3Com E4500-24 Cli Configuration Manual

Page 2: Cli Configuration

1-1 1 cli configuration when configuring cli, go to these sections for information you are interested in: z introduction to the cli z command hierarchy z cli views z cli features introduction to the cli a command line interface (cli) is a user interface to interact with a switch. Through the cli on ...

Page 4

1-3 to do… use the command… remarks configure the level of a command in a specific view command-privilege level level view view command required z you are recommended to use the default command level or modify the command level under the guidance of professional staff; otherwise, the change of comma...

Page 6

1-5 when both the super password authentication and the hwtacacs authentication are specified, the device adopts the preferred authentication mode first. If the preferred authentication mode cannot be implemented (for example, the super password is not configured or the hwtacacs authentication serve...

Page 8

1-7 # set the password used by the current user to switch to level 3. [sysname] super password level 3 simple 123 z a vty 0 user switches its level to level 3 after logging in. # a vty 0 user telnets to the switch, and then uses the set password to switch to user level 3. Super 3 password: user priv...

Page 10

1-9 view available operation prompt example enter method quit method user interface view configure user interface parameters [sysname-ui-aux0] execute the user-interface command in system view. Ftp client view configure ftp client parameters [ftp] execute the ftp command in user view. Sftp client vi...

Page 12

1-11 cli features online help when configuring the switch, you can use the online help to get related help information. The cli provides two types of online help: complete and partial. Complete online help 1) enter a question mark (?) in any view on your terminal to display all the commands availabl...

Page 14

1-13 z the windows 9x hyperterminal explains the up and down arrow keys in a different way, and therefore the two keys are invalid when you access history commands in such an environment. However, you can use and instead to achieve the same purpose. Z when you enter the same command multiple times c...

Page 16: Table of Contents

I table of contents 1 logging in to an ethernet switch ············································································································1-1 logging in to an ethernet switch ····································································································...

Page 18

1-1 1 logging in to an ethernet switch go to these sections for information you are interested in: z logging in to an ethernet switch z introduction to the user interface z configuring source ip address for telnet service packets z user control logging in to an ethernet switch you can log in to an e...

Page 20

1-3 to do… use the command… remarks enable copyright information displaying copyright-info enable optional by default, copyright displaying is enabled. That is, the copy right information is displayed on the terminal after a user logs in successfully. Enter user interface view user-interface [ type ...

Page 22

2-2 2) if you use a pc to connect to the console port, launch a terminal emulation utility (such as terminal in windows 3.X or hyperterminal in windows 9x/windows 2000/windows xp. The following assumes that you are running windows xp) and perform the configuration shown in figure 2-2 through figure ...

Page 24

2-4 configuration remarks make terminal services available optional by default, terminal services are available in all user interfaces set the maximum number of lines the screen can contain optional by default, the screen can contain up to 24 lines. Set history command buffer size optional by defaul...

Page 27

2-7 z commands of level 2 are available to the users logging in to the aux user interface. Z the baud rate of the console port is 19,200 bps. Z the screen can contain up to 30 lines. Z the history command buffer can contain up to 20 commands. Z the timeout time of the aux user interface is 6 minutes...

Page 29

2-9 to do… use the command… remarks set the timeout time for the user interface idle-timeout minutes [ seconds ] optional the default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed ...

Page 32

2-12 to do… use the command… remarks set the timeout time for the user interface idle-timeout minutes [ seconds ] optional the default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed...

Page 34: Logging In Through Telnet

3-1 3 logging in through telnet go to these sections for information you are interested in: z introduction z telnet configuration with authentication mode being none z telnet configuration with authentication mode being password introduction switch 4500 support telnet. You can manage and maintain a ...

Page 36

3-3 authentication mode telnet configuration description manage vty users set service type for vty users required perform common configuration perform common telnet configuration optional refer to table 3-2 . To improve security and prevent attacks to the unused sockets, tcp 23 and tcp 22, ports for...

Page 38

3-5 configuration procedure # enter system view. System-view # enter vty 0 user interface view. [sysname] user-interface vty 0 # configure not to authenticate telnet users logging in to vty 0. [sysname-ui-vty0] authentication-mode none # specify commands of level 2 are available to users logging in ...

Page 40

3-7 network diagram figure 3-2 network diagram for telnet configuration (with the authentication mode being password) configuration procedure # enter system view. System-view # enter vty 0 user interface view. [sysname] user-interface vty 0 # configure to authenticate users logging in to vty 0 using...

Page 42

3-9 to do… use the command… remarks set the timeout time for the user interface idle-timeout minutes [ seconds ] optional the default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed ...

Page 44

3-11 network diagram figure 3-3 network diagram for telnet configuration (with the authentication mode being scheme) configuration procedure # enter system view. System-view # create a local user named guest and enter local user view. [sysname] local-user guest # set the authentication password of t...

Page 46

3-13 6) after successfully telnetting to the switch, you can configure the switch or display the information about the switch by executing corresponding commands. You can also type ? At any time for help. Refer to the relevant parts in this manual for the information about the commands. Z a telnet c...

Page 48

4-2 you can verify your configuration by executing the at&v command. The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration. Switch configuration after logging in to a switch through its console port by ...

Page 50

4-4 figure 4-3 set the telephone number figure 4-4 call the modem 5) if the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt appears. You can then configure or manage the switch. You can also enter the character ? At anytime for help...

Page 52

5-2 [sysname-luser-admin] service-type telnet level 3 [sysname-luser-admin] password simple admin 3) establish an http connection between your pc and the switch, as shown in figure 5-1 . Figure 5-1 establish an http connection between your pc and the switch 4) log in to the switch through ie. Launch...

Page 54

5-4 to do… use the command… remarks enter system view system-view — enable the web server ip http shutdown required by default, the web server is enabled. Disable the web server undo ip http shutdown required to improve security and prevent attack to the unused sockets, tcp 80 port (which is for htt...

Page 56: Packets

7-1 7 configuring source ip address for telnet service packets go to these sections for information you are interested in: z overview z configuring source ip address for telnet service packets z displaying source ip address configuration overview you can configure the source ip address for telnet se...

Page 59

8-2 controlling telnet users prerequisites the controlling policy against telnet users is determined, including the source ip addresses, destination ip addresses and source mac addresses to be controlled and the controlling actions (permitting or denying). Controlling telnet users by source ip addre...

Page 63

8-6 [sysname] acl number 2000 [sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [sysname-acl-basic-2000] quit # apply the acl to only permit snmp users sourced from the ip addresses of 10.110.100.52 to access the switch. [sysname] snmp-agent community read aaa acl 2000 [sysname] snmp-age...

Page 66

1-1 1 configuration file management when configuring configuration file management, go to these sections for information you are interested in: z introduction to configuration file z configuration task list introduction to configuration file a configuration file records and stores user configuration...

Page 68

1-3 modes in saving the configuration z fast saving mode. This is the mode when you use the save command without the safely keyword. The mode saves the file quicker but is likely to lose the original configuration file if the switch reboots or the power fails during the process. Z safe mode. This is...

Page 70

1-5 you can specify a configuration file to be used for the next startup and configure the main/backup attribute for the configuration file. Assigning main attribute to the startup configuration file z if you save the current configuration to the main configuration file, the system will automaticall...

Page 72: Vlan Overview

1-1 1 vlan overview this chapter covers these topics: z vlan overview z port-based vlan vlan overview introduction to vlan the traditional ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches. Hubs and switches, whic...

Page 74

1-3 tag is encapsulated after the destination mac address and source mac address to show the information about vlan. Figure 1-3 format of vlan tag as shown in figure 1-3 , a vlan tag contains four fields, including the tag protocol identifier (tpid), priority, canonical format indicator (cfi), and v...

