional.
Use the display logbuffer command to view the log of the get and set operations requested by the NMS. Displaying SNMP After the above configuration, you can execute the display command in any view to view the running status of SNMP, and to verify the configuration. Table 1-6 Display SNMP Operation Command...
Network diagram Figure 1-2 Network diagram for SNMP configuration Network procedure # Enable SNMP agent, and set the SNMPv1 and SNMPv2c community names. <Sysname> system-view [Sysname] snmp-agent [Sysname] snmp-agent sys-info version all [Sysname] snmp-agent community read public [Sysname] snmp-agent community write private # Set the access right of the NMS to the MIB of the SNMP agent.
[Sysname] snmp-agent target-host trap address udp-domain 10.10.10.1 udp-port 5000 params securityname public Configuring the NMS You can query and configure an Ethernet switch through the NMS. For more information, refer to the corresponding manuals of NMS products. Authentication-related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully.
RMON Configuration Introduction to RMON Remote monitoring (RMON) is a kind of management information base (MIB) defined by Internet Engineering Task Force (IETF). It is an important enhancement made to MIB II standards. RMON is mainly used to monitor the data traffic across a network segment or even the entire network, and is currently a commonly used network management standard.
Commonly Used RMON Groups Event group Event group is used to define the indexes of events and the processing methods of the events. The events defined in an event group are mainly used by entries in the alarm group and extended alarm group to trigger alarms.
The statistics include the number of the following items: collisions, packets with cyclic redundancy check (CRC) errors, undersize (or oversize) packets, broadcast packets, multicast packets, and received bytes and packets. With the RMON statistics management function, you can monitor the use of a port and collect statistics on the errors that occur while the ports are in use.
Displaying RMON After the above configuration, you can execute the display command in any view to display the RMON running status, and to verify the configuration. Table 2-2 Display RMON
Operation: Display RMON statistics. Command: display rmon statistics [ interface-type interface-number | unit unit-number ]
Operation: Display RMON history. Command: display rmon history [ interface-type...
# Add an entry numbered 2 to the extended alarm table so that the system calculates the alarm variable with the formula (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1), which gives the total number of oversize and undersize packets in correct data format received by Ethernet 1/0/1, and samples it every 10 seconds.
Table of Contents 1 NTP Configuration ·····································································································································1-1 Introduction to NTP ·································································································································1-1 Applications of NTP ·························································································································1-1 Implementation Principle of NTP·····································································································1-2 NTP Implementation Modes············································································································1-3 NTP Configuration Tasks ························································································································1-5 Configuring NTP Implementation Modes ································································································1-5 Configuring NTP Server/Client Mode ······························································································1-6 Configuring the NTP Symmetric Peer Mode ···················································································1-6 Configuring NTP Broadcast Mode···································································································1-7 Configuring NTP Multicast Mode·····································································································1-8 Configuring Access Control Right ···········································································································1-9...
NTP Configuration Introduction to NTP Network time protocol (NTP) is a time synchronization protocol defined in RFC 1305. It is used for time synchronization between a set of distributed time servers and clients. Carried over UDP, NTP transmits packets through UDP port 123. NTP is intended for time synchronization between all devices that have clocks in a network so that the clocks of all devices can keep consistent.
The clock stratum determines the accuracy, which ranges from 1 to 16. The stratum of a reference clock ranges from 1 to 15. The clock accuracy decreases as the stratum number increases. A stratum 16 clock is in the unsynchronized state and cannot serve as a reference clock. The local clock of a Switch 4210 cannot be set as a reference clock.
When the message arrives at Device B, Device B inserts its own timestamp 11:00:01 am (T2) into the packet. When the NTP message leaves Device B, Device B inserts its own timestamp 11:00:02 am (T3) into the packet. When receiving the response packet, the local time of Device A is 10:00:03 am (T4). At this time, Device A has enough information to calculate the following two parameters: Delay for an NTP message to make a round trip between Device A and Device B: Delay = (T...
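As an added worked example (not from the 3Com manual), the delay and offset computation for the exchange above in Python, using the standard RFC 1305 formulas; T1, the time at which Device A sent the request according to its own clock, is not shown on this page and is assumed here to be 10:00:00 am:

```python
from datetime import datetime, timedelta

# Constructed timestamps for the exchange described above. T2, T3 and T4 are
# the values given in the text; T1 is assumed (not shown on this page).
T1 = "10:00:00 AM"  # assumed: Device A sends the request (Device A clock)
T2 = "11:00:01 AM"  # Device B receives the request (Device B clock)
T3 = "11:00:02 AM"  # Device B sends the reply (Device B clock)
T4 = "10:00:03 AM"  # Device A receives the reply (Device A clock)


def parse_clock(text):
    """Parse a wall-clock time such as '11:00:01 AM' into a datetime."""
    return datetime.strptime(text, "%I:%M:%S %p")


def delay_and_offset(t1, t2, t3, t4):
    """Return (round-trip delay, clock offset) in seconds from the four NTP
    timestamps, using the RFC 1305 formulas:
        delay  = (T4 - T1) - (T3 - T2)
        offset = ((T2 - T1) + (T3 - T4)) / 2
    The time the message spent inside Device B (T3 - T2) is subtracted because
    it is not network delay. A negative delay means the timestamps are not a
    consistent request/reply pair and the sample must be discarded."""
    t1, t2, t3, t4 = (parse_clock(t) if isinstance(t, str) else t
                      for t in (t1, t2, t3, t4))
    delay = (t4 - t1) - (t3 - t2)
    if delay < timedelta(0):
        raise ValueError("negative round-trip delay: inconsistent timestamps")
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return delay.total_seconds(), offset.total_seconds()


def corrected_local_time(t4, offset_seconds):
    """Device A's local time (T4) after applying the computed offset, i.e. the
    clock value Device A would set itself to in order to match Device B."""
    t4 = parse_clock(t4) if isinstance(t4, str) else t4
    return (t4 + timedelta(seconds=offset_seconds)).strftime("%I:%M:%S %p")


if __name__ == "__main__":
    delay, offset = delay_and_offset(T1, T2, T3, T4)
    print("delay = %.0f s, offset = %.0f s" % (delay, offset))  # delay = 2 s, offset = 3600 s
    print("corrected local time:", corrected_local_time(T4, offset))  # 11:00:03 AM
```

With these values Device A's clock is found to be exactly one hour behind Device B's, while the network round trip accounts for only two seconds.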
In the symmetric peer mode, the local Switch 4210 serves as the symmetric-active peer and sends a clock synchronization request first, while the remote server serves as the symmetric-passive peer automatically. If both peers have reference clocks, the one with the smaller stratum number is adopted. Broadcast mode Figure 1-4 Broadcast mode Multicast mode...
NTP implementation mode: Multicast mode. Configuration on Switch 4210: Configure the local Switch 4210 to work in NTP multicast server mode. In this mode, the local switch sends multicast NTP messages through the VLAN interface configured on the switch. Alternatively, configure the local Switch 4210 to work in NTP multicast client mode.
UDP port 123 is opened only when the NTP feature is enabled. UDP port 123 is closed as the NTP feature is disabled. These functions are implemented as follows: Execution of one of the ntp-service unicast-server, ntp-service unicast-peer, ntp-service broadcast-client, ntp-service broadcast-server, ntp-service multicast-client, and ntp-service multicast-server commands enables the NTP feature and opens UDP port 123 at the same time.
Table 1-4 Configure a symmetric-active switch
Operation: Enter system view. Command: system-view. Description: —
Operation: Specify a symmetric-passive peer for the switch. Command: ntp-service unicast-peer { remote-ip | peer-name } [ authentication-keyid key-id | priority | source-interface Vlan-interface vlan-id | version. Description: Required. By default, a switch is not configured to work in the symmetric mode.
Configuring a switch to work in the NTP broadcast server mode Table 1-5 Configure a switch to work in the NTP broadcast server mode
Operation: Enter system view. Command: system-view. Description: —
Operation: Enter VLAN interface view. Command: interface Vlan-interface vlan-id. Description: —
Operation: Configure the switch to work in the NTP broadcast server mode. Command: ntp-service broadcast-server. Description: Required...
A multicast server can synchronize multicast clients only after its clock has been synchronized. A Switch 4210 working in the multicast server mode supports up to 1,024 multicast clients. Configuring a switch to work in the multicast server mode Table 1-7 Configure a switch to work in the NTP multicast server mode Operation Command Description...
From the highest NTP service access-control right to the lowest one are peer, server, synchronization, and query. When a device receives an NTP request, it will perform an access-control right match in this order and use the first matched right. Configuration Prerequisites Prior to configuring the NTP service access-control right to the local switch for peer devices, you need to create and configure an ACL associated with the access-control right.
Configuration Prerequisites NTP authentication configuration involves: configuring NTP authentication on the client, and configuring NTP authentication on the server. Observe the following principles when configuring NTP authentication: If the NTP authentication function is not enabled on the client, the clock of the client can be synchronized to a server no matter whether the NTP authentication function is enabled on the server (assuming that other related configurations are properly performed).
NTP authentication requires that the authentication keys configured for the server and the client be the same. Besides, the authentication keys must be trusted keys. Otherwise, the clock of the client cannot be synchronized with that of the server. Configuring NTP authentication on the server Table 1-12 Configure NTP authentication on the server Operation Command...
Configuring Optional NTP Parameters Table 1-13 Optional NTP parameters configuration tasks
Task: Configuring an Interface on the Local Switch to Send NTP messages. Remarks: Optional.
Task: Configuring the Number of Dynamic Sessions Allowed on the Local Switch. Remarks: Optional.
Task: Disabling an Interface from Receiving NTP messages. Remarks: Optional.
Configuring an Interface on the Local Switch to Send NTP messages Table 1-14 Configure an interface on the local switch to send NTP messages...
Operation: Configure the maximum number of dynamic sessions that can be established on the local switch. Command: ntp-service max-dynamic-sessions number. Description: Required. By default, up to 100 dynamic sessions can be established locally.
Disabling an Interface from Receiving NTP messages Table 1-16 Disable an interface from receiving NTP messages Operation Command...
Network diagram Figure 1-6 Network diagram for the NTP server/client mode configuration Configuration procedure Perform the following configurations on Device B. # View the NTP status of Device B before synchronization. <DeviceB> display ntp-service status Clock status: unsynchronized Clock stratum: 16 Reference clock ID: none Nominal frequency: 100.0000 Hz Actual frequency: 100.0000 Hz...
source reference stra reach poll now offset delay disper ************************************************************************** [12345]1.0.1.11 127.127.1.0 350.1 15.1 note: source(master),2 source(peer),3 selected,4 candidate,5 configured Total associations : Configuring NTP Symmetric Peer Mode Network requirements The local clock of Device A is set as the NTP master clock, with a clock stratum level of 2. Device C (a Switch 4210) uses Device A as the NTP server, and Device A works in server mode automatically.
[DeviceC] display ntp-service status Clock status: synchronized Clock stratum: 2 Reference clock ID: 3.0.1.32 Nominal frequency: 100.0000 Hz Actual frequency: 100.0000 Hz Clock precision: 2^18 Clock offset: 0.66 ms Root delay: 27.47 ms Root dispersion: 208.39 ms Peer dispersion: 9.63 ms Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C) The output information indicates that the clock of Device C is synchronized to that of Device B and the stratum level of its local clock is 2, one level lower than Device B.
Network diagram Figure 1-8 Network diagram for the NTP broadcast mode configuration (Devices A, B, C and D; Vlan-int2 addresses shown: 3.0.1.31/24, 1.0.1.31/24 and 3.0.1.32/24) Configuration procedure Configure Device C. # Enter system view. <DeviceC> system-view # Set Device C as the broadcast server, which sends broadcast messages through Vlan-interface2. [DeviceC] interface Vlan-interface 2 [DeviceC-Vlan-interface2] ntp-service broadcast-server Configure Device A.
Root dispersion: 208.39 ms Peer dispersion: 9.63 ms Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C) The output information indicates that Device D is synchronized to Device C, with the clock stratum level of 3, one level lower than that of Device C. # View the information about the NTP sessions of Device D and you can see that a connection is established between Device D and Device C.
[DeviceC-Vlan-interface2] ntp-service multicast-server Configure Device A (perform the same configuration on Device D). # Enter system view. <DeviceA> system-view # Set Device A as a multicast client to listen to multicast messages through Vlan-interface2. [DeviceA] interface Vlan-interface 2 [DeviceA-Vlan-interface2] ntp-service multicast-client After the above configurations, Device A and Device D respectively listen to multicast messages through their own Vlan-interface2, and Device C advertises multicast messages through Vlan-interface2.
Network diagram Figure 1-10 Network diagram for NTP server/client mode with authentication configuration Configuration procedure Configure Device B. # Enter system view. <DeviceB> system-view # Enable the NTP authentication function. [DeviceB] ntp-service authentication enable # Configure an MD5 authentication key, with the key ID being 42 and the key being aNiceKey. [DeviceB] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey # Specify the key 42 as a trusted key.
Root dispersion: 208.39 ms Peer dispersion: 9.63 ms Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C) The output information indicates that the clock of Device B is synchronized to that of Device A, with a clock stratum level of 3, one stratum level lower than that of Device A. # View the information about NTP sessions of Device B (you can see that a connection is established between Device B and Device A).
Table of Contents 1 SSH Configuration·····································································································································1-1 SSH Overview·········································································································································1-1 Introduction to SSH ·························································································································1-1 Algorithm and Key ···························································································································1-1 Asymmetric Key Algorithm ··············································································································1-2 SSH Operating Process ··················································································································1-2 SSH Server and Client Configuration Task List······················································································1-4 Configuring the SSH Server····················································································································1-4 Configuring the User Interfaces for SSH Clients·············································································1-5 Configuring the SSH Management Functions·················································································1-6 Configuring the SSH Server to Be Compatible with SSH1 Clients ·················································1-7 Generating/Destroying Key Pairs ····································································································1-7...
SSH Configuration When configuring SSH, go to these sections for the information you are interested in: SSH Overview; SSH Server and Client Configuration Task List; Displaying and Maintaining SSH Configuration; Comparison of SSH Commands with the Same Functions; SSH Configuration Examples. SSH Overview Introduction to SSH Secure Shell (SSH) is a protocol that provides secure remote login and other security services in insecure network environments.
Figure 1-1 Encryption and decryption Key-based algorithms are usually classified into symmetric key algorithms and asymmetric key algorithms. Asymmetric Key Algorithm An asymmetric key algorithm means that a key pair exists at each end. The key pair consists of a private key and a public key.
Version negotiation The server opens port 22 to listen for connection requests from clients. The client sends a TCP connection request to the server. After the TCP connection is established, the server sends the first packet to the client, which includes a version identification string in the format “SSH-<primary protocol...
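As an added example (not code from the 3Com manual), a Python parser for the identification string exchanged in this step and the version decision that follows from it, written from the operator's side to spot sessions that fall back to SSH1; the identification lines and the software name Switch4210 are constructed, and the "1.99" convention for a server that accepts both SSH1 and SSH2 clients is taken from RFC 4253 rather than from this page:

```python
import re

# RFC 4253 identification line: "SSH-protoversion-softwareversion [SP comments]"
# terminated by CR LF. The server sends it first, right after the TCP connection
# to port 22 is established.
_ID_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_identification(line):
    """Split one identification line into protocol version, software version and
    optional comments. Raises ValueError for anything that is not an SSH ID line
    (for example a banner from some other service answering on the port)."""
    line = line.rstrip("\r\n")
    m = _ID_RE.match(line)
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments"),
    }


def _families(proto):
    """Major protocol families a side supports. '1.99' is the RFC 4253 way for a
    server to announce that it accepts both SSH1 and SSH2 clients (the
    'compatible with SSH1 clients' setting described in this chapter)."""
    if proto == "1.99":
        return {1, 2}
    return {int(proto.split(".", 1)[0])}


def negotiate_version(server_line, client_line):
    """Return the protocol version the two sides settle on, or None when they
    share no version and the connection cannot proceed."""
    server = parse_identification(server_line)["proto"]
    client = parse_identification(client_line)["proto"]
    common = _families(server) & _families(client)
    if not common:
        return None
    if 2 in common:
        return "2.0"
    # Only SSH1 is shared: the session continues with the client's own 1.x version.
    return client


def is_legacy_session(version):
    """True when the negotiated version is an SSH1 variant, which an operator
    reviewing connection logs would want to flag and phase out."""
    return version is not None and version != "2.0"


# Constructed identification lines (not captured from a real device).
SERVER_ID = "SSH-1.99-Switch4210\r\n"        # server configured to accept SSH1 clients
CLIENT_ID = "SSH-2.0-PuTTY_Release_0.58\r\n"  # SSH2-only client
OLD_CLIENT_ID = "SSH-1.5-LegacyClient\r\n"   # SSH1-only client

if __name__ == "__main__":
    print(negotiate_version(SERVER_ID, CLIENT_ID))                 # 2.0
    print(negotiate_version(SERVER_ID, OLD_CLIENT_ID))             # 1.5
    print(negotiate_version("SSH-2.0-Switch4210", OLD_CLIENT_ID))  # None
```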
The 3Com switch acts as the SSH server to cooperate with software that supports the SSH client functions. The 3Com switch acts as the SSH server to cooperate with another 3Com switch that acts as an SSH client. Complete the following tasks to configure the SSH server and clients:...
Table 1-2 Complete the following tasks to configure the SSH server:
Preparation tasks:
Task: Configuring the User Interfaces for SSH Clients. Remarks: Required.
Task: Configuring the SSH Management Functions. Remarks: Optional.
Task: Configuring the SSH Server to Be Compatible with SSH1 Clients. Remarks: Optional. This task determines which SSH versions the server should support.
Table 1-3 Follow these steps to configure the user interface for SSH clients:
To do: Enter system view. Use the command: system-view. Remarks: —
To do: Enter user interface view of one or more user interfaces. Use the command: user-interface vty first-number [ last-number ]. Remarks: —
To do: Configure the authentication mode. Use the command: authentication-mode scheme... Remarks: Required
You can configure a login header only when the service type is stelnet. For configuration of service types, refer to Specifying a Service Type for an SSH User. For details of the header command, refer to the corresponding section in Login Command. Configuring the SSH Server to Be Compatible with SSH1 Clients Follow these steps to configure the SSH server to be compatible with SSH1 clients: To do...
The SSH server’s key pairs are used for generating session keys and for SSH clients to authenticate the server. As different clients may support different public key algorithms, the server may use different key pairs for negotiation with different clients. Therefore, you need to generate both RSA and DSA key pairs on the server to help ensure that clients can log in to the server successfully.
For password authentication type, the username argument must be consistent with the valid user name defined in AAA; for publickey authentication, the username argument is the SSH local user name, so that there is no need to configure a local user in AAA. If the default authentication type for SSH users is password and local AAA authentication is adopted, you need not use the ssh user command to create an SSH user.
This configuration is not necessary if the password authentication mode is configured for SSH users. With the publickey authentication mode configured for an SSH client, you must configure the client’s RSA or DSA host public key(s) on the server for authentication. You can manually configure the public key or import it from a public key file.
This configuration task is unnecessary if the SSH user’s authentication mode is password. For the publickey authentication mode, you must specify the client’s public key on the server for authentication. Table 1-10 Follow these steps to assign a public key for an SSH user: To do...
Configuring the SSH Client The configurations required on the SSH client are related to the authentication mode that the SSH server uses. In addition, if an SSH client does not support first-time authentication, you need to configure the public key of the server on the client, so that the client can authenticate the server. SSH Client Configuration Task List Table 1-13 Complete the following tasks to configure the SSH client: SSH client configuration task...
Selecting the protocol for remote connection as SSH. Usually, a client can use a variety of remote connection protocols, such as Telnet, Rlogin, and SSH. To establish an SSH connection, you must select SSH. Selecting the SSH version. Since the device supports SSH2.0 now, select 2.0 or lower for the client.
Figure 1-3 Generate the client keys (2) After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case) to save the public key. Figure 1-4 Generate the client keys (3)
Likewise, to save the private key, click Save private key. A warning window pops up asking whether to save the private key without any protection. Click Yes and enter the name of the file for saving the private key (“private” in this case) to save the private key. Figure 1-5 Generate the client keys (4) To generate an RSA public key in PKCS format, run SSHKEY.exe, click Browse and select the public key file, and then click Convert.
Figure 1-7 SSH client configuration interface 1 In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client. Selecting a protocol for remote connection As shown in Figure...
Figure 1-8 SSH client configuration interface 2 Under Protocol options, select 2 from Preferred SSH protocol version. Some SSH client software, for example, Tectia client software, supports the DES algorithm only when the ssh1 version is selected. The PuTTY client software supports DES algorithm negotiation with ssh2. Opening an SSH connection with password authentication From the window shown in Figure...
Figure 1-9 SSH client configuration interface 3 Click Browse… to bring up the file selection window, navigate to the private key file and click Open. If the connection is normal, a user will be prompted for a username. Once passing the authentication, the user can log in to the server.
Configuring whether first-time authentication is supported When the device connects to the SSH server as an SSH client, you can configure whether the device supports first-time authentication. With first-time authentication enabled, an SSH client that is not configured with the server host public key can continue accessing the server when it accesses the server for the first time, and it will save the host public key on the client for use in subsequent authentications.
To do... Use the command... Remarks
Use the command: ssh2 { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } |... Remarks: Required. In this command, you can also specify the preferred key exchange algorithm, encryption algorithms and HMAC algorithms between the server and...
Operation: Display information about the peer RSA public keys. Original command: display rsa peer-public-key [ brief | name keyname ]. Current command: display public-key peer [ brief | name pubkey-name ]
Operation: Generate an RSA key pair. Original command: rsa local-key-pair create. Current command: public-key local create rsa
Operation: Destroy an RSA key pair. Original command: rsa local-key-pair destroy. Current command: public-key local destroy rsa...
Network diagram Figure 1-10 Switch acts as server for local password authentication Configuration procedure Configure the SSH server # Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection. <Switch>...
# Configure the SSH client software to establish a connection to the SSH server. Take SSH client software Putty (version 0.58) as an example: Run PuTTY.exe to enter the following configuration interface. Figure 1-11 SSH client configuration interface In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select SSH under Connection.
Figure 1-12 SSH client configuration interface 2 Under Protocol options, select 2 from Preferred SSH protocol version. As shown in Figure 1-12, click Open. If the connection is normal, you will be prompted to enter the user name client001 and password abc. Once authentication succeeds, you will log in to the server.
Network diagram
Figure 1-13 Switch acts as server for password and RADIUS authentication
Configuration procedure
Configure the RADIUS server
This document takes CAMS Version 2.10 as an example to show the basic RADIUS server configurations required.
# Add an access device. Log into the CAMS management platform and select System Management >...
Figure 1-14 Add an access device # Add a user for device management. From the navigation tree, select User Management > User for Device Management, and then in the right pane, click Add to enter the Add Account window and perform the following configurations: Add a user named hello, and specify the password.
Generating the RSA and DSA key pairs on the server is a prerequisite to SSH login.
# Generate RSA and DSA key pairs.
[Switch] public-key local create rsa
[Switch] public-key local create dsa
# Set the authentication mode for the user interfaces to AAA.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
Figure 1-16 SSH client configuration interface (1) In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-17 appears.
authentication succeeds, you will log in to the server. The level of commands that you can access after login is authorized by the CAMS server. You can specify the level by setting the EXEC Privilege Level argument in the Add Account window shown in Figure 1-15.
From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-20 appears. Figure 1-20 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name client001 and the password.
Configuration procedure
Under the publickey authentication mode, either an RSA or a DSA public key can be generated for the server to authenticate the client. This example uses an RSA public key.
Configure the SSH server
# Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for the SSH connection.
# Import the client's public key named Switch001 from the file public.
[Switch] public-key peer Switch001 import sshkey public
# Assign the public key Switch001 to client client001.
[Switch] ssh user client001 assign publickey Switch001
Configure the SSH client (taking PuTTY version 0.58 as an example)
# Generate an RSA key pair.
Figure 1-23 Generate a client key pair (2)
After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case).
Figure 1-24 Generate a client key pair (3)
Likewise, to save the private key, click Save private key. A warning window pops up asking whether to save the private key without any protection. Click Yes and enter the name of the file for saving the private key (private.ppk in this case).
Figure 1-25 Generate a client key pair (4)
After the key pair is generated, you need to upload the public key file to the server through FTP or TFTP, and complete the server end configuration before you continue to configure the client.
Figure 1-27 SSH client configuration interface 2
Under Protocol options, select 2 from Preferred SSH protocol version. Select Connection/SSH/Auth. The following window appears.
Figure 1-28 SSH client configuration interface (2)
Click Browse… to bring up the file selection window, navigate to the private key file and click OK. From the window shown in Figure 1-28, click Open. If the connection is normal, you will be prompted to enter the username.
When Switch Acts as Client for Password Authentication
Network requirements
As shown in...
The Server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):n
Enter password:
*****************************************************************************
Copyright(c) 2004-2009 3Com Corp. and its licensors. All rights reserved.
Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
*****************************************************************************
<SwitchB>...
Configuration procedure
In public key authentication, you can use either an RSA or a DSA public key. This example uses a DSA public key.
Configure Switch B
# Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for the SSH connection.
The Server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):n
*****************************************************************************
Copyright(c) 2004-2009 3Com Corp. and its licensors. All rights reserved.
Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
When Switch Acts as Client and First-Time Authentication is not Supported
Network requirements
As shown in Figure 1-31, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange. The user name is client001 and the SSH server's IP address is 10.165.87.136.
Before performing the following steps, you must first generate a DSA key pair on the client, save the key pair in a file named Switch001, and then upload the file to the SSH server through FTP or TFTP. For details, refer to "Configure Switch A" below.
Username: client001
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...
*****************************************************************************
Copyright(c) 2004-2009 3Com Corp. and its licensors. All rights reserved.
Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
*****************************************************************************
<SwitchB>
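The two client behaviours this part of the manual contrasts, first-time authentication enabled (the "Server is not authenticated ... save the server's public key?" prompts in the transcripts above) and disabled (the section just shown, where the server key must be known to the client beforehand), as an added example in Python that is not the switch's own code; the key blobs are constructed stand-ins, and `pin()` plays the role of configuring the server host public key on the client:

```python
"""Host-key trust decisions of an SSH client, modelled on the two behaviours
the manual describes: first-time authentication enabled (an unknown server
key may be accepted, and optionally saved, on the first connection) or
disabled (only a server whose host public key was configured beforehand is
accepted).  Added example, not 3Com code.  Key blobs here are constructed."""
import base64
import hashlib


def fingerprint(pubkey_blob: bytes) -> str:
    """OpenSSH-style fingerprint: base64(SHA-256(blob)) without '=' padding."""
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class HostKeyStore:
    """Server host keys a client knows, keyed by (host, port)."""

    def __init__(self, first_time_auth: bool):
        self.first_time_auth = first_time_auth
        self.known = {}  # (host, port) -> fingerprint string

    def pin(self, host: str, port: int, pubkey_blob: bytes) -> None:
        """Configure the server's host public key on the client beforehand;
        the only way a connection can succeed when first-time auth is off."""
        self.known[(host, port)] = fingerprint(pubkey_blob)

    def check_server(self, host: str, port: int, presented_blob: bytes,
                     save: bool = True) -> str:
        """Decide whether a connection to (host, port) may proceed.

        Returns one of:
          'trusted'             presented key matches the saved key
          'rejected-mismatch'   a key is saved for this server but differs
          'rejected-unknown'    no saved key and first-time auth is disabled
          'accepted-first-time' no saved key, first-time auth enabled; the
                                key is saved only if save=True (answering Y
                                to 'save the server's public key?')
        """
        fp = fingerprint(presented_blob)
        saved = self.known.get((host, port))
        if saved is not None:
            return "trusted" if saved == fp else "rejected-mismatch"
        if not self.first_time_auth:
            return "rejected-unknown"
        if save:
            self.known[(host, port)] = fp
        return "accepted-first-time"
```

Answering N to the save prompt, as the transcripts do, leaves the client without a pinned key, so the next connection is again a first-time connection and a changed server key would not be noticed.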
Table of Contents
1 File System Management Configuration 1-1
  File System Configuration 1-1
    Introduction to File System 1-1
    File System Configuration Tasks 1-1
    Directory Operations 1-1
    File Operations 1-2
    Flash Memory Operations 1-3
    Prompt Mode Configuration 1-3
    File System Configuration Example 1-4
  File Attribute Configuration 1-5
    Introduction to File Attributes 1-5
    Booting with the Startup File 1-6
    Configuring File Attributes 1-6
    ...
File System Management Configuration
File System Configuration
Introduction to File System
To facilitate management of the switch memory, the Switch 4210 provides the file system function, allowing you to access and manage files and directories. You can create, remove, copy or delete a file through command lines, and you can manage files using directories.
Table 1-2 Directory operations
To do… | Use the command… | Remarks
Create a directory | mkdir directory | Optional
Delete a directory | rmdir directory | Optional
Display the current work directory | | Optional
Display the information about specific directories and files | dir [ /all ] [ file-url ] | Optional
Enter a specified directory | ...
To do… | Use the command… | Remarks
Enter system view | system-view | —
Execute the specified batch file | execute filename | Optional. This command should be executed in system view.
For deleted files whose names are the same, only the latest deleted file is kept in the recycle bin and can be restored.
Table 1-5 Configuration on prompt mode of file system
To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure the prompt mode of the file system | file prompt { alert | quiet } | Required. By default, the prompt mode of the file system is alert.
<Sysname> dir unit1>flash:/test/
Directory of unit1>flash:/test/
-rw- 1235 Apr 05 2000 01:51:34 test.cfg
-rw- 1235 Apr 05 2000 01:56:44 1.cfg
7239 KB total (3585 KB free)
(*) -with main attribute
(b) -with backup attribute
(*b) -with both main and backup attribute
File Attribute Configuration
Introduction to File Attributes...
with the main attribute in the Flash memory will lose its main attribute. The same applies to the file with the backup attribute in the Flash memory. File operations and file attribute operations are independent. For example, if you delete a file with the main attribute from the Flash memory, none of the other files in the Flash memory will acquire the main attribute.
To do… | Use the command… | Remarks
Specify to enable the user to use the customized password to enter the BOOT menu | startup bootrom-access enable | Optional. By default, the user is enabled to use the customized password to enter the BOOT menu.
Display the information about the app file used as the startup... | display boot-loader [ unit ... |
Table of Contents
1 FTP and SFTP Configuration 1-1
  Introduction to FTP and SFTP 1-1
    Introduction to FTP 1-1
    Introduction to SFTP 1-1
  FTP Configuration 1-2
    FTP Configuration: A Switch Operating as an FTP Server 1-2
    FTP Configuration: A Switch Operating as an FTP Client 1-5
    Configuration Example: A Switch Operating as an FTP Server 1-7
    FTP Banner Display Configuration Example 1-9
    FTP Configuration: A Switch Operating as an FTP Client 1-10
    ...
FTP and SFTP Configuration
Introduction to FTP and SFTP
Introduction to FTP
FTP (file transfer protocol) is commonly used in IP-based networks to transmit files. Before the World Wide Web came into being, files were transferred through command-line tools, and the most popular application was FTP.
FTP Configuration
Table 1-2 FTP configuration tasks
Item | Configuration task | Description
FTP Configuration: A Switch Operating as an FTP Server | Creating an FTP user | Required
 | Enabling an FTP server | Required
 | Configuring connection idle time | Optional
 | Disconnecting a specified user | Optional
 | Configuring the banner for an FTP server | Optional
...
Only one user can access a Switch 4210 at a given time when the latter operates as an FTP server. Operating as an FTP server, a Switch 4210 cannot receive a file whose size exceeds its storage space. Clients that attempt to upload such a file will be disconnected from the FTP server due to lack of storage space on the FTP server.
With a Switch 4210 acting as the FTP server, if a network administrator attempts to disconnect a user that is uploading/downloading data to/from the FTP server, the Switch 4210 disconnects the user after the data transmission is completed.
Configuring the banner for an FTP server
Displaying a banner: With a banner configured on the FTP server, when you access the FTP server through FTP, the configured banner is displayed on the FTP client.
Table 1-7 Configure the banner display for an FTP server
Operation | Command | Description
Enter system view | system-view | —
Configure a login banner | header login text | Required. Use either command or both. By default, no banner is configured.
Configure a shell banner | header shell text |
For details about the header command, refer to the Login part of the manual.
Operation | Command | Description
Change the working directory on the remote FTP server | cd pathname | Optional
Change the working directory to be the parent directory | cdup | Optional
Get the local working path on the FTP client | | Optional
Display the working directory on the FTP server | | Optional
Create a directory on the remote FTP server | mkdir pathname | Optional
...
Configuration Example: A Switch Operating as an FTP Server
Network requirements
A switch operates as an FTP server and a remote PC as an FTP client. The application switch.bin of the switch is stored on the PC. Upload the application to the remote switch through FTP and use the boot boot-loader command to specify switch.bin as the application for the next startup.
Connected to 1.1.1.1.
220 FTP service ready.
User (1.1.1.1:(none)): switch
331 Password required for switch.
Password:
230 User logged in.
ftp>
# Upload the switch.bin file.
ftp> put switch.bin
200 Port command okay.
150 Opening ASCII mode data connection for switch.bin.
226 Transfer complete.
For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging part of this manual.
FTP Banner Display Configuration Example
Network requirements
Configure the Ethernet switch as an FTP server and the remote PC as an FTP client. After a connection between the FTP client and the FTP server is established and login succeeds, the banner is displayed on the FTP client.
331 Password required for switch.
Password:
230-shell banner appears
230 User logged in.
ftp>
FTP Configuration: A Switch Operating as an FTP Client
Network requirements
A switch operates as an FTP client and a remote PC as an FTP server. The switch application named switch.bin is stored on the PC.
# Connect to the FTP server using the ftp command in user view. You need to provide the IP address of the FTP server, the user name and the password to enter FTP view.
<Sysname> ftp 2.2.2.2
Trying ...
Press CTRL+K to abort
Connected.
Item | Configuration task | Description
SFTP Configuration: A Switch Operating as an SFTP Client | Basic configurations on an SFTP client | —
SFTP Configuration: A Switch Operating as an SFTP Server
Enabling an SFTP server
Before enabling an SFTP server, you need to enable the SSH server function and specify the service type of the SSH user as SFTP or all.
Currently a Switch 4210 operating as an SFTP server supports the connection of only one SFTP user. When multiple users attempt to log in to the SFTP server, or multiple connections are opened from a client, only the first user can log in to the SFTP server; the subsequent connections fail. When you upload a large file through WinSCP and a file with the same name exists on the server, it is recommended that you set the packet timeout to more than 600 seconds, so that the client does not stop responding to device packets because of a timeout.
Operation | Command | Description
... on the SFTP server | ls [ -a | -l ] [ remote-path ] | If no file name is provided, all the files in the current directory are displayed. The difference between these two commands is that the dir command can display the file name, directory as well as file attributes; ...
Configuration procedure
Configure the SFTP server (switch B)
# Create key pairs.
<Sysname> system-view
[Sysname] public-key local create rsa
[Sysname] public-key local create dsa
# Create a VLAN interface on the switch and assign to it an IP address, which is used as the destination address for the client to connect to the SFTP server.
Connected to 192.168.0.1 ...
The Server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):n
Enter password:
sftp-client>
# Display the current directory of the server. Delete the file z and verify the result.
sftp-client>...
# Rename the directory new1 as new2, and then verify the result.
sftp-client> rename new1 new2
File successfully renamed
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
...
TFTP Configuration
Introduction to TFTP
Compared with FTP, TFTP (trivial file transfer protocol) features a simple interactive access interface and no authentication control. Therefore, TFTP is applicable in networks where client-server interactions are relatively simple. TFTP is implemented on top of UDP. It transfers data through UDP port 69. Basic TFTP operations are described in RFC 1986.
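The packet types TFTP exchanges over UDP port 69 (RRQ, WRQ, DATA, ACK, ERROR), as an added Python example that is not part of this manual. Because TFTP has no authentication, the write requests a server receives are the ones a defender most wants visibility of, so the last function lists them from captured datagrams; all datagrams in the test are constructed.

```python
"""Decoder and encoder for TFTP datagrams: RRQ/WRQ (filename, mode),
DATA (block number + up to 512 bytes), ACK (block number) and ERROR
(code + message).  Added example, not 3Com code; inputs are constructed."""
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
MODES = ("netascii", "octet", "mail")
BLOCK_SIZE = 512  # default data block; a shorter DATA block ends the transfer


def parse_tftp(datagram: bytes) -> dict:
    """Parse one TFTP datagram; raise ValueError on malformed input."""
    if len(datagram) < 4:
        raise ValueError("datagram too short for a TFTP header")
    opcode = struct.unpack("!H", datagram[:2])[0]
    kind = OPCODES.get(opcode)
    if kind is None:
        raise ValueError(f"unknown TFTP opcode {opcode}")
    body = datagram[2:]
    if kind in ("RRQ", "WRQ"):
        # filename NUL mode NUL (option fields may follow; ignored here)
        fields = body.split(b"\x00")
        if len(fields) < 3 or fields[-1] != b"":
            raise ValueError("request fields must be NUL-terminated")
        filename = fields[0].decode("ascii", "replace")
        mode = fields[1].decode("ascii", "replace").lower()
        if mode not in MODES:
            raise ValueError(f"unsupported transfer mode {mode!r}")
        return {"type": kind, "filename": filename, "mode": mode}
    if kind == "DATA":
        block = struct.unpack("!H", body[:2])[0]
        data = body[2:]
        if len(data) > BLOCK_SIZE:
            raise ValueError("DATA block larger than 512 bytes")
        return {"type": kind, "block": block, "data": data,
                "last": len(data) < BLOCK_SIZE}
    if kind == "ACK":
        if len(body) != 2:
            raise ValueError("ACK must carry exactly a block number")
        return {"type": kind, "block": struct.unpack("!H", body)[0]}
    # ERROR: 2-byte error code followed by a NUL-terminated message
    code = struct.unpack("!H", body[:2])[0]
    message = body[2:].split(b"\x00")[0].decode("ascii", "replace")
    return {"type": kind, "code": code, "message": message}


def build_request(kind: str, filename: str, mode: str = "octet") -> bytes:
    """Encode an RRQ or WRQ for the given file name and transfer mode."""
    opcode = {"RRQ": 1, "WRQ": 2}[kind]
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def write_requests(datagrams) -> list:
    """From captured UDP/69 payloads, list (filename, mode) of every WRQ:
    the uploads an unauthenticated TFTP server will accept from any host."""
    found = []
    for datagram in datagrams:
        try:
            packet = parse_tftp(datagram)
        except ValueError:
            continue  # not TFTP, or damaged; nothing to report
        if packet["type"] == "WRQ":
            found.append((packet["filename"], packet["mode"]))
    return found
```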
Item | Configuration task | Description
TFTP server configuration | — | For details, see the corresponding manual
TFTP Configuration: A Switch Operating as a TFTP Client | Basic configurations on a TFTP client |
By default a switch can operate as a TFTP client. In this case you can connect the switch to the TFTP server to perform TFTP-related operations (such as creating/removing a directory) by executing commands on the switch.
Configuration procedure
Configure the TFTP server (PC)
Start the TFTP server and configure the working directory on the PC.
Configure the TFTP client (switch).
# Log in to the switch. (You can log in to a switch through the Console port or by telnetting the switch. See the "Login"...
Table of Contents
1 Information Center 1-1
  Information Center Overview 1-1
    Introduction to Information Center 1-1
    System Information Format 1-4
  Information Center Configuration 1-7
    Introduction to the Information Center Configuration Tasks 1-7
    Configuring Synchronous Information Output 1-7
    Configuring to Display the Time Stamp with the UTC Time Zone 1-8
    Setting to Output System Information to the Console 1-8
    Setting to Output System Information to a Monitor Terminal 1-10
    Setting to Output System Information to a Log Host 1-12
    ...
Information Center
Information Center Overview
Introduction to Information Center
Acting as the system information hub, the information center classifies and manages system information. Together with the debugging function (the debugging command), the information center offers powerful support for network administrators and developers in monitoring network performance and diagnosing network problems.
Ten channels and six output directions of system information
The system supports six information output directions: the Console, the monitor terminal (monitor), logbuffer, loghost, trapbuffer and SNMP. The system supports ten channels. Channels 0 through 5 have default channel names and are associated with the six output directions by default.
Module name | Description
 | Access control list module
ADBM | Address base module
 | Access management module
 | Address resolution protocol module
 | Command line module
 | Device management module
 | Domain name system module
 | Ethernet module
 | Forwarding module
 | Fabric topology management module
FTPS | FTP server module
 | High availability module
HABP | Huawei authentication bypass protocol module
...
Module name | Description
TELNET | Telnet module
TFTPC | TFTP client module
VLAN | Virtual local area network module
 | Virtual type terminal module
 | Xmodem module
default | Default settings for all the modules
To sum up, the major task of the information center is to output the three types of information of the modules onto the ten channels in terms of the eight severity levels and according to the user's settings, and then redirect the system information from the ten channels to the six output directions.
If the address of the log host is specified in the information center of the switch, when logs are generated, the switch sends the logs to the log host in the above format. For detailed information, refer to Setting to Output System Information to a Log Host.
locate and solve problems globally. In this case, you can configure the information center to add the UTC time zone to the time stamp of the output information, so that you know the standard time at which the information center processed each piece of information. That is, you can know the Greenwich standard time of each switch in the network based on the UTC record in the time stamp.
Source
This field indicates the source of the information, such as the source IP address of the log sender. This field is optional and is displayed only when the output destination is the log host.
Context
This field provides the content of the system information.
Information Center Configuration
Introduction to the Information Center Configuration Tasks
Table 1-4 Information center configuration tasks...
If the system information is output before you input any information following the current command line prompt, the system does not echo any command line prompt after the system information output. In the interaction mode, you are prompted for some information input. If the input is interrupted by system output, no system prompt (except the Y/N string) will be echoed after the output, but your input will be displayed in a new line.
Operation | Command | Description
Enable system information output to the console | info-center console channel { channel-number | channel-name } | Optional. By default, the switch uses information channel 0 to output log/debugging/trap information to the console.
Configure the output rules | info-center source { modu-name | default } channel { channel-number | ... | Optional
Enabling system information display on the console After setting to output system information to the console, you need to enable the associated display function to display the output information on the console. Table 1-9 Enable the system information display on the console: Operation Command Description...
Operation | Command | Description
Set the format of the time stamp in the output information | info-center timestamp { log | trap | debugging } { boot | date | none } | Optional. By default, the time stamp format of the log and trap output information is date, and that of the debugging output information is boot.
Setting to Output System Information to a Log Host
Table 1-12 Set to output system information to a log host
Operation | Command | Description
Enter system view | system-view | —
Enable the information center | info-center enable | Optional. Enabled by default.
 | info-center loghost host-ip-addr [ channel ... | Required. By default, the switch does not output information to the log host.
Operation | Command | Description
Enable system information output to the trap buffer | info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ]* | Optional. By default, the switch uses information channel 3 to output trap information to the trap buffer, which can hold up to 256 items by default.
Operation | Command | Description
Enable the information center | info-center enable | Optional. Enabled by default.
Enable information output to the SNMP NMS | info-center snmp channel { channel-number | channel-name } | Optional. By default, the switch outputs trap information to SNMP through channel 5.
 | info-center source { modu-name | default } ... | Optional
Operation | Command | Description
Clear information recorded in the log buffer | reset logbuffer [ unit unit-id ] | Available in user view
Clear information recorded in the trap buffer | reset trapbuffer [ unit unit-id ] |
Information Center Configuration Examples
Log Output to a UNIX Log Host
Network requirements
The switch sends the following log information to the UNIX log host whose IP address is 202.38.1.10: the log information of the two modules ARP and IP, with severity higher than "informational".
# Switch configuration messages
local4.info /var/log/Switch/information
When you edit the file "/etc/syslog.conf", note that:
A note must start in a new line, starting with a "#" sign.
In each pair, a tab should be used as a separator instead of a space.
No space is allowed at the end of a file name.
Configuration procedure
Configure the switch:
# Enable the information center.
<Switch> system-view
[Switch] info-center enable
# Configure the host whose IP address is 202.38.1.10 as the log host. Permit all modules to output log information with severity level higher than error to the log host.
[Switch] info-center loghost 202.38.1.10 facility local7
[Switch] info-center source default channel loghost log level errors debug state off trap state off
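How the facility the switch is given (local7 above, local4 in the syslog.conf fragment) and the severity threshold combine into the PRI value of each syslog message, and how a log host's selector line decides where the message goes, as an added Python example that is neither the switch's nor syslogd's code. It also checks a syslog.conf text against the three editing rules quoted above (comment lines begin with "#", a tab separates selector and action, no trailing space after the file name); the message and configuration text are constructed.

```python
"""Syslog PRI arithmetic plus a syslog.conf selector checker/matcher.
Added example, not 3Com code; all inputs are constructed."""
import re

# Standard facility numbers 0..23; local0..local7 are 16..23.
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
                  "news", "uucp", "cron", "authpriv", "ftp", "ntp", "security",
                  "console", "solaris-cron"] + [f"local{i}" for i in range(8)]
FACILITIES = {name: num for num, name in enumerate(FACILITY_NAMES)}
# Severity names as written in syslog.conf, 0 = most urgent .. 7 = least.
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
# The switch's info-center names for the same eight levels.
SWITCH_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                 "warnings": 4, "notifications": 5, "informational": 6,
                 "debugging": 7}


def switch_level(name: str) -> str:
    """Map an info-center level name (e.g. 'errors') to its syslog name."""
    return {v: k for k, v in SEVERITIES.items()}[SWITCH_LEVELS[name]]


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, sent as '<PRI>' at the message start."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def split_pri(value: int):
    """Inverse of pri(): (facility name, severity name)."""
    if not 0 <= value <= 191:
        raise ValueError("PRI out of range")
    return FACILITY_NAMES[value // 8], {v: k for k, v in SEVERITIES.items()}[value % 8]


def parse_pri(message: str) -> int:
    """Extract the numeric PRI from a received syslog line."""
    m = re.match(r"<(\d{1,3})>", message)
    if not m:
        raise ValueError("message does not start with <PRI>")
    return int(m.group(1))


def check_syslog_conf(text: str):
    """Validate syslog.conf lines; return (rules, problems).

    rules    : list of (facility, severity, action) selectors that parsed
    problems : list of (line number, description) for the rule violations
    """
    rules, problems = [], []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            continue  # a note: whole line, starting with '#'
        if "#" in line:
            problems.append((number, "a note must start on its own line with '#'"))
            continue
        if line != line.rstrip(" "):
            problems.append((number, "no space is allowed at the end of the file name"))
        if "\t" not in line:
            problems.append((number, "selector and action must be separated by a tab"))
            continue
        selector, action = line.split("\t", 1)
        facility, _, severity = selector.strip().partition(".")
        fac_ok = facility == "*" or facility in FACILITIES
        sev_ok = severity == "*" or severity in SEVERITIES
        if not (fac_ok and sev_ok):
            problems.append((number, f"unknown selector {selector!r}"))
            continue
        rules.append((facility, severity, action.strip()))
    return rules, problems


def route(message: str, rules) -> list:
    """Actions (e.g. file names) whose selector matches the message's PRI.
    A selector severity matches that severity and every more urgent one."""
    facility, severity = split_pri(parse_pri(message))
    actions = []
    for rule_fac, rule_sev, action in rules:
        if rule_fac not in ("*", facility):
            continue
        if rule_sev != "*" and SEVERITIES[severity] > SEVERITIES[rule_sev]:
            continue
        actions.append(action)
    return actions
```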
Through combined configuration of the device name (facility), information severity level threshold (severity), module name (filter) and the file "syslog.conf", you can sort information precisely for filtering.
Log Output to the Console
Network requirements
The switch sends the following information to the console: the log information of the two modules ARP and IP, with severity higher than "informational".
Network diagram
Figure 1-4 Network diagram
Configuration procedure
# Name the local time zone z8 and configure it to be eight hours ahead of UTC time.
<Switch> clock timezone z8 add 08:00:00
# Set the time stamp format of the log information to be output to the log host to date.
<Switch>...
Table of Contents
1 Boot ROM and Host Software Loading 1-1
  Introduction to Loading Approaches 1-1
  Local Boot ROM and Software Loading 1-1
    BOOT Menu 1-2
    Loading by XModem through Console Port 1-3
    Loading by TFTP through Ethernet Port 1-7
    Loading by FTP through Ethernet Port 1-9
  Remote Boot ROM and Software Loading 1-11
    Remote Loading Using FTP 1-11
    Remote Loading Using TFTP 1-15
    ...
Boot ROM and Host Software Loading
Traditionally, switch software is loaded through a serial port. This approach is slow, time-consuming and cannot be used for remote loading. To resolve these problems, the TFTP and FTP modules are introduced into the switch. With these modules, you can load/download software/files conveniently to the switch through an Ethernet port.
BOOT Menu
Starting..
***********************************************************
Switch 4210 26-Port BOOTROM, Version 607
***********************************************************
Copyright(c) 2004-2009 3Com Corporation and its licensors.
Creation date : Nov 27 2009, 10:43:40
CPU Clock Speed : 200MHz
BUS Clock Speed : 33MHz
Memory Size : 64MB
Mac Address : 00e0fc003500
Press Ctrl-B to enter Boot Menu...
Enter your choice(0-9):
Loading by XModem through Console Port
Introduction to XModem
The XModem protocol is a file transfer protocol that is widely used due to its simplicity and high stability. The XModem protocol transfers files through the Console port. It supports two types of data packets (128 bytes and 1 KB), two check methods (checksum and CRC), and multiple attempts at retransmitting an erroneous packet (generally the maximum number of retransmission attempts is ten).
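The XModem framing just described (128-byte and 1 KB packets, checksum or CRC, NAK-driven retransmission with a limit of ten attempts), as an added Python example that is not 3Com's BOOT ROM code; the packet layout follows the common XModem convention (start byte, block number, its complement, data, check) and the payloads in the test are constructed.

```python
"""XModem packet framing and a receiver that ACKs/NAKs and gives up after
ten failed attempts.  Added example, not 3Com code; inputs are constructed."""
SOH, STX, EOT, ACK, NAK = 0x01, 0x02, 0x04, 0x06, 0x15
PAD = 0x1A          # the last block is padded with Ctrl-Z
MAX_RETRIES = 10    # "generally the maximum number of retransmission attempts"


def crc16_xmodem(data: bytes) -> int:
    """CRC-16 with polynomial 0x1021, initial value 0, no reflection."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_packet(block_no: int, payload: bytes, use_crc: bool) -> bytes:
    """Frame one block: SOH (128 bytes) or STX (1 KB), block number, its
    one's complement, padded data, then a 1-byte checksum or 2-byte CRC."""
    if len(payload) > 1024:
        raise ValueError("payload exceeds a 1 KB block")
    size = 128 if len(payload) <= 128 else 1024
    data = payload.ljust(size, bytes([PAD]))
    header = bytes([SOH if size == 128 else STX,
                    block_no & 0xFF, 0xFF - (block_no & 0xFF)])
    if use_crc:
        trailer = crc16_xmodem(data).to_bytes(2, "big")
    else:
        trailer = bytes([sum(data) & 0xFF])
    return header + data + trailer


def parse_packet(packet: bytes, use_crc: bool):
    """Return (block_no, data) or raise ValueError if the frame is damaged."""
    if not packet or packet[0] not in (SOH, STX):
        raise ValueError("bad start byte")
    size = 128 if packet[0] == SOH else 1024
    check_len = 2 if use_crc else 1
    if len(packet) != 3 + size + check_len:
        raise ValueError("wrong packet length")
    block_no, complement = packet[1], packet[2]
    if block_no + complement != 0xFF:
        raise ValueError("block number and complement disagree")
    data, trailer = packet[3:3 + size], packet[3 + size:]
    expected = (crc16_xmodem(data).to_bytes(2, "big") if use_crc
                else bytes([sum(data) & 0xFF]))
    if trailer != expected:
        raise ValueError("checksum/CRC mismatch")
    return block_no, data


class XmodemReceiver:
    """Receiver side: ACKs good blocks in order, NAKs damaged or out-of-order
    ones, tolerates a retransmitted duplicate, aborts after MAX_RETRIES."""

    def __init__(self, use_crc: bool = True):
        self.use_crc = use_crc
        self.expected = 1       # XModem numbers blocks from 1, modulo 256
        self.retries = 0
        self.aborted = False
        self.chunks = []

    def feed(self, packet: bytes) -> int:
        """Process one frame; return the control byte to send back."""
        if self.aborted:
            raise RuntimeError("transfer aborted after too many errors")
        if packet == bytes([EOT]):
            return ACK
        try:
            block_no, data = parse_packet(packet, self.use_crc)
        except ValueError:
            return self._fail()
        if self.chunks and block_no == (self.expected - 1) & 0xFF:
            return ACK  # duplicate of the last good block: our ACK was lost
        if block_no != self.expected & 0xFF:
            return self._fail()
        self.chunks.append(data)
        self.expected += 1
        self.retries = 0
        return ACK

    def _fail(self) -> int:
        self.retries += 1
        if self.retries >= MAX_RETRIES:
            self.aborted = True
        return NAK

    def data(self) -> bytes:
        """Received file with trailing pad bytes removed."""
        return b"".join(self.chunks).rstrip(bytes([PAD]))
```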
If you have chosen 19200 bps as the download baudrate, you need not modify the HyperTerminal's baudrate, and therefore you can skip Steps 4 and 5 below and proceed to Step 6 directly. In this case, the system will not display the above information.
The following are the configurations on the PC.
Figure 1-2 Console port configuration dialog box
Step 5: Click the <Disconnect> button to disconnect the HyperTerminal from the switch and then click the <Connect> button to reconnect the HyperTerminal to the switch, as shown in Figure 1-3.
Figure 1-3 Connect and disconnect buttons
The new baudrate takes effect after you disconnect and reconnect the HyperTerminal program.
Step 7: Choose [Transfer/Send File] in HyperTerminal, and click <Browse> in the pop-up dialog box, as shown in Figure 1-4. Select the software file that you need to load to the switch, and set the protocol to XModem.
Figure 1-4 Send file dialog box
Step 8: Click <Send>.
If the HyperTerminal’s baudrate is not reset to 19200 bps, the system prompts "Your baudrate should be set to 19200 bps again! Press enter key when ready". You need not reset the HyperTerminal’s baudrate and can skip the last step if you have chosen 19200 bps.
Step 2: Run the TFTP server program on the TFTP server, and specify the path of the program to be downloaded. A TFTP server program is not provided with the 3Com family switches.
Step 3: Run the HyperTerminal program on the configuration PC. Start the switch. Then enter the BOOT Menu.
Step 6: Enter Y to start file downloading or N to return to the Boot ROM update menu. If you enter Y, the system begins to download and update the Boot ROM. Upon completion, the system displays the following information:
Loading........done
Bootrom updating..done!
Loading host software...
You can use one computer as both the configuration device and the FTP server.
Step 2: Run the FTP server program on the FTP server, configure an FTP user name and password, and copy the program file to the specified FTP directory.
Step 3: Run the HyperTerminal program on the configuration PC.
The subsequent steps are the same as those for loading the Boot ROM, except that the system prompts for host software loading instead of Boot ROM loading. When loading the Boot ROM and host software through the BOOT menu using FTP, it is recommended that you use the PC directly connected to the device as the FTP server, to improve upgrade reliability.
The information output on the switch differs depending on which FTP server software is used on the PC.
Step 2: Update the Boot ROM program on the switch.
<Sysname> boot bootrom switch.btm
This will update BootRom file on unit 1. Continue? [Y/N] y
Upgrading BOOTROM, please wait...
Step 1: As shown in Figure 1-9, connect the switch through an Ethernet port to the PC (whose IP address is 10.1.1.1).
Step 2: Configure the IP address of VLAN-interface 1 on the switch as 192.168.0.28, with subnet mask 255.255.255.0. You can configure the IP address of any VLAN interface on the switch for FTP transmission.
Figure 1-11 Enter Boot ROM directory
Step 6: Enter ftp 192.168.0.28, and then enter the user name test and the password pass, as shown in Figure 1-12, to log on to the FTP server.
Figure 1-12 Log on to the FTP server
Step 7: Use the put command to upload the file switch.btm to the switch, as shown in Figure 1-13.
Figure 1-13 Upload file switch.btm to the switch
Step 8: Configure switch.btm as the Boot ROM to be used at the next startup, and then restart the switch.
<Sysname> boot bootrom switch.btm
This will update Bootrom on unit 1. Continue? [Y/N] y
Upgrading Bootrom, please wait...
Upgrade Bootrom succeeded!
<Sysname>...
Basic System Configuration and Debugging
Basic System Configuration
Table 2-1 Basic System Configuration
Operation: Set the current date and time of the system
Command: clock datetime HH:MM:SS { YYYY/MM/DD | MM/DD/YYYY }
Description: Required. Execute this command in user view. The default value is 23:55:00 04/01/2000 when the system starts up.
Table 2-2 System information display commands
Operation: Display the current date and time of the system
Command: display clock
Operation: Display the version of the system
Command: display version
Operation: Display the information about users logging onto the switch
Command: display users [ all ]
Description: You can execute the display commands in any view.
Debugging the System...
You can use the following commands to enable the two switches.
Table 2-3 Enable debugging and terminal display for a specific module
Operation: Enable system debugging for a specific module
Command: debugging module-name [ debugging-option ]
Description: Required. Disabled for all modules by default.
Command Alias Configuration
Introduction
As the network environment becomes more complex and network products become increasingly diverse, users often run network devices from several vendors in real networks. In this case, differences in command keywords between devices from different vendors greatly increase the complexity of device configuration for network administrators.
Network Connectivity Test
ping
You can use the ping command to check the network connectivity and the reachability of a host.
Table 3-1 The ping command
Operation: Check the IP network...
Command: ping [ -a ip-address ] [ -c count ] [ -d ] [ -f ] [ -h ttl ] [ -i interface-type interface-number ]...
Description: You can execute this...
Device Management
Introduction to Device Management
Device Management includes the following:
Reboot the Ethernet switch
Configure real-time monitoring of the running status of the system
Specify the APP to be used at the next reboot
Update the Boot ROM
Identifying and Diagnosing Pluggable Transceivers
Device Management Configuration
Device Management Configuration Tasks
Table 4-1 Device management configuration tasks...
Scheduling a Reboot on the Switch
After you schedule a reboot on the switch, the switch will reboot at the specified time.
Table 4-3 Schedule a reboot on the switch
Operation: Schedule a reboot on the switch, and set the reboot date and time...
Command: schedule reboot at hh:mm ...
Description: Optional
Table 4-5 Specify the APP to be used at reboot
Operation: Specify the APP to be used at reboot
Command: boot boot-loader [ backup-attribute ] { file-url | device-name }
Description: Required
Upgrading the Boot ROM
You can use the Boot ROM program saved in the Flash memory of the switch to upgrade the running Boot ROM.
EtherNet Transceiver 10G Ethernet Package) interfaces
For the pluggable transceivers supported by the Switch 4210, refer to the 3Com Switch 4210 Family Getting Started Guide.
Identifying pluggable transceivers
As pluggable transceivers are of various types and come from different vendors, you can perform the...
Diagnosing pluggable transceivers
The system outputs alarm information to help you diagnose and troubleshoot faults of pluggable transceivers. Optical transceivers customized by H3C also support the digital diagnosis function, which enables a transceiver to monitor its main parameters, such as temperature, voltage, laser bias current, TX power, and RX power.
Remote Switch APP Upgrade Configuration Example
Network requirements
Telnet to the switch from a PC remotely and download applications from the FTP server to the Flash memory of the switch. Update the switch software by using the device management commands through the CLI.
If the Flash memory of the switch is insufficient, delete the original applications before downloading the new ones. Initiate an FTP connection with the following command in user view, and enter the correct user name and password to log into the FTP server.
<Sysname>...
This command will reboot the device. Current configuration may be lost in next startup if you continue. Continue? [Y/N] y
This will reboot device. Continue? [Y/N] y...
Scheduled Task Configuration
What Is a Scheduled Task
A scheduled task defines a command or a group of commands and the time at which they are to be executed. It allows a device to execute the specified commands at a time when no one is available to maintain the device.
To do…: Display information about a scheduled task
Use the command…: display job [ job-name ]
Description: Available in any view
To do…: Specify the time delay to execute the commands in the task
Follow these steps to configure a scheduled task:
To do…...
Configuration procedure
<Switch> system-view
# Create scheduled task phone1, and enter scheduled task view.
[Switch] job phone1
# Configure the view in which the specified command is to be executed as Ethernet interface view.
[Switch-job-phone1] view Ethernet1/0/2
# Configure the scheduled task so that PoE is enabled on the switch at 8 AM from Monday to Friday.
Table of Contents 1 VLAN-VPN Configuration··························································································································1-1 VLAN-VPN Overview ······························································································································1-1 Introduction to VLAN-VPN···············································································································1-1 Implementation of VLAN-VPN·········································································································1-2 VLAN-VPN Configuration························································································································1-2 Enabling the VLAN-VPN Feature for a Port ····················································································1-2 Displaying and Maintaining VLAN-VPN Configuration ···········································································1-2 VLAN-VPN Configuration Example·········································································································1-2 Transmitting User Packets through a Tunnel in the Public Network by Using VLAN-VPN·············1-2...
VLAN-VPN Configuration
When configuring VLAN-VPN, go to these sections for information you are interested in:
VLAN-VPN Overview
VLAN-VPN Configuration
Displaying and Maintaining VLAN-VPN Configuration
VLAN-VPN Configuration Example
VLAN-VPN Overview
Introduction to VLAN-VPN
Virtual private network (VPN) is a new technology that emerged with the expansion of the Internet. It can be used to establish private networks over the public network.
Implementation of VLAN-VPN
With the VLAN-VPN feature enabled, no matter whether or not a received packet already carries a VLAN tag, the switch tags the received packet with the default VLAN tag of the receiving port and adds the source MAC address to the MAC address table of the default VLAN. When a packet reaches a VLAN-VPN-enabled port:
If the packet already carries a VLAN tag, the packet becomes a dual-tagged packet.
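The tag-pushing behaviour described above can be modelled on raw Ethernet frames. The following is an added example and not code from the manual or from 3Com: it builds constructed frames, applies the VLAN-VPN ingress rule (always push the port's default VLAN as the outer 802.1Q tag and learn the source MAC in that VLAN), and parses the resulting tag stack. The `mac_table` dictionary and the function names are assumptions made for the illustration; real hardware keeps the MAC table per VLAN in its own way.

```python
import struct

TPID_8021Q = 0x8100  # EtherType of an IEEE 802.1Q tag

def build_frame(dst, src, ethertype, payload, vids=()):
    """Build an Ethernet frame with zero or more 802.1Q tags (outermost first).
    Each tag carries the VLAN ID in its TCI with priority 0 (constructed test data)."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload

def parse_tags(frame):
    """Return (list of VLAN IDs outermost first, EtherType of the inner payload)."""
    vids, off = [], 12  # tags start right after dst+src MAC
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    return vids, struct.unpack_from("!H", frame, off)[0]

def vlan_vpn_ingress(frame, port_default_vlan, mac_table):
    """Model of a frame arriving on a VLAN-VPN-enabled port (assumed model, see lead-in):
    the port's default VLAN is pushed as the outer tag regardless of any existing tag,
    so an untagged frame becomes single-tagged and a tagged frame becomes dual-tagged.
    The source MAC is learned in the default VLAN, not in the customer VLAN."""
    src_mac = frame[6:12]
    mac_table[(port_default_vlan, src_mac)] = "vlan-vpn-port"
    outer_tag = struct.pack("!HH", TPID_8021Q, port_default_vlan & 0x0FFF)
    return frame[:12] + outer_tag + frame[12:]

# Constructed sample frames: broadcast destination, a made-up source MAC, IPv4 payload.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0000aa000001")
PAYLOAD = b"\x45" + b"\x00" * 19          # minimal IPv4-looking payload
UNTAGGED = build_frame(DST, SRC, 0x0800, PAYLOAD)
TAGGED_100 = build_frame(DST, SRC, 0x0800, PAYLOAD, vids=(100,))

def demo(public_vlan=1040):
    """Run both frames through a VLAN-VPN port whose default VLAN is the public VLAN."""
    table = {}
    out_untagged = vlan_vpn_ingress(UNTAGGED, public_vlan, table)
    out_tagged = vlan_vpn_ingress(TAGGED_100, public_vlan, table)
    return {
        "untagged_in": parse_tags(UNTAGGED),      # ([], 0x0800)
        "untagged_out": parse_tags(out_untagged), # ([1040], 0x0800)
        "tagged_in": parse_tags(TAGGED_100),      # ([100], 0x0800)
        "tagged_out": parse_tags(out_tagged),     # ([1040, 100], 0x0800)
        "learned_vlans": sorted({vlan for vlan, _ in table}),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The inner customer tag (VLAN 100) survives untouched underneath the public tag, which is why the public network only needs to carry VLAN 1040; the same model shows why the MAC table of the public VLAN, not of the customer VLAN, is what grows on a VLAN-VPN port.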
Network diagram
Figure 1-3 Network diagram for VLAN-VPN configuration (Switch A: Eth1/0/11 toward the users, Eth1/0/12 toward the public network; Switch B: Eth1/0/22 toward the public network, Eth1/0/21 toward the servers; user VLANs 100 and 200 on both sides, public VLAN 1040)
Configuration procedure
Configure Switch A.
# Enable the VLAN-VPN feature on Ethernet 1/0/11 of Switch A and tag the packets received on this port with the tag of VLAN 1040 as the outer VLAN tag.
# Set Ethernet 1/0/22 as a trunk port permitting packets of VLAN 1040.
[SwitchB-Ethernet1/0/21] quit
[SwitchB] interface Ethernet 1/0/22
[SwitchB-Ethernet1/0/22] port link-type trunk
[SwitchB-Ethernet1/0/22] port trunk permit vlan 1040
Do not configure VLAN 1040 as the default VLAN of Ethernet 1/0/12 of Switch A or Ethernet 1/0/22 of Switch B.
Table of Contents
1 Remote-ping Configuration 1-1
Remote-ping Overview 1-1
Introduction to remote-ping 1-1
Test Types Supported by Remote-ping 1-2
Remote-ping Test Parameters 1-2
Remote-ping Configuration 1-4
Remote-ping Server Configuration 1-4
Remote-ping Client Configuration 1-5
Displaying Remote-ping Configuration 1-22
Remote-ping Configuration Examples 1-22
ICMP Test 1-22
DHCP Test 1-24
FTP Test 1-25
HTTP Test 1-27...
Remote-ping Configuration
When configuring remote-ping, go to these sections for information you are interested in:
Remote-ping Overview
Remote-ping Configuration
Remote-ping Configuration Examples
Remote-ping Overview
Introduction to remote-ping
Remote-ping is a network diagnostic tool. It is used to test the performance of various protocols running in networks.
Test Types Supported by Remote-ping
Table 1-1 Test types supported by remote-ping
Supported test types: ICMP test, DHCP test, FTP test, HTTP test, DNS test, SNMP test
Description: For these types of tests, you need to configure the remote-ping client and the corresponding servers.
Supported test types: Jitter test
Description: These types of tests need the cooperation of the remote-ping...
Test parameter: Test type (test-type)
Description: You can use remote-ping to test a variety of protocols; see Table 1-1 for details. To perform a type of test, you must first create a test group of this type. One test group can be of only one remote-ping test type. If you modify the test type of a test group using the test-type command, the parameter settings, test results, and history records of the original test type are all cleared.
Test parameter: File name for FTP operation (filename)
Description: Name of a file to be transferred between the remote-ping client and the FTP server
Test parameter: Size of a file to be uploaded in an FTP test (filesize)
Description: Size of a file to be uploaded in an FTP test
Jitter test is used to collect statistics about delay jitter in UDP packet transmission...
Note that the remote-ping server function is needed only for jitter, TCP, and UDP tests. You can configure multiple TCP/UDP listening services on one remote-ping server, with each listening service corresponding to a specific destination IP address and port number.
Remote-ping Client Configuration
Remote-ping client configuration
After the remote-ping client is enabled, you can create multiple test groups for different tests, without the...
To do…: Configure the maximum number of history records that can be saved
Use the command…: history-records number
Remarks: Optional. By default, the maximum number is 50.
To do…: Enable history record
Use the command…: history-record enable
Remarks: Optional. By default, history record is not enabled.
To do…: Configure the retaining time of history records
Use the command…: history keep-time keep-time...
Remarks: Optional
In an ICMP test, after you specify a source interface with the source-interface interface-type interface-number command, the TTL value is automatically set to 1 so that only directly connected devices are tested.
Configuring DHCP test on remote-ping client
Follow these steps to configure a DHCP test on the remote-ping client:
To do…...
To do…: Configure test start time and lifetime
Use the command…: test-time begin { hh:mm:ss [ yyyy/mm/dd ] | now } lifetime lifetime
Remarks: Optional. By default, no test start time and lifetime is configured.
To do…: Enable routing table bypass
Use the command…: sendpacket passroute
Remarks: Optional. By default, routing table bypass is...
To do…: Configure the maximum number of history records that can be saved
Use the command…: history-records number
Remarks: Optional. By default, the maximum number is 50.
To do…: Enable history record
Use the command…: history-record enable
Remarks: Optional. By default, history record is not enabled.
To do…: Configure the retaining time of history records
Use the command…: history keep-time keep-time...
Remarks: Optional
To do…: Configure the size of the file to be uploaded in an FTP test
Use the command…: filesize file-size
Remarks: Required. By default, the file is 1 MB.
To do…: Start the test
Use the command…: test-enable
Remarks: Required
To do…: Display test results
Use the command…: display remote-ping results [ admin-name operation-tag ]
Remarks: Required. You can execute the command in any view.
To do…: Configure the maximum number of history records that can be saved
Use the command…: history-records number
Remarks: Optional. By default, the maximum number is 50.
To do…: Enable history record
Use the command…: history-record enable
Remarks: Optional. By default, history record is not enabled.
To do…: Configure the retaining time of history records
Use the command…: history keep-time keep-time...
Remarks: Optional
To do…: Start the test
Use the command…: test-enable
Remarks: Required
To do…: Display test results
Use the command…: display remote-ping results [ admin-name operation-tag ]
Remarks: Required. You can execute the command in any view.
Configuring jitter test on remote-ping client
Follow these steps to configure a jitter test on the remote-ping client:
To do…...
To do…: Configure the packet size
Use the command…: datasize size
Remarks: Optional. By default, the packet size is 68 bytes.
To do…: Configure a stuffing character string
Use the command…: datafill string
Remarks: Optional. By default, the numbers between 0 and 255 are stuffed into datagrams cyclically.
To do…: Configure the number of test packets to be sent in each jitter probe
Use the command…: jitter-packetnum number
Remarks: Optional. By default, each jitter probe sends 10 packets.
To do…: Configure the interval at which test packets are sent in the jitter test
Use the command…: jitter-interval interval
Remarks: Optional. By default, the interval is 20 milliseconds.
To do…: Enable history record
Use the command…: history-record enable
Remarks: Optional. By default, history record is not enabled.
To do…: Configure the retaining time of history records
Use the command…: history keep-time keep-time
Remarks: Optional. By default, the retaining time of history records is 120 minutes.
To do…: Configure statistics interval and...
Remarks: Optional. By default, statistics interval is...
To do…: Enable the remote-ping client function
Use the command…: remote-ping-agent enable
Remarks: Required. By default, the remote-ping client function is disabled.
To do…: Create a remote-ping test group and enter its view
Use the command…: remote-ping administrator-name operation-tag
Remarks: Required. By default, no test group is configured.
Required...
To do…: Configure the statistics interval and the maximum number of statistics records retained
Use the command…: statistics { interval interval | max-group number }
Remarks: Optional. By default, the statistics interval is 120 minutes and up to two pieces of statistics information can be retained.
To do…: Configure the retaining...
Remarks: Optional
To do…: Configure the destination address
Use the command…: destination-ip ip-address
Remarks: Required. This IP address and the one configured on the remote-ping server for the listening service must be the same. By default, no destination address is configured.
Remarks: Required in a Udpprivate test. A Udppublic test is a UDP connection test port...
To do…: Configure the statistics interval and the maximum number of statistics records retained
Use the command…: statistics { interval interval | max-group number }
Remarks: Optional. By default, the statistics interval is 120 minutes and up to two pieces of statistics information can be retained.
To do…: Configure the...
Remarks: Optional
To do…: Configure the test type
Use the command…: test-type dns
Remarks: Required. By default, the test type is ICMP.
To do…: Configure the number of probes per test
Use the command…: count times
Remarks: Optional. By default, one probe is made per test.
To do…: Configure a test description
Use the command…: description string
Remarks: Optional. By default, no description information is configured.
To do…: Configure the type of service
Use the command…: tos value
Remarks: Optional. By default, the service type is zero.
To do…: Configure the domain name to be resolved by DNS
Use the command…: dns resolve-target domainname
Remarks: Required. By default, the domain name to be resolved is not specified.
To do…: Create a remote-ping test group and enter its view
Use the command…: remote-ping administrator-name operation-tag
Remarks: Required. By default, no test group is configured.
To do…: Enable the remote-ping client to send Trap messages
Use the command…: send-trap { all | { probefailure | testcomplete | testfailure }* }
Remarks: Required. By default, Trap sending is disabled.
[Sysname] remote-ping-agent enable
# Create a remote-ping test group, setting the administrator name to administrator and the test tag to icmp.
[Sysname] remote-ping administrator icmp
# Configure the test type as icmp.
[Sysname-remote-ping-administrator-icmp] test-type icmp
# Configure the destination IP address as 10.2.2.2.
[Sysname-remote-ping-administrator-icmp] destination-ip 10.2.2.2
# Configure 10 probes per test.
DHCP Test
Network requirements
Both the remote-ping client and the DHCP server are switches. Perform a remote-ping DHCP test between the two switches to test the time required for the remote-ping client to obtain an IP address from the DHCP server.
Network diagram
Figure 1-3 Network diagram for the DHCP test
Configuration procedure...
Square-Sum of Round Trip Time: 10465630
Last complete test time: 2000-4-3 9:51:30.9
Extend result:
SD Maximal delay: 0
DS Maximal delay: 0
Packet lost in test: 0%
Disconnect operation number: 0
Operation timeout number: 0
System busy operation number: 0
Connection fail number: 0
Operation sequence errors: 0
Drop operation number: 0...
Network diagram
Figure 1-4 Network diagram for the FTP test
Configuration procedure
Configure FTP Server (Switch B):
Configure the FTP server on Switch B. For the specific configuration of the FTP server, refer to the FTP-SFTP-TFTP part of the manual.
Configure remote-ping Client (Switch A):
# Enable the remote-ping client.
[Sysname-remote-ping-administrator-ftp] display remote-ping results administrator ftp
remote-ping entry(admin administrator, tag ftp) test result:
Destination ip address:10.2.2.2
Send operation times: 10
Receive response times: 10
Min/Max/Average Round Trip Time: 3245/15891/12157
Square-Sum of Round Trip Time: 1644458573
Last complete test time: 2000-4-3 4:0:34.6
Extend result:
SD Maximal delay: 0
DS Maximal delay: 0...
Network diagram
Figure 1-5 Network diagram for the HTTP test
Configuration procedure
Configure HTTP Server:
Use Windows 2003 Server as the HTTP server. For HTTP server configuration, refer to the related instructions on Windows 2003 Server configuration.
Configure remote-ping Client (Switch A):
# Enable the remote-ping client.
System busy operation number: 0
Connection fail number: 0
Operation sequence errors: 0
Drop operation number: 0
Other operation errors: 0
Http result:
DNS Resolve Time: 0
HTTP Operation Time: 675
DNS Resolve Min Time: 0
HTTP Test Total Time: 748
DNS Resolve Max Time: 0
HTTP Transmission Successful Times: 10
DNS Resolve Failed Times: 0...
Network diagram
Figure 1-6 Network diagram for the Jitter test
Configuration procedure
Configure Remote-ping Server (Switch B):
# Enable the remote-ping server and configure the IP address and port to listen on.
<Sysname> system-view
[Sysname] remote-ping-server enable
[Sysname] remote-ping-server udpecho 10.2.2.2 9000
Configure Remote-ping Client (Switch A):
# Enable the remote-ping client.
Last complete test time: 2000-4-2 8:14:58.2
Extend result:
SD Maximal delay: 10
DS Maximal delay: 10
Packet lost in test: 0%
Disconnect operation number: 0
Operation timeout number: 0
System busy operation number: 0
Connection fail number: 0
Operation sequence errors: 0
Drop operation number: 0
Other operation errors: 0
Jitter result:...
Network diagram
Figure 1-7 Network diagram for the SNMP test
Configuration procedure
Configure SNMP Agent (Switch B):
# Start the SNMP agent, set the SNMP version to V2C, the read-only community name to public, and the read-write community name to private.
<Sysname> system-view
[Sysname] snmp-agent
[Sysname] snmp-agent sys-info version v2c
[Sysname] snmp-agent community read public...
# Start the test.
[Sysname-remote-ping-administrator-snmp] test-enable
# Display test results.
[Sysname-remote-ping-administrator-snmp] display remote-ping results administrator snmp
remote-ping entry(admin administrator, tag snmp) test result:
Destination ip address:10.2.2.2
Send operation times: 10
Receive response times: 10
Min/Max/Average Round Trip Time: 9/11/10
Square-Sum of Round Trip Time: 983
Last complete test time: 2000-4-3 8:57:20.0
Extend result:
SD Maximal delay: 0...
Configuration procedure
Configure Remote-ping Server (Switch B):
# Enable the remote-ping server and configure the IP address and port to listen on.
<Sysname> system-view
[Sysname] remote-ping-server enable
[Sysname] remote-ping-server tcpconnect 10.2.2.2 8000
Configure Remote-ping Client (Switch A):
# Enable the remote-ping client.
<Sysname>...
[Sysname-remote-ping-administrator-tcpprivate] display remote-ping history administrator tcpprivate
remote-ping entry(admin administrator, tag tcpprivate) history record:
Index Response Status LastRC Time
2000-04-02 08:26:02.9
2000-04-02 08:26:02.8
2000-04-02 08:26:02.8
2000-04-02 08:26:02.7
2000-04-02 08:26:02.7
2000-04-02 08:26:02.6
2000-04-02 08:26:02.6
2000-04-02 08:26:02.5
2000-04-02 08:26:02.5
2000-04-02 08:26:02.4
For a detailed description of the output, see the corresponding command manual.
UDP Test (Udpprivate Test) on the Specified Ports
Network requirements
Both the remote-ping client and the remote-ping server are switches.
[Sysname-remote-ping-administrator-udpprivate] test-type udpprivate
# Configure the IP address of the remote-ping server as 10.2.2.2.
[Sysname-remote-ping-administrator-udpprivate] destination-ip 10.2.2.2
# Configure the destination port on the remote-ping server.
[Sysname-remote-ping-administrator-udpprivate] destination-port 8000
# Configure 10 probes per test.
[Sysname-remote-ping-administrator-udpprivate] count 10
# Set the probe timeout time to 5 seconds.
DNS Test
Network requirements
A switch serves as the remote-ping client, and a PC serves as the DNS server. Perform a remote-ping DNS test between the switch and the DNS server to measure the time from when the client sends a DNS request until it receives a resolution result from the DNS server.
Min/Max/Average Round Trip Time: 6/10/8
Square-Sum of Round Trip Time: 756
Last complete test time: 2006-11-28 11:50:40.9
Extend result:
SD Maximal delay: 0
DS Maximal delay: 0
Packet lost in test: 0%
Disconnect operation number: 0
Operation timeout number: 0
System busy operation number: 0
Connection fail number: 0
Operation sequence errors: 0...
Table of Contents 1 IPv6 Configuration·····································································································································1-1 IPv6 Overview ·········································································································································1-1 IPv6 Features ··································································································································1-1 Introduction to IPv6 Address ···········································································································1-3 Introduction to IPv6 Neighbor Discovery Protocol···········································································1-5 Introduction to IPv6 DNS ·················································································································1-8 Protocols and Standards ·················································································································1-8 IPv6 Configuration Task List ···················································································································1-8 Configuring an IPv6 Unicast Address······························································································1-9 Configuring IPv6 NDP ···················································································································1-10 Configuring a Static IPv6 Route ····································································································1-12 Configuring IPv6 TCP Properties ··································································································1-12...
IPv6 Configuration
3Com Switch 4210 Family switches support IPv6 management features, but do not support IPv6 forwarding and related features. The term “router” in this document refers to a router in the generic sense or an Ethernet switch running a routing protocol.
Adequate address space
The source IPv6 address and the destination IPv6 address are both 128 bits (16 bytes) long. IPv6 can provide 3.4 x 10^38 addresses, which fully meets the requirements of hierarchical address division as well as the allocation of public and private addresses.
Hierarchical address structure
IPv6 adopts a hierarchical address structure to speed up route lookup and to reduce the system resources occupied by the IPv6 routing table by means of route aggregation.
Introduction to IPv6 Address
IPv6 addresses
An IPv6 address is represented as a series of 16-bit hexadecimal groups separated by colons. An IPv6 address is divided into eight groups; the 16 bits of each group are represented by four hexadecimal digits, and the groups are separated by colons, for example, 2001:0000:130F:0000:0000:09C0:876A:130B. To simplify the representation of IPv6 addresses, zeros in IPv6 addresses can be handled as follows: Leading zeros in each group can be removed.
The type of an IPv6 address is designated by the format prefix. Table 1-1 lists the mapping between the major address types and format prefixes.
Table 1-1 Mapping between address types and format prefixes
Type: Unassigned address
Format prefix (binary): 00...0 (128 bits)
IPv6 prefix ID: ::/128...
Address: FF05::2
Application: Site-local scope all-routers multicast address
Besides, there is another type of multicast address: the solicited-node address. The solicited-node multicast address is used to acquire the link-layer addresses of neighbor nodes on the same link and is also used for duplicate address detection. Each IPv6 unicast or anycast address has one corresponding solicited-node address.
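The zero-compression rules introduced under "IPv6 addresses" and the one-to-one mapping from a unicast address to its solicited-node multicast address can both be worked through in code. The following is an added example, not code from the manual or from 3Com. It goes slightly beyond the text: the compressor applies the RFC 5952 canonical form (lowercase digits, "::" replaces only the longest run of two or more zero groups, leftmost on a tie), and `solicited_node` uses the RFC 4291 construction FF02::1:FFxx:xxxx from the low 24 bits of the unicast address, which the manual states exists but does not spell out. The function names are the example's own.

```python
def expand_ipv6(addr):
    """Expand textual IPv6 (with optional '::') into a list of eight 16-bit integers.
    Raises ValueError on more than one '::', wrong group count, or out-of-range groups."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has exactly eight 16-bit groups")
    values = [int(g, 16) for g in groups]          # int() rejects empty/non-hex groups
    if any(v < 0 or v > 0xFFFF for v in values):
        raise ValueError("each group is 16 bits")
    return values

def compress_ipv6(groups):
    """Canonical RFC 5952 text for eight 16-bit groups: leading zeros dropped from every
    group, the longest run of >= 2 zero groups (leftmost on a tie) written as '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:               # strict '>' keeps the leftmost run on a tie
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [format(g, "x") for g in groups]
    if best_len >= 2:
        left = ":".join(hexs[:best_start])
        right = ":".join(hexs[best_start + best_len:])
        return left + "::" + right
    return ":".join(hexs)

def solicited_node(groups):
    """Solicited-node multicast group for a unicast/anycast address (RFC 4291):
    FF02:0:0:0:0:1:FF00::/104 plus the low-order 24 bits of the address.
    Every address that shares its low 24 bits shares this group, which is why it
    also serves duplicate address detection (NS sent to this group with source ::)."""
    low24 = ((groups[6] & 0xFF) << 16) | groups[7]
    return [0xFF02, 0, 0, 0, 0, 1, 0xFF00 | (low24 >> 16), low24 & 0xFFFF]

def canonical(addr):
    """Round-trip helper: any valid spelling -> canonical compressed text."""
    return compress_ipv6(expand_ipv6(addr))

if __name__ == "__main__":
    # Sample from the manual's text and from its ping example.
    for a in ("2001:0000:130F:0000:0000:09C0:876A:130B", "FE80::2E0:FCFF:FE00:2006", "::"):
        g = expand_ipv6(a)
        print(a, "->", compress_ipv6(g), "solicited-node:", compress_ipv6(solicited_node(g)))
```

Because the solicited-node group depends only on the last 24 bits, the duplicate address detection described later in this part reaches exactly the nodes that could hold a conflicting address, without a full link broadcast; the compressor also explains why "2001:0:130f::9c0:876a:130b" and the fully written form above denote the same address.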
3Com Switch 4210 Family switches do not support RS, RA, or Redirect messages. Of the IPv6 NDP functions mentioned above, 3Com Switch 4210 Family switches support the following three: address resolution, neighbor unreachability detection, and duplicate address detection.
Figure 1-3 Address resolution
The address resolution procedure is as follows:
Node A multicasts an NS message. The source address of the NS message is the IPv6 address of the interface of node A, and the destination address is the solicited-node multicast address of node B.
Node A sends an NS message whose source address is the unassigned address :: and the destination address is the corresponding solicited-node multicast address of the IPv6 address to be detected. The NS message also contains the IPv6 address. If node B uses this IPv6 address, node B returns an NA message. The NA message contains the IPv6 address of node B.
Task: Configuring IPv6 TCP Properties (Optional)
Task: Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time (Optional)
Task: Configuring the Hop Limit of ICMPv6 Reply Packets (Optional)
Task: Configuring IPv6 DNS (Optional)
Task: Displaying and Maintaining IPv6 (Optional)
Configuring an IPv6 Unicast Address
An IPv6 address is required for a host to access an IPv6 network.
IPv6 unicast addresses can be configured for only one VLAN interface of a 3Com Switch 4210. Only one global unicast address or one site-local address can be configured for an interface. After an IPv6 site-local address or global unicast address is configured for an interface, a link-local address will be generated automatically.
Table 1-6 Configure a static neighbor entry
To do...: Enter system view
Use the command...: system-view
Remarks: —
To do...: Configure a static neighbor entry
Use the command...: ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number | interface interface-type interface-number }
Remarks: Required
Configure the maximum number of neighbors dynamically learned
The device can dynamically acquire the link-layer address of a neighbor node through NS and NA messages and add it to the neighbor table.
Configure the NS Interval
After a device sends an NS message, if it does not receive a response within a specific period, the device sends another NS message. You can configure the interval for sending NS messages.
Table 1-9 Configure the NS interval
To do…...
finwait timer: When the IPv6 TCP connection status is FIN_WAIT_2, the finwait timer is started. If no packet is received before the finwait timer expires, the IPv6 TCP connection is terminated. If a FIN packet is received, the IPv6 TCP connection status becomes TIME_WAIT. If other packets are received, the finwait timer is restarted from the last received packet, and the connection is terminated after the finwait timer expires.
Table 1-14 Configure the hop limit of ICMPv6 reply packets
To do…: Enter system view
Use the command…: system-view
Remarks: —
To do…: Configure the hop limit of ICMPv6 reply packets
Use the command…: ipv6 nd hop-limit value
Remarks: Optional. 64 by default.
Configuring IPv6 DNS
Configure a static host name to IPv6 address mapping
You can directly use a host name in telnet applications, and the system resolves the host name into an IPv6 address.
The dns resolve and dns domain commands are the same as those of IPv4 DNS. For details about the commands, refer to DNS.

Displaying and Maintaining IPv6
Table 1-17 Display and maintain IPv6
  Display DNS domain name suffix information
    Command: display dns domain [ dynamic ]
  Display IPv6 dynamic domain name...
  Clear IPv6 neighbor information
    Command: reset ipv6 neighbors [ all | dynamic | interface interface-type interface-number | static ]
  Clear the statistics of IPv6 packets
    Command: reset ipv6 statistics
  Clear the statistics of all IPv6 TCP packets
    Command: reset tcp ipv6 statistics
  Clear the statistics of all IPv6 UDP...
# Configure an automatically generated link-local address for the interface Vlan-interface1.
<SwitchB> system-view
[SwitchB] interface Vlan-interface 1
[SwitchB-Vlan-interface1] ipv6 address auto link-local
# Configure a global unicast address for the interface Vlan-interface1.
[SwitchB-Vlan-interface1] ipv6 address 3001::2/64

Verification
# Display the brief IPv6 information of an interface on Switch A.
[SwitchA-Vlan-interface1] display ipv6 interface vlan-interface 1
Vlan-interface1 current state :UP
Line protocol current state :UP
...
When you use the ping ipv6 command to verify the reachability of the destination, you must specify the -i keyword if the destination address is a link-local address. For the operation of IPv6 ping, refer to section "IPv6 Ping".
[SwitchA-Vlan-interface1] ping ipv6 FE80::2E0:FCFF:FE00:2006 -i Vlan-interface 1
PING FE80::2E0:FCFF:FE00:2006 : 56 data bytes, press CTRL_C to break
Reply from FE80::2E0:FCFF:FE00:2006...
IPv6 Application Configuration
Introduction to IPv6 Application
IPv6 supports more and more applications, and most IPv6 applications are the same as their IPv4 counterparts. The applications supported on the 3Com Switch 4210 Family are:
Ping
Traceroute
TFTP
Telnet
IPv6 Application Configuration
IPv6 Ping
The ping ipv6 command is commonly used to test the reachability of a host.
Figure 2-1 Traceroute process (Device A, Device B, Device C, Device D; probes sent with Hop Limit=1, Hop Limit=2, ..., Hop Limit=n; replies: Hop Limit exceeded, Hop Limit exceeded, UDP port unreachable)
As Figure 2-1 shows, the traceroute process is as follows: The source sends an IP datagram with a Hop Limit of 1. If the first-hop device receiving the datagram reads a Hop Limit of 1, it discards the packet and returns an ICMP timeout error message.
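The following model of the traceroute process is an added example and not code from the 3Com manual. The chain of devices in Figure 2-1 is represented as a Python list, each probe carries a Hop Limit, and the reply each device would send is returned as a string. It generalizes the figure to any path length and also covers the case where no destination answers within the probe limit; device names and the 30-hop limit are assumptions.

```python
"""Model of the traceroute process shown in Figure 2-1 (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    is_destination: bool = False


def send_probe(path, hop_limit):
    """Forward one probe along `path`; return (responder, reply).

    A forwarding device decrements the Hop Limit and, if the probe cannot be
    forwarded further (Hop Limit reaches 0), discards it and replies
    'Hop Limit exceeded' (the ICMPv6 time-exceeded message). The destination
    does not forward, so it replies 'UDP port unreachable' because the probe
    targets an unused UDP port. A path with no destination yields no reply.
    """
    for device in path:
        if device.is_destination:
            return device.name, "UDP port unreachable"
        hop_limit -= 1
        if hop_limit == 0:
            return device.name, "Hop Limit exceeded"
    return None, "no reply"


def traceroute(path, max_hops=30):
    """Probe with Hop Limit 1, 2, ... until the destination answers or max_hops is hit.

    Returns a list of (hop_limit, responder, reply) tuples, one per probe.
    """
    hops = []
    for hop_limit in range(1, max_hops + 1):
        responder, reply = send_probe(path, hop_limit)
        hops.append((hop_limit, responder, reply))
        if reply == "UDP port unreachable":
            break
    return hops


# Constructed path matching Figure 2-1: Device A probes towards Device D.
PATH_TO_D = [
    Device("Device B"),
    Device("Device C"),
    Device("Device D", is_destination=True),
]

if __name__ == "__main__":
    for hop in traceroute(PATH_TO_D):
        print(hop)
```

Running it prints one line per probe: Device B answers the Hop Limit=1 probe, Device C the Hop Limit=2 probe, and Device D answers the third with the port-unreachable reply that ends the trace.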
Table 2-3 Download/upload files to TFTP servers
  Download/upload files from TFTP server
    Command: tftp ipv6 remote-system [ -i interface-type interface-number ] { get | put } source-filename [ destination-filename ]
    Remarks: Required. Available in user view.

When you use the tftp ipv6 command to connect to the TFTP server, you must specify the -i...
Display and maintain IPv6 Telnet
Table 2-5 Display and maintain IPv6 Telnet
  Display the use information of the users who have logged in
    Command: display users [ all ]
    Remarks: Available in any view

IPv6 Application Configuration Example
IPv6 Applications
Network requirements
Figure...
bytes=56 Sequence=1 hop limit=64 time = 110 ms
Reply from 3003::1 bytes=56 Sequence=2 hop limit=64 time = 31 ms
Reply from 3003::1 bytes=56 Sequence=3 hop limit=64 time = 31 ms
Reply from 3003::1 bytes=56 Sequence=4 hop limit=64 time = 31 ms
Reply from 3003::1 bytes=56 Sequence=5 hop limit=64 time = 31 ms
...
Solution
Check that the IPv6 addresses are configured correctly.
Use the display ipv6 interface command to verify that the interfaces of the source and the destination, and the link-layer protocol between them, are up.
Use the display ipv6 route-table command to verify that the destination is reachable.
Use the ping ipv6 -t timeout { destination-ipv6-address | hostname } [ -i interface-type interface-number ] command to increase the timeout limit, so as to determine whether the failure is caused by a timeout limit that is too small.
Table of Contents
1 Password Control Configuration Operations  1-1
  Introduction to Password Control Configuration  1-1
  Password Control Configuration  1-3
    Configuration Prerequisites  1-3
    Configuration Tasks  1-3
    Configuring Password Aging  1-3
    Configuring the Limitation of Minimum Password Length  1-5
    Configuring History Password Recording  1-6
    Configuring a User Login Password in Interactive Mode  1-7
    Configuring Login Attempt Times Limitation and Failure Processing Mode  1-7
    Configuring the Password Authentication Timeout Time  1-8
...
Password Control Configuration Operations
Introduction to Password Control Configuration
The password control feature is designed to manage the following passwords:
Telnet passwords: passwords for logging into the switch through Telnet.
SSH passwords: passwords for logging into the switch through SSH.
FTP passwords: passwords for logging into the switch through FTP.
Function / Description / Application
  Password protection (encryption)
    Encrypted display: The switch protects the displayed password. The password is always displayed as a string containing only asterisks (*) in the configuration file or on the user terminal.
    Saving passwords in ciphertext: The switch encrypts and saves the configured passwords in ciphertext in the configuration file.
    Application: All passwords
Password Control Configuration
Configuration Prerequisites
A user PC is connected to the switch to be configured; both devices are operating normally.
Configuration Tasks
The following sections describe the configuration tasks for password control:
Configuring Password Aging
Configuring the Limitation of Minimum Password Length
Configuring History Password Recording
Configuring a User Login Password in Interactive Mode
Configuring Login Attempt Times Limitation and Failure Processing Mode
...
Operation / Command / Description
  Create a local user or enter local user view
    Command: local-user user-name
  Configure a password aging time for the local user
    Command: password-control aging aging-time
    Description: Optional. By default, the aging time is 90 days.

In this section, note the effective range of the same commands when executed in different views or on different types of passwords:
Global settings in system view apply to all local user passwords and super passwords.
You can configure the password aging time when password aging is not yet enabled, but the configured parameters will not take effect.
After the user changes the password successfully, the switch saves the old password in a readable file in the flash memory.
The switch does not provide the alert function for FTP passwords.
In this section, note the effective range of the same commands when executed in different views or on different types of passwords:
Global settings in system view apply to all local user passwords and super passwords.
Settings in local user view apply to the local user password only.
Settings on the parameters of the super passwords apply to super passwords only.
Table 1-5 Manually remove history password records
  Remove history password records of one or all users
    Command: reset password-control history-record [ user-name user-name ]
    Description: Executing this command without the user-name option removes the history password records of all users. Executing this command with the user-name option removes the history password...
lock-time: In this mode, the system inhibits the user from logging in again within a certain time period. After the period, the user is allowed to log into the switch again. By default, this time is 120 minutes.
lock: In this mode, the system inhibits the user from logging in again permanently. The user is allowed to log into the switch again only after the administrator removes the user from the user blacklist.
Table 1-9 Configure the timeout time for users to be authenticated
  Enter system view
    Command: system-view
  Configure the timeout time for users to be authenticated
    Command: password-control authentication-timeout authentication-timeout
    Description: Optional. By default, it is 60 seconds.

Configuring Password Composition Policies
A password can be a combination of characters from the following four categories: uppercase letters A to Z, lowercase letters a to z, digits 0 to 9, and the 32 special characters consisting of the space and ~`!@#$%^&*()_+-={}|[]\:";'<>,./.
Operation / Command / Description
  Configure the password composition policy for the local user
    Command: password-control composition type-number policy-type [ type-length type-length ]
    Description: Optional. By default, the minimum number of types a password should contain is 1 and the minimum number of characters of each type is 1.
For the super password, the minimum number of password composition types is 3 and the minimum number of characters in each composition type is 3.
For a local user named test, the minimum password length is 6 characters, the minimum number of password composition types is 2, the minimum number of characters in each password composition type is 3, and the password aging time is 20 days.
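The checker below is an added example, not the switch's own implementation. It models the composition rules of this section (the four character categories, a minimum number of composition types, a minimum number of characters per type, and a minimum length) so that a candidate password can be checked against the two policies of the configuration example before it is set on the device. The reading of the type rules is an assumption: at least type-number categories must each contribute at least type-length characters. The length limit for the super password is not stated in this excerpt, so that policy leaves it unenforced.

```python
"""Password composition policy checker (added example, not switch code)."""
import string
from dataclasses import dataclass

# The 32 special characters listed in the manual: the space plus
# ~`!@#$%^&*()_+-={}|[]\:";'<>,./
SPECIAL = " ~`!@#$%^&*()_+-={}|[]\\:\";'<>,./"

CATEGORIES = {
    "uppercase": frozenset(string.ascii_uppercase),
    "lowercase": frozenset(string.ascii_lowercase),
    "digit": frozenset(string.digits),
    "special": frozenset(SPECIAL),
}


@dataclass(frozen=True)
class CompositionPolicy:
    """Limits as configured with the password-control commands of this section."""
    min_length: int    # minimum password length; 0 means not enforced
    min_types: int     # minimum number of composition types (type-number)
    min_per_type: int  # minimum characters of each counted type (type-length)


# Policies taken from the configuration example in this section.
# Assumption: no minimum length for the super password is given here, so 0.
SUPER_POLICY = CompositionPolicy(min_length=0, min_types=3, min_per_type=3)
USER_TEST_POLICY = CompositionPolicy(min_length=6, min_types=2, min_per_type=3)


def category_counts(password):
    """Count how many characters of the password fall into each category."""
    return {name: sum(1 for ch in password if ch in chars)
            for name, chars in CATEGORIES.items()}


def check_password(password, policy):
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if policy.min_length and len(password) < policy.min_length:
        problems.append(
            f"length {len(password)} is below the minimum {policy.min_length}")

    allowed = frozenset().union(*CATEGORIES.values())
    unknown = sorted({ch for ch in password if ch not in allowed})
    if unknown:
        problems.append(f"characters outside the four categories: {unknown!r}")

    counts = category_counts(password)
    # Assumed rule: a category counts toward min_types only when it
    # contributes at least min_per_type characters.
    qualifying = [name for name, n in counts.items() if n >= policy.min_per_type]
    if len(qualifying) < policy.min_types:
        problems.append(
            f"only {len(qualifying)} type(s) with at least {policy.min_per_type} "
            f"character(s); policy requires {policy.min_types}")
    return problems


def is_compliant(password, policy):
    return not check_password(password, policy)


if __name__ == "__main__":
    for candidate in ("abcDEF123", "abcdef", "ab1"):
        print(candidate, check_password(candidate, USER_TEST_POLICY))
```

The function returns every violation rather than stopping at the first, which is what an operator wants when deciding how to adjust a password that the switch would reject.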
Table of Contents
1 Smart Link Configuration  1-1
  Smart Link Overview  1-1
    Basic Concepts in Smart Link  1-1
    Operating Mechanism of Smart Link  1-2
  Configuring Smart Link  1-3
    Configuration Tasks  1-3
    Configuring a Smart Link Device  1-3
    Configuring Associated Devices  1-4
    Precautions  1-5
  Displaying and Debugging Smart Link  1-6
  Smart Link Configuration Example  1-6
    Implementing Link Redundancy Backup  1-6
2 Monitor Link Configuration  2-1
...
Smart Link Configuration Smart Link Overview As shown in Figure 1-1, dual-uplink networking is widely applied currently. Usually, spanning tree protocol (STP) is used to implement link redundancy backup in the network. However, STP is not suitable for users with a high demand for convergence time. Smart Link can achieve active/standby link redundancy backup and fast convergence to meet the user demand.
Flush message When a forwarding link fails, the device will switch the traffic to the blocked standby link. The former forwarding entries of each device in the network are no longer suitable for the new topology, so MAC address forwarding entries and ARP entries must be updated throughout the network. In this case, the Smart Link group sends flush messages to notify other devices to refresh MAC address forwarding entries and ARP entries.
When link switching occurs in the Smart Link group, MAC forwarding entries and ARP entries of each device in the network may be out of date. In order to guarantee correct packet transmission, you must enable the Smart Link device to send flush messages to notify the other devices in the network to refresh their own MAC forwarding entries and ARP entries.
Operation / Command / Remarks
  Create a Smart Link group and enter Smart Link group view
    Command: smart-link group group-id
    Remarks: Required
  Enable the function of sending flush messages in the specified control VLAN
    Command: flush enable control-vlan vlan-id
    Remarks: Required. By default, no control VLAN for sending flush messages is specified.
Table 1-4 Enable the specified port to process flush messages received from the specified control VLAN
  Enter system view
    Command: system-view
  Enable the specified port(s) to process flush messages received from the specified control VLAN
    Command (system view): smart-link flush enable control-vlan vlan-id port interface-type interface-number [ to interface-type interface-number ]
    Remarks: Required, use either approach.
...
Network requirements
As shown in Figure 1-3, Switch A is a 3Com Switch 4210. Switch C, Switch D and Switch E support Smart Link. Configure the Smart Link feature to provide remote PCs with reliable access to the server.
Network diagram
...
Configuration procedure
Configure a Smart Link group on Switch A and configure member ports for it. Enable the function of sending flush messages in control VLAN 1.
# Enter system view.
<SwitchA> system-view
# Enter Ethernet port view. Disable STP on Ethernet1/0/1 and Ethernet1/0/2.
[SwitchA] interface Ethernet 1/0/1
[SwitchA-Ethernet1/0/1] stp disable
[SwitchA-Ethernet1/0/1] quit
...
Monitor Link Configuration
Introduction to Monitor Link
Monitor Link is a collaboration scheme introduced to complement Smart Link. It monitors the uplink and improves the backup function of Smart Link. A Monitor Link group consists of an uplink port and one or multiple downlink ports. When the link for the uplink port of a Monitor Link group fails, all the downlink ports in the Monitor Link group are forced down.
How Monitor Link Works
Figure 2-2 Network diagram for a Monitor Link group implementation (labels in figure: Switch E, Switch C, Switch D, Switch A, Switch B; ports Eth1/0/11, Eth1/0/12, Eth1/0/1, Eth1/0/2, Eth1/0/3; one port marked BLOCK)
As shown in Figure 2-2, the devices Switch C and Switch D are connected to the uplink device Switch E. Switch C is configured with a Monitor Link group, where Ethernet1/0/1 is the uplink port, while Ethernet1/0/2 and Ethernet1/0/3 are the downlink ports.
Before configuring a Monitor Link group, you must create a Monitor Link group and configure member ports for it. A Monitor Link group consists of an uplink port and one or multiple downlink ports. The uplink port can be a manually-configured or static LACP link aggregation group, an Ethernet port, or a Smart Link group.
Operation / Command / Remarks
  Configure the specified Ethernet port as the uplink port of the Monitor Link group
    In Monitor Link group view: port interface-type interface-number uplink, then quit
    In Ethernet port view: interface interface-type interface-number, then port monitor-link group group-id uplink

Configuring a Downlink Port
Table 2-4 Configure a downlink port
Operation / Command...
Table 2-5 Display Monitor Link configuration
  Display the information about one or all Monitor Link groups
    Command: display monitor-link group { group-id | all }
    Remarks: You can use the display command in any view.

Monitor Link Configuration Example
Implementing Collaboration Between Smart Link and Monitor Link
Network requirements
As shown in...
[SwitchA-Ethernet1/0/1] stp disable
[SwitchA-Ethernet1/0/1] quit
[SwitchA] interface Ethernet 1/0/2
[SwitchA-Ethernet1/0/2] stp disable
# Return to system view.
[SwitchA-Ethernet1/0/2] quit
# Create Smart Link group 1 and enter Smart Link group view.
[SwitchA] smart-link group 1
# Configure Ethernet1/0/1 as the master port of the Smart Link group and Ethernet1/0/2 as the slave port.
Table of Contents
1 ARP and IP Attack Defense Configuration  1
  ARP Packet Filtering Based on Gateway's Address  1
    Introduction  1
    Configuring ARP Packet Filtering  1
  Configuring the Maximum Number of Dynamic ARP Entries a VLAN Interface Can Learn  2
    Introduction...
ARP and IP Attack Defense Configuration
ARP Packet Filtering Based on Gateway's Address
Introduction
According to the ARP design, after receiving an ARP packet whose target IP address is that of the receiving interface, a device adds the IP-to-MAC mapping of the sender into its ARP mapping table even if it did not request that mapping itself.
To do… / Use the command… / Remarks
  Enter system view
    Command: system-view
  Enter Ethernet port view
    Command: interface interface-type interface-number
  Configure ARP packet filtering based on the gateway's IP address
    Command: arp filter source ip-address
    Remarks: Required. Not configured by default.
  Configure ARP packet filtering based on the gateway's IP and...
    Command: arp filter binding ip-address...
    Remarks: Required
ARP/IP Attack Defense Based on 802.1x Overview ARP attack detection and IP filtering implemented based on DHCP snooping entries can effectively prevent ARP/IP attacks in a network where clients obtain IP addresses dynamically through DHCP. However, if most of the clients are assigned with IP addresses statically, you need to configure an IP static binding for each of such clients, which is a heavy workload and easily causes errors.
Configuring 802.1x-Based ARP/IP Attack Defense
Follow these steps to configure 802.1x-based ARP/IP attack defense:
  Enter system view
    Command: system-view
  Enable using IP-MAC bindings of authenticated 802.1x clients for ARP
    Command: ip source static import dot1x
    Remarks: Required. Disabled by default.
If they are consistent, the packet passes the check and the switch learns the ARP entry.
If they are not consistent, the ARP packet is considered invalid and the corresponding ARP entry is not learned.

Enabling ARP Source MAC Address Consistency Check
To do…...
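The following is an added example, not the switch firmware: it applies the consistency check of this section to raw Ethernet frames. It parses an Ethernet II frame carrying an ARP packet and compares the Ethernet source MAC address with the ARP sender hardware address; that comparison is the assumed meaning of "consistent" here. Frames that pass are learned into a table, frames that fail are rejected and reported, and non-ARP frames are skipped. The MAC and IP addresses at the bottom are constructed sample values.

```python
"""ARP source MAC address consistency check on raw frames (added example)."""
import struct

ETHERTYPE_ARP = 0x0806
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac_str(raw):
    """Render 6 bytes in the xxxx-xxxx-xxxx style used in the manual."""
    hexed = raw.hex()
    return f"{hexed[0:4]}-{hexed[4:8]}-{hexed[8:12]}"


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame):
    """Return the relevant fields of an Ethernet II ARP frame; raise ValueError otherwise."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        raise ValueError("frame too short for Ethernet II header plus ARP packet")
    _dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = ARP_PKT.unpack_from(
        frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    return {"eth_src": eth_src, "oper": oper, "sha": sha, "spa": spa, "tpa": tpa}


def source_mac_consistent(frame):
    """The check itself: Ethernet source MAC must equal the ARP sender MAC."""
    fields = parse_arp_frame(frame)
    return fields["eth_src"] == fields["sha"]


def learn_arp_entries(frames):
    """Apply the check to a batch of frames.

    Returns (learned, rejected): learned maps sender IP to sender MAC for
    frames that passed; rejected lists (sender IP, Ethernet MAC, ARP MAC)
    for frames whose two MAC addresses disagree. Non-ARP frames are skipped.
    """
    learned, rejected = {}, []
    for frame in frames:
        try:
            f = parse_arp_frame(frame)
        except ValueError:
            continue
        if f["eth_src"] == f["sha"]:
            learned[ip_str(f["spa"])] = mac_str(f["sha"])
        else:
            rejected.append((ip_str(f["spa"]), mac_str(f["eth_src"]), mac_str(f["sha"])))
    return learned, rejected


def build_arp_frame(eth_src, sha, spa, tpa, oper=1):
    """Build a broadcast ARP frame from raw fields (used only to construct sample input)."""
    eth = ETH_HDR.pack(b"\xff" * 6, eth_src, ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, oper, sha, spa, b"\x00" * 6, tpa)
    return eth + arp


# Constructed sample traffic: locally administered MACs and private IP addresses.
HOST_MAC = bytes.fromhex("020000000001")
OTHER_MAC = bytes.fromhex("020000000002")
HOST_IP = bytes([192, 168, 1, 10])
GATEWAY_IP = bytes([192, 168, 1, 1])

GOOD_FRAME = build_arp_frame(HOST_MAC, HOST_MAC, HOST_IP, GATEWAY_IP)
# Ethernet source MAC and ARP sender MAC disagree: fails the consistency check.
BAD_FRAME = build_arp_frame(OTHER_MAC, HOST_MAC, HOST_IP, GATEWAY_IP)

if __name__ == "__main__":
    print(learn_arp_entries([GOOD_FRAME, BAD_FRAME, b"\x00" * 20]))
```

The rejected list carries both MAC addresses so that a monitoring job can see which host is sending ARP packets whose body contradicts its frame header.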
# Configure the maximum number of ARP entries that can be learned by VLAN-interface 1 as 500.
[SwitchA-Vlan-interface1] arp max-learning-num 500
[SwitchA-Vlan-interface1] quit

ARP/IP Attack Defense Configuration Example III
Network Requirements
Host A is assigned an IP address statically and has an 802.1x client installed. A CAMS authentication, authorization and accounting server serves as the authentication server.
# Enable 802.1x on Ethernet 1/0/1.
[Switch] interface ethernet1/0/1
[Switch-Ethernet1/0/1] dot1x
# Enable IP filtering based on IP-MAC bindings of authenticated 802.1x clients.
[Switch-Ethernet1/0/1] ip check dot1x enable
...
Table of Contents
1 LLDP Configuration  1-1
  Overview  1-1
    Background  1-1
    Basic Concepts  1-1
    Operating Modes of LLDP  1-5
    How LLDP Works  1-6
    Protocols and Standards  1-6
  LLDP Configuration Task List  1-6
  Performing Basic LLDP Configuration  1-7
    Enabling LLDP  1-7
    Setting LLDP Operating Mode  1-7
    Setting the LLDP Re-Initialization Delay  1-7
    Enabling LLDP Polling  1-8
    Configuring the TLVs to Be Advertised  1-8
...
LLDP Configuration
When configuring LLDP, go to these sections for information you are interested in:
Overview
LLDP Configuration Task List
Performing Basic LLDP Configuration
Configuring CDP Compatibility
Configuring LLDP Trapping
Displaying and Maintaining LLDP
LLDP Configuration Examples
Overview
Background
In a heterogeneous network, it is important that different types of network devices from different vendors can discover one another and exchange configuration for the sake of interoperability and management.
Figure 1-1 Ethernet II-encapsulated LLDP frame format
The fields in the frame are described in Table 1-1:
Table 1-1 Description of the fields in an Ethernet II-encapsulated LLDP frame
  Destination MAC address: The MAC address to which the LLDPDU is advertised. It is fixed to 0x0180-C200-000E, a multicast MAC address.
  Source MAC address: The MAC address of the sending port. If the port does not have a MAC address, the MAC address of the sending bridge is used.
  Type: The SNAP type for the upper layer protocol. It is 0xAAAA-0300-0000-88CC for LLDP.
  VLAN Name: A specific VLAN name on the port
  Protocol Identity: Protocols supported on the port
Currently, 3Com Switch 4210 switches support receiving but not sending protocol identity TLVs.
IEEE 802.3 organizationally specific TLVs
Table 1-5 IEEE 802.3 organizationally specific TLVs
Type...
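The parser below is an added example, not code from the 3Com manual or the switch. It ties together the frame format of Table 1-1 and the TLV tables that follow: it checks the destination MAC 0180-C200-000E, the Ethernet II LLDP ethertype 0x88CC, and then walks the TLV list, where each TLV header is 16 bits holding a 7-bit type and a 9-bit length (these last two values come from IEEE 802.1AB, not from this excerpt). TLV lengths are validated against the buffer because LLDP frames come from neighbors the switch has not authenticated. The sample frame, its MAC address and its system name are constructed.

```python
"""Parser for Ethernet II-encapsulated LLDP frames (added example)."""
import struct

LLDP_MULTICAST = bytes.fromhex("0180c200000e")   # destination MAC from Table 1-1
ETHERTYPE_LLDP = 0x88CC                          # IEEE 802.1AB ethertype (assumed here)
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYSTEM_NAME = 0, 1, 2, 3, 5
CHASSIS_SUBTYPE_MAC = 4     # chassis ID carries a MAC address
PORT_SUBTYPE_IFNAME = 5     # port ID carries an interface name


def mac_str(raw):
    hexed = raw.hex()
    return f"{hexed[0:4]}-{hexed[4:8]}-{hexed[8:12]}"


def build_tlv(tlv_type, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value bytes."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_tlvs(lldpdu):
    """Split an LLDPDU into (type, value) pairs, stopping at End of LLDPDU.

    Every length is checked against the buffer so that a truncated or
    oversized TLV raises instead of reading past the frame.
    """
    tlvs, offset = [], 0
    while offset + 2 <= len(lldpdu):
        (header,) = struct.unpack_from("!H", lldpdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(lldpdu):
            raise ValueError(f"TLV type {tlv_type} length {length} runs past end of LLDPDU")
        tlvs.append((tlv_type, lldpdu[offset:offset + length]))
        offset += length
        if tlv_type == TLV_END:
            break
    return tlvs


def decode_chassis_id(value):
    """Subtype 4 is a MAC address; other subtypes are returned as hex."""
    if len(value) == 7 and value[0] == CHASSIS_SUBTYPE_MAC:
        return mac_str(value[1:])
    return value[1:].hex()


def decode_port_id(value):
    if value[0] == PORT_SUBTYPE_IFNAME:
        return value[1:].decode("ascii", "replace")
    return value[1:].hex()


def parse_lldp_frame(frame):
    """Validate the Ethernet II encapsulation and decode the mandatory TLVs."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet II header")
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    if dst != LLDP_MULTICAST:
        raise ValueError(f"destination {mac_str(dst)} is not the LLDP multicast address")
    if ethertype != ETHERTYPE_LLDP:
        raise ValueError(f"ethertype 0x{ethertype:04x} is not LLDP")
    tlvs = parse_tlvs(frame[14:])
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("Chassis ID, Port ID and TTL must be the first three TLVs")
    chassis, port, ttl = tlvs[0][1], tlvs[1][1], tlvs[2][1]
    if len(ttl) != 2 or not chassis or not port:
        raise ValueError("malformed mandatory TLV")
    info = {
        "source_mac": mac_str(src),
        "chassis_id": decode_chassis_id(chassis),
        "port_id": decode_port_id(port),
        "ttl": struct.unpack("!H", ttl)[0],
        "tlv_count": len(tlvs),
    }
    for tlv_type, value in tlvs[3:]:
        if tlv_type == TLV_SYSTEM_NAME:
            info["system_name"] = value.decode("utf-8", "replace")
    return info


def build_sample_frame():
    """Constructed frame of the kind a neighbor would send to Switch A."""
    src_mac = bytes.fromhex("020000000001")   # locally administered, constructed
    lldpdu = (
        build_tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + src_mac)
        + build_tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + b"Ethernet1/0/1")
        + build_tlv(TLV_TTL, struct.pack("!H", 120))
        + build_tlv(TLV_SYSTEM_NAME, b"SwitchB")
        + build_tlv(TLV_END, b"")
    )
    return LLDP_MULTICAST + src_mac + struct.pack("!H", ETHERTYPE_LLDP) + lldpdu


if __name__ == "__main__":
    print(parse_lldp_frame(build_sample_frame()))
```

Cutting the sample frame short inside the Chassis ID TLV makes parse_lldp_frame raise rather than return partial data, which is the behaviour to keep when the parser is fed captures from an access port.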
LLDP-MED TLVs LLDP-MED TLVs provide multiple advanced applications for voice over IP (VoIP), such as basic configuration, network policy configuration, and address and directory management. LLDP-MED TLVs satisfy the voice device vendors’ requirements for cost effectiveness, ease of deployment, and ease of management.
How LLDP Works Transmitting LLDP frames An LLDP-enabled port operating in TxRx mode or Tx mode sends LLDP frames to its directly connected devices both periodically and when the local configuration changes. To prevent the network from being overwhelmed by LLDP frames at times of frequent local device information change, an interval is introduced between two successive LLDP frames.
Performing Basic LLDP Configuration
Enabling LLDP
To make LLDP take effect on certain ports, you need to enable LLDP both globally and on these ports. Follow these steps to enable LLDP:
  Enter system view
    Command: system-view
...
Enabling LLDP Polling
With LLDP polling enabled, a device checks for local configuration changes periodically. Upon detecting a configuration change, the device sends LLDP frames to inform the neighboring devices of the change. Follow these steps to enable LLDP polling:
To do…...
To do… / Use the command… / Remarks
  Enter Ethernet interface view
    Command: interface interface-type interface-number
    Remarks: Required
  Enable LLDP to advertise management address TLVs and configure the advertised management IP address
    Command: lldp management-address-tlv [ ip-address ]
    Remarks: Optional. By default, the management address is sent through LLDPDUs, and the management address is the main IP address of the...
LLDP-CDP (CDP is short for the Cisco Discovery Protocol) packets use only SNAP encapsulation.
Configuring CDP Compatibility
On a 3Com Switch 4210, only one voice VLAN exists at any given point in time. For detailed information about voice VLAN, refer to Voice VLAN Operation in this manual.
With CDP compatibility enabled, the device can use LLDP to receive and recognize CDP packets from Cisco IP phones and respond with CDP packets carrying the voice VLAN ID of the device for the IP phones to configure the voice VLAN automatically. In this way, voice traffic is confined in the configured voice VLAN and is thus differentiated from other types of traffic.
Follow these steps to configure LLDP trapping:
  Enter system view
    Command: system-view
  Enter Ethernet interface view
    Command: interface interface-type interface-number
    Remarks: Required
  Enable LLDP trap sending
    Command: lldp notification remote-change enable
    Remarks: Required. Disabled by default.
  Quit to system view
    Command: quit
  Set the interval to send LLDP...
    Remarks: Optional
Figure 1-4 Network diagram for basic LLDP configuration (Switch A: Eth1/0/1, Eth1/0/2; Switch B: Eth1/0/1)
Configuration procedure
Configure Switch A.
# Enable LLDP globally.
<SwitchA> system-view
[SwitchA] lldp enable
# Enable LLDP on Ethernet 1/0/1 and Ethernet 1/0/2 (you can skip this step because LLDP is enabled on ports by default), and set the LLDP operating mode to Rx.
Hold multiplier
Reinit delay : 2s
Transmit delay : 2s
Trap interval : 5s
Fast start times
Port 1 [Ethernet1/0/1]:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
Roll time : 0s
Number of neighbors
Number of MED neighbors
Number of CDP neighbors
Number of sent optional TLV...
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
Roll time : 0s
Number of neighbors
Number of MED neighbors
Number of CDP neighbors
Number of sent optional TLV
Number of received unknown TLV
Port 2 [Ethernet1/0/2]:
Port status of LLDP : Enable
Admin status...
<SwitchA> system-view
[SwitchA] vlan 2
[SwitchA-vlan2] quit
# Set the link type of Ethernet 1/0/1 and Ethernet 1/0/2 to trunk and enable voice VLAN on them.
[SwitchA] interface ethernet 1/0/1
[SwitchA-Ethernet1/0/1] port link-type trunk
[SwitchA-Ethernet1/0/1] voice vlan 2 enable
[SwitchA-Ethernet1/0/1] quit
[SwitchA] interface ethernet 1/0/2
[SwitchA-Ethernet1/0/2] port link-type trunk
[SwitchA-Ethernet1/0/2] voice vlan 2 enable
...
Platform : Cisco IP Phone 7960
Duplex : Full
As the sample output shows, Switch A has discovered the IP phones connected to Ethernet 1/0/1 and Ethernet 1/0/2, and has obtained their LLDP device information.
Table of Contents
1 PKI Configuration  1-1
  Introduction to PKI  1-1
    PKI Overview  1-1
    PKI Terms  1-1
    Architecture of PKI  1-2
    Applications of PKI  1-3
    Operation of PKI  1-3
  PKI Configuration Task List  1-4
  Configuring an Entity DN  1-4
  Configuring a PKI Domain  1-6
  Submitting a PKI Certificate Request  1-7
    Submitting a Certificate Request in Auto Mode  1-7
    Submitting a Certificate Request in Manual Mode  1-8
...
PKI Configuration
When configuring PKI, go to these sections for information you are interested in:
Introduction to PKI
PKI Configuration Task List
Displaying and Maintaining PKI
PKI Configuration Examples
Troubleshooting PKI
Introduction to PKI
This section covers these topics:
PKI Overview
PKI Terms
Architecture of PKI
Applications of PKI
...
Where CAs are trusted by different users in a PKI system, the CAs form a CA tree with the root CA at the top level. The root CA has a CA certificate signed by itself, while each lower-level CA has a CA certificate signed by the CA at the next higher level.
A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs. A registration authority (RA) is an extended part of a CA or an independent authority. An RA can implement functions including identity authentication, CRL management, key pair generation and key pair backup.
The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA. The CA verifies the digital signature, approves the application, and issues a certificate. The RA receives the certificate from the CA, sends it to the LDAP server to provide directory navigation service, and notifies the entity that the certificate is successfully issued.
The configuration of an entity DN must comply with the CA certificate issue policy. You need to determine, for example, which entity DN parameters are mandatory and which are optional. Otherwise, the certificate request may be rejected. Follow these steps to configure an entity DN:
To do…...
Configuring a PKI Domain
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other applications like SSL, and has only local significance. A PKI domain is defined by these parameters:
Trusted CA: An entity requests a certificate from a trusted CA.
To do… / Use the command… / Remarks
  Specify the entity for certificate request
    Command: certificate request entity entity-name
    Remarks: Required. No entity is specified by default. The specified entity must exist.
  Specify the authority for certificate request
    Command: certificate request from { ca | ra }
    Remarks: Required. No authority is specified by default.
Follow these steps to configure an entity to submit a certificate request in auto mode:
  Enter system view
    Command: system-view
  Enter PKI domain view
    Command: pki domain domain-name
  Set the certificate request mode to auto
    Command: certificate request mode auto [ key-length key-length | password { cipher | simple }...
    Remarks: Required
If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then issue the public-key local create command. A newly created key pair will overwrite the existing one.
If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This is in order to avoid inconsistency between the certificate and registration information due to related configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and local certificate first.
To do… / Use the command… / Remarks
Enter PKI domain view
    Command: pki domain domain-name
    Remarks: —
Disable CRL checking
    Command: crl check disable
    Remarks: Required. Enabled by default.
Return to system view
    Command: quit
    Remarks: —
Retrieve the CA certificate
    Command: Refer to Retrieving a Certificate Manually
    Remarks: Required
Verify the validity of the certificate
    Command: pki validate-certificate { ca |...
Configuring an Access Control Policy
By configuring a certificate attribute-based access control policy, you can further control access to the server, providing additional security for the server. Follow these steps to configure a certificate attribute-based access control policy: To do… Use the command…...
PKI Configuration Examples
The SCEP plug-in is required when you use the Windows Server as the CA. In this case, when configuring the PKI domain, you need to use the certificate request from ra command to specify that the entity requests a certificate from an RA. The SCEP plug-in is not required when RSA Keon is used.
After configuring the basic attributes, you need to perform configuration on the jurisdiction configuration page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting. # Configure the CRL distribution behavior.
Apply for certificates
# Retrieve the CA certificate and save it locally.
[Switch] pki retrieval-certificate ca domain torsa
Retrieving CA/RA certificates. Please wait a while..
The trusted CA's finger print is:
fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB
SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
Is the finger print correct?(Y/N):y
Saving CA/RA certificates chain, please wait a moment..
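The prompt above is the only point at which the switch lets the administrator check that the CA certificate it just downloaded is the genuine one: the fingerprint printed must be compared with a value obtained from the CA through a separate channel before answering y. The following Python script is an added example, not code from the guide or from 3Com; it parses the two fingerprint lines exactly as printed, computes the same digests over a DER-encoded certificate, and compares them in constant time. It assumes the unlabelled 16-byte fingerprint is MD5 (the guide does not name the algorithm; the length is what suggests it), and the DER bytes it hashes are a constructed stand-in, not a real certificate.

```python
import hashlib
import hmac
import re

# Fingerprint lines copied from the switch output shown in the guide.
SWITCH_OUTPUT = """\
fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB
SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
"""

# The unlabelled line is 16 bytes, the MD5 digest size; treating it as MD5 is
# an assumption, because the guide does not name the algorithm.
ALGO_BY_DIGEST_LEN = {16: "md5", 20: "sha1"}

FINGERPRINT_RE = re.compile(
    r"^(?:SHA1\s+)?fingerprint:\s*([0-9A-Fa-f]+(?:\s+[0-9A-Fa-f]+)*)$")


def parse_fingerprints(text: str) -> dict:
    """Map algorithm name to raw digest bytes for each fingerprint line."""
    found = {}
    for line in text.splitlines():
        m = FINGERPRINT_RE.match(line.strip())
        if not m:
            continue
        digest = bytes.fromhex(m.group(1).replace(" ", ""))
        algo = ALGO_BY_DIGEST_LEN.get(len(digest))
        if algo is None:
            raise ValueError(f"unrecognised digest length {len(digest)}")
        found[algo] = digest
    return found


def format_fingerprint(digest: bytes) -> str:
    """Render a digest in the switch's style: upper-case hex in groups of four."""
    h = digest.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def certificate_fingerprints(der: bytes) -> dict:
    """Digests of a DER-encoded CA certificate obtained through another channel."""
    return {"md5": hashlib.md5(der).digest(), "sha1": hashlib.sha1(der).digest()}


def fingerprints_match(printed: dict, der: bytes) -> bool:
    """True only if every printed digest equals the one computed from der.

    The SHA-1 line must be present (an MD5 fingerprint alone is too weak to
    rely on) and the comparison is constant-time.
    """
    if "sha1" not in printed:
        return False
    computed = certificate_fingerprints(der)
    return all(hmac.compare_digest(printed[algo], computed[algo])
               for algo in printed)


# Constructed stand-in for a DER certificate; it is not a real certificate,
# only its digests matter for the demonstration.
EXAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


if __name__ == "__main__":
    printed = parse_fingerprints(SWITCH_OUTPUT)
    for algo, digest in printed.items():
        print(algo, format_fingerprint(digest))
    print("matches EXAMPLE_DER:", fingerprints_match(printed, EXAMPLE_DER))
```

The script deliberately refuses to report a match when only the MD5 line could be parsed; the answer to the Is the finger print correct? prompt should be based on the SHA-1 value.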
Configuration procedure
Configure the CA server
Install the certificate server suites: From the start menu, select Control Panel > Add or Remove Programs, and then select Add/Remove Windows Components > Certificate Services and click Next to begin the installation.
Install the SCEP plug-in: As a CA server running Windows 2003 Server does not support SCEP by default, you need to install the SCEP plug-in so that the Switch can register and obtain its certificate automatically.
# Specify the entity for certificate request as aaa.
[Switch-pki-domain-torsa] certificate request entity aaa
Generate a local key pair using RSA
[Switch] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It may take a few minutes.
The network connection is not proper. For example, the network cable may be damaged or loose.
No trusted CA is specified.
The URL of the registration server for certificate request is not correct or not configured.
No authority is specified for certificate request.
The system clock of the device is not synchronized with that of the CA.
The CRL distribution URL is not configured.
The LDAP server version is wrong.
Solution
Make sure that the network connection is physically proper.
Retrieve a CA certificate.
Specify the IP address of the LDAP server.
Specify the CRL distribution URL.
Re-configure the LDAP version.
Table of Contents
1 SSL Configuration 1-1
SSL Overview 1-1
SSL Security Mechanism 1-1
SSL Protocol Stack 1-2
SSL Configuration Task List 1-2
Configuring an SSL Server Policy 1-2
Configuration Prerequisites 1-3
Configuration Procedure 1-3
SSL Server Policy Configuration Example 1-4
Configuring an SSL Client Policy 1-6
Configuration Prerequisites 1-6
Configuration Procedure 1-6
Displaying and Maintaining SSL 1-7...
SSL Configuration
When configuring SSL, go to these sections for information you are interested in:
SSL Overview
SSL Configuration Task List
Displaying and Maintaining SSL
Troubleshooting SSL
SSL Overview
Secure Sockets Layer (SSL) is a security protocol that provides a secure connection service for TCP-based application layer protocols such as HTTP.
SSL Protocol Stack
As shown in Figure 1-2, the SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer.
Figure 1-2 SSL protocol stack
SSL handshake protocol: As a very important part of the SSL protocol stack, it is responsible for negotiating the cipher suite to be used during communication (including the symmetric encryption...
Configuration Prerequisites
When configuring an SSL server policy, you need to specify the PKI domain to be used for obtaining the server side certificate. Therefore, before configuring an SSL server policy, you must configure a PKI domain.
Configuration Procedure
Follow these steps to configure an SSL server policy: To do...
If you enable client authentication here, you must request a local certificate for the client. Currently, SSL mainly comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0, where TLS 1.0 corresponds to SSL 3.1. When the device acts as an SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and can identify Hello packets from clients running SSL 2.0.
[Switch-pki-entity-en] quit
# Create a PKI domain and configure it.
[Switch] pki domain 1
[Switch-pki-domain-1] ca identifier ca1
[Switch-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[Switch-pki-domain-1] certificate request from ra
[Switch-pki-domain-1] certificate request entity en
[Switch-pki-domain-1] quit
# Create the local RSA key pairs.
[Switch] public-key local create rsa
# Retrieve the CA certificate.
# Configure the system to strip the domain name off a user name before transmitting the user name to the RADIUS server.
[Sysname-radius-radius1] user-name-format without-domain
[Sysname-radius-radius1] quit
# Create ISP domain aabbcc.net for Web authentication users and enter the domain view.
[Sysname] domain aabbcc.net
# Configure domain aabbcc.net as the default user domain.
To do… / Use the command… / Remarks
Specify the preferred cipher suite for the SSL client policy
    Command: prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }
    Remarks: Optional. rsa_rc4_128_md5 by default.
Specify the SSL protocol version for the SSL client policy
    Command: version { ssl3.0 | tls1.0 }
    Remarks: Optional. TLS 1.0 by default.
If you enable client authentication on the server, you must request a local certificate for the client.
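The version and cipher-suite rules of the SSL overview and of the client policy table above (SSL 3.0 or TLS 1.0 only, SSL 2.0 Hello packets recognised, a preferred suite chosen from the prefer-cipher list) can be made concrete by parsing a ClientHello and running the selection. The Python below is an added example written for this guide, not 3Com code and not the switch's implementation: it parses both the SSL 3.0/TLS record form of ClientHello and the SSL 2.0 CLIENT-HELLO form, then emulates a server policy choosing the version and suite. The mapping of the guide's prefer-cipher names to TLS cipher-suite code points is taken from the IANA registry, the server-side decision rules (reject anything below SSL 3.0, negotiate the lower of the client and policy versions, prefer-cipher wins when offered) are assumptions, and the hello builders only produce constructed test input.

```python
import struct

# prefer-cipher names from the guide mapped to TLS cipher-suite code points.
# The mapping is my assumption, taken from the IANA TLS Cipher Suite registry.
CIPHER_IDS = {
    "rsa_rc4_128_md5":      0x0004,  # TLS_RSA_WITH_RC4_128_MD5
    "rsa_rc4_128_sha":      0x0005,  # TLS_RSA_WITH_RC4_128_SHA
    "rsa_des_cbc_sha":      0x0009,  # TLS_RSA_WITH_DES_CBC_SHA
    "rsa_3des_ede_cbc_sha": 0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    "rsa_aes_128_cbc_sha":  0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    "rsa_aes_256_cbc_sha":  0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
}
CIPHER_NAMES = {v: k for k, v in CIPHER_IDS.items()}
VERSIONS = {"ssl3.0": (3, 0), "tls1.0": (3, 1)}   # the guide's version keywords


def parse_client_hello(data: bytes) -> dict:
    """Return hello format, client version and offered cipher suites.

    Accepts the SSL 3.0/TLS record format and the SSL 2.0 CLIENT-HELLO format,
    which older clients still send even when they support 3.x (the version
    field then announces (3, x)).
    """
    if data[0] & 0x80:
        # SSL 2.0 record: 2-byte length with the high bit set, no content type.
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if body[0] != 0x01:
            raise ValueError("SSL 2.0 record is not a CLIENT-HELLO")
        version = (body[1], body[2])
        cs_len, sid_len, ch_len = struct.unpack("!HHH", body[3:9])
        specs = body[9:9 + cs_len]
        # SSL 2.0 cipher specs are 3 bytes; a leading 0x00 byte marks a suite
        # that is also a 2-byte SSL 3.0/TLS suite.
        ciphers = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
        return {"format": "sslv2", "version": version, "ciphers": ciphers}

    if data[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    version = (body[0], body[1])
    pos = 2 + 32                       # client_version + random
    pos += 1 + body[pos]               # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[pos + i:pos + i + 2])[0]
               for i in range(0, cs_len, 2)]
    return {"format": "sslv3", "version": version, "ciphers": ciphers}


def negotiate(hello: dict, version: str = "tls1.0",
              prefer_cipher: str = "rsa_rc4_128_md5") -> dict:
    """Emulate a server policy choosing protocol version and cipher suite (assumed rules)."""
    if hello["version"] < (3, 0):
        return {"accept": False, "reason": "client only speaks SSL 2.0"}
    chosen_version = min(hello["version"], VERSIONS[version])
    offered = []
    for c in hello["ciphers"]:
        if hello["format"] == "sslv2":
            if c >> 16 != 0:           # pure SSL 2.0 cipher spec, not usable
                continue
            c &= 0xFFFF
        offered.append(c)
    preferred = CIPHER_IDS[prefer_cipher]
    if preferred in offered:
        suite = preferred
    else:
        suite = next((c for c in offered if c in CIPHER_NAMES), None)
    if suite is None:
        return {"accept": False, "reason": "no common cipher suite"}
    return {"accept": True, "version": chosen_version, "cipher": CIPHER_NAMES[suite]}


def build_client_hello(version: tuple, ciphers: list) -> bytes:
    """Construct an SSL 3.0/TLS 1.0 ClientHello record (constructed test input)."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"      # version, random, no session id
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                   # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs


def build_sslv2_hello(version: tuple, ciphers: list) -> bytes:
    """Construct an SSL 2.0-format CLIENT-HELLO (constructed test input)."""
    specs = b"".join(c.to_bytes(3, "big") for c in ciphers)
    challenge = b"\x00" * 16
    body = (b"\x01" + bytes(version)
            + struct.pack("!HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    hello = parse_client_hello(build_client_hello((3, 1), [0x002F, 0x0004]))
    print(hello, negotiate(hello))
    old = parse_client_hello(build_sslv2_hello((2, 0), [0x010080]))
    print(old, negotiate(old))
```

The SSL 2.0 branch is what lets the server identify a 2.0-format hello: a client that only supports SSL 2.0 announces version (2, 0) and is refused, while a client that merely wraps a 3.x hello in the old format is negotiated normally.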
If the SSL server is configured to authenticate the client, but the certificate of the SSL client does not exist or cannot be trusted, request and install a certificate for the client. You can use the display ssl server-policy command to view the cipher suite used by the SSL server policy.
Table of Contents
1 HTTPS Configuration 1-1
HTTPS Overview 1-1
HTTPS Configuration Task List 1-1
Associating the HTTPS Service with an SSL Server Policy 1-2
Enabling the HTTPS Service 1-2
Associating the HTTPS Service with a Certificate Attribute Access Control Policy 1-3
Associating the HTTPS Service with an ACL 1-3
Displaying and Maintaining HTTPS 1-3
HTTPS Configuration Example 1-4...
HTTPS Configuration
When configuring HTTPS, go to these sections for information you are interested in:
HTTPS Overview
HTTPS Configuration Task List
Associating the HTTPS Service with an SSL Server Policy
Enabling the HTTPS Service
Associating the HTTPS Service with a Certificate Attribute Access Control Policy
Associating the HTTPS Service with an ACL
Displaying and Maintaining HTTPS
HTTPS Configuration Example...
Associating the HTTPS Service with an SSL Server Policy
You need to associate the HTTPS service with an existing SSL server policy before enabling the HTTPS service. Follow these steps to associate the HTTPS service with an SSL server policy: To do…...
Associating the HTTPS Service with a Certificate Attribute Access Control Policy
Associating the HTTPS service with a configured certificate attribute access control policy lets you control the access rights of clients based on the attributes of their certificates, providing the device with enhanced security. Follow these steps to associate the HTTPS service with a certificate attribute access control policy: To do…...
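Both the PKI section on configuring an access control policy and the HTTPS association above describe a certificate attribute-based policy without showing how one is evaluated. The Python below is an added example, not code from the guide or from 3Com, and it does not reproduce the switch's command syntax: it models a policy as numbered permit/deny rules that each reference an attribute group, where a group lists tests on the subject name, issuer name or alternative subject name (as DN, FQDN or IP) with contains / not-contains / equals / not-equals operators. The AND semantics within a group, first-match rule ordering and default deny are assumptions, the certificate records are constructed dictionaries rather than parsed X.509, and the CA name new-ca is taken from the HTTPS example that follows.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Attribute:
    """One test on a certificate field (model is an assumption, not the CLI)."""
    field_name: str   # "subject-name", "issuer-name" or "alt-subject-name"
    kind: str         # "dn", "fqdn" or "ip"
    op: str           # "ctn" contains, "nctn" not contains, "equ" equals, "nequ" not equals
    value: str


@dataclass
class AttributeGroup:
    name: str
    attributes: List[Attribute] = field(default_factory=list)


@dataclass
class Rule:
    number: int
    action: str       # "permit" or "deny"
    group: str        # name of the attribute group the rule references


@dataclass
class AccessControlPolicy:
    name: str
    rules: List[Rule]
    groups: Dict[str, AttributeGroup]


# Certificate records used here are constructed dictionaries keyed as
# "<subject|issuer|alt>_<dn|fqdn|ip>" -> list of strings.
def _values(cert: dict, field_name: str, kind: str) -> list:
    prefix = {"subject-name": "subject", "issuer-name": "issuer",
              "alt-subject-name": "alt"}[field_name]
    return cert.get(f"{prefix}_{kind}", [])


def attribute_matches(attr: Attribute, cert: dict) -> bool:
    """Evaluate one attribute test; DN/FQDN compare case-insensitively, IPs as addresses."""
    candidates = _values(cert, attr.field_name, attr.kind)
    if attr.kind == "ip":
        want = ipaddress.ip_address(attr.value)
        hit = any(ipaddress.ip_address(v) == want for v in candidates)
    elif attr.op in ("ctn", "nctn"):
        hit = any(attr.value.lower() in v.lower() for v in candidates)
    else:
        hit = any(attr.value.lower() == v.lower() for v in candidates)
    return (not hit) if attr.op in ("nctn", "nequ") else hit


def group_matches(group: AttributeGroup, cert: dict) -> bool:
    """All attributes of a group must match (assumed AND semantics)."""
    return all(attribute_matches(a, cert) for a in group.attributes)


def evaluate(policy: AccessControlPolicy, cert: dict) -> dict:
    """First rule (by number) whose group matches decides; no match means deny."""
    for rule in sorted(policy.rules, key=lambda r: r.number):
        if group_matches(policy.groups[rule.group], cert):
            return {"action": rule.action, "rule": rule.number}
    return {"action": "deny", "rule": None}


def example_policy() -> AccessControlPolicy:
    """Constructed policy: refuse anything from the retired CA, then admit the netops OU."""
    groups = {
        "retired-ca": AttributeGroup("retired-ca", [
            Attribute("issuer-name", "dn", "ctn", "CN=old-ca")]),
        "netops-admins": AttributeGroup("netops-admins", [
            Attribute("subject-name", "dn", "ctn", "OU=netops"),
            Attribute("issuer-name", "dn", "equ", "CN=new-ca")]),
    }
    return AccessControlPolicy("https-clients",
                               [Rule(1, "deny", "retired-ca"),
                                Rule(2, "permit", "netops-admins")],
                               groups)


# Constructed client certificates (not real X.509 data).
CERT_ADMIN = {"subject_dn": ["CN=alice,OU=netops,O=example"],
              "issuer_dn": ["CN=new-ca"], "alt_ip": ["10.1.1.5"]}
CERT_OLD = {"subject_dn": ["CN=bob,OU=netops"], "issuer_dn": ["CN=old-ca"]}
CERT_GUEST = {"subject_dn": ["CN=guest,OU=sales"], "issuer_dn": ["CN=new-ca"]}

if __name__ == "__main__":
    policy = example_policy()
    for name, cert in (("admin", CERT_ADMIN), ("old", CERT_OLD), ("guest", CERT_GUEST)):
        print(name, evaluate(policy, cert))
```

The order of the rules matters: the deny rule for the retired CA is numbered first so that a netops certificate issued by the old CA is refused even though it would satisfy the permit group.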
HTTPS Configuration Example
Network requirements
Host acts as the HTTPS client and Device acts as the HTTPS server. Host accesses Device through the Web to control Device. The CA (Certificate Authority) issues a certificate to Device. The common name of the CA is new-ca. In this configuration example, Windows Server serves as the CA, and you need to install the Simple Certificate Enrollment Protocol (SCEP) component on it.
[Device] pki retrieval-certificate ca domain 1
# Apply for a local certificate.
[Device] pki request-certificate domain 1
Configure an SSL server policy associated with the HTTPS service
# Configure an SSL server policy.
[Device] ssl server-policy myssl
[Device-ssl-server-policy-myssl] pki-domain 1
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit
Configure a certificate access control policy...
Table of Contents
Appendix A Acronyms A-1...
Appendix A Acronyms
AAA Authentication, Authorization and Accounting
ABR Area Border Router
ACL Access Control List
ARP Address Resolution Protocol
AS Autonomous System
ASBR Autonomous System Border Router
BDR Backup Designated Router
CAR Committed Access Rate
CLI Command Line Interface
CoS Class of Service
DHCP Dynamic Host Configuration Protocol
DR Designated Router
DV Distance Vector Routing Algorithm
EGP Exterior Gateway Protocol...
IGMP Internet Group Management Protocol
IGP Interior Gateway Protocol
IP Internet Protocol
LLDP Link Layer Discovery Protocol
LSA Link State Advertisement
LSDB Link State DataBase
MAC Medium Access Control
MIB Management Information Base
NBMA Non Broadcast MultiAccess
NIC Network Information Center
NMS Network Management System
NVRAM Nonvolatile RAM
OSPF Open Shortest Path First
PIM Protocol Independent Multicast...
TTL Time To Live
UDP User Datagram Protocol
VLAN Virtual LAN
VOD Video On Demand
WRR Weighted Round Robin
XID eXchange Identification
XRN eXpandable Resilient Networking...