3Com Switch 4500 PWR 26-Port Configuration Manual


Summary of Switch 4500 PWR 26-Port

  • Page 1

    3Com® Switch 4500 Family Configuration Guide: Switch 4500 26-Port, Switch 4500 50-Port, Switch 4500 PWR 26-Port, Switch 4500 PWR 50-Port. www.3com.com. Part No. 10015033, Rev. AB. Published: January 2007.

  • Page 2

    3Com Corporation, 350 Campus Drive, Marlborough, MA USA 01752-3064. Copyright © 2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without writt...

  • Page 3: Contents

    Contents. About This Guide: How This Guide Is Organized 11; Intended Readership 11; Conventions 12; Related Documentation 13. 1 Getting Started: Product Overview 15; Stacking Overview 16; Brief Introduction 16; Typical Networking Topology 16; Product Features 16; Logging in to the Switch 17; Setting Up Con...

  • Page 4

    3 VLAN Operation: VLAN Configuration 57; VLAN Overview 57; Configuring a VLAN 57; Displaying and Debugging VLAN 59; VLAN Configuration Example One 59; VLAN Configuration Example Two 60; Voice VLAN Configuration 61; Introduction to Voice VLAN 61; Voice VLAN Configuration 61; Displaying and Debugging of Voice ...

  • Page 5

    DHCP Relay Configuration Example One 90; DHCP Relay Configuration Example Two 91; Troubleshooting DHCP Relay Configuration 92; Access Management Configuration 93; Access Management Overview 93; Configuring Access Management 93; Displaying and Debugging Access Management 95; Access Management Configuration ...

  • Page 6

    Basic ACL Configuration Example 135; Link ACL Configuration Example 135; QoS Configuration 136; QoS Configuration 138; Setting Port Priority 138; Configuring Trust Packet Priority 138; Setting Port Mirroring 139; Configuring Traffic Mirroring 139; Setting Traffic Limit 141; Setting Line Limit 141; Configuring...

  • Page 7

    Configuration BPDU Forwarding Mechanism in STP 171; Implement RSTP on the Switch 172; RSTP Configuration 173; Enable/Disable RSTP on a Switch 176; Enable/Disable RSTP on a Port 177; Configure RSTP Operating Mode 177; Configure the STP-Ignore Attribute of VLANs on a Switch 177; Set Priority of a Specified B...

  • Page 8

    Configuring the User Name and Password for Fixed Mode 200; Configuring Domain Name Used by the MAC Address Authentication User 200; Configuring Centralized MAC Address Authentication Timers 200; Displaying and Debugging Centralized MAC Address Authentication 201; Auto VLAN 201; Configuration Example of C...

  • Page 9

    Erasing Configuration Files from Flash Memory 230; Configuring the Name of the Configuration File Used for the Next Startup 230; FTP Overview 231; Enabling/Disabling FTP Server 232; Configuring the FTP Server Authentication and Authorization 232; Configuring the Running Parameters of FTP Server 232; Disp...

  • Page 10

    Ping 252; Introduction to Remote-Ping 254; Remote-Ping Configuration 255; Introduction to Remote-Ping Configuration 255; Configuring Remote-Ping 255; Configuration Example 256; Logging Function 257; Introduction to Info-Center 257; Info-Center Configuration 260; Sending the Information to Loghost 263; Sending...

  • Page 11

    Adding/Deleting an Entry to/from the Extended RMON Alarm Table 291; Adding/Deleting an Entry to/from the Statistics Table 291; Displaying and Debugging RMON 291; RMON Configuration Example 292. 18 NTP Configuration: Overview 293; Applications of NTP 293; Implementation Principle of NTP 294; NTP Implementat...

  • Page 12

    Configuring the Minimum Password Length 343; Configuring History Password Recording 343; Configuring User Login Password in Encryption Mode 344; Configuring Login Attempts Limitation and Failure Procession Mode 344; Configuring the Timeout for User Password Authentication 345; Displaying Password Control...

  • Page 13: About

    About This Guide. This guide provides information about configuring your network using the commands supported on the 3Com® Switch 4500. How This Guide Is Organized: the Switch 4500 Configuration Guide consists of the following chapters: ■ Getting Started — details the main features and configurati...

  • Page 14

    12 About This Guide. Conventions: this guide uses the following conventions. Table 1 Icons (Icon | Notice type | Description): Information note: information that describes important features or instructions. Caution: information that alerts you to potential loss of data or potential damage to an application...

  • Page 15

    Related Documentation 13. Related Documentation: the 3Com Switch 4500 Getting Started Guide provides information about installation. The 3Com Switch 4500 Command Reference Guide provides all the information you need to use the configuration commands.

  • Page 16

    14 About This Guide.

  • Page 17: Getting Started

    1 Getting Started. This chapter covers the following topics: ■ Product Overview ■ Stacking Overview ■ Product Features ■ Logging in to the Switch ■ Command Line Interface ■ User Interface Configuration. Product Overview: Table 3 lists the models in the Switch 4500 family. The Switch 4500 family supp...

  • Page 18

    16 Chapter 1: Getting Started. Stacking Overview. Brief Introduction: with the 3Com Switch 4500, up to eight units can be operated together as a single larger logical unit to simplify administration. This is called stacking. Stacking allows you to add ports in a site or location incrementally, witho...

  • Page 19

    Logging in to the Switch 17. Logging in to the Switch. Setting Up the Configuration Environment Through the Console Port: 1 To set up the local configuration environment, connect the serial port of a PC (or a terminal) to the console port of the switch with the console cable (see Figure 2). Figure 2 Setti...

  • Page 20

    18 Chapter 1: Getting Started. ■ Databit = 8 ■ Parity check = none ■ Stopbit = 1 ■ Flow control = none ■ Terminal type = VT100. Figure 3 Setting up a new connection. Figure 4 Configuring the port for connection.

  • Page 21

    Logging in to the Switch 19. Figure 5 Setting communication parameters. 3 The switch is powered on and it displays self-test information. Press to show the command line prompt such as . 4 Enter a command to configure the switch or view the operation state. Enter a ? to view online help. For details of...

  • Page 22

    20 Chapter 1: Getting Started. Figure 6 Setting up the configuration environment through Telnet. 3 Run Telnet on the PC and enter the IP address of the VLAN connected to the network port on the PC. Figure 7 Running Telnet. 4 The terminal displays login authentication and prompts the user to enter th...

  • Page 23

    Logging in to the Switch 21. Figure 8 Providing Telnet client service. 1 Authenticate the Telnet user through the console port on the Telnet server (a switch) before login. By default, the password is required to authenticate Telnet users and to enable them to log on to the switch. If a user logs in t...

  • Page 24

    22 Chapter 1: Getting Started. [4500-ui-aux0]set authentication password simple xxxx (xxxx is the preset login password of the modem user.) 2 Perform the following configurations on the modem that is directly connected to the switch. (You are not required to configure the modem connected to the te...

  • Page 25

    Logging in to the Switch 23. Figure 10 Setting the dialed number. Figure 11 Dialing on the remote PC. 5 Enter the preset login password on the remote terminal emulator and wait for the prompt . Then you can configure and manage the switch. Enter ? to view online help. For details of specific commands, ...

  • Page 26

    24 Chapter 1: Getting Started. Command Line Interface: the Switch 4500 family provides a series of configuration commands and command line interfaces for configuring and managing the switch. The command line interface has the following characteristics: ■ Local configuration through the console port...

  • Page 27

    Command Line Interface 25. To prevent unauthorized users from illegal intrusion, the user will be identified when switching from a lower level to a higher level with the super [ level ] command. User ID authentication is performed when users at a lower level become users at a higher level. In other wor...

  • Page 28

    26 Chapter 1: Getting Started. Table 5 Features of command views (Command view | Function | Prompt | Command to enter | Command to exit): User view: show the basic information about operation and statistics; this is the view you are in after connecting to the switch; quit disconnects from the switch. System view: c...

  • Page 29

    Command Line Interface 27. Basic ACL view: define the rule of basic ACL; prompt [4500-acl-basic-2000]; enter acl number 2000 in system view; quit returns to system view, return returns to user view. Advanced ACL view: define the rule of advanced ACL; prompt [4500-acl-adv-3000]; enter acl number 3000 in system view; quit re...

  • Page 30

    28 Chapter 1: Getting Started. Features and Functions of Command Line. Command Line Help: the command line interface provides full and partial online help. You can get help information through the online help commands, which are described below: 1 Enter ? in any view to get all the commands in that ...

  • Page 31

    Command Line Interface 29. ...command buffer is defaulted as 10. That is, the command line interface stores 10 history commands for each user. The operations are shown in Table 7. Cursor keys can be used to retrieve the history commands in Windows 3.X terminal and Telnet. However, in Windows 9x HyperTe...

  • Page 32

    30 Chapter 1: Getting Started. User Interface Configuration. User Interface Overview: user interface configuration is another way provided by the switch to configure and manage the port data. Switch 4500 family switches support the following configuration methods: ■ Local configuration through the c...

  • Page 33

    User Interface Configuration 31. User Interface Configuration: tasks for configuring the user interface are described in the following sections: ■ Entering user interface view ■ Configuring the user interface-supported protocol ■ Configuring the attributes of the AUX (console) port ■ Configuring the termi...

  • Page 34

    32 Chapter 1: Getting Started. Perform the following configurations in user interface (AUX user interface only) view. Configuring the Transmission Speed on the AUX (Console) Port: by default, the transmission speed on the AUX (console) port is 19200 bps. Configuring the Flow Control on the AUX (Cons...

  • Page 35

    User Interface Configuration 33. Configuring the Terminal Attributes: the following commands can be used for configuring the terminal attributes, including enabling/disabling terminal service, disconnection upon timeout, lockable user interface, configuring terminal screen length, and history command ...

  • Page 36

    34 Chapter 1: Getting Started. Setting the Screen Length: if a command displays more than one screen of information, you can use the following command to set how many lines are displayed on a screen, so that the information can be separated into different screens and you can view it more convenient...

  • Page 37

    User Interface Configuration 35. Perform the following configuration in user interface view. Configure for password authentication when a user logs in through the VTY 0 user interface and set the password to 3com. [4500]user-interface vty 0 [4500-ui-vty0]authentication-mode password [4500-ui-vty0]set a...

  • Page 38

    36 Chapter 1: Getting Started. By default, the specified logged-in user can access the commands at level 1. Setting the Command Level Used After a User Logs in from a User Interface: you can use the following command to set the command level after a user logs in from a specific user interface, so t...

  • Page 39

    User Interface Configuration 37. Configuring Redirection. Send Command: the following command can be used for sending messages between user interfaces. Perform the following configuration in user view. Auto-Execute Command: the following command is used to automatically run a command after you log in. A...

  • Page 41: Port Operation

    2 Port Operation. This chapter covers the following topics: ■ Ethernet Port Configuration ■ Link Aggregation Configuration. Ethernet Port Configuration. Ethernet Port Overview: the following features are found in the Ethernet ports of the Switch 4500: ■ 10/100BASE-T Ethernet ports support MDI/MDI-X aut...

  • Page 42

    40 Chapter 2: Port Operation. Entering Ethernet Port View: before configuring an Ethernet port, enter Ethernet port view. Perform the following configuration in system view. Enabling/Disabling an Ethernet Port: use the following command to disable or enable the port. After configuring the related pa...

  • Page 43

    Ethernet Port Configuration 41. Note that 10/100BASE-T Ethernet ports support full duplex, half duplex and auto-negotiation, which can be set as required. Gigabit Ethernet ports support full duplex and can be configured to operate in full (full duplex) or auto (auto-negotiation) mode. The port defaul...

  • Page 44

    42 Chapter 2: Port Operation. Perform the following configuration in Ethernet port view. By default, Ethernet port flow control is disabled. Setting the Ethernet Port Suppression Ratio: use the following commands to restrict broadcast/multicast/unicast traffic. Once traffic exceeds the value set by...

  • Page 45

    Ethernet Port Configuration 43. By default, the port is an access port. Note that: ■ You can configure four types of ports concurrently on the same switch, but you cannot switch port type directly between trunk port, hybrid port and stack port. You must first return it to access port and then set it as the othe...

  • Page 46

    44 Chapter 2: Port Operation. ...port, you can configure it to tag some VLAN packets, based on which the packets can be processed differently. Setting the Default VLAN ID for the Ethernet Port: because the access port can only be included in one VLAN, its default VLAN is the one to which it belongs. Beca...

  • Page 47

    Ethernet Port Configuration 45. By default, port loopback detection and the loopback detection control function on trunk and hybrid ports are disabled. The detection interval is 30 seconds, and the system detects the default VLAN on the trunk and hybrid ports. Copying Port Configuration to Other Port...

  • Page 48

    46 Chapter 2: Port Operation. Enter the loopback command in Ethernet port view to check whether the Ethernet port works normally. In the process of the loopback test, the port cannot forward any packets. The loop test will finish automatically after a short time. Note that: ■ The loopback test can...

  • Page 49

    Link Aggregation Configuration 47. Networking Diagram: Figure 12 Configuring the default VLAN for a trunk port. Configuration Procedure: the following configurations are used for Switch A. Configure Switch B in a similar way. 1 Enter the Ethernet port view of Ethernet1/0/1. [4500]interface ethernet1/0...

  • Page 50

    48 Chapter 2: Port Operation. The basic configuration includes STP setting, QoS setting, VLAN setting, and port setting. The STP setting includes STP enabling/disabling, link attribute (point-to-point or not), STP priority, path cost, max transmission speed, loop protection, root protection, edge ...

  • Page 51

    Link Aggregation Configuration 49. ...with the minimum port number serves as the master port, while the others are sub-ports. In a manual aggregation group, the system sets the ports to active or inactive state by using these rules: ■ The system sets the port with the highest priority to active state, and ot...

  • Page 52

    50 Chapter 2: Port Operation. ...systems as well as under manual control through direct manipulation of the state variables of link aggregation (for example, keys) by a network manager. Dynamic LACP aggregation can be established even for a single port, which is called single port aggregation. LACP is e...

  • Page 53

    Link Aggregation Configuration 51. A load sharing aggregation group may contain several selected ports, but a non-load sharing aggregation group can only have one selected port, while the others are standby ports. Selection criteria of selected ports vary for different types of aggregation groups. Link a...

  • Page 54

    52 Chapter 2: Port Operation. ...aggregation group: when you delete a manual aggregation group, all its member ports are disaggregated; when you delete a static or dynamic LACP aggregation group, its member ports form one or several dynamic LACP aggregation groups. Perform the following configuration...

  • Page 55

    Link Aggregation Configuration 53. ■ Port with 802.1x enabled. ■ You must delete the aggregation group, instead of the port, if the manual or static LACP aggregation group contains only one port. Setting/Deleting the Aggregation Group Descriptor: perform the following configuration in system view. By ...

  • Page 56

    54 Chapter 2: Port Operation. Perform the following configuration in Ethernet port view. By default, port priority is 32768. Displaying and Debugging Link Aggregation: after the above configuration, enter the display command in any view to display the running of the link aggregation configuration, ...

  • Page 57

    Link Aggregation Configuration 55. Networking Diagram: Figure 13 Networking for link aggregation. Configuration Procedure: the following only lists the configuration for Switch A; configure Switch B similarly. 1 Manual link aggregation. a Create manual aggregation group 1. [4500]link-aggregation group 1 ...

  • Page 58

    56 Chapter 2: Port Operation.

  • Page 59: VLAN Operation

    3 VLAN Operation. This chapter covers the following topics: ■ VLAN Configuration ■ Voice VLAN Configuration. VLAN Configuration. VLAN Overview: a virtual local area network (VLAN) creates logical groups of LAN devices into segments to implement virtual workgroups. IEEE issued IEEE 802.1Q in 1999, w...

  • Page 60

    58 Chapter 3: VLAN Operation. Note that the default VLAN, namely VLAN 1, cannot be deleted. Adding Ethernet Ports to a VLAN: use the following command to add Ethernet ports to a VLAN. Perform the following configuration in VLAN view. By default, the system adds all the ports to a default VLAN, whose...

  • Page 61

    VLAN Configuration 59. Create a VLAN first before creating an interface for it. For this configuration task, vlan_id takes the VLAN ID. Shutting Down/Enabling the VLAN Interface: use the following command to shut down/enable a VLAN interface. Perform the following configuration in VLAN interface view....

  • Page 62

    60 Chapter 3: VLAN Operation. Networking Diagram: Figure 14 VLAN configuration example 1. Configuration Procedure: 1 Create VLAN 2 and enter its view. [4500]vlan 2 2 Add Ethernet1/0/1 and Ethernet1/0/2 to VLAN 2. [4500-vlan2]port ethernet1/0/1 to ethernet1/0/2 3 Create VLAN 3 and enter its view. [4500-...

  • Page 63

    Voice VLAN Configuration 61. Voice VLAN Configuration. Introduction to Voice VLAN: voice VLAN is specially designed for users' voice flow, and it distributes different port precedence in different cases. The system uses the source MAC of the traffic traveling through the port to identify the IP phone d...

  • Page 64

    62 Chapter 3: VLAN Operation. ■ Setting/removing the OUI address learned by voice VLAN ■ Enabling/disabling voice VLAN security mode ■ Enabling/disabling voice VLAN auto mode ■ Setting the aging time of voice VLAN. If you change the status of voice VLAN security mode, you must first enable voice VLA...

  • Page 65

    Voice VLAN Configuration 63. There are four default OUI addresses after the system starts. Enabling/Disabling Voice VLAN Security Mode: in security mode, the system can filter out the traffic whose source MAC is not an OUI address within the voice VLAN, while the other VLANs are not influenced. If security mode ...

  • Page 66

    64 Chapter 3: VLAN Operation. Perform the following configuration in system view. The default aging time is 1440 minutes. Displaying and Debugging of Voice VLAN: after completing the above configuration, enter the display command in any view to view the configuration and running state of voice VLAN....

  • Page 67

    Configuring Voice VLAN with a PC Downstream from Phone 65. [4500-ethernet1/0/2]quit [4500]undo voice vlan mode auto [4500]voice vlan mac_address 0011-2200-0000 mask ffff-ff00-0000 description private [4500]voice vlan 2 enable [4500]voice vlan aging 100. Configuring Voice VLAN with a PC Downstream fro...

  • Page 68

    66 Chapter 3: VLAN Operation. ■ Be sure that the OUI of the phone is included in the OUI table. This will certainly be the case by default for 3Com NBX phones but should be checked for non-3Com phones. ■ If a PWR unit is being used to power the VoIP phone, you must enable PoE on the required ports. ■...

  • Page 69

    Configuring Voice VLAN with a PC Downstream from Phone 67. Figure 19 DHCP scopes. 2 Connect the NBX call processor (IP address is 10.10.11.192/24), 3Com NBX phones (2102PE) 1 and 2 to port 11, 6 or 7, and 9 on the switch, respectively. Attach a PC (TPC4) to phone 1. 3 Port 6 is a hybrid port while por...

  • Page 70

    68 Chapter 3: VLAN Operation. ...level 2 local-user monitor service-type ssh telnet terminal level 1 # acl number 4999 rule 0 deny dest 0000-0000-0000 ffff-ffff-ffff # vlan 1 igmp-snooping enable # vlan 5 # vlan 50 # interface vlan-interface1 ip address dhcp-alloc rip version 2 multicast # interface v...

  • Page 71

    Configuring Voice VLAN with a PC Downstream from Phone 69. interface ethernet1/0/6 poe enable stp edged-port enable port link-type hybrid port hybrid vlan 5 untagged undo port hybrid vlan 1 port hybrid pvid vlan 5 broadcast-suppression pps 3000 priority trust voice vlan enable packet-filter inbound l...

  • Page 72

    70 Chapter 3: VLAN Operation. stp edged-port enable broadcast-suppression pps 3000 priority trust packet-filter inbound link-group 4999 rule 0 # interface ethernet1/0/14 poe enable stp edged-port enable broadcast-suppression pps 3000 priority trust packet-filter inbound link-group 4999 rule 0 # int...

  • Page 73

    Configuring Voice VLAN with a PC Downstream from Phone 71. packet-filter inbound link-group 4999 rule 0 # interface ethernet1/0/23 poe enable stp edged-port enable broadcast-suppression pps 3000 priority trust packet-filter inbound link-group 4999 rule 0 # interface ethernet1/0/24 poe enable stp edge...

  • Page 74

    72 Chapter 3: VLAN Operation. undo port hybrid vlan 1 port hybrid pvid vlan 5 broadcast-suppression pps 3000 priority trust voice vlan enable packet-filter inbound link-group 4999 rule 0 # interface ethernet1/0/7 poe enable stp edged-port enable port link-type trunk undo port trunk permit vlan 1 p...

  • Page 75: Power over Ethernet Configuration

    4 Power over Ethernet Configuration. This chapter covers the following topics: ■ PoE Overview ■ PoE Configuration. PoE Overview: the Switch 4500 26 Port PWR and Switch 4500 50 Port PWR support Power over Ethernet (PoE). This feature uses twisted pairs to provide -44 through -62 VDC power to remote p...

  • Page 76

    74 Chapter 4: Power over Ethernet Configuration. ■ When using the PWR switches to supply power to remote PDs, the PDs need not have any external power supply. ■ If a remote PD has an external power supply, the PWR switches and the external power supply will be redundant with each other for the PD...

  • Page 77

    PoE Configuration 75. Setting the Maximum Power Output on a Port: the maximum power that can be supplied by an Ethernet port of the Switch 4500 26-Port PWR and Switch 4500 50-Port PWR to its PD is 15400 mW. In practice, you can set the maximum power on a port depending on the actual power of the PD, w...

  • Page 78

    76 Chapter 4: Power over Ethernet Configuration. Table 69 Setting the power supply management mode on the switch. By default, the power supply management mode on the switch is auto. Setting the Port Priority: set the priority of the current port in Ethernet port view. Table 70 Setting the port pri...

  • Page 79

    PoE Configuration 77. Upgrading the PSE Processing Software Online: the online upgrading of PSE processing software can update the processing software or repair the software if it is damaged. After the upgrade files are downloaded, you can use the following command to perform online upgrading on the PSE...

  • Page 80

    78 Chapter 4: Power over Ethernet Configuration. ...to guarantee the power feeding to the PD that will be connected to Ethernet1/0/24 even when the Switch 4500 PWR is in full load. Network Diagram: Figure 20 PoE remote power supply. Configuration Procedure: update the PSE processing software online...

  • Page 81: Network Protocol Operation

    5 Network Protocol Operation. This chapter covers the following topics: ■ IP Address Configuration ■ ARP Configuration ■ DHCP Configuration ■ Access Management Configuration ■ UDP Helper Configuration ■ IP Performance Configuration. IP Address Configuration. IP Address Overview. IP Address Classifica...

  • Page 82

    80 Chapter 5: Network Protocol Operation. The IP address is in dotted decimal format. Each IP address contains 4 integers in dotted decimal notation. Each integer corresponds to one byte, for example, 10.110.50.101. When using IP addresses, note that some of them are reserved for special uses, an...

  • Page 83

    IP Address Configuration 81. A mask is a 32-bit number corresponding to an IP address. The number consists of 1s and 0s. In principle, these 1s and 0s can be combined randomly. However, the first consecutive bits are set to 1s when designing the mask. The mask divides the IP address into two parts: su...

  • Page 84

    82 Chapter 5: Network Protocol Operation. The IP address configuration is described in the following sections: ■ Configuring the hostname and host IP address ■ Configuring the IP address of the VLAN interface. Configuring the Hostname and Host IP Address: the host name corresponds to the IP add...

  • Page 85

    ARP Configuration 83. IP Address Configuration Example. Networking Requirements: configure the IP address as 129.2.2.1 and subnet mask as 255.255.255.0 for VLAN interface 1 of the switch. Networking Diagram: Figure 23 IP address configuration networking. Configuration Procedure: 1 Enter VLAN interface 1. ...

  • Page 86

    84 Chapter 5: Network Protocol Operation. ...if a dynamic ARP mapping entry is not in use for a specified period of time, the host will remove it from the ARP mapping table so as to save memory space and shorten the interval for the switch to search the ARP mapping table. Suppose there are two hosts on the s...

  • Page 87

    ARP Configuration 85. By default, the ARP mapping table is empty and the address mapping is obtained through dynamic ARP. Note that: ■ A static ARP map entry will always be valid as long as the switch works normally. But if the VLAN corresponding to the ARP mapping entry is deleted, the ARP mapping ent...

  • Page 88

    86 Chapter 5: Network Protocol Operation. By default, this feature is enabled. Displaying and Debugging ARP: after the above configuration, enter the display command in any view to display the running of the ARP configuration, and to verify the effect of the configuration. Enter the debugging comm...

  • Page 89

    DHCP Configuration 87. Figure 24 Typical DHCP application. To obtain valid dynamic IP addresses, the DHCP client exchanges different types of information with the server at different stages. One of the following three situations may occur: ■ A DHCP client logs into the network for the first time when...

  • Page 90

    88 Chapter 5: Network Protocol Operation. ■ If the requested IP address becomes unavailable (for example, having been allocated to another client), the DHCP server returns the DHCP_NAK message. After receiving the DHCP_NAK message, the client sends the DHCP_DISCOVER message to request another new...

  • Page 91

    DHCP Configuration 89. ■ The DHCP server determines a correct configuration based on the information from the client and returns the configuration information back to the client through DHCP relay. In fact, several such interactions may be needed to complete a DHCP relay configuration. DHCP Client Co...

  • Page 92

    90 Chapter 5: Network Protocol Operation. Configuring the DHCP Server Group for the VLAN Interfaces: perform the following configuration in VLAN interface view. By default, no DHCP server corresponds to VLAN interfaces. When associating a VLAN interface to a new DHCP server group, you can configur...

  • Page 93

    DHCP Configuration 91. Networking Diagram: Figure 26 Configuring DHCP relay. Configuration Procedure: 1 Create a DHCP server group that will use two DHCP servers (a master and an optional backup) and assign it the IP addresses of the two DHCP servers (the first IP address is the master). [4500]dhcp-serv...

  • Page 94

    92 Chapter 5: Network Protocol Operation. Networking Diagram: Figure 27 Networking diagram of DHCP relay configuration. Configuration Procedure: 1 Configure the group number of the DHCP server as 1 and the IP address as 202.38.1.2. [4500]dhcp-server 1 ip 202.38.1.2 2 Associate VLAN interface 2 with ...

  • Page 95

    Access Management Configuration 93. ...debugging dhcp-relay in user view and then use the terminal debugging command to output the debugging information to the console. In this way, you can view the detailed information of all DHCP packets on the console as they apply for the IP address, and so locate t...

  • Page 96

    94 Chapter 5: Network Protocol Operation. By default, the IP address pools for access management on the port are null and all the packets are permitted. Note that if the IP address pool to be configured contains the IP addresses configured in the static ARP at other ports, then the system prompts...

  • Page 97

    Access Management Configuration 95. Enabling/Disabling Access Management Trap: you can enable the access management trap function using the following commands. When this function is enabled, the trap information of access management is delivered to the console for the purpose of monitoring. Perform th...

  • Page 98

    96 Chapter 5: Network Protocol Operation. 2 Configure the IP address pool for access management on port 1. [4500]interface ethernet1/0/1 [4500-ethernet1/0/1]am ip-pool 202.10.20.1 20 3 Add port 1 into the isolation group. [4500-ethernet1/0/1]port isolate 4 Configure the IP address pool for access man...

  • Page 99

    UDP Helper Configuration 97. UDP Helper Configuration: UDP helper configuration includes: ■ Enabling/disabling the UDP helper function ■ Configuring a UDP port with the relay function ■ Configuring the relay destination server for broadcast packets. Enabling/Disabling the UDP Helper Function: when the UDP helper func...

  • Page 100

    98 Chapter 5: Network Protocol Operation. For example, the udp-helper port 53 command is equivalent to the udp-helper port dns command in function. ■ The default UDP ports are not displayed when using the display current-configuration command. But its ID is displayed after its relay function is d...

  • Page 101

    IP Performance Configuration 99. Networking Diagram: Figure 29 Networking for UDP helper configuration. Configuration Procedure: 1 Enable the UDP helper function. [4500]udp-helper enable 2 Set to relay-forward the broadcast packets with destination UDP port 55. [4500]udp-helper port 55 3 Set the IP address ...

  • Page 102

    100 Chapter 5: Network Protocol Operation. By default, the TCP finwait timer is 675 seconds, the synwait timer is 75 seconds, and the receiving/sending buffer size of a connection-oriented socket is 8K bytes. Displaying and Debugging IP Performance: after the above configuration, enter the display c...

  • Page 103

    IP Performance Configuration 101. ■ Use the terminal debugging command to output the debugging information to the console. ■ Use the command debugging udp packet to enable UDP debugging to trace the UDP packet. The following are the UDP packet formats: UDP output packet: Source IP address:202.38....


  • Page 105: IP Routing Protocol Operation

    [Chapter 6: IP Routing Protocol Operation] IP routing protocol overview: routers select an appropriate path through a network for an IP packet according to the packet's destination address. Each router on the path receives the packet and forwards it to the next router. The last router in the path submit...

  • Page 106

    [Chapter 6: IP Routing Protocol Operation, p. 104] the optimal route. For example, routing through three LAN route segments may be much faster than routing through two WAN route segments. Configuring the IP routing protocol is described in the following sections: selecting routes through the routing...

  • Page 107

    [IP Routing Protocol Overview, p. 105] In the complex internet configuration shown in Figure 31, the number in each network is the network address. Router R8 is connected to three networks, so it has three IP addresses and three physical ports. Its routing table is shown in Figure 2. Figure 31 ...

  • Page 108

    [Chapter 6: IP Routing Protocol Operation, p. 106] Supporting load sharing and route backup. I. Load sharing: the Switch 4500 supports multi-route mode, allowing the user to configure multiple routes that reach the same destination with the same precedence. The same destination can be reached via mul...

  • Page 109

    [Static Routes, p. 107] The following routes are static routes: reachable route: the IP packet is sent to the next hop towards the destination; this is the common type of static route. Unreachable route: when a static route to a destination has the reject attribute, all IP packets to this destinat...

  • Page 110

    [Chapter 6: IP Routing Protocol Operation, p. 108] The parameters are explained as follows: IP address and mask: the IP address and mask use dotted decimal format. Because the 1s in the 32-bit mask must be consecutive, the dotted decimal mask can also be replaced by the mask length, which refers to the dig...

  • Page 111

    [Static Routes, p. 109] Displaying and debugging static routes: after you configure static and default routes, execute the display command in any view to display the static route configuration and verify the effect of the configuration. Example: typical static route configuration. Networking requirement...

  • Page 112

    [Chapter 6: IP Routing Protocol Operation, p. 110] [Switch A]ip route-static 1.1.5.0 255.255.255.0 1.1.2.2 2. Configure the static routes for Ethernet Switch B: [Switch B]ip route-static 1.1.2.0 255.255.255.0 1.1.3.1 [Switch B]ip route-static 1.1.5.0 255.255.255.0 1.1.3.1 [Switch B]ip route-static 1.1.1....

  • Page 113

    [RIP, p. 111] Next hop address: the address of the next router that an IP packet passes through to reach the destination. Interface: the interface through which the IP packet should be forwarded. Cost: the cost for the router to reach the destination, an integer in the rang...

  • Page 114

    [Chapter 6: IP Routing Protocol Operation, p. 112] After RIP is disabled, the interface-related features also become invalid. The RIP configuration tasks are described in the following sections: enabling RIP and entering the RIP view; enabling RIP on a specified network; configuring unicast RIP me...

  • Page 115

    [RIP, p. 113] has been specified. RIP does not receive or send routes on an interface that is not on the specified network, and does not forward its interface route. When the network command is used with an address, the effect is to enable the interface of the network with this address. For example, for n...

  • Page 116

    [Chapter 6: IP Routing Protocol Operation, p. 114] By default, the interface receives and sends RIP-1 packets. It transmits packets in multicast mode when the interface RIP version is set to RIP-2. Configuring RIP timers: as stipulated in RFC 1058, RIP is controlled by three timers: period update, t...

  • Page 117

    [RIP, p. 115] Perform the following configurations in RIP view. Specifying the operating state of the interface: in interface view, you can specify whether RIP update packets are sent and received on the interface. In addition, you can specify whether an interface sends or receives RIP update packets. ...

  • Page 118

    [Chapter 6: IP Routing Protocol Operation, p. 116] Enabling RIP-2 route aggregation: route aggregation means that different subnet routes in the same natural network can be aggregated into one natural-mask route for transmission when they are sent to other networks. Route aggregation can be performed t...

  • Page 119

    [RIP, p. 117] generation of routing loops, but in some special cases split horizon must be disabled to obtain correct advertising, at the cost of efficiency. Disabling split horizon has no effect on point-to-point links but is applicable on Ethernet. Perform the following configuration in interface vie...

  • Page 120

    [Chapter 6: IP Routing Protocol Operation, p. 118] Setting the RIP preference: each routing protocol has its own preference, by which the routing policy selects the optimal route among the routes of different protocols. The greater the preference value, the lower the preference. The preference of RIP can...

  • Page 121

    [RIP, p. 119] Configuring RIP to filter the received routes; configuring RIP to filter the distributed routes. By default, RIP does not filter the received and distributed routing information. The filter-policy import command filters the RIP routes received from neighbors, and the routes that cannot p...

  • Page 122

    [Chapter 6: IP Routing Protocol Operation, p. 120] Example: typical RIP configuration. Networking requirements: as shown in Figure 33, Switch C connects to the subnet 117.102.0.0 through the Ethernet port. The Ethernet ports of Switch A and Switch B are connected to the networks 155.10.1.0 and 196.38.1...

  • Page 123

    [IP Routing Policy, p. 121] 3. Configure RIP on Switch C: [Switch C]rip [Switch C-rip]network 117.102.0.0 [Switch C-rip]network 110.11.2.0 Troubleshooting RIP: the Switch 4500 cannot receive the update packets although the physical connection to the peer routing device is normal. RIP does not operate on the co...

  • Page 124

    [Chapter 6: IP Routing Protocol Operation, p. 122] the route is permitted by a single node in the route-policy, the route passes the matching test of the route policy without attempting the test of the next node. ACL: the access control list (ACL) used by the route policy can be divided into three type...

  • Page 125

    [IP Routing Policy, p. 123] Perform the following configurations in system view. The permit parameter specifies that if a route satisfies all the if-match clauses of a node, the route passes the filtering of the node and the apply clauses of the node are executed without taking the test of the next node...

  • Page 126

    [Chapter 6: IP Routing Protocol Operation, p. 124] By default, no matching is performed. The if-match clauses of a node in the route policy require that the route satisfy all the clauses to match the node before the actions specified by the apply clauses can be executed. If no if-match clauses are sp...

  • Page 127

    [IP Routing Policy, p. 125] Perform the following configurations in system view. During matching, the router checks the list items identified by index_number in ascending order. As soon as one list item meets the condition, the route has passed the ip-prefix filtering (and does not enter the testi...
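The node and ip-prefix evaluation order described on pages 122 to 125 (first matching node decides, if-match clauses are ANDed, an empty if-match matches everything, ip-prefix items are checked in ascending index order) is modelled below. This is an added example written for this page, not code from the 3Com manual. The defaults it assumes where the excerpt is silent are that a route matching no ip-prefix item or no route-policy node is denied, and that an item without greater-equal/less-equal matches only routes whose prefix length equals the item's mask length; the prefix list and policy contents are constructed.

```python
"""Model of route-policy and ip-prefix evaluation as described in the
IP routing policy section (pages 122 to 125).

Added example; it is not code from the 3Com manual. Assumed semantics:
a route matching no ip-prefix item is denied, a route matching no
route-policy node is denied, and an ip-prefix item with neither
greater-equal nor less-equal matches only routes whose length equals the
item's mask length.
"""
from ipaddress import ip_network


def ip_prefix_permits(items, prefix):
    """items: list of (index, action, 'a.b.c.d/len', greater_equal, less_equal).

    Items are checked in ascending index order; the first item whose
    address block and length range cover the route decides the result.
    """
    route = ip_network(prefix)
    for _index, action, item_prefix, ge, le in sorted(items, key=lambda i: i[0]):
        item = ip_network(item_prefix)
        low = item.prefixlen if ge is None else ge
        if le is None:
            high = low if ge is None else 32
        else:
            high = le
        if route.network_address in item and low <= route.prefixlen <= high:
            return action == 'permit'
    return False  # assumed default: no item matched


def route_policy(nodes, route):
    """nodes: list of (node_number, action, if_match, apply_clauses).

    Nodes are evaluated in ascending node order. A node matches when the
    route satisfies every if-match clause; an empty if_match matches every
    route. The first matching node decides: 'permit' applies its apply
    clauses and passes the route, 'deny' drops it; later nodes are not
    consulted.
    """
    for _number, action, if_match, apply_clauses in sorted(nodes, key=lambda n: n[0]):
        if 'ip_prefix' in if_match and not ip_prefix_permits(if_match['ip_prefix'], route['prefix']):
            continue
        if 'cost' in if_match and route.get('cost') != if_match['cost']:
            continue
        if action == 'permit':
            return 'permit', {**route, **apply_clauses}
        return 'deny', dict(route)
    return 'deny', dict(route)  # assumed default: no node matched


# Constructed sample policy: accept only 172.16.0.0/12 subnets between /12
# and /24, set their cost to 50, and drop everything else.
PREFIX_LIST = [
    (10, 'permit', '172.16.0.0/12', 12, 24),
    (20, 'deny', '0.0.0.0/0', 0, 32),
]
FILTER_POLICY = [
    (10, 'permit', {'ip_prefix': PREFIX_LIST}, {'cost': 50}),
    (20, 'deny', {}, {}),
]
# The misconfiguration from the troubleshooting note: no permit node at all.
DENY_ONLY_POLICY = [(10, 'deny', {}, {})]


if __name__ == '__main__':
    for prefix in ('172.16.5.0/24', '172.0.0.0/8', '10.1.0.0/16'):
        print(prefix, route_policy(FILTER_POLICY, {'prefix': prefix, 'cost': 3}))
```

Run it and note that 172.0.0.0/8 is denied even though it overlaps the permitted block: its length is outside the greater-equal/less-equal window, so item 10 does not match and item 20 catches it, which is the kind of "filtering does not work" symptom the troubleshooting section on page 127 points at.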

  • Page 128

    [Chapter 6: IP Routing Protocol Operation, p. 126] Networking diagram: Figure 34, filtering the received routing information. Configuration procedure: 1. Configure Switch A: a. Configure the IP address of the VLAN interface. [Switch A]interface vlan-interface 100 [Switch A-vlan-interface100]ip address 10.0.0.1 ...

  • Page 129

    [IP Routing Policy, p. 127] Troubleshooting routing protocols. Routing information filtering cannot be implemented in normal operation of the routing protocol: check for the following faults. The if-match mode of at least one node of the route policy should be permit mode. When a route policy is used ...


  • Page 131: ACL Configuration

    [Chapter 7: ACL Configuration] This chapter covers the following topics: brief introduction to ACL; QoS configuration; ACL control configuration. Brief introduction to ACL: a series of matching rules are required for network devices to identify the packets to be filtered. After identifying the packets, ...

  • Page 132

    [Chapter 7: ACL Configuration, p. 130] The depth-first principle is to put the statement specifying the smallest range of packets at the top of the list. This is implemented by comparing the wildcards of the addresses: the smaller the wildcard, the fewer hosts it can specify. For example, 129...

  • Page 133

    [Brief Introduction to ACL, p. 131] If an ACL is used to filter or classify data forwarded by the switch hardware, the match order defined in the acl command is not effective. If an ACL is used to filter or classify data processed by the switch software, the match order of the ACL's sub...

  • Page 134

    [Chapter 7: ACL Configuration, p. 132] Note that port1 and port2 in the above command specify the TCP or UDP ports used by various higher-layer applications. For some common port numbers, you can use the mnemonic symbols as a shortcut. For example, "bgp" can represent TCP port 179 used by BGP. ...

  • Page 135

    [Brief Introduction to ACL, p. 133] Table 131: defining the user-defined ACL. rule-string is a character string defined by the user, made up of a hexadecimal string with an even number of characters. rule-mask and offset are used to extract the packet information. Here, rule-mask is the rule mask, used fo...

  • Page 136

    [Chapter 7: ACL Configuration, p. 134] The matched information of the display acl command shows the rules processed by the switch's CPU. For syntax descriptions, refer to the command reference guide. Advanced ACL configuration example. Networking requirements: the interconnection between different department...

  • Page 137

    [Brief Introduction to ACL, p. 135] Activate ACL 3000. [4500-gigabitethernet1/0/50]packet-filter inbound ip-group 3000 rule 1 Basic ACL configuration example. Networking requirements: using a basic ACL, filter packets whose source IP address is 10.1.1.1 during the time range 8:00 to 18:00 every day. The...

  • Page 138

    [Chapter 7: ACL Configuration, p. 136] Networking diagram: Figure 37, access control configuration example. Configuration procedure: in the following configurations, only the commands related to ACL configuration are listed. 1. Define the time range from 8:00 to 18:00. [4500]time-range 3co...

  • Page 139

    [QoS Configuration, p. 137] Packet filter: the packet filter is used to filter traffic. For example, the "deny" operation discards the traffic that matches a traffic classification rule while allowing other traffic to pass. With complex traffic classification rules, the switch enables the ...

  • Page 140

    [Chapter 7: ACL Configuration, p. 138] QoS configuration. The process of traffic-based QoS: 1. identify the traffic by ACL; 2. perform the QoS operation on the traffic. The configuration steps of traffic-based QoS: 1. define the ACL; 2. configure the QoS operation. If QoS is not based on traffic, you need not d...

  • Page 141

    [QoS Configuration, p. 139] Setting port mirroring: port mirroring means duplicating the data on the monitored port to the designated mirror port for data analysis and supervision. The switch supports one monitor port and multiple mirroring ports. If several switches form a fabric, multiple mirrori...

  • Page 142

    [Chapter 7: ACL Configuration, p. 140] Only one monitor port can be configured on one switch. If a group of switches form a fabric, only one monitor port can be configured on the fabric. 2. Configure traffic mirroring: perform the following configuration in Ethernet port view. Table 141: configuring tr...

  • Page 143

    [QoS Configuration, p. 141] Table 145: map configuration. By default, the switch uses the default mapping relationship. Setting traffic limit: traffic limit refers to rate limiting based on traffic. If the traffic threshold is exceeded, corresponding measures are taken, for example dropping the excess p...

  • Page 144

    [Chapter 7: ACL Configuration, p. 142] Perform the following configuration in Ethernet port view. Table 148: configuring the WRED operation. For details about the command, refer to the command reference guide. Displaying and debugging QoS configuration: you can use the display command in any view to see th...

  • Page 145

    [QoS Configuration, p. 143] Networking diagram: Figure 38, QoS configuration example. Configuration procedure: only the commands concerning QoS/ACL configuration are listed here. 1. Define outbound traffic for the wage server. a. Enter numbered advanced ACL view. [4500]acl number 3000 b. Define the traffic-of-pa...

  • Page 146

    [Chapter 7: ACL Configuration, p. 144] Networking diagram: Figure 39, QoS configuration example. Configuration procedure: define port mirroring, with the monitoring port being Ethernet3/0/8. [4500-ethernet3/0/8]monitor-port [4500-ethernet3/0/1]mirroring-port both ACL control configuration: the switch provides th...

  • Page 147

    [ACL Control Configuration, p. 145] Configuration tasks: Table 150 lists the commands that you can execute to configure the Telnet or SSH user ACL. By default, incoming/outgoing calls are not restricted on the user interface. You can only use number-based ACLs for Telnet or SSH user ACL control. When t...

  • Page 148

    [Chapter 7: ACL Configuration, p. 146] ACLs, incoming/outgoing calls are restricted on the basis of source MAC addresses. As a result, when you use the rules of L2 ACLs, only the source MAC and the corresponding mask, and the time-range keyword, take effect. When you control Telnet and SSH users o...

  • Page 149

    [ACL Control Configuration, p. 147] Basic ACL configuration example. Configuration prerequisites: only the Telnet users whose IP addresses are 10.110.100.52 and 10.110.100.46 are allowed to access the switches. Figure 41: source IP control over Telnet users accessing the switch. Configuration steps: # Define basic AC...

  • Page 150

    [Chapter 7: ACL Configuration, p. 148] ACL control over users accessing switches by SNMP: the switch supports remote management through network management software. Network management users can access switches through the Simple Network Management Protocol (SNMP). ACL control over these users can filter illeg...

  • Page 151

    [ACL Control Configuration, p. 149] The snmp-agent community, snmp-agent group and snmp-agent usm-user commands can use different ACLs. You can only use number-based basic ACLs for ACL control over network management users. Configuration example. Network requirements: only the SNMP users with the IP addr...

  • Page 152

    [Chapter 7: ACL Configuration, p. 150] Figure 42: ACL control over SNMP users of the switch. Configuration steps: # Define basic ACLs and rules. system-view System View: return to User View with Ctrl+Z. [4500]acl number 2000 match-order config [4500-acl-basic-2000]rule 1 permit source 10.110.100.52 0 [45...
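The basic-ACL behaviour that pages 130 and 131 describe (depth-first versus configuration match order, decided by comparing wildcards) and the login-control examples on pages 147 to 150 (ACL 2000 permitting only two management hosts) are modelled below. This is an added example written for this page, not the switch's own code. It treats a rule as (action, source, wildcard) exactly as in `rule 1 permit source 10.110.100.52 0`; the default applied to a source that matches no rule is a parameter, because the excerpt does not state it, and ACL 2001 is a constructed list chosen so that the two match orders disagree.

```python
"""Model of basic-ACL matching for login control on the Switch 4500
(pages 130 to 131 and 145 to 150 of the manual).

Added example; it is not the switch's code. A basic ACL rule is
(action, source, wildcard); a wildcard bit of 1 means "don't care". The
default for a source that matches no rule is a parameter because the
excerpt does not state it.
"""
from ipaddress import IPv4Address


def _addr(text):
    """Accepts dotted quads and the CLI shorthand '0' for an all-zero wildcard."""
    if text == '0':
        return 0
    return int(IPv4Address(text))


def wildcard_bits(wildcard):
    """Number of don't-care bits: the smaller it is, the fewer hosts the rule covers."""
    return bin(_addr(wildcard)).count('1')


def rule_matches(rule, src_ip):
    _action, source, wildcard = rule
    care = ~_addr(wildcard) & 0xFFFFFFFF
    return (_addr(src_ip) & care) == (_addr(source) & care)


def ordered_rules(rules, match_order):
    """'config' keeps configuration order; 'auto' is depth-first: the rule
    with the smallest wildcard (most specific) first, ties in configuration order."""
    if match_order == 'config':
        return list(rules)
    if match_order == 'auto':
        return sorted(rules, key=lambda rule: wildcard_bits(rule[2]))  # stable sort keeps ties
    raise ValueError(f'unknown match order {match_order!r}')


def acl_decision(rules, match_order, src_ip, unmatched='deny'):
    """First matching rule decides; 'unmatched' is the assumed default when none matches."""
    for rule in ordered_rules(rules, match_order):
        if rule_matches(rule, src_ip):
            return rule[0]
    return unmatched


# ACL 2000 from the manual's Telnet/SNMP example: only two management hosts.
ACL_2000 = [
    ('permit', '10.110.100.52', '0'),
    ('permit', '10.110.100.46', '0'),
]

# Constructed ACL where match order changes the outcome: a broad permit
# configured before a host-specific deny.
ACL_2001 = [
    ('permit', '10.110.0.0', '0.0.255.255'),
    ('deny', '10.110.100.52', '0'),
]


if __name__ == '__main__':
    for ip in ('10.110.100.52', '10.110.100.53'):
        print(ip, 'acl 2000 ->', acl_decision(ACL_2000, 'config', ip))
    for order in ('config', 'auto'):
        print('acl 2001 match-order', order, '->', acl_decision(ACL_2001, order, '10.110.100.52'))
```

The practical point for management access: with `match-order config`, a broad permit placed before a host deny silently wins, so write management ACLs as an explicit list of permitted hosts (as ACL 2000 does) and verify the effective ordering with `display acl`, whose matched counters show the rules the CPU actually evaluated.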

  • Page 153

    [ACL Control Configuration, p. 151] Calling an ACL to control HTTP users: to control web network management users with an ACL, call the defined ACL. You can use the following commands to call an ACL. Perform the following configuration in system view. Table 152: calling an ACL to control HTTP users. For more info...


  • Page 155: IGMP Snooping

    [Chapter 8: IGMP Snooping] IGMP snooping overview: IGMP snooping (Internet Group Management Protocol snooping) is a multicast control mechanism running at layer 2 (the link layer) of the switch. It is used for multicast group management and control. When receiving IGMP messages transmitted between the host and...

  • Page 156

    [Chapter 8: IGMP Snooping, p. 154] Figure 45: multicast packet transmission when IGMP snooping runs. IGMP snooping terminology: Table 153 explains the switching terminology relevant to IGMP snooping. The Switch 4500 runs IGMP snooping to listen to IGMP messages and map the host and its ports to the corresp...

  • Page 157

    [IGMP Snooping Overview, p. 155] Figure 46: implementing IGMP snooping. Table 154 explains IGMP snooping terminology. Table 154, IGMP snooping terminology: term, meaning. IGMP general query: message transmitted by the multicast router to query which multicast group contains members. When a router port receives an...

  • Page 158

    [Chapter 8: IGMP Snooping, p. 156] Configuring IGMP snooping. IGMP snooping configuration includes: enabling/disabling IGMP snooping; configuring the router port aging time; configuring the maximum response time; configuring the aging time of multicast group members. Of the above configuration tasks, enabling IGM...

  • Page 159

    [Configuring IGMP Snooping, p. 157] Perform the following configuration in system view and VLAN view. Although layer 2 and layer 3 multicast protocols can run together, they cannot run on the same VLAN or its corresponding VLAN interface at the same time. For example, if the layer 2 multicast protocol is ...

  • Page 160

    [Chapter 8: IGMP Snooping, p. 158] Perform the following configuration in system view. By default, the aging time of a multicast member is 260 seconds. Displaying and debugging IGMP snooping: execute the display command in any view to display the running IGMP snooping configuration and verify th...

  • Page 161

    [IGMP Snooping Fault Diagnosis and Troubleshooting, p. 159] Networking diagram: Figure 47, IGMP snooping configuration network. Configuration procedure: enable IGMP snooping globally. [4500]igmp-snooping enable Enable IGMP snooping on VLAN 10. [4500]vlan 10 [4500-vlan10]igmp-snooping enable IGMP snooping faul...

  • Page 162

    [Chapter 8: IGMP Snooping, p. 160] Diagnosis 3: the multicast forwarding table set up at the bottom layer is wrong. 1. Enable IGMP snooping group in user view and then enter the display igmp-snooping group command to check whether the MAC multicast forwarding table at the bottom layer and the one created by IGMP snoopin...

  • Page 163: Stacking

    [Chapter 9: Stacking] This chapter covers the following topics: introduction to stacking; configuring a stack; stack configuration example. Introduction to stacking: several Switch 4500 units can be interconnected to create a "stack", in which each switch is a unit. The ports used to interconnect all the un...

  • Page 164

    [Chapter 9: Stacking, p. 162] Specifying the stacking VLAN of the switch: you can use the command in the following table to specify the stacking VLAN of the switch. Perform the following configuration in system view. Table 161: specifying the stacking VLAN of the switch. By default, the stacking VLAN is VL...

  • Page 165

    [Configuring a Stack, p. 163] If auto-numbering is selected, the system sets the unit ID priority to 10. You can use the fabric save-unit-id command to save the modified unit ID into the unit flash memory and clear the information about the existing one. The unit IDs in a stack are not necessarily numbe...

  • Page 166

    [Chapter 9: Stacking, p. 164] Table 166: setting a stack name for switches. By default, the stack name is "4500". Setting an XRN authentication mode for switches: only switches with the same stack name and XRN authentication mode can constitute a stack. Note: "XRN" is a proprietary 3Com technology for ...

  • Page 167

    [Stack Configuration Example, p. 165] Stack configuration example. Networking requirements: configure the unit ID, unit name, stack name, and authentication mode for four switches, and interconnect them to form a stack. The configuration details are as follows: unit IDs: 1, 2, 3, 4; unit names: unit 1, unit ...

  • Page 168

    [Chapter 9: Stacking, p. 166] Configure Switch D: [4500]change unit-id 1 to auto-numbering [4500]fabric-port gigabitethernet4/0/51 enable [4500]fabric-port gigabitethernet4/0/52 enable [4500]sysname hello [hello]xrn-fabric authentication-mode simple welcome In the example, it is assumed that the syste...

  • Page 169: RSTP Configuration

    [Chapter 10: RSTP Configuration] This chapter covers the following topics: STP overview; RSTP configuration; RSTP configuration example. STP overview: the Spanning Tree Protocol (STP) is applied in looped networks to block some undesirable redundant paths with certain algorithms and prune the network into a loop-...

  • Page 170

    [Chapter 10: RSTP Configuration, p. 168] What are the designated bridge and designated port? Figure 50: designated bridge and designated port. For a switch, the designated bridge is the switch in charge of forwarding BPDUs to the local switch, via a port called the designated port. For a LAN, the designated b...

  • Page 171

    [STP Overview, p. 169] In the figure above, the priorities of Switch A, B and C are 0, 1 and 2, and the path costs of their links are 5, 10 and 4 respectively. 1. Initial state: when initialized, each port of the switches generates a configuration BPDU taking itself as the root, with a root path cost as...

  • Page 172

    [Chapter 10: RSTP Configuration, p. 170] The comparison process of each switch is as follows. Switch A: AP1 receives the configuration BPDU from Switch B and finds that the local configuration BPDU priority is higher than that of the received one, so it discards the received configuration BPDU. Th...

  • Page 173

    [STP Overview, p. 171] CP2 receives the updated configuration BPDU, {0, 5, 1, BP2}, from Switch B. Since this configuration BPDU is better than the old one, the old BPDU is updated to {0, 5, 1, BP2}. Meanwhile, CP1 receives the configuration BPDU from Switch A, but its configuration BPDU will not ...
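The election walked through on pages 169 to 171 for Switches A, B and C, with the BPDU compared as the tuple {root ID, root path cost, designated bridge ID, designated port}, is modelled below. This is an added example written for this page, not code from the manual. The bridge priorities 0, 1 and 2 and the link costs 5, 10 and 4 are the manual's; the MAC addresses, port names and the attacker bridge R in the second topology are constructed. R has the same priority as A but a lower MAC, so its BPDUs are better than A's, which is exactly the takeover that the root protection function configured on designated ports later in this chapter is meant to stop.

```python
"""Model of the spanning-tree election walked through for Switches A, B
and C (pages 168 to 171).

Added example; it is not code from the manual. A bridge ID is
(priority, MAC) and a configuration BPDU is the tuple
{root ID, root path cost, designated bridge ID, designated port}; the
numerically smaller tuple is the better one, which is the comparison the
manual describes. MAC addresses, port names and bridge R are constructed.
"""


def elect(bridges, links):
    """bridges: {name: (priority, mac)}; links: [(b1, p1, b2, p2, cost)],
    each a point-to-point segment. Returns (root_name, roles) where roles
    maps (bridge, port) to 'designated', 'root' or 'blocked'."""
    root = min(bridges, key=bridges.get)
    neighbours = {name: [] for name in bridges}
    for b1, p1, b2, p2, cost in links:
        neighbours[b1].append((b2, p1, p2, cost))
        neighbours[b2].append((b1, p2, p1, cost))

    # Root path cost: every bridge converges on the cheapest path to the root.
    rpc = {name: float('inf') for name in bridges}
    rpc[root] = 0
    changed = True
    while changed:
        changed = False
        for name in bridges:
            for peer, _my_port, _peer_port, cost in neighbours[name]:
                if rpc[peer] + cost < rpc[name]:
                    rpc[name] = rpc[peer] + cost
                    changed = True

    # Root port: the port receiving the best {rpc, bridge ID, port} from a peer.
    root_port = {}
    for name in bridges:
        if name == root:
            continue
        _peer, my_port, _peer_port, _cost = min(
            neighbours[name],
            key=lambda n: (rpc[n[0]] + n[3], bridges[n[0]], n[2]))
        root_port[name] = my_port

    # Per segment, the side sending the better BPDU is designated; the other
    # side is the root port if it is one, otherwise it is blocked.
    roles = {}
    for b1, p1, b2, p2, _cost in links:
        bpdu1 = (bridges[root], rpc[b1], bridges[b1], p1)
        bpdu2 = (bridges[root], rpc[b2], bridges[b2], p2)
        if bpdu1 < bpdu2:
            designated, other, other_port = (b1, p1), b2, p2
        else:
            designated, other, other_port = (b2, p2), b1, p1
        roles[designated] = 'designated'
        roles[(other, other_port)] = 'root' if root_port.get(other) == other_port else 'blocked'
    return root, roles


# The manual's topology: priorities 0, 1, 2; link costs A-B 5, A-C 10, B-C 4.
BRIDGES = {'A': (0, '00-e0-fc-00-00-0a'), 'B': (1, '00-e0-fc-00-00-0b'), 'C': (2, '00-e0-fc-00-00-0c')}
LINKS = [('A', 'AP1', 'B', 'BP1', 5), ('A', 'AP2', 'C', 'CP1', 10), ('B', 'BP2', 'C', 'CP2', 4)]

# Constructed attacker bridge plugged into Switch C: same priority 0 as A but a
# lower MAC, so its BPDUs win and it becomes root unless the port facing it
# has root protection enabled.
ROGUE_BRIDGES = {**BRIDGES, 'R': (0, '00-00-00-00-00-01')}
ROGUE_LINKS = LINKS + [('C', 'CP3', 'R', 'RP1', 4)]


if __name__ == '__main__':
    for label, b, l in (('normal', BRIDGES, LINKS), ('rogue attached', ROGUE_BRIDGES, ROGUE_LINKS)):
        root, roles = elect(b, l)
        print(label, 'root =', root, roles)
```

In the normal topology the result is the one the manual reaches: A is root, BP1 and CP2 are root ports, CP1 is blocked. With R attached, A's former designated ports become root and blocked ports, so every path now runs through the attacker's bridge.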

  • Page 174

    [Chapter 10: RSTP Configuration, p. 172] designated port begin to send data again. That is, the root port and designated port should undergo a transitional state for a period of forward delay before they enter the forwarding state. Implementing RSTP on the switch: the switch implements the Rapid Spanning Tr...

  • Page 175

    [RSTP Configuration, p. 173] RSTP configuration: the configuration of RSTP changes with the position of the switch in the network, as discussed below. Figure 53: configuring STP. In Figure 53 the Switch 4500 is typically Switch E, F and G. Additionally it could be Switch C and D. For completeness, configurat...

  • Page 176

    [Chapter 10: RSTP Configuration, p. 174] Configure the bridge preference of a switch: the default bridge preference of a switch is 32768. A switch can be made the root bridge by setting its bridge preference to 0. Specify forward delay, hello time, and max age: forward delay is set to 15 seconds, hello time to...

  • Page 177

    [RSTP Configuration, p. 175] Configure the timeout time factor of a switch: if the switch has not received any hello packet from the upstream switch for three times the hello time, it considers the upstream switch failed and recalculates the spanning tree. In a stable network, it is recommended to set the time...

  • Page 178

    [Chapter 10: RSTP Configuration, p. 176] After the STP protocol is enabled, the modification of any parameter results in recalculation of the spanning tree on the switch. It is therefore recommended to configure all the RSTP parameters before enabling the STP feature on the switch and the port....

  • Page 179

    [RSTP Configuration, p. 177] Only after RSTP is enabled on the switch can other configurations take effect. By default, RSTP is enabled. Enable/disable RSTP on a port: you can use the following command to enable/disable RSTP on the designated port. To flexibly control RSTP operation, after RST...

  • Page 180

    [Chapter 10: RSTP Configuration, p. 178] consequent blocking by configuring the stp-ignore attribute on the appropriate switch. Once an STP-ignored VLAN is configured, the packets of this VLAN are forwarded on any switch port, with no restriction from the calculated STP path. You can configure the s...

  • Page 181

    [RSTP Configuration, p. 179] After a switch is configured as the primary root bridge or secondary root bridge, you cannot modify the bridge priority of the switch. A switch can be either a primary or a secondary root bridge, but not both. If the primary root of a spanning tree instance is down or powere...

  • Page 182

    [Chapter 10: RSTP Configuration, p. 180] that if the forward delay is configured too short, occasional path redundancy may occur. If the forward delay is configured too long, restoring the network connection may take a long time. It is recommended to use the default setting. By default, the bridge forwa...

  • Page 183

    [RSTP Configuration, p. 181] You can use the following command to set the multiple value of the hello time of a specified bridge. Perform the following configurations in system view. Table 179: set the timeout factor of the bridge. It is recommended to set 5, 6 or 7 as the value of multiple in a steady network. B...

  • Page 184

    [Chapter 10: RSTP Configuration, p. 182] Ethernet port is not connected to any Ethernet port of another bridge, this port should be set as an edge port. If a specified port connected to a port of another bridge is configured as an edge port, RSTP automatically detects this and reconfigures it as a non-e...

  • Page 185

    [RSTP Configuration, p. 183] By default, the switch calculates the default path cost of a port according to the IEEE 802.1t standard. Set the priority of a specified port: the port priority is an important basis for deciding whether the port can be a root port. In the calculation of the spanning tree, the port with the high...

  • Page 186

    [Chapter 10: RSTP Configuration, p. 184] link. Note that for an aggregated port, only the master port can be configured to connect with the point-to-point link. After auto-negotiation, a port working in full duplex can also be configured to connect with such a link. You can manually configure the act...

  • Page 187

    [RSTP Configuration, p. 185] again. In this case, the former root port turns into a designated port and the former blocked ports enter the forwarding state; as a result, a link loop is generated. The security functions can control the generation of loops. After it is enabled, the root...

  • Page 188

    [Chapter 10: RSTP Configuration, p. 186] Table 188: display and debug RSTP. RSTP configuration example. Networking requirements: in the following scenario, Switch C serves as a standby of Switch B and forwards data when a fault occurs on Switch B. They are connected to each other with two links, so that, in...

  • Page 189

    [RSTP Configuration Example, p. 187] however, be careful not to disable those involved. (The following configuration takes GigabitEthernet 1/0/25 as an example.) [4500]interface gigabitethernet 1/0/25 [4500-gigabitethernet1/0/25]stp disable c. To configure Switch A as the root, you can either configure t...

  • Page 190

    [Chapter 10: RSTP Configuration, p. 188] c. Configure Switch C and Switch B to serve as standby of each other and set the bridge priority of Switch C to 8192. [4500]stp priority 8192 d. Enable the root protection function on every designated port. [4500]interface ethernet 1/0/1 [4500-ethernet1/0/1]stp ro...

  • Page 191: 802.1x Configuration

    [Chapter 11: 802.1x Configuration] This chapter covers the following topics: IEEE 802.1x overview; configuring 802.1x; AAA and RADIUS protocol configuration. For information on setting up a RADIUS server and RADIUS client, refer to Appendix B. For details on how to authenticate the Switch 4500 with a Cisco...

  • Page 192

    [Chapter 11: 802.1x Configuration, p. 190] provided by 3Com (or by Microsoft Windows XP). The 802.1x authentication server system normally stays in the carrier's AAA center. The authenticator and authentication server exchange information through EAP (Extensible Authentication Protocol) frames. The user and...

  • Page 193

    [Configuring 802.1x, p. 191] The EAPOL-Encapsulated-ASF-Alert is related to network management information and is terminated by the authenticator. Although 802.1x provides user ID authentication, 802.1x itself is not enough to implement the scheme. The administrator of the access device should configure ...

  • Page 194

    [Chapter 11: 802.1x Configuration, p. 192] this command is used in Ethernet port view, the interface-list parameter cannot be input and 802.1x can only be enabled on the current port. Perform the following configurations in system view or Ethernet port view. Table 189: enabling/disabling 802.1x. You can ...

  • Page 195

    [Configuring 802.1x, p. 193] Checking the users that log on to the switch via a proxy: the following commands are used for checking the users that log on to the switch via a proxy. Perform the following configurations in system view or Ethernet port view. Table 192: checking the users that log on to the switch via a proxy...

  • Page 196

    [Chapter 11: 802.1x Configuration, p. 194] Configuring the authentication method for 802.1x users: the following commands can be used to configure the authentication method for 802.1x users. Three methods are available: PAP authentication (the RADIUS server must support PAP authentication), CHAP authentica...

  • Page 197

    [Configuring 802.1x, p. 195] considers the user to have logged off and sets the user to the logoff state if the system does not receive a response from the user for n consecutive times. handshake-period-value: handshake period; the value ranges from 1 to 1024 seconds and defaults to 15. quiet-period: ...

  • Page 198

    [Chapter 11: 802.1x Configuration, p. 196] By default, the quiet-period timer is disabled. Displaying and debugging 802.1x: after the above configuration, execute the display command in any view to display the running 802.1x configuration and verify the effect of the configuration. Execute the reset com...

  • Page 199

    [Configuring 802.1x, p. 197] RADIUS server every 15 minutes. The system is instructed to transmit the user name to the RADIUS server after removing the user domain name. The user name of the local 802.1x access user is localuser and the password is localpass (input in plain text). The idle-cut function is...

  • Page 200

    [Chapter 11: 802.1x Configuration, p. 198] 7. Set the encryption key used when the system exchanges packets with the accounting RADIUS server. [4500-radius-radius1]key accounting money 8. Set the timeouts and retransmission count for packets the system sends to the RADIUS server. [4500-radius-radius1]timer 5 [4500-ra...
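When the 802.1x authentication method on page 194 is PAP, the user's password travels to the RADIUS server inside the User-Password attribute, hidden only with the shared key set by the `key` commands on this page. The following added example, written for this page and not taken from 3Com, implements that hiding as RFC 2865 section 5.2 defines it (pad the password to a multiple of 16 octets, XOR each block with MD5(shared secret + previous block), seeded with the 16-octet Request Authenticator) and shows why the key must be long and random: anyone who captures one request whose password they know (their own account, say) can test candidate secrets offline. The secret `money` and the authenticator bytes are constructed values; the manual's example key is reused deliberately as a weak candidate.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2), as used when the
switch's 802.1x users authenticate with PAP against the RADIUS server
configured on pages 194 to 198.

Added example; it is not 3Com code. The shared secret 'money' and the
authenticator bytes used at the bottom are constructed values.
"""
import hashlib


def hide_password(password, shared_secret, request_authenticator):
    """Returns the hidden User-Password attribute value the NAS would send."""
    if len(request_authenticator) != 16:
        raise ValueError('Request Authenticator must be 16 octets')
    if not 0 < len(password) <= 128:
        raise ValueError('RADIUS passwords are 1 to 128 octets')
    padded = password + b'\x00' * (-len(password) % 16)
    hidden, previous = b'', request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + previous).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        previous = block  # chaining: the next keystream depends on this ciphertext block
    return hidden


def reveal_password(hidden, shared_secret, request_authenticator):
    """Inverse of hide_password: what the RADIUS server computes, and what
    anyone who captured the request and knows the shared secret can compute."""
    if not hidden or len(hidden) % 16:
        raise ValueError('hidden value must be a non-empty multiple of 16 octets')
    padded, previous = b'', request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + previous).digest()
        block = hidden[i:i + 16]
        padded += bytes(c ^ k for c, k in zip(block, keystream))
        previous = block
    return padded.rstrip(b'\x00')


def recover_secret(hidden, known_password, request_authenticator, candidates):
    """Offline dictionary attack: given one captured Access-Request whose
    password is known, return the candidate shared secret that reproduces
    the captured hidden value, or None if no candidate does."""
    for candidate in candidates:
        if hide_password(known_password, candidate, request_authenticator) == hidden:
            return candidate
    return None


if __name__ == '__main__':
    authenticator = bytes(range(16))  # constructed; real ones are random per request
    captured = hide_password(b'localpass', b'money', authenticator)
    print('hidden:', captured.hex())
    print('revealed:', reveal_password(captured, b'money', authenticator))
    print('secret:', recover_secret(captured, b'localpass', authenticator,
                                    [b'public', b'welcome', b'money']))
```

The same shared secret also keys the Response Authenticator, so a recovered secret lets an attacker forge Access-Accept replies to the switch, not only read passwords. Prefer the CHAP or EAP methods from page 194 where the supplicants support them, and keep the RADIUS exchange on a management network the user VLANs cannot reach.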

  • Page 201

    Centralized mac address authentication 199 centralized mac address authentication configuration centralized mac address authentication configuration includes: ■ enabling mac address authentication both globally and on the port ■ configuring domain name used by the mac address authentication user ■ c...

  • Page 202

    200 c hapter 11: 802.1x c onfiguration configuring the user name and password for fixed mode if you configure the centralized mac address authentication mode to be fixed mode, you need to configure the user name and password for fixed mode. Configuring domain name used by the mac address authenticat...

  • Page 203

    Centralized mac address authentication 201 by default, the offline-detect time is 300 seconds; quiet time is 60 seconds; and the server-timeout time is 100 seconds. Displaying and debugging centralized mac address authentication after the above configuration, perform the display command in any view,...

  • Page 204

    202 c hapter 11: 802.1x c onfiguration 2 add local access user. A set the user name and password. [sw4500]local-user 00e0fc010101 [sw4500-luser-00e0fc010101]password simple 00e0fc010101 b set the service type of the user to lan-access. [sw4500-luser-00e0fc010101]service-type lan-access 3 enable the ...

  • Page 205

    Aaa and radius protocol configuration 203 receiving a user’s request from nas, the radius server performs aaa through user database query and update and returns the configuration information and accounting data to nas. Here, nas controls users and corresponding connections, while the radius protocol...

  • Page 206

    204 Chapter 11: 802.1x Configuration ■ disconnecting a user by force among the above configuration tasks, creating an isp domain is compulsory, otherwise the user attributes cannot be distinguished. The other tasks are optional and can be configured as required. Creating/deleting an isp domain ...

  • Page 207

    Aaa and radius protocol configuration 205 information of the commands of setting radius scheme, refer to the following configuring radius section of this chapter. ■ local authentication — if you use the local scheme, you can only implement authentication and authorization locally, without a radius ser...

  • Page 208

    206 Chapter 11: 802.1x Configuration by default, the idle-cut function is disabled. Enabling the selection of the radius accounting option if no radius server is available, or if the radius accounting server fails while accounting optional is configured, the user can still use the network resour...

  • Page 209

    Aaa and radius protocol configuration 207 configuring self-service server url the self-service-url enable command can be used to configure self-service server uniform resource locator (url). This command must be incorporated with a radius server (such as a cams) that supports self-service. Self-serv...

  • Page 210

    208 Chapter 11: 802.1x Configuration setting the password display mode perform the following configurations in system view. Table 217 setting the password display mode of local users auto means that the password display mode will be the one specified by the user at the time of configuring the pass...

  • Page 211

    Aaa and radius protocol configuration 209 however, the user-privilege level is a global value for all service types. Entering the following two commands will result in the user having a level of 3 for all service types. In this case both telnet and ssh: [4500-si-luser-adminpwd]service-type telnet le...

  • Page 212

    210 Chapter 11: 802.1x Configuration ■ configuring the local radius authentication server ■ configuring source address for radius packets sent by nas ■ setting the timers of the radius server among the above tasks, creating the radius scheme and setting the ip address of the radius server are requ...

  • Page 213

    Aaa and radius protocol configuration 211 by default, as for the newly created radius scheme, the ip address of the primary authentication server is 0.0.0.0, and the udp port number of this server is 1812; as for the "system" radius scheme created by the system, the ip address of the primary authent...

  • Page 214

    212 Chapter 11: 802.1x Configuration radius protocol uses different udp ports to receive/transmit authentication/authorization and accounting packets, so you need to set two different ports accordingly. As suggested by rfc2138/2139 (since superseded by rfc2865/2866, which keep the same ports), the authentication/authorization port number is 1812 and the accounting port nu...

  • Page 215

    Aaa and radius protocol configuration 213 perform the following configurations in radius scheme view. Table 224 enabling/disabling the stopping accounting request buffer by default, the stopping accounting request will be saved in the buffer. Setting the maximum retransmitting times of stopping acco...

  • Page 216

    214 Chapter 11: 802.1x Configuration by default, the keys of radius authentication/authorization and accounting packets are all “3com”. Leave neither key at this published default: anyone who knows it can recover user-password attributes and forge server replies. Setting retransmission times of radius request packet since radius protocol uses udp packets to carry the data, the communication process is not reliable. If the ...
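The request/reply round trip that the radius scheme settings above govern, written out as an added example (not the switch's or 3Com's code) so that the role of the shared key is visible: the NAS hides the User-Password attribute with MD5 keyed by the secret and a fresh Request Authenticator (RFC 2865 section 5.2), the server recovers it, and the server's reply carries a Response Authenticator that the NAS can only verify if both sides hold the same key. The NAS address 10.110.91.1, the user localuser/localpass and the secrets in the demo are constructed values.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865) built from scratch so the
role of the shared key configured with "key authentication ..." is visible.
Added example, not the Switch 4500's own code. The NAS address 10.110.91.1, the user
localuser/localpass and the secrets used in the demo are constructed values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encode_attrs(pairs):
    """Type-Length-Value attributes; Length covers the two header bytes (RFC 2865 s5)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, user, password, secret, request_auth=None):
    """NAS side. The Request Authenticator must be fresh and unpredictable per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, user),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes([10, 110, 91, 1])),  # constructed NAS address
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(packet, secret, users):
    """Server side: recover the password, decide, sign the reply with the shared key."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("malformed request")
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    presented = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = users.get(attrs.get(ATTR_USER_NAME, b""))
    ok = expected is not None and hmac.compare_digest(expected, presented)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def nas_verify_response(request, response, secret):
    """NAS side. Returns the reply code, or None if the reply was not signed with our key."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response) or length < 20:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


def exchange(user, password, nas_secret, server_secret, users):
    """Run one request/reply round trip in memory and return what the NAS concludes."""
    req = build_access_request(7, user, password, nas_secret)
    return nas_verify_response(req, server_handle(req, server_secret, users), nas_secret)


if __name__ == "__main__":
    db = {b"localuser": b"localpass"}
    print(exchange(b"localuser", b"localpass", b"expert", b"expert", db))  # 2 (Accept)
    print(exchange(b"localuser", b"wrong", b"expert", b"expert", db))      # 3 (Reject)
    print(exchange(b"localuser", b"localpass", b"expert", b"3com", db))    # None (key mismatch)
```

The third call shows what a key mismatch between NAS and server looks like in practice: the server's reply fails the Response Authenticator check and is discarded, so the NAS sees only retransmissions and timeouts (the timer and retry settings described on this page), not an explicit rejection.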

  • Page 217

    Aaa and radius protocol configuration 215 when the primary and secondary servers are both active or both blocked, nas will send the packets to the primary server only. Perform the following configurations in radius scheme view. Table 230 setting the radius server state by default, for the newly created ra...

  • Page 218

    216 Chapter 11: 802.1x Configuration by default, the default data unit is byte and the default data packet unit is one packet. Configuring the local radius authentication server radius service adopts authentication/authorization/accounting servers to manage users. Local authentication/authorizatio...

  • Page 219

    Aaa and radius protocol configuration 217 perform the following configurations in radius scheme view. Table 235 setting the response timeout timer of the radius server by default, timeout timer of radius server is 3 seconds. Setting a real-time accounting interval to implement real-time accounting, ...

  • Page 220

    218 Chapter 11: 802.1x Configuration table 238 configure the radius server response timer by default, the response timeout timer for the radius server is set to three seconds. Displaying and debugging aaa and radius protocol after the above configuration, execute the display command in any view to...

  • Page 221

    Aaa and radius protocol configuration 219 aaa and radius protocol configuration example for the hybrid configuration example of aaa/radius protocol and 802.1x protocol, refer to “802.1x configuration example” on page 196 . Configuring the ftp/telnet user authentication at a remote radius server conf...

  • Page 222

    220 Chapter 11: 802.1x Configuration 4 configure radius scheme. [4500]radius scheme cams [4500-radius-cams]primary authentication 10.110.91.146 1812 [4500-radius-cams]key authentication expert [4500-radius-cams]server-type 3com [4500-radius-cams]user-name-format without-domain 5 configuration asso...

  • Page 223

    Aaa and radius protocol configuration 221 domain and radius scheme creation the switch 4500 can have 1 or more domains created on it. A domain on the switch 4500 is similar to a windows domain. By default, there is one domain created called "system". This uses the local scheme to validate users. The...

  • Page 224

    222 Chapter 11: 802.1x Configuration once enabled globally, the network login needs to be enabled on a per port basis. This can be done in one of two ways: ■ to enable dot1x on one port, enter the interface of the port and enable dot1x on the port. For example: [4500-xx]interface ethernet 1/0/7 [4...

  • Page 225

    Aaa and radius protocol configuration 223 the end of the username. This states the user is a member of the local domain, and as a result uses the local radius server. Based on the steps in section domain and radius scheme creation to login using the external radius server defined, you need to login ...

  • Page 226

    224 Chapter 11: 802.1x Configuration aaa and radius protocol fault diagnosis and troubleshooting the radius protocol of the tcp/ip protocol suite is located on the application layer. It mainly specifies how to exchange user information between nas and radius server of isp. So it is likely to be in...

  • Page 227

    Aaa and radius protocol configuration 225 problem diagnosis the switch 4500 provides debugging of radius. Terminal debugging can be enabled with the command: terminal debugging once enabled, different debug traces can be enabled to the terminal. For example, to turn on radius debugging, enter the co...

  • Page 228

    226 Chapter 11: 802.1x Configuration.

  • Page 229: File System Management

    12 File System Management file system overview the switch provides a flash file system for efficient management of the storage devices such as flash memory. The file system offers file access and directory management, including creating the file system, creating, deleting, modifying and renaming ...

  • Page 230

    228 Chapter 12: File System Management system use the delete /unreserved file-url command. Using this command will ensure that space is made available on the flash file system for additional information. To ensure that all deleted files have been removed from the system use the reset recycle-bin...

  • Page 231

    Configuring file management 229 table 244 file system operation configuring file management the management module of the configuration file provides a user-friendly operation interface. It saves the configuration of the switch in the text format of command line to record the whole configuration proc...

  • Page 232

    230 Chapter 12: File System Management the configuration files are displayed in their corresponding saving formats. Saving the current-configuration use the save command to save the current-configuration in the flash memory, and the configurations will become the saved-configuration when the sys...

  • Page 233

    Ftp overview 231 table 249 display the information of the file used at startup ftp overview ftp is a common way to transmit files on the internet and ip network. Before the world wide web (www), files were transmitted in the command line mode and ftp was the most popular application. Even now, ftp i...

  • Page 234

    232 Chapter 12: File System Management the prerequisite for normal ftp function is that the switch and pc are reachable. Ftp carries the user name, password and file contents in clear text, so keep the server disabled except while transferring files and reach it only from a management network. Enabling/disabling ftp server you can use the following commands to enable/disable the ftp server on the switch. Perform the following configuration in system view. Table 252 ...

  • Page 235

    Ftp overview 233 table 254 configure ftp server connection timeout by default, the ftp server connection timeout is 30 minutes. Displaying and debugging ftp server after the above configuration, execute display command in all views to display the running of the ftp server configuration, and to verif...

  • Page 236

    234 Chapter 12: File System Management networking diagram figure 61 networking for ftp configuration configuration procedure 1 configure the ftp server parameters on the pc: a user named as switch, password hello, read and write authority over the switch directory on the pc. 2 configure the swit...

  • Page 237

    Tftp overview 235 ftp server configuration example networking requirement the switch serves as ftp server and the remote pc as ftp client. The configuration on ftp server: configure a ftp user named as switch, with password hello and with read and write authority over the flash root directory on the...

  • Page 238

    236 Chapter 12: File System Management when there is no complicated interaction between the clients and server. Tftp is implemented on the basis of udp and has no authentication at all; the only control is the directory the server chooses to expose. Tftp transmission is originated from the client end. To download a file, the client sends a request to the tftp server and then receives data f...

  • Page 239

    Tftp overview 237 table 258 upload files by means of tftp tftp client configuration example networking requirement the switch serves as tftp client and the remote pc as tftp server. Authorized tftp directory is set on the tftp server. The ip address of a vlan interface on the switch is 1.1.1.1, and ...

  • Page 240

    238 Chapter 12: File System Management 7 use the boot boot-loader command to specify the downloaded program as the application at the next login and reboot the switch. boot boot-loader switch.app reboot.

  • Page 241: Mac Address Table

    13 mac address table management overview a switch maintains a mac address table for fast forwarding packets. A table entry includes the mac address of a device and the port id of the switch connected to it. The dynamic entries (not configured manually) are learned by the switch. The switch learns a ...

  • Page 242

    240 Chapter 13: mac address table management you can configure (add or modify) the mac address entries manually according to the actual networking environment. The entries can be static ones or dynamic ones. Mac address table configuration mac address table management includes: ■ set mac address ta...

  • Page 243

    Displaying mac address table 241 table 260 set the mac address aging time for the system in addition, this command takes effect on all the ports. However the address aging only functions on the dynamic addresses (manual entries added to the switch are not aged). By default, the aging-time is 300 sec...

  • Page 244

    242 Chapter 13: mac address table management mac address table management display example networking requirements the user logs into the switch via the console port to display the mac address table. Switch display the entire mac address table of the switch. If this switch is a member of a stack the...

  • Page 245

    Mac address table management display example 243 mac address table management configuration example networking requirements the user logs into the switch via the console port to configure the address table management. It is required to set the address aging time to 500s and add a static address 00e0...

  • Page 246: Device Management

    14 Device Management overview with the device management function, the switch can display the current running state and event debugging information about the unit, thereby implementing the maintenance and management of the state and communication of the physical devices. In addition, there is a co...

  • Page 247

    Displaying and debugging device management 245 table 265 designate the app adopted when booting the switch next time upgrading bootrom you can use this command to upgrade the bootrom with the bootrom program in the flash memory. This configuration task facilitates the remote upgrade. You can upload ...

  • Page 248

    246 Chapter 14: Device Management networking diagram figure 68 networking for ftp configuration configuration procedure 1 configure ftp server parameters on the pc. Define a user named as switch, password hello, read and write authority over the switch directory on the pc. 2 configure the switc...

  • Page 249

    Device management configuration example 247 upgrading bootrom, please wait... Upgrade bootrom succeeded! 8 use the boot boot-loader command to specify the downloaded program as the application at the next login and reboot the switch. boot boot-loader switch.app display boot-loader the app to boot at...

  • Page 250

    248 Chapter 14: Device Management.

  • Page 251: System Maintenance and Debugging

    15 System Maintenance and Debugging basic system configuration setting the system name for the switch perform the operation of the sysname command in the system view. Table 268 set the name for the switch setting the system clock perform the operation of the clock datetime command in the user view. Table 2...

  • Page 252

    250 Chapter 15: System Maintenance and Debugging displaying the state and information of the system the display commands can be classified as follows according to their functions. ■ commands for displaying the system configuration information ■ commands for displaying the system running state ■ ...

  • Page 253

    System debugging 251 figure 69 illustrates the relationship between two switches. Figure 69 debug output you can use the following commands to control the above-mentioned debugging. Perform the following operations in user view. Table 273 enable/disable the debugging for more about the usage and for...

  • Page 254

    252 Chapter 15: System Maintenance and Debugging information, ensuring the consistency of logging, debugging and trap information in a fabric. After the synchronization of the whole fabric, a great deal of terminal display is generated. You are recommended not to enable the information synchroni...

  • Page 255

    Testing tools for network connection 253 table 276 test periodically if the ip address is reachable the switch can ping an ip address every one minute to test if it is reachable. Three ping packets can be sent at most for every ip address in every testing with a time interval of five seconds. If the...

  • Page 256

    254 Chapter 15: System Maintenance and Debugging introduction to remote-ping remote-ping is a network diagnostic tool used to test the performance of protocols (only icmp so far) operating on a network. It is an enhanced alternative to the ping command. A remote-ping test group is a set of remote-pi...

  • Page 257

    Remote-ping configuration 255 remote-ping configuration this section contains information on remote-ping. Introduction to remote-ping configuration the configuration tasks for remote-ping include: ■ enabling remote-ping client ■ creating test group ■ configuring test parameters the test parameters t...

  • Page 258

    256 Chapter 15: System Maintenance and Debugging the remote-ping test does not display test results. You can use the display remote-ping command to view the latest test results and to check the test history. Configuration examp...

  • Page 259

    Logging function 257 5 display the test results. [s5500-remote-ping-administrator-icmp] display remote-ping results administrator icmp [s5500-remote-ping-administrator-icmp] display remote-ping history administrator icmp logging function introduction to info-center the info-center serves as an infor...

  • Page 260

    258 Chapter 15: System Maintenance and Debugging " hh:mm:ss " is the time field, " hh " is from 00 to 23, " mm " and " ss " are from 00 to 59. " yyyy " is the year field. If changed to boot format, it represents the milliseconds from system booting. Generally, the data are so large that two 32 b...

  • Page 261

    Logging function 259 note that there is a slash ('/') between module name and severity. 5 severity switch information falls into three categories: log information, debugging information and trap information. The info-center classifies every kind of information into 8 severity or urgent levels. The l...

  • Page 262

    260 Chapter 15: System Maintenance and Debugging level represented by “emergencies” is 1, and that represented by “debugging” is 8. (Note that this numbering is offset by one from the 0 to 7 severities a syslog loghost uses, where emergency is 0 and debug is 7.) Therefore, when the threshold of the severity level is “debugging”, the system will output all the information. Definition of severity in logging information is as ...

  • Page 263

    Logging function 261 ■ the information can be classified in terms of the source modules and the information can be filtered in accordance with the modules. ■ the output language can be selected between chinese and english. 1 sending the information to the control terminal. Table 281 sending the info...

  • Page 264

    262 Chapter 15: System Maintenance and Debugging table 283 sending the information to log buffer 4 sending the information to trap buffer. Table 284 sending the information to trap buffer 5 sending the information to snmp table 285 sending the information to snmp 6 turn on/off the information sy...

  • Page 265

    Logging function 263 figure 72 turn on/off the information synchronization switch in fabric sending the information to loghost to send information to loghost, follow the steps below: 1 perform the following operation in system view. Table 286 enable/disable info-center info-center is enabled by defa...

  • Page 266

    264 Chapter 15: System Maintenance and Debugging table 287 defining information source modu-name specifies the module name; default represents all the modules; level refers to the severity levels; severity specifies the severity level of information. The information with the level below it will ...

  • Page 267

    Logging function 265 table 289 enable/disable info-center info-center is enabled by default. After info-center is enabled, system performances are affected when the system processes much information because of information classification and outputting. 2 configuring to output information to the cont...

  • Page 268

    266 Chapter 15: System Maintenance and Debugging you can use the following commands to configure log information, debugging information and the time-stamp output format of trap information. Perform the following operation in system view: table 292 configuring the output format of time-stamp 4 en...

  • Page 269

    Logging function 267 table 295 configuring to output information to telnet terminal or dumb terminal 3 configuring information source on the switch with this configuration, you can define the information that is sent to the telnet terminal or dumb terminal that is generated by which modules, inform...

  • Page 270

    268 Chapter 15: System Maintenance and Debugging 4 enabling terminal display function to view the output information at the telnet terminal or dumb terminal, you must first enable the corresponding log, debugging and trap information functions at the switch. For example, if you have set the log ...

  • Page 271

    Logging function 269 table 300 configuring to output information to log buffer 3 configuring the information source on the switch with this configuration, you can define the information that is sent to the log buffer: generated by which modules, information type, information level, and so on. Perfor...

  • Page 272

    270 Chapter 15: System Maintenance and Debugging sending the information to the trap buffer to send information to the trap buffer, follow the steps below: 1 enabling info-center perform the following operation in system view. Table 303 enabling/disabling info-center info-center is enabled by de...

  • Page 273

    Logging function 271 is no specific configuration record for a module in the channel, use the default one. If you want to view the debugging information of some modules on the switch, you must select debugging as the information type when configuring information source, meantime using the debugging ...

  • Page 274

    272 Chapter 15: System Maintenance and Debugging table 309 defining information source modu-name specifies the module name; default represents all the modules; level refers to the severity levels; severity specifies the severity level of information. The information with the level below it will ...

  • Page 275

    Logging function 273 the switch provides a command to turn on/off the synchronization switch in every switch. If the synchronization switch of a switch is turned off, it does not send information to other switches but still receives information from others. 1 enable info-center perform the following...

  • Page 276

    274 Chapter 15: System Maintenance and Debugging ■ the information with severity level informational or more urgent will be sent to the loghost ■ the output language is english ■ the modules that are allowed to output information are arp and ip networking diagram table 313 schematic diagram of configurat...

  • Page 277

    ■ the device name and the accepted log information level specified in /etc/syslog.conf must be consistent with the info-center loghost and info-center loghost a.b.c.d facility settings configured on the switch. Otherwise, the log information probably cannot be output to the loghost correctly. C after the establ...

  • Page 278

    276 Chapter 15: System Maintenance and Debugging language to english; allow all modules to output information. [3com] info-center loghost 202.38.1.10 facility local7 language english [3com] info-center source default channel loghost log level informational configuration on the loghost...
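The info-center to loghost path configured above, as an added example (not the switch's or any syslog daemon's code): the switch-side "log level informational" threshold, the facility local7 carried in the syslog PRI field, and the loghost-side selector from /etc/syslog.conf that page 275 says must agree with it. It also makes the numbering caveat from page 262 concrete, since info-center counts severities 1 to 8 while syslog uses 0 to 7. The sample messages and all addresses are constructed.

```python
"""info-center to loghost path: switch-side severity threshold, BSD syslog PRI encoding
with the configured facility, and loghost-side selector matching as in /etc/syslog.conf.
Added example, not the switch's or any syslog daemon's code. The sample messages are
constructed; their MODULE/level/ tags follow the slash convention described on page 261."""
import re

# info-center numbers severities 1..8 (emergencies=1 ... debugging=8); syslog uses 0..7.
INFO_CENTER_LEVELS = {
    "emergencies": 1, "alerts": 2, "critical": 3, "errors": 4,
    "warnings": 5, "notifications": 6, "informational": 7, "debugging": 8,
}
SYSLOG_SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {**{f"local{n}": 16 + n for n in range(8)}, "user": 1, "daemon": 3, "auth": 4}
PRI_RE = re.compile(r"^<(\d{1,3})>(.+)$", re.S)


def to_syslog_severity(level_name):
    """Shift the 1-based info-center level onto the 0-based syslog severity."""
    return INFO_CENTER_LEVELS[level_name] - 1


def switch_filter(level_name, threshold_name):
    """info-center source ... level X: messages of severity X or more urgent pass."""
    return INFO_CENTER_LEVELS[level_name] <= INFO_CENTER_LEVELS[threshold_name]


def encode(facility, level_name, text):
    """RFC 3164 datagram: PRI = facility*8 + severity, followed by the message."""
    pri = FACILITIES[facility] * 8 + to_syslog_severity(level_name)
    return f"<{pri}>{text}"


def decode(datagram):
    """Loghost side: split PRI back into (facility, severity, text); None if unparsable."""
    m = PRI_RE.match(datagram)
    if not m:
        return None                       # no PRI at all
    pri = int(m.group(1))
    if pri > 191:
        return None                       # facility would exceed local7
    return pri // 8, pri % 8, m.group(2)


def selector_matches(selector, facility_code, severity):
    """syslog.conf 'facility.level' selects that facility at 'level' or more urgent."""
    fac_name, sev_name = selector.split(".")
    if FACILITIES[fac_name] != facility_code:
        return False
    return severity <= SYSLOG_SEVERITY_NAMES.index(sev_name)


def relay(messages, threshold, facility, loghost_selector):
    """End to end: switch threshold -> datagram -> loghost selector. Returns delivered text."""
    delivered = []
    for level_name, text in messages:
        if not switch_filter(level_name, threshold):
            continue
        decoded = decode(encode(facility, level_name, text))
        if decoded and selector_matches(loghost_selector, decoded[0], decoded[1]):
            delivered.append(decoded[2])
    return delivered


SAMPLE = [  # constructed (info-center level name, message text) pairs
    ("warnings", "ARP/5/DUPIP: duplicate address 10.1.1.2 on vlan-interface1"),
    ("informational", "SHELL/7/LOGIN: admin logged in from 10.1.1.9"),
    ("debugging", "IP/8/DBG: packet trace"),
]

if __name__ == "__main__":
    print(relay(SAMPLE, "informational", "local7", "local7.info"))     # first two messages
    print(relay(SAMPLE, "informational", "local6", "local7.info"))     # [] facility mismatch
```

The second call in the main block reproduces the failure page 275 warns about: the switch emits with one facility, the loghost selector names another, and every message is silently dropped.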

  • Page 279

    Logging function 277 ■ the information with severity level informational or more urgent will be sent to the loghost ■ the output language is english ■ the modules that are allowed to output information are arp and ip networking diagram figure 76 schematic diagram of configuration configuration procedure 1 con...

  • Page 280

    278 Chapter 15: System Maintenance and Debugging.

  • Page 281: SNMP Configuration

    Overview 279 16 SNMP Configuration overview the simple network management protocol (snmp) has gained the most extensive application in the computer networks. Snmp has been put into use and widely accepted as an industry standard in practice. It is used for ensuring the transmission of the managemen...

  • Page 282

    280 Chapter 16: SNMP Configuration figure 77 architecture of the mib tree the mib (management information base) is used to describe the hierarchical architecture of the tree and it is the set defined by the standard variables of the monitored network device. In the above figure, the managed object...

  • Page 283

    Configuring snmp 281 ■ set snmp system information ■ set the engine id of a local or remote device ■ set/delete an snmp group ■ set the source address of trap ■ add/delete a user to/from an snmp group ■ create/update view information or deleting a view ■ set the size of snmp packet sent/received by ...

  • Page 284

    282 Chapter 16: SNMP Configuration setting the destination address of trap you can use the following commands to set or delete the destination address of the trap. Perform the following configuration in system view. Table 317 set the destination address of trap setting lifetime of trap message you...

  • Page 285

    Configuring snmp 283 table 320 set the engine id of a local or remote device by default, the engine id is expressed as enterprise no. + device information. The device information can be ip address, mac address, or user-defined text. Setting/deleting an snmp group you can use the following commands t...

  • Page 286

    284 Chapter 16: SNMP Configuration creating/updating view information or deleting a view you can use the following commands to create, update the information of views or delete a view. Perform the following configuration in system view. Table 324 create/update view information or deleting a view s...

  • Page 288

    286 Chapter 16: SNMP Configuration networking diagram figure 78 snmp configuration example configuration procedure 1 enter the system view. System-view 2 set the community name, group name and user. [4500]snmp-agent sys-info version all [4500]snmp-agent community write public [4500]snmp-agent mib...
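The example above enables all SNMP versions and creates a write community named public, and earlier pages show local users with "password simple" and a radius key left at the default "3com". A practitioner's check for those settings in a saved configuration (the text command-line format the save command writes, page 230), as an added example that is not 3Com code: the two sample configurations are constructed; the "password cipher" keyword and the "ntp-service reliable authentication-keyid" / "unicast-server ... authentication-keyid" forms in the fixed one are assumed from the password display mode and NTP authentication discussions rather than taken from this page.

```python
"""Audit of a saved configuration for the weak settings this chapter's examples show:
"password simple" local passwords, the default RADIUS key "3com", write-enabled or
default-named SNMP communities, SNMPv1/v2c enabled, and NTP servers configured
without "ntp-service authentication enable". Added example, not 3Com code. Both sample
configurations are constructed; the "password cipher" line and the NTP key binding
commands in FIXED_CONFIG are assumed forms, not copied from this page."""
import re

LINE_RULES = [
    ("plaintext-local-password", re.compile(r"^\s*password\s+simple\s+\S+")),
    ("default-radius-key", re.compile(r"^\s*key\s+(authentication|accounting)\s+3com\s*$")),
    ("snmp-v1v2c-enabled", re.compile(r"^\s*snmp-agent\s+sys-info\s+version\s+.*\b(all|v1|v2c)\b")),
]
COMMUNITY_RE = re.compile(r"^\s*snmp-agent\s+community\s+(read|write)\s+(\S+)")
NTP_SOURCE_RE = re.compile(r"^\s*ntp-service\s+unicast-(server|peer)\s+\S+")
NTP_AUTH_RE = re.compile(r"^\s*ntp-service\s+authentication\s+enable\s*$")
DEFAULT_COMMUNITIES = {"public", "private"}


def audit(config_text):
    """Return (line_number, rule_name, offending_line) findings, in file order."""
    lines = config_text.splitlines()
    ntp_auth_enabled = any(NTP_AUTH_RE.match(line) for line in lines)
    findings = []
    for number, line in enumerate(lines, 1):
        for name, pattern in LINE_RULES:
            if pattern.match(line):
                findings.append((number, name, line.strip()))
        m = COMMUNITY_RE.match(line)
        if m and (m.group(1) == "write" or m.group(2).lower() in DEFAULT_COMMUNITIES):
            findings.append((number, "weak-snmp-community", line.strip()))
        if NTP_SOURCE_RE.match(line) and not ntp_auth_enabled:
            findings.append((number, "ntp-without-authentication", line.strip()))
    return findings


def rule_names(config_text):
    """Just the rule names, handy for a pass/fail gate in a config backup job."""
    return [name for _, name, _ in audit(config_text)]


WEAK_CONFIG = """\
 sysname 4500
#
radius scheme cams
 primary authentication 10.110.91.146 1812
 key authentication 3com
 server-type 3com
#
local-user admin
 password simple admin123
 service-type telnet level 3
#
 snmp-agent sys-info version all
 snmp-agent community write public
#
 ntp-service unicast-server 3.0.1.31
"""

FIXED_CONFIG = """\
 sysname 4500
#
radius scheme cams
 primary authentication 10.110.91.146 1812
 key authentication Lr8#vQ2m!pZ9
 server-type 3com
#
local-user admin
 password cipher PLACEHOLDER-CIPHERTEXT
 service-type telnet level 3
#
 snmp-agent sys-info version v3
 snmp-agent community read n0t-pub1ic-4500
#
 ntp-service authentication enable
 ntp-service authentication-keyid 42 authentication-mode md5 anicekey
 ntp-service reliable authentication-keyid 42
 ntp-service unicast-server 3.0.1.31 authentication-keyid 42
"""

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print(finding)
    print(audit(FIXED_CONFIG))  # []
```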

  • Page 289

    Snmp configuration example 287 reading usmusr table configuration example networking requirements viewdefault view should be reconfigured if you use snmp v3 to read the usmusr table. The snmpvacmmib and snmpusmmib should be included in viewdefault view. Networking diagram figure 79 snmp configuratio...

  • Page 290

    288 Chapter 16: SNMP Configuration view name:viewdefault mib subtree:snmpmodules.18 subtree mask: storage-type: nonvolatile view type:excluded view status:active.

  • Page 291: RMON Configuration

    17 RMON Configuration overview remote network monitoring (rmon) is a type of ietf-defined mib. It is the most important enhancement to the mib ii standard. It is mainly used for monitoring the data traffic on a segment and even on a whole network. It is one of the most widely used network managemen...

  • Page 292

    290 Chapter 17: RMON Configuration ■ add/delete an entry to/from the history control terminal ■ add/delete an entry to/from the extended rmon alarm table ■ add/delete an entry to/from the statistics table adding/deleting an entry to/from the alarm table rmon alarm management can monitor the specif...

  • Page 293

    Displaying and debugging rmon 291 table 331 add/delete an entry to/from the history control terminal adding/deleting an entry to/from the extended rmon alarm table you can use the command to add/delete an entry to/from the extended rmon alarm table. Perform the following configuration in system vie...

  • Page 294

    292 Chapter 17: RMON Configuration rmon configuration example networking requirements set an entry in rmon ethernet statistics table for the ethernet port performance, which is convenient for network administrators’ query. Networking diagram figure 80 rmon configuration networking configuration pr...

  • Page 295: NTP Configuration

    Overview 293 18 NTP Configuration overview network time protocol (ntp) is a time synchronization protocol defined in rfc1305. It is used for time synchronization between a set of distributed time servers and clients. Ntp transmits packets through udp port 123. Ntp is intended for time synchronizati...

  • Page 296

    294 Chapter 18: NTP Configuration ■ the local clock of a switch 4500 cannot operate as a reference clock. It can serve as an ntp server only after it has been synchronized. Implementation principle of ntp figure 81 shows the implementation principle of ntp. Ethernet switch a (ls_a) is connected to ethernet sw...

  • Page 297

    Overview 295 ■ when receiving a response packet, ls_a inserts a new timestamp 10:00:03 am (t4) into it. At this time, ls_a has enough information to calculate the following two parameters: ■ delay for an ntp packet to make a round trip between ls_a and ls_b: delay = (t4 - t1) - (t3 - t2). ■ time...

  • Page 298

    296 Chapter 18: NTP Configuration figure 84 broadcast mode figure 85 multicast mode table 335 describes how the above mentioned ntp modes are implemented on the switch 4500. Table 335 ntp implementation modes on the switch 4500 family ntp implementation mode configuration on the switch 4500 family...

  • Page 299

    Configuring ntp implementation modes 297 caution: a switch 4500 can operate in the ntp peer, ntp broadcast server, or ntp multicast server mode only after its clock is synchronized. Configuring ntp implementation modes a switch 4500 can operate in one of the following ntp modes: ■ ntp client mode ■...

  • Page 300

    298 Chapter 18: NTP Configuration to reduce the risk of attacks by malicious users against open sockets and to enhance switch security, the switch 4500 ethernet switches provide the following functions, so that a socket is opened only when it is needed: ■ opening udp port 123 (used for ntp)...

  • Page 301

    Configuring access control right 299 ntp broadcast server mode when a switch 4500 operates in ntp broadcast server mode, it broadcasts clock synchronization packets periodically. The devices in ntp broadcast client mode will respond to these packets and start the clock synchronization process. Ntp m...

  • Page 302

    300 Chapter 18: NTP Configuration enabled on the server (assuming that other related configurations are performed). ■ you need to couple the ntp authentication with a trusted key. ■ configurations on the server and the client must be consistent. ■ the client with the ntp authentication function en...

  • Page 303

    Configuring optional ntp parameters 301 the procedure for configuring ntp authentication on the server is the same as that on the client. Besides, the client and the server must be configured with the same authentication key. Configuring optional ntp parameters optional ntp parameters are: ■ local v...

  • Page 304

    302 Chapter 18: NTP Configuration dynamic connections can be established when a switch operates in passive peer mode, ntp broadcast client mode, or ntp multicast client mode. In other modes, the connections established are static. Displaying and debugging ntp after performing the above configu...

  • Page 305

    Configuration examples 303 clock precision: 2^7 clock offset: 0.0000 ms root delay: 0.00 ms root dispersion: 0.00 ms peer dispersion: 0.00 ms reference time: 00:00:00.000 utc jan 1 1900 (00000000.00000000) # set switch1 to the ntp server of the switch 4500. System-view [4500] ntp-service unicast-ser...

  • Page 306

    304 Chapter 18: NTP Configuration figure 86 network diagram for ntp peer mode configuration configuration procedure 1 configure the switch 4500. # set switch2 to the ntp server. System-view [sw4500] ntp-service unicast-server 3.0.1.31 2 configure switch3 (after the sw4500 ethernet switch is synchr...

  • Page 307

    Configuration examples 305 # view the information about the ntp sessions of the sw4500 ethernet switch (you can see that a connection is established between the sw4500 ethernet switch and switch3). [sw4500] display ntp-service sessions source reference stra reach poll now offset delay disper *******...

  • Page 308

    306 Chapter 18: NTP Configuration # enter system view. System-view [sw4500-2] # enter vlan-interface2 view. [sw4500-2] interface vlan-interface 2 [sw4500-2-vlan-interface2] # set sw4500-2 to a broadcast client. [sw4500-2-vlan-interface2] ntp-service broadcast-client after the above configurations,...

  • Page 309

Network diagram: Figure 88 Network diagram for NTP multicast mode configuration. Configuration procedure: 1 Configure Switch3. # Enter system view. system-view [switch3] # Enter VLAN-interface 2 view. [switch3] interface vlan-interface 2 # Set Switch3 as a multicast server. [switch3-vlan-interface2] ntp...

  • Page 310

308 Chapter 18: NTP Configuration ...from Switch3, while SW4500-1 is synchronized to Switch3 after receiving multicast packets from Switch3. View the status of SW4500-1 after synchronization. [sw4500-1] display ntp-service status clock status: synchronized clock stratum: 3 reference clock id: 3.0.1.3...

  • Page 311

Configuration Examples 309 # Enable the NTP authentication function. [sw4500] ntp-service authentication enable # Configure an MD5 authentication key with key ID 42 and key value anicekey (the key is a shared secret that lives in the switch configuration; protect the configuration file accordingly). [sw4500] ntp-service authentication-keyid 42 authentication-mode md5 anicekey # Specify the key ...
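What the key configured above actually buys you, as an added example that is not code from the 3Com manual: NTP symmetric-key authentication (RFC 1305 / RFC 5905) appends the key ID and MD5(key || NTP header) to each 48-byte packet, and a receiver with authentication enabled accepts a packet only if it carries a digest that verifies under a configured key that is also declared trusted. The key ID 42 and key "anicekey" are the manual's values; the header contents and the timestamps are constructed for the example. The example goes slightly beyond the manual by also showing the rejection cases (no MAC, wrong key, modified packet, untrusted key ID).

```python
"""Added example: NTP symmetric-key (MD5) authentication as used by the
'ntp-service authentication' commands. Not code from the 3Com manual."""
import hashlib
import hmac
import struct
from typing import Dict, Set, Tuple

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16    # key ID + MD5 digest


def build_ntp_header(mode: int, stratum: int, transmit_ts: int) -> bytes:
    """Minimal 48-byte NTPv3 header: LI=0, VN=3, mode, stratum, poll 6, precision -20,
    zeroed root delay/dispersion/reference ID and reference/originate/receive timestamps.
    (Constructed sample; a real packet carries live timestamps.)"""
    li_vn_mode = (0 << 6) | (3 << 3) | (mode & 0x7)
    return (struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)
            + bytes(12)                      # root delay, root dispersion, reference ID
            + bytes(24)                      # reference, originate, receive timestamps
            + struct.pack("!Q", transmit_ts))


def ntp_digest(key: bytes, header: bytes) -> bytes:
    """RFC 1305/5905 symmetric-key digest: MD5 over the key followed by the header.
    Note this is a keyed prefix, not HMAC; it is what the protocol specifies."""
    return hashlib.md5(key + header).digest()


def ntp_sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Sender side: header || key ID (4 bytes) || digest (16 bytes)."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    return header + struct.pack("!I", key_id) + ntp_digest(key, header)


def ntp_verify(packet: bytes, keys: Dict[int, bytes], trusted_ids: Set[int]) -> Tuple[bool, str]:
    """Receiver side with authentication enabled: accept only a packet whose digest
    verifies under a configured key that is also declared trusted."""
    if len(packet) == NTP_HEADER_LEN:
        return False, "unauthenticated packet rejected (authentication is enabled)"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "malformed packet length"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = packet[NTP_HEADER_LEN + 4:]
    if key_id not in keys:
        return False, f"unknown key id {key_id}"
    if key_id not in trusted_ids:
        return False, f"key id {key_id} is configured but not declared trusted"
    if not hmac.compare_digest(digest, ntp_digest(keys[key_id], header)):
        return False, "digest mismatch: wrong key or modified packet"
    return True, "authenticated"


# Constructed sample matching the manual's values: key ID 42, MD5 key "anicekey".
SERVER_KEYS = {42: b"anicekey"}
TRUSTED_KEY_IDS = {42}


def demo() -> Dict[str, bool]:
    """Exercise the accept path and the four rejection paths."""
    header = build_ntp_header(mode=3, stratum=3, transmit_ts=0xC50204ECEC42EE92)
    good = ntp_sign(header, 42, b"anicekey")
    wrong_key = ntp_sign(header, 42, b"wrongkey")
    tampered = good[:1] + bytes([good[1] ^ 0x01]) + good[2:]   # flip a bit in the stratum byte
    return {
        "good": ntp_verify(good, SERVER_KEYS, TRUSTED_KEY_IDS)[0],
        "wrong_key": ntp_verify(wrong_key, SERVER_KEYS, TRUSTED_KEY_IDS)[0],
        "tampered": ntp_verify(tampered, SERVER_KEYS, TRUSTED_KEY_IDS)[0],
        "no_mac": ntp_verify(header, SERVER_KEYS, TRUSTED_KEY_IDS)[0],
        "untrusted_key": ntp_verify(good, SERVER_KEYS, set())[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:14s} accepted={accepted}")
```

The digest gives origin authentication and integrity only; the packet is still sent in clear, and anyone who obtains the configuration file obtains the key, which is why the same key must be treated as a secret on both the server and the client.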

  • Page 312

310 Chapter 18: NTP Configuration (blank page).

  • Page 313: SSH Terminal Services

SSH Terminal Service 311 19 SSH Terminal Services This chapter contains information for SSH terminal services. SSH terminal service: Secure Shell (SSH) provides an encrypted, authenticated channel and strong user authentication to defend against attacks such as IP address spoofing and plain-text password interception when...

  • Page 314

312 Chapter 19: SSH Terminal Services Figure 91 Establishing an SSH channel through a WAN. To establish an SSH authenticated secure connection, the server and the client go through the following five phases: 1 Version number negotiation: ■ The client sends a TCP connection request. ■ After the ...

  • Page 315

SSH Terminal Service 313 3 Authentication mode negotiation: ■ The client sends its username to the server. ■ The server initiates a procedure to authenticate the user. If the server is configured not to authenticate the user, the process proceeds directly to the session request phase (a setting that should never be used on a management interface, since it opens the CLI to anyone who can reach the SSH port). ■ The ...

  • Page 316

314 Chapter 19: SSH Terminal Services SSH server configuration: the SSH server configuration tasks are described in the following sections: Table 343 SSH server configuration. 1 Configuring the supported protocol. Use this configuration task to specify the protocol the current user interface supports. P...

  • Page 317

SSH Terminal Service 315 Caution: if the supported protocol configured on the user interface is SSH, make sure the authentication mode for logging in to the user interface is set to authentication-mode scheme (AAA authentication). If the authentication mode is configured as authentic...

  • Page 318

316 Chapter 19: SSH Terminal Services By default, no login authentication mode is specified, that is, SSH users are unable to log in. 4 Configuring the authentication timeout. Use this configuration task to set the authentication timeout of SSH connections. Perform the following configuration in s...

  • Page 319

SSH Terminal Service 317 Table 350 Public key configuration. These configuration commands apply to environments where the server uses RSA authentication for SSH users. If the server uses password authentication for SSH users, these configurations are not necessary. 8 Entering the public ...

  • Page 320

318 Chapter 19: SSH Terminal Services 11 Configuring the server compatibility mode. Use this configuration task to set whether the server should be compatible with SSH 1.x clients. SSH 1.x protects packets with a CRC-32 check rather than a MAC and is considered insecure, so leave compatibility mode off unless a legacy client cannot be replaced. Perform the following configuration in system view. Table 354 Configure the compatibility mode. By default, the ser...

  • Page 321

SSH Terminal Service 319 Figure 92 Generating the client key (1). While the key pair is being generated you must keep moving the mouse, outside the green progress bar in the blue box of Figure 93, because PuTTYgen collects the randomness for the key from mouse movement; otherwise the progress bar does not move and the key pair cannot be generated.

  • Page 322

320 Chapter 19: SSH Terminal Services Figure 93 Generating the client key (2). After the key pair is generated, click "Save public key" and enter a file name (public here) to save the public key; this is the part that is later entered on the switch.

  • Page 323

SSH Terminal Service 321 Figure 94 Generating the client key (3). Likewise, to save the private key, click "Save private key"; a warning window asks whether you really want to save the private key without a passphrase to protect it. Click "Yes" and enter a name (private here) to save the private key. Note that an unprotected private key file gives switch access to anyone who can read it, so set a passphrase unless the file is on a well-controlled host. Figure...

  • Page 324

322 Chapter 19: SSH Terminal Services Figure 96 Generating the client key (5). Specifying the IP address of the server: launch putty.exe and the following window appears.

  • Page 325

SSH Terminal Service 323 Figure 97 SSH client interface 1. In the [Host Name (or IP address)] text box, enter the IP address of the server, for example 10.110.28.10. The IP address can be that of any interface on the server that has SSH enabled, is in the up state, and has a route to the cli...

  • Page 326

324 Chapter 19: SSH Terminal Services Figure 98 SSH client interface 2. In the [Protocol options] field, select [2] under [Preferred SSH protocol version]. Opening an SSH connection with RSA: if the client needs to use RSA authentication, you must specify the RSA private key file. If the cl...

  • Page 327

SSH Terminal Service 325 Figure 99 SSH client interface 3. Click the button shown to bring up the file selection window, navigate to the private key file and confirm the selection.

  • Page 328

326 Chapter 19: SSH Terminal Services Opening an SSH connection with a password: 1 Click the button shown. The following SSH client interface appears. If the connection is normal, you are prompted to enter the username and password, as shown in Figure 100. Figure 100 SSH client interface 2 Enter the username and ...

  • Page 329

SSH Terminal Service 327 Table 356 Start the SSH client. 2 Specifying the public key of the server. Use this configuration task to specify the public key of the server the client connects to, so that the client can verify that the server it reached is the genuine one (the presented host key must match the configured one rather than being accepted on sight). Perform the following configur...

  • Page 330

328 Chapter 19: SSH Terminal Services ...of the configurations. You can also debug SSH by executing the debugging command in user view. Table 359 Display information relevant to SSH. SSH server configuration example. Network requirements: as shown in Figure 101, a PC (SSH client) running SSH 2.0-enab...

  • Page 331

SSH Terminal Service 329 [3com] user-interface vty 0 4 [3com-ui-vty0-4] authentication-mode scheme # Specify the login protocol for user client001 as SSH and the authentication mode as password. [3com-ui-vty0-4] protocol inbound ssh [3com] local-user client001 [3com-luser-client001] password simple 3co... (password simple stores the password in clear text in the saved configuration file; the cipher form stores it encrypted).

  • Page 332

330 Chapter 19: SSH Terminal Services Network diagram: Figure 102 Network diagram for the SSH client. Configuration procedure: 1 Configure the client to perform first-time authentication of the server. With first-time authentication, the server's host key is recorded on the first connection without being verified, so an attacker who can intercept that first connection can impersonate the server; configuring the server's public key on the client (step 2) avoids this. [3com] ssh client first-time enable 2 Specify the public key of the server on the client. [3com] r...
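The two server-verification choices above, first-time authentication and a configured server public key, as an added example in Python that is not code from the 3Com manual. The server address, key bytes and fingerprint format are constructed for the example (the fingerprint is an OpenSSH-style SHA256 digest of the key blob); the logic is the policy itself: a pinned key must match on every connection including the first, whereas first-time authentication records whatever key it sees once and only detects changes afterwards.

```python
"""Added example: SSH server host-key verification, pinned key vs. trust-on-first-use.
Not code from the 3Com manual; names and key bytes are constructed."""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def fingerprint(public_key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a host key blob (base64 without padding)."""
    digest = hashlib.sha256(public_key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyStore:
    """Client-side policy for deciding whether the host key a server presents is acceptable."""

    def __init__(self, pinned: Optional[Dict[str, str]] = None, first_time_enable: bool = False):
        # server address -> fingerprint; entries given here are the configured (pinned) keys
        self.known: Dict[str, str] = dict(pinned or {})
        # equivalent of 'ssh client first-time enable'
        self.first_time_enable = first_time_enable

    def check(self, server: str, presented_key: bytes) -> Tuple[bool, str]:
        fp = fingerprint(presented_key)
        expected = self.known.get(server)
        if expected is not None:
            if hmac.compare_digest(expected, fp):
                return True, f"host key for {server} matches the recorded key"
            return False, f"HOST KEY CHANGED for {server}: expected {expected}, got {fp}"
        if self.first_time_enable:
            # Trust on first use: nothing verifies this key; it is simply remembered.
            self.known[server] = fp
            return True, f"first connection to {server}: recorded {fp} without verification"
        return False, f"no public key configured for {server} and first-time authentication is disabled"


# Constructed sample keys and server address (RFC 5737 documentation range).
GENUINE_SERVER_KEY = b"ssh-rsa constructed-genuine-server-key"
IMPOSTOR_KEY = b"ssh-rsa constructed-impostor-key"
SERVER = "192.0.2.10"


def demo() -> Dict[str, bool]:
    """Compare the three policies against an impostor key presented on the first connection."""
    strict = HostKeyStore()                          # neither pinned nor first-time: refuses
    tofu = HostKeyStore(first_time_enable=True)      # accepts whatever comes first
    pinned = HostKeyStore(pinned={SERVER: fingerprint(GENUINE_SERVER_KEY)})
    return {
        "strict_rejects_unknown": not strict.check(SERVER, GENUINE_SERVER_KEY)[0],
        "tofu_accepts_impostor_first": tofu.check(SERVER, IMPOSTOR_KEY)[0],
        "tofu_then_rejects_genuine": not tofu.check(SERVER, GENUINE_SERVER_KEY)[0],
        "pinned_rejects_impostor": not pinned.check(SERVER, IMPOSTOR_KEY)[0],
        "pinned_accepts_genuine": pinned.check(SERVER, GENUINE_SERVER_KEY)[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:32s} {result}")
```

The TOFU row is the point: with first-time authentication enabled, whichever key arrives first is the one the client will defend from then on, so the first connection should be made from a network position you trust, or the server's public key should be configured on the client out of band instead.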

  • Page 333

SFTP Service 331 enter password: ********************************************************* * All rights reserved (1997-2004) * * Without the owner's prior written consent, * * no decompiling or reverse-engineering shall be allowed. * ********************************************************* Employ RSA...

  • Page 334

332 Chapter 19: SSH Terminal Services Table 360 Configure the service type to be used. By default, the service type is stelnet. 2 Starting the SFTP server. Perform the following configuration in system view. Table 361 Start the SFTP server. By default, the SFTP server is shut down. SFTP client confi...

  • Page 335

SFTP Service 333 Table 362 SFTP client configuration. 1 Starting the SFTP client. Use this configuration task to start the SFTP client program, establish a connection with the remote SFTP server, and enter SFTP client view. Perform the following configuration in system view. No configuration item ...

  • Page 336

334 Chapter 19: SSH Terminal Services Table 363 Start the SFTP client. 2 Shutting down the SFTP client. Use this configuration task to shut down the SFTP client program. Perform the following configuration in SFTP client view. Table 364 Shut down the SFTP client. The three commands bye, exit and...

  • Page 337

SFTP Service 335 Table 366 SFTP file operations. The dir command and the ls command have the same functionality. The delete command and the remove command have the same functionality. 5 Displaying help information. Use this command to display command-related help information such as the format of the...

  • Page 338

336 Chapter 19: SSH Terminal Services Network diagram: Figure 103 Network diagram for SFTP. Configuration procedure: 1 Configure Switch B as the server. # Start the SFTP server. [3com] sftp-server enable # Specify the service type as SFTP. [3com] ssh user 8040 service-type sftp 2 Configure Switch A ...

  • Page 339

SFTP Service 337 sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 vrpcfg.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx 1... Note that the listing exposes the switch configuration file (vrpcfg.cfg) to the SFTP user, so SFTP accounts should be restricted to administrators.

  • Page 340

338 Chapter 19: SSH Terminal Services (blank page).

  • Page 341: Password Control Configuration Operations

20 Password Control Configuration Operations Introduction to password control configuration: the password control feature is designed to manage the following passwords: ■ Telnet passwords: passwords used by users who log in to the switch through Telnet. ■ SSH passwords: passwords used by the use...

  • Page 342

340 Chapter 20: Password Control Configuration Operations History password recording: a password that was configured and once used by a user is called a history (old) password. The switch can record user history passwords. Users cannot successfully update their passwords if they reuse a history...

  • Page 343

Password Control Configuration 341 Password control configuration. Configuration prerequisites: a user PC is connected to the Switch 4500 to be configured, and both devices are operating normally. Configuration tasks: the following sections describe the configuration tasks for password control: ■ Configuri...

  • Page 344

342 Chapter 20: Password Control Configuration Operations ...minimum password length (if available), the enable/disable state of history password recording, the processing mode for login attempt failures, and the time when the password history was last cleared. If all the password attempts of a us...

  • Page 345

Password Control Configuration 343 Caution: after a user updates the password successfully, the switch saves the old password in a readable file in flash memory, so the password history is only as well protected as the flash file system itself; keep file-system access limited to administrators. Caution: the switch does not provide the alert function for super passwords. Caution: the switch does not provide the alert function...

  • Page 346

344 Chapter 20: Password Control Configuration Operations Caution: when updating a password, do not reuse one of the recorded history passwords; otherwise the system prompts you to set a different password. The system administrator can perform the following operations to manually remove history p...

  • Page 347

Password Control Configuration 345 When the maximum number of attempts is exceeded, the system operates in one of the following processing modes: ■ locktime: in this mode, the system prevents the user from logging in again for a certain period of time. After that period, the user is allowed to log in to the s...

  • Page 348

346 Chapter 20: Password Control Configuration Operations If password authentication completes without timing out, the user logs in to the switch normally. Displaying password control: after the above configurations, you can execute the display command in any view to display the operation...
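The checks this chapter describes, pulled together as one added example in Python that is not code from the 3Com manual: a minimum password length, rejection of any recorded history password on update, a failed-login counter, and the locktime processing mode that refuses logins for a period once the counter is exhausted. The thresholds (length 10, four history entries, three attempts, 120 s lock) are assumed values chosen for the example. One deliberate difference from the switch: the manual says the switch keeps old passwords in a readable flash file, whereas this example keeps only salted PBKDF2 hashes, which still lets it detect reuse without storing anything recoverable.

```python
"""Added example: password-control policy with history, attempt limit and locktime.
Not code from the 3Com manual; thresholds are assumed values."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple


class PasswordControl:
    def __init__(self, min_length: int = 10, history_depth: int = 4,
                 max_attempts: int = 3, lock_seconds: int = 120):
        self.min_length = min_length
        self.history_depth = history_depth      # old passwords remembered per user
        self.max_attempts = max_attempts
        self.lock_seconds = lock_seconds        # locktime processing mode
        # per user: list of (salt, hash), newest first; entry [0] is the current password
        self._history: Dict[str, List[Tuple[bytes, bytes]]] = {}
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

    def set_password(self, user: str, new_password: str) -> Tuple[bool, str]:
        """Reject short passwords and any password still in the user's history."""
        if len(new_password) < self.min_length:
            return False, f"password shorter than the minimum length {self.min_length}"
        entries = self._history.setdefault(user, [])
        for salt, digest in entries:
            if hmac.compare_digest(digest, self._hash(new_password, salt)):
                return False, "password matches a recorded history password; choose a different one"
        salt = os.urandom(16)
        entries.insert(0, (salt, self._hash(new_password, salt)))
        del entries[self.history_depth + 1:]    # current password plus history_depth old ones
        return True, "password updated"

    def login(self, user: str, password: str, now: float) -> Tuple[bool, str]:
        """Verify a login at time `now` (seconds); enforce the attempt limit and lock period."""
        if self._locked_until.get(user, 0.0) > now:
            remaining = int(self._locked_until[user] - now)
            return False, f"account locked; try again in {remaining} s"
        entries = self._history.get(user)
        if entries:
            salt, digest = entries[0]
            if hmac.compare_digest(digest, self._hash(password, salt)):
                self._failures[user] = 0
                return True, "login ok"
        failures = self._failures.get(user, 0) + 1
        if failures >= self.max_attempts:
            self._failures[user] = 0
            self._locked_until[user] = now + self.lock_seconds
            return False, f"too many failed attempts; locked for {self.lock_seconds} s"
        self._failures[user] = failures
        return False, f"bad password ({self.max_attempts - failures} attempts left)"


def demo() -> List[str]:
    """Walk through an update that reuses history and a lockout after repeated failures."""
    pc = PasswordControl(min_length=8, max_attempts=3, lock_seconds=60)
    out = []
    out.append(pc.set_password("test", "short")[1])
    out.append(pc.set_password("test", "Correct-Horse-1")[1])
    out.append(pc.set_password("test", "Battery-Staple-2")[1])
    out.append(pc.set_password("test", "Correct-Horse-1")[1])   # old password, still in history
    for t in (1.0, 2.0, 3.0):
        out.append(pc.login("test", "wrong", t)[1])
    out.append(pc.login("test", "Battery-Staple-2", 4.0)[1])    # right password, but locked
    out.append(pc.login("test", "Battery-Staple-2", 70.0)[1])   # lock has expired
    return out


if __name__ == "__main__":
    print("\n".join(demo()))
```

Two details worth noticing: the correct password is refused while the lock is active, which is what makes the lock effective against an attacker who guesses right on the fourth try, and the failure counter is reset on a successful login so a legitimate user is not locked out by an old stray failure.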

  • Page 349

Password Control Configuration Example 347 Configuration procedure # Configure the system login password. system-view System View: return to User View with Ctrl+Z. [4500] local-user test New local user added. [4500-luser-test] password Password: ********** Confirm: ********** # Change the system login p...

  • Page 350

348 Chapter 20: Password Control Configuration Operations (blank page).

  • Page 351: Password Recovery Process

A Password Recovery Process Introduction: the Switch 4500 has two separate password systems: ■ passwords used by the web user interface and the CLI, which are stored in the 3comoscfg.cfg file. For more information, refer to the Getting Started Guide that accompanies your switch. ■ a...

  • Page 352

350 Appendix A: Password Recovery Process BootROM interface: during the initial boot phase of the switch (when directly connected via the console), various messages are displayed and the following prompt is shown with a five-second countdown timer: Press Ctrl-B to enter Boot Menu... Because this menu is reachable from the console without any password, physical access to the console port is equivalent to full control of the switch. 4 Before the ...

  • Page 353

BootROM Interface 351 Skipping the current configuration file: enter boot menu option 7 to make the switch boot from the factory default configuration file 3comoscfg.def. When the switch has booted from the factory default, it can be configured with an IP address and default gateway if needed. T...

  • Page 354

352 Appendix A: Password Recovery Process BootROM password recovery: select option 8 to set BootROM password recovery. The following is displayed: Warning: if disable the BootROM password recovery, the super password based on switch MAC address is invalid! The current mode is enable BootROM ... With recovery enabled, a super password derived from the switch MAC address is accepted, so anyone with console access can regain control of the switch; disabling it removes that path but also means a lost password cannot be recovered this way.

  • Page 355: RADIUS Server and RADIUS Client Setup

B RADIUS Server and RADIUS Client Setup This appendix covers the following topics: ■ Setting up a RADIUS server ■ Setting up the RADIUS client. Setting up a RADIUS server: there are many third-party applications available to configure a RADIUS server. 3Com has successfully installed and tested the...

  • Page 356

354 Appendix B: RADIUS Server and RADIUS Client Setup ...and Computers window, right-click the domain and choose Properties, then select Change Mode. c Add a user that is allowed to use the network. Go to Active Directory Users and Computers; in the left-hand window, right-click the Users folder and choose...

  • Page 357

Setting up a RADIUS Server 355 e The password for the user must be set to be stored with reversible encryption. Right-click the user account and select Properties. Select the Account tab and check the box labeled Store password using reversible encryption. This setting lets Active Directory recover the clear-text password (needed for MD5-Challenge and CHAP style methods) and so weakens the account; enable it only for accounts that need it, and prefer certificate-based EAP where possible. f Now re-enter the password for the account: rig...

  • Page 358

356 Appendix B: RADIUS Server and RADIUS Client Setup In the Certificate Authority Type window select Enterprise root CA. Enter information to identify the certificate authority in the CA Identifying Information window. Enter the storage location in the Data Storage Location window. To complete t...

  • Page 359

Setting up a RADIUS Server 357 5 Configure a certificate authority. a Go to Programs > Administrative Tools > Certification Authority and right-click Policy Settings under your certificate authority server. b Select New > Certificate to Issue. c Select Authenticated Session and select OK. d Go to Prog...

  • Page 360

358 Appendix B: RADIUS Server and RADIUS Client Setup e Select the Group Policy tab and ensure that the Default Domain Policy is highlighted. Click Edit to launch the Group Policy Editor. f Go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies, and right-clic...

  • Page 361

Setting up a RADIUS Server 359 i Open a command prompt (Start > Run, enter cmd). Enter secedit /refreshpolicy machine_policy. The command may take a few minutes to take effect. 6 Set up the Internet Authentication Service (IAS) RADIUS server. a Go to Programs > Administrative Tools > Internet Aut...

  • Page 362

360 Appendix B: RADIUS Server and RADIUS Client Setup h Select Grant remote access permission and select Next. i Click Edit Profile... and select the Authentication tab. Ensure Extensible Authentication Protocol is selected and Smart Card or other certificate is set. Deselect any other authe...

  • Page 363

Setting up a RADIUS Server 361 b Select the Dial-in tab from the client Properties window. Select Allow access. Click OK. c Click OK to confirm. 8 Configure the Switch 4500 for RADIUS access and client authentication; see Chapter 11 "802.1x Configuration". 9 Generate a certificate by requesting a ce...

  • Page 364

362 Appendix B: RADIUS Server and RADIUS Client Setup d Select Advanced request and click Next >. e Select the first option and click Next >. f Either copy the settings from the screenshot below or choose different key options. Click Save to save the PKCS #10 file. The PKCS #10 file is used to gen...

  • Page 365

Setting up a RADIUS Server 363 ...followed by this warning message; select Yes and then OK. The PKCS #10 file is now saved to the local drive. h To generate a portable certificate using PKCS #10, click the Home hyperlink at the top right of the CA web page. i Select Request a certificate > Next > Advance...

  • Page 366

364 Appendix B: RADIUS Server and RADIUS Client Setup l Paste the copied information into the Saved Request field as shown below. Select Authenticated Session from the Certificate Template selector and click Submit >. m Download the certificate and certification path. Click on Download CA cer...

  • Page 367

Setting up a RADIUS Server 365 o Click Install Certificate to launch the Certificate Import Wizard. p Leave the settings on the next screen as they are, click Next > followed by Finish and OK. This installs the certificate. q Launch the Certification Authority management tool on the server and expand t...

  • Page 368

366 Appendix B: RADIUS Server and RADIUS Client Setup s Click Copy to File to save the certificate. This was already done by the advanced request, but this is an alternative way to save the certificate. Click Next when the wizard is launched. Save the certificate using DER ...

  • Page 369

Setting up a RADIUS Server 367 u Select the user that becomes the IEEE 802.1x client. Right-click the user and select Name Mappings. Select Add. v Select the certificate that you have just exported and click Open. Click OK. w In the Security Identity Mapping screen, click OK to close it. x Close th...

  • Page 370

368 Appendix B: RADIUS Server and RADIUS Client Setup b Create a new remote access policy under IAS and name it Switch Login. Select Next >. c Specify Switch Login to match the users in the Switch Access group; select Next >. d Allow Switch Login to grant access to these users; select Next >.

  • Page 371

Setting up a RADIUS Server 369 e Use the Edit button to change the Service-Type to Administrative. f Add a vendor-specific attribute to indicate the access level that should be provided:

  • Page 372

370 Appendix B: RADIUS Server and RADIUS Client Setup The value 010600000003 indicates admin privileges for the switch: 01 is the vendor attribute type, 06 is its total length, and the last four bytes (00000003) are the access level. A final value of 01 indicates monitor and 02 indicates manager access; on the Switch 4500, 00 indicates visitor level. 11 Configure the RADIUS client. Refer to the section Setting up the...

  • Page 373

Setting up a RADIUS Server 371 Follow these steps to set up Auto VLAN and QoS for use by Microsoft IAS: 1 Define the VLAN groups on the Active Directory server and assign the user accounts to each VLAN group. Go to Programs > Administrative Tools > Active Directory Users and Computers. a For example,...

  • Page 374

372 Appendix B: RADIUS Server and RADIUS Client Setup d Go to Programs > Administrative Tools > Internet Authentication Service and select Remote Access Policies. Select the policy that you configured earlier, right-click and select Properties. e Click Add to add policy membership. f Select the...

  • Page 375

Setting up a RADIUS Server 373 g Select the VLAN group that you have just created, click Add and then OK to confirm. h Click OK again to return to the security policy properties. i Click Edit Profile... and select the Advanced tab. Click Add. Refer to Table 379 and Table 381 for the RADIUS at...

  • Page 376

374 Appendix B: RADIUS Server and RADIUS Client Setup Table 379 Summary of Auto VLAN attributes. Table 381 Summary of QoS attributes. j Select Tunnel-Medium-Type and click Add. k Ensure that the attribute value is set to 802 and click OK. l Click OK again on the Multivalued Attribute Information s...

  • Page 377

Setting up a RADIUS Server 375 m Select the Tunnel-Pvt-Group-ID entry and click Add. n Click Add, ensure that the attribute value is set to 4 (attribute value in string format), and click OK. This value represents the VLAN ID. o Click OK again on the Multivalued Attribute Information screen to retur...

  • Page 378

376 Appendix B: RADIUS Server and RADIUS Client Setup p Click Add again. In the pull-down menu, select Virtual LANs and click OK. q Click OK again to return to the Add Attributes screen. Click Close. You will now see the added attributes. r Click OK to close the profile screen and OK again to...
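What the IAS clicks above put on the wire, for both the vendor-specific access-level attribute (value 010600000003) and the Auto VLAN tunnel attributes (Tunnel-Type = Virtual LANs, Tunnel-Medium-Type = 802, Tunnel-Pvt-Group-ID = "4"), as one added example in Python that is not code from the 3Com manual. Two values are assumptions and labelled as such in the code: the 3Com vendor ID 43 (its IANA enterprise number) and vendor-type 1 for the access-level attribute, which is inferred from the manual's 01 06 00000003 layout (type, length, 4-byte level). The numeric codes for the standard attributes are from RFC 2865, RFC 2868 and RFC 3580. The example goes a little beyond the manual by also parsing the attribute list back, the way the switch must.

```python
"""Added example: encode and decode the RADIUS Access-Accept attributes a Switch 4500
login policy returns (3Com access level, Service-Type, Auto VLAN). Not from the manual."""
import struct
from typing import Dict, List, Tuple

SERVICE_TYPE = 6
VENDOR_SPECIFIC = 26
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

SERVICE_TYPE_ADMINISTRATIVE = 6   # "Administrative" in the IAS Service-Type pull-down (RFC 2865)
TUNNEL_TYPE_VLAN = 13             # "Virtual LANs" in IAS (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6        # shown as "802" in IAS (RFC 2868)

VENDOR_3COM = 43                  # assumption: IANA enterprise number for 3Com
VSA_3COM_USER_ACCESS_LEVEL = 1    # assumption: vendor-type 01 in the manual's 010600000003

ACCESS_LEVELS = {0: "visitor", 1: "monitor", 2: "manager", 3: "administrator"}


def attr(atype: int, value: bytes) -> bytes:
    """Standard RADIUS attribute TLV: type, total length, value (RFC 2865)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    """Vendor-Specific (26) carrying one vendor TLV in the RFC 2865 recommended format."""
    inner = struct.pack("!BB", vtype, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    return struct.pack("!B", tag) + value.to_bytes(3, "big")


def switch_login_accept(access_level: int, vlan_id: int) -> bytes:
    """Attribute list for an Access-Accept granting a CLI access level and an auto VLAN."""
    return b"".join([
        attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE)),
        vsa(VENDOR_3COM, VSA_3COM_USER_ACCESS_LEVEL, struct.pack("!I", access_level)),
        attr(TUNNEL_TYPE, tagged_int(0, TUNNEL_TYPE_VLAN)),
        attr(TUNNEL_MEDIUM_TYPE, tagged_int(0, TUNNEL_MEDIUM_IEEE_802)),
        attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()),   # string form, "4" in the manual
    ])


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Split an attribute list into (type, value) pairs, refusing malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def decode_access_level(vsa_value: bytes) -> int:
    """Decode the 3Com-User-Access-Level TLV, e.g. bytes.fromhex('010600000003') -> 3."""
    if (len(vsa_value) != 6 or vsa_value[0] != VSA_3COM_USER_ACCESS_LEVEL
            or vsa_value[1] != len(vsa_value)):
        raise ValueError("not a 3Com-User-Access-Level TLV")
    return int.from_bytes(vsa_value[2:], "big")


def describe(attrs_bytes: bytes) -> Dict[str, object]:
    """Summarise the switch-relevant attributes of an Access-Accept, as the switch would."""
    result: Dict[str, object] = {}
    for atype, value in parse_attrs(attrs_bytes):
        if atype == SERVICE_TYPE:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == VENDOR_3COM:
            level = decode_access_level(value[4:])
            result["access_level"] = ACCESS_LEVELS.get(level, f"unknown({level})")
        elif atype == TUNNEL_TYPE:
            result["tunnel_type"] = int.from_bytes(value[1:4], "big")      # skip the tag octet
        elif atype == TUNNEL_MEDIUM_TYPE:
            result["tunnel_medium"] = int.from_bytes(value[1:4], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            s = value[1:] if value and value[0] <= 0x1F else value        # optional tag octet
            result["vlan"] = s.decode()
    return result


if __name__ == "__main__":
    accept = switch_login_accept(access_level=3, vlan_id=4)
    print(accept.hex())
    print(describe(accept))
```

Because the access level and VLAN arrive as plain attributes, the only thing that stops a forged Access-Accept from granting administrator level is the RADIUS shared secret that authenticates the packet, which is why the secret has to be strong and unique per client.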

  • Page 379

Setting up a RADIUS Server 377 To configure Funk RADIUS as a RADIUS server for networks with the Switch 4500, follow these steps: 1 Open the file eap.ini in \radius\service and remove the ";" before the MD5-Challenge line. This enables MD5-Challenge. 2 Open the file radius.ini in \radius\service and chan...

  • Page 380

378 Appendix B: RADIUS Server and RADIUS Client Setup 3 Either reboot the server or stop and then restart the RADIUS service. To stop and restart the Steel-Belted Radius service, go to Control Panel > Administrative Tools > Services. Scroll down to the Steel-Belted service, stop and restart it. Fun...

  • Page 381

Setting up a RADIUS Server 379 ...passwords are case sensitive. 6 Enter the shared secret used to authenticate RADIUS packets and to obscure the user password in transit. The shared secret must be identical on the Switch 4500 and the RADIUS server, and it should be long and random: the password hiding is only as strong as the secret, and an attacker who captures the RADIUS traffic can try to recover a weak secret offline. a Select RAS Clients from the left-hand list, enter a client name, the IP address and the shared se...

  • Page 382

380 Appendix B: RADIUS Server and RADIUS Client Setup Configuring Auto VLAN and QoS for Funk RADIUS: to set up Auto VLAN and QoS using Funk RADIUS, follow these steps: 1 Edit the dictionary file radius.dct so that return-list attributes from the Funk RADIUS server are returned to the Switch 4500....

  • Page 383

Setting up a RADIUS Server 381 The following example shows the user name homer with the correct return-list attributes inserted; the VLANs and QoS profiles must also be created on the 3Com Switch 4500. Configuring FreeRADIUS: 3Com has successfully installed and tested FreeRADIUS running on Solaris 2....

  • Page 384

382 Appendix B: RADIUS Server and RADIUS Client Setup b Edit the existing file dictionary in /usr/local/etc/raddb to add the following line: $INCLUDE dictionary.3com. The new file dictionary.3com will be used in configuring the FreeRADIUS server. 3 Locate the existing file users in /usr/local/etc/...

  • Page 385

Setting up the RADIUS Client 383 Windows 2000 built-in client: Windows 2000 requires Service Pack 3 and the IEEE 802.1x client patch for Windows 2000. 1 Download the patches if required from: http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=6b78edbe-d3ca-4880-929f-453c695b96...

  • Page 386

384 Appendix B: RADIUS Server and RADIUS Client Setup Follow these steps to install the AEGIS client: 1 Registering the AEGIS client. When using the AEGIS client for the first time, a license key is requested. To obtain a valid license key, complete an online form on the Meetinghouse web sit...

  • Page 387

Setting up the RADIUS Client 385 d Click OK to finish the configuration. e Restart the client either by rebooting or by stopping and restarting the service. f Click the OK button, then return to the AEGIS client main interface. To restart the client, press the button with the red cross. If authentica...

  • Page 388

386 Appendix B: RADIUS Server and RADIUS Client Setup (blank page).

  • Page 389: Authenticating the Switch 4500 with Cisco Secure ACS

C Authenticating the Switch 4500 with Cisco Secure ACS This appendix covers the following topics: ■ Cisco Secure ACS (TACACS+) and the 3Com Switch 4500 ■ Setting up the Cisco Secure ACS (TACACS+) server. Cisco Secure ACS (TACACS+) and the 3Com Switch 4500: Cisco Secure ACS and TACACS+ are propriet...

  • Page 390

388 Appendix C: Authenticating the Switch 4500 with Cisco Secure ACS Adding a 3Com Switch 4500 as a RADIUS client: once logged in to the Cisco Secure ACS interface, follow these steps: 1 Select Network Configuration from the left-hand side. 2 Select Add Entry under AAA Clients. 3 Enter the de...

  • Page 391

Setting up the Cisco Secure ACS (TACACS+) Server 389 5 Select Interface Configuration from the left-hand side. 6 Select RADIUS (IETF) from the list under Interface Configuration. 7 Check the RADIUS attributes that you wish to install. If you want to use Auto VLAN and QoS, ensure that you have the fo...

  • Page 392

390 Appendix C: Authenticating the Switch 4500 with Cisco Secure ACS 8 Select Submit. 9 Repeat steps 1 to 8 for each Switch 4500 on your network. When all of the Switch 4500s have been added as clients to the Cisco Secure ACS server, restart the Secure ACS server by selecting System Configurati...

  • Page 393

Setting up the Cisco Secure ACS (TACACS+) Server 391 The screen below shows specific RADIUS attributes having been selected for the user. The user has the student profile selected and is assigned to VLAN 10 untagged. The RADIUS attributes need to have already been selected; see step 7 in Adding a 3C...

  • Page 394

392 Appendix C: Authenticating the Switch 4500 with Cisco Secure ACS 3=administrator. b Locate the application csutil.exe in the utils directory of the install path (for example, c:\program files\cisco secure acs\utils\). c Copy the 3com.ini file into the utils directory. d At the command promp...

  • Page 395

Setting up the Cisco Secure ACS (TACACS+) Server 393 3 Select Submit+Restart. The IETF attributes will still be available to the device; the 3Com attributes are simply appended to them. 4 Select Interface Configuration, followed by RADIUS (3Com). a Ensure that the 3Com-User-Access-Level option is sele...

  • Page 396

394 Appendix C: Authenticating the Switch 4500 with Cisco Secure ACS ...scrolling to the bottom of the user profile, where there should be the option for configuring the access level as shown below: 6 In the RADIUS (3Com) attribute box, check 3Com-User-Access-Level and select Administrator from th...