Page 76

1-5 a hybrid port allows the packets of multiple vlans to be sent untagged, but a trunk port only allows the packets of the default vlan to be sent untagged. The three types of ports can coexist on the same device. Assigning an ethernet port to specified vlans you can assign an ethernet port to a vl...

Page 78: Vlan Configuration

2-1 2 vlan configuration when configuring vlan, go to these sections for information you are interested in: z vlan configuration z configuring a port-based vlan vlan configuration vlan configuration task list complete the following tasks to configure vlan: task remarks basic vlan configuration requi...

Page 80

2-3 the operation of enabling/disabling a vlan’s vlan interface does not influence the physical status of the ethernet ports belonging to this vlan. Displaying vlan configuration to do... Use the command... Remarks display the vlan interface information display interface vlan-interface [ vlan-id ] d...

Page 82

2-5 configuring the default vlan for a port because an access port can belong to only one vlan, its default vlan is the vlan it resides in and cannot be configured. This section describes how to configure a default vlan for a trunk or hybrid port. Follow these steps to configure the default vlan for...

Page 84

2-7 [switcha-gigabitethernet1/0/2] port trunk permit vlan 100 [switcha-gigabitethernet1/0/2] port trunk permit vlan 200 # configure gigabitethernet 1/0/10 of switch b. [switchb] interface gigabitethernet 1/0/10 [switchb-gigabitethernet1/0/10] port link-type trunk [switchb-gigabitethernet1/0/10] port...

Page 86: Ip Addressing Configuration

1-1 1 ip addressing configuration when configuring ip addressing, go to these sections for information you are interested in: z ip addressing overview z configuring ip addresses z displaying ip addressing configuration z ip address configuration examples ip addressing overview ip address classes ip ...

Page 88

1-3 while allowing you to create multiple logical networks within a single class a, b, or c network, subnetting is transparent to the rest of the internet. All these networks still appear as one. As subnetting adds an additional level, subnet id, to the two-level hierarchy with ip addressing, ip rou...

Page 90

1-5 ip address configuration examples ip address configuration example i network requirement assign ip address 129.2.2.1 with mask 255.255.255.0 to vlan-interface 1 of the switch. Network diagram figure 1-3 network diagram for ip address configuration configuration procedure # configure an ip addres...

Page 92

1-7 reply from 172.16.2.2: bytes=56 sequence=2 ttl=255 time=26 ms reply from 172.16.2.2: bytes=56 sequence=3 ttl=255 time=26 ms reply from 172.16.2.2: bytes=56 sequence=4 ttl=255 time=26 ms reply from 172.16.2.2: bytes=56 sequence=5 ttl=255 time=26 ms --- 172.16.2.2 ping statistics --- 5 packet(s) t...

Page 94

2-2 terminated. If fin packets are received, the tcp connection state changes to time_wait. If non-fin packets are received, the system restarts the timer from receiving the last non-fin packet. The connection is broken after the timer expires. Z size of tcp receive/send buffer follow these steps to...

Page 96: Table of Contents

I table of contents 1 voice vlan configuration························································································································1-1 voice vlan overview···············································································································...

Page 98

1-2 following describes the way an ip phone acquires an ip address. Figure 1-1 network diagram for ip phones as shown in figure 1-1 , the ip phone needs to work in conjunction with the dhcp server and the ncp to establish a path for voice data transmission. An ip phone goes through the following thr...

Page 100

1-4 z set the dscp value to 46. Configuring voice vlan assignment mode of a port a port can work in automatic voice vlan assignment mode or manual voice vlan assignment mode. You can configure the voice vlan assignment mode for a port according to data traffic passing through the port. Processing mo...

Page 102

1-6 table 1-3 matching relationship between port types and voice devices acquiring voice vlan through manual configuration voice vlan assignment mode port type supported or not access not supported trunk supported make sure the default vlan of the port exists and is not a voice vlan, and the access ...

Page 104

1-8 set the voice vlan aging timer voice vlan aging minutes optional the default aging timer is 1440 minutes. Enable the voice vlan function globally voice vlan vlan-id enable required enter ethernet port view interface interface-type interface-number required enable the voice vlan function on a por...

Page 106

1-10 z the voice vlan function can be enabled for only one vlan at one time. Z if the link aggregation control protocol (lacp) is enabled on a port, voice vlan feature cannot be enabled on it. Z voice vlan function can be enabled only for the static vlan. A dynamic vlan cannot be configured as a voi...

Page 108

1-12 # configure gigabitethernet 1/0/1 to operate in automatic voice vlan assignment mode. (optional. By default, a port operates in automatic voice vlan assignment mode.) [devicea] interface gigabitethernet 1/0/1 [devicea-gigabitethernet1/0/1] voice vlan mode auto # configure gigabitethernet 1/0/1 ...

Page 110

1-14 [devicea-ethernet1/0/1] port hybrid pvid vlan 2 [devicea-ethernet1/0/1] port hybrid vlan 2 untagged # enable the voice vlan function on ethernet 1/0/1. [devicea-ethernet1/0/1] voice vlan enable verification # display the oui addresses, the corresponding oui address masks and the corresponding d...

Page 112: Gvrp Configuration

1-1 1 gvrp configuration when configuring gvrp, go to these sections for information you are interested in: z introduction to gvrp z gvrp configuration z displaying and maintaining gvrp z gvrp configuration example introduction to gvrp garp vlan registration protocol (gvrp) is an implementation of g...

Page 114

1-3 figure 1-1 format of garp packets the following table describes the fields of a garp packet. Table 1-1 description of garp packet fields field description value protocol id protocol id 1 message each message consists of two parts: attribute type and attribute list. — attribute type defined by th...

Page 116

1-5 to do ... Use the command ... Remarks enter system view system-view — enable gvrp globally gvrp required by default, gvrp is disabled globally. Enter ethernet port view interface interface-type interface-number — enable gvrp on the port gvrp required by default, gvrp is disabled on the port. Z a...

Page 118

1-7 displaying and maintaining gvrp to do … use the command … remarks display garp statistics display garp statistics [ interface interface-list ] display the settings of the garp timers display garp timer [ interface interface-list ] display gvrp statistics display gvrp statistics [ interface inter...

Page 120

1-9 the following dynamic vlans exist: 5, 7, 8, # display the vlan information dynamically registered on switch b. [switchb] display vlan dynamic total 3 dynamic vlan exist(s). The following dynamic vlans exist: 5, 7, 8, # display the vlan information dynamically registered on switch e. [switche] di...

Page 122: Table of Contents

I table of contents 1 port basic configuration ··························································································································1-1 ethernet port configuration ···································································································...

Page 124

1-2 to do... Use the command... Remarks enter system view system-view — enter ethernet port view interface interface-type interface-number — enable the ethernet port undo shutdown optional by default, the port is enabled. Use the shutdown command to disable the port. Set the description string for t...

Page 128

1-6 z if you have not enabled the loopback port auto-shutdown function on the port, the port will automatically resume the normal forwarding state after the loop is removed. 2) if a loop is found on a trunk or hybrid port, the system merely sends log messages to the terminal but does not set the por...

Page 130

1-8 z external : performs external loop test. In the external loop test, self-loop headers must be used on the port of the switch ( for 100m port, the self-loop headers are made from four cores of the 8-core cables, for 1000m port, the self-loop header are made from eight cores of the 8-core cables,...

Page 132

1-10 configuration examples # in the default conditions, where up/down log output is enabled, execute the shutdown command or the undo shutdown command on ethernet 1/0/1. The up/down log information for ethernet 1/0/1 is generated and displayed on the terminal. System-view system view: return to use...

