3Com 400 Family Configuration Manual

Summary of 400 Family

  • Page 1

    3Com Switch 4500 Family Configuration Guide. http://www.3com.com/ Part number: 10015003. Published: March 2006.

  • Page 2

    3Com Corporation, 350 Campus Drive, Marlborough, MA, USA 01752-3064. Copyright © 2006, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without writt...

  • Page 3: Contents

    Contents. About This Guide: How This Guide Is Organized 11; Intended Readership 11; Conventions 12; Related Documentation 13. 1 Getting Started: Product Overview 15; Stacking Overview 16; Brief Introduction 16; Typical Networking Topology 16; Product Features 16; Logging In to the Switch 17; Setting Up Con...

  • Page 4

    3 VLAN Operation: VLAN Configuration 57; VLAN Overview 57; Configuring a VLAN 57; Displaying and Debugging VLAN 59; VLAN Configuration Example One 59; VLAN Configuration Example Two 60; Voice VLAN Configuration 61; Introduction to Voice VLAN 61; Voice VLAN Configuration 61; Displaying and Debugging of Voice ...

  • Page 5

    Access Management Configuration 87; Access Management Overview 87; Configuring Access Management 87; Displaying and Debugging Access Management 89; Access Management Configuration Example 89; Access Management via the Web 90; UDP Helper Configuration 90; Overview of UDP Helper 90; UDP Helper Configuration 9...

  • Page 6

    8 ACL Configuration: Brief Introduction to ACL 131; ACL Supported by the Switch 132; Configuring ACL 132; Defining ACL 132; Activating ACL 135; Displaying and Debugging ACL 135; Advanced ACL Configuration Example 136; Basic ACL Configuration Example 137; Link ACL Configuration Example 137; QoS Configuration ...

  • Page 7

    10 RSTP Configuration: STP Overview 161; Implement STP 161; Configuration BPDU Forwarding Mechanism in STP 165; Implement RSTP on the Switch 166; RSTP Configuration 167; Enable/Disable RSTP on a Switch 170; Enable/Disable RSTP on a Port 171; Configure RSTP Operating Mode 171; Configure the STP-Ignore Attrib...

  • Page 8

    AAA and RADIUS Protocol Configuration 192; RADIUS Protocol Overview 192; Implementing AAA/RADIUS on the Ethernet Switch 193; Configuring AAA 194; Creating/Deleting an ISP Domain 194; Configuring Relevant Attributes of the ISP Domain 195; Enabling/Disabling the Messenger Alert 197; Configuring Self-Service ...

  • Page 9

    FTP Overview 221; Enabling/Disabling FTP Server 222; Configuring the FTP Server Authentication and Authorization 222; Configuring the Running Parameters of FTP Server 223; Displaying and Debugging FTP Server 223; Introduction to FTP Client 223; FTP Server Configuration Example 225; TFTP Overview 226; Downlo...

  • Page 10

    Creating/Updating View Information or Deleting a View 266; Setting the Size of SNMP Packet Sent/Received by an Agent 266; Enabling/Disabling a Port Transmitting Trap Information SNMP Agent 266; Disabling SNMP Agent 266; Displaying and Debugging SNMP 267; SNMP Configuration Example 267; Reading usmusr Tabl...

  • Page 11

    B RADIUS Server and RADIUS Client Setup: Setting Up a RADIUS Server 301; Configuring Microsoft IAS RADIUS 301; Configuring Funk RADIUS 324; Configuring FreeRADIUS 329; Setting Up the RADIUS Client 330; Windows 2000 Built-in Client 331; Windows XP Built-in Client 331; Aegis Client Installation 331. C Auth...

  • Page 13: About

    About This Guide. This guide provides information about configuring your network using the commands supported on the 3Com® Switch 4500. How This Guide Is Organized: the Switch 4500 Configuration Guide consists of the following chapters: ■ Getting Started — details the main features and configurati...

  • Page 14

    12 About This Guide. Conventions: this guide uses the following conventions. Table 1 Icons: Icon, Notice type, Description. Information note: information that describes important features or instructions. Caution: information that alerts you to potential loss of data or potential damage to an application...

  • Page 15

    Related Documentation 13. Related documentation: the 3Com Switch 4500 Getting Started Guide provides information about installation. The 3Com Switch 4500 Command Reference Guide provides all the information you need to use the configuration commands.

  • Page 16

    14 About This Guide.

  • Page 17: Getting

    1 Getting Started. This chapter covers the following topics: ■ Product overview ■ Stacking overview ■ Product features ■ Logging in to the switch ■ Command line interface ■ User interface configuration. Product overview: Table 3 lists the models in the Switch 4500 family. The Switch 4500 family supp...

  • Page 18

    16 Chapter 1: Getting Started. Stacking overview. Brief introduction: with the 3Com Switch 4500, up to eight units can be operated together as a single larger logical unit to simplify administration. This is called stacking. Stacking allows you to add ports in a site or location incrementally, witho...

  • Page 19

    Logging in to the Switch 17. Logging in to the switch. Setting up the configuration environment through the console port: 1 To set up the local configuration environment, connect the serial port of a PC (or a terminal) to the console port of the switch with the console cable (see Figure 2). Figure 2 Setti...

  • Page 20

    18 Chapter 1: Getting Started. ■ Databit = 8 ■ Parity check = none ■ Stopbit = 1 ■ Flow control = none ■ Terminal type = VT100. Figure 3 Setting up a new connection. Figure 4 Configuring the port for connection.

  • Page 21

    Logging in to the Switch 19. Figure 5 Setting communication parameters. 3 The switch is powered on and it displays self-test information. Press to show the command line prompt such as . 4 Enter a command to configure the switch or view the operation state. Enter a ? to view online help. For details of...

  • Page 22

    20 Chapter 1: Getting Started. Figure 6 Setting up the configuration environment through Telnet. 3 Run Telnet on the PC and enter the IP address of the VLAN connected to the network port on the PC. Figure 7 Running Telnet. 4 The terminal displays login authentication and prompts the user to enter th...

  • Page 23

    Logging in to the Switch 21. Figure 8 Providing Telnet client service. 1 Authenticate the Telnet user through the console port on the Telnet server (a switch) before login. By default, the password is required to authenticate Telnet users and to enable them to log on to the switch. If a user logs in t...

  • Page 24

    22 Chapter 1: Getting Started. [4500-ui-aux0]set authentication password simple xxxx (xxxx is the preset login password of the modem user.) 2 Perform the following configurations on the modem that is directly connected to the switch. (You are not required to configure the modem connected to the te...

  • Page 25

    Logging in to the Switch 23. Figure 10 Setting the dialed number. Figure 11 Dialing on the remote PC. 5 Enter the preset login password on the remote terminal emulator and wait for the prompt . Then you can configure and manage the switch. Enter ? to view online help. For details of specific commands, ...

  • Page 26

    24 Chapter 1: Getting Started. Command line interface: the Switch 4500 family provides a series of configuration commands and command line interfaces for configuring and managing the switch. The command line interface has the following characteristics: ■ Local configuration through the console port...

  • Page 27

    Command Line Interface 25. To prevent unauthorized users from illegal intrusion, the user will be identified when switching from a lower level to a higher level with the super [ level ] command. User ID authentication is performed when users at a lower level become users at a higher level. In other wor...

  • Page 28

    26 Chapter 1: Getting Started. Table 5 Features of command views: Command view, Function, Prompt, Command to enter, Command to exit. User view: show the basic information about operation and statistics; this is the view you are in after connecting to the switch; quit disconnects from the switch. System view c...

  • Page 29

    Command Line Interface 27. Basic ACL view: define the rule of basic ACL; [4500-acl-basic-2000]; enter acl number 2000 in system view; quit returns to system view; return returns to user view. Advanced ACL view: define the rule of advanced ACL; [4500-acl-adv-3000]; enter acl number 3000 in system view; quit re...

  • Page 30

    28 Chapter 1: Getting Started. Features and functions of command line. Command line help: the command line interface provides full and partial online help. You can get help information through the online help commands, which are described below: 1 Enter ? in any view to get all the commands in that ...

  • Page 31

    Command Line Interface 29. command buffer is defaulted as 10. That is, the command line interface stores 10 history commands for each user. The operations are shown in Table 7. Cursor keys can be used to retrieve the history commands in Windows 3.X terminal and Telnet. However, in Windows 9x HyperTe...

  • Page 32

    30 Chapter 1: Getting Started. User interface configuration. User interface overview: user interface configuration is another way provided by the switch to configure and manage the port data. Switch 4500 family switches support the following configuration methods: ■ Local configuration through the c...

  • Page 33

    User Interface Configuration 31. User interface configuration tasks for configuring the user interface are described in the following sections: ■ Entering user interface view ■ Configuring the user interface-supported protocol ■ Configuring the attributes of the AUX (console) port ■ Configuring the termi...

  • Page 34

    32 Chapter 1: Getting Started. Perform the following configurations in user interface (AUX user interface only) view. Configuring the transmission speed on the AUX (console) port: by default, the transmission speed on the AUX (console) port is 19200 bps. Configuring the flow control on the AUX (cons...

  • Page 35

    User Interface Configuration 33. Configuring the terminal attributes: the following commands can be used for configuring the terminal attributes, including enabling/disabling terminal service, disconnection upon timeout, lockable user interface, configuring terminal screen length, and history command ...

  • Page 36

    34 Chapter 1: Getting Started. Setting the screen length: if a command displays more than one screen of information, you can use the following command to set how many lines are displayed in a screen, so that the information can be separated into different screens and you can view it more convenient...

  • Page 37

    User Interface Configuration 35. Perform the following configuration in user interface view. Configure password authentication when a user logs in through the VTY 0 user interface and set the password to 3com. [4500]user-interface vty 0 [4500-ui-vty0]authentication-mode password [4500-ui-vty0]set a...

  • Page 38

    36 Chapter 1: Getting Started. By default, the specified logged-in user can access the commands at level 1. Setting the command level used after a user logs in from a user interface: you can use the following command to set the command level after a user logs in from a specific user interface, so t...

  • Page 39

    User Interface Configuration 37. Configuring redirection. Send command: the following command can be used for sending messages between user interfaces. Perform the following configuration in user view. Auto-execute command: the following command is used to automatically run a command after you log in. A...

  • Page 41: Port

    2 Port Operation. This chapter covers the following topics: ■ Ethernet port configuration ■ Link aggregation configuration. Ethernet port configuration. Ethernet port overview: the following features are found in the Ethernet ports of the Switch 4500: ■ 10/100BASE-T Ethernet ports support MDI/MDI-X aut...

  • Page 42

    40 Chapter 2: Port Operation. Entering Ethernet port view: before configuring an Ethernet port, enter Ethernet port view. Perform the following configuration in system view. Enabling/disabling an Ethernet port: use the following command to disable or enable the port. After configuring the related pa...

  • Page 43

    Ethernet Port Configuration 41. Note that 10/100BASE-T Ethernet ports support full duplex, half duplex and auto-negotiation, which can be set as required. Gigabit Ethernet ports support full duplex and can be configured to operate in full (full duplex) or auto (auto-negotiation) mode. The port defaul...

  • Page 44

    42 Chapter 2: Port Operation. Perform the following configuration in Ethernet port view. By default, Ethernet port flow control is disabled. Setting the Ethernet port suppression ratio: use the following commands to restrict broadcast/multicast/unicast traffic. Once traffic exceeds the value set by...

  • Page 45

    Ethernet Port Configuration 43. By default, the port is an access port. Note that: ■ You can configure four types of ports concurrently on the same switch, but you cannot switch port type between trunk port, hybrid port and stack port. You must first return it to access port and then set it as the othe...

  • Page 46

    44 Chapter 2: Port Operation. port, you can configure it to tag some VLAN packets, based on which the packets can be processed differently. Setting the default VLAN ID for the Ethernet port: because the access port can only be included in one VLAN, its default VLAN is the one to which it belongs. Beca...

  • Page 47

    Ethernet Port Configuration 45. By default, port loopback detection and the loopback detection control function on trunk and hybrid ports are disabled. The detection interval is 30 seconds, and the system detects the default VLAN on the trunk and hybrid ports. Copying port configuration to other port...

  • Page 48

    46 Chapter 2: Port Operation. Enter the loopback command in Ethernet port view to check whether the Ethernet port works normally. In the process of the loopback test, the port cannot forward any packets. The loop test will finish automatically after a short time. Note that: ■ The loopback test can...

  • Page 49

    Link Aggregation Configuration 47. Networking diagram: Figure 12 Configuring the default VLAN for a trunk port. Configuration procedure: the following configurations are used for Switch A. Configure Switch B in a similar way. 1 Enter the Ethernet port view of Ethernet1/0/1. [4500]interface ethernet1/0...

  • Page 50

    48 Chapter 2: Port Operation. The basic configuration includes STP setting, QoS setting, VLAN setting, and port setting. The STP setting includes STP enabling/disabling, link attribute (point-to-point or not), STP priority, path cost, max transmission speed, loop protection, root protection, edge ...

  • Page 51

    Link Aggregation Configuration 49. with the minimum port number serves as the master port, while the others serve as sub-ports. In a manual aggregation group, the system sets the ports to active or inactive state by using these rules: ■ The system sets the port with the highest priority to active state, and ot...

  • Page 52

    50 Chapter 2: Port Operation. systems as well as under manual control through direct manipulation of the state variables of link aggregation (for example, keys) by a network manager. Dynamic LACP aggregation can be established even for a single port, which is called single port aggregation. LACP is e...

  • Page 53

    Link Aggregation Configuration 51. A load sharing aggregation group may contain several selected ports, but a non-load sharing aggregation group can only have one selected port, while the others are standby ports. Selection criteria of selected ports vary for different types of aggregation groups. Link a...

  • Page 54

    52 Chapter 2: Port Operation. aggregation group: when you delete a manual aggregation group, all its member ports are disaggregated; when you delete a static or dynamic LACP aggregation group, its member ports form one or several dynamic LACP aggregation groups. Perform the following configuration...

  • Page 55

    Link Aggregation Configuration 53. ■ Port with 802.1x enabled. ■ You must delete the aggregation group, instead of the port, if the manual or static LACP aggregation group contains only one port. Setting/deleting the aggregation group descriptor: perform the following configuration in system view. By ...

  • Page 56

    54 Chapter 2: Port Operation. Perform the following configuration in Ethernet port view. By default, port priority is 32768. Displaying and debugging link aggregation: after the above configuration, enter the display command in any view to display the running of the link aggregation configuration, ...

  • Page 57

    Link Aggregation Configuration 55. Networking diagram: Figure 13 Networking for link aggregation. Configuration procedure: the following only lists the configuration for Switch A; configure Switch B similarly. 1 Manual link aggregation. a Create manual aggregation group 1. [4500]link-aggregation group 1 ...

  • Page 58

    56 Chapter 2: Port Operation.

  • Page 59: VLAN Operation

    3 VLAN Operation. This chapter covers the following topics: ■ VLAN configuration ■ Voice VLAN configuration. VLAN configuration. VLAN overview: a virtual local area network (VLAN) creates logical groups of LAN devices into segments to implement virtual workgroups. IEEE issued the IEEE 802.1Q in 1999, w...

  • Page 60

    58 Chapter 3: VLAN Operation. Note that the default VLAN, namely VLAN 1, cannot be deleted. Adding Ethernet ports to a VLAN: use the following command to add Ethernet ports to a VLAN. Perform the following configuration in VLAN view. By default, the system adds all the ports to a default VLAN, whose...

  • Page 61

    VLAN Configuration 59. Create a VLAN first before creating an interface for it. For this configuration task, vlan_id takes the VLAN ID. Shutting down/enabling the VLAN interface: use the following command to shut down/enable a VLAN interface. Perform the following configuration in VLAN interface view....

  • Page 62

    60 Chapter 3: VLAN Operation. Networking diagram: Figure 14 VLAN configuration example 1. Configuration procedure: 1 Create VLAN 2 and enter its view. [4500]vlan 2 2 Add Ethernet1/0/1 and Ethernet1/0/2 to VLAN 2. [4500-vlan2]port ethernet1/0/1 to ethernet1/0/2 3 Create VLAN 3 and enter its view. [4500-...

  • Page 63

    Voice VLAN Configuration 61. Voice VLAN configuration. Introduction to voice VLAN: voice VLAN is specially designed for users' voice flow, and it distributes different port precedence in different cases. The system uses the source MAC of the traffic traveling through the port to identify the IP phone d...

  • Page 64

    62 Chapter 3: VLAN Operation. ■ Setting/removing the OUI address learned by voice VLAN ■ Enabling/disabling voice VLAN security mode ■ Enabling/disabling voice VLAN auto mode ■ Setting the aging time of voice VLAN. If you change the status of voice VLAN security mode, you must first enable voice VLA...

  • Page 65

    Voice VLAN Configuration 63. There are four default OUI addresses after the system starts. Enabling/disabling voice VLAN security mode: in security mode, the system can filter out the traffic whose source MAC is not an OUI within the voice VLAN, while the other VLANs are not influenced. If security mode ...

  • Page 66

    64 Chapter 3: VLAN Operation. Perform the following configuration in system view. The default aging time is 1440 minutes. Displaying and debugging of voice VLAN: after completing the above configuration, enter the display command in any view to view the configuration and running state of voice VLAN....

  • Page 67

    Voice VLAN Configuration 65. [4500-ethernet1/0/2]quit [4500]undo voice vlan mode auto [4500]voice vlan mac_address 0011-2200-0000 mask ffff-ff00-0000 description private [4500]voice vlan 2 enable [4500]voice vlan aging 100

  • Page 68

    66 Chapter 3: VLAN Operation.

  • Page 69: Power

    4 Power over Ethernet Configuration. This chapter covers the following topics: ■ PoE overview ■ PoE configuration. PoE overview: the Switch 4500 26 Port PWR and Switch 4500 50 Port PWR support Power over Ethernet (PoE). This feature uses twisted pairs to provide -44 through -62 VDC power to remote p...

  • Page 70

    68 Chapter 4: Power over Ethernet Configuration. ■ When using the PWR switches to supply power to remote PDs, the PDs need not have any external power supply. ■ If a remote PD has an external power supply, the PWR switches and the external power supply will be redundant with each other for the PD...

  • Page 71

    PoE Configuration 69. Setting the maximum power output on a port: the maximum power that can be supplied by an Ethernet port of the Switch 4500 26-Port PWR and Switch 4500 50-Port PWR to its PD is 15400 mW. In practice, you can set the maximum power on a port depending on the actual power of the PD, w...

  • Page 72

    70 Chapter 4: Power over Ethernet Configuration. Table 69 Setting the power supply management mode on the switch. By default, the power supply management mode on the switch is auto. Setting the port priority: set the priority of the current port in Ethernet port view. Table 70 Setting the port pri...

  • Page 73

    PoE Configuration 71. Upgrading the PSE processing software online: the online upgrading of PSE processing software can update the processing software or repair the software if it is damaged. After the upgrade files are downloaded, you can use the following command to perform online upgrading on the PSE...

  • Page 74

    72 Chapter 4: Power over Ethernet Configuration. to guarantee the power feeding to the PD that will be connected to Ethernet1/0/24 even when the Switch 4500 PWR is at full load. Network diagram: Figure 17 PoE remote power supply. Configuration procedure: update the PSE processing software online...

  • Page 75: Network

    5 Network Protocol Operation. This chapter covers the following topics: ■ IP address configuration ■ ARP configuration ■ DHCP configuration ■ Access management configuration ■ UDP helper configuration ■ IP performance configuration. IP address configuration. IP address overview. IP address classifica...

  • Page 76

    74 Chapter 5: Network Protocol Operation. The IP address is in dotted decimal format. Each IP address contains 4 integers in dotted decimal notation. Each integer corresponds to one byte, for example, 10.110.50.101. When using IP addresses, note that some of them are reserved for special uses, an...

  • Page 77

    IP Address Configuration 75. A mask is a 32-bit number corresponding to an IP address. The number consists of 1s and 0s. In principle, these 1s and 0s can be combined arbitrarily. However, the first consecutive bits are set to 1s when designing the mask. The mask divides the IP address into two parts: su...

  • Page 78

    76 Chapter 5: Network Protocol Operation. The IP address configuration is described in the following sections: ■ Configuring the hostname and host IP address ■ Configuring the IP address of the VLAN interface. Configuring the hostname and host IP address: the host name corresponds to the IP add...

  • Page 79

    ARP Configuration 77. IP address configuration example. Networking requirements: configure the IP address as 129.2.2.1 and subnet mask as 255.255.255.0 for VLAN interface 1 of the switch. Networking diagram: Figure 20 IP address configuration networking. Configuration procedure: 1 Enter VLAN interface 1. ...

  • Page 80

    78 Chapter 5: Network Protocol Operation. dynamic ARP mapping entry is not in use for a specified period of time, the host will remove it from the ARP mapping table so as to save memory space and shorten the interval for the switch to search the ARP mapping table. Suppose there are two hosts on the s...

  • Page 81

    ARP Configuration 79. By default, the ARP mapping table is empty and the address mapping is obtained through dynamic ARP. Note that: ■ A static ARP map entry will always be valid as long as the switch works normally. But if the VLAN corresponding to the ARP mapping entry is deleted, the ARP mapping ent...

  • Page 82

    80 Chapter 5: Network Protocol Operation. By default, this feature is enabled. Displaying and debugging ARP: after the above configuration, enter the display command in any view to display the running of the ARP configuration, and to verify the effect of the configuration. Enter the debugging comm...

  • Page 83

    DHCP Configuration 81. Figure 21 Typical DHCP application. To obtain valid dynamic IP addresses, the DHCP client exchanges different types of information with the server at different stages. One of the following three situations may occur: ■ A DHCP client logs into the network for the first time when...

  • Page 84

    82 Chapter 5: Network Protocol Operation. ■ If the requested IP address becomes unavailable (for example, having been allocated to another client), the DHCP server returns the DHCP_NAK message. After receiving the DHCP_NAK message, the client sends the DHCP_DISCOVER message to request another new...

  • Page 85

    DHCP Configuration 83. ■ The DHCP server determines a correct configuration based on the information from the client and returns the configuration information back to the client through DHCP relay. In fact, several such interactions may be needed to complete a DHCP relay configuration. DHCP client co...

  • Page 86

    84 Chapter 5: Network Protocol Operation. Configuring the DHCP server group for the VLAN interfaces: perform the following configuration in VLAN interface view. By default, no DHCP server corresponds to VLAN interfaces. When associating a VLAN interface to a new DHCP server group, you can configur...

  • Page 87

    DHCP Configuration 85. Networking diagram: Figure 23 Configuring DHCP relay. Configuration procedure: 1 Create a DHCP server group that will use two DHCP servers (a master and an optional backup) and assign it the IP addresses of the two DHCP servers (the first IP address is the master). [4500]dhcp-serv...

  • Page 88

    86 Chapter 5: Network Protocol Operation. Networking diagram: Figure 24 Networking diagram of DHCP relay configuration. Configuration procedure: 1 Configure the group number of the DHCP server as 1 and the IP address as 202.38.1.2. [4500]dhcp-server 1 ip 202.38.1.2 2 Associate the VLAN interface 2 with ...

  • Page 89

    Access Management Configuration 87. debugging dhcp-relay in user view and then use the terminal debugging command to output the debugging information to the console. In this way, you can view the detailed information of all DHCP packets on the console as they apply for the IP address, and so locate t...

  • Page 90

    88 Chapter 5: Network Protocol Operation. By default, the IP address pools for access management on the port are null and all the packets are permitted. Note that if the IP address pool to be configured contains the IP addresses configured in the static ARP at other ports, then the system prompts...

  • Page 91

    Access Management Configuration 89. Enabling/disabling access management trap: you can enable the access management trap function using the following commands. When this function is enabled, the trap information of access management is delivered to the console for the purpose of monitoring. Perform th...

  • Page 92

    90 Chapter 5: Network Protocol Operation. 2 Configure the IP address pool for access management on port 1. [4500]interface ethernet1/0/1 [4500-ethernet1/0/1]am ip-pool 202.10.20.1 20 3 Add port 1 into the isolation group. [4500-ethernet1/0/1]port isolate 4 Configure the IP address pool for access man...

  • Page 93

    UDP Helper Configuration 91. UDP helper configuration. UDP helper configuration includes: ■ Enabling/disabling the UDP helper function ■ Configuring a UDP port with relay function ■ Configuring the relay destination server for broadcast packets. Enabling/disabling the UDP helper function: when the UDP helper func...

  • Page 94

    92 Chapter 5: Network Protocol Operation. For example, the udp-helper port 53 command is equivalent to the udp-helper port dns command in function. ■ The default UDP ports are not displayed when using the display current-configuration command. But its ID is displayed after its relay function is d...

  • Page 95

    IP Performance Configuration 93. Networking diagram: Figure 26 Networking for UDP helper configuration. Configuration procedure: 1 Enable the UDP helper function. [4500]udp-helper enable 2 Set to relay-forward the broadcast packets with destination UDP port 55. [4500]udp-helper port 55 3 Set the IP address ...

  • Page 96

    94 Chapter 5: Network Protocol Operation. By default, the TCP finwait timer is 675 seconds, the synwait timer is 75 seconds, and the receiving/sending buffer size of a connection-oriented socket is 8K bytes. Displaying and debugging IP performance: after the above configuration, enter the display co...

  • Page 97

    IP Performance Configuration 95. ■ Use the terminal debugging command to output the debugging information to the console. ■ Use the command debugging udp packet to enable UDP debugging to trace the UDP packet. The following are the UDP packet formats: UDP output packet: Source IP address:202.38.1...

  • Page 98

    96 Chapter 5: Network Protocol Operation.

  • Page 99: IP Routing

    6 IP Routing Protocol Operation. IP routing protocol overview: routers select an appropriate path through a network for an IP packet according to the destination address of the packet. Each router on the path receives the packet and forwards it to the next router. The last router in the path submit...

  • Page 100

    98 Chapter 6: IP Routing Protocol Operation. the optimal route. For example, routing through three LAN route segments may be much faster than routing through two WAN route segments. Configuring the IP routing protocol is described in the following sections: ■ Selecting routes through the routing ...

  • Page 101

    IP Routing Protocol Overview 99. In a complicated internet configuration, as shown in Figure 28, the number in each network is the network address. The router R8 is connected to three networks, so it has three IP addresses and three physical ports. Its routing table is shown in Figure 2. Figure 28 T...

  • Page 102

    100 Chapter 6: IP Routing Protocol Operation. Supporting load sharing and route backup. I. Load sharing: the Switch 4500 supports multi-route mode, allowing the user to configure multiple routes that reach the same destination and use the same precedence. The same destination can be reached via mul...

  • Page 103

    Static Routes 101. The following routes are static routes: ■ Reachable route — the IP packet is sent to the next hop towards the destination. This is a common type of static route. ■ Unreachable route — when a static route to a destination has the reject attribute, all the IP packets to this destinat...

  • Page 104

    102 Chapter 6: IP Routing Protocol Operation. The parameters are explained as follows: ■ IP address and mask: the IP address and mask use a decimal format. Because the 1s in the 32-bit mask must be consecutive, the dotted decimal mask can also be replaced by the mask-length, which refers to the dig...

  • Page 105

    Static Routes 103. Displaying and debugging static routes: after you configure static and default routes, execute the display command in any view to display the static route configuration, and to verify the effect of the configuration. Example: typical static route configuration. Networking requirement...

  • Page 106

    104 Chapter 6: IP Routing Protocol Operation. [switch a]ip route-static 1.1.5.0 255.255.255.0 1.1.2.2 2 Configure the static route for Ethernet Switch B. [switch b]ip route-static 1.1.2.0 255.255.255.0 1.1.3.1 [switch b]ip route-static 1.1.5.0 255.255.255.0 1.1.3.1 [switch b]ip route-static 1.1.1....

  • Page 107

    RIP 105 ■ next hop address — the address of the next router that an IP packet will pass through to reach the destination. ■ interface — the interface through which the IP packet should be forwarded. ■ cost — the cost for the router to reach the destination, which should be an integer in the rang...

  • Page 108

    106 Chapter 6: IP Routing Protocol Operation After RIP is disabled, the interface-related features also become invalid. The RIP configuration tasks are described in the following sections: ■ enabling RIP and entering the RIP view ■ enabling RIP on a specified network ■ configuring unicast RIP me...

  • Page 109

    RIP 107 has been specified. RIP does not receive or send routes for an interface that is not on the specified network, and does not forward its interface route. When the network command is used for an address, the effect is to enable the interface of the network with this address. For example, for n...

  • Page 110

    108 Chapter 6: IP Routing Protocol Operation By default, the interface receives and sends RIP-1 packets. It transmits packets in multicast mode when the interface RIP version is set to RIP-2. Configuring RIP timers As stipulated in RFC 1058, RIP is controlled by three timers: period update, t...

  • Page 111

    RIP 109 Perform the following configurations in RIP view. Specifying the operating state of the interface In the interface view, you can specify whether RIP update packets are sent and received on the interface. In addition, you can specify whether an interface sends or receives RIP update packets. ...

  • Page 112

    110 Chapter 6: IP Routing Protocol Operation Enabling RIP-2 route aggregation Route aggregation means that different subnet routes in the same natural network can be aggregated into one natural-mask route for transmission when they are sent to other networks. Route aggregation can be performed t...

  • Page 113

    RIP 111 generation of routing loops, but in some special cases, split horizon must be disabled to obtain correct advertising at the cost of efficiency. Disabling split horizon has no effect on P2P connected links but is applicable on Ethernet. Perform the following configuration in interface vie...

  • Page 114

    112 Chapter 6: IP Routing Protocol Operation Setting the RIP preference Each routing protocol has its own preference, by which the routing policy selects the optimal route from the routes of different protocols. The greater the preference value, the lower the preference. The preference of RIP can...

  • Page 115

    RIP 113 Configuring RIP to filter the received routes Configuring RIP to filter the distributed routes By default, RIP will not filter the received and distributed routing information. ■ The filter-policy import command filters the RIP routes received from its neighbors, and the routes that cannot p...

  • Page 116

    114 Chapter 6: IP Routing Protocol Operation Example: typical RIP configuration Networking requirements As shown in Figure 30, Switch C connects to the subnet 117.102.0.0 through the Ethernet port. The Ethernet ports of Switch A and Switch B are connected to the networks 155.10.1.0 and 196.38.1...

  • Page 117

    IP Routing Policy 115 3 Configure RIP on Switch C [Switch C]rip [Switch C-rip]network 117.102.0.0 [Switch C-rip]network 110.11.2.0 Troubleshooting RIP The Switch 4500 cannot receive the update packets when the physical connection to the peer routing device is normal. ■ RIP does not operate on the co...

  • Page 118

    116 Chapter 6: IP Routing Protocol Operation the route is permitted by a single node in the route-policy, the route passes the matching test of the route policy without attempting the test of the next node. ACL The access control list (ACL) used by the route policy can be divided into three type...

  • Page 119

    IP Routing Policy 117 Perform the following configurations in system view. The permit parameter specifies that if a route satisfies all the if-match clauses of a node, the route passes the filtering of the node, and the apply clauses for the node are executed without taking the test of the next node...

  • Page 120

    118 Chapter 6: IP Routing Protocol Operation By default, no matching is performed. The if-match clauses for a node in the route policy require that the route satisfy all the clauses to match the node before the actions specified by the apply clauses can be executed. If no if-match clauses are sp...

  • Page 121

    IP Routing Policy 119 Perform the following configurations in system view. During the matching, the router checks list items identified by the index_number in ascending order. If only one list item meets the condition, it means that it has passed the ip-prefix filtering (and does not enter the testi...

  • Page 122

    120 Chapter 6: IP Routing Protocol Operation Networking diagram Figure 31 Filtering the received routing information Configuration procedure 1 Configure Switch A: a Configure the IP address of the VLAN interface. [Switch A]interface vlan-interface 100 [Switch A-vlan-interface100]ip address 10.0.0.1 ...

  • Page 123

    IP Routing Policy 121 Troubleshooting routing protocols Routing information filtering cannot be implemented in normal operation of the routing protocol. Check for the following faults: ■ The if-match mode of at least one node of the route policy should be the permit mode. When a route policy is used ...

  • Page 124

    122 Chapter 6: IP Routing Protocol Operation.

  • Page 125: Igmp S

    7 IGMP Snooping IGMP snooping overview IGMP snooping (Internet Group Management Protocol snooping) is a multicast control mechanism running on Layer 2 (the link layer) of the switch. It is used for multicast group management and control. When receiving IGMP messages transmitted between the host and...

  • Page 126

    124 Chapter 7: IGMP Snooping Figure 33 Multicast packet transmission when IGMP snooping runs IGMP snooping terminology Table 127 explains switching terminology relevant to IGMP snooping. The Switch 4500 runs IGMP snooping to listen to the IGMP messages and map the host and its ports to the corresp...

  • Page 127

    IGMP Snooping Overview 125 Figure 34 Implementing IGMP snooping Table 128 explains IGMP snooping terminology. Table 128 IGMP snooping terminology Term Meaning IGMP general query Message transmitted by the multicast router to query which multicast group contains members. When a router port receives an...

  • Page 128

    126 Chapter 7: IGMP Snooping Configuring IGMP snooping IGMP snooping configuration includes: ■ enabling/disabling IGMP snooping ■ configuring router port aging time ■ configuring maximum response time ■ configuring aging time of multicast group member Of the above configuration tasks, enabling IGM...

  • Page 129

    Configuring IGMP Snooping 127 Perform the following configuration in system view and VLAN view. Although Layer 2 and Layer 3 multicast protocols can run together, they cannot run on the same VLAN or its corresponding VLAN interface at the same time. For example, if the Layer 2 multicast protocol is ...

  • Page 130

    128 Chapter 7: IGMP Snooping Perform the following configuration in system view. By default, the aging time of the multicast member is 260 seconds. Displaying and debugging IGMP snooping Execute the display command in any view to display the running IGMP snooping configuration, and to verify th...

  • Page 131

    IGMP Snooping Fault Diagnosis and Troubleshooting 129 Networking diagram Figure 35 IGMP snooping configuration network Configuration procedure Enable IGMP snooping globally. [4500]igmp-snooping enable Enable IGMP snooping on VLAN 10. [4500]vlan 10 [4500-vlan10]igmp-snooping enable IGMP snooping faul...

  • Page 132

    130 Chapter 7: IGMP Snooping Diagnosis 3: multicast forwarding table set up on the bottom layer is wrong. 1 Enable IGMP snooping group in user view and then input the command display igmp-snooping group to check if the MAC multicast forwarding table in the bottom layer and that created by IGMP snoopin...

  • Page 133: Acl C

    8 ACL Configuration This chapter covers the following topics: ■ brief introduction to ACL ■ QoS configuration ■ ACL control configuration Brief introduction to ACL A series of matching rules is required for the network devices to identify the packets to be filtered. After identifying the packets, ...

  • Page 134

    132 Chapter 8: ACL Configuration The depth-first principle is to put the statement specifying the smallest range of packets at the top of the list. This can be implemented by comparing the wildcards of the addresses. The smaller the wildcard is, the fewer hosts it can specify. For example, 129...

  • Page 135

    Brief Introduction to ACL 133 ■ If an ACL is used to filter or classify the data transmitted by the hardware of the switch, the match order defined in the acl command will not be effective. If an ACL is used to filter or classify the data treated by the software of the switch, the match order of the ACL’s sub...

  • Page 136

    134 Chapter 8: ACL Configuration Note that port1 and port2 in the above command specify the TCP or UDP ports used by various high-layer applications. For some common port numbers, you can use the mnemonic symbols as a shortcut. For example, “bgp” can represent the TCP port number 179 used by BGP. ...

  • Page 137

    Brief Introduction to ACL 135 Table 138 Defining the user-defined ACL rule-string is a character string defined by a user. It is made up of a hexadecimal character string with an even number of digits. rule-mask offset is used to extract the packet information. Here, rule-mask is the rule mask, used fo...

  • Page 138

    136 Chapter 8: ACL Configuration The matched information of the display acl command specifies the rules treated by the switch’s CPU. For syntax description, refer to the Command Reference Guide. Advanced ACL configuration example Networking requirements The interconnection between different department...

  • Page 139

    Brief Introduction to ACL 137 Activate ACL 3000. [4500-GigabitEthernet1/0/50]packet-filter inbound ip-group 3000 rule 1 Basic ACL configuration example Networking requirements Using a basic ACL, filter the packet whose source IP address is 10.1.1.1 during the time range 8:00 ~ 18:00 every day. The...

  • Page 140

    138 Chapter 8: ACL Configuration Networking diagram Figure 38 Access control configuration example Configuration procedure In the following configurations, only the commands related to ACL configuration are listed. 1 Define the time range Define a time range from 8:00 to 18:00. [4500]time-range 3co...

  • Page 141

    QoS Configuration 139 Packet filter Packet filter is used to filter traffic. For example, the operation “deny” discards the traffic that matches a traffic classification rule, while allowing other traffic to pass through. With complex traffic classification rules, the switch enables the ...

  • Page 142

    140 Chapter 8: ACL Configuration QoS configuration The process of traffic-based QoS: 1 Identify the traffic by ACL 2 Perform the QoS operation on the traffic. The configuration steps of traffic-based QoS: 1 Define the ACL 2 Configure the QoS operation If QoS is not based on traffic, you need not d...

  • Page 143

    QoS Configuration 141 Setting port mirroring Port mirroring means duplicating data on the monitored port to the designated mirror port, for the purpose of data analysis and supervision. The switch supports one monitor port and multiple mirroring ports. If several switches form a fabric, multiple mirrori...

  • Page 144

    142 Chapter 8: ACL Configuration Only one monitor port can be configured on one switch. If a group of switches forms a fabric, only one monitor port can be configured on one fabric. 2 Configure traffic mirroring Perform the following configuration in the Ethernet port view. Table 148 Configuring tr...

  • Page 145

    QoS Configuration 143 Table 152 Map configuration By default, the switch uses the default mapping relationship. Setting traffic limit Traffic limit refers to rate limiting based on traffic. If the traffic threshold is exceeded, corresponding measures will be taken, for example, dropping the excessive p...

  • Page 146

    144 Chapter 8: ACL Configuration Perform the following configuration in the Ethernet port view. Table 155 Configuring WRED operation For details about the command, refer to the Command Reference Guide. Displaying and debugging QoS configuration You can use the display command in any view to see th...

  • Page 147

    QoS Configuration 145 Networking diagram Figure 39 QoS configuration example Configuration procedure Only the commands concerning QoS/ACL configuration are listed here. 1 Define outbound traffic for the wage server. a Enter numbered advanced ACL view. [4500]acl number 3000 b Define the traffic-of-pa...

  • Page 148

    146 Chapter 8: ACL Configuration Networking diagram Figure 40 QoS configuration example Configuration procedure Define port mirroring, with the monitoring port being Ethernet3/0/8. [4500-Ethernet3/0/8]monitor-port [4500-Ethernet3/0/1]mirroring-port both ACL control configuration The switch provides th...

  • Page 149

    ACL Control Configuration 147 Configuration tasks Table 157 lists the commands that you can execute to configure Telnet or SSH user ACL. By default, the incoming/outgoing calls are not restricted on the user interface. ■ You can only use number-based ACLs for Telnet or SSH user ACL control. ■ When t...

  • Page 150

    148 Chapter 8: ACL Configuration ACLs, the incoming/outgoing calls are restricted on the basis of source MAC addresses. As a result, when you use the rules for L2 ACLs, only the source MAC and the corresponding mask, and the time-range keyword, take effect. ■ When you control Telnet and SSH users o...

  • Page 151

    ACL Control Configuration 149 Basic ACL configuration example Configuration prerequisites Only the Telnet users whose IP addresses are 10.110.100.52 and 10.110.100.46 are allowed to access switches. Figure 42 Source IP control over Telnet users accessing the switch Configuration steps # Define basic AC...

  • Page 152

    150 Chapter 8: ACL Configuration ACL control over users accessing switches by SNMP The switch supports remote management through network management software. Network management users can access switches by Simple Network Management Protocol (SNMP). The ACL control over these users can filter illeg...

  • Page 153

    ACL Control Configuration 151 ■ The snmp-agent community, snmp-agent group and snmp-agent usm-user commands can use different ACLs. ■ You can only use number-based basic ACLs for ACL control over network management users. Configuration example Network requirements Only the SNMP users with the IP addr...

  • Page 154

    152 Chapter 8: ACL Configuration Figure 43 ACL control over SNMP users of the switch Configuration steps # Define basic ACLs and rules. system-view System View: return to User View with Ctrl+Z. [4500] acl number 2000 match-order config [4500-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [45...

  • Page 155

    ACL Control Configuration 153 Calling ACL to control HTTP users To control the web network management users with an ACL, call the defined ACL. You can use the following commands to call an ACL. Perform the following configuration in system view. Table 159 Calling ACL to control HTTP users For more info...

  • Page 156

    154 Chapter 8: ACL Configuration.

  • Page 157: Tacking

    9 Stacking This chapter covers the following topics: ■ introduction to stacking ■ configuring a stack ■ stack configuration example Introduction to stacking Several Switch 4500 units can be interconnected to create a “stack”, in which each switch is a unit. The ports used to interconnect all the un...

  • Page 158

    156 Chapter 9: Stacking Specifying the stacking VLAN of the switch You can use the command in the following table to specify the stacking VLAN of the switch. Perform the following configuration in system view. Table 161 Specifying the stacking VLAN of the switch By default, the stacking VLAN is VL...

  • Page 159

    Configuring a Stack 157 ■ If auto-numbering is selected, the system sets the unit ID priority to 10. You can use the fabric save-unit-id command to save the modified unit ID into the unit flash memory and clear the information about the existing one. The unit IDs in a stack are not necessarily numbe...

  • Page 160

    158 Chapter 9: Stacking Table 166 Setting a stack name for switches By default, the stack name is “4500”. Setting an XRN authentication mode for switches Only the switches with the same stack name and XRN authentication mode can constitute a stack. Note: “XRN” is a proprietary 3Com technology for ...

  • Page 161

    Stack Configuration Example 159 Stack configuration example Networking requirements Configure unit ID, unit name, stack name, and authentication mode for four switches, and interconnect them to form a stack. The configuration details are as follows: ■ unit IDs: 1, 2, 3, 4 ■ unit names: unit 1, unit ...

  • Page 162

    160 Chapter 9: Stacking Configure Switch D: [4500]change unit-id 1 to auto-numbering [4500]fabric-port gigabitethernet4/0/51 enable [4500]fabric-port gigabitethernet4/0/52 enable [4500]sysname hello [hello]xrn-fabric authentication-mode simple welcome ■ In the example, it is assumed that the syste...

  • Page 163: Rstp C

    10 RSTP Configuration This chapter covers the following topics: ■ STP overview ■ RSTP configuration ■ RSTP configuration example STP overview Spanning Tree Protocol (STP) is applied in looped networks to block some undesirable redundant paths with certain algorithms and prune the network into a loop-...

  • Page 164

    162 Chapter 10: RSTP Configuration What are the designated bridge and designated port? Figure 47 Designated bridge and designated port For a switch, the designated bridge is a switch in charge of forwarding BPDUs to the local switch via a port called the designated port. For a LAN, the designated b...

  • Page 165

    STP Overview 163 In the figure above, the priorities of Switch A, B and C are 0, 1 and 2, and the path costs of their links are 5, 10 and 4 respectively. 1 Initial state When initialized, each port of the switches will generate the configuration BPDU taking itself as the root with a root path cost as...

  • Page 166

    164 Chapter 10: RSTP Configuration The comparison process of each switch is as follows. ■ Switch A: AP1 receives the configuration BPDU from Switch B and finds out that the local configuration BPDU priority is higher than that of the received one, so it discards the received configuration BPDU. Th...

  • Page 167

    STP Overview 165 CP2 will receive the updated configuration BPDU, {0, 5, 1, BP2}, from Switch B. Since this configuration BPDU is better than the old one, the old BPDU will be updated to {0, 5, 1, BP2}. Meanwhile, CP1 receives the configuration BPDU from Switch A but its configuration BPDU will not ...

  • Page 168

    166 Chapter 10: RSTP Configuration designated port begin to send data again. That is, the root port and designated port should undergo a transitional state for a period of forward delay before they enter the forwarding state. Implement RSTP on the switch The switch implements the Rapid Spanning Tr...

  • Page 169

    RSTP Configuration 167 RSTP configuration The configuration of RSTP changes with the position of the switch in the network, as discussed below. Figure 50 Configuring STP In Figure 50 the Switch 4500 is typically Switch E, F and G. Additionally, it could be Switch C and D. For completeness, configurat...

  • Page 170

    168 Chapter 10: RSTP Configuration Configure the bridge preference of a switch The bridge preference of a switch is 32768. A switch can be made the root bridge by setting its bridge preference to 0. Specify forward delay, hello time, and max age Forward delay is fixed at 15 seconds, hello time at...

  • Page 171

    RSTP Configuration 169 Configure the timeout time factor of a switch If the switch has not received any hello packet from the upstream switch for three times the hello time, it will consider the upstream switch failed and recalculate the spanning tree. In a stable network, it is recommended to set the time...

  • Page 172

    170 Chapter 10: RSTP Configuration After the STP protocol is enabled, the modification of any parameter will result in the recalculation of the spanning tree on the switch. It is therefore recommended to configure all the RSTP parameters before enabling the STP feature on the switch and the port....

  • Page 173

    RSTP Configuration 171 Only after RSTP is enabled on the switch can other configurations take effect. By default, RSTP is enabled. Enable/disable RSTP on a port You can use the following command to enable/disable RSTP on the designated port. To flexibly control the RSTP operations, after RST...

  • Page 174

    172 Chapter 10: RSTP Configuration consequent blocking by configuring the stp-ignore attribute on the appropriate switch. Once an STP-ignored VLAN is configured, the packets of this VLAN will be forwarded on any switch port, with no restriction from the calculated STP path. You can configure the s...

  • Page 175

    RSTP Configuration 173 After a switch is configured as primary root bridge or secondary root bridge, you cannot modify the bridge priority of the switch. A switch can be either a primary or a secondary root bridge, but not both. If the primary root of a spanning tree instance is down or powere...

  • Page 176

    174 Chapter 10: RSTP Configuration that if the forward delay is configured too short, occasional path redundancy may occur. If the forward delay is configured too long, restoring the network connection may take a long time. It is recommended to use the default setting. By default, the bridge forwa...

  • Page 177

    RSTP Configuration 175 You can use the following command to set the multiple of the hello time of a specified bridge. Perform the following configurations in system view. Table 179 Set timeout factor of the bridge It is recommended to set 5, 6 or 7 as the value of multiple in a steady network. B...

  • Page 178

    176 Chapter 10: RSTP Configuration Ethernet port is not connected with any Ethernet port of other bridges, this port should be set as an edge port. If a specified port connected to a port of any other bridge is configured as an edge port, RSTP will automatically detect and reconfigure it as a non-e...

  • Page 179

    RSTP Configuration 177 By default, the switch calculates the default path cost of a port by the IEEE 802.1t standard. Set the priority of a specified port The port priority is an important basis for deciding whether the port can be a root port. In the calculation of the spanning tree, the port with the high...

  • Page 180

    178 Chapter 10: RSTP Configuration link. Note that, for an aggregated port, only the master port can be configured to connect with the point-to-point link. After auto-negotiation, the port working in full duplex can also be configured to connect with such a link. You can manually configure the act...

  • Page 181

    RSTP Configuration 179 again. In this case, the former root port will turn into a BPDU-specified port and the former blocked ports will enter a forwarding state; as a result, a link loop will be generated. The security functions can control the generation of loops. After it is enabled, the root...

  • Page 182

    180 Chapter 10: RSTP Configuration Table 188 Display and debug RSTP RSTP configuration example Networking requirements In the following scenario, Switch C serves as a standby of Switch B and forwards data when a fault occurs on Switch B. They are connected to each other with two links, so that, in...

  • Page 183

    RSTP Configuration Example 181 however, be careful and do not disable those involved. (The following configuration takes GigabitEthernet 1/0/25 as an example.) [4500]interface gigabitethernet 1/0/25 [4500-GigabitEthernet1/0/25]stp disable c To configure Switch A as a root, you can either configure t...

  • Page 184

    182 Chapter 10: RSTP Configuration c Configure Switch C and Switch B to serve as standby of each other and set the bridge priority of Switch C to 8192. [4500]stp priority 8192 d Enable the root protection function on every designated port. [4500]interface ethernet 1/0/1 [4500-Ethernet1/0/1]stp ro...

  • Page 185: 802.1X C

    11 802.1x Configuration This chapter covers the following topics: ■ IEEE 802.1x overview ■ configuring 802.1x ■ AAA and RADIUS protocol configuration For information on setting up a RADIUS server and RADIUS client, refer to Appendix B. For details on how to authenticate the Switch 4500 with a Cisco...

  • Page 186

    184 Chapter 11: 802.1x Configuration provided by 3Com (or by Microsoft Windows XP). The 802.1x authentication server system normally stays in the carrier's AAA center. Authenticator and authentication server exchange information through EAP (Extensible Authentication Protocol) frames. The user and...

  • Page 187

    Configuring 802.1x 185 The EAPOL-Encapsulated-ASF-Alert is related to the network management information and is terminated by the authenticator. Although 802.1x provides user ID authentication, 802.1x itself is not enough to implement the scheme. The administrator of the access device should configure ...

  • Page 188

    186 Chapter 11: 802.1x Configuration this command is used in Ethernet port view, the parameter interface-list cannot be input and 802.1x can only be enabled on the current port. Perform the following configurations in system view or Ethernet port view. Table 189 Enabling/disabling 802.1x You can ...

  • Page 189

    Configuring 802.1x 187 Checking the users that log on to the switch via proxy The following commands are used for checking the users that log on to the switch via proxy. Perform the following configurations in system view or Ethernet port view. Table 192 Checking the users that log on to the switch via proxy...

  • Page 190

    188 Chapter 11: 802.1x Configuration Configuring the authentication method for 802.1x users The following commands can be used to configure the authentication method for 802.1x users. Three methods are available: PAP authentication (the RADIUS server must support PAP authentication), CHAP authentica...

  • Page 191

    Configuring 802.1x 189 handshake-period-value: handshake period. The value ranges from 1 to 1024 in units of seconds and defaults to 15. quiet-period: specify the quiet timer. If an 802.1x user has not passed the authentication, the authenticator will keep quiet for a while (which is specified by q...

  • Page 192

    190 Chapter 11: 802.1x Configuration Displaying and debugging 802.1x After the above configuration, execute the display command in any view to display the running of the VLAN configuration, and to verify the effect of the configuration. Execute the reset command in user view to reset 802.1x statistics. Ex...

  • Page 193

    Configuring 802.1x 191 Networking diagram Figure 53 Enabling 802.1x and RADIUS to perform AAA on the user Configuration procedure The following examples concern most of the AAA/RADIUS configuration commands. For details, refer to the chapter AAA and RADIUS Protocol Configuration. The configurations ...

  • Page 194

    192 Chapter 11: 802.1x Configuration [4500-radius-radius1]timer 5 [4500-radius-radius1]retry 5 9 Set the interval for the system to transmit real-time accounting packets to the RADIUS server. [4500-radius-radius1]timer realtime-accounting 15 10 Configure the system to transmit the user name to the...

  • Page 195

    AAA and RADIUS Protocol Configuration 193 What is RADIUS? Remote Authentication Dial-In User Service, RADIUS for short, is a type of distributed information exchange protocol in client/server architecture. RADIUS can protect the network from the interruption caused by unauthorized access, and it is often used ...

  • Page 196

    194 Chapter 11: 802.1x Configuration Figure 54 Networking when Switch 4500 units are applying RADIUS authentication Configuring AAA AAA configuration includes: ■ creating/deleting an ISP domain ■ configuring relevant attributes of the ISP domain ■ creating a local user ■ setting attributes of the ...

  • Page 197

    AAA and RADIUS Protocol Configuration 195 Table 201 Creating/deleting an ISP domain By default, a domain named “system” has been created in the system. Its attributes are all default values. Configuring relevant attributes of the ISP domain The relevant attributes of an ISP domain include the AAA schem...

  • Page 198

    196 Chapter 11: 802.1x Configuration Table 203 Configuring ISP domain state By default, after an ISP domain is created, the state of the domain is active. Setting access limit Maximum number of users specifies how many users can be contained in the ISP. For any ISP domain, there is no limit to th...

  • Page 199

    AAA and RADIUS Protocol Configuration 197 Enabling/disabling the messenger alert The messenger alert function allows the clients to inform the online users about their remaining online time through the message alert dialog box. The implementation of this function is as follows: ■ On the switch, use the ...

  • Page 201

    AAA and RADIUS Protocol Configuration 199 Note the following two items when you configure these service types: SSH, Telnet or terminal. ■ When you configure a new service type for a user, the system adds the requested service-type to any existing configuration. For example, if the user previously ha...

  • Page 202

    200 Chapter 11: 802.1x Configuration Configuring the RADIUS protocol For the Switch 4500, the RADIUS protocol is configured on a per-RADIUS-scheme basis. In a real networking environment, a RADIUS scheme can be an independent RADIUS server or a set of primary/secondary RADIUS servers with the sa...

  • Page 203

    AAA and RADIUS Protocol Configuration 201 Several ISP domains can use a RADIUS scheme at the same time. You can configure up to 16 RADIUS schemes, including the default scheme named system. By default, the system has a RADIUS scheme named system whose attributes are all default values. The de...

  • Page 204

    202 Chapter 11: 802.1x Configuration Perform the following configurations in RADIUS scheme view. Table 215 Configuring RADIUS accounting servers By default, for a newly created RADIUS scheme, the IP address of the primary accounting server is 0.0.0.0, and the UDP port number of this server is...

  • Page 205

    AAA and RADIUS Protocol Configuration 203 Table 216 Setting the maximum number of unanswered real-time accounting requests How to calculate the value of retry-times? Suppose that the RADIUS server connection will time out in T and the real-time accounting interval of the NAS is t, then the intege...

  • Page 206

    204 Chapter 11: 802.1x Configuration Table 219 Enabling the selection of RADIUS accounting option This command can also be configured in ISP domain view. For details, refer to Configuring relevant attributes of the ISP domain. Setting the RADIUS packet encryption key The RADIUS client (switch syst...

  • Page 207

    AAA and RADIUS Protocol Configuration 205 You can use the following command to set the supported types of RADIUS servers. Perform the following configurations in RADIUS scheme view. Table 222 Setting the supported type of the RADIUS server By default, the newly created RADIUS scheme supports the ser...

  • Page 208

    206 Chapter 11: 802.1x Configuration Table 224 Setting the username format transmitted to the RADIUS server If a RADIUS scheme is configured not to allow usernames including ISP domain names, the RADIUS scheme shall not be used in more than one ISP domain at the same time. Otherwise, the RADIUS serv...

  • Page 209

    AAA and radius protocol configuration 207. Configuring source address for radius packets sent by nas: perform the following configurations in the corresponding view. Table 227 configuring source address for the radius packets sent by the nas. You can use either command to bind a source address with the...

  • Page 210

    208 Chapter 11: 802.1x Configuration. The value of minute is related to the performance of the nas and the radius server. The smaller the value, the higher the performance required of the nas and the radius server. When there are a large number of users (1000 or more), 3com suggests a larger value....

  • Page 211

    AAA and radius protocol configuration 209. AAA and radius protocol configuration example: for the hybrid configuration example of aaa/radius protocol and 802.1x protocol, refer to “802.1x configuration example” on page 190. Configuring the ftp/telnet user authentication at a remote radius server conf...

  • Page 212

    210 Chapter 11: 802.1x Configuration. Networking topology: figure 55 configuring the remote radius authentication for telnet users. Configuration procedure: 1 add a telnet user. For details about configuring ftp and telnet users, refer to user interface configuration in the getting started chapter. 2 ...

  • Page 213

    AAA and radius protocol configuration 211. Networking diagram: figure 56 local authentication for telnet users. Configuration procedure: 1 method 1: using local scheme. a apply aaa authentication to telnet users. [4500-ui-vty0-4]authentication-mode scheme b create a local user telnet. [4500]local-user t...

  • Page 214

    212 Chapter 11: 802.1x Configuration. It is not recommended that you change the system domain, as it could result in locking all users out of the switch. This could happen if you change the default local scheme to use an external radius server which is unavailable. 1 a new radius scheme should be ...

  • Page 215

    AAA and radius protocol configuration 213. 802.1x is enabled on port ethernet1/0/10 802.1x is enabled on port ethernet1/0/11 802.1x is enabled on port ethernet1/0/12 802.1x is enabled on port ethernet1/0/14 802.1x is enabled on port ethernet1/0/15 802.1x is enabled on port ethernet1/0/16 802.1x is en...

  • Page 216

    214 Chapter 11: 802.1x Configuration. AAA and radius protocol fault diagnosis and troubleshooting: the radius protocol of the tcp/ip protocol suite is located on the application layer. It mainly specifies how to exchange user information between the nas and the radius server of the isp. So it is likely to be in...

  • Page 217

    AAA and radius protocol configuration 215. Problem diagnosis: the switch 4500 provides debugging of radius. Terminal debugging can be enabled with the command: terminal debugging. Once enabled, different debug traces can be sent to the terminal. For example, to turn on radius debugging, enter the co...

  • Page 218

    216 Chapter 11: 802.1x Configuration.

  • Page 219: File

    12 File System Management. This chapter covers the following topics: ■ file system overview ■ configuring file management ■ ftp overview ■ tftp overview ■ mac address table management ■ device management ■ system maintenance and debugging ■ displaying the state and information of the system ■ test...

  • Page 220

    218 Chapter 12: File System Management. ...a specified directory. You can use the following commands to perform directory operations. Perform the following configuration in user view. Table 233 directory operation. File operation: the file system can be used to delete or undelete a file and permanentl...

  • Page 221

    Configuring file management 219. Table 235 execute the specified batch file. Storage device operation: the file system can be used to format a specified memory device. You can use the following commands to format a specified memory device. Perform the following configuration in user view. Table 236 sto...

  • Page 222

    220 Chapter 12: File System Management. Displaying the current-configuration and saved-configuration of the switch: after being powered on, the system reads the configuration files from flash for the initialization of the device. (Such configuration files are called saved-configuration files.) If ...

  • Page 223

    FTP overview 221. You may erase the configuration files from the flash in the following cases: ■ after being upgraded, the software does not match the configuration files. ■ the configuration files in flash are damaged. (A common case is that a wrong configuration file has been downloaded.) Conf...

  • Page 224

    222 Chapter 12: File System Management. Table 243 configuration of the switch as ftp client. Table 244 configuration of the switch as ftp server. The prerequisite for normal ftp function is that the switch and pc are reachable. Enabling/disabling ftp server: you can use the following commands to ena...

  • Page 225

    FTP overview 223. Only the clients who have passed the authentication and authorization successfully can access the ftp server. Configuring the running parameters of ftp server: you can use the following commands to configure the connection timeout of the ftp server. If the ftp server receives no serv...

  • Page 226

    224 Chapter 12: File System Management. ...on the pc. The ip address of a vlan interface on the switch is 1.1.1.1, and that of the pc is 2.2.2.2. The switch and pc are reachable. The switch application switch.app is stored on the pc. Using ftp, the switch can download the switch.app from the remote ...

  • Page 227

    FTP overview 225. [ftp]quit 7 use the boot boot-loader command to specify the downloaded program as the application at the next login and reboot the switch. boot boot-loader switch.app reboot. FTP server configuration example. Networking requirement: the switch serves as ftp server and the remote pc as ...

  • Page 228

    226 Chapter 12: File System Management. boot boot-loader switch.app reboot. TFTP overview: trivial file transfer protocol (tftp) is a simple protocol for file transmission. Compared with ftp, another file transmission protocol, tftp has no complicated interactive access interface or authentication ...

  • Page 229

    TFTP overview 227. Uploading files by means of tftp: to upload a file, the client sends a request to the tftp server and then transmits data to it and receives the acknowledgement from it. You can use the following commands to upload files. Perform the following configuration in user view. Table 251 u...

  • Page 230

    228 Chapter 12: File System Management. [4500-vlan-interface1]quit 5 upload the config.cfg to the tftp server. tftp 1.1.1.2 put config.cfg config.cfg 6 download the switch.app from the tftp server. tftp 1.1.1.2 get switch.app switch.app 7 use the boot boot-loader command to specify the downloaded...

  • Page 231

    MAC address table management 229. You can configure (add or modify) the mac address entries manually according to the actual networking environment. The entries can be static ones or dynamic ones. Mac address table configuration: mac address table management includes: ■ set mac address table entries ■...

  • Page 232

    230 Chapter 12: File System Management. Table 253 set the mac address aging time for the system. In addition, this command takes effect on all the ports. However, the address aging only functions on dynamic addresses (manual entries added to the switch are not aged). By default, the aging-time ...

  • Page 233

    MAC address table management 231. Mac address table management display example. Networking requirements: the user logs into the switch via the console port to display the mac address table. Switch: display the entire mac address table of the switch. If this switch is a member of a stack, then the entire ...

  • Page 234

    232 Chapter 12: File System Management. Networking diagram: figure 64 typical configuration of address table management. Configuration procedure: 1 enter the system view of the switch. system-view 2 add a mac address (specify the native vlan, port and state). [4500]mac-address static 00e0-fc35-dc71 ...

  • Page 235

    Device management 233. Table 256 reboot the switch. Enabling the timing reboot function: after enabling the timing reboot function on the switch, the switch will be rebooted at the specified time. Perform the following configuration in user view, and the display schedule reboot command can be performed...

  • Page 236

    234 Chapter 12: File System Management. Table 260 display and debug device management. Device management configuration example. Networking requirement: the user logs into the switch using telnet, downloads the application from the ftp server to the flash memory of the switch, and implements remote u...

  • Page 237

    System maintenance and debugging 235. Caution: if the flash memory of the switch is not enough, you need to first delete the existing programs in the flash memory and then upload the new ones. 3 type in the correct command in user view to establish the ftp connection, then enter the correct username and ...

  • Page 238

    236 Chapter 12: File System Management. Setting the system clock: perform the clock datetime command in user view. Table 262 set the system clock. Setting the time zone: you can configure the name of the local time zone and the time difference between the local time and the standard ...

  • Page 239

    Displaying the state and information of the system 237. ■ sending output information of the commands from the switch you have logged into to your terminal. ■ supporting simultaneous configuration by multiple users. You cannot configure the configuration agent, but can view the statistics of the confi...

  • Page 240

    238 Chapter 12: File System Management. Figure 66 debug output. You can use the following commands to control the above-mentioned debugging. Perform the following operations in user view. Table 266 enable/disable the debugging. For more about the usage and format of the debugging commands, refer to...

  • Page 241

    Testing tools for network connection 239. After the synchronization of the whole fabric, a great deal of terminal output is generated. It is recommended that you do not enable the information synchronization switch for the whole fabric. If you enabled the information synchronization switch, after the synchr...

  • Page 242

    240 Chapter 12: File System Management. Table 269 test periodically if the ip address is reachable. The switch can ping an ip address every minute to test if it is reachable. At most three ping packets are sent for every ip address in each test, with a time interval of five seconds. If t...

  • Page 243

    Logging function 241. When the log information is output to the info-center, the first part will be “ ”. For example: jun 7 05:22:03 2003 4500 ifnet/6/updown:line protocol on interface ethernet1/0/2, changed state to up. The description of the components of log information is as follows: 1 priority th...

  • Page 244

    242 Chapter 12: File System Management. There is a blank between sysname and module name. 4 module name: the module name is the name of the module which created this logging information; the following table lists some examples: table 270 module names in logging information. module name description 8021...

  • Page 245

    Logging function 243. Note that there is a slash ('/') between module name and severity. 5 severity: switch information falls into three categories: log information, debugging information and trap information. The info-center classifies every kind of information into 8 severity or urgency levels. The l...

  • Page 246

    244 Chapter 12: File System Management. Note that there is a colon between digest and content. 7 content: it is the contents of the logging information. Info-center configuration: the switch supports six output directions of information. The system assigns a channel in each output direction by default....

  • Page 247

    Logging function 245. 2 sending the information to the control terminal. Table 274 sending the information to the control terminal. 3 sending the information to the monitor terminal. Table 275 sending the information to the monitor terminal. 4 sending the information to the log buffer. Device configuration defaul...

  • Page 248

    246 Chapter 12: File System Management. Table 276 sending the information to log buffer. 5 sending the information to trap buffer. Table 277 sending the information to trap buffer. 6 sending the information to snmp. Table 278 sending the information to snmp. 7 turn on/off the information synchronizat...

  • Page 249

    Logging function 247. Figure 68 turn on/off the information synchronization switch in fabric. Sending the information to loghost: to send information to the loghost, follow the steps below: 1 enabling info-center. Perform the following operation in system view. Table 279 enable/disable info-center. info-...

  • Page 250

    248 Chapter 12: File System Management. Figure 69 defining information source. modu-name specifies the module name; default represents all the modules; level refers to the severity levels; severity specifies the severity level of information. The information with a level below it will not be out...

  • Page 251

    Logging function 249. Info-center is enabled by default. After info-center is enabled, system performance is affected when the system processes a large amount of information, because of information classification and output. 2 configuring output of information to the control terminal. Perform the following o...

  • Page 252

    250 Chapter 12: File System Management. Table 285 configuring the output format of time-stamp. 4 enable terminal display function: to view the output information at the control terminal, you must first enable the corresponding log, debugging and trap information functions at the switch. For example...

  • Page 253

    Logging function 251. 3 configuring information source on the switch: with this configuration, you can define which information is sent to the telnet terminal or dumb terminal, by generating module, information type, information level, and so on. Perform the following operation in syst...

  • Page 254

    252 Chapter 12: File System Management. For example, if you have set the log information as the information sent to the telnet terminal or dumb terminal, you need to use the terminal logging command to enable the terminal display function of log information on the switch, then you can view the in...

  • Page 255

    Logging function 253. Perform the following operation in system view: table 294 defining the information source. modu-name specifies the module name; default represents all the modules; level refers to the severity levels; severity specifies the severity level of information. The information with the ...

  • Page 256

    254 Chapter 12: File System Management. Info-center is enabled by default. After info-center is enabled, system performance is affected when the system processes a large amount of information, because of information classification and output. 2 configuring output of information to the trap buffer. Perfor...

  • Page 257

    Logging function 255. Table 299 configuring the output format of time-stamp. Sending the information to snmp network management: to send information to snmp nm, follow the steps below: 1 enabling info-center. Perform the following operation in system view. Table 300 enabling/disabling info-center. info-c...

  • Page 258

    256 Chapter 12: File System Management. Every channel has been set with a default record, whose module name is default and the module number is 0xffff0000. However, for different channels, the default record may have different default settings of log, trap and debugging. When there is no specific...

  • Page 259

    Logging function 257. Table 305 turn on/off the information synchronization switch of every switch. You can turn on/off the synchronization switch of the specified information on the specified switch as needed. Displaying and debugging info-center: after the above configuration, performing the display ...

  • Page 260

    258 Chapter 12: File System Management. Networking diagram: figure 71 schematic diagram of configuration. Configuration procedure: 1 configuration on the switch. a enabling info-center [4500]info-center enable b set the host with the ip address of 202.38.1.10 as the loghost; set the severity level th...

  • Page 262

    260 Chapter 12: File System Management. a perform the following commands as the super user (root). # mkdir /var/log/4500 # touch /var/log/4500/information b edit file /etc/syslog.conf as the super user (root), add the following selector/action pairs. # 4500 configuration messages local7.info /var/l...

  • Page 263

    SNMP configuration 261. Networking diagram: figure 73 schematic diagram of configuration. Configuration procedure: 1 configuration on the switch. Enabling info-center [4500]info-center enable 2 configure control terminal log output; allow modules arp and ip to output information; the severity level is res...

  • Page 264

    262 Chapter 12: File System Management. SNMP versions and supported mib: to uniquely identify the management variables of a device in snmp messages, snmp adopts the hierarchical naming scheme to identify the managed objects. It is like a tree. A tree node represents a managed object, as shown in t...

  • Page 265

    SNMP configuration 263. Configure snmp: the main configuration of snmp includes: ■ set community name ■ set the method of identifying and contacting the administrator ■ enable/disable snmp agent to send trap ■ set the destination address of trap ■ set snmp system information ■ set the engine id of a l...

  • Page 266

    264 Chapter 12: File System Management. Table 308 enable/disable snmp agent to send trap. Setting the destination address of trap: you can use the following commands to set or delete the destination address of the trap. Perform the following configuration in system view. Table 309 set the destinati...

  • Page 267

    SNMP configuration 265. By default, the syslocation is specified as a blank string, that is, “”. Setting the engine id of a local or remote device: you can use the following commands to set the engine id of a local or remote device. Perform the following configuration in system view. Table 312 set the...

  • Page 268

    266 Chapter 12: File System Management. Table 315 add/delete a user to/from an snmp group. Creating/updating view information or deleting a view: you can use the following commands to create, update the information of views or delete a view. Perform the following configuration in system view. Table...

  • Page 269

    SNMP configuration 267. If the user disables the snmp agent, it will be enabled again whichever snmp-agent command is configured thereafter. Displaying and debugging snmp: after the above configuration, execute the display command in any view to display the running snmp configuration, and to verify the effect ...

  • Page 270

    268 Chapter 12: File System Management. Networking diagram: figure 75 snmp configuration example. Configuration procedure: 1 enter the system view. system-view 2 set the community name, group name and user. [4500]snmp-agent sys-info version all [4500]snmp-agent community write public [4500]snmp-age...

  • Page 271

    SNMP configuration 269. Reading usmusr table configuration example. Networking requirements: viewdefault view should be reconfigured if you use snmp v3 to read the usmusr table. The snmpvacmmib and snmpusmmib should be included in viewdefault view. Networking diagram: figure 76 snmp configuration exampl...

  • Page 272

    270 Chapter 12: File System Management. view name:viewdefault mib subtree:snmpmodules.18 subtree mask: storage-type: nonvolatile view type:excluded view status:active. RMON configuration: remote network monitoring (rmon) is a type of ietf-defined mib. It is the most important enhancement to the mib...

  • Page 273

    RMON configuration 271. ■ add/delete an entry to/from the statistics table. Adding/deleting an entry to/from the alarm table: rmon alarm management can monitor the specified alarm variables such as the statistics on a port. When a value of the monitored data exceeds the defined threshold, an alarm even...

  • Page 274

    272 Chapter 12: File System Management. Table 323 add/delete an entry to/from the history control terminal. Adding/deleting an entry to/from the extended rmon alarm table: you can use the command to add/delete an entry to/from the extended rmon alarm table. Perform the following configuration in s...

  • Page 275

    RMON configuration 273. RMON configuration example. Networking requirements: set an entry in the rmon ethernet statistics table for ethernet port performance, which is convenient for network administrators to query. Networking diagram: figure 77 rmon configuration networking. Configuration procedure: 1 conf...

  • Page 276

    274 Chapter 12: File System Management. SSH terminal services: secure shell (ssh) can provide information security and strong authentication to prevent such attacks as ip address spoofing and plain-text password interception when users log on to the switch remotely from an insecure network environ...

  • Page 277

    SSH terminal services 275. ...authentication and rsa authentication. In the first type, the server compares the username and password received with those configured locally. The user is allowed to log on to the switch if the usernames and passwords match exactly. Rsa authentication works in this way: th...

  • Page 278

    276 Chapter 12: File System Management. Caution: if the ssh protocol is specified, to ensure a successful login, you must configure aaa authentication using the authentication-mode scheme command. The protocol inbound ssh configuration fails if you configure authentication-mode password and authe...

  • Page 279

    SSH terminal services 277. By default, the system does not update the server key. Defining ssh authentication timeout value: perform the following configurations in system view. Table 331 defining ssh authentication timeout value. By default, the timeout value for ssh authentication is 60 seconds. Defining...

  • Page 280

    278 Chapter 12: File System Management. Figure 79 starting/terminating public key editing. Associating public key with ssh user: perform the following configurations in system view. Figure 80 associating public key with ssh user. Configuring ssh client: there are several types of ssh client so...

  • Page 281

    SSH terminal services 279. Figure 81 putty key generator. When the generation process has finished, save the generated public and private keys to files using the save buttons. Run the sshkey program. This converts the ssh public key to the format required by the switch. Open the public key file generated ...

  • Page 282

    280 Chapter 12: File System Management. Figure 82 ssh key convert. Use the save button to save this converted key to a file. Open the public key file in notepad and add the following lines of text before the existing text: rsa peer-public-key mykey public-key-code begin where mykey is a name used to ...

  • Page 283

    SSH terminal services 281. Figure 83 text file of mykey. Save this to a file ending with a ".bat" extension, for example "keys.bat". This file can be transferred to the switch using ftp or tftp. The key is installed using the execute command in system view: [4500]execute keys.bat. Specifying server ...

  • Page 284

    282 Chapter 12: File System Management. Figure 84 ssh client configuration interface (1). In the host name (or ip address) text box, key in the ip address of the switch, for example 10.110.28.10. You can also input the ip address of an interface in up state, but its route to the ssh client pc must be ...

  • Page 285

    SSH terminal services 283. Figure 85 ssh client configuration interface (2). You can select 1, as shown in the above figure. Specifying rsa private key file: if you want to enable rsa authentication, you must specify the rsa private key file, which is not required for password authentication. Click [ssh/au...

  • Page 286

    284 Chapter 12: File System Management. Figure 86 ssh client configuration interface (3). Click browse to enter the file select interface. Choose the desired file and click ok. Opening ssh connection: click open to enter the ssh client interface. If it runs normally, you are prompted to enter username an...

  • Page 287

    SSH terminal services 285. Log out of the ssh connection with the logout command. Displaying and debugging ssh: run the display command in any view to view the running state of ssh and to check the configuration result. Run the debugging command to debug ssh. Perform the following configurations in any ...

  • Page 288

    286 Chapter 12: File System Management. ...connected to the switch and access the switch using username “client001” and password “3com”. 3 for rsa authentication mode: create local user client002. [4500]local-user client002 [4500-luser-client002]service-type ssh 4 specify aaa authentication on the us...

  • Page 289: Password

    13 Password Control Configuration Operations. Introduction to password control configuration: the password control feature is designed to manage the following passwords: ■ telnet passwords: passwords used by the users who log in to the switch through telnet. ■ ssh passwords: passwords used by the use...

  • Page 290

    288 Chapter 13: Password Control Configuration Operations. History password recording: a password configured and once used by a user is called a history (old) password. The switch is able to record the user history passwords. Users cannot successfully update their passwords if they use a history...

  • Page 291

    Password control configuration 289. Password control configuration. Configuration prerequisites: a user pc is connected to the s3200 switches to be configured; both devices are operating normally. Configuration tasks: the following sections describe the configuration tasks for password control: ■ config...

  • Page 292

    290 Chapter 13: Password Control Configuration Operations. ...minimum password length (if available), the enable/disable state of history password recording, the processing mode for login attempt failures, and the time when the password history was last cleared. If all the password attempts of a us...

  • Page 293

    Password control configuration 291. Caution: after the user updates the password successfully, the switch saves the old password in a readable file in the flash memory. Caution: the switch does not provide the alert function for super passwords. Caution: the switch does not provide the alert function...

  • Page 294

    292 Chapter 13: Password Control Configuration Operations. Caution: when updating a password, do not reuse one of the recorded history passwords; otherwise, the system will prompt you to reset the password. The system administrator can perform the following operations to manually remove history p...

  • Page 295

    Password control configuration 293. When the maximum number of attempts is exceeded, the system operates in one of the following processing modes: ■ locktime: in this mode, the system prevents the user from logging in again within a certain time period. After that period of time, the user is allowed to log in to the s...

  • Page 296

    294 Chapter 13: Password Control Configuration Operations. If password authentication is completed without timing out, the user logs in to the switch normally. Displaying password control: after the above configurations, you can execute the display command in any view to display the operation ...

  • Page 297

    Password control configuration example 295. Configuration procedure: # configure the system login password. system-view system view: return to user view with ctrl+z. [4500]local-user test new local user added. [4500-luser-test]password password:********** confirm:********** # change the system login p...

  • Page 298

    296 Chapter 13: Password Control Configuration Operations.

  • Page 299: Password

    A Password Recovery Process. Introduction: the switch 4500 has two separate password systems: ■ passwords which are used by the web user interface and the cli and are stored in the 3comoscfg.cfg file. For more information on this, refer to the getting started guide that accompanies your switch. ■ a...

  • Page 300

    298 Appendix A: Password Recovery Process. Bootrom interface: during the initial boot phase of the switch (when directly connected via the console), various messages are displayed and the following prompt is shown with a five second countdown timer: press ctrl-b to enter boot menu... 4 before the ...

  • Page 301

    Bootrom interface 299. Skipping the current configuration file: enter boot menu option 7 to enable the switch to boot from the factory default configuration file 3comoscfg.def. When the switch has booted from the factory default, it can be configured with an ip address and default gateway if needed. T...

  • Page 302

    300 Appendix A: Password Recovery Process. Bootrom password recovery: select option 8 to set the bootrom password recovery. The following is displayed: warning: if disable the bootrom password recovery, the super password based on switch mac address is invalid! The current mode is enable bootrom ...

  • Page 303: Radius Server

    B RADIUS Server and RADIUS Client Setup. This appendix covers the following topics: ■ setting up a radius server ■ setting up the radius client. Setting up a radius server: there are many third party applications available to configure a radius server. 3com has successfully installed and tested the ...

  • Page 304

    302 Appendix B: RADIUS Server and RADIUS Client Setup. ...and computers window, right-click the domain and choose properties, select change mode. c add a user that is allowed to use the network. Go to active directory users and computers; from the left hand window right-click the users folder and choose...

  • Page 305

    Setting up a radius server 303. e the password for the user must be set to be stored using reversible encryption. Right-click the user account and select properties. Select the account tab, check the box labeled store password using reversible encryption. f now re-enter the password for the account, rig...

  • Page 306

    304 Appendix B: RADIUS Server and RADIUS Client Setup. In the certificate authority type window select enterprise root ca. Enter information to identify the certificate authority on the ca identifying information window. Enter the storage location on the data storage location window. To complete t...

  • Page 307

    Setting up a radius server 305. 5 configure a certificate authority. a go to programs > administrative tools > certification authority and right-click policy settings under your certificate authority server. b select new > certificate to issue. c select authenticated session and select ok. d go to prog...

  • Page 308

    306 Appendix B: RADIUS Server and RADIUS Client Setup. e select the group policy tab, and ensure that the default domain policy is highlighted. Click edit to launch the group policy editor. f go to computer configuration > windows settings > security settings > public key policies, and right-clic...

  • Page 309

    Setting up a radius server 307. i open up a command prompt (start > run, enter cmd). Enter secedit /refreshpolicy machine_policy. The command may take a few minutes to take effect. 6 set up the internet authentication service (ias) radius server. a go to programs > administrative tools > internet aut...

  • Page 310

    308 Appendix B: RADIUS Server and RADIUS Client Setup. h select grant remote access permission, and select next. i click on edit profile... and select the authentication tab. Ensure extensible authentication protocol is selected, and smart card or other certificate is set. Deselect any other authe...

  • Page 311

    Setting up a RADIUS server 309 b Select the Dial-in tab from the client properties window. Select Allow access. Click OK. c Click OK to confirm. 8 Configure the Switch 4500 for RADIUS access and client authentication; see Chapter 11 “802.1x Configuration”. 9 Generate a certificate by requesting a ce...

  • Page 312

    d Select Advanced request and click Next >. e Select the first option and click Next >. f Either copy the settings from the screenshot below or choose different key options. Click Save to save the PKCS #10 file. The PKCS #10 file is used to gen...

  • Page 313

    Setting up a RADIUS server 311 followed by this warning message; select Yes and then OK. The PKCS #10 file is now saved to the local drive. h To generate a portable certificate using PKCS #10, click the Home hyperlink at the top right of the CA web page. i Select Request a certificate > Next > Advance...

  • Page 314

    l Paste the copied information into the Saved Request field as shown below. Select Authenticated Session from the Certificate Template selector and click Submit >. m Download the certificate and certification path. Click on the Download CA cer...

  • Page 315

    Setting up a RADIUS server 313 o Click Install Certificate to launch the Certificate Import Wizard. p Leave the settings on the next screen as they are; click Next >, followed by Finish and OK. This installs the certificate. q Launch the Certification Authority management tool on the server and expand t...

  • Page 316

    s Click Copy to File to save the certificate. This was already done by the advanced request, but it is an alternative way to save the certificate. Click Next when the wizard is launched. Save the certificate using DER ...

  • Page 317

    Setting up a RADIUS server 315 u Select the user that becomes the IEEE 802.1x client. Right-click the user and select Name Mappings. Select Add. v Select the certificate that you have just exported and click Open. Click OK. w In the Security Identity Mapping screen, click OK to close it. x Close th...

  • Page 318

    b Create a new remote access policy under IAS and name it Switch Login. Select Next >. c Specify Switch Login to match the users in the Switch Access group; select Next >. d Allow Switch Login to grant access to these users; select Next >.

  • Page 319

    Setting up a RADIUS server 317 e Use the Edit button to change the Service-Type to Administrative. f Add a vendor-specific attribute to indicate the access level that should be provided:

  • Page 320

    The value 010600000003 indicates administrator privileges on the switch; the final byte is the access level, where 01 indicates monitor access and 02 manager access. On the Switch 4500, 00 indicates visitor level. 11 Configure the RADIUS client. Refer to section Setting up the...

  • Page 321

    Setting up a RADIUS server 319 Follow these steps to set up Auto VLAN and QoS for use by Microsoft IAS: 1 Define the VLAN groups on the Active Directory server and assign the user accounts to each VLAN group. Go to Programs > Administrative Tools > Active Directory Users and Computers. a For example,...

  • Page 322

    d Go to Programs > Administrative Tools > Internet Authentication Service and select Remote Access Policies. Select the policy that you configured earlier, right-click and select Properties. e Click Add to add policy membership. f Select the...

  • Page 323

    Setting up a RADIUS server 321 g Select the VLAN group that you have just created, click Add and then OK to confirm. h Click OK again to return to the security policy properties. i Click Edit Profile... and select the Advanced tab. Click Add. Refer to Table 346 and Table 348 for the RADIUS at...

  • Page 324

    Table 346 Summary of Auto VLAN attributes. Table 348 Summary of QoS attributes. j Select Tunnel-Medium-Type and click Add. k Ensure that the attribute value is set to 802 and click OK. l Click OK again on the Multivalued Attribute Information s...

  • Page 325

    Setting up a RADIUS server 323 m Select the Tunnel-Pvt-Group-ID entry and click Add. n Click Add, ensure that the attribute value is set to 4 (attribute value in string format) and click OK. This value is the VLAN ID. o Click OK again on the Multivalued Attribute Information screen to retur...

  • Page 326

    p Click Add again. In the pull-down menu, select Virtual LANs and click OK. q Click OK again to return to the Add Attributes screen. Click Close. You will now see the added attributes. r Click OK to close the profile screen and OK again to...
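Worked example, added here and not code from the 3Com guide: the Python below builds the return-list attributes described on page 320 (the 010600000003 vendor-specific value) and on pages 323 to 326 (Tunnel-Medium-Type 802, Tunnel-Pvt-Group-ID "4", Tunnel-Type Virtual LANs) as RADIUS wire bytes, then decodes them the way the switch has to, including the length checks a malformed reply must fail. Two values are assumptions not stated on this page: 3Com's IANA enterprise number 43 and vendor-type 1 for 3Com-User-Access-Level (both as in the FreeRADIUS dictionary.3com); the tunnel attribute numbers and tagged encoding follow RFC 2868 and RFC 3580.

```python
"""Encode and decode the RADIUS return-list attributes a Switch 4500
expects for management access level and Auto VLAN.

Added example, not from the 3Com guide. Assumptions beyond the page:
3Com enterprise number 43 and vendor-type 1 for 3Com-User-Access-Level
(as in the FreeRADIUS dictionary.3com); Tunnel-Type (64),
Tunnel-Medium-Type (65) and Tunnel-Private-Group-Id (81) use the
tagged encoding of RFC 2868.
"""
import struct

VENDOR_3COM = 43                 # assumption: 3Com IANA enterprise number
VSA_USER_ACCESS_LEVEL = 1        # assumption: vendor-type of 3Com-User-Access-Level

ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13            # "Virtual LANs" in the IAS pull-down
TUNNEL_MEDIUM_IEEE_802 = 6       # the "802" value entered in IAS

# Access levels from the appendix: 00 visitor, 01 monitor, 02 manager, 03 administrator
ACCESS_LEVELS = {0: "visitor", 1: "monitor", 2: "manager", 3: "administrator"}


def encode_3com_access_level(level):
    """Vendor payload for 3Com-User-Access-Level: vendor-type (01),
    vendor-length (06) and a 32-bit level. Level 3 gives 010600000003,
    the string typed into the IAS vendor-specific attribute dialog."""
    if level not in ACCESS_LEVELS:
        raise ValueError("unknown access level %r" % level)
    return struct.pack("!BBI", VSA_USER_ACCESS_LEVEL, 6, level)


def encode_vendor_specific(vendor_id, payload):
    """Wrap a vendor payload in a RADIUS Vendor-Specific (26) attribute."""
    body = struct.pack("!I", vendor_id) + payload
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def encode_tagged_int(attr_type, value, tag=0):
    """Tagged integer (RFC 2868): one tag byte followed by a 24-bit value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, text, tag=0):
    """Tagged string (RFC 2868), e.g. Tunnel-Private-Group-Id "4"."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def build_return_list(level, vlan_id):
    """The attribute set of steps f and j to q as RADIUS wire bytes."""
    return (encode_vendor_specific(VENDOR_3COM, encode_3com_access_level(level))
            + encode_tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan_id))
            + encode_tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN))


def parse_attributes(data):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting
    lengths that do not fit the buffer (the check a switch must make)."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length %d" % length)
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def is_well_formed(data):
    """True if every attribute length fits, False for a malformed list."""
    try:
        parse_attributes(data)
        return True
    except ValueError:
        return False


def decode_return_list(data):
    """Interpret the attributes as the switch does: access level from the
    3Com VSA, tunnel type/medium, and the VLAN from Tunnel-Private-Group-Id."""
    result = {}
    for attr_type, value in parse_attributes(data):
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 4:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor != VENDOR_3COM:
                continue  # another vendor's VSA: ignore rather than fail
            for vtype, vvalue in parse_attributes(value[4:]):
                if vtype == VSA_USER_ACCESS_LEVEL and len(vvalue) == 4:
                    level = struct.unpack("!I", vvalue)[0]
                    result["access_level"] = ACCESS_LEVELS.get(level, "unknown")
        elif attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            key = "tunnel_type" if attr_type == ATTR_TUNNEL_TYPE else "tunnel_medium"
            result[key] = int.from_bytes(value[1:], "big")   # skip the tag byte
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a leading byte <= 0x1F is a tag, anything larger is text
            if value[0] <= 0x1F:
                value = value[1:]
            result["vlan"] = value.decode("ascii", "replace")
    return result


if __name__ == "__main__":
    wire = build_return_list(3, 4)
    print(encode_3com_access_level(3).hex())
    print(decode_return_list(wire))
```

The first line printed is 010600000003, the value from page 320. The Funk RADIUS and FreeRADIUS return lists later in this appendix carry the same four attributes, only written in each server's dictionary names, so the decoder applies to replies from any of the three servers.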

  • Page 327

    Setting up a RADIUS server 325 To configure Funk RADIUS as a RADIUS server for networks with the Switch 4500, follow these steps: 1 Open the file eap.ini in \radius\service and remove the ";" before the MD5-Challenge line. This enables MD5-Challenge. 2 Open the file radius.ini in \radius\service and chan...

  • Page 328

    3 Either reboot the server or stop and then restart the RADIUS service. To stop and restart the Steel-Belted RADIUS service, go to Control Panel > Administrative Tools > Services. Scroll down to the Steel-Belted service, stop and restart it. Fun...

  • Page 329

    Setting up a RADIUS server 327 Passwords are case sensitive. 6 Enter the shared secret used to protect the authentication data. The shared secret must be identical on the Switch 4500 and the RADIUS server; it hides the User-Password attribute and authenticates each RADIUS packet, but the rest of the exchange travels in clear, so use a long random secret and keep RADIUS traffic on a management network. a Select RAS Clients from the left-hand list, enter a client name, the IP address and the shared se...

  • Page 330

    Configuring Auto VLAN and QoS for Funk RADIUS. To set up Auto VLAN and QoS using Funk RADIUS, follow these steps: 1 Edit the dictionary file radius.dct so that return-list attributes from the Funk RADIUS server are returned to the Switch 4500....

  • Page 331

    Setting up a RADIUS server 329 The following example shows the user name homer with the correct return-list attributes inserted; the VLANs and QoS profiles must also be created on the 3Com Switch 4500. Configuring FreeRADIUS. 3Com has successfully installed and tested FreeRADIUS running on Solaris 2....

  • Page 332

    b Edit the existing file dictionary in /usr/local/etc/raddb to add the following line: $INCLUDE dictionary.3com The new file dictionary.3com will be used in configuring the FreeRADIUS server. 3 Locate the existing file users in /usr/local/etc/...

  • Page 333

    Setting up the RADIUS client 331 Windows 2000 built-in client. Windows 2000 requires Service Pack 3 and the IEEE 802.1x client patch for Windows 2000. 1 Download the patches if required from: http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=6b78edbe-d3ca-4880-929f-453c695b96...

  • Page 334

    Follow these steps to install the Aegis client: 1 Registering the Aegis client. When using the Aegis client for the first time, a license key is requested. To obtain a valid license key, complete an online form on the Meetinghouse websit...

  • Page 335

    Setting up the RADIUS client 333 d Click OK to finish the configuration. e Restart the client either by rebooting or by stopping and restarting the service. f Click the OK button, then return to the Aegis client main interface. To restart the client, press the button with the red cross. If authentica...


  • Page 337: Authenticating

    C Authenticating the Switch 4500 with Cisco Secure ACS. This appendix covers the following topics: ■ Cisco Secure ACS (TACACS+) and the 3Com Switch 4500 ■ Setting up the Cisco Secure ACS (TACACS+) server. Cisco Secure ACS (TACACS+) and the 3Com Switch 4500. Cisco Secure ACS and TACACS+ are propriet...

  • Page 338

    336 Appendix C: Authenticating the Switch 4500 with Cisco Secure ACS. Adding a 3Com Switch 4500 as a RADIUS client. Once logged into the Cisco Secure ACS interface, follow these steps: 1 Select Network Configuration from the left-hand side. 2 Select Add Entry from under AAA Clients. 3 Enter the de...

  • Page 339

    Setting up the Cisco Secure ACS (TACACS+) server 337 5 Select Interface Configuration from the left-hand side. 6 Select RADIUS (IETF) from the list under Interface Configuration. 7 Check the RADIUS attributes that you wish to install. If you want to use Auto VLAN and QoS, ensure that you have the fo...

  • Page 340

    8 Select Submit. 9 Repeat steps 1 to 8 for each Switch 4500 on your network. When all of the Switch 4500s have been added as clients to the Cisco Secure ACS server, restart the Secure ACS server by selecting System Configurati...

  • Page 341

    The screen below shows specific RADIUS attributes having been selected for the user. The user has the Student profile selected and is assigned to VLAN 10 untagged. The RADIUS attributes need to have already been selected; see step 7 in Adding a 3C...

  • Page 342

    3=Administrator b Locate the application csutil.exe in the utils directory of the install path (for example, C:\Program Files\Cisco Secure ACS\utils\). c Copy the 3com.ini file into the utils directory. d At the command promp...

  • Page 343

    3 Select Submit+Restart. The IETF attributes will still be available to the device; the 3Com attributes are simply appended to them. 4 Select Interface Configuration, followed by RADIUS (3Com). a Ensure that the 3Com-User-Access-Level option is sele...

  • Page 344

    scrolling to the bottom of the user profile, where there should be the option for configuring the access level as shown below: 6 In the RADIUS (3Com) attribute box, check 3Com-User-Access-Level and select Administrator from th...