Page 134

1-12 network diagram figure 1-2 network diagram for ethernet port configuration configuration procedure z only the configuration for switch a is listed below. The configuration for switch b is similar to that of switch a. Z this example supposes that vlan 2, vlan 6 through vlan 50 and vlan 100 have ...

Page 136

1-1 1 link aggregation configuration when configuring link aggregation, go to these sections for information you are interested in: z overview z link aggregation classification z aggregation group categories z link aggregation configuration z displaying and maintaining link aggregation configuration...

Page 138

1-3 lacp is disabled on the member ports of manual aggregation groups, and you cannot enable lacp on ports in a manual aggregation group. Port status in manual aggregation group a port in a manual aggregation group can be in one of the two states: selected or unselected. In a manual aggregation grou...

Page 140

1-5 for an aggregation group: z when the rate or duplex mode of a port in the aggregation group changes, packet loss may occur on this port; z when the rate of a port decreases, if the port belongs to a manual or static lacp aggregation group, the port will be switched to the unselected state; if th...

Page 142

1-7 for a manual aggregation group, a port can only be manually added/removed to/from the manual aggregation group. Follow these steps to configure a manual aggregation group: to do… use the command… remarks enter system view system-view — create a manual aggregation group link-aggregation group agg...

Page 144

1-9 note: changing the system priority may affect the priority relationship between the aggregation peers, and thus affect the selected/unselected status of member ports in the dynamic aggregation group. Configuring a description for an aggregation group to do… use the command… remarks enter system ...

Page 146

1-11 # create static aggregation group 1. System-view [sysname] link-aggregation group 1 mode static # add ethernet 1/0/1 through ethernet 1/0/3 to aggregation group 1. [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] port link-aggregation group 1 [sysname-ethernet1/0/1] quit [sysname] int...

Page 148: Port Isolation Configuration

1-1 1 port isolation configuration when configuring port isolation, go to these sections for information you are interested in: z port isolation overview z port isolation configuration z displaying and maintaining port isolation configuration z port isolation configuration example port isolation ove...

Page 150

1-3 network diagram figure 1-1 network diagram for port isolation configuration configuration procedure # add ethernet1/0/2, ethernet1/0/3, and ethernet1/0/4 to the isolation group. System-view system view: return to user view with ctrl+z. [sysname] interface ethernet1/0/2 [sysname-ethernet1/0/2] po...

Page 152: Port Security Configuration

1-1 1 port security configuration when configuring port security, go to these sections for information you are interested in: z port security overview z port security configuration task list z displaying and maintaining port security configuration z port security configuration examples port security...

Page 154

1-3 security mode description feature userlogin in this mode, port-based 802.1x authentication is performed for access users. In this mode, neither ntk nor intrusion protection will be triggered. Userloginsecure mac-based 802.1x authentication is performed on the access user. The port is enabled onl...

Page 156

1-5 task remarks configuring guest vlan for a port in macaddressoruserloginsecure mode optional ignoring the authorization information from the radius server optional configuring security mac addresses optional enabling port security configuration prerequisites before enabling port security, you nee...

Page 158

1-7 z before setting the port security mode to autolearn , you need to set the maximum number of mac addresses allowed on the port with the port-security max-mac-count command. Z when the port operates in the autolearn mode, you cannot change the maximum number of mac addresses allowed on the port. ...

Page 160

1-9 z the users of the port can initiate 802.1x authentication. If a user passes authentication, the port leaves the guest vlan and is added to the original vlan, that is, the one the port belongs to before it is added to the guest vlan). The port then does not handle other users' authentication req...

Page 162

1-11 to do... Use the command... Remarks enter system view system-view — in system view mac-address security mac-address interface interface-type interface-number vlan vlan-id interface interface-type interface-number add a security mac address entry in ethernet port view mac-address security mac-ad...

Page 164

1-13 [switch-ethernet1/0/1] mac-address security 0001-0002-0003 vlan 1 # configure the port to be silent for 30 seconds after intrusion protection is triggered. [switch-ethernet1/0/1] port-security intrusion-mode disableport-temporarily [switch-ethernet1/0/1] quit [switch] port-security timer disabl...

Page 166: Table of Contents

I table of contents 1 dldp configuration ··································································································································1-1 overview ····················································································································...

Page 168

1-2 figure 1-2 fiber broken or not connected device a ge1/0/49 ge1/0/50 device b ge1/0/49 ge1/0/50 pc device link detection protocol (dldp) can detect the link status of an optical fiber cable or copper twisted pair (such as super category 5 twisted pair). If dldp finds a unidirectional link, it dis...

Page 170

1-4 dldp status a link can be in one of these dldp states: initial, inactive, active, advertisement, probe, disable, and delaydown. Table 1-2 dldp status status description initial initial status before dldp is enabled. Inactive dldp is enabled but the corresponding link is down active dldp is enabl...

Page 172

1-6 table 1-4 dldp operating mode and neighbor entry aging dldp operating mode detecting a neighbor after the corresponding neighbor entry ages out removing the neighbor entry immediately after the entry timer expires triggering the enhanced timer after an entry timer expires normal mode no yes no e...

Page 174

1-8 table 1-7 processing procedure when no echo packet is received from the neighbor no echo packet received from the neighbor processing procedure in normal mode, no echo packet is received when the echo waiting timer expires. In enhanced mode, no echo packet is received when the enhanced timer exp...

Page 176

1-10 z when connecting two dldp-enabled devices, make sure the software running on them is of the same version. Otherwise, dldp may operate improperly. Z when you use the dldp enable/dldp disable command in system view to enable/disable dldp on all optical ports of the switch, the configuration take...

Page 178

1-12 # set the dldp handling mode for unidirectional links to auto . [switcha] dldp unidirectional-shutdown auto # display the dldp state [switcha] display dldp 1 when two switches are connected through fibers in a crossed way, two or three ports may be in the disable state, and the rest in the inac...

Page 180: Mac Address Table Management

1-1 1 mac address table management when mac address table management functions, go to these sections for information you are interested in: z overview z mac address table management z displaying mac address table information z configuration example this chapter describes the management of static, dy...

Page 182

1-3 figure 1-4 mac address learning diagram (3) 4) at this time, the mac address table of the switch includes two forwarding entries shown in figure 1-5 . When forwarding the response packet from user b to user a, the switch sends the response to user a through gigabitethernet 1/0/1 (technically cal...

Page 184

1-5 task remarks enabling destination mac address triggered update optional configuring a mac address entry you can add, modify, or remove a mac address entry, remove all mac address entries concerning a specific port, or remove specific type of mac address entries (dynamic or static mac address ent...

Page 186

1-7 by setting the maximum number of mac addresses that can be learned from individual ports, the administrator can control the number of the mac address entries the mac address table can dynamically maintain. When the number of the mac address entries learnt from a port reaches the set value, the p...

Page 188: Table of Contents

I table of contents 1 auto detect configuration························································································································1-1 introduction to the auto detect function·························································································...

Page 190

1-2 task remarks auto detect implementation in vlan interface backup optional auto detect basic configuration follow these steps to configure the auto detect function: to do… use the command… remarks enter system view system-view — create a detected group and enter detected group view detect-group g...

Page 192

1-4 figure 1-1 schematic diagram for vlan interface backup using auto detect can help implement vlan interfaces backup. When data can be transmitted through two vlan interfaces on the switch to the same destination, configure one of the vlan interface as the active interface and the other as the sta...

Page 194

1-6 network diagram figure 1-3 network diagram for vlan interface backup configuration procedure configure the ip addresses of all the interfaces as shown in figure 1-3 . The configuration procedure is omitted. # enter system view. System-view # create auto detected group 10. [switcha] detect-group ...

Page 196

Ii introduction····································································································································1-39 configuring digest snooping·········································································································1-40 configuring...

Page 198

1-2 stp identifies the network topology by transmitting bpdus between stp compliant network devices, typically switches and routers. Bpdus contain sufficient information for the network devices to complete the spanning tree calculation. In stp, bpdus come in two types: z configuration bpdus, used to...

Page 200

1-4 6) port id a port id used on a 3com switch 4500 consists of two bytes, that is, 16 bits, where the first six bits represent the port priority, and the latter ten bits represent the port number. The default priority of all ethernet ports on 3com switches 4500 is 128. You can use commands to confi...

Page 202

1-6 step description 3 the device compares the calculated configuration bpdu with the configuration bpdu on the port whose role is to be determined, and acts as follows based on the comparison result: z if the calculated configuration bpdu is superior, this port will serve as the designated port, an...

Page 204

1-8 device comparison process bpdu of port after comparison z port cp1 receives the configuration bpdu of device a {0, 0, 0, ap2}. Device c finds that the received configuration bpdu is superior to the configuration bpdu of the local port {2, 0, 2, cp1}, and updates the configuration bpdu of cp1. Z ...

Page 206

1-10 for this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and the designated ports must go through a period, which is twice the forward delay time, before they transit to the forwarding state. The period allows the new configuration bpdus to be propagate...

Page 208

1-12 2) msti a multiple spanning tree instance (msti) refers to a spanning tree in an mst region. Multiple spanning trees can be established in one mst region. These spanning trees are independent of each other. For example, each region in figure 1-4 contains multiple spanning trees known as mstis. ...

Page 210

1-14 z forwarding state. Ports in this state can forward user packets and receive/send bpdu packets. Z learning state. Ports in this state can receive/send bpdu packets but do not forward user packets. Z discarding state. Ports in this state can only receive bpdu packets. Port roles and port states ...

Page 212

1-16 task remarks configuring the timeout time factor optional configuring the maximum transmitting rate on the current port optional the default value is recommended. Configuring the current port as an edge port optional setting the link type of a port to p2p optional enabling mstp required to prev...

Page 214

1-18 z mstp-enabled switches are in the same region only when they have the same format selector (a 802.1s-defined protocol selector, which is 0 by default and cannot be configured), mst region name, vlan-to-instance mapping table, and revision level. Z the 3com switches 4500 support only the mst re...

Page 216

1-20 configuring the bridge priority of the current switch root bridges are selected according to the bridge priorities of switches. You can make a specific switch be selected as a root bridge by setting a lower bridge priority for the switch. An mstp-enabled switch can have different bridge priorit...

Page 220

1-24 to do... Use the command... Remarks configure the max age parameter stp timer max-age centiseconds required the max age parameter defaults to 2,000 centiseconds (namely, 20 seconds). All switches in a switched network adopt the three time-related parameters configured on the cist root bridge. Z...

Page 222

1-26 to do... Use the command... Remarks enter system view system-view — enter ethernet port view interface interface-type interface-number — configure the maximum transmitting rate stp transmit-limit packetnum required the maximum transmitting rate of all ethernet ports on a switch defaults to 10. ...

Page 224

1-28 setting the link type of a port to p2p in ethernet port view follow these steps to specify whether the link connected to a port is point-to-point link in ethernet port view: to do... Use the command... Remarks enter system view system-view — enter ethernet port view interface interface-type int...

Page 226

1-30 configuring the timeout time factor refer to configuring the timeout time factor . Configuring the maximum transmitting rate on the current port refer to configuring the maximum transmitting rate on the current port . Configuring a port as an edge port refer to configuring the current port as a...

Page 228

1-32 1) perform this configuration in system view system-view [sysname] stp interface ethernet 1/0/1 instance 1 cost 2000 2) perform this configuration in ethernet port view system-view [sysname] interface ethernet 1/0/1 [sysname-ethernet1/0/1] stp instance 1 cost 2000 configuration example (b) # co...

Page 230

1-34 configuration procedure you can perform the mcheck operation in the following two ways. Perform the mcheck operation in system view follow these steps to perform the mcheck operation in system view: to do... Use the command... Remarks enter system view system-view — perform the mcheck operation...

Page 232

1-36 forwarding packets (as if it is disconnected from the link). It resumes the normal state if it does not receive any configuration bpdus with higher priorities for a specified period. Z you are recommended to enable root guard on the designated ports of a root bridge. Z loop guard, root guard, a...

Page 234

1-38 period, the switch may be busy in removing the mac address table and arp entries, which may affect spanning tree calculation, occupy large amount of bandwidth and increase switch cpu utilization. With the tc-bpdu attack guard function enabled, a switch performs a removing operation upon receivi...

Page 236

1-40 the digest snooping function is not applicable to edge ports. Configuring digest snooping configure the digest snooping feature on a switch to enable it to communicate with other switches adopting proprietary protocols to calculate configuration digests in the same mst region through mstis. Con...

Page 238

1-42 figure 1-6 the rstp rapid transition mechanism root port blocks other non- edge ports, changes to forwarding state and sends agreement to upstream device downstream switch upstream switch proposal for rapid transition agree ment designated port changes to forwarding state root port designated p...

Page 240

1-44 z the rapid transition feature can be enabled on only root ports or alternate ports. Z if you configure the rapid transition feature on a designated port, the feature does not take effect on the port. Configuring vlan-vpn tunnel introduction the vlan-vpn tunnel function enables stp packets to b...

Page 242

1-46 system-view [sysname] stp instance 1 portlog # enable log/trap output for the ports of all instances. System-view [sysname] stp portlog all enabling trap messages conforming to 802.1d standard a switch sends trap messages conforming to 802.1d standard to the network management device in the fol...

Page 244

1-48 # specify switch a as the root bridge of msti 1. [sysname] stp instance 1 root primary 2) configure switch b # enter mst region view. System-view [sysname] stp region-configuration # configure the region name, vlan-to-instance mapping table, and revision level for the mst region. [sysname-mst-r...

Page 246

1-50 [sysname] vlan-vpn tunnel # add gigabitethernet 1/0/1 to vlan 10. [sysname] vlan 10 [sysname-vlan10] port gigabitethernet 1/0/1 [sysname-vlan10] quit # enable the vlan vpn function on gigabitethernet 1/0/1. [sysname] interface gigabitethernet 1/0/1 [sysname-gigabitethernet1/0/1] port access vla...

Page 248

Ii filters ···············································································································································4-1 ip route policy configuration task list··································································································4-2 r...

Page 250

1-2 z preference: there may be multiple routes with different next hops to the same destination. These routes may be discovered by different routing protocols, or be manually configured static routes. The one with the highest preference (the smallest numerical value) will be selected as the current ...

Page 252

1-4 each routing protocol (including static routes) is assigned a priority. The route found by the routing protocol with the highest priority is preferred. The following table lists some routing protocols and the default priorities for routes found by them: table 1-1 routing protocols and priorities...

Page 254: Static Route Configuration

2-1 2 static route configuration when configuring a static route, go to these sections for information you are interested in: z introduction to static route z static route configuration z displaying and maintaining static routes z static route configuration example z troubleshooting a static route t...

Page 257

2-4 1) perform the following configurations on the switch. # approach 1: configure static routes on switch a. System-view [switcha] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2 [switcha] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2 [switcha] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2 # approach...

Page 259

3-2 z interface: outbound interface on this router, through which ip packets should be forwarded to reach the destination. Z metric: cost from the local router to the destination. Z route time: time elapsed since the routing entry was last updated. The time is reset to 0 every time the routing entry...

Page 261

3-4 z related rip commands configured in interface view can take effect only after rip is enabled. Z rip operates on the interfaces attached to a specified network segment. When rip is disabled on an interface, it does not operate on the interface, that is, it neither receives/sends routes on the in...

Page 263

3-6 follow these steps to configure rip route summarization: to do... Use the command... Remarks enter system view system-view — enter rip view rip — enable rip-2 automatic route summarization summary required enabled by default disabling the router from receiving host routes in some special cases, ...

Page 265

3-8 rip network adjustment and optimization in some special network environments, some rip features need to be configured and rip network performance needs to be adjusted and optimized. By performing the configuration mentioned in this section, the following can be implemented: z changing the conver...

Page 267

3-10 configuring rip to unicast rip packets follow these steps to configure rip to unicast rip packets: to do... Use the command... Remarks enter system view system-view — enter rip view rip — configure rip to unicast rip packets peer ip-address required when rip runs on the link that does not suppo...

Page 269

4-1 4 ip route policy configuration when configuring an ip route policy, go to these sections for information you are interested in: z ip route policy overview z ip route policy configuration task list z displaying ip route policy z ip route policy configuration example z troubleshooting ip route po...

Page 271

4-3 z if-match clause: defines matching rules; that is, the filtering conditions that the routing information should satisfy for passing the current route policy. The matching objects are some attributes of the routing information. Z apply clause: specifies actions, which are the configuration comma...

Page 274

4-6 ip route policy configuration example controlling rip packet cost to implement dynamic route backup network requirements the required speed of convergence in the small network of a company is not high. The network provides two services. Main and backup links are provided for each service for the...

Page 276

4-8 [switchc-route-policy] if-match interface vlan-interface2 [switchc-route-policy] if-match ip-prefix 2 [switchc-route-policy] apply cost 6 [switchc-route-policy] quit # create node 30 with the matching mode being permit in the route policy. Define if-match clauses. Apply the cost 6 to routes matc...

Page 278: Table of Contents

I table of contents 1 multicast overview ····································································································································1-1 multicast overview ········································································································...

Page 280: Multicast Overview

1-1 1 multicast overview in this manual, the term “router” refers to a router in the generic sense or a layer 3 ethernet switch running an ip multicast protocol. Multicast overview with the development of the internet, more and more interaction services such as data, voice, and video services are ru...

Page 282

1-3 information transmission in the multicast mode as described in the previous sections, unicast is suitable for networks with sparsely distributed users, whereas broadcast is suitable for networks with densely distributed users. When the number of users requiring information is not certain, unicas...

Page 284

1-5 application of multicast the multicast technology effectively addresses the issue of point-to-multipoint data transmission. By enabling high-efficiency point-to-multipoint data transmission, over an ip network, multicast greatly saves network bandwidth and reduces network load. Multicast provide...

Page 286

1-7 note that: z the ip addresses of a permanent multicast group keep unchanged, while the members of the group can be changed. Z there can be any number of, or even zero, members in a permanent multicast group. Z those ip multicast addresses not assigned to permanent multicast groups can be used by...

Page 288

1-9 z generally, we refer to ip multicast working at the network layer as layer 3 multicast and the corresponding multicast protocols as layer 3 multicast protocols, which include igmp, pim, and msdp; we refer to ip multicast working at the data link layer as layer 2 multicast and the corresponding ...

Page 290

1-11 z to process the same multicast information from different peers received on different interfaces of the same device, every multicast packet is subject to a reverse path forwarding (rpf) check on the incoming interface. The result of the rpf check determines whether the packet will be forwarded...

Page 292

1-1 2 common multicast configuration in this manual, the term “router” refers to a router in the generic sense or a layer 3 ethernet switch running an ip multicast protocol. Common multicast configuration table 2-1 complete the following tasks to perform common multicast configurations: task remarks...

Page 294

1-3 z if the multicast mac address entry to be created already exists, the system gives you a prompt. Z if you want to add a port to a multicast mac address entry created through the mac-address multicast command, you need to remove the entry first, create this entry again, and then add the specifie...

Page 296

1-2 figure 3-1 before and after igmp snooping is enabled on layer 2 device multicast packet transmission without igmp snooping source multicast router host a receiver host b host c receiver multicast packets layer 2 switch multicast packet transmission when igmp snooping runs source multicast router...

Page 298

1-4 a switch will not forward an igmp report through a non-router port for the following reason: due to the igmp report suppression mechanism, if member hosts of that multicast group still exist under non-router ports, the hosts will stop sending reports when they receive the message, and this preve...

Page 300

1-6 z although both layer 2 and layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously on a vlan or its corresponding vlan interface. Z before enabling igmp snooping in a vlan, be sure to enable igmp snooping globally in system view; otherwise the igmp ...

Page 302

1-8 z the fast leave processing function works for a port only if the host attached to the port runs igmpv2 or igmpv3. Z the configuration performed in system view takes effect on all ports of the switch if no vlan is specified; if one or more vlans are specified, the configuration takes effect on a...

Page 304

1-10 configuring igmp snooping querier in an ip multicast network running igmp, one dedicated multicast device is responsible for sending igmp general queries, and this router or layer 3 switch is called the igmp querier. However, a layer 2 multicast switch does not support igmp, and therefore canno...

Page 306

1-12 in ethernet port view follow these steps to configure a static multicast group member port in ethernet port view: to do... Use the command... Remarks enter system view system-view — enter ethernet port view interface interface-type interface-number — configure the current port as a static membe...

Page 308

1-14 z before configuring a simulated host, enable igmp snooping in vlan view first. Z the port to be configured must belong to the specified vlan; otherwise the configuration does not take effect. Z you can use the source-ip source-address command to specify a multicast source address that the port...

Page 311

1-17 network diagram figure 3-3 network diagram for igmp snooping configuration multicast packets source router a switch a receiver receiver host b host a host c 1.1.1.1/24 eth1/0/4 eth1/0/2 eth1/0/3 igmp querier eth1/0/1 eth1/0/1 10.1.1.1/24 eth1/0/2 1.1.1.2/24 vlan100 configuration procedure 1) co...

Page 313

1-19 device device description networking description switch b layer 2 switch z vlan 2 contains ethernet 1/0/1 and vlan 3 contains ethernet 1/0/2. Z the default vlans of ethernet 1/0/1 and ethernet 1/0/2 are vlan 2 and vlan 3 respectively. Z vlan 10 contains ethernet 1/0/10, ethernet 1/0/1, and ethe...

Page 315

1-21 [switchb] interface ethernet 1/0/2 [switchb-ethernet1/0/2] port link-type hybrid [switchb-ethernet1/0/2] port hybrid vlan 3 10 untagged [switchb-ethernet1/0/2] port hybrid pvid vlan 3 [switchb-ethernet1/0/2] quit troubleshooting igmp snooping symptom : multicast function does not work on the sw...

Page 317

Ii layer 3 error control ·······················································································································4-1 configuring system guard······················································································································4-1 config...

Page 319

1-2 figure 1-1 architecture of 802.1x authentication z the supplicant system is the entity seeking access to the lan. It resides at one end of a lan segment and is authenticated by the authenticator system at the other end of the lan segment. The supplicant system is usually a user terminal device. ...

Page 321

1-4 figure 1-3 the format of an eapol packet in an eapol packet: z the pae ethernet type field holds the protocol identifier. The identifier for 802.1x is 0x888e. Z the protocol version field holds the version of the protocol supported by the sender of the eapol packet. Z the type field can be one o...

Page 323

1-6 eap relay mode this mode is defined in 802.1x. In this mode, eap packets are encapsulated in higher level protocol (such as eapor) packets to enable them to successfully reach the authentication server. Normally, this mode requires that the radius server support the two newly-added fields: the e...

Page 325

1-8 feedbacks (through a radius access-accept packet and an eap-success packet) to the switch to indicate that the supplicant system is authenticated. Z the switch changes the state of the corresponding port to accepted state to allow the supplicant system to access the network. Z the supplicant sys...

Page 327

1-10 z re-authentication timer ( reauth-period ). The switch initiates 802.1x re-authentication at the interval set by the re-authentication timer. Z radius server timer ( server-timeout ). This timer sets the server-timeout period. After sending an authentication request packet to the radius server...

Page 329

1-12 z users belonging to the guest vlan can access the resources of the guest vlan without being authenticated. But they need to be authenticated when accessing external resources. Normally, the guest vlan function is coupled with the dynamic vlan delivery function. Refer to aaa operation for detai...

Page 331

1-14 configuring basic 802.1x functions follow these steps to configure basic 802.1x functions: to do… use the command… remarks enter system view system-view — enable 802.1x globally dot1x required by default, 802.1x is disabled globally. In system view dot1x interface interface-list interface inter...

Page 335

1-18 enabling dhcp-triggered authentication after performing the following configuration, 802.1x allows running dhcp on access users, and users are authenticated when they apply for dynamic ip addresses through dhcp. Follow these steps to enable dhcp-triggered authentication: to do... Use the comman...

Page 338

1-21 network diagram figure 1-12 network diagram for aaa configuration with 802.1x and radius enabled configuration procedure note: following configuration covers the major aaa/radius configuration commands. Refer to aaa operation for the information about these commands. Configuration on the client...

Page 340

2-1 2 quick ead deployment configuration when configuring quick ead deployment, go to these sections for information you are interested in: z introduction to quick ead deployment z configuring quick ead deployment z displaying and maintaining quick ead deployment z quick ead deployment configuration...

Page 342

2-3 large number of users log in but cannot pass authentication, the switch may run out of acl resources, preventing other users from logging in. A timer called acl timer is designed to solve this problem. You can control the usage of acl resources by setting the acl timer. The acl timer starts once...

Page 344: Habp Configuration

3-1 3 habp configuration when configuring habp, go to these sections for information you are interested in: z introduction to habp z habp server configuration z habp client configuration z displaying and maintaining habp configuration introduction to habp when a switch is configured with the 802.1x ...

Page 346: System Guard Configuration

4-1 4 system guard configuration when configuring system guard, go to these sections for information you are interested in: z system guard overview z configuring system guard z displaying and maintaining system guard configuration system guard overview guard against ip attacks system-guard operates ...

Page 348

4-3 enabling layer 3 error control follow these steps to enable layer 3 error control: to do... Use the command... Remarks enter system view system-view — enable layer 3 error control system-guard l3err enable required enabled by default displaying and maintaining system guard configuration to do......

Page 350

Ii local authentication of ftp/telnet users·····················································································2-28 hwtacacs authentication and authorization of telnet users ···················································2-29 troubleshooting aaa ·································...

Page 352

1-2 z none accounting: no accounting is performed for users. Z remote accounting: user accounting is performed on a remote radius or tacacs server. Introduction to isp domain an internet service provider (isp) domain is a group of users who belong to the same isp. For a username in the format of use...

Page 354

1-4 4) the radius client accepts or denies the user depending on the received authentication result. If it accepts the user, the radius client sends a start-accounting request (accounting-request, with the status-type attribute value = start) to the radius server. 5) the radius server returns a star...

Page 356

1-6 11 filter-id 33 proxy-state 12 framed-mtu 34 login-lat-service 13 framed-compression 35 login-lat-node 14 login-ip-host 36 login-lat-group 15 login-service 37 framed-appletalk-link 16 login-tcp-port 38 framed-appletalk-network 17 (unassigned) 39 framed-appletalk-zone 18 reply-message 40-59 (rese...

Page 358

1-8 figure 1-6 aaa implementation procedure for a telnet user the basic message exchange procedure is as follows: 1) a user sends a login request to the switch acting as a tacacs client, which then sends an authentication start request to the tacacs server. 2) the tacacs server returns an authentica...

Page 360: Aaa Configuration

2-1 2 aaa configuration aaa configuration task list you need to configure aaa to provide network access services for legal users while protecting network devices and preventing unauthorized access and repudiation behavior. Complete the following tasks to configure aaa (configuring a combined aaa sch...

Page 365

2-6 accounting. In this case, if the combined scheme uses radius or hwtacacs, the system never uses the secondary scheme for authorization and accounting. Z if you configure no separate scheme, the combined scheme is used for authentication, authorization, and accounting. In this case, if the system...

Page 368

2-9 z the following characters are not allowed in the user-name string: /:*?. And you cannot input more than one “@” in the string. Z after the local-user password-display-mode cipher-force command is executed, any password will be displayed in cipher mode even though you specify to display a user p...

Page 370

2-11 creating a new radius scheme, you should configure the ip address and udp port number of each radius server you want to use in this scheme. These radius servers fall into two types: authentication/authorization, and accounting. And for each type of server, you can configure two servers in a rad...

Page 372

2-13 enable stop-accounting request buffering stop-accounting-buffer enable optional by default, stop-accounting request buffering is enabled. Set the maximum number of transmission attempts of a buffered stop-accounting request. Retry stop-accounting retry-times optional by default, the system trie...

Page 374

2-15 z if you change the radius server type, the units of data flows sent to radius servers will be restored to the defaults. Z when the third party radius server is used, you can select standard or extended as the server-type in a radius scheme; when the cams server is used, you can select extended...

Page 376

2-17 z generally, the access users are named in the userid@isp-name or userid.Isp-name format. Here, isp-name after the “ @” or “.” character represents the isp domain name, by which the device determines which isp domain a user belongs to. However, some old radius servers cannot accept the username...

Page 378

2-19 set the response timeout time of radius servers timer response-timeout seconds optional by default, the response timeout time of radius servers is three seconds. Set the time that the switch waits before it try to re-communicate with primary server and restore the status of the primary server t...

Page 380

2-21 hwtacacs configuration task list complete the following tasks to configure hwtacacs: task remarks creating a hwtacacs scheme required configuring tacacs authentication servers required configuring tacacs authorization servers required configuring tacacs accounting servers optional configuring s...

Page 382

2-23 configuring tacacs accounting servers follow these steps to configure tacacs accounting servers: to do… use the command… remarks enter system view system-view — create a hwtacacs scheme and enter its view hwtacacs scheme hwtacacs-scheme-name required by default, no hwtacacs scheme exists. Set t...

Page 385

2-26 displaying and maintaining radius protocol configuration to do… use the command… remarks display radius message statistics about local radius server display local-server statistics display configuration information about one specific or all radius schemes display radius scheme [ radius-scheme-n...

Page 387

2-28 [sysname-radius-cams] server-type extended [sysname-radius-cams] user-name-format with-domain [sysname-radius-cams] quit # associate the isp domain with the radius scheme. [sysname] domain cams [sysname-isp-cams] scheme radius-scheme cams a telnet user logging into the switch by a name in the f...

Page 389

2-30 [sysname-hwtacacs-hwtac] primary authentication 10.110.91.164 49 [sysname-hwtacacs-hwtac] primary authorization 10.110.91.164 49 [sysname-hwtacacs-hwtac] key authentication aabbcc [sysname-hwtacacs-hwtac] key authorization aabbcc [sysname-hwtacacs-hwtac] user-name-format without-domain [sysname...

Page 391: Ead Configuration

3-1 3 ead configuration introduction to ead endpoint admission defense (ead) is an attack defense solution. Using this solution, you can enhance the active defense capability of network endpoints, prevents viruses and worms from spreading on the network, and protects the entire network by limiting t...

Page 393

3-3 network diagram figure 3-2 ead configuration eth1/0/1 internet user security policy servers 10.110.91.166/16 virus patch servers 10.110.91.168/16 authentication servers 10.110.91.164/16 configuration procedure # configure 802.1x on the switch. Refer to “configuring 802.1x” in 802.1x and system g...

Page 395

1-1 1 mac address authentication configuration when configuring mac address authentication, go to these sections for information you are interested: z mac address authentication overview z related concepts z configuring basic mac address authentication functions z mac address authentication enhanced...

Page 398

1-4 task remarks configuring a guest vlan optional configuring the maximum number of mac address authentication users allowed to access a port optional configuring a guest vlan different from guest vlans described in the 802.1x and system-guard manual , guest vlans mentioned in this section refer to...

Page 400

1-6 z if more than one client are connected to a port, you cannot configure a guest vlan for this port. Z when a guest vlan is configured for a port, only one mac address authentication user can access the port. Even if you set the limit on the number of mac address authentication users to more than...

Page 402

1-8 # set the user name in mac address mode for mac address authentication, requiring hyphened lowercase mac addresses as the usernames and passwords. [sysname] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase # add a local user. Z specify the user name and passw...

Page 404: Arp Configuration

1-1 1 arp configuration when configuring arp, go to these sections for information you are interested in: z introduction to arp z configuring arp z configuring gratuitous arp z displaying and debugging arp z arp configuration examples introduction to arp arp function address resolution protocol (arp...

Page 406

1-3 value description 5 chaos 6 ieee802.X 7 arc network arp table in an ethernet, the mac addresses of two hosts must be available for the two hosts to communicate with each other. Each host in an ethernet maintains an arp table, where the latest used ip address-to-mac address mapping entries are st...

Page 408

1-5 to do… use the command… remarks enable the arp entry checking function (that is, disable the switch from learning arp entries with multicast mac addresses) arp check enable optional enabled by default. Z static arp entries are valid as long as the ethernet switch operates normally. But some oper...

Page 411

2-2 figure 2-1 network diagram for arp man-in-the-middle attack arp attack detection to guard against the man-in-the-middle attacks launched by hackers or attackers, s4500 series ethernet switches support the arp attack detection function. After you enable arp attack detection for a vlan, z when rec...

Page 413

2-4 figure 2-2 gateway spoofing attack to prevent gateway spoofing attacks, an s4500 series ethernet switch can work as an access device (usually with the upstream port connected to the gateway and the downstream ports connected to hosts) and filter arp packets based on the gateway’s address. Z to f...

Page 415

2-6 to do… use the command… remarks enter ethernet port view interface interface-type interface-number — configure arp packet filtering based on the gateway’s ip address arp filtersource ip-address required not configured by default. Follow these steps to configure arp packet filtering based on gate...

Page 417

2-8 to do… use the command… remarks enter ethernet port view interface interface-type interface-number — enable the arp packet rate limit function arp rate-limit enable required by default, the arp packet rate limit function is disabled on a port. Configure the maximum arp packet rate allowed on the...

Page 419

2-10 arp attack defense configuration example ii network requirements host a and host b are connected to gateway through an access switch (switch). The ip and mac addresses of gateway are 192.168.100.1/24 and 000d-88f8-528c. To prevent gateway spoofing attacks from host a and host b, configure arp p...

Page 421

2-12 z enable arp attack detection based on bindings of authenticated 802.1x clients on the switch to prevent arp attacks. Network diagram figure 2-6 network diagram for 802.1x based arp attack defense configuration procedures # enter system view. System-view # enable 802.1x authentication globally....

Page 423

Ii enabling unauthorized dhcp server detection ···········································································2-24 configuring ip address detecting ·································································································2-24 configuring dhcp accounting functions ...

Page 425: Dhcp Overview

1-1 1 dhcp overview when configuring dhcp, go to these sections for information you are interested in: z introduction to dhcp z dhcp ip address assignment z dhcp packet format z protocol specification introduction to dhcp with networks getting larger in size and more complicated in structure, lack o...

Page 427

1-3 by default, a dhcp client updates its ip address lease automatically by unicasting a dhcp-request packet to the dhcp server when half of the lease time elapses. The dhcp server responds with a dhcp-ack packet to notify the dhcp client of a new ip lease if the server can assign the same ip addres...

Page 429: Dhcp Server Configuration

2-1 2 dhcp server configuration when configuring the dhcp server, go to these sections for information you are interested in: z introduction to dhcp server z dhcp server configuration task list z enabling dhcp z configuring the global address pool based dhcp server z configuring the interface addres...

Page 431

2-3 1) if there is an address pool where an ip address is statically bound to the mac address or id of the client, the dhcp server will select this address pool and assign the statically bound ip address to the client. 2) otherwise, the dhcp server observes the following principles to select a dynam...

Page 433

2-5 to improve security and avoid malicious attacks to unused sockets, s4500 ethernet switches provide the following functions: z udp port 67 and udp port 68 ports used by dhcp are enabled only when dhcp is enabled. Z udp port 67 and udp port 68 ports are disabled when dhcp is disabled. The correspo...

Page 435

2-7 currently, only one ip address in a global dhcp address pool can be statically bound to a mac address or a client id. Follow these steps to configure the static ip address allocation mode: to do… use the command… remarks enter system view system-view — enter dhcp address pool view dhcp server ip...

Page 437

2-9 z in the same dhcp global address pool, the network command can be executed repeatedly. In this case, the new configuration overwrites the previous one. Z the dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple ip addresses that are not dynamically as...

Page 439

2-11 configuring gateways for the dhcp client gateways are necessary for dhcp clients to access servers/hosts outside the current network segment. After you configure gateway addresses on a dhcp server, the dhcp server provides the gateway addresses to dhcp clients as well while assigning ip address...

Page 441

2-13 for the configurations specifying to add sub-option 2, sub-option 3, and sub-option 4 in the response packets to take effect, you need to configure the dhcp server to add sub-option 1. Mechanism of using option 184 on dhcp server the dhcp server encapsulates the information for option 184 to ca...

Page 444

2-16 task remarks enabling the interface address pool mode on interface(s) required configuring the static ip address allocation mode configuring an address allocation mode for an interface address pool configuring the dynamic ip address allocation mode one of the two options is required. And these ...

Page 446

2-18 z the ip addresses statically bound in interface address pools and the interface ip addresses must be in the same network segment. Z there is no limit to the number of ip addresses statically bound in an interface address pool, but the ip addresses statically bound in interface address pools an...

Page 448

2-20 to do… use the command… remarks enter system view system-view — interface interface-type interface-number dhcp server dns-list ip-address & configure the current interface quit configure dns server addresses for dhcp clients configure multiple interfaces in system view dhcp server dns-list ip-a...

Page 450

2-22 follow these steps to configure option 184 parameters for the client with voice service: to do… use the command… remarks enter system view system-view — enter interface view interface interface-type interface-number — specify the primary network calling processor dhcp server voice-config ncp-ip...

Page 452

2-24 be cautious when configuring self-defined dhcp options because such configuration may affect the dhcp operation process. Configuring dhcp server security functions dhcp security configuration is needed to ensure the security of dhcp service. Prerequisites before configuring dhcp security, you s...

Page 454

2-26 dhcp accounting configuration prerequisites before configuring dhcp accounting, make sure that: z the dhcp server is configured and operates properly. Address pools and lease time are configured. Z dhcp clients are configured and dhcp service is enabled. Z the network operates properly. Configu...

Page 457

2-29 system-view [switcha] dhcp enable # configure the ip addresses that are not dynamically assigned. (that is, the ip addresses of the dns server, wins server, and gateways.) [switcha] dhcp server forbidden-ip 10.1.1.2 [switcha] dhcp server forbidden-ip 10.1.1.4 [switcha] dhcp server forbidden-ip ...

Page 459

2-31 dhcp accounting configuration example network requirements z the dhcp server connects to a dhcp client and a radius server respectively through ethernet 1/0/1 and ethernet 1/0/2. Z ethernet 1/0/1 belongs to vlan 2; ethernet 1/0/2 belongs to vlan 3. Z the ip address of vlan-interface 1 is 10.1.1...

Page 461

3-1 3 dhcp relay agent configuration when configuring the dhcp relay agent, go to these sections for information you are interested in: z introduction to dhcp relay agent z configuring the dhcp relay agent z displaying and maintaining dhcp relay agent configuration z dhcp relay agent configuration e...

Page 463

3-3 figure 3-2 padding contents for sub-option 1 of option 82 figure 3-3 padding contents for sub-option 2 of option 82 mechanism of option 82 supported on dhcp relay agent the procedure for a dhcp client to obtain an ip address from a dhcp server through a dhcp relay agent is similar to that for th...

Page 465

3-5 to improve security and avoid malicious attack to the unused sockets, s4500 ethernet switches provide the following functions: z udp 67 and udp 68 ports used by dhcp are enabled only when dhcp is enabled. Z udp 67 and udp 68 ports are disabled when dhcp is disabled. The corresponding implementat...

Page 467

3-7 currently, the dhcp relay agent handshake function on an s4500 series switch can only interoperate with a windows 2000 dhcp server. Enabling unauthorized dhcp server detection if there is an unauthorized dhcp server in the network, when a client applies for an ip address, the unauthorized dhcp s...

Page 470

3-10 solution z check if dhcp is enabled on the dhcp server and the dhcp relay agent. Z check if an address pool that is on the same network segment with the dhcp clients is configured on the dhcp server. Z check if a reachable route is configured between the dhcp relay agent and the dhcp server. Z ...

Page 472

4-2 figure 4-1 typical network diagram for dhcp snooping application dhcp snooping listens the following two types of packets to retrieve the ip addresses the dhcp clients obtain from dhcp servers and the mac addresses of the dhcp clients: z dhcp-request packet z dhcp-ack packet introduction to dhcp...

Page 474

4-4 when receiving a dhcp client’s request without option 82, the dhcp snooping device will add the option field with the configured sub-option and then forward the packet. For details, see table 4-2 . Table 4-2 ways of handling a dhcp packet without option 82 sub-option configuration the dhcp-snoop...

Page 476

4-6 z if an s4500 ethernet switch is enabled with dhcp snooping, the clients connected to it cannot dynamically obtain ip addresses through bootp. Z you need to specify the ports connected to the valid dhcp servers as trusted to ensure that dhcp clients can obtain valid ip addresses. The trusted por...

Page 478

4-8 configuring the circuit id sub-option follow these steps to configure the circuit id sub-option: to do… use the command… remarks enter system view system-view — enter ethernet port view interface interface-type interface-number — configure the circuit id sub-option in option 82 dhcp-snooping inf...

Page 480

4-10 to do… use the command… remarks enable ip filtering based on the dhcp-snooping table and the ip static binding table ip check source ip-address [ mac-address ] enable ip filtering enable ip filtering based on authenticated 802.1x clients ip check dot1x enable either command is required by defau...

Page 483

4-13 # specify ethernet 1/0/1 as the trusted port. [switch] interface ethernet 1/0/1 [switch-ethernet1/0/1] dhcp-snooping trust [switch-ethernet1/0/1] quit # enable ip filtering on ethernet 1/0/2, ethernet 1/0/3, and ethernet 1/0/4 to filter packets based on the source ip addresses/mac addresses. [s...

Page 485

5-2 configuring dhcp packet rate limit configuring dhcp packet rate limit follow these steps to configure rate limit of dhcp packets: to do… use the command… remarks enter system view system-view — enter port view interface interface-type interface-number — enable the dhcp packet rate limit function...

Page 487

5-4 [sysname-ethernet1/0/11] dhcp rate-limit 100

Page 489

6-2 configuring a dhcp/bootp client follow these steps to configure a dhcp/bootp client: to do… use the command… remarks enter system view system-view — enter vlan interface view interface vlan-interface vlan-id — configure the vlan interface to obtain ip address through dhcp or bootp ip address { b...

Page 491: Table of Contents

I table of contents 1 acl configuration·····································································································································1-1 acl overview ···············································································································...

Page 493

1-2 depth-first match order for rules of a basic acl 1) range of source ip address: the smaller the source ip address range (that is, the more the number of zeros in the wildcard mask), the higher the match priority. 2) fragment keyword: a rule with the fragment keyword is prior to others. 3) if the...

Page 495

1-4 an absolute time range on switch 4500 series can be within the range 1970/1/1 00:00 to 2100/12/31 24:00. Configuration procedure follow these steps to configure a time range: to do... Use the command... Remarks enter system view system-view — create a time range time-range time-name { start-time...

Page 497

1-6 configuration example # configure acl 2000 to deny packets whose source ip addresses are 192.168.0.1. System-view [sysname] acl number 2000 [sysname-acl-basic-2000] rule deny source 192.168.0.1 0 # display the configuration information of acl 2000. [sysname-acl-basic-2000] display acl 2000 basic...

Page 501

1-10 acl's step is 1 rule 0 deny 06 ff 27 applying acl rules on ports by applying acl rules on ports, you can filter packets on the corresponding ports. Configuration prerequisites you need to define an acl before applying it on a port. For information about defining an acl, refer to configuring bas...

Page 504

1-13 network diagram figure 1-3 network diagram for basic acl configuration configuration procedure # define a periodic time range that is active from 8:00 to 18:00 everyday. System-view [sysname] time-range test 8:00 to 18:00 daily # define acl 2000 to filter packets with the source ip address of 1...

Page 506

1-15 user-defined acl configuration example network requirements as shown in figure 1-6 , pc 1 and pc 2 are connected to the switch through ethernet 1/0/1 and ethernet 1/0/2 respectively. They belong to vlan 1 and access the internet through the same gateway, which has an ip address of 192.168.0.1 (...

Page 508: Table of Contents

I table of contents 1 qos configuration·····································································································································1-1 overview ···················································································································...

Page 510

1-2 and vod. As for other applications, such as transaction processing and telnet, although bandwidth is not as critical, a too long delay may cause unexpected results. That is, they need to get serviced in time even if congestion occurs. Newly emerging applications demand higher service performance...

Page 512

1-4 protocol or the port number of an application. Normally, traffic classification is done by checking the information carried in packet header. Packet payload is rarely adopted for traffic classification. The identifying rule is unlimited in range. It can be a quintuplet consisting of source addre...

Page 514

1-6 2) 802.1p priority 802.1p priority lies in layer 2 packet headers and is applicable to occasions where the layer 3 packet header does not need analysis but qos must be assured at layer 2. Figure 1-3 an ethernet frame with an 802.1q tag header as shown in the figure above, the 4-byte 802.1q tag h...

Page 516

1-8 priority marking the priority marking function is to reassign priority for the traffic matching an acl referenced for traffic classification. Z if 802.1p priority marking is configured, the traffic will be mapped to the local precedence corresponding to the re-marked 802.1p priority and assigned...

Page 518

1-10 the switch 4500 series support three queue scheduling algorithms: strict priority (sp) queuing, weighted fair queuing (wfq), and weighted round robin (wrr) queuing. 1) sp queuing figure 1-6 diagram for sp queuing sp queue-scheduling algorithm is specially designed for critical service applicati...

Page 520