Summary of S3100 Series

  • Page 1

    H3C S3100 Series Ethernet Switches Operation Manual. Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com. Document version: 20100908-C-1.00. Product version: Release 22xx series.

  • Page 2

    Copyright © 2010, Hangzhou H3C Technologies Co., Ltd. and its licensors. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. Trademarks: H3C, Aolynk, H3Care, TOP G, IRF, N...

  • Page 3: Preface

    1 Preface. The H3C S3100 Series Ethernet Switches Operation Manual - Release 22xx Series describes the software features of the H3C S3100 series Ethernet switches and guides you through the software configuration procedures. It also provides configuration examples to help you apply software features to di...

  • Page 4

    2 Part / Features. 05 - Static Route Operation: introduction to static route; static route configuration; troubleshooting a static route. 06 - IP Address / IP Performance Operation: configuring an IP address for a switch; configuring the TCP attributes for a switch. 07 - Voice VLAN Operation: voice VLAN (app...

  • Page 5

    3 Part / Features. 16 - Multicast Operation: Internet Group Management Protocol (IGMP) snooping v2 and v3; Multicast Listener Discovery (MLD) snooping v1 and v3 (applicable only to the S3100-EI series); IPv6 multicast VLAN configuration (applicable only to the S3100-EI series); multicast user control policy ...

  • Page 6

    4 Part / Features. 27 - Stack / Cluster Operation: stack; Huawei Group Management Protocol (HGMP) v2; Neighbor Discovery Protocol (NDP); Neighbor Topology Discovery Protocol (NTDP); cluster topology management function; cluster synchronization function. 28 - PoE / PoE Profile Operation: Power over Ethern...

  • Page 7

    5 Part / Features. 42 - ARP and IP Attack Defense Operation: ARP packet filtering based on the gateway's address (applicable only to the S3100-EI series); configuring the maximum number of dynamic ARP entries a VLAN interface can learn (applicable only to the S3100-EI series); suppor...

  • Page 8

    6 Software version / Added features compared with the earlier version (Release 2108P04) / Part. Limit broadcast traffic in pps: 09 - Port Basic Configuration Operation. Multicast user control policy configuration (applicable only to the S3100-EI series); disables the EPON ONU from dropping unknown multicast pac...

  • Page 9

    7 Software version / Added features compared with the earlier version (Release 2108P04) / Part. Web authentication: 20 - Web Authentication Operation. DHCP server (applicable only to the S3100-EI series), removing DHCP snooping entries, automatic configuration: 23 - DHCP Operation. IPv6 ACL (applicable only to the S...

  • Page 10

    8 Conventions. This section describes the conventions used in this documentation set. Command conventions (Convention / Description): Boldface: bold text represents commands and keywords that you enter literally as shown. Italic: italic text represents arguments that you replace with actual values. [ ]: squa...

  • Page 11

    9 Category / Documents / Purposes. S3100-EI series switches marketing brochure; S3100-SI series switches marketing brochure: describe product specifications and benefits. H3C Low End Series Ethernet Switches Pluggable Modules Manual: describes the types, appearance, and specifications of pluggable modul...

  • Page 12

    10 You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.

  • Page 13: Table of Contents

    I Table of Contents. 1 CLI Configuration (1-1); Introduction to the CLI ...

  • Page 14: Cli Configuration

    1-1 1 CLI Configuration. Introduction to the CLI: a command line interface (CLI) is a user interface for interacting with a switch. Through the CLI on a switch, a user can enter commands to configure the switch and check the output to verify the configuration. Each S3100 series Ethernet switch pro...

  • Page 15

    1-2 Manage level (level 3): commands at this level are associated with the basic operation modules and support modules of the system. These commands provide support for services. Commands concerning the file system, FTP/TFTP/XMODEM downloading, user management, and level setting are at this level. By ...

  • Page 16

    1-3 It is recommended not to change the level of a command arbitrarily, for it may cause inconvenience to maintenance and operation. Note in particular that lowering the level of a manage-level command (file system, user management, level setting) makes it available to every user at the new, lower level. When you change the level of a command with multiple keywords or arguments, you should input the keywords or arguments one by one in the order they appear in the c...

  • Page 17

    1-4 High-to-low user level switching is unrestricted. Low-to-high user level switching, however, requires the corresponding authentication. Two authentication modes are available: the super password authentication mode and the HWTACACS authentication mode. Complete the following tasks to ...

  • Page 18

    1-5 When both super password authentication and HWTACACS authentication are specified, the device tries the preferred authentication mode first. If the preferred authentication mode cannot be applied (for example, the super password is not configured or the HWTACACS authentication serve...

  • Page 19

    1-6 Operation / Command / Description. Enter system view: system-view. Enter ISP domain view: domain domain-name. Set the HWTACACS authentication scheme for user level switching: authentication super hwtacacs-scheme hwtacacs-scheme-name (required). By default, the HWTACACS authentication scheme for user level...

  • Page 20

    1-7 # Set the password used by the current user to switch to level 3. [Sysname] super password level 3 simple 123 (the simple keyword stores the password in plain text in the configuration file; the value 123 is only the manual's illustration). A VTY 0 user switches its level to level 3 after logging in. # A VTY 0 user telnets to the switch, and then uses the configured password to switch to user level 3: super 3, then enter the password at the Password: prompt. User priv...

  • Page 21

    1-8 Table 1-2 lists the CLI views provided by S3100 series Ethernet switches, the operations that can be performed in each view, and the commands used to enter each view. Table 1-2 CLI views (View / Available operation / Prompt example / Enter method / Quit method). User view: display operation st...

  • Page 22

    1-9 (View / Available operation / Prompt example / Enter method / Quit method, continued.) FTP client view: configure FTP client parameters; prompt [ftp]; execute the ftp command in user view. SFTP client view: configure SFTP client parameters; prompt sftp-client>; execute the sftp command in system view. MST region view: configure MST regio...

  • Page 23

    1-10 (View / Available operation / Prompt example / Enter method / Quit method, continued.) Advanced IPv6 ACL view: define rules for an advanced IPv6 ACL (ID 3000 to 3999), supported only by S3100-EI series switches; prompt [Sysname-acl6-adv-3000]; execute the acl ipv6 number command in system view. QoS profile v...

  • Page 24

    1-11 (View / Available operation / Prompt example / Enter method / Quit method, continued.) PKI entity view: configure PKI entity parameters; prompt [Sysname-pki-entity-en]; execute the pki entity command in system view. PKI certificate attribute group view: configure PKI certificate attribute group parameters; prompt [Sysname-cert-attri...

  • Page 25

    1-12 The shortcut key is equivalent to the return command. CLI features. Online help: when configuring the switch, you can use the online help to get related help information. The CLI provides two types of online help: complete and partial. Complete online help: 1) Enter a question mark (?) in any view...

  • Page 26

    1-13 Partial online help: 1) Enter a character or string, followed by a question mark (?). All the commands beginning with that character or string are displayed on your terminal. For example: p? lists ping and pwd. 2) Enter a command, a space, a character or string, and a question mark (?). All the...

  • Page 27

    1-14 Purpose / Operation / Remarks. Recall the next history command: press the down arrow key or its shortcut key. This operation recalls the next history command (if available). The Windows 9x HyperTerminal interprets the up and down arrow keys differently, so the two keys do not work when you access his...

  • Page 28

    1-15 Press... / To... Left arrow key (or its shortcut key): move the cursor one character to the left. Right arrow key (or its shortcut key): move the cursor one character to the right. Up arrow key or down arrow key (or their shortcut keys): display history commands. Use the partial online help: when you input an incomplete keyword and press the key, if the input ...

  • Page 29: Table of Contents

    I Table of Contents. 1 Logging into an Ethernet Switch (1-1); Logging into an Ethernet Switch ...

  • Page 30

    II Configuration on the switch side (4-1); Modem configuration (4-1); Switch conf...

  • Page 31

    1-1 1 Logging into an Ethernet switch. You can log into an S3100 Ethernet switch in one of the following ways: logging in locally through the console port; logging in locally or remotely through an Ethernet port by means of Telnet or SSH; telnetting to the console ...

  • Page 32

    1-2 VTY user interface indexes follow AUX user interface indexes. The first absolute VTY user interface is numbered 1, the second 2, and so on. 2) A relative user interface index is obtained by appending a number to the identifier of a user interface type. It is generated by user interface ...

  • Page 33

    2-1 2 Logging in through the console port. Introduction: logging in through the console port is the most common way to log into a switch. It is also the prerequisite for configuring the other login methods. By default, you can log into an S3100 Ethernet switch only locally through its console port. Table 2-1 ...

  • Page 34

    2-2 2) If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows XP/Windows 2000; the following assumes Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4 so that the connection can be created. Norma...

  • Page 35

    2-3 Figure 2-4 Set port parameters. 3) Turn on the switch. You are prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as ) appears after you press the Enter key, as shown in Figure 2-5. Figure 2-5 HyperTerminal CLI. 4) You can then con...

  • Page 36

    2-4 Console port login configuration. Common configuration: Table 2-2 lists the common configuration of console port login. Table 2-2 Common configuration of console port login (Configuration / Remarks). Baud rate: optional; the default baud rate is 9,600 bps. Check mode: optional; by default, the check mode o...

  • Page 37

    2-5 Table 2-3 Console port login configurations for different authentication modes (Authentication mode / Console port login configuration / Remarks). None: perform common configuration; perform common configuration for console port login (optional; refer to Table 2-2). Password: configure the password; configure the pas...

  • Page 38

    2-6 Operation / Command / Description. Configure not to authenticate users: authentication-mode none (required). By default, users logging in through the console port (AUX user interface) are not authenticated. Set the baud rate: speed speed-value (optional). The default baud rate of a console port is 9,600 bps....

  • Page 39

    2-7 Configuration example. Network requirements: assume that the switch is configured to allow users to log in through Telnet, and that the user level is set to the administrator level (level 3). Perform the following configurations for users logging in through the console port (AUX user interface): do n...

  • Page 40

    2-8 After the above configuration, you need to change the settings of the terminal emulation utility on the PC accordingly, in the dialog box shown in Figure 2-4, to log into the switch successfully. Console port login configuration with authentication mode being password. Configuration pr...

  • Page 41

    2-9 Operation / Command / Description. Set the timeout time for the user interface: idle-timeout minutes [ seconds ] (optional). The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in... (Setting the timeout to 0 disables it, so an idle session stays open indefinitely; keep a finite value on both the AUX and VTY user interfaces.)

  • Page 42

    2-10 # Set the local password to 123456 (in plain text). [Sysname-ui-aux0] set authentication password simple 123456 (simple stores the password in plain text in the configuration file; the cipher keyword stores it in encrypted form). # Specify that commands of level 2 are available to users logging into the AUX user interface. [Sysname-ui-aux0] user privilege level 2 # Set the baud rate of the console port to 19,200 bp...

  • Page 43

    2-11 Operation / Command / Description. Configure to authenticate users locally or remotely: authentication-mode scheme [ command-authorization ] (required). The specified AAA scheme determines whether users are authenticated locally or remotely. By default, users logging in through the console port (AUX user...

  • Page 44

    2-12 Configuration example. Network requirements: assume the switch is configured to allow users to log in through Telnet, and that the user level is set to the administrator level (level 3). Perform the following configurations for users logging in through the console port (AUX user interface): configur...

  • Page 45

    2-13 [Sysname-ui-aux0] speed 19200 # Set the maximum number of lines the screen can contain to 30. [Sysname-ui-aux0] screen-length 30 # Set the maximum number of commands the history command buffer can store to 20. [Sysname-ui-aux0] history-command max-size 20 # Set the timeout time of the AUX user ...

  • Page 46: Logging In Through Telnet

    3-1 3 Logging in through Telnet. Introduction: S3100 series Ethernet switches support Telnet. You can manage and maintain a switch remotely by telnetting to it. To log into a switch through Telnet, the corresponding configuration is required on both the switch and the Telnet terminal. Note that Telnet carries the login password and the whole session in clear text; where the switch supports SSH (see the SSH part of this manual), prefer it and limit the VTY user interfaces to SSH. You can ...

  • Page 47

    3-2 Table 3-2 Common Telnet configuration (Configuration / Description). Configure the command level available to users logging into the VTY user interface: optional; by default, commands of level 0 are available to users logging into a VTY user interface. Configure the protocols the user interface support...

  • Page 48

    3-3 Authentication mode / Telnet configuration / Description. Manage VTY users: set the service type for VTY users (required). Perform common configuration: perform common Telnet configuration (optional; refer to Table 3-2). To improve security and prevent attacks on unused sockets, TCP 23 and TCP 22, the ports for...

  • Page 49

    3-4 Operation / Command / Description. Make terminal services available: shell (optional). By default, terminal services are available on all user interfaces. Set the maximum number of lines the screen can contain: screen-length screen-length (optional). By default, the screen can contain up to 24 lines. You can...

  • Page 50

    3-5 # Enter VTY 0 user interface view. [Sysname] user-interface vty 0 # Configure not to authenticate Telnet users logging into VTY 0. [Sysname-ui-vty0] authentication-mode none (with this setting anyone who can reach TCP port 23 obtains a shell at the configured level without a password; it is only suitable for an isolated lab). # Specify that commands of level 2 are available to users logging into VTY 0. [Sysname-ui-vty0] user privilege level 2 # Config...

  • Page 51

    3-6 Operation / Command / Description. Set the maximum number of lines the screen can contain: screen-length screen-length (optional). By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable paged display. Set the history command bu...

  • Page 52

    3-7 # Enter VTY 0 user interface view. [Sysname] user-interface vty 0 # Configure password authentication for users logging into VTY 0. [Sysname-ui-vty0] authentication-mode password # Set the local password to 123456 (in plain text). [Sysname-ui-vty0] set authentication password simple 12345...

  • Page 53

    3-8 Operation / Command / Description. Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]. Configure to authenticate users locally or remotely: authentication-mode scheme [ command-authorization ] (required). The specified AAA scheme determines whether to authenticat...

  • Page 54

    3-9 Table 3-7 Determining the command level when users logging into switches are authenticated in scheme mode (Scenario: authentication mode, user type, command / Command level). The user privilege level level command is not executed, and the service-type command does not specify the available command lev...

  • Page 55

    3-10 Refer to AAA Operation and SSH Operation in this manual for information about AAA, RADIUS, and SSH. Configuration example. Network requirements: assume the current user logs in through the console port and the user level is set to the administrator level (level 3). Perform the following configurations...

  • Page 56

    3-11 [Sysname-ui-vty0] screen-length 30 # Set the maximum number of commands the history command buffer can store to 20. [Sysname-ui-vty0] history-command max-size 20 # Set the timeout time to 6 minutes. [Sysname-ui-vty0] idle-timeout 6. Telnetting to a switch. Telnetting to a switch from a terminal: 1...

  • Page 57

    3-12 2) Perform the Telnet-related configuration on the switch. Refer to the sections "Telnet configuration with authentication mode being none", "Telnet configuration with authentication mode being password", and "Telnet configuration with authentication mode being scheme" for details. 3)...

  • Page 58

    3-13 A Telnet connection is terminated if you delete or modify the IP address of the VLAN interface during the Telnet session. By default, commands of level 0 are available to Telnet users authenticated by password. Refer to section 1.2 "Command Hierarchy/Command View" in the CLI part for information ab...
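    The super password, console (AUX) and Telnet (VTY) settings described from page 17 through this chapter are the ones an auditor reads first off a `display current-configuration` dump. The following is an added example, not code from the H3C manual: it parses a constructed configuration that combines the commands shown in those pages (a `simple` super password, `authentication-mode none` on a VTY, a plain-text line password, `idle-timeout 0`) and reports each weakness next to a hardened configuration that passes clean. Assumptions not stated on the page: `protocol inbound all` is the VTY default, the AUX user interface starts at command level 0 like the VTY, and `XXXX` stands in for the encrypted text the switch writes for `cipher`.

```python
"""Audit a Comware 3 (H3C S3100) configuration dump for weak login settings.

Added example, not from the H3C manual; both configurations below are constructed.
Assumptions: 'protocol inbound all' is the VTY default and AUX starts at level 0.
"""
import re
from dataclasses import dataclass

# Constructed in the style of 'display current-configuration', combining the
# weak settings the chapter's examples use.
WEAK_CONFIG = """\
#
 super password level 3 simple 123
#
user-interface aux 0
 authentication-mode password
 set authentication password simple 123456
 user privilege level 2
 idle-timeout 6 0
user-interface vty 0
 authentication-mode none
 user privilege level 2
 idle-timeout 0 0
user-interface vty 1 4
 authentication-mode scheme
 protocol inbound ssh
 idle-timeout 10 0
#
"""

# Same device with the findings fixed (XXXX: hypothetical placeholder for the
# encrypted text the switch writes for 'cipher').
HARDENED_CONFIG = """\
#
 super password level 3 cipher XXXX
#
user-interface aux 0
 authentication-mode scheme
 idle-timeout 6 0
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
 idle-timeout 10 0
#
"""


@dataclass
class UserInterface:
    name: str                      # e.g. "vty 0" or "vty 1 4"
    kind: str                      # "aux" or "vty"
    auth_mode: str = "none"        # manual: AUX and VTY are unauthenticated by default
    privilege: int = 0             # manual: VTY default is level 0 (AUX assumed alike)
    cleartext_password: bool = False
    protocol_inbound: str = "all"  # assumption: Telnet and SSH both accepted by default
    idle_timeout: tuple = (10, 0)  # manual: 10 minutes by default


def parse_config(text):
    """Return ({level: 'simple'|'cipher'}, [UserInterface]) from the login-relevant lines."""
    super_modes, interfaces, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":       # '#' separates configuration sections
            current = None
            continue
        if m := re.match(r"super password level (\d) (simple|cipher) \S", line):
            super_modes[int(m.group(1))] = m.group(2)
            continue
        if m := re.match(r"user-interface (aux|vty) (.+)", line):
            current = UserInterface(name=f"{m.group(1)} {m.group(2)}", kind=m.group(1))
            interfaces.append(current)
            continue
        if current is None or not raw.startswith(" "):
            continue                       # not a sub-command of a user interface
        if m := re.match(r"authentication-mode (none|password|scheme)", line):
            current.auth_mode = m.group(1)
        elif m := re.match(r"set authentication password (simple|cipher) ", line):
            current.cleartext_password = m.group(1) == "simple"
        elif m := re.match(r"user privilege level (\d)", line):
            current.privilege = int(m.group(1))
        elif m := re.match(r"protocol inbound (all|ssh|telnet)", line):
            current.protocol_inbound = m.group(1)
        elif m := re.match(r"idle-timeout (\d+)(?: (\d+))?", line):
            current.idle_timeout = (int(m.group(1)), int(m.group(2) or 0))
    return super_modes, interfaces


def audit(text):
    """Return a list of (scope, finding) for the weaknesses the login chapters warn about."""
    super_modes, interfaces = parse_config(text)
    findings = []
    for level, mode in sorted(super_modes.items()):
        if mode == "simple":
            findings.append(("global", f"super password for level {level} stored in plain text"))
    for ui in interfaces:
        if ui.kind == "vty" and ui.auth_mode == "none":
            findings.append((ui.name, f"no authentication: any remote host gets a level-{ui.privilege} shell"))
        if ui.cleartext_password:
            findings.append((ui.name, "line password stored in plain text (simple)"))
        if ui.kind == "vty" and ui.protocol_inbound != "ssh":
            findings.append((ui.name, f"protocol inbound {ui.protocol_inbound}: clear-text Telnet accepted"))
        if ui.idle_timeout == (0, 0):
            findings.append((ui.name, "idle-timeout 0: idle sessions never disconnect"))
        if ui.auth_mode != "scheme" and ui.privilege >= 3:
            findings.append((ui.name, "manage level (3) granted without per-user AAA accountability"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(WEAK_CONFIG):
        print(f"{scope}: {finding}")
    print("hardened:", audit(HARDENED_CONFIG))
```

    The parser keys only on the commands this chapter documents, so a line it does not recognise is ignored rather than misreported; `vty 1 4` is reported as one scope because the manual configures a range of VTY interfaces with a single `user-interface vty first-number [ last-number ]` command.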

  • Page 59: Logging In Using A Modem

    4-1 4 Logging in using a modem. Introduction: if a remote switch is connected to the public switched telephone network (PSTN) through a modem, the administrator can dial into its console port through the PSTN with another modem to configure and maintain the switch remotely. When a network op...

  • Page 60

    4-2 The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration. Switch configuration: after logging into a switch through its console port by using a modem, you enter the AUX user interface. The correspo... Because a dial-in user lands on the AUX user interface, which is not authenticated by default, configure an authentication mode on the AUX user interface before attaching a modem: the PSTN path bypasses every network-side control on the switch.

  • Page 61

    4-3 Figure 4-1 Establish the connection by using modems (console port, serial cable, modem, telephone line, PSTN, modem; telephone number of the remote end: 82882285). 4) Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as sh...

  • Page 62

    4-4 Figure 4-3 Set the telephone number. Figure 4-4 Call the modem. 5) If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt (such as ) appears. You can then configure or manage the switch. You can also enter the character ? at any ti...

  • Page 63: Management System

    5-1 5 Logging in through the web-based network management system. Introduction: an S3100 Ethernet switch has a built-in web server. It enables you to log into an S3100 Ethernet switch through a web browser and then manage and maintain the switch by interacting with the built-in web server....

  • Page 64

    5-2 Figure 5-1 Establish an HTTP connection between your PC and the switch. 4) Log into the switch through IE. Launch IE on the web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the address bar. Note that this is plain HTTP on TCP port 80, so the web login credentials cross the network unencrypted; restrict the web server by source address (see the User Control chapter) or disable it when it is not needed. (Make sure the route between the ...

  • Page 65

    5-3 Configuration example. Network requirements: a user logs in to the switch through the web; a banner page is desired when a user logs into the switch. Network diagram: Figure 5-3 Network diagram for login banner configuration. Configuration procedure: # Enter system view. system-view # Configure the...

  • Page 66

    5-4 Operation / Command / Description. Disable the web server: ip http shutdown (required). By default, the web server is enabled. Enable the web server: undo ip http shutdown (required). To improve security and prevent attacks on unused sockets, TCP port 80 (which serves HTTP) is enabled/disabled aft...

  • Page 67: Logging In Through Nms

    6-1 6 Logging in through NMS. Introduction: you can also log into a switch through a network management station (NMS), and then configure and manage the switch through the agent module on the switch. Simple Network Management Protocol (SNMP) is used between the NMS and the agent. Refer to the SNMP-...

  • Page 68: User Control

    7-1 7 User control. Refer to the ACL part for information about ACLs. Introduction: a switch provides ways to control different types of login users, as listed in Table 7-1. Table 7-1 Ways to control different types of login users (Login mode / Control method / Implementation / Related section). By source IP a...

  • Page 71

    7-4 Controlling network management users by source IP address. You can manage an S3100 Ethernet switch through network management software. Network management users access switches through SNMP. You need to perform the following two operations to control network management users by source IP ad...

  • Page 72

    7-5 Network diagram: Figure 7-2 Network diagram for controlling SNMP users using ACLs (Switch 10.110.100.46; Host A; IP network; Host B 10.110.100.52). Configuration procedure: # Define a basic ACL. system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [Sysname-...

  • Page 74

    7-7 [Sysname] ip http acl 2030
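    The basic ACL in Figure 7-2 (`rule 1 permit source 10.110.100.52 0`) and its application to SNMP and HTTP management (`ip http acl 2030`) depend on Comware's wildcard-mask semantics, where a 0 bit must match and a 1 bit is ignored, so the trailing `0` means "this exact host". The following is an added example, not code from the H3C manual: it parses constructed basic ACLs, evaluates them for candidate source addresses in configuration order, and shows what happens when a subnet mask is written where a wildcard is expected. Assumptions: rules are matched in configuration order, the service-to-ACL mapping in `SERVICE_ACLS` is invented for the example, and, because the page does not say what the switch does when no rule matches, each ACL ends with an explicit `deny source any`.

```python
"""Evaluate Comware basic ACLs (2000-2999) that restrict SNMP, HTTP and Telnet
management access by source IP address, as in the manual's 'acl number 2000' example.

Added example, not from the H3C manual. ACL_WRONG_MASK is a hypothetical mistake.
"""
import ipaddress
import re

# The manual's ACL: only Host B (10.110.100.52) may manage the switch; 'rule 2' added here.
ACL_MGMT = """\
acl number 2000
 rule 1 permit source 10.110.100.52 0
 rule 2 deny source any
"""

# Hypothetical mistake: a subnet mask where Comware expects a wildcard mask.
ACL_WRONG_MASK = """\
acl number 2001
 rule 1 permit source 10.110.100.0 255.255.255.0
 rule 2 deny source any
"""

# Invented mapping of management service to ACL number (the manual binds ACLs with
# commands such as 'ip http acl 2030').
SERVICE_ACLS = {"snmp": 2000, "http": 2000, "telnet": 2000}


def _to_int(dotted):
    """Comware accepts a bare '0' as the exact-host wildcard."""
    return 0 if dotted == "0" else int(ipaddress.IPv4Address(dotted))


def parse_basic_acl(text):
    """Return (acl_number, [(rule_id, action, address_int, wildcard_int)])."""
    number, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"acl number (\d+)", line):
            number = int(m.group(1))
        elif m := re.match(r"rule (\d+) (permit|deny) source (any|(\S+) (\S+))", line):
            if m.group(3) == "any":
                addr, wild = 0, 0xFFFFFFFF
            else:
                addr, wild = _to_int(m.group(4)), _to_int(m.group(5))
            rules.append((int(m.group(1)), m.group(2), addr, wild))
    return number, rules


def source_matches(src, addr, wild):
    """Wildcard semantics: 0 bits must match, 1 bits are ignored ('0' = exact host)."""
    care = ~wild & 0xFFFFFFFF
    return ((int(ipaddress.IPv4Address(src)) ^ addr) & care) == 0


def evaluate(rules, src):
    """First matching rule in configuration order decides: ('permit'|'deny', rule_id)."""
    for rule_id, action, addr, wild in rules:
        if source_matches(src, addr, wild):
            return action, rule_id
    return "unmatched", None    # only reachable if the ACL has no catch-all rule


def management_decisions(acl_texts, src):
    """Map each management service to the decision its ACL gives for source address src."""
    acls = dict(parse_basic_acl(t) for t in acl_texts)
    return {svc: evaluate(acls[num], src)[0] for svc, num in SERVICE_ACLS.items()}


if __name__ == "__main__":
    for src in ("10.110.100.52", "10.110.100.53", "192.168.1.0"):
        print(src, evaluate(parse_basic_acl(ACL_MGMT)[1], src),
              evaluate(parse_basic_acl(ACL_WRONG_MASK)[1], src))
```

    With `ACL_WRONG_MASK`, Host B is denied while any address whose last octet is 0 (for example 192.168.1.0) is permitted, because the wildcard 255.255.255.0 ignores the first three octets and matches only the last one; the intended /24 is written `10.110.100.0 0.0.0.255`.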

  • Page 75: Table of Contents

    I Table of Contents. 1 Configuration File Management (1-1); Introduction to Configuration File ...

  • Page 76

    1-1 1 Configuration file management. Introduction to the configuration file: a configuration file records and stores the configuration a user applies to a switch. It also lets users review switch configurations easily. Types of configuration: the configuration of a device falls into two types: saved co...

  • Page 77

    1-2 When setting the configuration file for the next startup, you can specify whether to use the main or the backup configuration file. Startup with the configuration file: when booting, the system chooses the configuration file according to the following rules: 1) If the main configuration file exists, the device initi...

  • Page 78

    1-3 S3100 series Ethernet switches do not support the safe mode. When you save a configuration file using the save safely command, if the device reboots or the power fails during the saving process, the configuration file is lost. Three attributes of the configuration file: main attribut...

  • Page 79

    1-4 While the reset saved-configuration [ main ] command erases the configuration file with the main attribute, it only removes the main attribute from a configuration file that has both the main and the backup attribute. While the reset saved-configuration backup command erases the configuration file with the backu...

  • Page 80

    1-5 Displaying device configuration. After the above configuration, you can execute the display command in any view to display the current and initial configurations of the device, so as to verify your configuration. Table 1-5 Display device configuration (Operation / Command / Description). Display the ini...

  • Page 81: Table of Contents

    I Table of Contents. 1 VLAN Overview (1-1); VLAN Overview ...

  • Page 82

    II Associating a port with a protocol-based VLAN (2-10); Displaying protocol-based VLAN configuration (2-10); Protocol-based VLAN configuration example ...

  • Page 83: Vlan Overview

    1-1 1 VLAN overview. This chapter covers these topics: VLAN overview; port-based VLAN; MAC-based VLAN; protocol-based VLAN. VLAN overview. Introduction to VLAN: traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hu...

  • Page 84

    1-2 ...way. However, hosts in different VLANs cannot communicate with each other directly but need the help of network layer devices, such as routers and Layer 3 switches. Figure 1-1 illustrates a VLAN implementation. Figure 1-1 A VLAN implementation. Advantages of VLANs: compared with traditional Ethern...

  • Page 85

    1-3 IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA fields, as shown in Figure 1-3. Figure 1-3 Format of the VLAN tag. A VLAN tag comprises four fields: tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID. The 16-bit TPID field with a value of 0x8100 indicat...

  • Page 86

    1-4 Shared VLAN learning (SVL), where the switch records all learned MAC address entries in one MAC address table, regardless of the VLAN in which they are learned. This table is called the shared MAC address forwarding table. Packets received in any VLAN on a port are forwarded according to this tabl...

  • Page 87

    1-5 Port-based VLAN. Port-based VLAN technology is the simplest way to classify VLANs. You assign the ports on the device to different VLANs. Packets received on a port are then transmitted only within the corresponding VLAN, which isolates hosts into different broadcast domains and ...

  • Page 88

    1-6 Before assigning an access or hybrid port to a VLAN, create the VLAN first. Configuring the default VLAN ID for a port: an access port can belong to only one VLAN, so the VLAN an access port belongs to is also the default VLAN of that port. A hybrid/trunk port can belong to multiple...

  • Page 89

    1-7 MAC-based VLAN. The contents of this section apply only to the S3100-EI series among S3100 series switches. Introduction to MAC-based VLAN: the MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses. Because a host's MAC address can be changed at will, this is a classification mechanism, not an authentication one, which is why the feature is mostly used in conjunction with security technologie...

  • Page 90

    1-8 Protocol-based VLAN. The contents of this section apply only to the S3100-EI series among S3100 series switches. Introduction to protocol-based VLAN: a protocol-based VLAN, also known as a protocol VLAN, is another way to classify VLANs. Through protocol-based VLANs, the switch ca...

  • Page 91

    1-9 Packets whose type or length field has a value in the range 0x05dd to 0x05ff are regarded as illegal and are discarded directly. The switch identifies whether a packet is an Ethernet II packet or an 802.2/802.3 packet according to the range the field falls in. Encapsulation fo...
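    Page 85 gives the 802.1Q tag layout (16-bit TPID 0x8100, then priority, CFI and VLAN ID) and this page gives the rule for telling Ethernet II from 802.2/802.3 by the type/length field, with 0x05dd to 0x05ff illegal. The following is an added example, not code from the H3C manual, that implements both: it parses every 802.1Q tag present on a frame and classifies the encapsulation the way the text describes. The frames are constructed with the helper `build_frame`; the VID/priority bit positions (3-bit priority, 1-bit CFI, 12-bit VID, in that order) are the IEEE 802.1Q layout, which the page names but does not spell out bit by bit.

```python
"""Parse the IEEE 802.1Q VLAN tag and classify Ethernet encapsulation as the
manual describes: TPID 0x8100, 3-bit priority, 1-bit CFI, 12-bit VLAN ID, and the
type/length field deciding Ethernet II (>= 0x0600) vs 802.2/802.3 (<= 0x05dc),
with 0x05dd-0x05ff illegal.

Added example, not from the H3C manual; frames are constructed by build_frame.
"""
import struct

TPID_8021Q = 0x8100


def classify(type_or_length):
    """Encapsulation from the 16-bit field that follows the addresses (or the tags)."""
    if 0x05DD <= type_or_length <= 0x05FF:
        return "illegal"                  # manual: discarded directly
    if type_or_length <= 0x05DC:
        return "802.2/802.3"              # a length (<= 1500 bytes)
    return "Ethernet II"                  # a type (>= 0x0600)


def parse_frame(frame):
    """Return addresses, every 802.1Q tag present (outermost first), type/length and encapsulation."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, offset, tags = frame[0:6], frame[6:12], 12, []
    # Walk the tag stack: each 0x8100 TPID is followed by a 16-bit TCI.
    while len(frame) >= offset + 4 and struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append({"priority": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    if len(frame) < offset + 2:
        raise ValueError("frame ends inside the tag stack")
    type_or_length = struct.unpack("!H", frame[offset:offset + 2])[0]
    return {
        "dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
        "type_length": type_or_length, "encapsulation": classify(type_or_length),
        "payload": frame[offset + 2:],
    }


def build_frame(dst, src, type_or_length, payload=b"", tags=()):
    """Construct a frame; tags is a sequence of (vid, priority), outermost first."""
    header = dst + src
    for vid, priority in tags:
        header += struct.pack("!HH", TPID_8021Q, (priority << 13) | (vid & 0x0FFF))
    return header + struct.pack("!H", type_or_length) + payload


if __name__ == "__main__":
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("0011223344ff")  # constructed
    frame = build_frame(dst, src, 0x0806, b"\x00" * 28, tags=[(101, 5)])
    print(parse_frame(frame))
```

    The parser keeps walking while it sees 0x8100, so a frame that arrives on an access port with two tags (`len(tags) > 1`) is visible as such rather than being silently read by its outer tag only, which is the check a practitioner wants when looking at traffic on the "DMZ" VLAN of the port-based example later in this part.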

  • Page 92: Vlan Configuration

    2-1 2 VLAN configuration. When configuring a VLAN, go to these sections for the information you are interested in: VLAN configuration; configuring a port-based VLAN; MAC-based VLAN; configuring a protocol-based VLAN. VLAN configuration. VLAN configuration task list: complete the following tasks to conf...

  • Page 93

    2-2 VLAN 1 is the system default VLAN; it does not need to be created and cannot be removed. A VLAN you create in the way described above is a static VLAN. The switch also has dynamic VLANs, which are registered through GVRP; for details, refer to the "GVRP" part of this manual. When...

  • Page 94

    2-3 To do... / Use the command... / Remarks. Create a VLAN interface and enter VLAN interface view: interface vlan-interface vlan-id (required). By default, there is no VLAN interface on a switch. Specify the description string for the current VLAN interface: description text (optional). By default, the descript...

  • Page 95

    2-4 To do... / Use the command... / Remarks. Enter system view: system-view. Enter VLAN view: vlan vlan-id (required). If the specified VLAN does not exist, this command first creates the VLAN and then enters its view. Add an access port to the current VLAN: port interface-list (required). By default, sys...

  • Page 96

    2-5 To change a trunk port into a hybrid port (or vice versa), you must go through the access port type: for example, the trunk port has to be configured as an access port first and then as a hybrid port. Ensure that the VLANs already exist before configuring them to pass through a hybrid por...

  • Page 97

    2-6 Port-based VLAN configuration example. Network requirements: as shown in Figure 2-1, Switch A and Switch B each connect to a server and a workstation (host). For data security reasons, the two servers are assigned to VLAN 101 with the description "DMZ", and the PCs are assigned ...

  • Page 98

    2-7 Because the link between Switch A and Switch B needs to carry traffic of both VLAN 101 and VLAN 102, configure the ports at both ends of the link as trunk ports and permit packets of the two VLANs to pass through. # Configure Ethernet1/0/3 of Switch A. [SwitchA] interface ethernet 1/0/3 [Sw...

  • Page 99

    2-8 Configuring a MAC-based VLAN. Configuration prerequisites: create the VLAN before configuring it as a MAC-based VLAN. Configuration procedure: follow these steps to configure a MAC-based VLAN (To do... / Use the command... / Remarks). Enter system view: system-view. Associate MAC addresses with ...

  • Page 100

    2-9 Protocol-based VLAN configuration task list. Complete these tasks to configure a protocol-based VLAN (Task / Remarks): configuring a protocol template for a protocol-based VLAN (required); associating a port with a protocol-based VLAN (required); displaying protocol-based VLAN configuration (optional). Configur...

  • Page 101

    2-10 At present, the S3100 series supports only the standard templates for AppleTalk and IP, the standard template for IPX encapsulated in Ethernet II format, and user-defined templates matching the Ethernet II encapsulation format. Protocol templates matching 802.2/802.3 encapsulation formats an...

  • Page 103

    2-12 [Switch] vlan 100 [Switch-vlan100] protocol-vlan ip # To keep the IP network working, you also need a user-defined protocol template for VLAN 100 that matches ARP (Ethernet II encapsulation is assumed here). [Switch-vlan100] protocol-vlan mode ethernetii et...

  • Page 104: Table of Contents

    I Table of Contents. 1 Static Route Configuration (1-1); Introduction to Static Route ...

  • Page 105: Static Route Configuration

    1-1 1 Static route configuration. When configuring a static route, go to these sections for the information you are interested in: introduction to static route; static route configuration; displaying and maintaining static routes; troubleshooting a static route. Introduction to static route: static ro...

  • Page 106

    1-2 Static route configuration. Configuration prerequisites: before configuring a static route, perform the following tasks: • configuring the physical parameters of related interfaces • configuring IP addresses for related interfaces. Configuring a static route: follow these steps to configure a static...

  • Page 107

    1-3 (Operation / Command / Remarks) Display the routes that match a specified basic access control list (ACL): display ip routing-table acl acl-number [ verbose ]; display the routing table in a tree structure: display ip routing-table radix; display the statistics on the routing table: display ip routing-tabl...

  • Page 108: Table of Contents

    i Table of Contents: 1 IP addressing configuration, 1-1; IP addressing overview, ...

  • Page 109: Ip Addressing Configuration

    1-1 1 IP addressing configuration. IP addressing overview. IP address classes: IP addressing uses a 32-bit address to identify each host on a network. An example is 01010000100000001000000010000000 in binary. To make IP addresses in 32-bit form easier to read, they are written in dotted decimal notatio...

  • Page 110

    1-2 (Class / Address range / Description) D: 224.0.0.0 to 239.255.255.255, multicast address. E: 240.0.0.0 to 255.255.255.255, reserved for future use except for the broadcast address 255.255.255.255. Special case IP addresses: the following IP addresses are for special use, and they cannot be used as host IP ...

  • Page 111

    1-3 bits for the host ID and thus have only 126 (2^7 – 2) hosts in each subnet. The maximum number of hosts is thus 64,512 (512 × 126), 1022 less after the network is subnetted. Class A, B, and C networks, before being subnetted, use these default masks (also called natural masks): 255.0.0.0, 255.25...

  • Page 112

    1-4 Configuring an IP address to a VLAN interface. Table 1-3 Configure an IP address to a VLAN interface (S3100-SI) (Operation / Command / Remarks): enter system view: system-view (—); configure a specified VLAN to be the management VLAN: management-vlan vlan-id (required; by default, VLAN 1 operates as the managem...

  • Page 113

    1-5 (Operation / Command / Remarks) Display brief configuration information about a specified or all Layer 3 interfaces: display ip interface brief [ interface-type [ interface-number ] ]. IP address configuration examples. IP address configuration example I. Network requirement: assign IP address 129.2.2.1 wit...

  • Page 114: Ip Performance Configuration

    2-1 2 IP performance configuration. IP performance overview. Introduction to IP performance configuration: in some network environments, you need to adjust the IP parameters to achieve the best network performance. The IP performance configuration supported by S3100 series Ethernet switches includes: • con...

  • Page 115

    2-2 Table 2-2 Configure TCP attributes (Operation / Command / Remarks): enter system view: system-view (—); configure the TCP synwait timer's timeout value: tcp timer syn-timeout time-value (optional; by default, the timeout value is 75 seconds); configure the TCP finwait timer's timeout value: tcp timer fin-timeout time-v...

  • Page 116

    2-3 Use the reset command in user view to clear the IP, TCP, and UDP traffic statistics. Table 2-4 Display and maintain IP performance (Operation / Command / Remarks): display TCP connection status: display tcp status; display TCP connection statistics: display tcp statistics; display UDP traffic statistics: di...

  • Page 117: Table of Contents

    i Table of Contents: 1 Voice VLAN configuration, 1-1; Voice VLAN overview, ...

  • Page 118: Voice Vlan Configuration

    1-1 1 Voice VLAN configuration. The contents of this chapter are only applicable to the S3100-EI series among S3100 series switches. When configuring voice VLAN, go to these sections for information you are interested in: • Voice VLAN overview • Voice VLAN configuration • Displaying and maintaining v...

  • Page 119

    1-2 • Voice VLAN configuration • Failover call routing. The following describes the way a typical IP phone acquires an IP address. Figure 1-1 Network diagram for IP phones. As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice dat...

  • Page 120

    1-3 DHCP server 1, and sends a new DHCP request message carrying the voice VLAN tag to the voice VLAN. 4) After receiving the DHCP request, DHCP server 2 residing in the voice VLAN assigns a new IP address to the IP phone and sends a tagged response message to the IP phone. After the IP phone receiv...

  • Page 121

    1-4 Setting the voice traffic transmission priority. In order to improve the transmission quality of voice traffic, the switch by default re-marks the priority of the traffic in the voice VLAN as follows: • set the CoS (802.1p) priority to 6 • set the DSCP value to 46. Configuring voice VLAN assignment ...

  • Page 122

    1-5 Table 1-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically (Voice VLAN assignment mode / Voice traffic type / Port type / Supported or not): access: not supported; trunk: supported, make sure the default VLAN of the port exists and is not...

  • Page 123

    1-6 Table 1-3 Matching relationship between port types and voice devices acquiring voice VLAN through manual configuration (Voice VLAN assignment mode / Port type / Supported or not): access: not supported; trunk: supported, make sure the default VLAN of the port exists and is not a voice VLAN, and the access ...

  • Page 124

    1-7 (Voice VLAN mode / Packet type / Processing method) Packet carrying any other VLAN tag: the packet is forwarded or dropped based on whether the receiving port is assigned to the carried VLAN. The processing method is irrelevant to the voice VLAN mode (security or normal). Untagged packet, packet carryin...

  • Page 125

    1-8 Configuring the voice VLAN to operate in automatic voice VLAN assignment mode. Follow these steps to configure a voice VLAN to operate in automatic voice VLAN assignment mode (To do… / Use the command… / Remarks): enter system view: system-view (—); set an OUI address that can be identified by the voice VL...

  • Page 126

    1-9 When the voice VLAN is working normally, if the device restarts, in order to make the established voice connections work normally, the system does not need to be triggered by the voice traffic to add the port in automatic voice VLAN assignment mode to the local devices but does so immediately af...

  • Page 128

    1-11 Displaying and maintaining voice VLAN (To do… / Use the command… / Remarks): display information about the ports on which voice VLAN configuration fails: display voice vlan error-info; display the voice VLAN configuration status: display voice vlan status; display the OUI list: display voice vlan oui; displ...

  • Page 129

    1-12 # Set the voice VLAN aging timer. [devicea] voice vlan aging 100 # Add a user-defined OUI address 0011-2200-000 and set the description string to “test”. [devicea] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test # Enable the voice VLAN function globally. [devicea] voi...

  • Page 130

    1-13 Configuration procedure. # Enable the security mode for the voice VLAN so that the ports in the voice VLAN permit valid voice packets only. This operation is optional. The security mode is enabled by default. system-view [devicea] voice vlan security enable # Add a user-defined OUI address 0011-...

  • Page 131: Table of Contents

    i Table of Contents: 1 GVRP configuration, 1-1; Introduction to GVRP, ...

  • Page 132: Gvrp Configuration

    1-1 1 GVRP configuration. When configuring GVRP, go to these sections for information you are interested in: • Introduction to GVRP • GVRP configuration • Displaying and maintaining GVRP • GVRP configuration example. Introduction to GVRP: GARP VLAN Registration Protocol (GVRP) is an implementation of G...

  • Page 133

    1-2 Through message exchange, all the attribute information to be registered can be propagated to all the GARP-enabled switches in the same LAN. 2) GARP timers: timers determine the intervals of sending different types of GARP messages. GARP defines four timers to control the period of sending GARP m...

  • Page 134

    1-3 Figure 1-1 Format of GARP packets. The following table describes the fields of a GARP packet. Table 1-1 Description of GARP packet fields (Field / Description / Value): Protocol ID: protocol ID, 1; Message: each message consists of two parts, attribute type and attribute list, —; Attribute type: defined by th...

  • Page 135

    1-4 GVRP: as an implementation of GARP, GARP VLAN Registration Protocol (GVRP) maintains dynamic VLAN registration information and propagates the information to the other switches through GARP. With GVRP enabled on a device, the VLAN registration information received by the device from other devices ...

  • Page 136

    1-5 (To do... / Use the command... / Remarks) Enter system view: system-view (—); enable GVRP globally: gvrp (required; by default, GVRP is disabled globally); enter Ethernet port view: interface interface-type interface-number (—); enable GVRP on the port: gvrp (required; by default, GVRP is disabled on the port). S •...

  • Page 137

    1-6 Table 1-2 Relations between the timers (Timer / Lower threshold / Upper threshold): Hold: 10 centiseconds; this upper threshold is less than or equal to one-half of the timeout time of the Join timer. You can change the threshold by changing the timeout time of the Join timer. Join: this lower threshold i...

  • Page 138

    1-7 (To do… / Use the command… / Remarks) Display the settings of the GARP timers: display garp timer [ interface interface-list ]; display GVRP statistics: display gvrp statistics [ interface interface-list ]; display the global GVRP status: display gvrp status; clear GARP statistics: reset garp statistics [ i...

  • Page 139

    1-8 [switcha] interface ethernet 1/0/2 [switcha-ethernet1/0/2] port link-type trunk [switcha-ethernet1/0/2] port trunk permit vlan all # Enable GVRP on Ethernet1/0/2. [switcha-ethernet1/0/2] gvrp [switcha-ethernet1/0/2] quit # Configure Ethernet1/0/3 to be a trunk port and to permit the packets of a...

  • Page 140

    1-9 The following dynamic VLANs exist: 8. 7) Configure Ethernet1/0/1 on Switch E to operate in fixed GVRP registration mode and display the VLAN information dynamically registered on Switch A, Switch B, and Switch E. # Configure Ethernet1/0/1 on Switch E to operate in fixed GVRP registration mode. [s...

  • Page 141: Table of Contents

    i Table of Contents: 1 Port basic configuration, 1-1; Ethernet port configuration, ...

  • Page 142: Port Basic Configuration

    1-1 1 Port basic configuration. Ethernet port configuration. Combo port configuration. Introduction to combo port: a combo port can operate as either an optical port or an electrical port. Inside the device there is only one forwarding interface. For a combo port, the electrical port and the correspondi...

  • Page 143

    1-2 (Operation / Command / Remarks) Enable the Ethernet port: undo shutdown (optional; by default, the port is enabled; use the shutdown command to disable the port). Set the description string for the Ethernet port: description text (optional; by default, the description string of an Ethernet port is null). Set ...

  • Page 144

    1-3 • After you configure auto-negotiation speed(s) for a port, if you execute the undo speed command or the speed auto command, the auto-negotiation speed setting of the port restores to the default setting. • The effect of executing speed auto 10 100 1000 equals that of executing speed auto, th...

  • Page 145

    1-4 Table 1-3 Enable flow control on a port (Operation / Command / Remarks): enter system view: system-view (—); enter Ethernet port view: interface interface-type interface-number (—); enable flow control on the Ethernet port: flow-control (by default, flow control is not enabled on the port). Duplicating the config...

  • Page 146

    1-5 • If you have additionally enabled the loopback port auto-shutdown function on the port, the system will shut down the port, and send log and trap messages to the terminal. After the loop is removed, you need to use the undo shutdown command to bring up the port. • If you have not enabled the lo...

  • Page 147

    1-6 (Operation / Command / Remarks) Enable loopback detection on a specified port: loopback-detection enable (optional; by default, the loopback detection function is enabled on ports if the device boots with the default configuration file (config.def); if the device boots with null configuration, this funct...

  • Page 148

    1-7 • External: performs an external loop test. In the external loop test, self-loop headers must be used on the port of the switch (for a 100M port, the self-loop headers are made from four cores of the 8-core cables; for a 1000M port, the self-loop headers are made from eight cores of the 8-core cables, ...

  • Page 149

    1-8 Enabling the system to test the connected cable. You can enable the system to test the cable connected to a specific port. The test result will be returned in five seconds. The system can test these attributes of the cable: receive and transmit directions (RX and TX), short circuit/open circuit or no...

  • Page 150

    1-9 status of Ethernet ports in a network changes frequently, a large amount of log information may be sent, which increases the workload of the log server and consumes more network resources. You can limit the amount of log information sent to the log server by disabling the up/down log output funct...

  • Page 151

    1-10 • With traffic upper and lower thresholds specified on a port, the system periodically collects statistics about the broadcast/multicast traffic on the port. Once it finds that a type of traffic exceeds the specified upper threshold, it blocks this type of traffic on the port or directly shuts ...

  • Page 152

    1-11 The port state change delay takes effect when the port goes down but not when the port goes up. Table 1-11 Set the port state change delay (Operation / Command / Remarks): enter system view: system-view (—); enter Ethernet interface view: interface interface-type interface-number (—); set the port state chang...

  • Page 154

    1-13 • Only the configuration for Switch A is listed below. The configuration for Switch B is similar to that of Switch A. • This example supposes that VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 have been created. # Enter Ethernet 1/0/1 port view. system-view [sysname] interface ethernet1/0/1 # Set...

  • Page 155: Table of Contents

    i Table of Contents: 1 Link aggregation configuration, 1-1; Overview, ...

  • Page 156

    1-1 1 Link aggregation configuration. Overview. Introduction to link aggregation: link aggregation can aggregate multiple Ethernet ports together to form a logical aggregation group. To upper layer entities, all the physical links in an aggregation group are a single logical link. Link aggregation is d...

  • Page 157

    1-2 • S3100 series switches that support extended LACP functions can be used as intermediate devices in an LACP MAD implementation. • For details about IRF, member devices, intermediate devices, and the LACP MAD mechanism, see the operation manuals of IRF-supported devices. Operational key: an operation key is gene...

  • Page 158

    1-3 manual aggregation group must contain at least one port. When a manual aggregation group contains only one port, you cannot remove the port unless you remove the whole aggregation group. LACP is disabled on the member ports of manual aggregation groups, and you cannot enable LACP on ports in a m...

  • Page 159

    1-4 • The ports connected to a peer device different from the one the master port is connected to, or those connected to the same peer device as the master port but to a peer port that is not in the same aggregation group as the peer port of the master port, are unselected ports. • The system sets the...

  • Page 160

    1-5 • When the rate or duplex mode of a port in the aggregation group changes, packet loss may occur on this port; • when the rate of a port decreases, if the port belongs to a manual or static LACP aggregation group, the port will be switched to the unselected state; if the port belongs to a dynami...

  • Page 161

    1-6 Link aggregation configuration. • The commands of link aggregation cannot be configured together with the commands of the port loopback detection feature at the same time. • The ports where the mac-address max-mac-count command is configured cannot be added to an aggregation group. Contrarily, the mac-address...

  • Page 162

    1-7 • If the aggregation group you are creating already exists but contains no port, its type will change to the type you set. • If the aggregation group you are creating already exists and contains ports, the possible type changes may be: changing from dynamic or static to manual, and changing from...

  • Page 163

    1-8 Configuring a dynamic LACP aggregation group. A dynamic LACP aggregation group is automatically created by the system based on LACP-enabled ports. The adding and removing of ports to/from a dynamic aggregation group are automatically accomplished by LACP. You need to enable LACP on the ports whic...

  • Page 164

    1-9 (Operation / Command / Remarks) Configure a description for an aggregation group: link-aggregation group agg-id description agg-name (optional; by default, no description is configured for an aggregation group. If you have saved the current configuration with the save command, after system reboot, the co...

  • Page 165

    1-10 Network diagram. Figure 1-1 Network diagram for link aggregation configuration. Configuration procedure: the following only lists the configuration on Switch A; you must perform the similar configuration on Switch B to implement link aggregation. 1) Adopting manual aggregation mode # Create manual...

  • Page 166

    1-11 3) Adopting dynamic LACP aggregation mode # Enable LACP on Ethernet1/0/1 through Ethernet1/0/3. system-view [sysname] interface ethernet1/0/1 [sysname-ethernet1/0/1] lacp enable [sysname-ethernet1/0/1] quit [sysname] interface ethernet1/0/2 [sysname-ethernet1/0/2] lacp enable [sysname-ethernet1...

  • Page 167: Table of Contents

    i Table of Contents: 1 Port isolation configuration, 1-1; Port isolation overview, ...

  • Page 168: Port Isolation Configuration

    1-1 1 Port isolation configuration. Port isolation overview: through the port isolation feature, you can add the ports to be controlled into an isolation group to isolate the Layer 2 and Layer 3 data between each port in the isolation group. Thus, you can construct your network in a more flexible way ...

  • Page 169

    1-2 • When a member port of an aggregation group joins/leaves an isolation group, the other ports in the same aggregation group on the local device will join/leave the isolation group at the same time. • For ports that belong to an aggregation group and an isolation group simultaneously, removing a ...

  • Page 170

    1-3 Network diagram. Figure 1-1 Network diagram for port isolation configuration. Configuration procedure # Add Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 to the isolation group. system-view System view: return to user view with ctrl+z. [sysname] interface ethernet1/0/2 [sysname-ethernet1/0/2] po...

  • Page 171: Table of Contents

    i Table of Contents: 1 Port security configuration, 1-1; Port security overview, ...

  • Page 172: Port Security Configuration

    1-1 1 Port security configuration. When configuring port security, go to these sections for information you are interested in: • Port security overview • Port security configuration task list • Displaying and maintaining port security configuration • Port security configuration example. Port security ...

  • Page 173

    1-2 Table 1-1 Description of port security modes (Security mode / Description / Feature): noRestriction: in this mode, access to the port is not restricted. In this mode, neither the NTK nor the intrusion protection feature is triggered. autoLearn: in this mode, the port automatically learns MAC addresses an...

  • Page 174

    1-3 (Security mode / Description / Feature) userLoginSecure: MAC-based 802.1X authentication is performed on the access user. The port is enabled only after the authentication succeeds. When the port is enabled, only the packets of the successfully authenticated user can pass through the port. In this mode...

  • Page 175

    1-4 (Security mode / Description / Feature) macAddressElseUserLoginSecureExt: this mode is similar to the macAddressElseUserLoginSecure mode, except that there can be more than one 802.1X-authenticated user on the port. macAddressAndUserLoginSecure: in this mode, a port firstly performs MAC authentication...

  • Page 176

    1-5 Enabling port security. Configuration prerequisites: before enabling port security, you need to disable 802.1X and MAC authentication globally. Enabling port security: follow these steps to enable port security (To do... / Use the command... / Remarks): enter system view: system-view (—); enable port securit...

  • Page 177

    1-6 (To do... / Use the command... / Remarks) Enter Ethernet port view: interface interface-type interface-number (—); set the maximum number of MAC addresses allowed on the port: port-security max-mac-count count-value (required; not limited by default). Setting the port security mode: follow these steps to set th...

  • Page 178

    1-7 If the port-security port-mode mode command has been executed on a port, none of the following can be configured on the same port: • the maximum number of MAC addresses that the port can learn • a reflector port for port mirroring • link aggregation. Configuring port security features. Configuring the NT...

  • Page 179

    1-8 If you configure the NTK feature and execute the port-security intrusion-mode blockmac command on the same port, the switch will be unable to prevent packets whose destination MAC address is illegal from being sent out that port; that is, the NTK feature configured will not take effect on th...

  • Page 180

    1-9 (To do… / Use the command… / Remarks) Enter system view: system-view (—); set the interval at which the switch triggers MAC address authentication after a port is added to the guest VLAN: port-security timer guest-vlan-reauth interval (optional); enter Ethernet port view: interface interface-type interface-num...

  • Page 181

    1-10 (To do... / Use the command... / Remarks) Enter Ethernet port view: interface interface-type interface-number (—); ignore the authorization information from the RADIUS server: port-security authorization ignore (required; by default, a port uses the authorization information from the RADIUS server). Configur...

  • Page 182

    1-11 (To do... / Use the command... / Remarks) interface interface-type interface-number; in Ethernet port view: mac-address security mac-address vlan vlan-id (security MAC address is configured). Configuring an aging time for learned security MAC address entries: by default, learned security MAC address entri...

  • Page 183

    1-12 (To do... / Use the command... / Remarks) Display information about security MAC address configuration: display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]. Port security configuration example. Port security configuration example: network requirements: imp...

  • Page 184

    1-13 [switch-ethernet1/0/1] quit [switch] port-security timer disableport 30 Guest VLAN configuration example. Network requirements: as shown in Figure 1-2, Ethernet 1/0/2 connects to a PC and a printer, which are not used at the same time. Configure the port to operate in macAddressOrUserLoginSecure...

  • Page 185

    1-14 [switch] radius scheme 2000 [switch-radius-2000] primary authentication 10.11.1.1 1812 [switch-radius-2000] primary accounting 10.11.1.1 1813 [switch-radius-2000] key authentication abc [switch-radius-2000] key accounting abc [switch-radius-2000] user-name-format without-domain [switch-radius-2...

  • Page 186: Port Binding Configuration

    2-1 2 Port binding configuration. When configuring port binding, go to these sections for information you are interested in: • Port binding overview • Displaying and maintaining port binding configuration • Port binding configuration example. Currently, only the S3100-EI series support port binding. P...

  • Page 188

    2-3 Network diagram. Figure 2-1 Network diagram for port binding configuration (labels: 10.12.1.1/24, MAC address 0001-0002-0003, Host A, Host B, Eth1/0/1, Switch A, Switch B). Configuration procedure: configure Switch A as follows: # Enter system view. system-view # Enter Ethernet 1/0/1 port view. [switcha] interfac...

  • Page 189: Table of Contents

    i Table of Contents: 1 DLDP configuration, 1-1; Overview, ...

  • Page 190: Dldp Configuration

    1-1 1 DLDP configuration. When configuring DLDP, go to these sections for information you are interested in: • Overview • DLDP fundamentals • DLDP configuration • DLDP configuration example. Currently, only S3100-EI series Ethernet switches support the DLDP feature. Overview: Device Link Detection Prot...

  • Page 191

    1-2 Figure 1-1 Fiber cross-connection. Figure 1-2 Fiber broken or not connected (labels: Switch A GE1/1/1, GE1/1/2; Switch B GE1/1/1, GE1/1/2; PC). Device Link Detection Protocol (DLDP) can detect the link status of an optical fiber cable or copper twisted pair (such as super category 5 twisted pair). If DLDP finds...

  • Page 192

    1-3 • The auto-negotiation mechanism at the physical layer detects physical signals and faults. DLDP identifies peer devices and unidirectional links, and disables unreachable ports. • Even if both ends of links can work normally at the physical layer, DLDP can detect whether these links are connect...

  • Page 193

    1-4 (DLDP packet type / Function) LinkDown: LinkDown packets are used to notify unidirectional link emergencies (a unidirectional link emergency occurs when the local port is down and the peer port is up). LinkDown packets carry only the local port information instead of the neighbor information. In some...

  • Page 194

    1-5 (Status / Description) DelayDown: when a device in the Active, Advertisement, or Probe DLDP state receives a port down message, it does not remove the corresponding neighbor immediately, nor does it change to the Inactive state. Instead, it changes to the DelayDown state first. When a device ch...

  • Page 195

    1-6 (Timer / Description) DelayDown timer: when a device in the Active, Advertisement, or Probe DLDP state receives a port down message, it does not remove the corresponding neighbor immediately, nor does it change to the Inactive state. Instead, it changes to the DelayDown state first. When a devi...

  • Page 196

    1-7 Figure 1-3 A case for enhanced DLDP mode. • In normal DLDP mode, only fiber cross-connected unidirectional links (as shown in Figure 1-1) can be detected. • In enhanced DLDP mode, two types of unidirectional links can be detected. One is fiber cross-connected links (as shown in Figure 1-1). The...

  • Page 197

    1-8 Table 1-6 The procedure to process a received DLDP packet (Packet type / Processing procedure): if the corresponding neighbor entry does not exist on the local device, DLDP creates the neighbor entry, triggers the entry aging timer, and switches to the Probe state. Advertisement packet: extracts neigh...

  • Page 198

    1-9 Link auto-recovery mechanism: if the shutdown mode of a port is set to auto shutdown, the port is set to the DLDP down state when DLDP detects that the link connecting to the port is a unidirectional link. A port in DLDP down state does not forward service packets or receive/send protocol packets exce...

  • Page 200

    1-11 This function is only applicable to ports that are in DLDP down state. Follow these steps to reset DLDP state (To do… / Use the command… / Remarks): system-view; reset DLDP state for all the ports shut down by DLDP: dldp reset; interface interface-type interface-number; reset the DLDP state for a port ...

  • Page 201

    1-12 Network diagram. Figure 1-4 Network diagram for DLDP configuration (labels: Switch A GE1/1/1, GE1/1/2; Switch B GE1/1/1, GE1/1/2; PC). Configuration procedure 1) Configure Switch A # Configure the ports to work in mandatory full duplex mode at a rate of 1000 Mbps. system-view [switcha] interface gigabitetherne...

  • Page 202

    1-13 When two switches are connected through fibers in a crossed way, two or three ports may be in the Disable state, and the rest in the Inactive state. When a fiber is connected to a device correctly on one end with the other end connected to no device: • if the device operates in the normal DLDP ...

  • Page 203: Table of Contents

    i Table of Contents: 1 MAC address table management, 1-1; Overview, ...

  • Page 204: Mac Address Table Management

    1-1 1 MAC address table management. When configuring MAC address table management, go to these sections for information you are interested in: • Overview • MAC address table management • Displaying MAC address table information • Configuration example. This chapter describes the management of static, ...

  • Page 205

    1-2 Generally, the majority of MAC address entries are created and maintained through MAC address learning. The following describes the MAC address learning process of a switch: 1) As shown in Figure 1-1, User A and User B are both in VLAN 1. When User A communicates with User B, the packet from Us...

  • Page 206

    1-3 3) Because the switch broadcasts the packet, both User B and User C can receive the packet. However, User C is not the destination device of the packet, and therefore does not process the packet. Normally, User B will respond to User A, as shown in Figure 1-4. When the response packet from User...

  • Page 207

    1-4 Managing the MAC address table. Aging of the MAC address table: to fully utilize a MAC address table, which has a limited capacity, the switch uses an aging mechanism for updating the table. That is, the switch starts an aging timer for an entry when dynamically creating the entry. The switch removes the ...

  • Page 208

    MAC address replication configuration. The contents of this section apply only to the S3100-EI series among the S3100 series switches. Overview: the MAC address replication feature allows you to copy the MAC address table entries of one or more VLANs into the MAC address table of another VL...

  • Page 209

    With MAC address replication enabled, the switch copies the MAC address entries of the original VLAN into the MAC address table of the marked VLAN. When the switch receives a response packet from the marked VLAN, it searches the MAC address table of the marked VLAN, obtains the outboun...

  • Page 210

    Configuring a MAC address entry. You can add, modify or remove a MAC address entry, remove all MAC address entries for a specific port, or remove a specific type of entry (dynamic or static). You can add a MAC address entry in either system view or Ethernet...

  • Page 211

    - When you add a MAC address entry, the current port must belong to the VLAN specified by the vlan argument of the command; otherwise the entry is not added. - If the VLAN specified by the vlan argument is a dynamic VLAN, it becomes a static VLAN once a static MAC address is added. S...

  • Page 212

    By setting the maximum number of MAC addresses that can be learned from individual ports, the administrator controls how many entries the MAC address table maintains dynamically. When the number of entries learned from a port reaches the configured value, the p...
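
The learning, aging and per-port limit behaviour described on the preceding pages, as an added example that is not part of the H3C manual: a small Python model of a MAC address table. The port names, the 300-second aging value taken as the default, the per-port limit and the sample frames are constructed for illustration. The point it makes is the security one behind the per-port limit: an attacker spoofing many source MACs fills an unlimited table, while a port with a limit simply stops learning and the existing bindings survive.

```python
"""Model of a switch MAC address table: dynamic learning, aging, static
entries and a per-port limit on learned addresses.

Added example, not code from the H3C manual. Port names, the aging value,
the per-port limit and the sample frames below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AGING_SECONDS = 300  # assumed default aging time for dynamic entries


@dataclass
class Entry:
    port: str
    learned_at: float
    static: bool = False


class MacTable:
    def __init__(self, ports: List[str], aging: int = AGING_SECONDS,
                 max_per_port: Optional[Dict[str, int]] = None) -> None:
        self.ports = list(ports)
        self.aging = aging
        self.max_per_port = max_per_port or {}             # port -> max dynamic entries
        self.entries: Dict[Tuple[int, str], Entry] = {}    # (vlan, mac) -> Entry

    def expire(self, now: float) -> int:
        """Drop dynamic entries whose aging timer has run out; return the count."""
        stale = [k for k, e in self.entries.items()
                 if not e.static and now - e.learned_at >= self.aging]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def dynamic_count(self, port: str) -> int:
        return sum(1 for e in self.entries.values()
                   if e.port == port and not e.static)

    def add_static(self, vlan: int, mac: str, port: str) -> None:
        """Static entries never age out and are never overwritten by learning."""
        self.entries[(vlan, mac)] = Entry(port, 0.0, static=True)

    def learn(self, now: float, vlan: int, port: str, src: str) -> bool:
        """Learn or refresh (vlan, src) on port. Returns False when the source is
        pinned by a static entry or the port has reached its learning limit."""
        key = (vlan, src)
        cur = self.entries.get(key)
        if cur is not None and cur.static:
            return False
        if cur is None or cur.port != port:
            limit = self.max_per_port.get(port)
            if limit is not None and self.dynamic_count(port) >= limit:
                return False   # this port's share of the table is used up: stop learning
        self.entries[key] = Entry(port, now)
        return True

    def forward(self, now: float, vlan: int, in_port: str,
                src: str, dst: str) -> Tuple[str, List[str]]:
        """Age the table, learn the source, then look up the destination;
        an unknown destination is flooded to every other port in the VLAN."""
        self.expire(now)
        self.learn(now, vlan, in_port, src)
        dest = self.entries.get((vlan, dst))
        if dest is None:
            return "flood", [p for p in self.ports if p != in_port]
        if dest.port == in_port:
            return "drop", []          # destination sits behind the ingress port
        return "forward", [dest.port]


def demo() -> dict:
    """User A (Eth1/0/1) talks to User B (Eth1/0/2); an attacker on Eth1/0/3,
    limited to 2 learned addresses, spoofs five source MACs."""
    t = MacTable(["Eth1/0/1", "Eth1/0/2", "Eth1/0/3"], max_per_port={"Eth1/0/3": 2})
    a, b = "00:0a:00:00:00:01", "00:0a:00:00:00:02"
    first = t.forward(0.0, 1, "Eth1/0/1", a, b)      # B still unknown: flooded
    reply = t.forward(1.0, 1, "Eth1/0/2", b, a)      # A already learned: unicast
    learned = [t.learn(2.0, 1, "Eth1/0/3", f"00:bb:00:00:00:{i:02x}") for i in range(5)]
    aged = t.expire(2.0 + AGING_SECONDS)             # all dynamic entries age out
    return {"first": first, "reply": reply, "learned": learned,
            "aged": aged, "remaining": len(t.entries)}


if __name__ == "__main__":
    print(demo())
```

The per-port limit is applied only when a frame would create a new binding on the port; refreshing an entry the port already owns does not count against it, which is what lets legitimate hosts keep working while the spoofed sources are ignored.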

  • Page 213

    - If the VLAN is configured as the remote probe VLAN used by port mirroring, you cannot disable MAC address learning on it; likewise, once MAC address learning is disabled on a VLAN, that VLAN cannot be configured as a remote probe VLAN. - Disabling the MAC address learning function of a VLAN ta...

  • Page 214

    Configuring MAC address replication. The contents of this section apply only to the S3100-EI series among the S3100 series switches. Follow these steps to configure the MAC address replication feature (To do... / Use the command... / Remarks): enter system view: system-view; enter Ethernet port v...

  • Page 215

    Configuration example: adding a static MAC address entry manually. Network requirements: the server connects to the switch through Ethernet 1/0/2. To prevent the switch from broadcasting packets destined for the server, the MAC address of the server must be added to the MAC address table o...

  • Page 216

    Figure 1-8 Network diagram for MAC address replication and VLAN marking configuration (labels: Eth1/0/1, network 192.168.1.0/24, network, MAC-A VLAN 3, MAC-A VLAN 4, Switch A, Eth1/0/2). Configuration procedure: # Create VLAN 3 and VLAN 4 on Switch A. system-view [SwitchA] vlan 3 to 4 Please wait.... Done. # Config...

  • Page 217

    # Configure MAC address replication on Ethernet 1/0/1 to copy the MAC address entries of VLAN 3 into the MAC address table of VLAN 4. [SwitchA-Ethernet1/0/1] mac-address-mapping 0 source-vlan 3 destination-vlan 4 [SwitchA-Ethernet1/0/1] quit # Configure VLAN marking on Ethernet 1/0/2 to replace t...

  • Page 218: Table of Contents

    Table of contents: 1 MSTP Configuration 1-1; Overview ...

  • Page 219

    Introduction 1-40; Configuring digest snooping 1-40; Configuring...

  • Page 220: Mstp Configuration

    1 MSTP Configuration. Go to these sections for the information you are interested in: Overview; MSTP configuration task list; Configuring root bridge; Configuring leaf nodes; Performing mCheck operation; Configuring guard functions; Configuring digest snooping; Configuring rapid transition; ...

  • Page 221

    STP identifies the network topology by transmitting BPDUs between STP-compliant network devices, typically switches and routers. BPDUs carry enough information for the devices to complete the spanning tree calculation. In STP, BPDUs come in two types: - configuration BPDUs, used to...

  • Page 222

    Figure 1-1 A schematic diagram of designated bridges and designated ports. All the ports on the root bridge are designated ports. 4) Bridge ID: a bridge ID consists of eight bytes, where the first two bytes represent the bridge priority of the device and the remaining six bytes represent the MAC add...

  • Page 223

    6) Port ID: a port ID used on an H3C device consists of two bytes (16 bits), where the first six bits represent the port priority and the remaining ten bits the port number. The default priority of all Ethernet ports on H3C devices is 128. You can use commands to configure port pr...

  • Page 224

    Table 1-2 Selection of the optimum configuration BPDU. Step 1: upon receiving a configuration BPDU on a port, the device performs the following processing: - if the received configuration BPDU has a lower priority than the configuration BPDU generated by the port, the device wi...

  • Page 225

    Step 3: the device compares the calculated configuration BPDU with the configuration BPDU on the port whose role is to be determined, and acts on the result as follows: - if the calculated configuration BPDU is superior, this port serves as the designated port, an...

  • Page 226

    Initial configuration BPDU of each port (continued): Device B: BP1 {1, 0, 1, BP1}, BP2 {1, 0, 1, BP2}; Device C: CP1 {2, 0, 2, CP1}, CP2 {2, 0, 2, CP2}. Comparison process and result on each device: the following table shows the comparison process and result on each device. Table 1-5 Comparison process and result on each d...

  • Page 227

    Device C: - Port CP1 receives the configuration BPDU of Device A, {0, 0, 0, AP2}. Device C finds the received configuration BPDU superior to the configuration BPDU of the local port, {2, 0, 2, CP1}, and updates the configuration BPDU of CP1. - ...

  • Page 228

    Figure 1-3 The final calculated spanning tree. To facilitate description, the spanning tree calculation process in this example is simplified; the actual process is more complicated. 3) The BPDU forwarding mechanism in STP: - upon network initiation, every switch regards itself as the root b...
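
The bridge ID layout (page 222), the field-by-field comparison of configuration BPDUs (Tables 1-2 to 1-5) and the root guard introduced later in this chapter, carried out in code as an added example that is not part of the H3C manual. The {root ID, root path cost, designated bridge ID, designated port ID} vector is compared exactly as the tables describe; the three-bridge topology, the MAC addresses, priorities and 802.1t link costs are constructed for illustration, as is the rogue BPDU used to show what root guard refuses.

```python
"""Spanning-tree priority vectors: 8-byte bridge ID, configuration BPDU
comparison, a root election over a small topology, and the root-guard
decision that refuses a superior BPDU arriving on a protected port.

Added example, not code from the H3C manual. The three-bridge topology,
MACs, priorities and link costs are constructed for illustration."""
from typing import Dict, List, Optional, Tuple

# (root ID, root path cost, designated bridge ID, designated port ID); lower wins
Vector = Tuple[int, int, int, int]


def bridge_id(priority: int, mac: str) -> int:
    """Two priority bytes followed by the six bytes of the bridge MAC."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("bridge priority must fit in 16 bits")
    return (priority << 48) | int(mac.replace(":", "").replace("-", ""), 16)


def superior(a: Vector, b: Vector) -> bool:
    """BPDU a beats b when it is smaller field by field, left to right."""
    return a < b


def elect(bridges: Dict[str, int], links: List[Tuple[str, str, int]]) -> Dict[str, dict]:
    """Every bridge starts as its own root and keeps adopting the best BPDU
    heard on any link until nothing changes (the Table 1-2 procedure)."""
    nbrs: Dict[str, List[Tuple[str, int]]] = {b: [] for b in bridges}
    for x, y, cost in links:
        nbrs[x].append((y, cost))
        nbrs[y].append((x, cost))
    state = {b: {"root": bid, "cost": 0, "root_port": None} for b, bid in bridges.items()}
    while True:
        changed = False
        for b, bid in bridges.items():
            # own BPDU plus what each neighbour would send us, with the link cost added
            cands: List[Tuple[Vector, Optional[str]]] = [((bid, 0, bid, 0), None)]
            for peer, cost in nbrs[b]:
                s = state[peer]
                cands.append(((s["root"], s["cost"] + cost, bridges[peer], 0), peer))
            (root, cost, _, _), via = min(cands, key=lambda c: c[0])
            new = {"root": root, "cost": cost, "root_port": via}
            if new != state[b]:
                state[b], changed = new, True
        if not changed:
            return state


def root_guard(current_root: int, received: Vector, protected: bool) -> str:
    """A protected port that hears a BPDU claiming a better root is taken out
    of forwarding (the manual: put into the listening state) rather than
    letting that BPDU re-elect the root."""
    if protected and received[0] < current_root:
        return "blocked"
    return "accepted"


def demo() -> dict:
    bridges = {
        "A": bridge_id(4096, "00:e0:fc:00:00:01"),     # the intended root
        "B": bridge_id(32768, "00:e0:fc:00:00:02"),
        "C": bridge_id(32768, "00:e0:fc:00:00:03"),
    }
    # 802.1t path costs: 1 Gbps, 100 Mbps, 1 Gbps
    links = [("A", "B", 20000), ("A", "C", 200000), ("B", "C", 20000)]
    tree = elect(bridges, links)
    # an attacker on an access port of C announces bridge priority 0
    rogue_id = bridge_id(0, "de:ad:be:ef:00:01")
    rogue: Vector = (rogue_id, 0, rogue_id, 0)
    return {
        "root_of_C": "A" if tree["C"]["root"] == bridges["A"] else "other",
        "cost_C": tree["C"]["cost"],
        "root_port_C": tree["C"]["root_port"],
        "unprotected": root_guard(tree["C"]["root"], rogue, protected=False),
        "protected": root_guard(tree["C"]["root"], rogue, protected=True),
    }


if __name__ == "__main__":
    print(demo())
```

Device C ends up with A as root through B (cost 20000 + 20000) rather than over its direct 100 Mbps link (cost 200000). Without root guard the rogue BPDU's lower bridge ID would win the same comparison and move the root to the access port; with it, the port is blocked and the tree is left alone.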

  • Page 229

    For this reason, the protocol uses a state transition mechanism: a newly elected root port and the designated ports must wait a period equal to twice the forward delay before they transit to the forwarding state. This period allows the new configuration BPDUs to be propagate...

  • Page 230

    - MSTP supports mapping VLANs to multiple spanning tree instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP introduces instances (each integrating multiple VLANs into a set) and can bind multiple VLANs to one instance, saving communication overhead and improving resou...

  • Page 231

    3) MSTI: a multiple spanning tree instance (MSTI) is a spanning tree in an MST region. Multiple spanning trees can be established in one MST region, and they are independent of each other. For example, each region in Figure 1-4 contains multiple spanning trees known as MSTIs. ...

  • Page 232

    - A region boundary port is located on the boundary of an MST region and connects one MST region to another MST region, an STP-enabled region or an RSTP-enabled region. - An alternate port is a secondary port of a root port or master port and is used for rapid transition. With the roo...

  • Page 233

    - Forwarding state: ports in this state forward user packets and receive/send BPDUs. - Learning state: ports in this state receive/send BPDUs but do not forward user packets. - Discarding state: ports in this state only receive BPDUs. Port roles and port states are not mutually depe...

  • Page 234

    In addition to the basic MSTP functions, H3C series switches provide the following functions for managing switches: root bridge hold; root bridge backup; root guard; BPDU guard; loop guard; TC-BPDU attack guard; BPDU dropping. Protocols and standards: MSTP is documented ...

  • Page 235

    Task / Remarks (continued): configuring the timeout time factor, optional; configuring the maximum transmitting rate on the current port, optional (the default value is recommended); configuring the current port as an edge port, optional; setting the link type of a port to P2P, optional; enabling MSTP, required. To prev...

  • Page 236

    Configuring root bridge. Configuring an MST region, configuration procedure: follow these steps to configure an MST region (To do... / Use the command... / Remarks): enter system view: system-view; enter MST region view: stp region-configuration; configure the name of the MST region: region-name name, req...

  • Page 237

    - MSTP-enabled switches are in the same region only when they have the same format selector (an 802.1s-defined protocol selector, 0 by default and not configurable), MST region name, VLAN-to-instance mapping table, and revision level. - The H3C series support only the MST region nam...

  • Page 238

    Specify the current switch as the secondary root bridge of a spanning tree. Follow these steps (To do... / Use the command... / Remarks): enter system view: system-view; specify the current switch as the secondary root bridg...

  • Page 239

    Configuring the bridge priority of the current switch. Root bridges are selected according to the bridge priorities of the switches; you can make a specific switch the root bridge by giving it a lower bridge priority. An MSTP-enabled switch can have different bridge priorit...

  • Page 240

    In auto mode, if a port frequently receives MSTP packets of different formats alternately, the port is forcibly placed in the discarding state and no longer forwards MSTP packets; the physical state of the port is displayed as STP down. To restore such a port, first run the sh...

  • Page 241

    - STP-compatible mode, in which the ports of a switch send STP BPDUs to neighboring devices. If STP-enabled switches exist in a switched network, use the stp mode stp command to configure an MSTP-enabled switch to operate in STP-compatible mode. - RSTP-compatible mode, in which the ports of a...

  • Page 242

    Configure the maximum hop count of the MST region: stp max-hops hops, required. By default, the maximum hop count of an MST region is 20; the bigger the maximum hop count, the larger the MST region can be. Note that only the maximum hop settings on the switch operat...

  • Page 243

    Configuration procedure: follow these steps to configure MSTP time-related parameters (To do... / Use the command... / Remarks): enter system view: system-view; configure the forward delay parameter: stp timer forward-delay centiseconds, required. The forward delay parameter defaults to 1,500 centisecond...

  • Page 244

    Configuration example: # Configure the forward delay parameter to 1,600 centiseconds, the hello time parameter to 300 centiseconds, and the max age parameter to 2,100 centiseconds (assuming that the current switch operates as the CIST root bridge). system-view [Sysname] stp timer forwar...

  • Page 245

    Enter system view: system-view. Configure the maximum transmitting rate for specified ports: stp interface interface-list transmit-limit packetnum, required. The maximum transmitting rate of all Ethernet ports on a switch defaults to 10. Configure the maximum tr...

  • Page 246

    Configure the specified ports as edge ports: stp interface interface-list edged-port enable, required. By default, all the Ethernet ports of a switch are non-edge ports. Configure a port as an edge port in Ethernet port view: follow these steps to configure a por...

  • Page 247

    You can determine whether the link connected to a port is a point-to-point link in one of two ways. Setting the link type of a port to P2P in system view: follow these steps to specify whether the link connected to a port is a point-to-point link in system view (To do... / Use t...

  • Page 248

    Enabling MSTP, configuration procedure: follow these steps to enable MSTP in system view (To do... / Use the command... / Remarks): enter system view: system-view; enable MSTP: stp enable, required (MSTP is disabled by default); disable MSTP on specified ports: stp interface interface-list disable, optional ...

  • Page 249

    [Sysname-Ethernet1/0/1] stp disable. Configuring leaf nodes. Configuring the MST region: refer to Configuring an MST region. Configuring how a port recognizes and sends MSTP packets: refer to Configuring how a port recognizes and sends MSTP packets. Configuring the timeout time factor: refer to co...

  • Page 250

    Table 1-7 Transmission rates vs. path costs (columns: rate; operation mode, half-/full-duplex; 802.1D-1998; IEEE 802.1t; legacy standard). Rate 0: 802.1D-1998 65,535; IEEE 802.1t 200,000,000; legacy 200,000. Rate 10 Mbps, half-duplex/full-duplex, for a single link, an aggregated link of 2 ports, 3 ports and 4 ports respectively: 802.1D-1998 100, 95, 95, 95; IEEE 802.1t 2,000,000, 1,000,000, 66...

  • Page 251

    Follow these steps to configure the path cost for a port in Ethernet port view (To do... / Use the command... / Remarks): enter system view: system-view; enter Ethernet port view: interface interface-type interface-number; configure the path cost for the port: stp [ instance instance-id ] cost cost, re...

  • Page 252

    Configure port priority in system view: follow these steps (To do... / Use the command... / Remarks): enter system view: system-view; configure port priority for specified ports: stp interface interface-list instance instance-id port priority priority, required ...

  • Page 253

    Performing mCheck operation. Ports on an MSTP-enabled switch can operate in three modes: STP-compatible, RSTP-compatible, and MSTP. If a port on a device running MSTP (or RSTP) connects to a device running STP, the port automatically migrates to STP-compatible mode. However, it will not...

  • Page 254

    [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp mcheck. Configuring guard functions: the following guard functions are available on an MSTP-enabled switch: BPDU guard, root guard, loop guard, TC-BPDU attack guard, and BPDU drop. Configuring BPDU guard: normally, the access ports of ...

  • Page 255

    Configuring root guard. A root bridge and its secondary root bridges must reside in the same region. The root bridge of the CIST and its secondary root bridges are usually located in the high-bandwidth core region. Configuration errors or attacks may result in configuration BPDUs with their prio...

  • Page 256

    Configuration example: # Enable the root guard function on Ethernet 1/0/1. 1) In system view: system-view [Sysname] stp interface ethernet 1/0/1 root-protection. 2) In Ethernet port view: system-view [Sysname] interface ethernet 1/0/1 [Sysname-E...

  • Page 257

    Configuration example: # Enable the loop guard function on Ethernet 1/0/1. system-view [Sysname] interface ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp loop-protection. Configuring TC-BPDU attack guard: normally, a switch removes its MAC address table and ARP entries upon receiving topology change B...

  • Page 258

    # Set the maximum number of times the switch may remove its MAC address table and ARP entries within 10 seconds to 5. system-view [Sysname] stp tc-protection threshold 5. Configuring BPDU dropping: in an STP-enabled network, attackers may send BPDUs to switches continuously in order to disrupt the networ...
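
The TC-BPDU attack guard from the preceding two pages modelled as a flush rate limiter, as an added example that is not part of the H3C manual. Each topology change BPDU normally flushes the MAC address table and ARP entries; a flood of forged TC-BPDUs therefore turns the switch into a hub that floods every frame while it relearns. The guard caps the number of flushes per 10-second window (5 in the manual's example). The page does not say whether excess TCs are discarded or deferred; counting them and not acting on them is this example's assumption, as are the timestamps of the constructed TC storm.

```python
"""TC-BPDU attack guard as a flush rate limiter: each topology change BPDU
normally flushes the MAC address table and ARP entries; the guard caps how
many flushes may happen per 10-second window.

Added example, not code from the H3C manual. Treating excess TCs as
ignored (not deferred) and the sample TC storm below are assumptions."""
from collections import deque
from typing import Deque, Dict, List

WINDOW_SECONDS = 10.0


class TcGuard:
    def __init__(self, threshold: int) -> None:
        if threshold < 1:
            raise ValueError("threshold must be at least 1")
        self.threshold = threshold
        self.flush_times: Deque[float] = deque()   # flushes still inside the window
        self.suppressed = 0

    def _trim(self, now: float) -> None:
        """Forget flushes that have fallen out of the 10-second window."""
        while self.flush_times and now - self.flush_times[0] >= WINDOW_SECONDS:
            self.flush_times.popleft()

    def on_tc_bpdu(self, now: float, table: Dict[str, str]) -> bool:
        """Handle one TC-BPDU; return True if it was allowed to flush `table`."""
        self._trim(now)
        if len(self.flush_times) >= self.threshold:
            self.suppressed += 1        # over the cap: keep the learned entries
            return False
        table.clear()
        self.flush_times.append(now)
        return True


def simulate(threshold: int, tc_times: List[float]) -> dict:
    """Replay a sequence of TC-BPDU arrival times against a one-entry MAC table
    that is relearned between TCs; count flushes and suppressed TCs."""
    guard = TcGuard(threshold)
    mac_table: Dict[str, str] = {}
    flushes = 0
    for t in tc_times:
        mac_table.setdefault("00:0a:00:00:00:01", "Eth1/0/1")   # relearned binding
        if guard.on_tc_bpdu(t, mac_table):
            flushes += 1
    return {"flushes": flushes, "suppressed": guard.suppressed}


def demo() -> dict:
    """20 forged TCs in two seconds, then one legitimate TC twelve seconds in."""
    storm = [i / 10 for i in range(20)] + [12.0]
    return {"guarded": simulate(5, storm), "unguarded": simulate(10 ** 9, storm)}


if __name__ == "__main__":
    print(demo())
```

With the threshold at 5 the storm causes five flushes and fifteen suppressed TCs, and the legitimate TC at 12 seconds is honoured once the window has moved on; without the guard every one of the 21 TCs empties the table.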

  • Page 259

    Configuring digest snooping, introduction: according to IEEE 802.1s, two interconnected switches can communicate with each other through MSTIs in an MST region only when they have the same MST region-related configuration. Interconnected MSTP-enabled switches determine whether or not ...

  • Page 260

    Return to system view: quit. Enable the digest snooping feature globally: stp config-digest-snooping, required (the digest snooping feature is disabled globally by default). Display the current configuration: display current-configuration, available in any view. - W...

  • Page 261

    Figure 1-6 and Figure 1-7 illustrate the rapid transition mechanisms on designated ports in RSTP and MSTP. Figure 1-6 The RSTP rapid transition mechanism (labels: root port blocks other non-edge ports, changes to forwarding state and sends agreement to upstream device; downstream switch; upstream switch ...

  • Page 262

    ...upstream designated ports, instead of waiting for agreement packets from the upstream switch. This enables designated ports of the upstream switch to change their states rapidly. Configuring rapid transition, configuration prerequisites: as shown in Figure 1-8, an H3C series switch is connected t...

  • Page 263

    - The rapid transition feature can be enabled only on root ports or alternate ports. - If you configure the rapid transition feature on a designated port, it does not take effect on that port. Configuring VLAN-VPN tunnel: currently, only S3100-SI series Ethernet switches support the VLAN...

  • Page 264

    Configuring VLAN-VPN tunnel: follow these steps (To do... / Use the command... / Remarks): enter system view: system-view; enable MSTP globally: stp enable; enable the VLAN-VPN tunnel function globally: vlan-vpn tunnel, required (the VLAN-VPN tunnel function is disabled by de...

  • Page 265

    Configuration example: # Enable log/trap output for the ports of instance 1. system-view [Sysname] stp instance 1 portlog # Enable log/trap output for the ports of all instances. system-view [Sysname] stp portlog all. Enabling trap messages conforming to the 802.1D standard: when enabled, the switch s...

  • Page 266

    Display information about the root port of the instance where the switch resides: display stp root. Clear statistics about MSTP: reset stp [ interface interface-list ], available in user view. MSTP configuration example, network requirements: implement MSTP in the ne...

  • Page 267

    [Sysname-mst-region] region-name example [Sysname-mst-region] instance 1 vlan 10 [Sysname-mst-region] instance 3 vlan 30 [Sysname-mst-region] instance 4 vlan 40 [Sysname-mst-region] revision-level 0 # Activate the settings of the MST region manually. [Sysname-mst-region] active region-configura...

  • Page 268

    [Sysname-mst-region] region-name example [Sysname-mst-region] instance 1 vlan 10 [Sysname-mst-region] instance 3 vlan 30 [Sysname-mst-region] instance 4 vlan 40 [Sysname-mst-region] revision-level 0 # Activate the settings of the MST region manually. [Sysname-mst-region] active region-configura...

  • Page 269

    # Add Ethernet 1/0/1 to VLAN 10. [Sysname] vlan 10 [Sysname-vlan10] port ethernet 1/0/1 3) Configure Switch C. # Enable MSTP. system-view [Sysname] stp enable # Enable the VLAN-VPN tunnel function. [Sysname] vlan-vpn tunnel # Add GigabitEthernet 1/0/1 to VLAN 10. [Sysname] vlan 10 [Sysname-vlan1...

  • Page 270

    [Sysname-GigabitEthernet1/0/1] port trunk permit vlan all

  • Page 271: Table of Contents

    Table of contents: 1 Multicast Overview 1-1; Multicast overview ...

  • Page 272

    Introduction to MLD snooping 3-1; Basic concepts in MLD snooping 3-2; How MLD snooping works ...

  • Page 273

    Configuration prerequisites 4-3; Configuring user port attributes 4-3; Configuring IPv6 ...

  • Page 274: Multicast Overview

    1 Multicast Overview. With the development of networks and the Internet, more and more interactive services such as data, voice, and video services run on networks. In addition, highly bandwidth- and time-critical services, such as e-commerce, web conferencing, online auct...

  • Page 275

    Information transmission in broadcast mode: with broadcast, the system transmits information to all users on a network. Any user on the network receives the information, whether or not it is needed. Figure 1-2 shows information transmission in broadcast mode. Figur...

  • Page 276

    Figure 1-3 Information transmission in multicast mode. Assume that hosts B, D and E need the information. To transmit the information to the right users, hosts B, D and E are grouped into a receiver set. The routers on the network duplicate and distribute the information based on...

  • Page 277

    Table 1-1 An analogy between TV transmission and multicast transmission. Step 1: a TV station transmits a TV program through a television channel; a multicast source sends multicast data to a multicast group. Step 2: a user tunes the TV set to the channel; a receiv...

  • Page 278

    ASM model: in the ASM model, any sender can become a multicast source and send information to a multicast group; any number of receivers can join a multicast group identified by a group address and obtain the multicast information addressed to that group. In this model, receivers are not aware...

  • Page 279

    Multicast address. Because the receivers are multiple hosts in a multicast group, two questions arise: - what destination should the information source send to in multicast mode? - how is that destination address selected? These questions are about multic...

  • Page 280

    Class D address range / description (continued): 232.0.0.0 to 232.255.255.255, available source-specific multicast (SSM) group addresses; 239.0.0.0 to 239.255.255.255, administratively scoped multicast addresses, for specific local use only. As specified by IANA, the IP addresses ranging from...

  • Page 281

    Figure 1-4 IPv6 multicast address format. Referring to Figure 1-4, the fields of an IPv6 multicast address have the following meanings: - 0xFF: the most significant 8 bits are 11111111, indicating that this is an IPv6 multicast address. Figure 1-5 Format of the Flags field. - Flags: referring ...

  • Page 282

    Scope value / meaning (continued): E, global scope. Group ID: 112 bits, the IPv6 multicast group identifier that uniquely identifies an IPv6 multicast group within the scope given by the Scope field. Ethernet multicast MAC address: when a unicast IP packet is transported over an Ethernet network, the destination MAC address is...
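
The address material of the last three pages (class D ranges, the IPv6 multicast format with its Flags, Scope and Group ID fields, and the Ethernet multicast MAC) worked through in code, as an added example that is not part of the H3C manual. The IPv4 mapping (01:00:5e plus the low 23 bits of the group address) and the IPv6 mapping (33:33 plus the low 32 bits) follow RFC 1112 and RFC 2464; the sample addresses are constructed. The example goes one step beyond the page: because only 23 of the 28 group bits reach the MAC, 32 IPv4 groups share one MAC, which is why a switch that constrains multicast by MAC alone will deliver traffic for groups a host never joined.

```python
"""Multicast addresses: classify IPv4 class D ranges, map IPv4 and IPv6
group addresses to Ethernet multicast MACs, decode IPv6 flags/scope/group
ID, and list the 32 IPv4 groups that alias onto one MAC.

Added example, not code from the H3C manual. The address-to-MAC rules are
those of RFC 1112 and RFC 2464; sample addresses are constructed."""
import ipaddress
from typing import Dict, List

SCOPES: Dict[int, str] = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                          0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def _mac(value: int) -> str:
    return ":".join(f"{(value >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def classify_ipv4(addr: str) -> str:
    a = ipaddress.IPv4Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not a class D address")
    if a in ipaddress.IPv4Network("224.0.0.0/24"):
        return "reserved permanent group addresses (link-local control)"
    if a in ipaddress.IPv4Network("232.0.0.0/8"):
        return "source-specific multicast (SSM)"
    if a in ipaddress.IPv4Network("239.0.0.0/8"):
        return "administratively scoped (local use only)"
    return "any-source multicast (ASM)"


def ipv4_to_mac(addr: str) -> str:
    """01:00:5e followed by the low 23 bits of the group address."""
    low23 = int(ipaddress.IPv4Address(addr)) & 0x7F_FFFF
    return _mac(0x01005E000000 | low23)


def mac_aliases(addr: str) -> List[str]:
    """The 32 class D addresses sharing one MAC with `addr`: bits 27..23 of
    the group address (the 5 bits the mapping throws away) take all values."""
    base = int(ipaddress.IPv4Address(addr)) & 0xE07F_FFFF
    return [str(ipaddress.IPv4Address(base | (k << 23))) for k in range(32)]


def decode_ipv6(addr: str) -> dict:
    """Split FF | flags(4) | scope(4) | group ID(112); flags are 0RPT."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    v = int(a)
    flags = (v >> 116) & 0xF
    scope = (v >> 112) & 0xF
    return {"transient": bool(flags & 0x1),        # T: not a well-known assigned group
            "prefix_based": bool(flags & 0x2),     # P: derived from a unicast prefix
            "embedded_rp": bool(flags & 0x4),      # R: carries the RP address
            "scope": SCOPES.get(scope, f"unassigned (0x{scope:x})"),
            "group_id": v & ((1 << 112) - 1)}


def ipv6_to_mac(addr: str) -> str:
    """33:33 followed by the low 32 bits of the group address."""
    return _mac(0x333300000000 | (int(ipaddress.IPv6Address(addr)) & 0xFFFF_FFFF))


if __name__ == "__main__":
    print(classify_ipv4("232.1.2.3"), ipv4_to_mac("224.1.1.1"), ipv4_to_mac("225.1.1.1"))
    print(decode_ipv6("ff3e::8000:1234"), ipv6_to_mac("ff02::1"))
```

224.1.1.1 and 225.1.1.1 map to the same 01:00:5e:01:01:01, so a MAC-based forwarding entry created for one of them carries the other as well; an IP-based snooping entry or an ACL on the group address is needed to keep them apart.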

  • Page 283

    Multicast protocols. - Generally, IP multicast working at the network layer is referred to as Layer 3 multicast and the corresponding protocols as Layer 3 multicast protocols, which include IGMP/MLD, PIM/IPv6 PIM, MSDP, and MBGP/IPv6 MBGP; IP multicast working at the data link...

  • Page 284

    2) Multicast routing protocols: a multicast routing protocol runs on Layer 3 multicast devices to establish and maintain multicast routes and to forward multicast packets correctly and efficiently. Multicast routes constitute loop-free data transmission paths from a data source to multiple receiver...

  • Page 285

    In the traditional multicast-on-demand mode, when users in different VLANs on a Layer 2 device need multicast information, the upstream Layer 3 device must forward a separate copy of the multicast data to each VLAN of the Layer 2 device. With the multicast VLAN or IPv6 multicast VLAN feature en...

  • Page 286

    ...using the RPF interface as the incoming interface, and installs the entry into the multicast forwarding table. - If the interface on which the packet actually arrived is the RPF interface, the RPF check succeeds and the router forwards the packet to all the outgoing interfaces. - If the in...

  • Page 287

    ...the interface on which the packet actually arrived. The RPF check succeeds and the packet is forwarded.
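
The RPF check of the preceding two pages in code, as an added example that is not part of the H3C manual. The router takes the source address of the multicast packet, finds the best (longest-prefix) unicast route to it, and treats that route's interface as the RPF interface; the packet is accepted only if it arrived there. The routing table, interface names and packets are constructed for illustration.

```python
"""RPF check: look up the packet's source in the unicast routing table,
take the interface of the longest-prefix route as the RPF interface, and
accept the packet only if that is where it arrived.

Added example, not code from the H3C manual. The routing table,
interface names and sample packets are constructed."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]   # (prefix, outgoing interface)


def rpf_interface(table: List[Route], source: str) -> Optional[str]:
    """Longest-prefix match for the source; None when there is no route."""
    src = ipaddress.IPv4Address(source)
    best: Optional[Tuple[int, str]] = None
    for prefix, iface in table:
        net = ipaddress.IPv4Network(prefix)
        if src in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def rpf_check(table: List[Route], source: str, arrival: str) -> Tuple[bool, Optional[str]]:
    """Return (passed, rpf_interface). A packet that arrives on any other
    interface is dropped, which stops a looped or spoofed stream from being
    replicated onto every outgoing interface."""
    rpf = rpf_interface(table, source)
    return (rpf is not None and rpf == arrival, rpf)


ROUTES: List[Route] = [                            # constructed unicast routing table
    ("192.168.0.0/16", "Vlan-interface10"),
    ("192.168.5.0/24", "Vlan-interface20"),        # more specific: wins for 192.168.5.x
    ("10.0.0.0/8", "GigabitEthernet1/1/1"),
]


def demo() -> dict:
    return {
        "specific_ok": rpf_check(ROUTES, "192.168.5.7", "Vlan-interface20"),
        "wrong_iface": rpf_check(ROUTES, "192.168.5.7", "Vlan-interface10"),
        "general_ok": rpf_check(ROUTES, "192.168.9.9", "Vlan-interface10"),
        "no_route": rpf_check(ROUTES, "172.16.0.1", "GigabitEthernet1/1/1"),
    }


if __name__ == "__main__":
    print(demo())
```

A source with no unicast route fails the check outright: with no RPF interface there is no interface on which the packet could legitimately have arrived.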

  • Page 288: Igmp Snooping Configuration

    2 IGMP Snooping Configuration. IGMP snooping overview: Internet Group Management Protocol snooping (IGMP snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups. Principle of IGMP snooping: by analyzing received IGMP messages, a Layer 2 de...

  • Page 289

    Figure 2-2 IGMP snooping related ports (labels: Router A; Switch A with Eth1/0/1, Eth1/0/2, Eth1/0/3; Switch B with Eth1/0/1, Eth1/0/2; Host A, Host B, Host C, Host D; receivers; source; multicast packets; router port; member port). The ports involved in IGMP snooping, as shown in Figure 2-2, are described as follows: - rout...

  • Page 290

    - If the receiving port is a router port already in its router port list, the switch resets the aging timer of this router port. - If the receiving port is not a router port in its router port list, the switch adds it to the list and starts an aging timer for this router po...

  • Page 291

    - If an IGMP report in response to the group-specific query arrives at the member port before its aging timer expires, some other members of that multicast group still exist under that port: the switch resets the aging timer of the member port. - If no IGMP report in response to...

  • Page 292

    Operation / Command / Remarks: enable IGMP snooping globally: igmp-snooping enable, required (by default, IGMP snooping is disabled globally); enter VLAN view: vlan vlan-id; enable IGMP snooping on the VLAN: igmp-snooping enable, required (by default, IGMP snooping is disabled on all VLANs). - Before ena...

  • Page 293

    Configuring timers: this section describes how to configure the aging timer of the router port and the aging timer of the multicast member ports. Table 2-5 Configure timers (Operation / Command / Remarks): enter system view: system-view; configure the aging timer of the router port: igmp-snooping router-ag...

  • Page 294

    - The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3. - The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified; if one or more VLANs are specified, the configuration takes effect on a...

  • Page 295

    Configure a multicast group filter: igmp-snooping group-policy acl-number [ vlan vlan-list ], optional. No group filter is configured by default, so hosts can join any multicast group. - A port can belong to multiple VLANs; you can configure only one ACL rule per VLAN o...

  • Page 296

    - To prevent traffic bursts in the network or performance degradation of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process. - When the number of multicast groups exceeds the configured limit, the switch removes ...

  • Page 297

    Enable IGMP snooping: igmp-snooping enable, required (by default, IGMP snooping is disabled). Enter VLAN view: vlan vlan-id. Enable IGMP snooping: igmp-snooping enable, required (by default, IGMP snooping is disabled). Enable IGMP snooping querier: igmp-snooping querier, require...

  • Page 298

    Table 2-11 Suppress flooding of unknown multicast traffic in the VLAN (Operation / Command / Remarks): enter system view: system-view; enable unknown multicast flooding suppression: igmp-snooping nonflooding-enable, required. By default, unknown multicast flooding suppression ... - If the function of droppin...
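
The IGMP snooping mechanics of pages 289 to 291 (router ports learned from queries, member ports learned from reports, aging, the group-specific query sent on a leave), together with the fast-leave note on page 294, the group filter on page 295 and the unknown-multicast suppression of Table 2-11, as one added example that is not part of the H3C manual. The 105-second router-port and 260-second member-port aging values, the one-second wait after a leave, the port names and the message sequence are constructed; so is the choice to send suppressed unknown multicast only toward router ports, which the truncated page does not confirm.

```python
"""IGMP snooping forwarding state: router ports learned from general
queries, member ports learned from reports, aging timers, the
group-specific query after a leave (or fast leave), a group-policy filter
on reports, and flood-or-suppress handling of unknown groups.

Added example, not code from the H3C manual. Timer values, port names,
the message sequence and the handling of suppressed unknown multicast
(forwarded only toward router ports) are assumptions."""
from typing import Dict, List, Optional, Set, Tuple

ROUTER_AGING = 105.0
MEMBER_AGING = 260.0
LEAVE_WAIT = 1.0   # time allowed for a report to answer the group-specific query


class IgmpSnooping:
    def __init__(self, ports: List[str], permitted: Optional[Set[str]] = None,
                 fast_leave: bool = False, suppress_unknown: bool = False) -> None:
        self.ports = list(ports)
        self.permitted = permitted          # None: no group filter, any group may be joined
        self.fast_leave = fast_leave
        self.suppress_unknown = suppress_unknown
        self.router_ports: Dict[str, float] = {}          # port -> expiry time
        self.members: Dict[str, Dict[str, float]] = {}    # group -> {port: expiry}
        self.pending: Dict[Tuple[str, str], float] = {}   # (group, port) -> leave deadline

    def _forget(self, group: str, port: str) -> None:
        self.members.get(group, {}).pop(port, None)
        if group in self.members and not self.members[group]:
            del self.members[group]

    def _expire(self, now: float) -> None:
        self.router_ports = {p: t for p, t in self.router_ports.items() if t > now}
        for g in list(self.members):
            for p, t in list(self.members[g].items()):
                if t <= now:
                    self._forget(g, p)
        for (g, p), deadline in list(self.pending.items()):
            if deadline <= now:             # nobody answered the group-specific query
                self._forget(g, p)
                del self.pending[(g, p)]

    def general_query(self, now: float, port: str) -> None:
        """A query arriving on a port makes it a router port and resets its timer."""
        self._expire(now)
        self.router_ports[port] = now + ROUTER_AGING

    def report(self, now: float, port: str, group: str) -> bool:
        """Add or refresh a member port; False when the group filter rejects it."""
        self._expire(now)
        if self.permitted is not None and group not in self.permitted:
            return False
        self.members.setdefault(group, {})[port] = now + MEMBER_AGING
        self.pending.pop((group, port), None)
        return True

    def leave(self, now: float, port: str, group: str) -> None:
        self._expire(now)
        if port not in self.members.get(group, {}):
            return
        if self.fast_leave:
            self._forget(group, port)           # one host per port: remove at once
        else:
            self.pending[(group, port)] = now + LEAVE_WAIT

    def egress(self, now: float, in_port: str, group: str) -> List[str]:
        """Ports that receive multicast data for `group` arriving on `in_port`."""
        self._expire(now)
        if group in self.members:
            out = set(self.members[group]) | set(self.router_ports)
        elif self.suppress_unknown:
            out = set(self.router_ports)
        else:
            out = set(self.ports)               # unknown group, no suppression: flooded
        out.discard(in_port)
        return sorted(out)


def demo() -> dict:
    sw = IgmpSnooping(["Eth1/0/1", "Eth1/0/2", "Eth1/0/3", "Eth1/0/4"],
                      permitted={"224.1.1.1"}, suppress_unknown=True)
    sw.general_query(0.0, "Eth1/0/1")                    # the router sits behind Eth1/0/1
    joins = [sw.report(0.5, "Eth1/0/2", "224.1.1.1"),
             sw.report(0.5, "Eth1/0/3", "224.1.1.1"),
             sw.report(0.5, "Eth1/0/4", "239.9.9.9")]    # rejected by the group filter
    before_leave = sw.egress(1.0, "Eth1/0/1", "224.1.1.1")
    unknown = sw.egress(1.0, "Eth1/0/1", "239.9.9.9")
    sw.leave(2.0, "Eth1/0/2", "224.1.1.1")
    during_query = sw.egress(2.5, "Eth1/0/1", "224.1.1.1")   # still forwarded while waiting
    after_leave = sw.egress(4.0, "Eth1/0/1", "224.1.1.1")
    sw.egress(200.0, "Eth1/0/1", "224.1.1.1")
    router_aged = "Eth1/0/1" not in sw.router_ports
    all_aged = sw.egress(300.0, "Eth1/0/1", "224.1.1.1")
    return {"joins": joins, "before_leave": before_leave, "unknown": unknown,
            "during_query": during_query, "after_leave": after_leave,
            "router_aged": router_aged, "all_aged": all_aged}


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing against the manual's text: the report for 239.9.9.9 never creates an entry because the filter drops it, so that group stays unknown and, with suppression on, its traffic goes nowhere but the router ports; and a port that has sent a leave keeps receiving the stream until the group-specific query has gone unanswered, which is exactly the delay fast leave removes for ports with a single host behind them.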

  • Page 299

    Configure specified port(s) as static member port(s) of a multicast group in the VLAN: multicast static-group group-address interface interface-list, required. By default, no port is configured as a static multicast group member port. Configuring a static router port in a...

  • Page 300

    - When receiving an IGMP general query, the simulated host responds with an IGMP report. Meanwhile, the switch sends the same IGMP report to itself to ensure that the IGMP entry does not age out. - When the simulated joining function is disabled on an Ethernet port, the simulated host sends an ...

  • Page 301

    It is not recommended to configure this function while the multicast VLAN function is in effect. Configuring multicast VLAN: in traditional multicast implementations, when users in different VLANs listen to the same multicast group, the multicast data is copied on the multicast router for each V...

  • Page 302

    Enable IGMP snooping: igmp-snooping enable. Enter VLAN view: vlan vlan-id. Enable IGMP snooping: igmp-snooping enable, required. Enable multicast VLAN: service-type multicast, required. Return to system view: quit. Enter Ethernet port view for the Layer 3 switch: interface in...

  • Page 303

    Table 2-20 Display and maintain IGMP snooping (Operation / Command / Remarks): display the current IGMP snooping configuration: display igmp-snooping configuration; display IGMP snooping message statistics: display igmp-snooping statistics; display the information about IP and MAC multicast groups in one ...

  • Page 304

    2) Configure Router A. # Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on Ethernet 1/0/1. system-view [RouterA] multicast routing-enable [RouterA] interface ethernet 1/0/1 [RouterA-Ethernet1/0/1] igmp enable [RouterA-Ethernet1/0/1] quit [RouterA] interface ethernet...

  • Page 305

    Configuring multicast VLAN, network requirements: as shown in Figure 2-4, Workstation is a multicast source. Switch A forwards multicast data from the multicast source. A Layer 2 switch, Switch B, forwards the multicast data to the end users Host A and Host B. Table 2-21 describes the network dev...

  • Page 306

    1) Configure Switch A: # Set the IP address of VLAN-interface 20 to 168.10.1.1 and enable PIM-DM on the VLAN interface. system-view [SwitchA] multicast routing-enable [SwitchA] vlan 20 [SwitchA-vlan20] port ethernet 1/0/1 [SwitchA-vlan20] quit [SwitchA] interface vlan-interface 20 [SwitchA-Vlan-...

  • Page 307

    [SwitchB] interface ethernet 1/0/2 [SwitchB-Ethernet1/0/2] port link-type hybrid [SwitchB-Ethernet1/0/2] port hybrid vlan 3 10 untagged [SwitchB-Ethernet1/0/2] port hybrid pvid vlan 3 [SwitchB-Ethernet1/0/2] quit. Troubleshooting IGMP snooping. Symptom: the multicast function does not work on the swi...

  • Page 308: Mld Snooping Configuration

    3-1 3 MLD snooping configuration. Only the S3100-EI series supports MLD snooping configuration. When configuring MLD snooping, go to these sections for the information you are interested in: MLD snooping overview; MLD snooping configuration task list; displaying and maintaining MLD snooping; MLD snoo...

  • Page 309

    3-2 Figure 3-1 Before and after MLD snooping is enabled on the Layer 2 device. [Figure: IPv6 multicast packet transmission without MLD snooping (Source, multicast router, Layer 2 switch, Host A receiver, Host B, Host C receiver) and IPv6 multicast packet transmission when MLD snooping runs (Source ...)]

  • Page 310

    3-3 Ports involved in MLD snooping, as shown in Figure 3-2, are described as follows: router port: a router port is a port on the Ethernet switch that leads the switch towards the Layer 3 multicast device (DR or MLD querier). In the figure, Ethernet 1/0/1 of Switch A and Ethernet 1/0/1 of Switch B ar...

  • Page 311

    3-4 The description of adding or deleting a port in this section applies only to dynamic ports. Static ports can be added or deleted only through the corresponding configurations. For details, see Configuring static ports. General queries: the MLD querier periodically sends MLD general queries to al...

  • Page 312

    3-5 Done messages: when a host leaves an IPv6 multicast group, the host sends an MLD done message to the multicast router. When the switch receives an MLD done message on a dynamic member port, the switch first checks whether a forwarding table entry for the IPv6 multicast group address in the messag...

  • Page 313

    3-6 Figure 3-3 Network diagram for MLD snooping proxying. As shown in Figure 3-3, Switch A works as an MLD snooping proxy. As a host from the perspective of the querier Router A, Switch A represents its attached hosts to send their membership reports and done messages to Router A. Table 3-2 describe...

  • Page 314

    3-7 MLD snooping configuration task list. Complete these tasks to configure MLD snooping (task / remarks): enabling MLD snooping (required); configuring the version of MLD snooping (optional); configuring basic functions of MLD snooping: configuring limit on the number of forwarding entries globally (optional); co...

  • Page 315

    3-8 Configuring basic functions of MLD snooping. Configuration prerequisites: before configuring the basic functions of MLD snooping, complete the following task: configure the corresponding VLANs. Before configuring the basic functions of MLD snooping, prepare the following data: the version of M...

  • Page 316

    3-9 If you switch MLD snooping from version 2 to version 1, the system will clear all MLD snooping forwarding entries from dynamic joining, and will: keep forwarding entries from version 2 static (*, G) joining; clear forwarding entries from version 2 static (S, G) joining, which will be restore...

  • Page 317

    3-10 Configuring aging timers for dynamic ports. If the switch receives no MLD general queries or IPv6 PIM hello messages on a dynamic router port, the switch removes the port from the router port list when the aging timer of the port expires. If the switch receives no MLD reports for an IPv6 multica...

  • Page 318

    3-11 To do... / Use the command... / Remarks: configure the port(s) as static member port(s): mld-snooping static-group ipv6-group-address [ source-ip ipv6-source-address ] vlan vlan-id (required; no static member ports by default); configure the port(s) as static router port(s): mld-snooping static-router-por...

  • Page 319

    3-12 Each simulated host is equivalent to an independent host. For example, when receiving an MLD query, the simulated host corresponding to each configuration responds separately. Unlike a static member port, a port configured as a simulated member host will age out like a dynamic member port...

  • Page 320

    3-13 Configuring MLD snooping querier. Configuration prerequisites: before configuring MLD snooping querier, complete the following task: enable MLD snooping in the VLAN. Before configuring MLD snooping querier, prepare the following data: the MLD general query interval, the MLD last-member query interv...

  • Page 321

    3-14 the maximum response time (the host obtains the value of the maximum response time from the Max Response Time field in the MLD query it received). When the timer counts down to 0, the host sends an MLD report to the corresponding IPv6 multicast group. An appropriate setting of the maximum ...

  • Page 322

    3-15 Configuring source IPv6 addresses of MLD queries. This configuration allows you to change the source IPv6 address of MLD queries. Follow these steps to configure source IPv6 addresses of MLD queries (to do... / use the command... / remarks): enter system view: system-view (—); enter VLAN view: vlan vlan-id...

  • Page 323

    3-16 Configuring a source IPv6 address for the MLD messages sent by the proxy. You can set the source IPv6 addresses in the MLD reports and done messages sent by the MLD snooping proxy on behalf of its attached hosts. Follow these steps to configure the source IPv6 addresses for the MLD messages sent...

  • Page 324

    3-17 Configuring MLD report suppression. When a Layer 2 device receives an MLD report from an IPv6 multicast group member, the Layer 2 device forwards the message to the Layer 3 device directly connected with it. Thus, when multiple members belonging to an IPv6 multicast group exist on the Layer 2 de...

  • Page 325

    3-18 When the number of IPv6 multicast groups that can be joined on a port reaches the configured maximum, the system deletes all the forwarding entries pertaining to that port from the MLD snooping forwarding table, and the hosts on this port need to join IPv6 multicast groups again. If ...

  • Page 326

    3-19 To do... / Use the command... / Remarks: enable IPv6 multicast group replacement: mld-snooping overflow-replace [ vlan vlan-list ] (required; disabled by default). Be sure to configure the maximum number of IPv6 multicast groups allowed on a port (refer to Configuring maximum multicast groups that can be...

  • Page 327

    3-20 To do... / Use the command... / Remarks: clear the statistics of all kinds of MLD messages learned by MLD snooping: reset mld-snooping statistics (available in user view). The reset mld-snooping group command works only on an MLD snooping-enabled VLAN. The reset mld-snooping group command ...

  • Page 328

    3-21 Enable IPv6 forwarding and configure an IPv6 address and prefix length for each interface as per Figure 3-4. The detailed configuration steps are omitted. 2) Configure Router A. # Enable IPv6 multicast routing, enable IPv6 PIM-DM on each interface, and enable MLDv1 on Ethernet 1/0/1. system-vie...

  • Page 329

    3-22 port flags: d-dynamic port, s-static port, c-copy port subvlan flags: r-real vlan, c-copy vlan vlan(id):100. Total 1 ip group(s). Total 1 ip source(s). Total 1 mac group(s). Router port(s):total 1 port. Eth1/0/1 (d) ( 00:01:30 ) ip group(s):the following ip group(s) match to one mac group. Ip g...

  • Page 330

    3-23 If no static router port is configured, when the path Switch A—Switch B—Switch C gets blocked, at least one MLD query-response cycle must be completed before the IPv6 multicast data can flow to the receivers along the new path Switch A—Switch C, namely IPv6 multicast delivery will be inte...

  • Page 331

    3-24 # Enable MLD snooping globally. system-view [SwitchA] mld-snooping [SwitchA-mld-snooping] quit # Create VLAN 100, assign Ethernet 1/0/1 through Ethernet 1/0/3 to this VLAN, and enable MLD snooping in the VLAN. [SwitchA] vlan 100 [SwitchA-vlan100] port ethernet 1/0/1 to ethernet 1/0/3 [SwitchA-v...

  • Page 332

    3-25 total 1 ip group(s). Total 1 ip source(s). Total 1 mac group(s). Port flags: d-dynamic port, s-static port, c-copy port subvlan flags: r-real vlan, c-copy vlan vlan(id):100. Total 1 ip group(s). Total 1 ip source(s). Total 1 mac group(s). Router port(s):total 2 port. Eth1/0/1 (d) ( 00:01:30 ) e...

  • Page 333

    3-26 As shown above, Ethernet 1/0/3 and Ethernet 1/0/5 on Switch C have become static member ports for IPv6 multicast group FF1E::101. MLD snooping querier configuration example. Network requirements: as shown in Figure 3-6, in a Layer-2-only network environment, two multicast sources Source 1 and ...

  • Page 334

    3-27 [SwitchA-vlan100] mld-snooping querier [SwitchA-vlan100] quit 2) Configure Switch B. # Enable IPv6 forwarding and enable MLD snooping globally. system-view [SwitchB] ipv6 [SwitchB] mld-snooping [SwitchB-mld-snooping] quit # Create VLAN 100, add Ethernet 1/0/1 through Ethernet 1/0/4 into VLAN 100...

  • Page 335

    3-28 Figure 3-7 Network diagram for MLD snooping proxying configuration. [Figure: Source; Router A (MLD querier); Switch A (proxy and querier); receivers Host A, Host B and Host C; addresses 1::1/64, 1::2/64 and 2001::1/64; ports Eth1/0/1 through Eth1/0/4.] Configuration procedure: 1) Configure IPv6 addresses for...

  • Page 336

    3-29 After the configuration is completed, Host A and Host B send MLD join messages addressed to group FF1E::101. When receiving the messages, Switch A sends a join message for the group out port Ethernet 1/0/1 (a router port) to Router A. Use the display mld-snooping group command and the display m...

  • Page 337

    3-30 port flags: d-dynamic port, s-static port, c-copy port subvlan flags: r-real vlan, c-copy vlan vlan(id):100. Total 1 ip group(s). Total 1 ip source(s). Total 1 mac group(s). Router port(s):total 1 port. Eth1/0/1 (d) ( 00:01:23 ) ip group(s):the following ip group(s) match to one mac group. Ip g...

  • Page 338

    4-1 4 IPv6 multicast VLAN configuration. Only the S3100-EI series supports IPv6 multicast VLAN configuration. When configuring IPv6 multicast VLAN, go to these sections for the information you are interested in: introduction to IPv6 multicast VLAN; IPv6 multicast VLAN configuration task list; configur...

  • Page 339

    4-2 As shown in Figure 4-2, Host A, Host B and Host C are in three different user VLANs. All the user ports are hybrid ports. On Switch A, configure VLAN 10 as an IPv6 multicast VLAN, assign all the user ports to this IPv6 multicast VLAN, and enable MLD snooping in the IPv6 multicast VLAN and all t...

  • Page 340

    4-3 Configuring IPv6 multicast VLAN. When configuring port-based IPv6 multicast VLAN, you need to configure the attributes of each user port and then assign the ports to the IPv6 multicast VLAN. A user port can be configured as a multicast VLAN port only if it is of the Ethernet interface type. Confi...

  • Page 341

    4-4 Configuring IPv6 multicast VLAN ports. In this approach, you need to configure a VLAN as an IPv6 multicast VLAN and then assign user ports to this IPv6 multicast VLAN, either by adding the user ports to the IPv6 multicast VLAN or by specifying the IPv6 multicast VLAN on the user ports. These two meth...

  • Page 342

    4-5 IPv6 multicast VLAN configuration examples. Network requirements: as shown in Figure 4-3, Router A connects to an IPv6 multicast source (Source) through Ethernet 1/0/1, and to Switch A through Ethernet 1/0/2. MLDv1 is required on Router A. MLDv1 snooping is required on Switch A. Router A acts...

  • Page 343

    4-6 [RouterA-Ethernet1/0/1] ipv6 pim dm [RouterA-Ethernet1/0/1] quit [RouterA] interface ethernet 1/0/2 [RouterA-Ethernet1/0/2] ipv6 pim dm [RouterA-Ethernet1/0/2] mld enable 3) Configure Switch A. # Enable MLD snooping globally. system-view [SwitchA] mld-snooping [SwitchA-mld-snooping] quit # Create...

  • Page 344

    4-7 # View the MLD snooping multicast group information on Switch A. [SwitchA] display mld-snooping group Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Port flags: D-Dynamic port, S-Static port, C-Copy port Subvlan flags: R-Real VLAN, C-Copy VLAN Vlan(id):10. Total 1 IP Group(s). ...

  • Page 345

    5-1 5 Multicast user control policy configuration. Only the S3100-EI series supports multicast user control policy configuration. IPv4 multicast user control policy configuration. Configuring IPv4 multicast user control policy: multicast user control policies are configured on access switches to allow o...

  • Page 346

    5-2 To do... / Use the command... / Remarks: configure the mode to apply a QoS profile as user-based: undo qos-profile port-based. If the 802.1X authentication mode is MAC address-based, the mode to apply a QoS profile must be configured as user-based. If the 802.1X authentication mode is port-based, the ...

  • Page 347

    5-3 Figure 5-1 Network diagram for IPv4 multicast user control policy configuration. [Figure: Source 1 (1.1.1.1/24); Switch A with Vlan-interface 101 (1.1.1.2/24) on Eth1/0/1, Vlan-interface 102 (2.1.1.2/24) on Eth1/0/2 and Vlan-interface 103 (3.1.1.1/24) on Eth1/0/3; RADIUS server (2.1.1.1/24); Switch B (Eth1/0/1 through Eth1/0/3) with receivers Host A and Host B.] Configu...

  • Page 348

    5-4 [SwitchB] igmp-snooping enable # Create VLAN 103, assign Ethernet 1/0/1 through Ethernet 1/0/3 to this VLAN, and enable IGMP snooping in this VLAN. [SwitchB] vlan 103 [SwitchB-vlan103] port ethernet 1/0/1 to ethernet 1/0/3 [SwitchB-vlan103] igmp-snooping enable [SwitchB-vlan103] quit # Create a ...

  • Page 349

    5-5 # Display information about IGMP snooping multicast groups in VLAN 103 on Switch B. [SwitchB] display igmp-snooping group vlan 103 verbose Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Port flags: D-Dynamic port, S-Static port, C-Copy port Subvlan flags: R-Real VLAN, C-Copy VL...

  • Page 350

    5-6 is then processed as per the rule), the rule order is important in determining which match criteria will apply. Two rule orders are available for IPv6 ACLs: config: ACL rules are sorted in ascending order of rule ID, that is, a rule with a smaller ID number has a higher priority; auto: ACL rules...

  • Page 351

    5-7 A bigger step means more numbering flexibility. This is helpful when the config rule order is adopted, with which ACL rules are sorted in ascending order of rule ID. If no ID is specified for a rule when the rule is created, the system automatically assigns it the smallest multiple of the step t...

  • Page 352

    5-8 You can only modify the existing rules of an ACL that uses the config rule order. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same. You cannot create a rule with, or modify a rule to have, the same p...

  • Page 353

    5-9 To do... / Use the command... / Remarks: set the rule numbering step: step step-value (optional; 5 by default); configure a description for the advanced IPv6 ACL: description text (optional; by default, an advanced IPv6 ACL has no ACL description); configure a rule description: rule rule-id comment text (optional; b...

  • Page 355

    5-11 To do... / Use the command... / Remarks: configure an IPv6 multicast group filter: mld-snooping group-policy acl6-number [ vlan vlan-list ] (required; by default, no IPv6 group filter is configured on an interface, that is, hosts on the interface can join any valid multicast group). IPv6 multicast user ...

  • Page 356

    5-12 For details about the qos-profile, qos-profile port-based and undo qos-profile port-based commands, refer to QoS-QoS Profile Operation. An IPv6 multicast user control policy functions only if 802.1X is configured, that is, 802.1X must be enabled on the port to which the QoS profile is applie...

  • Page 357

    5-13 # Create VLAN 101 through VLAN 104 and assign Ethernet 1/0/1 through Ethernet 1/0/3 to the four VLANs respectively. system-view [SwitchA] vlan 101 [SwitchA-vlan101] port ethernet 1/0/1 [SwitchA-vlan101] quit [SwitchA] vlan 102 [SwitchA-vlan102] port ethernet 1/0/2 [SwitchA-vlan102] quit [Switch...

  • Page 358

    5-14 [SwitchB-radius-scheme1] primary accounting 2::1 [SwitchB-radius-scheme1] key accounting 321123 [SwitchB-radius-scheme1] user-name-format without-domain [SwitchB-radius-scheme1] quit # Create an ISP domain domain1; reference scheme1 for the authentication and accounting of LAN users; specify ...

  • Page 359

    5-15 MAC group address:3333-0000-0101 Host port(s):total 1 port. Eth1/0/3 As shown above, Ethernet 1/0/3 on Switch B has joined FF1E::101 but not FF1E::102.

  • Page 360

    6-1 6 Common multicast configuration. Table 6-1 Common multicast configuration tasks (configuration task / remarks): configuring suppression on the multicast source port (optional); configuring a multicast MAC address entry (optional); configuring dropping unknown multicast packet...

  • Page 361

    6-2 Configuring multicast source port suppression in Ethernet port view. Table 6-3 Configure multicast source port suppression in Ethernet port view (operation / command / remarks): enter system view: system-view (—); enter Ethernet port view: interface interface-type interface-number (—); configure multicast sourc...

  • Page 362

    6-3 If the multicast MAC address entry to be created already exists, the system gives you a prompt. If you want to add a port to a multicast MAC address entry created through the mac-address multicast command, you need to remove the entry first, create the entry again, and then add the specifie...

  • Page 363

    6-4 Table 6-7 Display common multicast configuration (operation / command / remarks): display the statistics about multicast source port suppression: display multicast-source-deny [ interface interface-type [ interface-number ] ]; display the created multicast MAC table entries: display mac-addres...

  • Page 364: Table of Contents

    I Table of contents: 1 802.1X configuration (1-1); Introduction to 802.1X (...

  • Page 365

    II 4 System-guard configuration (for S3100-EI) (4-1); System-guard overview (4-1); Configuring ...

  • Page 366: 802.1X Configuration

    1-1 1 802.1X configuration. Introduction to 802.1X: the 802.1X protocol (802.1X for short) was developed by the IEEE 802 LAN/WAN committee to address security issues of wireless LANs. It was then used in Ethernet as a common access control mechanism for LAN ports to address mainly authentication and securi...

  • Page 367

    1-2 stores user information, such as user name, password, the VLAN a user belongs to, priority, and the ACLs (access control lists) applied. The four basic concepts related to the above three entities are PAE, controlled port and uncontrolled port, the valid direction of a controlled port, and the way...

  • Page 368

    1-3 Figure 1-2 The mechanism of an 802.1X authentication system. EAP protocol packets transmitted between the supplicant system PAE and the authenticator system PAE are encapsulated as EAPOL packets. EAP protocol packets transmitted between the authenticator system PAE and the RADIUS server can e...

  • Page 369

    1-4 The packet body field differs with the type field. Note that EAPOL-Start, EAPOL-Logoff, and EAPOL-Key packets are only transmitted between the supplicant system and the authenticator system. EAP-Packets are encapsulated by the RADIUS protocol to allow them to successfully reach the authentication ser...

  • Page 370

    1-5 fragmented and are encapsulated in multiple EAP-Message fields. The type code of the EAP-Message field is 79. Figure 1-6 The format of an EAP-Message field. [Figure: Type, Length (n) and String (EAP packets) fields, bit positions 0 and 15 marked.] The Message-Authenticator field, whose format is shown in Figure 1-7, is used to prevent unauthoriz...

  • Page 371

    1-6 Figure 1-8 802.1X authentication procedure (in EAP relay mode). [Figure: exchange between the supplicant system PAE and the RADIUS server over EAPOL and EAPoR: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5 Challenge, EAP-Response/MD5 Challenge, EAP-Success; RADIUS Access-Request (EAP-Response/Identity), RADIUS Ac...]

  • Page 372

    1-7 The RADIUS server compares the received encrypted password (contained in a RADIUS Access-Request packet) with the locally encrypted password. If the two match, it then sends feedback (through a RADIUS Access-Accept packet and an EAP-Success packet) to the switch to indicate that the suppl...

  • Page 373

    1-8 Figure 1-9 802.1X authentication procedure (in EAP terminating mode). [Figure: exchange between the supplicant system PAE, the authenticator system PAE and the RADIUS server over EAPOL and RADIUS: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5 Challenge, EAP-Response/MD5 Challenge, EAP-Success; RADIUS Access-Request (CHAP-Respo...]

  • Page 374

    1-9 request packet if it does not receive the response from the RADIUS server when this timer times out. Supplicant system timer (supp-timeout): this timer sets the supp-timeout period and is triggered by the switch after the switch sends a Request/Challenge packet to a supplicant system. The swit...

  • Page 375

    1-10 The 802.1X client needs to be capable of detecting multiple network adapters, proxies, and IE proxies. The CAMS server is configured to disable the use of multiple network adapters, proxies, or IE proxies. By default, an 802.1X client program allows use of multiple network adapters, proxies, a...

  • Page 376

    1-11 If a user of a port in the guest VLAN initiates authentication but fails the authentication, the port will be added to the Auth-Fail VLAN configured for the port, if any. If no Auth-Fail VLAN is configured, the port will stay in the guest VLAN. If a user of a port in the guest VLAN initiates au...

  • Page 377

    1-12 If the authentication server assigns a VLAN, the port joins the assigned VLAN. After the user goes offline, the port returns to its initial VLAN, that is, the VLAN the port was in before it was added to any authorized VLAN. If the authentication server assigns no VLAN, the port returns to i...

  • Page 378

    1-13 Figure 1-10 802.1X re-authentication. [Figure: PCs connected to a switch, which is connected to the Internet and to a RADIUS server.] 802.1X re-authentication can be enabled in one of the following two ways: the RADIUS server triggers the switch to perform 802.1X re-authentication of users. The RADIUS server sends the switch an Access-Accept packet ...

  • Page 379

    1-14 802.1X users use domain names to associate with the ISP domains configured on switches. Configure the AAA scheme (a local authentication scheme or a RADIUS scheme) to be adopted in the ISP domain. If you specify to use a local authentication scheme, you need to configure the user names and...

  • Page 381

    1-16 802.1X configurations take effect only after you enable 802.1X both globally and for specified ports. If you enable 802.1X for a port, you cannot set the maximum number of MAC addresses that can be learned on the port. Meanwhile, if you set the maximum number of MAC addresses that can be le...

  • Page 383

    1-18 authentication domains for different ports even if the user certificates are from the same certificate authority (that is, the user domain names are the same). This allows you to deploy 802.1X access policies flexibly. Table 1-3 shows the relations of the 802.1X username entered for authenticat...

  • Page 385

    1-20 Operation / Command / Remarks: set the client version checking period timer: dot1x timer ver-period ver-period-value (optional; by default, the timer is set to 30 seconds). As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command...

  • Page 386

    1-21 Configuring guest VLAN. Table 1-8 Configure a guest VLAN (operation / command / remarks): enter system view: system-view (—); enable the guest VLAN function: in system view, dot1x guest-vlan vlan-id [ interface interface-list ]; in port view, interface interface-type interface-number followed by dot1x guest-vlan vlan-id; q...

  • Page 387

    1-22 At present, only the S3100-EI series supports the Auth-Fail VLAN function. Different ports can be configured with different Auth-Fail VLANs, but a port can be configured with only one Auth-Fail VLAN. If you configure both 802.1X authentication and MAC authentication on a port and specify ...

  • Page 388

    1-23 2) The switch uses the value configured with the dot1x timer reauth-period command as the re-authentication interval for access users. Note the following: during re-authentication, the switch always uses the latest re-authentication interval configured, no matter which of the above-mentioned tw...

  • Page 389

    1-24 The switch is connected to a server group comprising two RADIUS servers whose IP addresses are 10.11.1.1 and 10.11.1.2. The RADIUS server with the IP address 10.11.1.1 operates as the primary authentication server and the secondary accounting server. The other operates as the secondary authent...

  • Page 390

    1-25 # Create a RADIUS scheme named radius1 and enter RADIUS scheme view. [Sysname] radius scheme radius1 # Assign IP addresses to the primary authentication and accounting RADIUS servers. [Sysname-radius-radius1] primary authentication 10.11.1.1 [Sysname-radius-radius1] primary accounting 10.11.1...

  • Page 391

    1-26 802.1X mandatory authentication domain configuration example. Network requirements: as shown in Figure 1-13, Host A (an 802.1X user) and Host B (a Telnet user) are connected to the Internet through Ethernet 1/0/1 and Ethernet 1/0/2 on Switch, respectively. It is required to implement RADIUS auth...

  • Page 392

    1-27 [Switch-isp-aabbcc] scheme radius-scheme radius1 [Switch-isp-aabbcc] quit # Configure RADIUS scheme radius1. [Switch] radius scheme radius1 [Switch-radius-radius1] primary authentication 10.110.91.164 1812 [Switch-radius-radius1] primary accounting 10.110.91.164 1813 [Switch-radius-radius1] key...

  • Page 393

    2-1 2 Quick EAD deployment configuration. The configuration introduced in this chapter is only supported by the S3100-EI series switches. Introduction to quick EAD deployment. Quick EAD deployment overview: as an integrated solution, an endpoint admission defense (EAD) solution can improve the overall ...

  • Page 394

    2-2 Configuring quick EAD deployment. Configuration prerequisites: enable 802.1X on the switch; set the access mode to auto for 802.1X-enabled ports. Configuration procedure. Configuring a free IP range: a free IP range is an IP range that users can access before passing 802.1X authentication. Table...

  • Page 395

    2-3 You can control the usage of ACL resources by setting the ACL timer. The ACL timer starts once a user gets online. If the user has not passed authentication when the ACL timer expires, the occupied ACL resources are released for other users to use. When a tremendous number of access requests are presen...

  • Page 396

    2-4 Network diagram: Figure 2-1 Network diagram for quick EAD deployment. Configuration procedure: before enabling quick EAD deployment, be sure that: the web server is configured properly; the default gateway of the user's PC is configured as the IP address of the connected VLAN interface on the s...

  • Page 397

    2-5 Troubleshooting. Symptom: a user cannot be redirected to the specified URL server, no matter what URL the user enters in the IE address bar. Solution: if a user enters an IP address in a format other than dotted decimal notation, the user may not be redirected. This is related to the oper...

  • Page 398: Habp Configuration

    3-1 3 HABP configuration. Introduction to HABP: with 802.1X enabled, a switch authenticates and then authorizes 802.1X-enabled ports. Packets can be forwarded only by authorized ports. For ports that have switches attached and are not authenticated and authorized by 802.1X, their received packets will be f...

  • Page 399

    3-2 HABP client configuration. HABP clients reside on switches attached to HABP servers. After you enable HABP for a switch, the switch operates as an HABP client by default, so you only need to enable HABP on a switch to make it an HABP client. Table 3-2 Configure an HABP client (operation / command / re...

  • Page 400

    4-1 4 System-guard configuration (for S3100-EI). The configuration introduced in this chapter is only supported by the S3100-EI series switches. System-guard overview: to implement system guard for the CPU, you must first determine whether the CPU is under attack. You should not determine whether t...

  • Page 401

    4-2 Operation / Command / Description: set the length of the isolation after an attack is detected: system-guard timer-interval isolate-timer (optional; by default, the length of the isolation after an attack is detected is 10 minutes). Displaying and maintaining system-guard: after the above configuration, e...

  • Page 402

    5-1 5 System-guard configuration (for S3100-SI). The configuration introduced in this chapter is only supported by the S3100-SI series switches. System-guard overview: the system-guard function checks system-guard-enabled ports regularly to determine whether the ports are under attack. With this function e...

  • Page 403

    5-2 Table 5-2 Configure system-guard related parameters (operation / command / description): enter system view: system-view (—); configure system-guard-related parameters: system-guard mode rate-limit interval-time threshold timeout (required; the default system-guard-related parameters are as follows: interval-t...

  • Page 404: Table of Contents

    I Table of contents: 1 AAA overview (1-1); Introduction to AAA (...

  • Page 405

    II Per user type AAA configuration example (2-31); Remote RADIUS authentication of Telnet/SSH users (2-32); Local authentication of FTP/Telnet users (...

  • Page 406: Aaa Overview

    1-1 1 AAA overview. Introduction to AAA: AAA is the acronym for the three security functions authentication, authorization and accounting. It provides a uniform framework for you to configure these three functions to implement network security management. Authentication: defines what users can acce...

  • Page 407

    1-2 Accounting: AAA supports the following accounting methods: none accounting: no accounting is performed for users; local accounting: it is not used for charging purposes, but for collecting statistics and limiting the number of local user connections; remote accounting: user accounting is pe...

  • Page 408

    1-3 Introduction to AAA services. Introduction to RADIUS: AAA is a management framework. It can be implemented by more than one protocol, but in practice the most commonly used service for AAA is RADIUS. What is RADIUS: RADIUS (Remote Authentication Dial-In User Service) is a distributed service based ...

  • Page 409

    1-4 the authentication response message. Figure 1-3 depicts the message exchange procedure between the user, the switch and the RADIUS server. Figure 1-3 Basic message exchange procedure of RADIUS. [Figure: RADIUS client and RADIUS server; (1) the user inputs the user name and password, (2) Access-Request, (3) Access-Accept, ...]

  • Page 410

    1-5 Figure 1-4 RADIUS message format. 2) The Code field (one byte) decides the type of RADIUS message, as shown in Table 1-1. Table 1-1 Description of the major values of the Code field (code / message type / message description): 1: Access-Request, direction client->server. The client transmits this messag...

  • Page 411

    1-6 5) The Authenticator field (16 bytes) is used to authenticate the response from the RADIUS server, and is used in the password hiding algorithm. There are two kinds of authenticators: request authenticator and response authenticator. 6) The Attributes field contains specific authentication/autho...

  • Page 412

1-7 Figure 1-5 depicts the format of attribute 26. The Vendor-ID field used to identify a vendor occupies four bytes, where the first byte is 0 and the other three bytes are defined in RFC 1700. Here, the vendor can encapsulate multiple customized sub-attributes (containing vendor-specific type, le...

  • Page 413

1-8 Figure 1-6: Network diagram for a typical HWTACACS application [figure labels: host, HWTACACS client, HWTACACS server, HWTACACS server]. Basic message exchange procedure in HWTACACS: the following text takes a Telnet user as an example to describe how HWTACACS implements authentication, authorization, and accounting for...

  • Page 414

1-9 1) A user sends a login request to the switch acting as a TACACS client, which then sends an authentication start request to the TACACS server. 2) The TACACS server returns an authentication response, asking for the username. Upon receiving the response, the TACACS client requests the user for t...

  • Page 415: Aaa Configuration

2-1 2 AAA configuration. AAA configuration task list. Configuration introduction: you need to configure AAA to provide network access services for legal users while protecting network devices and preventing unauthorized access and repudiation behavior. Table 2-1: AAA configuration tasks (configuring a c...

  • Page 416

2-2 (Task | Remarks): cutting down user connections forcibly | optional. Creating an ISP domain and configuring its attributes. Table 2-3: Create an ISP domain and configure its attributes (Operation | Command | Remarks): enter system view | system-view | —; configure the form of the delimiter between the user name and t...

  • Page 417

2-3 • If you have configured to use "." as the delimiter, for a user name that contains multiple ".", the first "." will be used as the domain delimiter. • If you have configured to use "@" as the delimiter, the "@" must not appear more than once in the user name. • If the system does not find any a...

  • Page 419

2-5 • You can execute the scheme radius-scheme radius-scheme-name command to adopt an already configured RADIUS scheme to implement all three AAA functions. If you adopt the local scheme, only the authentication and authorization functions are implemented; the accounting function cannot be imple...

  • Page 420

2-6 • Local authentication (local): authentication is performed by the NAS, which is configured with the user information, including the usernames, passwords, and attributes. Local authentication features high speed and low cost, but the amount of information that can be stored is limited by the har...

  • Page 422

2-8 Configuring dynamic VLAN assignment: the dynamic VLAN assignment feature enables a switch to dynamically add the switch ports of successfully authenticated users to different VLANs according to the attributes assigned by the RADIUS server, so as to control the network resources that different use...

  • Page 423

2-9 • In string mode, if the VLAN ID assigned by the RADIUS server is a character string containing only digits (for example, 1024), the switch first regards it as an integer VLAN ID: the switch transforms the string to an integer value and judges if the value is in the valid VLAN ID range; if it is...

  • Page 425

2-11 You can use the display connection command to view the connections of Telnet users, but you cannot use the cut connection command to cut down their connections. RADIUS configuration task list: H3C's Ethernet switches can function not only as RADIUS clients but also as local RADIUS servers. Table...

  • Page 426

2-12 (Task | Remarks): configuring the type of RADIUS servers to be supported | optional; configuring the status of RADIUS servers | optional; configuring the attributes of data to be sent to RADIUS servers | optional; configuring the local RADIUS authentication server function | required; configuring timers for RAD...

  • Page 427

2-13 (Operation | Command | Remarks): enable RADIUS authentication port | radius client enable | optional; by default, the RADIUS authentication port is enabled. Create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | required; by default, a RADIUS scheme named "system" has already been created in...

  • Page 428

2-14 • The authentication response sent from the RADIUS server to the RADIUS client carries authorization information. Therefore, you need not (and cannot) specify a separate RADIUS authorization server. • In an actual network environment, you can specify one server as both the primary and secondary...

  • Page 429

2-15 Follow these steps to configure the RADIUS authorization attribute ignoring function (To do… | Use the command… | Remarks): enter system view | system-view | —; create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | required; by default, a RADIUS scheme named "system" has already been c...

  • Page 430

2-16 Configuring RADIUS accounting servers. Table 2-14: Configure RADIUS accounting servers (Operation | Command | Remarks): enter system view | system-view | —; create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | required; by default, a RADIUS scheme named "system" has already been created ...

  • Page 431

2-17 • In an actual network environment, you can specify one server as both the primary and secondary accounting servers, as well as specifying two RADIUS servers as the primary and secondary accounting servers respectively. In addition, because RADIUS adopts different UDP ports to exchange authenti...

  • Page 432

2-18 The authentication/authorization shared key and the accounting shared key you set on the switch must be respectively consistent with the shared key on the authentication/authorization server and the shared key on the accounting server. Configuring the maximum number of RADIUS request transmissi...

  • Page 433

2-19 • If you change the type of RADIUS server, the data stream destined to the original RADIUS server will be restored to the default unit. • When a third-party RADIUS server is used, you can select standard or extended as the server-type in a RADIUS scheme; when the CAMS server is used, you can ...

  • Page 434

2-20 Configuring the attributes of data to be sent to RADIUS servers. Table 2-19: Configure the attributes of data to be sent to RADIUS servers (Operation | Command | Remarks): enter system view | system-view | —; create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | required; by default, a RA...

  • Page 435

2-21 • Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the "@" or "." character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old RADIUS servers cannot accept the user name...

  • Page 436

2-22 • If you adopt the local RADIUS authentication server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this switch. • The message ...

  • Page 437

2-23 (Operation | Command | Remarks): create a RADIUS scheme and enter its view | radius scheme radius-scheme-name | required; by default, a RADIUS scheme named "system" has already been created in the system. Set the response timeout time of RADIUS servers | timer response-timeout seconds | optional; by default, th...

  • Page 438

2-24 In an environment where a CAMS server is used to implement AAA functions, if the switch reboots after an exclusive user (a user whose concurrent online number is set to 1 on the CAMS) gets authenticated and authorized and begins being charged, the switch will give a prompt that the user has alre...

  • Page 439

2-25 HWTACACS configuration task list. Table 2-24: HWTACACS configuration tasks (Task | Remarks): creating an HWTACACS scheme | required; configuring TACACS authentication servers | required; configuring TACACS authorization servers | required; configuring TACACS accounting servers | optional; configuring shared keys ...

  • Page 440

2-26 (Operation | Command | Remarks): set the IP address and port number of the primary TACACS authentication server | primary authentication ip-address [ port ] | required; by default, the IP address of the primary authentication server is 0.0.0.0, and the port number is 0. Set the IP address and port number o...

  • Page 441

2-27 Configuring TACACS accounting servers. Table 2-28: Configure TACACS accounting servers (Operation | Command | Remarks): enter system view | system-view | —; create an HWTACACS scheme and enter its view | hwtacacs scheme hwtacacs-scheme-name | required; by default, no HWTACACS scheme exists. Set the IP address and...

  • Page 443

2-29 Configuring the timers regarding TACACS servers. Table 2-31: Configure the timers regarding TACACS servers (Operation | Command | Remarks): enter system view | system-view | —; create an HWTACACS scheme and enter its view | hwtacacs scheme hwtacacs-scheme-name | required; by default, no HWTACACS scheme exists. Se...

  • Page 445

2-31 (Operation | Command | Remarks): delete buffered non-response stop-accounting requests | reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name. AAA configuration examples. Per user type AAA configuration example. Network requirements: as shown in Figure 2-2, Host A, serving as an 802.1x user, a...

  • Page 446

2-32 # Configure RADIUS scheme radius1. [switch] radius scheme radius1 [switch-radius-radius1] primary authentication 10.110.91.164 1812 [switch-radius-radius1] primary accounting 10.110.91.164 1813 [switch-radius-radius1] key authentication aabbcc [switch-radius-radius1] server-type extended [switc...

  • Page 447

2-33 The Telnet user names added to the RADIUS server must be in the format userid@isp-name if you have configured the switch to include domain names in the user names sent to the RADIUS server in the RADIUS scheme. Network diagram: Figure 2-3: Remote RADIUS authentication of Telnet users. Con...

  • Page 448

2-34 The configuration procedure for local authentication of FTP users is similar to that for Telnet users. The following text only takes Telnet users as an example to describe the configuration procedure for local authentication. Network requirements: in the network environment shown in Figure 2-4, yo...

  • Page 449

2-35 • Change the server IP address and the UDP port number of the authentication server to 127.0.0.1 and 1645 respectively in the configuration step "configure a RADIUS scheme" in section "Remote RADIUS authentication of Telnet/SSH users". • Enable the local RADIUS server function, set the IP addr...

  • Page 450

2-36 Troubleshooting AAA. Troubleshooting RADIUS configuration: the RADIUS protocol operates at the application layer in the TCP/IP protocol suite. This protocol prescribes how the switch and the RADIUS server of the ISP exchange user information with each other. Symptom 1: user authentication/authori...

  • Page 451: Ead Configuration

3-1 3 EAD configuration. Only the S3100-EI series switches support the EAD configuration. Introduction to EAD: Endpoint Admission Defense (EAD) is an attack defense solution. Using this solution, you can enhance the active defense capability of network endpoints, prevent viruses and worms from spread...

  • Page 452

3-2 Figure 3-1: Typical network application of EAD [figure labels: virus patch server, supplicant, authentication server, security policy server]. After a client passes the authentication, the security client (software installed on the client PC) interacts with the security policy server to check the security status of t...

  • Page 453

3-3 EAD configuration example. Network requirements in Figure 3-2: • A user is connected to Ethernet 1/0/1 on the switch. • The user adopts an 802.1x client supporting the EAD extended function. • You are required to configure the switch to use the RADIUS server for remote user authentication and use the security ...

  • Page 454

3-4 [sysname-radius-cams] key authentication expert [sysname-radius-cams] server-type extended # Configure the IP address of the security policy server. [sysname-radius-cams] security-policy-server 10.110.91.166 # Associate the domain with the RADIUS scheme. [sysname-radius-cams] quit [sysname] doma...

  • Page 455: Table of Contents

i Table of contents: 1 MAC authentication configuration (1-1); MAC authentication overview ...

  • Page 456

1-1 1 MAC authentication configuration. MAC authentication overview: MAC authentication provides a way for authenticating users based on ports and MAC addresses, without requiring any client software to be installed on the hosts. Once it detects a new MAC address, it initiates the authentication proces...

  • Page 457

1-2 Related concepts. MAC authentication timers: the following timers function in the process of MAC authentication: • Offline detect timer: at this interval, the switch checks to see whether an online user has gone offline. Once it detects that a user has gone offline, the switch sends a stop-accountin...

  • Page 458

1-3 (Operation | Command | Remarks): set the user name in fixed mode for MAC authentication | mac-authentication authmode usernamefixed; configure the user name | mac-authentication authusername username; set the user name in fixed mode for MAC authentication, configure the password | mac-authentication authpasswor...

  • Page 459

1-4 MAC address authentication enhanced function configuration. MAC address authentication enhanced function configuration tasks. Table 1-2: MAC address authentication enhanced function configuration tasks (Operation | Description | Related section): configure a guest VLAN or auth-fail VLAN | optional | section "...

  • Page 460

1-5 In PGV or PAFV mode, when a user fails MAC authentication on a port, the device adds the port to the guest VLAN or auth-fail VLAN. Therefore, the guest VLAN can separate unauthenticated users on an access port. When it comes to a trunk port or a hybrid port, if a packet itself carries a VLAN tag...

  • Page 461

1-6 • The auth-fail VLAN for MAC authentication takes precedence over the guest VLAN for MAC authentication. When both of them are configured on a user access port and they are different VLANs, a user failing MAC authentication on the port will be added to the auth-fail VLAN, that is, the user is au...

  • Page 462

1-7 • If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller of the two configured limits is adopted as the maximum number of MAC address authentication users allow...

  • Page 463

1-8 MAC authentication configuration example. Network requirements: as illustrated in Figure 1-1, a supplicant is connected to the switch through port Ethernet 1/0/2. • MAC authentication is required on port Ethernet 1/0/2 to control user access to the Internet. • All users belong to domain aabbcc.ne...

  • Page 464

1-9 After doing so, your MAC authentication configuration will take effect immediately. Only users with the MAC address 00-0d-88-f6-44-c1 are allowed to access the Internet through port Ethernet 1/0/2.

  • Page 465: Table of Contents

i Table of contents: 1 Web authentication configuration (1-1); introduction to web authentication ...

  • Page 466

1-1 1 Web authentication configuration. When configuring web authentication, go to these sections for information you are interested in: • Introduction to web authentication • Web authentication configuration • Configuring an auth-fail VLAN for web authentication • Configuring a web authentication-fr...

  • Page 467

1-2 • Web authentication can use only a RADIUS authentication scheme; it does not support local authentication. • The user number limit configured under an AAA scheme does not take effect for web authentication. Web authentication does not support accounting. Configure accounting for the AAA scheme ...

  • Page 468

1-3 • Before enabling global web authentication, you should first set the IP address of a web authentication server. • Do not add a web authentication enabled port to a port aggregation group and do not enable web authentication on a port that is in a port aggregation group. • You can make web authe...

  • Page 469

1-4 Configuration procedure. Follow these steps to configure an auth-fail VLAN for web authentication (To do… | Use the command… | Remarks): enter system view | system-view | —; enter port view | interface interface-type interface-number | —; configure an auth-fail VLAN for web authentication | web-authentication auth...

  • Page 470

1-5 After you configure HTTPS access for web authentication on the switch, the switch will allow clients to use HTTPS to open the authentication pages for secure transmission of authentication information. Configuration prerequisites: to configure the access protocol as HTTPS, be sure to configure th...

  • Page 471

1-6 The web-authentication customize command is used to customize part of the information provided on the default authentication page. You cannot change the overall style of the authentication page. This is applicable to simple authentication pages. Customizing authentication pages: the device also s...

  • Page 472

1-7 Table 1-1: Main authentication page file names (Main authentication page | File name): login page | login.htm; login success page | loginsuccess.htm; login failure page | loginfail.htm; online page, pushed for online state notification | online.htm; system busy page, pushed when the system is busy or the user is in...

  • Page 473

1-8 3) Authentication pages loginsuccess.htm and online.htm must contain the logout POST request. The following example shows part of the script in page online.htm. Rules on page file compression and saving: • A set of authentication page files must be compressed into a standard zip file. A zip file ...

  • Page 474

1-9 The auto mode allows a user to move between ports in the same VLAN rather than different VLANs. If a user moves between VLANs, the access is denied but the previous port is still open for this user. Configuring a proxy server port for web authentication: when a proxy server is used for web authen...

  • Page 475

1-10 Web authentication configuration example. Network requirements: as shown in Figure 1-1, a user connects to the Ethernet switch through port Ethernet 1/0/1. • Configure the DHCP server so that users can obtain IP addresses from it. • Configure web authentication on Ethernet 1/0/1 to control the a...

  • Page 476

1-11 [sysname-radius-radius1] key authentication expert # Configure the system to strip the domain name off a user name before transmitting the user name to the RADIUS server. [sysname-radius-radius1] user-name-format without-domain [sysname-radius-radius1] quit # Create ISP domain aabbcc.net for web a...

  • Page 477: Table of Content

i Table of contents: 1 Triple authentication configuration (1-1); triple authentication overview ...

  • Page 478

1-1 1 Triple authentication configuration. Triple authentication overview: currently, among S3100 series Ethernet switches, only the S3100-EI series support triple authentication. Background: the terminals in a LAN may support different authentication methods. As shown in Figure 1-1, a printer support...

  • Page 479

1-2 • Upon startup, a terminal triggers MAC authentication first on the access device. If it passes MAC authentication, no other types of authentication will be performed. If it fails, 802.1x or web authentication can be triggered. • If a terminal sends an EAP packet using the 802.1x client or a thi...

  • Page 480

1-3 Triple authentication configuration. Complete the following tasks to configure triple authentication (Task | Remarks | For details): configure 802.1x authentication | required | refer to 802.1x and System-Guard Operation; configure MAC authentication | required | refer to MAC Address Authentication Operation. ...

  • Page 481

1-4 Configuration procedure: • Make sure that the terminals, the servers and the switch are reachable to each other. • If using an external DHCP server, ensure that the terminals can get IP addresses from the server before and after authentication. • Complete the configuration on the RADIUS server an...

  • Page 482

1-5 Configure IP address pool 3, including the address range, lease and gateway address. A short lease is recommended to shorten the time terminals take to re-acquire IP addresses after failing authentication or being logged off. [switch] dhcp server ip-pool 3 [switch-dhcp-pool-3] network 3.3.3.0 mas...

  • Page 483

1-6 # Set the MAC authentication timers. [switch] mac-authentication timer offline-detect 180 [switch] mac-authentication timer quiet 180 # Specify the MAC authentication username format as MAC address, that is, using the MAC address (with hyphens) of a user as the username and password for MAC auth...

  • Page 484: Table of Contents

i Table of contents: 1 ARP configuration (1-1); introduction to ARP ...

  • Page 485: Arp Configuration

1-1 1 ARP configuration. Introduction to ARP. ARP function: Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address. An IP address is the address of a host at the network layer. To send a network layer packet to a destination host, the device must know the data...

  • Page 486

1-2 Table 1-1 describes the fields of an ARP packet. Table 1-1: Description of the fields of an ARP packet (Field | Description): hardware type | type of the hardware interface; refer to Table 1-2 for the information about the field values. Protocol type | type of protocol address to be mapped; 0x0800 indicat...

  • Page 487

1-3 Table 1-3: ARP entries (ARP entry | Generation method | Maintenance mode): static ARP entry | manually configured | manual maintenance; dynamic ARP entry | dynamically generated | ARP entries of this type age with time; the aging period is set by the ARP aging timer. ARP process. Figure 1-2: ARP process. Suppose th...

  • Page 488

1-4 Introduction to ARP attack detection. Man-in-the-middle attack: according to the ARP design, after receiving an ARP response, a host adds the IP-to-MAC mapping of the sender into its ARP mapping table even if the MAC address is not the real one. This can reduce the ARP traffic in the network, but ...

  • Page 489

1-5 ...packets, or through trusted ports if the MAC address table contains no such destination MAC addresses. Introduction to ARP packet rate limit: to prevent the man-in-the-middle attack, a switch enabled with the ARP attack detection function delivers ARP packets to the CPU to check the validity of t...

  • Page 490

1-6 (Operation | Command | Remarks): configure the ARP aging timer | arp timer aging aging-time | optional; by default, the ARP aging timer is set to 20 minutes. Enable the ARP entry checking function (that is, disable the switch from learning ARP entries with multicast MAC addresses) | arp check enable | optional ...

  • Page 491

1-7 (Operation | Command | Remarks): enable the ARP attack detection function | arp detection enable | required; by default, ARP attack detection is disabled on all ports. Quit to system view | quit | —; enter Ethernet port view | interface interface-type interface-number | —; configure the port as an ARP trusted port | ar...

  • Page 492

1-8 Table 1-6: Configure the ARP packet rate limit function (Operation | Command | Remarks): enter system view | system-view | —; enter Ethernet port view | interface interface-type interface-number | —; enable the ARP packet rate limit function | arp rate-limit enable | required; by default, the ARP packet rate limit fun...

  • Page 493

1-9 The sending of gratuitous ARP packets is enabled as long as an S3100 switch operates. No command is needed for enabling this function. That is, the device sends gratuitous ARP packets whenever a VLAN interface is enabled (such as when a link is enabled or an IP address is configured for the VLAN...

  • Page 494

1-10 • Add a static ARP entry, with the IP address being 192.168.1.1, the MAC address being 000f-e201-0000, and the outbound port being Ethernet1/0/10 of VLAN 1. Configuration procedure: system-view [sysname] undo arp check enable [sysname] arp timer aging 10 [sysname] arp static 192.168.1.1 000f-e20...

  • Page 495

1-11 [switcha-ethernet1/0/1] arp detection trust [switcha-ethernet1/0/1] quit # Enable ARP attack detection on all ports in VLAN 1. [switcha] vlan 1 [switcha-vlan1] arp detection enable [switcha-vlan1] quit # Enable the ARP packet rate limit function on Ethernet1/0/2, and set the maximum ARP packet ...

  • Page 496: Table of Contents

i Table of contents: 1 DHCP overview (1-1); introduction to DHCP ...

  • Page 497

ii Introduction to DHCP accounting (2-23); DHCP accounting fundamentals (2-23); DHCP accounting configuration ...

  • Page 498: Dhcp Overview

1-1 1 DHCP overview. Introduction to DHCP: with networks getting larger in size and more complicated in structure, lack of available IP addresses becomes the common situation the network administrators have to face, and network configuration becomes a tough task for the network administrators. With th...

  • Page 499

1-2 Obtaining IP addresses dynamically: a DHCP client undergoes the following four phases to dynamically obtain an IP address from a DHCP server: 1) Discover: in this phase, the DHCP client tries to find a DHCP server by broadcasting a DHCP-DISCOVER packet. 2) Offer: in this phase, the DHCP server of...

  • Page 500

1-3 If the DHCP client fails to update its IP address lease when half of the lease time elapses, it will update its IP address lease by broadcasting a DHCP-REQUEST packet to the DHCP servers again when seven-eighths of the lease time elapses. The DHCP server performs the same operations as those des...

  • Page 501

1-4 Protocol specification. Protocol specifications related to DHCP include: • RFC 2131: Dynamic Host Configuration Protocol • RFC 2132: DHCP Options and BOOTP Vendor Extensions • RFC 1542: Clarifications and Extensions for the Bootstrap Protocol • RFC 3046: DHCP Relay Agent Information Option.

  • Page 502: Dhcp Server Configuration

2-1 2 DHCP server configuration. When configuring the DHCP server, go to these sections for information you are interested in: • Introduction to DHCP server • DHCP server configuration task list • Enabling DHCP • Configuring the global address pool based DHCP server • Configuring the interface addres...

  • Page 503

2-2 ...picks an IP address from the pool and sends the IP address and other related parameters (such as the IP address of the DNS server, and the lease time of the IP address) to the DHCP client. Types of address pool: the address pools of a DHCP server fall into two types: global address pool and inter...

  • Page 504

2-3 The DHCP server assigns an IP address to the client in the following order from an interface address pool or a global address pool: 3) If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server will select this address pool and ass...

  • Page 505

2-4 (To do… | Use the command… | Remarks): enter system view | system-view | —; enable DHCP | dhcp enable | optional; by default, DHCP is enabled. To improve security and avoid malicious attacks on unused sockets, S3100 Ethernet switches provide the following functions: • UDP port 67 and UDP port 68, the ports used by DH...

  • Page 506

2-5 Enabling the global address pool mode on interface(s): you can configure the global address pool mode on the specified or all interfaces of a DHCP server. After that, when the DHCP server receives DHCP packets from DHCP clients through these interfaces, it assigns IP addresses in the global addre...

  • Page 507

2-6 ...address, the DHCP server searches for the IP address corresponding to the MAC address of the DHCP client and assigns the IP address to the DHCP client. When some DHCP clients send DHCP-DISCOVER packets to the DHCP server to apply for IP addresses, they construct client IDs and add them in the DH...

  • Page 508

2-7 To improve security and avoid malicious attacks on unused sockets, S3100 Ethernet switches provide the following functions: • UDP 67 and UDP 68, the ports used by DHCP, are enabled only when DHCP is enabled. • UDP 67 and UDP 68 ports are disabled when DHCP is disabled. The corresponding implementat...

  • Page 509

2-8 • In the same DHCP global address pool, the network command can be executed repeatedly. In this case, the new configuration overwrites the previous one. • The dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple IP addresses that are not dynamically as...

  • Page 510

2-9 Configuring WINS servers for the DHCP client: for Microsoft Windows-based DHCP clients that communicate through the NetBIOS protocol, the host name-to-IP address translation is carried out by Windows Internet Naming Service (WINS) servers. So you need to perform WINS-related configuration for most Wi...

  • Page 511

2-10 Configuring gateways for the DHCP client: gateways are necessary for DHCP clients to access servers/hosts outside the current network segment. After you configure gateway addresses on a DHCP server, the DHCP server provides the gateway addresses to DHCP clients as well while assigning IP address...

  • Page 512

2-11 • Sub-option 4: fail-over call routing. Meanings of the sub-options for option 184. Figure 2-1: Meanings of the sub-options for option 184 (Sub-option | Feature | Function | Note): NCP-IP (sub-option 1) | the NCP-IP sub-option carries the IP address of the network call processor (NCP). The IP address of the...

  • Page 513

2-12 For the configurations specifying to add sub-option 2, sub-option 3, and sub-option 4 in the response packets to take effect, you need to configure the DHCP server to add sub-option 1. Mechanism of using option 184 on the DHCP server: the DHCP server encapsulates the information for option 184 to ca...

  • Page 514

2-13 ...specify an IP address for the network calling processor before performing other configuration. Configuring a self-defined DHCP option: by configuring self-defined DHCP options, you can: • Define new DHCP options. New configuration options will come out with DHCP development. To support new optio...

  • Page 515

2-14 Configuring the interface address pool based DHCP server: in the interface address pool mode, after the addresses in the interface address pool have been assigned, the DHCP server picks IP addresses from the global interface address pool containing the network segment of the interface address po...

  • Page 516

    Task | Remarks
    Enabling the interface address pool mode on interface(s) | Required
    Configuring an address allocation mode for an interface address pool: configuring the static IP address allocation mode, or configuring the dynamic IP address allocation mode | One of the two options is required. And these ...

  • Page 517

    To improve security and avoid malicious attacks on the unused sockets, S3600 Ethernet switches provide the following functions:
    • UDP port 67 and UDP port 68, the ports used by DHCP, are enabled only when DHCP is enabled.
    • UDP port 67 and UDP port 68 are disabled when DHCP is disabled. The corr...

  • Page 518

    • The IP addresses statically bound in interface address pools and the interface IP addresses must be in the same network segment.
    • There is no limit to the number of IP addresses statically bound in an interface address pool, but the IP addresses statically bound in interface address pools an...

  • Page 519

    To do… | Use the command… | Remarks
    Specify the IP addresses that are not dynamically assigned | dhcp server forbidden-ip low-ip-address [ high-ip-address ] | Optional. By default, all IP addresses in a DHCP address pool are available for being dynamically assigned.
    • The dhcp server forbidden-ip comman...

  • Page 520

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Configure DNS server addresses for DHCP clients: configure the current interface | interface interface-type interface-number, then dhcp server dns-list ip-address&, then quit |
    Configure DNS server addresses for DHCP clients: configure multiple interfaces in system view | dhcp server dns-list ip-ad...

  • Page 522

    Follow these steps to configure Option 184 parameters for the client with voice service:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter interface view | interface interface-type interface-number | —
    Specify the primary network calling processor | dhcp server voice-config ncp-ip...

  • Page 523

    • Define new DHCP options. New configuration options will come out with DHCP development. To support new options, you can add them into the attribute list of the DHCP server.
    • Extend existing DHCP options. When the current DHCP options cannot meet customers' requirements (for example, you cann...

  • Page 524

    To do… | Use the command… | Remarks
    Enable the unauthorized DHCP server detecting function | dhcp server detect | Required. Disabled by default. With the unauthorized DHCP server detection enabled, the relay agent will log all DHCP servers, including authorized ones, and each server is recorded only onc...

  • Page 525

    • After sending a DHCP-ACK packet with the IP configuration parameters to the DHCP client, the DHCP server sends an accounting start packet to a specified RADIUS server. The RADIUS server processes the packet, makes a record, and sends a response to the DHCP server.
    • Once releasing a lease, th...

  • Page 526

    If a DHCP server is configured to ignore Option 82, after the DHCP server receives packets containing Option 82, the DHCP server will not add Option 82 to the responses when assigning IP addresses and other configuration information to the clients. Follow these steps to configure the DHCP ser...

  • Page 527

    DHCP server configuration examples
    Currently, DHCP networking can be implemented in two ways. One is to deploy the DHCP server and DHCP clients in the same network segment. This enables the clients to communicate with the server directly. The other is to deploy the DHCP server and DHCP clients ...

  • Page 528

    If you use the inheriting relation of parent and child address pools, make sure that the number of the assigned IP addresses does not exceed the number of the IP addresses in the child address pool; otherwise extra IP addresses will be obtained from the parent address pool, and the attributes (...

  • Page 529

    # Configure DHCP address pool 0, including address range, domain name suffix of the clients, and domain name server address.
    [switcha] dhcp server ip-pool 0
    [switcha-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
    [switcha-dhcp-pool-0] domain-name aabbcc.com
    [switcha-dhcp-pool-0] dns-list 10.1...

  • Page 530

    Network diagram
    Figure 2-3 Network diagram for Option 184 support configuration (three DHCP clients, a 3Com VCX, and a DHCP server with IP 10.1.1.1/24)
    Configuration procedure
    1) Configure the DHCP client. Configure the 3Com VCX device to operate as a DHCP client and to request all sub-opti...

  • Page 531

    • The IP address of VLAN-interface 1 is 10.1.1.1/24, and that of VLAN-interface 2 is 10.1.2.1/24.
    • The IP address of the RADIUS server is 10.1.2.2/24.
    • DHCP accounting is enabled on the DHCP server.
    • The IP addresses of the global DHCP address pool belong to the network segment 10.1.1.0. Th...

  • Page 532

    [sysname] domain 123
    [sysname-isp-123] scheme radius-scheme 123
    [sysname-isp-123] quit
    # Create an address pool on the DHCP server.
    [sysname] dhcp server ip-pool test
    [sysname-dhcp-pool-test] network 10.1.1.0 mask 255.255.255.0
    # Enable DHCP accounting.
    [sysname-dhcp-pool-test] accounting domai...

  • Page 533: Dhcp Snooping Configuration

    3 DHCP Snooping Configuration
    Introduction
    Introduction to DHCP snooping
    For the sake of security, the IP addresses used by online DHCP clients need to be tracked for the administrator to verify the corresponding relationship between the IP addresses the DHCP clients obtained from DHCP servers a...

  • Page 534

    • Trusted: a trusted port is connected to an authorized DHCP server directly or indirectly. It forwards DHCP messages to guarantee that DHCP clients can obtain valid IP addresses.
    • Untrusted: an untrusted port is connected to an unauthorized DHCP server. The DHCP-ACK or DHCP-OFFER packets recei...

  • Page 535

    Padding content and frame format of Option 82
    There is no specification for what should be padded in Option 82. Manufacturers can pad it as required. By default, the sub-options of Option 82 for S3100-EI series Ethernet switches (enabled with DHCP snooping) are padded as follows:
    • Sub-option 1 ...

  • Page 536

    Figure 3-5 Standard format of the remote ID sub-option
    Mechanism of DHCP-snooping Option 82
    With DHCP snooping and DHCP-snooping Option 82 support enabled, when the DHCP snooping device receives a DHCP client's request containing Option 82, it will handle the packet according to the handling pol...

  • Page 537

    The circuit ID and remote ID sub-options in Option 82, which can be configured simultaneously or separately, are independent of each other in terms of configuration sequence. When the DHCP snooping device receives a DHCP response packet from the DHCP server, the DHCP snooping device will delete ...

  • Page 538

    DHCP snooping configuration
    Configuring DHCP snooping
    Follow these steps to configure DHCP snooping:
    Operation | Command | Description
    Enter system view | system-view | —
    Enable DHCP snooping | dhcp-snooping | Required. By default, the DHCP snooping function is disabled.
    • After DHCP snooping is enabled on a...

  • Page 539

    Configuring unauthorized DHCP server detection
    Only the S3100-SI series among S3100 series switches support the unauthorized DHCP server detection. Follow these steps to configure unauthorized DHCP server detection:
    Operation | Command | Description
    Enter system view | system-view | —
    Enter Ethernet por...

  • Page 540

    • Only the S3100-EI series among S3100 series switches support the DHCP-snooping Option 82 support feature.
    • Enable DHCP snooping and specify trusted ports on the switch before configuring DHCP snooping to support Option 82.
    Table 3-1 DHCP-snooping Option 82 support configuration task list
    Task...

  • Page 541

    If a handling policy is configured on a port, this configuration overrides the globally configured handling policy for requests received on this port, while the globally configured handling policy applies on those ports where a handling policy is not natively configured.
    Configure the storage fo...

  • Page 542

    • If you have configured a circuit ID with the vlan vlan-id argument specified, and another one without the argument in Ethernet port view, the former circuit ID applies to the DHCP messages from the specified VLAN, while the latter applies to DHCP messages from other VLANs.
    • In a port a...

  • Page 543

    • If you configure a remote ID sub-option both in system view and on a port, the remote ID sub-option configured on the port applies when the port receives a packet, and the global remote ID applies to other interfaces that have no remote ID sub-option configured.
    • If you have configured a rem...

  • Page 544

    • Enable DHCP snooping and specify trusted ports on the switch before configuring IP filtering.
    • Configuring IP filtering on the ports of an aggregation group is not recommended.
    • To create a static binding after IP filtering is enabled with the mac-address keyword specified on a port, ...

  • Page 545

    DHCP snooping configuration example
    DHCP-snooping Option 82 support configuration example
    Network requirements
    As shown in Figure 3-8, Ethernet1/0/5 of the switch (S3100-EI) is connected to the DHCP server, and Ethernet1/0/1, Ethernet1/0/2, and Ethernet1/0/3 are respectively connected to clien...

  • Page 546

    # Set the circuit ID sub-option in DHCP packets from VLAN 1 to "abcd" on Ethernet 1/0/3.
    [switch] interface ethernet1/0/3
    [switch-ethernet1/0/3] dhcp-snooping information vlan 1 circuit-id string abcd
    Unauthorized DHCP server detection configuration example
    Network requirements
    As shown in Figu...

  • Page 547

    [sysname-ethernet1/0/2] quit
    # Enable unauthorized DHCP server detection on Ethernet 1/0/3.
    [sysname] interface ethernet1/0/3
    [sysname-ethernet1/0/3] dhcp-snooping server-guard enable
    # Specify the method for handling unauthorized DHCP servers as shutdown on Ethernet 1/0/3.
    [sysname-ethernet1/...

  • Page 548

    [switch-ethernet1/0/1] dhcp-snooping trust
    [switch-ethernet1/0/1] quit
    # Enable IP filtering on Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 to filter packets based on the source IP addresses/MAC addresses.
    [switch] interface ethernet1/0/2
    [switch-ethernet1/0/2] ip check source ip-address ma...

  • Page 549

    4 DHCP Packet Rate Limit Configuration
    The contents of this chapter are only applicable to the S3100-EI series among S3100 series switches.
    Introduction to DHCP packet rate limit
    To prevent ARP attacks and attacks from unauthorized DHCP servers, ARP packets and DHCP packets will be processed by ...

  • Page 550

    Configuring DHCP packet rate limit
    Configuring DHCP packet rate limit
    Follow these steps to configure rate limit of DHCP packets:
    Operation | Command | Description
    Enter system view | system-view | —
    Enter port view | interface interface-type interface-number | —
    Enable the DHCP packet rate limit function | d...

  • Page 551

    Networking diagram
    Figure 4-1 Network diagram for DHCP packet rate limit configuration (Client A, Client B, the DHCP server, and the DHCP snooping switch; ports Ethernet1/0/1, Ethernet1/0/2, and Ethernet1/0/11)
    Configuration procedure
    # Enable DHCP snooping on the switch.
    system-view
    [switch] dhcp-snooping
    # Specify Ethernet1/0/1 a...

  • Page 552

    5 DHCP/BOOTP Client Configuration
    Introduction to DHCP client
    After you specify a VLAN interface as a DHCP client, the device can use DHCP to obtain parameters such as the IP address dynamically from the DHCP server, which facilitates user configuration and management. Refer to "Obtaining IP addres...

  • Page 553

    • The S3100 EPON series Ethernet switches do not support the automatic configuration feature.
    • To implement the automatic configuration feature, there is no need to configure the devices that need to get a configuration file, but you need to configure some parameters on the DHCP server and save the con...

  • Page 554

    An intermediate file maintains the IP address-to-host name mappings, which are created using the ip host hostname ip-address command. When you use this command:
    • The hostname argument is a character string consisting of letters, digits, "." and "_" only, which cannot start with ".".
    • You can en...

  • Page 555

    Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to assign an IP address to the BOOTP client, without needing to configure any BOOTP server.
    Configuring a DHCP/BOOTP client
    Follow these steps to configure a DHCP/BOOTP client:
    Operation | Command | Description
    Enter...

  • Page 556

    DHCP client configuration example
    Network requirements
    Using DHCP, VLAN-interface 1 of Switch A is connected to the LAN to obtain an IP address from the DHCP server.
    Network diagram
    Figure 5-2 A DHCP network
    Configuration procedure
    The following describes only the configuration on Switch A servi...

  • Page 557: Table of Contents

    i Table of Contents
    1 ACL Configuration 1-1
    ACL Overview ...

  • Page 558: Acl Configuration

    1 ACL Configuration
    ACL overview
    As the network scale and network traffic are increasingly growing, security control and bandwidth assignment play a more and more important role in network management. Filtering data packets can prevent a network from being accessed by unauthorized users efficien...

  • Page 559

    For the depth-first rule, there are two cases:
    Depth-first match order for rules of a basic ACL
    1) Range of source IP address: the smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
    2) fragment keyword: a rule with the fra...

  • Page 560

    Being referenced by upper-level software
    ACLs can also be used to filter and classify the packets to be processed by software. In this case, the rules in an ACL can be matched in one of the following two ways:
    • config, where rules in an ACL are matched in the order defined by the user.
    • auto, ...

  • Page 561

    • Periodic time range, which recurs periodically on the day or days of the week.
    • Absolute time range, which takes effect only in a period of time and does not recur. An absolute time range on an H3C S3100 series Ethernet switch can be within the range 1970/1/1 00:00 to 2100/12/31 24:00.
    Conf...

  • Page 562

    time-range : test ( inactive )
    08:00 to 18:00 working-day
    # Define an absolute time range that spans from 15:00 1/28/2006 to 15:00 1/28/2008.
    system-view
    [sysname] time-range test from 15:00 1/28/2006 to 15:00 1/28/2008
    [sysname] display time-range test
    current time is 13:30:32 apr/16/2005 saturday
    t...

  • Page 563

    • With the auto match order specified, the newly created rules will be inserted among the existing ones by the depth-first principle, but the numbers of the existing rules are unaltered.
    Configuration example
    # Configure ACL 2000 to deny packets whose source IP address is 192.168.0.1.
    system-view
    [s...

  • Page 564

    Operation | Command | Description
    Assign a description string to the ACL | description text | Optional. No description by default.
    Note that:
    • With the config match order specified for the advanced ACL, you can modify any existing rule. The unmodified part of the rule remains. With the auto match order s...

  • Page 566

    • src-ip: matches the source address field in IPv6 packets.
    • dest-ip: matches the destination address field in IPv6 packets.
    • src-port: matches the TCP/UDP source port field in IPv6 packets.
    • dest-port: matches the TCP/UDP destination port field in IPv6 packets.
    • icmpv6-type: matches the ICM...

  • Page 567

    Configuration prerequisites
    • To configure a time range-based IPv6 ACL rule, you need to create the corresponding time range first. For information about time range configuration, refer to section Configuring time range.
    • The settings to be specified in the rule are determined.
    Configuration ...

  • Page 568

    • IPv6 ACLs do not match IPv6 packets with extension headers.
    • Do not use IPv6 ACLs together with VLAN mapping and trusted port priority.
    Configuration example
    # Configure a rule for IPv6 ACL 5000, denying packets sent from 3001::1/64 to 3002::1/64.
    system-view
    [sysname] acl number 5000
    [sysn...

  • Page 569

    Assigning an ACL globally
    Configuration prerequisites
    Before applying ACL rules to a VLAN, you need to define the related ACLs. For information about defining an ACL, refer to section Configuring basic ACL, section Configuring advanced ACL, section Configuring Layer 2 ACL, and section Config...

  • Page 570

    Configuration example
    # Apply ACL 2000 to VLAN 10 to filter the inbound packets of VLAN 10 on all the ports.
    system-view
    [sysname] packet-filter vlan 10 inbound ip-group 2000
    Assigning an ACL to a port group
    Configuration prerequisites
    Before applying ACL rules to a VLAN, you need to define the...

  • Page 571

    Configuration procedure
    Table 1-9 Apply an ACL to a port
    Operation | Command | Description
    Enter system view | system-view | —
    Enter Ethernet port view | interface interface-type interface-number | —
    Apply an ACL to the port | packet-filter inbound acl-rule | Required. For description on the acl-rule argument, ...

  • Page 572

    Example for upper-layer software referencing ACLs
    Example for controlling Telnet login users by source IP
    Network requirements
    Apply an ACL to permit users with the source IP address of 10.110.100.52 to Telnet to the switch.
    Network diagram
    Figure 1-1 Network diagram for controlling Telnet logi...

  • Page 573

    Configuration procedure
    # Define ACL 2001.
    system-view
    [sysname] acl number 2001
    [sysname-acl-basic-2001] rule 1 permit source 10.110.100.46 0
    [sysname-acl-basic-2001] quit
    # Reference ACL 2001 to control users logging in to the web server.
    [sysname] ip http acl 2001
    Example for applying ACLs t...

  • Page 574

    Advanced ACL configuration example
    Network requirements
    Different departments of an enterprise are interconnected through a switch. The IP address of the wage query server is 192.168.1.2. The R&D department is connected to Ethernet 1/0/1 of the switch. Apply an ACL to deny requests from the R&D...

  • Page 575

    Network diagram
    Figure 1-5 Network diagram for Layer 2 ACL configuration
    Configuration procedure
    # Define a periodic time range that is active from 8:00 to 18:00 every day.
    system-view
    [sysname] time-range test 8:00 to 18:00 daily
    # Define ACL 4000 to filter packets with the source MAC address of 0011-0011-00...

  • Page 576

    system-view
    [sysname] time-range test 8:00 to 18:00 daily
    # Set the port to trust the 802.1p (CoS) priority in received packets.
    [sysname] priority trust
    # Define an IPv6 ACL template to match the source address and destination address fields in IPv6 packets.
    [sysname] ipv6-acl-template src-ip ...

  • Page 577

    # Define an ACL to deny packets destined for the database server.
    [sysname] acl number 3000
    [sysname-acl-adv-3000] rule 1 deny ip destination 192.168.1.2 0 time-range test
    [sysname-acl-adv-3000] quit
    # Create port group 1 and add Ethernet 1/0/1, Ethernet 1/0/2, and Ethernet 1/0/3 to the port gr...

  • Page 578: Table of Contents

    i Table of Contents
    1 QoS Configuration 1-1
    Overview ...

  • Page 579

    ii Configuration example 2-4
    QoS profile configuration example 2-4

  • Page 580: Qos Configuration

    1 QoS Configuration
    Overview
    Introduction to QoS
    Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to meet customer needs. Generally, QoS does not focus on grading services precisely, but on improving services under certain conditions. In an Inte...

  • Page 581

    traffic, and setting priority of the packets. To meet those requirements, the network should be provided with better service capability.
    Major traffic control techniques
    Figure 1-1 End-to-end QoS model
    Traffic classification, traffic policing, traffic shaping, congestion management, and congesti...

  • Page 582

    Category | Features | Refer to…
    ... | following types: basic ACLs; advanced ACLs; Layer-2 ACLs (applicable only to the S3100-EI series); IPv6 ACLs (applicable only to the S3100-EI series) | Refer to Traffic classification.
    S3100-EI series | QoS actions for packets matching the specified ACL: priority ...

  • Page 583

    Priority trust mode
    Precedence types
    1) IP precedence, ToS precedence, and DSCP precedence
    Figure 1-2 DS field and ToS byte
    The ToS field in an IP header contains eight bits numbered 0 through 7, among which:
    • The first three bits indicate IP precedence in the range 0 to 7.
    • Bit 3 to bit 6 ind...

  • Page 584

    • Best effort (BE) class: this class is a special class without any assurance in the CS class. The AF class can be degraded to the BE class if it exceeds the limit. Current IP network traffic belongs to this class by default.
    Table 1-3 Description on DSCP precedence values
    DSCP value (decimal) | D...

  • Page 585

    The 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two bytes in length), whose value is 0x8100, and the tag control information (TCI, two bytes in length). Figure 1-4 describes the detailed contents of an 802.1Q tag header.
    Figure 1-4 802.1Q tag headers
    In the figure abo...

  • Page 586

    For incoming 802.1Q tagged packets, you can configure the switch to trust packet priority with the priority trust command or to trust port priority with the undo priority trust command. By default, the S3100 series switches trust port priority.
    • Trusting port priority: in this mode, the switch r...

  • Page 587

    Table 1-7 DSCP-precedence-to-local-precedence mapping table
    DSCP | Local precedence
    0 to 15 | 0
    16 to 31 | 1
    32 to 47 | 2
    48 to 63 | 3
    Table 1-8 IP-precedence-to-local-precedence mapping table
    IP precedence | Local precedence
    0 | 1
    1 | 0
    2 | 0
    3 | 1
    4 | 2
    5 | 2
    6 | 3
    7 | 3
    The configuration of trusting the IP precedence of...

  • Page 588

    network resources and provide better service for more users. For example, a traffic flow can be limited to get only its committed resources during a time period to avoid network congestion caused by excessive bursts. Traffic policing and traffic shaping are each a kind of traffic control policy u...

  • Page 589

    Traffic policing
    The typical application of traffic policing is to supervise specific traffic into the network and limit it to a reasonable range, or to "discipline" the extra traffic. In this way, the network resources and the interests of the operators are protected. For example, you can limi...

  • Page 590

    Port rate limiting
    Port rate limiting refers to limiting the total rate of inbound or outbound packets on a port. Port rate limiting can be implemented through token buckets. That is, if you perform port rate limiting configuration for a port, the token bucket determines the way to process the ...

  • Page 591

    In queue scheduling, SP sends packets in the queue with higher priority strictly following the priority order from high to low. When the queue with higher priority is empty, packets in the queue with lower priority are sent. You can put critical service packets into the queues with higher prior...

  • Page 592

    Burst
    The burst function can provide better packet cache function and traffic forwarding performance. It is suitable for networks where:
    • large amounts of broadcast/multicast packets and large burst traffic exist.
    • packets of high-rate links are forwarded to low-rate links or packets of multipl...

  • Page 593

    For detailed information about priority trust mode, refer to Priority trust mode.
    Configuration prerequisites
    The priority trust mode to be configured is determined.
    Configuration procedure
    You can configure to trust port priority or packet priority. Table 1-10 shows the detailed configuration...

  • Page 594

    Operation | Command | Description
    ... specifying the trusted priority type, the switch trusts the 802.1p (CoS) priority of the received packets. Note that the H3C S3100-EI series Ethernet switches do not support the ip-precedence keyword of this command.
    Configuration examples
    # Configure to trust port...

  • Page 595

    Configuration procedure
    Table 1-11 Configure CoS-precedence-to-local-precedence mapping table
    Operation | Command | Description
    Enter system view | system-view | —
    Configure CoS-precedence-to-local-precedence mapping table | qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-l...

  • Page 596

    local precedence(queue) : 0 0 1 1 2 2 3 3
    Marking packet priority
    Only H3C S3100-EI series switches support this configuration. Refer to section Priority marking for information about marking packet priority. Marking packet priority can be implemented in the following two ways:
    • Through traffi...

  • Page 598

    [sysname] acl number 2000
    [sysname-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255
    [sysname-acl-basic-2000] quit
    [sysname] traffic-priority vlan 2 inbound ip-group 2000 dscp 56
    Configuring traffic policing
    Only H3C S3100-EI series switches support this configuration. Refer to section Traf...

  • Page 599

    Table 1-20 Configure traffic policing for packets that are of a port group and match specific ACL rules
    Operation | Command | Description
    Enter system view | system-view | —
    Enter port group view | port-group group-id | —
    Configure traffic policing | traffic-limit inbound acl-rule target-rate [ burst-bucket ...

  • Page 600

    [sysname] acl number 2000
    [sysname-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255
    [sysname-acl-basic-2000] quit
    [sysname] traffic-limit vlan 2 inbound ip-group 2000 128 exceed remark-dscp 56
    Configuring traffic shaping
    Only H3C S3100-EI series switches support this configuration. Refer t...

  • Page 603

    2) Method II
    system-view
    [sysname] acl number 2000
    [sysname-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255
    [sysname-acl-basic-2000] quit
    [sysname] traffic-redirect vlan 2 inbound ip-group 2000 interface ethernet1/0/7
    Configuring VLAN marking
    Configuration prerequisites
    • The ACL rules us...

  • Page 605

    Table 1-30 Generate traffic statistics on all the packets matching specific ACL rules
    Operation | Command | Description
    Enter system view | system-view | —
    Generate the statistics on the packets matching specific ACL rules | traffic-statistic inbound acl-rule | Required
    Clear the statistics on the packets ...

  • Page 606

    Configuration example
    • Ethernet 1/0/1 is connected to the 10.1.1.0/24 network segment.
    • Generate statistics on the packets sourced from the 10.1.1.0/24 network segment.
    • Clear the statistics.
    1) Method I
    system-view
    [sysname] acl number 2000
    [sysname-acl-basic-2000] rule permit source 10.1.1...

  • Page 607

    Only H3C S3100-EI series switches support this configuration. Refer to section Traffic mirroring for information about traffic mirroring.
    Configuration prerequisites
    • The ACL rules for traffic classification are defined. Refer to the ACL module of this manual for information about defining ACL ...

  • Page 608

    Table 1-37 Configure traffic mirroring for a port group
    Operation | Command | Description
    Enter system view | system-view | —
    Enter Ethernet port view of the destination port | interface interface-type interface-number | —
    Define the current port as the destination port | monitor-port | Required
    Exit current v...

  • Page 609

    [sysname] interface ethernet 1/0/4
    [sysname-ethernet1/0/4] monitor-port
    [sysname-ethernet1/0/4] quit
    [sysname] interface ethernet 1/0/1
    [sysname-ethernet1/0/1] mirrored-to inbound ip-group 2000 monitor-interface
    2) Method II
    system-view
    [sysname] acl number 2000
    [sysname-acl-basic-2000] rule pe...

  • Page 611

    Network diagram
    Figure 1-9 Network diagram for traffic policing configuration
    Configuration procedure
    1) Define an ACL for traffic classification.
    # Create ACL 2000 and enter basic ACL view to classify packets sourced from the 192.168.1.0/24 network segment.
    system-view
    [sysname] acl number 200...

  • Page 612: Qos Profile Configuration

    2 QoS Profile Configuration
    Only H3C S3100-EI series switches support this configuration.
    Overview
    Introduction to QoS profile
    A QoS profile is a set of QoS configurations. It provides an easy way for performing and managing QoS configuration. A QoS profile can contain one or multiple QoS actions....

  • Page 613

    A user-based QoS profile application fails if the traffic classification rule defined in the QoS profile contains source address information (including source MAC address information, source IP address information, and VLAN information).
    Manual application mode
    You can use the apply command to m...

  • Page 614

    Operation | Command | Description
    ... local-precedence pre-value }*
    Applying a QoS profile
    You can configure to apply a QoS profile dynamically or simply apply a QoS profile manually.
    Configuration prerequisites
    • To configure to apply a QoS profile dynamically, make sure 802.1X is enabled both globally...

  • Page 615

    Displaying QoS profile configuration
    After the above configuration, you can execute the display command in any view to view the running status of the QoS profile and verify the configuration.
    Table 2-5 Display QoS profile configuration
    Operation | Command | Description
    Display QoS profile configurat...

  • Page 616

    system-view
    [sysname] radius scheme radius1
    [sysname-radius-radius1] primary authentication 10.11.1.1
    [sysname-radius-radius1] primary accounting 10.11.1.2
    [sysname-radius-radius1] secondary authentication 10.11.1.2
    [sysname-radius-radius1] secondary accounting 10.11.1.1
    # Set the encryption pas...

  • Page 617: Table of Contents

    i Table of Contents
    1 Mirroring Configuration 1-1
    Mirroring overview ...

  • Page 618: Mirroring Configuration

    1 Mirroring Configuration
    Mirroring overview
    Mirroring refers to the process of copying packets of one or more ports (source ports) to a destination port which is connected to a data detection device. Users can then use the data detection device to analyze the mirrored packets on the destination...

  • Page 619

    To implement remote port mirroring, a special VLAN, called the remote-probe VLAN, is needed. All mirrored packets are sent from the reflector port of the source switch to the monitor port (destination port) of the destination switch through the remote-probe VLAN, so as to implement the monitoring of...

  • Page 620

    Switch | Ports involved | Function
    ... | Trunk port | Receives remote mirrored packets.
    Destination switch | Destination port | Receives packets forwarded from the trunk port and transmits the packets to the data detection device.
    • Do not configure the default VLAN (VLAN 1), the port VLAN, or a dynamic VLAN as...

  • Page 622

    Operation | Command | Description
    Configure the current VLAN as the remote-probe VLAN | remote-probe vlan enable | Required
    Return to system view | quit | —
    Enter the view of the Ethernet port that connects to the intermediate switch or destination switch | interface interface-type interface-number | —
    Configur...

  • Page 623

    1-6 z layer 2 connectivity is ensured between the source and destination switches over the remote-probe vlan. 2) configuration procedure table 1-5 configuration on the intermediate switch operation command description enter system view system-view — create a vlan and enter vlan view vlan vlan-id vla...

  • Page 624

    1-7 operation command description configure trunk port to permit packets from the remote-probe vlan port trunk permit vlan remote-probe-vlan-id required return to system view quit — create a remote destination mirroring group mirroring-group group-id remote-destination required configure the destina...

  • Page 625

    1-8 z configure ethernet 1/0/3 as the mirroring destination port. Network diagram figure 1-3 network diagram for local port mirroring configuration procedure configure switch c: # create a local mirroring group. System-view [sysname] mirroring-group 1 local # configure the source ports and destinati...

  • Page 626

    1-9 z ethernet 1/0/2 of switch b connects to ethernet 1/0/1 of switch c. Z the data detection device is connected to ethernet 1/0/2 of switch c. The administrator wants to monitor the packets sent from department 1 and 2 through the data detection device. Use the remote port mirroring function to me...

  • Page 627

    1-10 # configure ethernet 1/0/3 as trunk port, allowing packets of vlan 10 to pass. [sysname] interface ethernet 1/0/3 [sysname-ethernet1/0/3] port link-type trunk [sysname-ethernet1/0/3] port trunk permit vlan 10 [sysname-ethernet1/0/3] quit # display configuration information about remote source m...

  • Page 628

    1-11 [sysname-ethernet1/0/1] port trunk permit vlan 10 [sysname-ethernet1/0/1] quit # display configuration information about remote destination mirroring group 1. [sysname] display mirroring-group 1 mirroring-group 1: type: remote-destination status: active monitor port: ethernet1/0/2 remote-probe ...

  • Page 629: Table of Contents

    Table of contents: 1 Stack (1-1); Stack function overview ...

  • Page 630: Stack

    1-1 1 stack the s3100 series switches can be stacked only when stack modules are installed. Stack function overview a stack is a management domain formed by a group of ethernet switches interconnected through their stack ports. A stack contains a main switch and multiple slave switches. Logically, y...

  • Page 631

    1-2 z connect the intended main switch and slave switches through stack modules and dedicated stack cables. (refer to h3c s3100 series ethernet switches installation manual for the information about stack modules and stack cables.) z configure the ip address pool for the stack and enable the stack f...

  • Page 632

    1-3 z make sure the ip addresses in the ip address pool of a stack are successive so that they can be assigned successively. For example, the ip addresses in an ip address pool with its start ip address something like 223.255.255.254 are not successive. In this case, errors may occur when adding a s...

  • Page 633

    1-4 introduction to the stack-port function if you enable the stack function on a stack-supporting device, the device will send join-in requests to the connected stack ports of all the switches connected with the device. This may cause switches not expecting to join in the stack to join in the stack...

  • Page 634

    1-5 operation command description display the stack status information on a slave switch display stacking the display command can be executed in any view. The displayed information indicates that the local switch is a slave switch. The information such as stack number of the local switch, and the ma...

  • Page 635

    1-6 main device for stack. Total members: 3 management-vlan: 1 (default vlan) # display the information about the stack members on switch a. display stacking members member number: 0 name: stack_0.sysname device: s3100-ei mac address: 000f-e20f-c43a member status: admin ip: 129.10.1.15/16 member number: ...

  • Page 636: Cluster

    2-1 2 cluster cluster overview introduction to hgmp a cluster contains a group of switches. Through cluster management, you can manage multiple geographically dispersed switches in a centralized way. Cluster management is implemented through huawei group management protocol (hgmp). Hgmp version 2 (hgmpv2) is...

  • Page 637

    2-2 you can configure and manage all the member devices through the management device without the need to log onto them one by one. Z it provides the topology discovery and display function, which assists in monitoring and maintaining the network. Z it allows you to configure and upgrade multiple sw...

  • Page 638

    2-3 figure 2-2 state machine of cluster role z a candidate device becomes a management device when you create a cluster on it. Note that a cluster must have one (and only one) management device. On becoming a management device, the device collects network topology information and tries to discover a...

  • Page 639

    2-4 z the management device adds the candidate devices to the cluster or removes member devices from the cluster according to the candidate device information collected through ntdp. Introduction to ndp ndp is a protocol used to discover adjacent devices and provide information about them. Ndp opera...

  • Page 640

    2-5 device busy processing of the ntdp topology collection responses. To avoid such cases, the following methods can be used to control the ntdp topology collection request advertisement speed. Z configuring the devices not to forward the ntdp topology collection request immediately after they recei...

  • Page 641

    2-6 to create a cluster, you need to determine the device to operate as the management device first. The management device discovers and determines candidate devices through ndp and ntdp, and adds them to the cluster. You can also add candidate devices to a cluster manually. After a candidate device...

  • Page 642

    2-7 additionally, on the management device, you can configure the ftp server, tftp server, logging host and snmp host to be shared by the whole cluster. When a member device in the cluster communicates with an external server, the member device first transmits data to the management device, which th...

  • Page 643

    2-8 1) determine whether the destination mac address or destination ip address is used to trace a device in the cluster z if you use the tracemac command to trace the device by its mac address, the switch will query its mac address table according to the mac address and vlan id in the command to fin...

  • Page 644

    2-9 configuration task remarks configuring the cluster synchronization function optional configuring the management device management device configuration tasks complete the following tasks to configure management device: task remarks enabling ndp globally and on specific ports required configuring ...

  • Page 645

    2-10 operation command description enter ethernet port view interface interface-type interface-number specified ethernet ports in ethernet port view enable ndp on the port ndp enable enabled on a port. Configuring ndp-related parameters follow these steps to configure ndp-related parameters: operati...

  • Page 646

    2-11 operation command description configure the port forward delay of topology collection requests ntdp timer port-delay time optional by default, the port forward delay is 20 ms. Configure the interval to collect topology information periodically ntdp timer interval-in-minutes optional by default,...

  • Page 647

    2-12 operation command description set the interval for the management device to send multicast packets cluster-mac syn-interval time-interval optional by default, the interval to send multicast packets is one minute. Set the holdtime of member switches holdtime seconds optional by default, the hol...

  • Page 648

    2-13 operation command description configure a shared tftp server for the cluster tftp-server ip-address optional by default, no shared tftp server is configured. Configure a shared logging host for the cluster logging-host ip-address optional by default, no shared logging host is configured. Config...

  • Page 649

    2-14 to reduce the exposure of open sockets to attack by malicious users and enhance switch security, the s3100 series ethernet switches provide the following functions, so that a cluster socket is opened only when it is needed: z opening udp port 40000 (used for cluster) only when the clu...

  • Page 650

    2-15 operation command description enter ethernet port view interface interface-type interface-number — enable ntdp on the port ntdp enable required enabling the cluster function follow these steps to enable the cluster function: operation command description enter system view system-view — enable t...

  • Page 651

    2-16 operation command description enter system view system-view — enter cluster view cluster — configuring mac address of management device administrator-address mac-address name name optional add a candidate device to the cluster add-member [ member-number ] mac-address h-h-h [ password password ]...

  • Page 652

    2-17 the topology information is saved as a topology.top file in the flash memory of the management device. You cannot specify the file name manually. 2) cluster device blacklist function to ensure stability and security of the cluster, you can use the blacklist to restrict the devices to be add...

  • Page 654

    2-19 snmp configuration synchronization with this function, you can configure the public snmp community name, snmp group, snmp users and mib views. These configurations will be synchronized to the member devices of the cluster automatically, which not only simplifies the configurations on the member...

  • Page 655

    2-20 z perform the above operations on the management device of the cluster. Z configuring the public snmp information is equal to executing these configurations on both the management device and the member devices (refer to the snmp-rmon operation part in this manual), and these configurations will...

  • Page 656

    2-21 member 2 succeeded in the usm-user configuration. Member 1 succeeded in the usm-user configuration. Finish to synchronize the command. # after the above configuration, you can see that the public snmp configurations for the cluster are saved to the management device and member devices by viewin...

  • Page 657

    2-22 z a cluster is established, and you can manage the member devices through the management device. 2) configuration procedure perform the following operations on the management device to synchronize local user configurations: to do… use the command… remarks enter system view system-view — enter c...

  • Page 658

    2-23 operation command description clear the statistics on ndp ports reset ndp statistics [ interface port-list ] you can execute the reset command in user view. When you display the cluster topology information, the devices attached to the switch that is listed in the blacklist will not be displayed...

  • Page 659

    2-24 network diagram [Figure 2-4, network diagram for hgmp cluster configuration: ftp server/tftp server 63.172.55.1/24; snmp host/logging host 69.172.55.4/24; vlan-int2 163.172.55.1/24; ports eth1/0/1, eth1/0/2, eth1/0/3; member switch mac 000f.e001.0011; member switch mac 000f.e001.0012 ...]

  • Page 660

    2-25 # set the holdtime of ndp information to 200 seconds. [sysname] ndp timer aging 200 # set the interval to send ndp packets to 70 seconds. [sysname] ndp timer hello 70 # enable ntdp globally and on ethernet 1/0/2 and ethernet 1/0/3. [sysname] ntdp enable [sysname] interface ethernet 1/0/2 [sysna...

  • Page 661

    2-26 [aaa_0.sysname-cluster] tftp-server 63.172.55.1 [aaa_0.sysname-cluster] logging-host 69.172.55.4 [aaa_0.sysname-cluster] snmp-host 69.172.55.4 3) perform the following operations on the member devices (taking one member as an example) after adding the devices under the management device to the ...

  • Page 662

    2-27 network diagram figure 2-5 network diagram for the enhanced cluster feature configuration configuration procedure # enter cluster view. System-view [aaa_0.sysname] cluster # add the mac address 0001-2034-a0e5 to the cluster blacklist. [aaa_0.sysname-cluster] black-list add-mac 0001-2034-a0e5 # ...

  • Page 663: Table of Contents

    Table of contents: 1 PoE configuration (1-1); PoE overview ...

  • Page 664: Poe Configuration

    1-1 1 poe configuration poe overview introduction to poe power over ethernet (poe)-enabled devices use twisted pairs through electrical ports to supply power to the remote powered devices (pd) in the network and implement power supply and data transmission simultaneously. Advantages of poe z reliabi...

  • Page 665

    1-2 [Table: switch | input power supply | number of electrical ports supplying power | maximum poe distance | maximum power provided by each electrical port | total maximum poe output power; values visible in this summary: ac input, 370 w] a poe-enabled s3100 switch has the following features: z as the pse, it supports the IEEE 802.3af standard. It can...

  • Page 666

    1-3 task remarks setting poe management mode and poe priority of a port optional setting the poe mode on a port optional configuring the pd compatibility detection function optional configuring poe over-temperature protection on the switch optional upgrading the pse processing software online option...

  • Page 667

    1-4 setting poe management mode and poe priority of a port when a switch is close to its full load in supplying power, you can adjust the power supply of the switch through the cooperation of the poe management mode and the port poe priority settings. S3100 series switches support two poe management...

  • Page 668

    1-5 operation command description set the poe mode on the port to signal poe mode signal optional signal by default. Configuring the pd compatibility detection function after the pd compatibility detection function is enabled, the switch can detect the pds that do not conform to the 802.3af standard...

  • Page 669

    1-6 upgrading the pse processing software online the online upgrading of pse processing software can update the processing software or repair the software if it is damaged. Before performing the following configuration, download the pse processing software to the flash of the switch. Table 1-9 upgra...

  • Page 670

    1-7 poe configuration example poe configuration example networking requirements switch a is an s3100 series ethernet switch supporting poe, switch b can be poe powered. Z the ethernet 1/0/1 and ethernet 1/0/2 ports of switch a are connected to switch b and an ap respectively; the ethernet 1/0/8 port...

  • Page 671

    1-8 [switcha] interface ethernet 1/0/8 [switcha-ethernet1/0/8] poe enable [switcha-ethernet1/0/8] poe priority critical [switcha-ethernet1/0/8] quit # set the poe management mode on the switch to auto (it is the default mode, so this step can be omitted). [switcha] poe power-management auto # enable...

  • Page 672: Poe Profile Configuration

    2-1 2 poe profile configuration introduction to poe profile on a large-sized network or a network with mobile users, to help network administrators to monitor the poe features of the switch, s3100 series ethernet switches provide the poe profile features. A poe profile is a set of poe configurations...

  • Page 673

    2-2 operation command description in system view apply poe-profile profile-name interface interface-type interface-number [ to interface-type interface-number ] enter ethernet port view interface interface-type interface-number apply the existing poe profile to the specified ethernet port in etherne...

  • Page 674

    2-3 ethernet 1/0/1 through ethernet 1/0/10 of switch a are used by users of group a, who have the following requirements: z the poe function can be enabled on all ports in use. Z signal mode is used to supply power. Z the poe priority for ethernet 1/0/1 through ethernet 1/0/5 is critical, whereas th...

  • Page 675

    2-4 [switcha] display poe-profile name profile1 poe-profile: profile1, 3 action poe enable poe max-power 3000 poe priority critical # create profile2, and enter poe profile view. [switcha] poe-profile profile2 # in profile2, add the poe policy configuration applicable to ethernet 1/0/6 through ether...

  • Page 676: Table of Contents

    Table of contents: 1 SNMP configuration (1-1); SNMP overview ...

  • Page 677: Snmp Configuration

    1-1 1 snmp configuration snmp overview the simple network management protocol (snmp) is used for ensuring the transmission of the management information between any two network nodes. In this way, network administrators can easily retrieve and modify the information about any node on the network. In...

  • Page 678

    1-2 adopts a hierarchical naming scheme to organize the managed objects. It is like a tree, with each tree node representing a managed object, as shown in figure 1-1. Each node in this tree can be uniquely identified by a path starting from the root. [Figure 1-1: architecture of the mib tree; node labels not reproduced] ...

  • Page 679

    1-3 configuring basic snmp functions snmpv3 configuration is quite different from that of snmpv1 and snmpv2c. Therefore, the configuration of basic snmp functions is described by snmp versions, as listed in table 1-2 and table 1-3 . Table 1-2 configure basic snmp functions (snmpv1 and snmpv2c) opera...

  • Page 680

    1-4 table 1-3 configure basic snmp functions (snmpv3) operation command description enter system view system-view — enable snmp agent snmp-agent optional disabled by default. You can enable snmp agent by executing this command or any of the commands used to configure snmp agent. Set system informati...

  • Page 681

    1-5 an s3100 ethernet switch provides the following functions to prevent attacks through unused udp ports. Z executing the snmp-agent command or any of the commands used to configure snmp agent enables the snmp agent, and at the same time opens udp port 161 used by snmp agents and the udp port used by sn...

  • Page 682

    1-6 configuring extended trap the extended trap includes the following. Z “interface description” and “interface type” are added into the linkup/linkdown trap message. When receiving this extended trap message, nms can immediately determine which interface on the device fails according to the interf...

  • Page 684

    1-8 [sysname] snmp-agent sys-info version all [sysname] snmp-agent community read public [sysname] snmp-agent community write private # set the access right of the nms to the mib of the snmp agent. [sysname] snmp-agent mib-view include internet 1.3.6.1 # for snmpv3, set: z snmpv3 group and user z se...
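
Page 684 configures the read community `public` and the write community `private` for SNMPv1/v2c. Those are the two best-known default community strings, and in v1/v2c the community travels in cleartext in every datagram, so anyone who can sniff or guess it gets the corresponding MIB access; the write community in particular should be unguessable and, better, replaced by the SNMPv3 users with authentication and privacy that Table 1-3 covers. The following Python is an added example, not code from the H3C manual: it BER-encodes an SNMPv2c GetRequest for sysDescr.0 the way an NMS puts it on UDP/161, then recovers the community from the raw bytes as a passive sniffer would, and checks an OID against the `mib-view include internet 1.3.6.1` subtree. The request id 0x1234 is arbitrary.

```python
# Minimal BER/SNMP encoder and decoder (added example, not H3C code).
SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)     # sysDescr.0
INTERNET_SUBTREE = (1, 3, 6, 1)               # 'snmp-agent mib-view include internet 1.3.6.1'


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def ber_integer(n: int) -> bytes:
    # Two's-complement, shortest encoding that keeps the sign bit correct.
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
    return _tlv(0x02, body)


def ber_oid(arcs) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(groups))
    return _tlv(0x06, bytes(body))


def snmp_v2c_get(community: str, oid, request_id: int = 0x1234) -> bytes:
    """SNMPv2c GetRequest-PDU exactly as an NMS sends it to UDP/161."""
    varbind = _tlv(0x30, ber_oid(oid) + _tlv(0x05, b""))            # OID + NULL value
    pdu_body = (ber_integer(request_id) + ber_integer(0)              # error-status
                + ber_integer(0) + _tlv(0x30, varbind))              # error-index, VarBindList
    pdu = _tlv(0xA0, pdu_body)                                        # [0] IMPLICIT GetRequest
    # version 1 on the wire means SNMPv2c (SNMPv1 is 0); the community is a plain OCTET STRING
    return _tlv(0x30, ber_integer(1) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def community_from_datagram(datagram: bytes):
    """What a passive sniffer recovers from one captured datagram: no key needed."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    _, community, _ = _read_tlv(msg, pos)
    return int.from_bytes(version, "big", signed=True), community.decode()


def oid_in_view(oid, subtree=INTERNET_SUBTREE) -> bool:
    """True if oid lies under the subtree included by the MIB view."""
    return tuple(oid[:len(subtree)]) == tuple(subtree)


if __name__ == "__main__":
    pkt = snmp_v2c_get("public", SYS_DESCR_0)
    print(pkt.hex())                       # 'public' is visible as 7075626c6963
    print(community_from_datagram(pkt))    # (1, 'public')
```

Anything on the path between NMS and switch sees the community in the clear, and `public`/`private` are in every SNMP scanner's default wordlist. If v2c must stay, at least bind the community to an ACL and keep the write community out of the `internet` view; otherwise move to SNMPv3 authPriv.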

  • Page 685

    1-9 authentication-related configuration on an nms must be consistent with that of the devices for the nms to manage the devices successfully.

  • Page 686: Rmon Configuration

    2-1 2 rmon configuration introduction to rmon remote monitoring (rmon) is a management information base (mib) defined by the internet engineering task force (ietf). It is an important enhancement to the mib-ii standard. Rmon is mainly used to monitor the data traffic across a network segment o...

  • Page 687

    2-2 commonly used rmon groups event group event group is used to define the indexes of events and the processing methods of the events. The events defined in an event group are mainly used by entries in the alarm group and extended alarm group to trigger alarms. You can specify a network device to a...

  • Page 688

    2-3 the statistics include the number of the following items: collisions, packets with cyclic redundancy check (crc) errors, undersize (or oversize) packets, broadcast packets, multicast packets, and received bytes and packets. With the rmon statistics management function, you can monitor the use of...

  • Page 689

    2-4 displaying rmon after the above configuration, you can execute the display command in any view to display the rmon running status, and to verify the configuration. Table 2-2 display rmon operation command description display rmon statistics display rmon statistics [ interface-type interface-numb...

  • Page 690

    2-5 # add an entry numbered 2 to the extended alarm table to allow the system to calculate the alarm variables with the (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1) formula to get the numbers of all the oversize and undersize packets received by ethernet 1/0/1 that are in correct data form...
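
The extended alarm on Page 690 sums two etherStats counters (undersize and oversize packets) and compares the result against rising and falling thresholds. What the page does not spell out is the alarm state machine that stops a noisy counter from generating an event on every sampling interval: per RFC 2819, a rising event fires once and is not repeated until the falling threshold has been crossed, and the startup setting decides which event may fire first. The following Python is an added example, not the manual's code; the counter snapshots are constructed, and the thresholds (rising 100, falling 20, delta sampling) are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# RMON etherStats objects used by the page's extended-alarm expression.
ETHER_STATS_UNDERSIZE_PKTS = ".1.3.6.1.2.1.16.1.1.1.9.1"
ETHER_STATS_OVERSIZE_PKTS = ".1.3.6.1.2.1.16.1.1.1.10.1"


def undersize_plus_oversize(counters: dict) -> int:
    """The page's alarm variable: (.9.1 + .10.1) for ethernet 1/0/1."""
    return counters[ETHER_STATS_UNDERSIZE_PKTS] + counters[ETHER_STATS_OVERSIZE_PKTS]


@dataclass
class RmonAlarm:
    """One alarmTable entry with RFC 2819 rising/falling hysteresis."""
    variable: Callable[[dict], int]
    rising_threshold: int
    falling_threshold: int
    sample_type: str = "delta"            # 'delta' or 'absolute'
    startup: str = "rising-falling"       # which event may fire first
    last_raw: Optional[int] = None
    last_event: Optional[str] = None

    def sample(self, counters: dict) -> Optional[str]:
        raw = self.variable(counters)
        if self.sample_type == "delta":
            if self.last_raw is None:           # first sample only seeds the delta
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw

        first = self.last_event is None
        event = None
        # A rising event is generated once; it re-arms only after a falling event.
        if (value >= self.rising_threshold and self.last_event != "rising"
                and (not first or self.startup in ("rising", "rising-falling"))):
            event = "rising"
        elif (value <= self.falling_threshold and self.last_event != "falling"
                and (not first or self.startup in ("falling", "rising-falling"))):
            event = "falling"
        if event:
            self.last_event = event
        return event


def demo_events():
    # Constructed (undersize, oversize) counter snapshots, one per sampling interval.
    snapshots = [(0, 0), (30, 20), (60, 40), (200, 60), (220, 80), (225, 85),
                 (400, 100), (405, 105), (600, 110), (800, 120)]
    alarm = RmonAlarm(undersize_plus_oversize, rising_threshold=100, falling_threshold=20)
    events = []
    for under, over in snapshots:
        events.append(alarm.sample({ETHER_STATS_UNDERSIZE_PKTS: under,
                                    ETHER_STATS_OVERSIZE_PKTS: over}))
    return events


if __name__ == "__main__":
    print(demo_events())
```

The two final snapshots both exceed the rising threshold, yet only the first produces a rising event; the second is suppressed until a falling event re-arms the alarm. When tuning a real entry, pick a falling threshold well below the rising one, or a flapping link will still produce an event pair per interval.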

  • Page 691: Table of Contents

    Table of contents: 1 NTP configuration (1-1); Introduction to NTP ...

  • Page 692: Ntp Configuration

    1-1 1 ntp configuration introduction to ntp network time protocol (ntp) is a time synchronization protocol defined in rfc 1305. It is used for time synchronization between a set of distributed time servers and clients. Carried over udp, ntp transmits packets through udp port 123. Ntp is intended for...

  • Page 693

    1-2 z the clock stratum determines the accuracy, which ranges from 1 to 16. The stratum of a reference clock ranges from 1 to 15. The clock accuracy decreases as the stratum number increases. A stratum 16 clock is in the unsynchronized state and cannot serve as a reference clock. Z the local clock o...

  • Page 694

    1-3 z device a sends an ntp message to device b, with a timestamp 10:00:00 am (t 1 ) identifying when it is sent. Z when the message arrives at device b, device b inserts its own timestamp 11:00:01 am (t 2 ) into the packet. Z when the ntp message leaves device b, device b inserts its own timestamp ...

  • Page 695

    1-4 symmetric peer mode figure 1-3 symmetric peer mode in the symmetric peer mode, the local s3100 ethernet switch serves as the symmetric-active peer and sends clock synchronization request first, while the remote server serves as the symmetric-passive peer automatically. If both of the peers have ...

  • Page 696

    1-5 table 1-1 ntp implementation modes on h3c s3100 series ethernet switches ntp implementation mode configuration on s3100 series switches server/client mode configure the local s3100 ethernet switch to work in the ntp client mode. In this mode, the remote server serves as the local time server, wh...

  • Page 697

    1-6 z configuring ntp server/client mode z configuring the ntp symmetric peer mode z configuring ntp broadcast mode z configuring ntp multicast mode to protect unused sockets against attacks by malicious users and improve security, h3c s3100 series ethernet switches provide the following functions: ...

  • Page 698

    1-7 z the remote server specified by remote-ip or server-name serves as the ntp server, and the local switch serves as the ntp client. The clock of the ntp client will be synchronized by but will not synchronize that of the ntp server. Z remote-ip cannot be a broadcast address, a multicast address o...

  • Page 699

    1-8 z in the symmetric peer mode, you need to execute the related ntp configuration commands (refer to section configuring ntp implementation modes for details) to enable ntp on a symmetric-passive peer; otherwise, the symmetric-passive peer will not process ntp messages from the symmetric-active pe...

  • Page 701

    1-10 configuring a switch to work in the multicast client mode table 1-8 configure a switch to work in the ntp multicast client mode operation command description enter system view system-view — enter vlan interface view interface vlan-interface vlan-id — configure the switch to work in the ntp mult...

  • Page 702

    1-11 the access-control right mechanism provides only a minimum degree of security protection for the local switch. A more secure method is identity authentication. Configuring ntp authentication in networks with higher security requirements, the ntp authentication function must be enabled to run nt...

  • Page 703

    1-12 with the corresponding ntp broadcast/multicast client. Otherwise, ntp authentication cannot be enabled normally. Z configurations on the server and the client must be consistent. Configuration procedure configuring ntp authentication on the client table 1-11 configure ntp authentication on the ...

  • Page 704

    1-13 operation command description configure the specified key as a trusted key ntp-service reliable authentication-keyid key-id required by default, no trusted authentication key is configured. Enter vlan interface view interface vlan-interface vlan-id — configure on the ntp broadcast server ntp-se...

  • Page 705

    1-14 configuring the number of dynamic sessions allowed on the local switch a single device can have a maximum of 128 associations at the same time, including static associations and dynamic associations. A static association refers to an association that a user has manually created by using an ntp ...

  • Page 706

    1-15 operation command description display the brief information about ntp servers along the path from the local device to the reference clock source display ntp-service trace configuration example configuring ntp server/client mode network requirements z the local clock of device a (a switch) is to...

  • Page 707

    1-16 actual frequency: 100.0000 hz clock precision: 2^18 clock offset: 0.66 ms root delay: 27.47 ms root dispersion: 208.39 ms peer dispersion: 9.63 ms reference time: 17:03:32.022 utc apr 2 2007 (bf422ae4.05aea86c) the above output information indicates that device b is synchronized to device a, an...
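
The four-timestamp walkthrough on Page 694 and the `reference time ... (bf422ae4.05aea86c)` line in this output are two faces of the same thing: the 64-bit NTP timestamp (32 bits of seconds since 1900-01-01, 32 bits of binary fraction) and the on-wire offset and delay calculation from RFC 1305. The following Python is an added example, not the manual's code. The page gives t1 = 10:00:00 and t2 = 11:00:01; t3 = 11:00:02 and t4 = 10:00:03 are assumed here to complete the exchange.

```python
from datetime import datetime, timezone

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_TO_UNIX = 2_208_988_800


def parse_ntp_timestamp(hex_ts: str) -> float:
    """Decode a timestamp printed as 'secs.frac' in hex (as in the display
    ntp-service status output) into Unix seconds as a float."""
    secs_hex, frac_hex = hex_ts.split(".")
    return int(secs_hex, 16) - NTP_TO_UNIX + int(frac_hex, 16) / 2**32


def ntp_timestamp_to_datetime(hex_ts: str) -> datetime:
    return datetime.fromtimestamp(parse_ntp_timestamp(hex_ts), tz=timezone.utc)


def clock_offset_and_delay(t1: float, t2: float, t3: float, t4: float):
    """RFC 1305 on-wire calculation.
    t1: client transmit, t2: server receive, t3: server transmit, t4: client receive.
    Returns (offset of the server clock relative to the client, round-trip delay)."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def hms(h: int, m: int, s: int) -> int:
    return h * 3600 + m * 60 + s


def page_example():
    # t1 and t2 from Page 694; t3 and t4 assumed to complete the exchange.
    return clock_offset_and_delay(hms(10, 0, 0), hms(11, 0, 1), hms(11, 0, 2), hms(10, 0, 3))


if __name__ == "__main__":
    print(page_example())                                          # (3600.0, 2.0)
    print(ntp_timestamp_to_datetime("bf422ae4.05aea86c").time())   # 17:03:32.022196
```

With these values device b's clock is one hour ahead of device a (offset +3600 s) over a 2 s round trip; the 1 s processing time on device b cancels out of the delay because it appears in both t2 and t3. Decoding the hex reference time reproduces the printed time of day and the 22 ms fraction; the calendar date it yields does not match the date printed beside it, so treat that sample output as illustrative rather than a real capture.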

  • Page 708

    1-17 # enter system view. System-view # set device c as the peer of device b. [deviceb] ntp-service unicast-peer 3.0.1.33 device c and device b are symmetric peers after the above configuration. Device b works in symmetric active mode, while device c works in symmetric passive mode. Because the stra...

  • Page 709

    1-18 network diagram figure 1-8 network diagram for the ntp broadcast mode configuration vlan-int2 1.0.1.31/24 vlan-int2 3.0.1.31/24 vlan-int2 3.0.1.32/24 device a device b device c device d configuration procedure 1) configure device c. # enter system view. System-view # set device c as the broadca...

  • Page 710

    1-19 the output information indicates that device d is synchronized to device c, with the clock stratum level of 3, one level lower than that of device c. # view the information about the ntp sessions of device d and you can see that a connection is established between device d and device c. [device...

  • Page 711

    1-20 [devicea] interface vlan-interface 2 [devicea-vlan-interface2] ntp-service multicast-client after the above configurations, device a and device d respectively listen to multicast messages through their own vlan-interface2, and device c advertises multicast messages through vlan-interface2. Beca...

  • Page 712

    1-21 configuration procedure 1) configure device b. # enter system view. System-view # enable the ntp authentication function. [deviceb] ntp-service authentication enable # configure an md5 authentication key, with the key id being 42 and the key being anicekey. [deviceb] ntp-service authentication-...
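
The configuration above enables NTP authentication with key id 42 and MD5 key `anicekey`, and the surrounding tables require the same key to be declared trusted (`ntp-service reliable authentication-keyid`) on both peers. On the wire this is the RFC 1305/RFC 5905 symmetric-key MAC: the 48-byte NTP header is followed by the 32-bit key identifier and MD5(key || header). The following Python is an added example, not the manual's code; it builds a client packet, appends the MAC, and shows the receiver accepting the genuine packet while rejecting a tampered packet, an untrusted key id, and a wrong key. The transmit timestamp value is arbitrary. Note that a keyed MD5 digest only authenticates the peer and protects integrity; it does nothing for confidentiality, and MD5 is weak by today's standards, so where both ends support it Network Time Security (RFC 8915) is the current replacement.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16          # key identifier + MD5 digest


def build_ntp_client_packet(transmit_ts: int = 0) -> bytes:
    """Minimal 48-byte NTPv3 client packet: LI=0, VN=3, Mode=3."""
    li_vn_mode = (0 << 6) | (3 << 3) | 3
    return (struct.pack("!BBBb", li_vn_mode, 0, 0, 0)        # stratum, poll, precision
            + struct.pack("!II", 0, 0)                        # root delay, root dispersion
            + b"\x00" * 4                                     # reference id
            + struct.pack("!QQQQ", 0, 0, 0, transmit_ts))     # ref, orig, recv, xmt timestamps


def ntp_md5_mac(key_id: int, key: bytes, packet: bytes) -> bytes:
    """Symmetric-key MAC per RFC 1305/5905: keyid || MD5(key || packet)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def authenticate(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Sender side: what 'ntp-service authentication enable' appends."""
    return packet + ntp_md5_mac(key_id, key, packet)


def verify(message: bytes, trusted_keys: dict) -> bool:
    """Receiver side. trusted_keys mirrors the 'reliable authentication-keyid'
    list: a key that is configured but not declared trusted must not authenticate."""
    if len(message) != NTP_HEADER_LEN + MAC_LEN:
        return False
    packet, mac = message[:NTP_HEADER_LEN], message[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + packet).digest()
    return hmac.compare_digest(expected, mac[4:])     # constant-time comparison


# Constructed to match the page: key id 42, key "anicekey", declared trusted.
TRUSTED_KEYS = {42: b"anicekey"}


def demo():
    pkt = build_ntp_client_packet(transmit_ts=0xBF422AE405AEA86C)
    good = authenticate(pkt, 42, b"anicekey")
    tampered = bytearray(good)
    tampered[40] ^= 0x01                                   # flip one bit of the transmit timestamp
    untrusted = authenticate(pkt, 7, b"anicekey")          # key id 7 was never made reliable
    wrong_key = authenticate(pkt, 42, b"wrongkey")
    return (verify(good, TRUSTED_KEYS), verify(bytes(tampered), TRUSTED_KEYS),
            verify(untrusted, TRUSTED_KEYS), verify(wrong_key, TRUSTED_KEYS))


if __name__ == "__main__":
    print(demo())    # (True, False, False, False)
```

The MAC covers only the NTP header, not the IP/UDP headers, and the key is a shared secret: anyone who learns `anicekey` can impersonate the server and move the client's clock, which in turn affects certificate validity checks and log timestamps on everything that trusts it.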

  • Page 713

    1-22 total associations : 1.

  • Page 714: Table of Contents

    Table of contents: 1 SSH configuration (1-1); SSH overview ...

  • Page 715: Ssh Configuration

    1-1 1 ssh configuration when configuring ssh, go to these sections for information you are interested: z ssh overview z ssh server and client configuration task list z displaying and maintaining ssh configuration z comparison of ssh commands with the same functions z ssh configuration examples ssh o...

  • Page 716

    1-2 figure 1-1 encryption and decryption key-based algorithms are usually classified into symmetric key algorithms and asymmetric key algorithms. In an asymmetric key algorithm, each end holds a key pair consisting of a private key and a public key. The publ...

  • Page 717

    1-3 version negotiation z the server opens port 22 to listen to connection requests from clients. Z the client sends a tcp connection request to the server. After the tcp connection is established, the server sends the first packet to the client, which includes a version identification string in the...
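
The version negotiation step above is the only part of an SSH session that is sent in the clear: each side sends one line of the form `SSH-protoversion-softwareversion SP comments CR LF` (RFC 4253 section 4.2, at most 255 bytes), and the server decides from the client's line whether to continue. Page 719 lists an optional task for making the server compatible with SSH1 clients; a server that accepts both advertises protoversion `1.99`. The following Python is an added example, not the manual's code; it parses identification strings, builds the server's line, and applies the negotiation rules. The software version string `ExampleServer_1.0` is a placeholder, not the switch's real banner. SSH-1 is obsolete and should stay disabled unless a legacy client leaves no choice.

```python
import re

# RFC 4253: softwareversion is printable US-ASCII without space or '-'.
IDENT_RE = re.compile(r"^SSH-(\d+\.\d+)-([!-,.-~]+)(?: (.*))?$")
MAX_IDENT_LEN = 255   # including CR LF


def parse_ident(line: bytes):
    """Return (protoversion, softwareversion, comments) or None if malformed."""
    if len(line) > MAX_IDENT_LEN:
        return None
    try:
        text = line.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return None
    m = IDENT_RE.match(text)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def server_ident(compat_ssh1: bool, software: str = "ExampleServer_1.0") -> bytes:
    """The server's first packet. '1.99' says: SSH-2 preferred, SSH-1 accepted."""
    proto = "1.99" if compat_ssh1 else "2.0"
    return f"SSH-{proto}-{software}\r\n".encode("ascii")


def negotiate(compat_ssh1: bool, client_ident: bytes):
    """Server-side decision after reading the client's identification string.
    Returns the protocol version to continue with, or None to drop the connection."""
    parsed = parse_ident(client_ident)
    if parsed is None:
        return None                         # garbage, oversized, or not SSH at all
    proto = parsed[0]
    if proto in ("2.0", "1.99"):
        return "2.0"                        # both sides speak SSH-2: always prefer it
    if proto.startswith("1.") and compat_ssh1:
        return "1.5"                        # legacy client, only if explicitly allowed
    return None


if __name__ == "__main__":
    print(server_ident(False))
    print(negotiate(False, b"SSH-1.5-OldClient\r\n"))   # None: SSH-1 refused by default
```

The banner is also the first thing a scanner records about the switch: the software version string and the presence of `1.99` tell an attacker which protocol generation and which key exchange and cipher weaknesses to expect before a single encrypted byte is sent.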

  • Page 718

    1-4 z in password authentication, the client encrypts the username and password, encapsulates them into a password authentication request, and sends the request to the server. Upon receiving the request, the server decrypts the username and password, compares them with those it maintains, and then i...

  • Page 719

    1-5 table 1-2 complete the following tasks to configure the ssh server: task remarks configuring the user interfaces for ssh clients required preparation configuring the ssh management functions optional version configuring the ssh server to be compatible with ssh1 clients optional this task determi...

  • Page 720

    1-6 table 1-3 follow these steps to configure the user interface for ssh clients: to do... Use the command... Remarks enter system view system-view — enter user interface view of one or more user interfaces user-interface vty first-number [ last-number ] — configure the authentication mode as scheme...

  • Page 721

    1-7 z you can configure a login header only when the service type is stelnet. For configuration of service types, refer to specifying a service type for an ssh user . Z for details of the header command, refer to the corresponding section in login command. Z currently, only the s3100-ei series suppo...

  • Page 722

    1-8 to do... Use the command... Remarks destroy the dsa key pair public-key local destroy dsa optional use the command to destroy the generated dsa key pair. Z the ssh server’s key pairs are for generating session keys and for ssh clients to authenticate the server. As different clients may support ...

  • Page 723

    1-9 z for password authentication type, the username argument must be consistent with the valid user name defined in aaa; for publickey authentication, the username argument is the ssh local user name, so that there is no need to configure a local user in aaa. Z if the default authentication type fo...

  • Page 724

    1-10 this configuration is not necessary if the password authentication mode is configured for ssh users. With the publickey authentication mode configured for an ssh client, you must configure the client’s rsa or dsa host public key(s) on the server for authentication. You can manually configure th...

  • Page 725

    1-11 this configuration task is unnecessary if the ssh user’s authentication mode is password. For the publickey authentication mode, you must specify the client’s public key on the server for authentication. Table 1-10 follow these steps to assign a public key for an ssh user: to do... Use the comm...

  • Page 726

    1-12 configuring the ssh client the configurations required on the ssh client are related to the authentication mode that the ssh server uses. In addition, if an ssh client does not support first-time authentication, you need to configure the public key of the server on the client, so that the clien...

  • Page 727

    1-13
    - Selecting the protocol for remote connection as SSH. Usually, a client can use a variety of remote connection protocols, such as Telnet, rlogin, and SSH. To establish an SSH connection, you must select SSH.
    - Selecting the SSH version. Use version 2 whenever the server supports it; SSH 1 is obsolete and has known protocol weaknesses. Since the device supports SSH 2.0 now, select 2.0 or lower ...

  • Page 728

    1-14 figure 1-3 generate the client keys (2) after the key pair is generated, click save public key and enter the name of the file for saving the public key (public in this case) to save the public key. Figure 1-4 generate the client keys (3).

  • Page 729

    1-15 Likewise, to save the private key, click Save private key. A warning window pops up asking whether you really want to save the private key without a passphrase protecting it (anyone who obtains an unprotected key file can log in as that user). Click Yes and enter the name of the file for saving the private key ("private" in this case) to save the private key. Figure 1-5 generate the...

  • Page 730

    1-16 figure 1-7 ssh client configuration interface 1 in the host name (or ip address) text box, enter the ip address of the server. Note that there must be a route available between the ip address of the server and the client. Selecting a protocol for remote connection as shown in figure 1-7 , selec...

  • Page 731

    1-17 Figure 1-8 SSH client configuration interface 2. Under Protocol options, select 2 from Preferred SSH protocol version. Some SSH client software, for example the Tectia client, supports the DES algorithm only when the SSH 1 version is selected. DES is a 56-bit cipher and should not be relied on for confidentiality; prefer the stronger ciphers available with SSH 2. The PuTTY client software supports DES algorith...

  • Page 732

    1-18 figure 1-9 ssh client configuration interface 3 click browse… to bring up the file selection window, navigate to the private key file and click open. If the connection is normal, a user will be prompted for a username. Once passing the authentication, the user can log in to the server. Configur...

  • Page 733

    1-19 configuring whether first-time authentication is supported when the device connects to the ssh server as an ssh client, you can configure whether the device supports first-time authentication. Z with first-time authentication enabled, an ssh client that is not configured with the server host pu...

  • Page 736

    1-22 Network diagram: Figure 1-10 switch acts as server for local password authentication.
    Configuration procedure
    - Configure the SSH server
    # create a vlan interface on the switch and assign an ip address, which the ssh client will use as the destination for ssh connection.
    system-view
    [switch] inte...

  • Page 737

    1-23 # Configure the SSH client software to establish a connection to the SSH server. Take the SSH client software PuTTY (version 0.58) as an example: 1) Run putty.exe to enter the following configuration interface. Figure 1-11 SSH client configuration interface. In the Host Name (or IP address) text box...

  • Page 738

    1-24 figure 1-12 ssh client configuration interface 2 under protocol options, select 2 from preferred ssh protocol version. 3) as shown in figure 1-12 , click open. If the connection is normal, you will be prompted to enter the user name client001 and password abc. Once authentication succeeds, you ...

  • Page 739

    1-25 network diagram figure 1-13 switch acts as server for password and radius authentication configuration procedure 1) configure the radius server this document takes cams version 2.10 as an example to show the basic radius server configurations required. # add an access device. Log into the cams ...

  • Page 740

    1-26 figure 1-14 add an access device # add a user for device management. From the navigation tree, select user management > user for device management, and then in the right pane, click add to enter the add account window and perform the following configurations: z add a user named hello, and speci...

  • Page 741

    1-27 Generating the RSA and DSA key pairs on the server is a prerequisite to SSH login.
    # generate rsa and dsa key pairs.
    [switch] public-key local create rsa
    [switch] public-key local create dsa
    # set the authentication mode for the user interfaces to aaa.
    [switch] user-interface vty 0 4
    [switch-ui-v...

  • Page 742

    1-28 figure 1-16 ssh client configuration interface (1) in the host name (or ip address) text box, enter the ip address of the ssh server. Z from the category on the left pane of the window, select connection > ssh. The window as shown in figure 1-17 appears. Figure 1-17 ssh client configuration int...

  • Page 743

    1-29 authentication succeeds, you will log in to the server. The level of commands that you can access after login is authorized by the cams server. You can specify the level by setting the exec privilege level argument in the add account window shown in figure 1-15 . When switch acts as server for ...

  • Page 744

    1-30
    [switch-ui-vty0-4] authentication-mode scheme
    # enable the user interfaces to support ssh.
    [switch-ui-vty0-4] protocol inbound ssh
    [switch-ui-vty0-4] quit
    # configure the hwtacacs scheme.
    [switch] hwtacacs scheme hwtac
    [switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
    [switch-hwtacacs-...

  • Page 745

    1-31 2) from the category on the left pane of the window, select connection > ssh. The window as shown in figure 1-20 appears. Figure 1-20 ssh client configuration interface (2) under protocol options, select 2 from preferred ssh protocol version. Then, click open. If the connection is normal, you w...

  • Page 746

    1-32 configuration procedure under the publickey authentication mode, either the rsa or dsa public key can be generated for the server to authenticate the client. Here takes the rsa public key as an example. Z configure the ssh server # create a vlan interface on the switch and assign an ip address,...

  • Page 747

    1-33
    # import the client's public key named switch001 from file public.
    [switch] public-key peer switch001 import sshkey public
    # assign the public key switch001 to client client001.
    [switch] ssh user client001 assign publickey switch001
    - Configure the SSH client (taking PuTTY version 0.58 as an ex...
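    Before running the import step shown above, it is worth checking the file the client produced: which algorithm it carries, how large the key is, and its fingerprint, so that what the switch reports after the import can be compared with what was actually exported. The following Python is an added example, not H3C's or PuTTY's code. It assumes the public key file is in the RFC 4716 "SSH2 PUBLIC KEY" format that PuTTYgen's Save public key button writes (the format the import step is assumed to expect); the sample file it builds uses a dummy modulus and is constructed for illustration only, and the 2048-bit minimum is a policy choice of this example, not a requirement of the switch.

```python
"""Pre-import check for an SSH2 public key file in RFC 4716 format (the format
PuTTYgen writes with "Save public key"). Added example; not H3C or PuTTY code."""
import base64
import hashlib
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def parse_rfc4716(text: str) -> bytes:
    """Return the raw SSH wire-format blob carried by an RFC 4716 file."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 SSH2 public key file")
    body, i = [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if not body and ":" in line:        # header such as Comment: ...
            while line.endswith("\\"):      # a header may continue on the next line
                i += 1
                line = lines[i]
        else:
            body.append(line.strip())
        i += 1
    return base64.b64decode("".join(body), validate=True)


def read_ssh_strings(blob: bytes) -> list:
    """Split a wire-format blob into its uint32-length-prefixed strings."""
    parts, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated string")
        parts.append(blob[off:off + n])
        off += n
    return parts


def describe_key(blob: bytes) -> dict:
    """Algorithm name, key size and OpenSSH-style SHA256 fingerprint of a blob."""
    parts = read_ssh_strings(blob)
    if not parts:
        raise ValueError("empty key blob")
    alg = parts[0].decode("ascii", errors="replace")
    if alg == "ssh-rsa" and len(parts) == 3:          # ssh-rsa, e, n
        bits = int.from_bytes(parts[2], "big").bit_length()
    elif alg == "ssh-dss" and len(parts) == 5:        # ssh-dss, p, q, g, y
        bits = int.from_bytes(parts[1], "big").bit_length()
    else:
        raise ValueError(f"unsupported or malformed key: {alg!r}")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"algorithm": alg, "bits": bits, "fingerprint": "SHA256:" + digest}


def key_findings(info: dict, min_rsa_bits: int = 2048) -> list:
    """Policy checks to apply before importing the key on the switch (example policy)."""
    findings = []
    if info["algorithm"] == "ssh-dss":
        findings.append("ssh-dss keys are fixed at 1024 bits; prefer RSA")
    elif info["bits"] < min_rsa_bits:
        findings.append(f"RSA modulus {info['bits']} bits < {min_rsa_bits}")
    return findings


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    # Minimal big-endian encoding with a leading 0x00 when the top bit is set.
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def make_sample_file(bits: int = 2048) -> str:
    """Constructed RFC 4716 file with a dummy RSA modulus; NOT a usable key."""
    e, n = 65537, (1 << (bits - 1)) | 1
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f'{BEGIN}\nComment: "client001 key (constructed)"\n{body}\n{END}\n'


if __name__ == "__main__":
    info = describe_key(parse_rfc4716(make_sample_file()))
    print(info, key_findings(info) or "no findings; OK to import")
```

    To check a real export, pass the contents of the saved "public" file to parse_rfc4716 instead of make_sample_file(). The fingerprint is the SHA256-over-blob form that ssh-keygen -lf prints, so it can be compared with the value an OpenSSH client computes for the same file.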

  • Page 748

    1-34 figure 1-23 generate a client key pair (2) after the key pair is generated, click save public key and enter the name of the file for saving the public key (public in this case). Figure 1-24 generate a client key pair (3).

  • Page 749

    1-35 Likewise, to save the private key, click Save private key. A warning window pops up asking whether you really want to save the private key without a passphrase protecting it. Click Yes and enter the name of the file for saving the private key (private.ppk in this case). Figure 1-25 generate a client key pair (4) af...

  • Page 750

    1-36 Figure 1-27 SSH client configuration interface 2. Under Protocol options, select 2 from Preferred SSH protocol version. 4) Select Connection > SSH > Auth. The following window appears. Figure 1-28 SSH client configuration interface (2).

  • Page 751

    1-37 click browse… to bring up the file selection window, navigate to the private key file and click ok. 5) from the window shown in figure 1-28 , click open. If the connection is normal, you will be prompted to enter the username. When switch acts as client for password authentication network requi...

  • Page 752

    1-38
    [switchb] local-user client001
    [switchb-luser-client001] password simple abc
    [switchb-luser-client001] service-type ssh level 3
    [switchb-luser-client001] quit
    # configure the authentication type of user client001 as password.
    [switchb] ssh user client001 authentication-type password
    Note that password simple stores the password in cleartext in the configuration file, where anyone who can read or display the configuration can see it; password cipher stores it in encrypted form.
    - Configure...

  • Page 753

    1-39 configuration procedure in public key authentication, you can use either rsa or dsa public key. Here takes the dsa public key as an example. Z configure switch b # create a vlan interface on the switch and assign an ip address, which the ssh client will use as the destination for ssh connection...

  • Page 754

    1-40
    # import the client public key named switch001 from the file switch001.
    [switchb] public-key peer switch001 import sshkey switch001
    # assign the public key switch001 to user client001.
    [switchb] ssh user client001 assign publickey switch001
    - Configure switch A
    # create a vlan interface on...

  • Page 755

    1-41 when switch acts as client and first-time authentication is not supported network requirements as shown in figure 1-31 , establish an ssh connection between switch a (ssh client) and switch b (ssh server) for secure data exchange. The user name is client001 and the ssh server’s ip address is 10...

  • Page 756

    1-42 before doing the following steps, you must first generate a dsa key pair on the client and save the key pair in a file named switch001, and then upload the file to the ssh server through ftp or tftp. For details, refer to the following “configure switch a”. # import the client’s public key file...

  • Page 757

    1-43 when first-time authentication is not supported, you must first generate a dsa key pair on the server and save the key pair in a file named switch002, and then upload the file to the ssh client through ftp or tftp. For details, refer to the above part “configure switch b”. # import the public k...

  • Page 758: Table of Contents

    I table of contents 1 file system management configuration ·································································································1-1 file system configuration ··················································································································...

  • Page 759

    1-1 1 file system management configuration file system configuration introduction to file system to facilitate management on the switch memory, s3100 series ethernet switches provide the file system function, allowing you to access and manage the files and directories. You can create, remove, copy o...

  • Page 760

    1-2 table 1-2 directory operations to do… use the command… remarks create a directory mkdir directory optional delete a directory rmdir directory optional display the current work directory pwd optional display the information about specific directories and files dir [ /all ] [ file-url ] optional e...

  • Page 761

    1-3 to do… use the command… remarks execute the specified batch file execute filename optional this command should be executed in system view. Z for deleted files whose names are the same, only the latest deleted file is kept in the recycle bin and can be restored. Z the files which are deleted by t...

  • Page 763

    1-5 7239 kb total (3585 kb free) (*) -with main attribute (b) -with backup attribute (*b) -with both main and backup attribute file attribute configuration introduction to file attributes the following three startup files support file attribute configuration: z app files: an app file is an executabl...

  • Page 764

    1-6 booting with the startup file the device selects the main startup file as the preferred startup file. If the device fails to boot with the main startup file, it boots with the backup startup file. For the web file and configuration file, hangzhou h3c technologies co., ltd (referred to as h3c her...

  • Page 765

    1-7 z the configuration of the main or backup attribute of a web file takes effect immediately without restarting the switch. Z after upgrading a web file, you need to specify the new web file in the boot menu after restarting the switch or specify a new web file by using the boot web-package comman...

  • Page 766: Table of Contents

    I table of contents 1 ftp and sftp configuration····················································································································1-1 introduction to ftp and sftp ·······································································································...

  • Page 767: Ftp and Sftp Configuration

    1-1 1 FTP and SFTP configuration. Introduction to FTP and SFTP. Introduction to FTP: FTP (File Transfer Protocol) is commonly used in IP-based networks to transmit files. Before the World Wide Web came into being, files were transferred through command-line tools, and the most popular application was FTP. Note that FTP carries user names, passwords and file contents in cleartext; SFTP, described later in this chapter, runs over SSH and protects both. At pre...

  • Page 768

    1-2 ftp configuration table 1-2 ftp configuration tasks item configuration task description creating an ftp user required enabling an ftp server required configuring connection idle time optional disconnecting a specified user optional configuring the banner for an ftp server optional ftp configurat...

  • Page 769

    1-3 z only one user can access an h3c s3100 series ethernet switch at a given time when the latter operates as an ftp server. Z operating as an ftp server, an h3c s3100 series ethernet switch cannot receive a file whose size exceeds its storage space. The clients that attempt to upload such a file w...

  • Page 770

    1-4 With an H3C S3100 series Ethernet switch acting as the FTP server, if a network administrator attempts to disconnect a user that is uploading/downloading data to/from the FTP server, the switch disconnects the user only after the data transmission is completed. Configuring the banne...

  • Page 771

    1-5 table 1-7 configure the banner display for an ftp server operation command description enter system view system-view — configure a login banner header login text configure a shell banner header shell text required use either command or both. By default, no banner is configured. For details about...

  • Page 772

    1-6 operation command description get the local working path on the ftp client lcd display the working directory on the ftp server pwd create a directory on the remote ftp server mkdir pathname remove a directory on the remote ftp server rmdir pathname delete a specified file delete remotefile dir [...

  • Page 773

    1-7 to upgrade the switch application and download the configuration file config.Cfg from the switch, thus to back up the configuration file. Z create a user account on the ftp server with the user name “switch” and password “hello”. Z the ip addresses 1.1.1.1 for a vlan interface on the switch and ...

  • Page 774

    1-8
    ftp> put switch.bin
    200 port command okay.
    150 opening ascii mode data connection for switch.bin.
    226 transfer complete.
    ftp: 75980 bytes received in 5.55 seconds 13.70kbytes/sec.
    # download the config.cfg file.
    ftp> get config.cfg
    200 port command okay.
    150 opening ascii mode data connection fo...

  • Page 775

    1-9
    - An FTP user named "switch" with the password "hello" has been configured on the FTP server.
    - The IP addresses 1.1.1.1 for a VLAN interface on the switch and 2.2.2.2 for the PC have been configured. Ensure that a route exists between the switch and the PC.
    - Configure the login banner of the s...

  • Page 776

    1-10
    - Create a user account on the FTP server with the user name "switch" and password "hello", and grant the user "switch" read and write permissions for the directory named "switch" on the PC.
    - Configure the IP address 1.1.1.1 for a VLAN interface on the switch, and 2.2.2.2 for the PC. Ensure a ...

  • Page 777

    1-11
    [ftp] put config.cfg
    # execute the get command to download the file named switch.bin to the flash memory of the switch.
    [ftp] get switch.bin
    # execute the quit command to terminate the ftp connection and return to user view.
    [ftp] quit
    # after downloading the file, use the boot boot-loader comm...

  • Page 778

    1-12 configuring connection idle time after the idle time is configured, if the server does not receive service requests from a client within a specified time period, it terminates the connection with the client, thus preventing a user from occupying the connection for a long time without performing...

  • Page 780

    1-14 if you specify to authenticate a client through public key on the server, the client needs to read the local private key when logging in to the sftp server. Since both rsa and dsa are available for public key authentication, you need to use the identity-key key word to specify the algorithms to...

  • Page 781

    1-15
    # configure the authentication mode as password. Authentication timeout time, retry number, and update time of the server key adopt the default values.
    [sysname] ssh user client001 authentication-type password
    # specify the service type as sftp.
    [sysname] ssh user client001 service-type sftp
    # ...

  • Page 782

    1-16
    drwxrwxrwx 1 noone nogroup 0 sep 01 06:22 new
    -rwxrwxrwx 1 noone nogroup 225 sep 01 06:55 pub
    received status: end of file
    received status: success
    # add a directory new1, and then check whether the new directory is successfully created.
    sftp-client> mkdir new1
    received status: success
    new dire...

  • Page 783

    1-17
    -rwxrwxrwx 1 noone nogroup 283 sep 02 06:36 puk
    received status: end of file
    received status: success
    sftp-client>
    # exit sftp.
    sftp-client> quit
    bye
    [sysname]

  • Page 784: Tftp Configuration

    2-1 2 TFTP configuration. Introduction to TFTP: compared with FTP, TFTP (Trivial File Transfer Protocol) features a simple interactive access interface and no authentication control. Therefore, TFTP is applicable in networks where client-server interactions are relatively simple; because any host that can reach the server can read or write its files, use it only on a trusted management network. TFTP is implemented...

  • Page 785

    2-2 item configuration task description tftp server configuration for details, see the corresponding manual — tftp configuration: a switch operating as a tftp client basic configurations on a tftp client by default a switch can operate as a tftp client. In this case you can connect the switch to the...

  • Page 786

    2-3 2) configure the tftp client (switch). # log in to the switch. (you can log in to a switch through the console port or by telnetting the switch. See the “login” module for detailed information.) if available space on the flash memory of the switch is not enough to hold the file to be uploaded, y...

  • Page 787: Table of Contents

    I table of contents 1 information center·····································································································································1-1 information center overview ·······························································································...

  • Page 788: Information Center

    1-1 1 information center information center overview introduction to information center acting as the system information hub, information center classifies and manages system information. Together with the debugging function (the debugging command), information center offers a powerful support for n...

  • Page 789

    1-2 the system supports ten channels. The channels 0 through 5 have their default channel names and are associated with six output directions by default. Both the channel names and the associations between the channels and output directions can be changed through commands. Table 1-2 information chan...

  • Page 790

    1-3 Module name and description:
    - dev: device management module
    - dns: domain name system module
    - eth: ethernet module
    - fib: forwarding module
    - ftm: fabric topology management module
    - ftps: ftp server module
    - ha: high availability module
    - habp: huawei authentication bypass protocol module
    - httpd: http server module
    - hwcm: hu...

  • Page 791

    1-4 to sum up, the major task of the information center is to output the three types of information of the modules onto the ten channels in terms of the eight severity levels and according to the user’s settings, and then redirect the system information from the ten channels to the six output direct...

  • Page 792

    1-5 z severity (the information level) ranges from 1 to 8. Table 1-1 details the value and meaning associated with each severity. Note that the priority field appears only when the information has been sent to the log host. Timestamp timestamp records the time when system information is generated to...

  • Page 793

    1-6 note that there is a space between the sysname and module fields. %% this field is a preamble used to identify a vendor. It is displayed only when the output destination is log host. Nn this field is a version identifier of syslog. It is displayed only when the output destination is log host. Mo...
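    To show what the field layout above means for a collector, here is an added Python example (not code from the manual) that parses log-host lines of the form <PRI>timestamp sysname %%nnModule/level/digest:content, splits the syslog priority into facility and severity, and pulls out remote logins from outside an allowed address range. The sample lines, the SHELL module name, the LOGIN digest and the wording of the login message are constructed for illustration; the level number inside the message is the device's own level from table 1-1 and is kept as-is rather than mapped.

```python
"""Parser for H3C information center lines as sent to a log host:
<PRI>timestamp sysname %%nnModule/level/digest:content
Added example; not code from the manual. Sample lines are constructed."""
import ipaddress
import re

# Standard syslog severity names for PRI % 8 (PRI = facility * 8 + severity).
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"           # syslog priority
    r"(?P<timestamp>.+?) "           # layout set by info-center timestamp loghost
    r"(?P<sysname>\S+) "             # one space between sysname and the %% preamble
    r"%%(?P<version>\d{2})"          # vendor preamble and syslog version identifier
    r"(?P<module>[A-Z0-9_]+)/(?P<level>\d)/(?P<digest>[^:]+):"
    r"(?P<content>.*)$"
)

# Source address as it appears in a login message, e.g. "VTY(10.1.1.20)".
# The message wording is an assumption of this example, not taken from the manual.
LOGIN_IP_RE = re.compile(r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_line(line: str):
    """Return the fields of one log-host line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    if pri > 191:                    # facilities run 0..23, severities 0..7
        return None
    rec["facility"], rec["severity"] = divmod(pri, 8)
    rec["severity_name"] = SEVERITY[rec["severity"]]
    rec["level"] = int(rec["level"])  # device level (table 1-1), kept as-is
    rec["content"] = rec["content"].strip()
    return rec


def logins_outside(lines, allowed_networks):
    """(timestamp, sysname, ip) for SHELL/LOGIN lines whose source is not allowed."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["module"] != "SHELL" or rec["digest"] != "LOGIN":
            continue
        m = LOGIN_IP_RE.search(rec["content"])
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:           # e.g. an octet above 255
            continue
        if not any(ip in net for net in nets):
            hits.append((rec["timestamp"], rec["sysname"], str(ip)))
    return hits


# Constructed sample, not captured from a real switch.
SAMPLE_LINES = [
    "<189>Jun  1 10:02:11 2010 Switch %%10SHELL/5/LOGIN:- 1 - VTY(10.1.1.20) in unit1 login",
    "<189>Jun  1 10:05:43 2010 Switch %%10SHELL/5/LOGIN:- 1 - VTY(203.0.113.9) in unit1 login",
    "<190>Jun  1 10:06:00 2010 Switch %%10IFNET/6/UPDOWN:Line protocol on the interface Vlan-interface1 is UP",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for hit in logins_outside(SAMPLE_LINES, ["10.1.1.0/24"]):
        print("login from outside the management network:", hit)
```

    The timestamp group is deliberately permissive because its layout depends on the info-center timestamp setting (date, boot or none); the sysname and the %% preamble are the stable anchors to split on.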

  • Page 794

    1-7 task remarks setting to output system information to the snmp nms optional configuring synchronous information output synchronous information output refers to the feature that if the system information such as log, trap, or debugging information is output when the user is inputting commands, the...

  • Page 796

    1-9 table 1-8 default output rules for different output directions log trap debug output direction modules allowed enabled /disable d severity enabled/d isabled severity enabled/d isabled severity console default (all modules) enabled warnings enabled debugging enabled debugging monitor terminal def...

  • Page 797

    1-10 setting to output system information to a monitor terminal table 1-10 set to output system information to a monitor terminal operation command description enter system view system-view — enable the information center info-center enable optional enabled by default. Enable system information outp...

  • Page 798

    1-11 make sure that the debugging/log/trap information terminal display function is enabled (use the terminal monitor command) before you enable the corresponding terminal display function by using the terminal debugging, terminal logging, or terminal trapping command. Setting to output system infor...

  • Page 799

    1-12 setting to output system information to the trap buffer table 1-13 set to output system information to the trap buffer operation command description enter system view system-view — enable the information center info-center enable optional enabled by default. Enable system information output to ...

  • Page 800

    1-13 setting to output system information to the snmp nms table 1-15 set to output system information to the snmp nms operation command description enter system view system-view — enable the information center info-center enable optional enabled by default. Enable information output to the snmp nms ...

  • Page 801

    1-14 operation command description display the status of trap buffer and the information recorded in the trap buffer display trapbuffer [ unit unit-id ] [ size buffersize ] clear information recorded in the log buffer reset logbuffer [ unit unit-id ] clear information recorded in the trap buffer res...

  • Page 802

    1-15
    # switch configuration messages
    local4.info	/var/log/switch/information
    When you edit the file "/etc/syslog.conf", note that:
    - A comment must start on a new line, beginning with a "#" sign.
    - In each pair, a tab must be used as the separator instead of a space.
    - No space is allowed at the end of ...

  • Page 803

    1-16
    # enable the information center.
    system-view
    [switch] info-center enable
    # configure the host whose ip address is 202.38.1.10 as the log host. Permit all modules to output log information with severity level higher than error to the log host.
    [switch] info-center loghost 202.38.1.10 facility lo...

  • Page 804

    1-17 log output to the console network requirements the switch sends the following information to the console: the log information of the two modules arp and ip, with severity higher than “informational”. Network diagram figure 1-3 network diagram for log output to the console configuration procedur...

  • Page 805

    1-18
    # set the time stamp format of the log information to be output to the log host to date.
    system-view
    system view: return to user view with ctrl+z.
    [switch] info-center timestamp loghost date
    # configure to add utc time to the output information of the information center.
    [switch] info-center ti...

  • Page 806: Table of Contents

    I table of contents 1 boot rom and host software loading ···································································································1-1 introduction to loading approaches ·······································································································1-...

  • Page 807

    Ii configuring a scheduled task················································································································5-1 configuration prerequisites ·············································································································5-1 configuring ...

  • Page 808

    1-1 1 boot rom and host software loading traditionally, switch software is loaded through a serial port. This approach is slow, time-consuming and cannot be used for remote loading. To resolve these problems, the tftp and ftp modules are introduced into the switch. With these modules, you can load/d...

  • Page 809

    1-2 Boot menu
    starting......
    ***********************************************************
    *                                                         *
    *        h3c s3100-26tp-ei-w bootrom, version 506         *
    *                                                         *
    ***********************************************************
    copyright(c) 2004-2007 hangzhou h3c technologies co., ltd.
    creation date : apr 17 2007, 10:12:36
    c...

  • Page 810

    1-3 loading by xmodem through console port introduction to xmodem xmodem protocol is a file transfer protocol that is widely used due to its simplicity and high stability. The xmodem protocol transfers files through console port. It supports two types of data packets (128 bytes and 1 kb), two check ...
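    The framing the XMODEM procedure depends on, as an added Python example that is not H3C's code: build 128-byte (SOH) or 1 KB (STX) blocks with either the 8-bit checksum or the 16-bit CRC trailer, and verify them on the receiving side, NAKing a corrupted block so that the sender retransmits it. The payload and the receiver model are constructed for illustration; a real transfer also exchanges the receiver's initial NAK or "C" (to choose checksum or CRC) and the sender's final EOT, which this model leaves out.

```python
"""XMODEM framing: SOH/STX header, block number and its complement, a 128-byte
or 1024-byte data block padded with 0x1A, then an 8-bit checksum or CRC-16.
Added example, not H3C's code; the receiver is a simplified model."""
SOH, STX, EOT, ACK, NAK = 0x01, 0x02, 0x04, 0x06, 0x15
PAD = 0x1A   # CP/M EOF byte used to fill the last block


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = (crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc


def checksum8(data: bytes) -> int:
    """Original XMODEM check: low byte of the sum of the data bytes."""
    return sum(data) & 0xFF


def build_packets(payload: bytes, block_size: int = 128, use_crc: bool = True) -> list:
    """Split payload into numbered blocks; block numbers start at 1 and wrap at 255."""
    if block_size not in (128, 1024):
        raise ValueError("XMODEM blocks are 128 or 1024 bytes")
    start = SOH if block_size == 128 else STX
    packets = []
    for idx, off in enumerate(range(0, len(payload), block_size), start=1):
        chunk = payload[off:off + block_size].ljust(block_size, bytes([PAD]))
        blk = idx & 0xFF
        if use_crc:
            trailer = crc16_xmodem(chunk).to_bytes(2, "big")
        else:
            trailer = bytes([checksum8(chunk)])
        packets.append(bytes([start, blk, 0xFF - blk]) + chunk + trailer)
    return packets


def check_packet(pkt: bytes, expected_blk: int, use_crc: bool = True):
    """Return the data block if header and check value are consistent, else None."""
    if not pkt or pkt[0] not in (SOH, STX):
        return None
    size = 128 if pkt[0] == SOH else 1024
    tail = 2 if use_crc else 1
    if len(pkt) != 3 + size + tail:
        return None
    blk, blk_inv = pkt[1], pkt[2]
    if blk != (expected_blk & 0xFF) or blk + blk_inv != 0xFF:
        return None
    chunk = pkt[3:3 + size]
    if use_crc:
        ok = int.from_bytes(pkt[-2:], "big") == crc16_xmodem(chunk)
    else:
        ok = pkt[-1] == checksum8(chunk)
    return chunk if ok else None


def receive(packets, use_crc: bool = True):
    """Receiver model: ACK each good block, NAK a bad one (sender must resend it).
    Returns (data including end padding, list of responses)."""
    data, responses, expected = bytearray(), [], 1
    for pkt in packets:
        chunk = check_packet(pkt, expected, use_crc)
        if chunk is None:
            responses.append(NAK)
            continue
        data += chunk
        responses.append(ACK)
        expected += 1
    return bytes(data), responses


if __name__ == "__main__":
    image = b"constructed firmware payload " * 10   # not a real image
    good = build_packets(image)
    print(len(good), "blocks;", receive(good)[1])
    damaged = bytearray(good[0]); damaged[20] ^= 0x80
    print("corrupted first block ->", receive([bytes(damaged)] + good[1:])[1])
```

    XMODEM carries no length field, so the last block is padded and the receiver cannot tell padding from data; and a checksum or CRC only detects line noise, not tampering, so the integrity of a loaded image still has to be confirmed by other means (for example a published hash of the file) before it is written as the boot ROM.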

  • Page 811

    1-4 if you have chosen 9600 bps as the download baudrate, you need not modify the hyperterminal’s baudrate, and therefore you can skip step 4 and 5 below and proceed to step 6 directly. In this case, the system will not display the above information. Following are configurations on pc. Take the hype...

  • Page 812

    1-5 figure 1-2 console port configuration dialog box step 5: click the button to disconnect the hyperterminal from the switch and then click the button to reconnect the hyperterminal to the switch, as shown in figure 1-3 . Figure 1-3 connect and disconnect buttons the new baudrate takes effect after...

  • Page 813

    1-6 step 7: choose [transfer/send file] in hyperterminal, and click in pop-up dialog box, as shown in figure 1-4 . Select the software file that you need to load to the switch, and set the protocol to xmodem. Figure 1-4 send file dialog box step 8: click . The system displays the page, as shown in f...

  • Page 814

    1-7 z if the hyperterminal’s baudrate is not reset to 9600 bps, the system prompts "your baudrate should be set to 9600 bps again! Press enter key when ready". Z you need not reset the hyperterminal’s baudrate and can skip the last step if you have chosen 9600 bps. In this case, the system upgrades ...

  • Page 815

    1-8 loading the boot rom figure 1-6 local loading using tftp step 1: as shown in figure 1-6 , connect the switch through an ethernet port to the tftp server, and connect the switch through the console port to the configuration pc. You can use one pc as both the configuration device and the tftp serv...

  • Page 816

    1-9 step 6: enter y to start file downloading or n to return to the boot rom update menu. If you enter y, the system begins to download and update the boot rom. Upon completion, the system displays the following information: loading........................................Done bootrom updating..........

  • Page 817

    1-10 you can use one computer as both configuration device and ftp server. Step 2: run the ftp server program on the ftp server, configure an ftp user name and password, and copy the program file to the specified ftp directory. Step 3: run the hyperterminal program on the configuration pc. Start the...

  • Page 818

    1-11 When loading the boot ROM and host software using FTP through the boot menu, it is recommended that you use a PC directly connected to the device as the FTP server, to improve upgrade reliability. Remote boot ROM and software loading: if your terminal is not directly connected to the switch, you can teln...

  • Page 819

    1-12
    this will update bootrom file on unit 1. Continue? [y/n] y
    upgrading bootrom, please wait...
    upgrade bootrom succeeded!
    step 3: restart the switch.
    reboot
    Before restarting the switch, make sure you have saved all other configurations that you want, so as to avoid losing configuration informati...

  • Page 820

    1-13 You can configure the IP address for any VLAN on the switch for FTP transmission. However, before configuring the IP address for a VLAN interface, you have to make sure that the IP addresses of this VLAN interface and of the PC are routable to each other.
    system-view
    system view: return to user view with ctrl+z.
    [sysname]...

  • Page 821

    1-14 Figure 1-11 enter boot ROM directory. Step 6: enter ftp 192.168.0.28 and enter the user name test and password pass, as shown in figure 1-12, to log on to the FTP server. Figure 1-12 log on to the FTP server. Step 7: use the put command to upload the file switch.btm to the switch, as shown in figur...

  • Page 822

    1-15 Figure 1-13 upload file switch.btm to the switch. Step 8: configure switch.btm to be the boot ROM at next startup, and then restart the switch.
    boot bootrom switch.btm
    this will update bootrom on unit 1. Continue? [y/n] y
    upgrading bootrom, please wait...
    upgrade bootrom succeeded!
    reboot
    after ...

  • Page 825

    2-2 table 2-2 system information display commands operation command description display the current date and time of the system display clock display the version of the system display version display the information about users logging onto the switch display users [ all ] you can execute the displa...

  • Page 826

    2-3 You can use the following commands to enable the two functions (module debugging and terminal display). Table 2-3 enable debugging and terminal display for a specific module: operation / command / description: enable system debugging for a specific module: debugging module-name [ debugging-option ] required; disabled for all modules by default. ...

  • Page 827

    2-1 Command alias configuration. Introduction: as the network environment becomes more complex and network products become increasingly diverse, users often use network devices from several vendors in real networking environments. In this case, command keyword differences between devices from different v...

  • Page 828: Network Connectivity Test

    3-1 3 network connectivity test network connectivity test ping you can use the ping command to check the network connectivity and the reachability of a host. Table 3-1 the ping command operation command description check the ip network connectivity and the reachability of a host ping [ -a ip-address...

  • Page 829: Device Management

    4-1 4 device management introduction to device management device management includes the following: z reboot the ethernet switch z configure real-time monitoring of the running status of the system z specify the app to be used at the next reboot z update the boot rom z identifying and diagnosing plu...

  • Page 830

    4-2 scheduling a reboot on the switch after you schedule a reboot on the switch, the switch will reboot at the specified time. Table 4-3 schedule a reboot on the switch operation command description schedule a reboot on the switch, and set the reboot date and time schedule reboot at hh:mm [ mm/dd/yy...

  • Page 832

    4-4 table 4-8 commonly used pluggable transceivers transceiver type applied environment whether can be an optical transceiver whether can be an electrical transceiver sfp (small form-factor pluggable) generally used for 100m/1000m ethernet interfaces or pos 155m/622m/2.5g interfaces yes yes gbic (gi...

  • Page 833

    4-5 tx power, and rx power. When these parameters are abnormal, you can take corresponding measures to prevent transceiver faults. Table 4-10 display pluggable transceiver information operation command description display the current alarm information of the pluggable transceiver(s) display transcei...

  • Page 834

    4-6 The switch acts as the FTP client, and the remote PC serves as both the configuration PC and the FTP server. Perform the following configuration on the FTP server: configure an FTP user, whose name is switch and password is hello. Authorize the user with the read-write right on the directory s...

  • Page 835

    4-7 Trying ... Press CTRL+K to abort. Connected. 220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user User(none):switch 331 Give me your password, please Password: 230 Logged in successfully [ftp] 5) Enter the authorized path on the FTP server. [ftp] cd switch 6) Execute the get comm...

  • Page 836: Scheduled Task Configuration

    5-1 5 Scheduled Task Configuration. What is a scheduled task: a scheduled task defines a command or a group of commands and when such commands will be executed. It allows a device to execute specified command(s) at a time when no person is available to maintain the device. With a scheduled task config...

  • Page 837

    5-2 Specify the time delay to execute the commands in the task. Follow these steps to configure a scheduled task: To do… | Use the command… | Description. Enter system view: system-view. Create a scheduled task, and enter scheduled task view: job job-name (required). Configure the view where the specified com...

  • Page 838

    5-3 [switch] job phone1 # Configure the view where the specified command is to be executed as Ethernet interface view. [switch-job-phone1] view ethernet1/0/2 # Configure the scheduled task so that PoE can be enabled on the switch at eight AM from Monday to Friday. [switch-job-phone1] time 1 repeating at 8:...

  • Page 839: Table of Contents

    I Table of Contents: 1 VLAN-VPN Configuration 1-1; VLAN-VPN Overview ...

  • Page 840: Vlan-Vpn Configuration

    1-1 1 VLAN-VPN Configuration. When configuring VLAN-VPN, go to these sections for information you are interested in: VLAN-VPN overview; VLAN-VPN configuration; displaying and maintaining VLAN-VPN configuration; VLAN-VPN configuration example. VLAN-VPN overview. Introduction to VLAN-VPN: Virtual Pri...

  • Page 841

    1-2 Implementation of VLAN-VPN. With the VLAN-VPN feature enabled, no matter whether or not a received packet already carries a VLAN tag, the switch will tag the received packet with the default VLAN tag of the receiving port and add the source MAC address to the MAC address table of the default VLAN...

  • Page 842

    1-3 Protocol type | Value: IS-IS 0x8000; LACP 0x8809; 802.1x 0x888E. VLAN-VPN configuration. VLAN-VPN configuration task list. Complete the following tasks to configure VLAN-VPN: Task | Remarks. Enabling the VLAN-VPN feature for a port: required. Configuring the TPID value for VLAN-VPN packets: optional. Enabling ...

  • Page 843

    1-4 Follow these steps to configure the TPID for VLAN-VPN packets: To do... | Use the command... | Remarks. Enter system view: system-view. Set the TPID value on the port: vlan-vpn tpid value (required; do not set the TPID value to any of the protocol type values listed in Table 1-1). For H3C series switch...

  • Page 844

    1-5 Network diagram. Figure 1-4 Network diagram for VLAN-VPN configuration. Configuration procedure: configure Switch A. # Enable the VLAN-VPN feature on Ethernet 1/0/11 of Switch A and tag the packets received on this port with the tag of VLAN 1040 as the outer VLAN tag. system-view [switcha] vlan 1...

  • Page 845

    1-6 [switchb] interface ethernet 1/0/21 [switchb-ethernet1/0/21] vlan-vpn enable # Set the global TPID value to 0x9200 (for intercommunication with the devices in the public network) and set Ethernet 1/0/22 as a trunk port permitting packets of VLAN 1024. [switchb-ethernet1/0/21] quit [switchb] vlan...

  • Page 846: Selective Qinq Configuration

    2-1 2 Selective QinQ Configuration. This chapter is only applicable to S3100-EI series switches. When configuring selective QinQ, go to these sections for information you are interested in: selective QinQ overview; selective QinQ configuration; selective QinQ configuration example. Selective QinQ ...

  • Page 847

    2-2 Figure 2-1 Diagram for a selective QinQ implementation. In this implementation, Switch A is an access device of the service provider. The users connecting to it include common customers (in VLAN 8 to VLAN 100), VIPs (in VLAN 101 to VLAN 200), and IP telephone users (in VLAN 201 to VLAN 300). Pack...

  • Page 848

    2-3 Configuring global tag mapping rules for selective QinQ. Table 2-1 Configure global tag mapping rules for selective QinQ: Operation | Command | Description. Enter system view: system-view. Configure the outer VLAN tag and enter QinQ view: vlan-vpn vid vlan-id (required). Configure to add outer VLAN tags to...

  • Page 849

    2-4 The public network permits packets of VLAN 1000 and VLAN 1200. Apply QoS policies for these packets to reserve bandwidth for packets of VLAN 1200. That is, packets of VLAN 1200 have higher transmission priority than packets of VLAN 1000. Employ the selective QinQ feature on Switch A and Swit...

  • Page 850

    2-5 [switcha-etherent1/0/5] port hybrid vlan 5 1000 1200 tagged [switcha-ethernet1/0/5] quit # Configure Ethernet 1/0/3 as a hybrid port and configure VLAN 5 as its default VLAN. Configure Ethernet 1/0/3 to remove VLAN tags when forwarding packets of VLAN 5, VLAN 1000, and VLAN 1200. [switcha] inter...

  • Page 851

    2-6 [switchb-etherent1/0/12] port hybrid pvid vlan 12 [switchb-etherent1/0/12] port hybrid vlan 12 1000 untagged [switchb-ethernet1/0/12] quit # Configure Ethernet 1/0/13 as a hybrid port and configure VLAN 13 as its default VLAN. Configure Ethernet 1/0/13 to remove VLAN tags when forwarding packet...

  • Page 852: Bpdu Tunnel Configuration

    3-1 3 BPDU Tunnel Configuration. This chapter is only applicable to S3100-EI series switches. When configuring BPDU tunnel, go to these sections for information you are interested in: BPDU tunnel overview; BPDU tunnel configuration; displaying and maintaining BPDU tunnel configuration; BPDU tunn...

  • Page 853

    3-2 customer network to the service provider network. The customer network contains Network A and Network B. You can have the BPDU packets of the customer network transmitted transparently across the service provider network by enabling the BPDU tunnel feature on the edge devices at both ends of t...

  • Page 854

    3-3 Figure 3-3 The structure of a BPDU packet after it enters a BPDU tunnel. To prevent the devices in the service provider network from processing the tunnel packets as other protocol packets, the MAC address of a tunnel packet must be a multicast address uniquely assigned to the BPDU tunnel in the ...

  • Page 855

    3-4 To do... | Use the command... | Remarks. Enter Ethernet port view: interface interface-type interface-number. Enable BPDU tunnel for packets of a specific protocol: bpdu-tunnel protocol-type (required; by default, BPDU tunnel is disabled for packets of any protocol). If BPDU tunnel transparent transmis...

  • Page 856

    3-5 Enable the service provider network to transmit STP packets of the customer network through BPDU tunnel. The destination MAC address for tunnel packets is 010f-e233-8b22. Enable the VLAN-VPN feature for the service provider network, and enable the service provider network to use VLAN 100 to ...

  • Page 857

    3-6 [sysname-ethernet1/0/4] bpdu-tunnel stp # Enable VLAN-VPN and use VLAN 100 to transmit user data packets through BPDU tunnels. [sysname-ethernet1/0/4] port access vlan 100 [sysname-ethernet1/0/4] vlan-vpn enable # Configure the destination MAC address for the packets transmitted in the tunnel. [...

  • Page 858: Table of Contents

    I Table of Contents: 1 VLAN Mapping Configuration 1-1; VLAN Mapping Overview ...

  • Page 859: Vlan Mapping Configuration

    1-1 1 VLAN Mapping Configuration. The VLAN mapping feature is applicable to only the S3100-EI series among the S3100 series. VLAN mapping overview: VLAN mapping replaces the original VLAN tag of a packet with a new one, so that the packet can be processed and forwarded according to the new VLAN tag. T...

  • Page 860

    1-2 As shown in Figure 1-1, each user in the community has multiple applications. The VLAN technology is used on the home gateway to distinguish traffic types. Because each home gateway has the same configuration, the same type of traffic from different users is transmitted within the same VLAN. As...

  • Page 861

    1-3 Figure 1-3 After many-to-one VLAN mapping …… Configuring the DHCP Option 82 for many-to-one VLAN mapping. Option 82 is the relay agent option in the option field of the DHCP message. A DHCP snooping-enabled device that supports Option 82 can insert the location information (including the port num...

  • Page 862

    1-4 Configuring one-to-one VLAN mapping. One-to-one VLAN mapping configuration task list. Complete the following tasks to configure one-to-one VLAN mapping: Task | Remarks. Configuring a global one-to-one VLAN mapping rule, or configuring a port-level one-to-one VLAN mapping rule: use either approach. On a p...

  • Page 863

    1-5 You cannot enable one-to-one VLAN mapping on a link aggregation group member port. When you configure a global one-to-one VLAN mapping rule and then enable one-to-one VLAN mapping on a port, selective QinQ is automatically enabled on the port. Configuring a port-level one-to-one VLAN mapping...

  • Page 864

    1-6 To do… | Use the command… | Remarks. Configure a many-to-one VLAN mapping rule and enable many-to-one VLAN mapping on the port: vlan-mapping n-to-1 vlan old-vlan-id remark new-vlan-id (required; repeat this step to map multiple original VLANs to the target VLAN). One-to-one VLAN mapping is mutually excl...

  • Page 865

    1-7 This example describes how to configure one-to-one VLAN mapping for two users: map the three traffic streams from User A to VLAN 1001, VLAN 1002, and VLAN 1003, and map the three traffic streams from User B to VLAN 2001, VLAN 2002, and VLAN 2003. Figure 1-5 Network diagram for one-to-one VLAN ma...

  • Page 866

    1-8 If you configure Ethernet 1/0/1 and Ethernet 1/0/2 as trunk ports, you also need to assign them to the corresponding original VLANs and target VLANs. In the configuration above, the default VLAN of each port is VLAN 1. If you have changed the default VLAN of a port, you must assign the port ...

  • Page 867

    1-9 Figure 1-6 Network diagram for many-to-one VLAN mapping configuration …… Configuration procedure. Configuring many-to-one VLAN mapping # Create VLAN 1 (which exists by default), VLAN 2, and VLAN 3, and the target VLANs (VLAN 1001 and VLAN 2001) on Switch A. system-view [switcha] vlan 2 to 3 [switc...

  • Page 868

    1-10 [switcha] interface gigabitethernet 1/1/1 [switcha-gigabitethernet1/1/1] port link-type trunk [switcha-gigabitethernet1/1/1] port trunk permit vlan 1001 2001 Configuring DHCP Option 82 # Enable DHCP snooping on Switch A, and configure GigabitEthernet 1/1/1 as a trusted port. [sysname] dhcp-snoo...

  • Page 869: Table of Contents

    I Table of Contents: 1 HWPing Configuration 1-1; HWPing Overview ...

  • Page 870: Hwping Configuration

    1-1 1 HWPing Configuration. When configuring HWPing, go to these sections for information you are interested in: HWPing overview; HWPing configuration; HWPing configuration examples. HWPing overview. Introduction to HWPing: HWPing (pronounced Hua'wei ping) is a network diagnostic tool. It is used to...

  • Page 871

    1-2 Test types supported by HWPing. Table 1-1 Test types supported by HWPing: Supported test types | Description. ICMP test, DHCP test, FTP test, HTTP test, DNS test, SNMP test: for these types of tests, you need to configure the HWPing client and corresponding servers. Jitter test, TCPpublic test, TCP test, TCPp...

  • Page 872

    1-3 Test parameter | Description. Number of probes per test (count): for tests except the jitter test, only one test packet is sent in a probe. In a jitter test, you can use the jitter-packetnum command to set the number of packets to be sent in a probe. Packet size (datasize): for ICMP/UDP/jitter test, yo...

  • Page 873

    1-4 Test parameter | Description. Interval to send jitter test packets (jitter-interval): each jitter probe will send multiple UDP test packets at regular intervals (you can set the interval). The smaller the interval is, the faster the test is. But too small an interval may somewhat impact your network....

  • Page 874

    1-5 To do… | Use the command… | Remarks. Enter system view: system-view. Enable the HWPing client function: hwping-agent enable (required; by default, the HWPing client function is disabled). Create an HWPing test group and enter its view: hwping administrator-name operation-tag (required; by default, no test g...

  • Page 876

    1-7 To do… | Use the command… | Remarks. Create an HWPing test group and enter its view: hwping administrator-name operation-tag (required; by default, no test group is configured). Configure the test type: test-type dhcp (required; by default, the test type is ICMP). Configure the source interface: source-interfa...

  • Page 877

    1-8 To do… | Use the command… | Remarks. Enable the HWPing client function: hwping-agent enable (required; by default, the HWPing client function is disabled). Create an HWPing test group and enter its view: hwping administrator-name operation-tag (required; by default, no test group is configured). Configure th...

  • Page 879

    1-10 To do… | Use the command… | Remarks. Configure the source IP address: source-ip ip-address (optional; by default, no source IP address is configured). Configure the source port: source-port port-number (optional; by default, no source port is configured). Configure the number of probes per test: count times ...

  • Page 881

    1-12 To do… | Use the command… | Remarks. Configure a stuffing character string: datafill string (optional; by default, the numbers between 0 and 255 are stuffed into datagrams cyclically). Configure a test description: description string (optional; by default, no description information is configured)....

  • Page 882

    1-13 To do… | Use the command… | Remarks. Configure the advantage factor for a jitter voice test: adv-factor adv-number (by default, the advantage factor is zero). Start the test: test-enable (required). Display test results: display hwping results [ admin-name operation-tag ] (required; you can execute the command in ...

  • Page 884

    1-15 To do… | Use the command… | Remarks. Configure the destination port: destination-port port-number (required in a TCPprivate test; a TCPpublic test is a TCP connection test on port 7. Use the hwping-server tcpconnect ip-address 7 command on the server to configure the listening service port; otherwise t...

  • Page 885

    1-16 To do… | Use the command… | Remarks. Configure the type of service: tos value (optional; by default, the service type is zero). Start the test: test-enable (required). Display test results: display hwping results [ admin-name operation-tag ] (required; the display command can be executed in any view). 8) Configu...

  • Page 886

    1-17 To do… | Use the command… | Remarks. Enable history record: history-record enable (optional; by default, history record is not enabled). Configure the retaining time of history records: history keep-time keep-time (optional; by default, the retaining time of history records is 120 minutes). Configure statisti...

  • Page 887

    1-18 To do… | Use the command… | Remarks. Configure the source IP address: source-ip ip-address (optional; by default, no source IP address is specified). Configure the number of probes per test: count times (optional; by default, one probe is made per test). Configure a test description: description string (optio...

  • Page 888

    1-19 To do… | Use the command… | Remarks. Configure the IP address of the DNS server: dns-server ip-address (required; by default, no DNS server address is configured). Start the test: test-enable (required). Display test results: display hwping results [ admin-name operation-tag ] (required; the display command can...

  • Page 890

    1-21 Destination IP address: 10.2.2.2 Send operation times: 10 Receive response times: 10 Min/Max/Average round trip time: 3/6/3 Square-sum of round trip time: 145 Last succeeded test time: 2000-4-2 20:55:12.3 Extend result: SD maximal delay: 0 DS maximal delay: 0 Packet lost in test: 0% Disconnect o...

  • Page 891

    1-22 [sysname-hwping-administrator-dhcp] source-interface vlan-interface 1 # Configure to make 10 probes per test. [sysname-hwping-administrator-dhcp] count 10 # Set the probe timeout time to 5 seconds. [sysname-hwping-administrator-dhcp] timeout 5 # Enable the saving of history records and set the ...

  • Page 892

    1-23 FTP test. Network requirements: both the HWPing client and the FTP server are H3C S3100 series Ethernet switches. Perform an HWPing FTP test between the two switches to test the connectivity to the specified FTP server and the time required to upload a file to the server after the connection is e...

  • Page 893

    1-24 # Start the test. [sysname-hwping-administrator-ftp] test-enable # Display test results. [sysname-hwping-administrator-ftp] display hwping results administrator ftp HWPing entry(admin administrator, tag ftp) test result: Destination IP address: 10.2.2.2 Send operation times: 10 Receive response t...

  • Page 894

    1-25 Network diagram. Figure 1-5 Network diagram for the HTTP test. Configuration procedure: configure the HTTP server: use Windows 2003 Server as the HTTP server. For HTTP server configuration, refer to the related instructions on Windows 2003 Server configuration. Configure the HWPing client (Switch A): #...

  • Page 895

    1-26 DNS resolve time: 0; DNS resolve min time: 0; DNS resolve max time: 0; DNS resolve failed times: 0; DNS resolve timeout times: 0. HTTP operation time: 675; HTTP test total time: 748; HTTP transmission successful times: 10; HTTP transmission failed times: 0; HTTP transmission timeout times: 0. TCP connect...

  • Page 896

    1-27 system-view [sysname] hwping-server enable [sysname] hwping-server udpecho 10.2.2.2 9000 Configure the HWPing client (Switch A): # Enable the HWPing client. system-view [sysname] hwping-agent enable # Create an HWPing test group, setting the administrator name to administrator and the test tag to jit...

  • Page 897

    1-28 Negative SD number: 30 Negative DS number: 24 Negative SD sum: 64 Negative DS sum: 41 Negative SD average: 2 Negative DS average: 1 Negative SD square sum: 200 Negative DS square sum: 161 SD lost packets number: 0 DS lost packet number: 0 Unknown result lost packet number: 0 [sysname-hwping-administrator...

  • Page 898

    1-29 The SNMP network management function must be enabled on the SNMP agent before it can receive response packets. The SNMPv2c version is used as the reference in this example. This configuration may differ if the system uses any other version of SNMP. For details, see SNMP – RMON Operation Manual. C...

  • Page 899

    1-30 4 10 1 0 2000-04-03 08:57:19.9; 5 9 1 0 2000-04-03 08:57:19.9; 6 11 1 0 2000-04-03 08:57:19.9; 7 10 1 0 2000-04-03 08:57:19.9; 8 10 1 0 2000-04-03 08:57:19.9; 9 10 1 0 2000-04-03 08:57:19.8; 10 10 1 0 2000-04-03 08:57:19.8. For a detailed output description, see the corresponding command manual. TCP tes...

  • Page 900

    1-31 [sysname-hwping-administrator-tcpprivate] history-records 10 # Start the test. [sysname-hwping-administrator-tcpprivate] test-enable # Display test results. [sysname-hwping-administrator-tcpprivate] display hwping results administrator tcpprivate HWPing entry(admin administrator, tag tcpprivate...

  • Page 901

    1-32 system-view [sysname] hwping-server enable [sysname] hwping-server udpecho 10.2.2.2 8000 Configure the HWPing client (Switch A): # Enable the HWPing client. system-view [sysname] hwping-agent enable # Create an HWPing test group, setting the administrator name to administrator and the test tag to udp...

  • Page 902

    1-33 7 10 1 0 2000-04-02 08:29:45.3; 8 10 1 0 2000-04-02 08:29:45.3; 9 10 1 0 2000-04-02 08:29:45.3; 10 11 1 0 2000-04-02 08:29:45.3. For a detailed output description, see the corresponding command manual. DNS test. Network requirements: an H3C S3100 series Ethernet switch serves as the HWPing client, and ...

  • Page 903

    1-34 [sysname-hwping-administrator-dns] display hwping results administrator dns HWPing entry(admin administrator, tag dns) test result: Destination IP address: 10.2.2.2 Send operation times: 10 Receive response times: 10 Min/Max/Average round trip time: 6/10/8 Square-sum of round trip time: 756 Last...

  • Page 904: Table of Contents

    I Table of Contents: 1 IPv6 Configuration 1-1; IPv6 Overview ...

  • Page 905: Ipv6 Configuration

    1-1 1 IPv6 Configuration. H3C S3100 series Ethernet switches support IPv6 management features, but do not support IPv6 forwarding and related features. The term "router" in this document refers to a router in a generic sense or an Ethernet switch running a routing protocol. IPv6 overview. Internet...

  • Page 906

    1-2 Adequate address space: the source IPv6 address and the destination IPv6 address are both 128 bits (16 bytes) long. IPv6 can provide 3.4 × 10^38 addresses to completely meet the requirements of hierarchical address division as well as allocation of public and private addresses. Hierarchical addre...

  • Page 907

    1-3 If an IPv6 address contains two or more consecutive groups of zeros, they can be replaced by the double-colon (::) option. For example, the above-mentioned address can be represented in the shortest format as 2001:0:130F::9C0:876A:130B. The double-colon can be used only once in an IPv6 address...

  • Page 908

    1-4 Type | Format prefix (binary) | IPv6 prefix ID. Anycast address: anycast addresses are taken from the unicast address space and are not syntactically distinguishable from unicast addresses. Unicast address: there are several forms of unicast address assignment in IPv6, including global unicast address, lin...

  • Page 909

    1-5 hexadecimal number FFFE needs to be inserted in the middle of the MAC address (behind the 24 high-order bits). To ensure the interface identifier obtained from a MAC address is unique, it is necessary to set the universal/local (U/L) bit (the seventh high-order bit) to "1". Thus, an interface ident...

  • Page 910

    1-6 H3C S3100 series Ethernet switches do not support RS, RA, or Redirect messages. Of the above-mentioned IPv6 NDP functions, H3C S3100 series Ethernet switches support the following three functions: address resolution, neighbor unreachability detection, and duplicate address detection. The subs...

  • Page 911

    1-7 Duplicate address detection is accomplished through NS and NA messages. Figure 1-4 shows the duplicate address detection procedure. Figure 1-4 Duplicate address detection. The duplicate address detection procedure is as follows: 2) Node A sends an NS message whose source address is the unassign...

  • Page 912

    1-8 If they are consistent, the device resets the aging timer for the ND snooping entry. If they are inconsistent and the received packet is a DAD NS message, the message is ignored. If they are inconsistent and the received packet is not a DAD NS message, the device performs active acknowledg...

  • Page 913

    1-9 Router Advertisement (RA); Redirect. The ND protocol functions powerfully, but without any security mechanism it is apt to be used by attackers. ND attacks usually come from users. Normally, when the device switch is a Layer-2 access device, multiple ND packets sent by users are broadcast on ...

  • Page 914

    1-10 The user legality check is based on the source IPv6 address and source MAC address in the ND packet to check whether the user is legal on the VLAN where the port receives the packet. The check includes those based on the IPv6 static binding entry, the security entry of ND snooping and of DHCPv6...

  • Page 915

    1-11 Ensuring that DHCPv6 clients obtain IP addresses from authorized DHCPv6 servers. If there is an unauthorized DHCPv6 server on a network, the DHCPv6 clients may obtain invalid IPv6 addresses. With DHCPv6 snooping, the ports of a device can be configured as trusted or untrusted, ensuring the clients...

  • Page 916

    1-12 Figure 1-7 Diagram for the IPv6 filtering function. The switch can filter invalid IPv6 packets through IPv6 static binding entries or IP-to-MAC address mappings of IPv6 dynamic binding entries. IPv6 static binding entry: a static binding is configured manually. It is suitable when there are a few...

  • Page 917

    1-13 RFC 1981: Path MTU Discovery for IP version 6; RFC 2375: IPv6 Multicast Address Assignments; RFC 2460: Internet Protocol, Version 6 (IPv6) Specification; RFC 2461: Neighbor Discovery for IP Version 6 (IPv6); RFC 2462: IPv6 Stateless Address Autoconfiguration; RFC 2463: Internet Control ...

  • Page 918

    1-14 Manual configuration: IPv6 site-local addresses or global unicast addresses are configured manually. IPv6 link-local addresses can be acquired in either of the following ways: automatic generation: the device automatically generates a link-local address for an interface according to the lin...

  • Page 919

    1-15 IPv6 unicast addresses can be configured for only one VLAN interface of an H3C S3100 series Ethernet switch. Only one global unicast address or one site-local address can be configured for an interface. After an IPv6 site-local address or global unicast address is configured for an interf...

  • Page 920

    1-16 dynamically learned neighbors reaches the threshold, the interface will stop learning neighbor information. Table 1-7 Configure the maximum number of neighbors dynamically learned: To do… | Use the command… | Remarks. Enter system view: system-view. Enter VLAN interface view: interface interface-type...

  • Page 921

    1-17 Table 1-10 Configure the neighbor reachable timeout time on an interface: To do… | Use the command… | Remarks. Enter system view: system-view. Enter VLAN interface view: interface interface-type interface-number. Configure the neighbor reachable timeout time: ipv6 nd nud reachable-time value (optional) ...

  • Page 922

    1-18 Configuring the maximum number of IPv6 ICMP error packets sent within a specified time. If too many IPv6 ICMP error packets are sent within a short time in a network, network congestion may occur. To avoid network congestion, you can control the maximum number of IPv6 ICMP error packets sent wit...

  • Page 923

    1-19 Configuring ND snooping. Follow these steps to configure ND snooping: To do… | Use the command… | Remarks. Enter system view: system-view. Enter VLAN view: vlan vlan-id. Enable ND snooping: ipv6 nd snooping enable (required; disabled by default). Return to system view: quit. Enter Layer 2 Ethernet interf...

  • Page 924

    1-20 To do… | Use the command… | Remarks. Enter Layer-2 Ethernet interface view: interface interface-type interface-number. Configure the ports requiring no user legality check as ND trusted ports: ipv6 nd detection trust (optional; a port is ND untrusted by default). When configuring ND detection, configu...

  • Page 925

    1-21 Configuring DHCPv6 snooping support for DHCPv6 Option 18/Option 37. DHCPv6 Option 37, also known as the DHCPv6 relay agent remote ID option, records the location information of DHCPv6 clients. Option 18, also known as the DHCPv6 interface ID option, records the interface that receives messages f...

  • Page 926

    1-22 You cannot configure both IPv6 filtering and port binding. Configuring IPv6 DNS. Configure a static host name to IPv6 address mapping: you can directly use a host name when applying Telnet applications and the system will resolve the host name into an IPv6 address. Each host name can correspond t...

  • Page 929

    1-25 [switchb-vlan-interface1] ipv6 address 3001::2/64 Verification # Display the brief IPv6 information of an interface on Switch A. [switcha-vlan-interface1] display ipv6 interface vlan-interface 1 Vlan-interface1 current state :UP Line protocol current state :UP IPv6 is enabled, link-local addres...

  • Page 930

    1-26 bytes=56 Sequence=3 hop limit=64 time = 6 ms Reply from fe80::2e0:fcff:fe00:2006 bytes=56 Sequence=4 hop limit=64 time = 7 ms Reply from fe80::2e0:fcff:fe00:2006 bytes=56 Sequence=5 hop limit=64 time = 14 ms --- fe80::2e0:fcff:fe00:2006 ping statistics --- 5 packet(s) transmitted 5 packet(s) re...

  • Page 931

    1-27 Configuration procedure # Enable DHCPv6 snooping. system-view [switcha] dhcp-snooping ipv6 enable # Specify Ethernet 1/1 as trusted. [switcha] interface ethernet 1/0/1 [switcha-ethernet1/0/1] dhcp-snooping ipv6 trust ND detection configuration example. Networking requirement: users Host A and Hos...

  • Page 932

    1-28 # Configure the upper port Ethernet 1/0/3 as an ND trusted port, while leaving the lower ports Ethernet 1/0/1 and Ethernet 1/0/2 in the default state, namely ND untrusted ports. [switchb] interface ethernet 1/0/3 [switchb-ethernet1/0/3] ipv6 nd detection trust After the configuration above, check the ND pa...

  • Page 933

    1-29 # Enable IPv6 filtering on Ethernet 1/0/2, Ethernet 1/0/3, and Ethernet 1/0/4 to filter packets based on the source IP addresses/MAC addresses. [switchb] interface ethernet1/0/2 [switchb-ethernet1/0/2] ipv6 check source ip-address mac-address [switchb-ethernet1/0/2] quit [switchb] interface eth...

  • Page 934

    2-1 2 IPv6 Application Configuration. Introduction to IPv6 applications: IPv6 supports more and more applications. Most IPv6 applications are the same as those of IPv4. The applications supported on H3C S3100 series Ethernet switches are: ping; traceroute; TFTP; Telnet. Configuring IPv6 a...

  • Page 935

    2-2 Figure 2-1 Traceroute process (Device A to Device B, Device C, Device D: hop limit=1, hop limit exceeded; hop limit=2, hop limit exceeded; hop limit=n, UDP port unreachable). As Figure 2-1 shows, the traceroute process is as follows: the source sends an IP datagram with the hop limit of 1. If the first ho...

  • Page 936

    2-3 When you use the tftp ipv6 command to connect to the TFTP server, you must specify the -i keyword if the destination address is a link-local address. IPv6 Telnet: the Telnet protocol belongs to the application layer protocols of the TCP/IP protocol suite, and is used to provide remote login and virtual...

  • Page 937

    2-4 IPv6 application configuration example. Network requirements: in Figure 2-3, SWA, SWB, and SWC are three switches, among which SWA is an H3C S3100 Ethernet switch, and SWB and SWC are two switches supporting IPv6 forwarding. In a LAN, there is a Telnet server and a TFTP server for providing Telnet se...

  • Page 938

    2-5 # On SWA, configure static routes to SWC, the Telnet server, and the TFTP server. system-view [swa] ipv6 route-static 3002:: 64 3003::1 [swa] ipv6 route-static 3001:: 64 3003::1 [swa] quit # Trace the IPv6 route from SWA to SWC. tracert ipv6 3002::1 traceroute to 3002::1 30 hops max, 60 bytes pac...

  • Page 939

    2-6 Unable to run TFTP. Symptom: unable to download and upload files by performing TFTP operations. Solution: check that the route between the device and the TFTP server is up. Check that the file system of the device is usable; you can check it by running the dir command in user view. Check that...

  • Page 940: Table of Contents

    I Table of contents: 1 DNS configuration (1-1); DNS overview ...

  • Page 941: Dns Configuration

    1-1 1 DNS configuration. This chapter covers only IPv4 DNS configuration; for IPv6 DNS, refer to IPv6 Management Operation. DNS overview: the Domain Name System (DNS) is a mechanism used by TCP/IP applications to provide domain name-to-IP address translation. With DNS, you can use memorizab...

  • Page 942

    1-2 Figure 1-1 Dynamic domain name resolution. Figure 1-1 shows the relationship between the user program, the DNS client, and the DNS server. The resolver and the cache make up the DNS client. The user program and the DNS client run on the same device, while the DNS server and the DNS client usually run on different d...

  • Page 943

    1-3 The IP address you assign to a host name most recently overwrites any previous one. You may create up to 50 static mappings between domain names and IP addresses. Configuring dynamic domain name resolution: Table 1-2 Configure dynamic domain name resolution (operation, command, r...

  • Page 944

    1-4 (operation, command, remarks) Clear the dynamic domain name cache: reset dns dynamic-host (available in user view). DNS configuration example. Static domain name resolution configuration example. Network requirements: the switch uses static domain name resolution to access host 10.1.1.2...

  • Page 945

    1-5 Dynamic domain name resolution configuration example. Network requirements: as shown in Figure 1-3, the switch, serving as a DNS client, uses dynamic domain name resolution to access the host at 3.1.1.1/16 through its domain name host. The DNS server has the IP address 2.1.1.2/16. The DNS suffix is...

  • Page 946

    1-6 Reply from 3.1.1.1: bytes=56 sequence=2 ttl=125 time=4 ms Reply from 3.1.1.1: bytes=56 sequence=3 ttl=125 time=4 ms Reply from 3.1.1.1: bytes=56 sequence=4 ttl=125 time=4 ms Reply from 3.1.1.1: bytes=56 sequence=5 ttl=125 time=5 ms --- host.com ping statistics --- 5 packet(s) transmitted 5 packe...
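The two DNS examples above (static resolution of a host name, and dynamic resolution of "host" through the suffix so that "host.com" is queried) rely on three rules stated earlier in the chapter: the latest static assignment for a name wins, at most 50 static mappings exist, and the dynamic cache can be cleared with reset dns dynamic-host. The following Python model is an added example, not the switch's resolver and not H3C code. The order in which the suffix is tried, the TTL handling, and the stand-in server fake_server (with its ZONE table) are assumptions made here.

```python
"""DNS client model: static table, suffix search, dynamic cache (added example)."""

MAX_STATIC_MAPPINGS = 50          # limit stated in the chapter


class DnsClient:
    def __init__(self, suffixes=(), clock=None):
        self.static = {}                      # host name -> IP address (ip host ...)
        self.cache = {}                       # FQDN -> (IP address, expiry time)
        self.suffixes = list(suffixes)        # DNS suffix list
        self.clock = clock or (lambda: 0.0)   # injectable clock for deterministic runs
        self.queries_sent = 0

    def add_static(self, host, address):
        """ip host <host> <address>: the latest assignment wins; the table is capped at 50."""
        if host not in self.static and len(self.static) >= MAX_STATIC_MAPPINGS:
            raise ValueError("static mapping table is full (%d entries)" % MAX_STATIC_MAPPINGS)
        self.static[host] = address

    def reset_dynamic_cache(self):
        """reset dns dynamic-host"""
        self.cache.clear()

    def candidates(self, name):
        # Assumption: a name without a dot is tried with each suffix first, then as-is;
        # a dotted name is tried as-is first, then with each suffix.
        with_suffix = [f"{name}.{s}" for s in self.suffixes]
        return with_suffix + [name] if "." not in name else [name] + with_suffix

    def resolve(self, name, server):
        """server(fqdn) -> (address, ttl_seconds) or None; stands in for the DNS server."""
        if name in self.static:                          # static table is consulted first
            return self.static[name], "static"
        now = self.clock()
        for fqdn in self.candidates(name):
            hit = self.cache.get(fqdn)
            if hit and hit[1] > now:
                return hit[0], f"cache:{fqdn}"
            self.queries_sent += 1
            answer = server(fqdn)
            if answer:
                address, ttl = answer
                # Whatever the server returns is cached as-is: a spoofed answer that arrives
                # before the real one stays in the cache until the TTL lapses or it is reset.
                self.cache[fqdn] = (address, now + ttl)
                return address, f"dynamic:{fqdn}"
        return None, "unresolved"


ZONE = {"host.com": ("3.1.1.1", 300)}   # constructed stand-in for the server at 2.1.1.2


def fake_server(fqdn):
    return ZONE.get(fqdn)


def demo():
    """Walk through the chapter's dynamic example, then override with a static entry."""
    now = [1000.0]
    client = DnsClient(suffixes=["com"], clock=lambda: now[0])
    first = client.resolve("host", fake_server)     # queried as host.com, cached
    second = client.resolve("host", fake_server)    # served from the cache
    now[0] += 301                                   # past the 300 s TTL
    third = client.resolve("host", fake_server)     # queried again
    client.add_static("host", "10.1.1.2")
    client.add_static("host", "10.1.1.3")           # later assignment overwrites
    fourth = client.resolve("host", fake_server)    # static wins over the cache
    return first, second, third, fourth, client.queries_sent


def fills_to_cap():
    """True if the 51st distinct static mapping is refused."""
    client = DnsClient()
    for i in range(MAX_STATIC_MAPPINGS):
        client.add_static(f"h{i}", f"10.0.0.{i}")
    try:
        client.add_static("one-too-many", "10.0.1.1")
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the four resolutions; the second one comes from the cache without a query, and the fourth one is the static 10.1.1.3 even though the cache still holds 3.1.1.1.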

  • Page 947: Table of Contents

    I Table of contents: 1 Smart Link configuration (1-1); Smart Link overview ...

  • Page 948: Smart Link Configuration

    1-1 1 Smart Link configuration. Currently, only S3100-EI series Ethernet switches support the Smart Link feature. Smart Link overview: as shown in Figure 1-1, dual-uplink networking is widely used. Usually, the Spanning Tree Protocol (STP) is used to implement link redundancy backup in the n...

  • Page 949

    1-2 Master port: the master port can be either an Ethernet port or a manually configured or static LACP aggregation group. For example, you can configure Ethernet1/0/1 of Switch A in Figure 1-1 as the master port through the command line. Slave port: the slave port can be either an Ethernet port or a ...

  • Page 950

    1-3 Operating mechanism of Smart Link. Figure 1-2 Network diagram of the Smart Link operating mechanism (Switch A through Switch E; ports Eth1/0/1 through Eth1/0/3 and Eth1/0/11, Eth1/0/12; one link marked "block"). As shown in Figure 1-2, Ethernet1/0/1 on Switch A is active and Et...

  • Page 951

    1-4 Configuration tasks. Table 1-1 Smart Link configuration tasks (task, remarks): Configuring a Smart Link device: create a Smart Link group; add member ports to the Smart Link group; enable sending flush messages in the specified control VLAN (required). Configuring associated devices: enable ...

  • Page 953

    1-6 5) When a combo port operates as a member port of a Smart Link group, the optical port and the electrical port of the combo port must not both have a cable connected at the same time. 6) When you copy a port, the Smart Link/Monitor Link group member information configured on the port will not b...

  • Page 954

    1-7 Smart Link configuration example: implementing link redundancy backup. Network requirements: as shown in Figure 1-3, Switch A is an H3C S3100 series Ethernet switch. Switch C, Switch D, and Switch E support Smart Link. Configure the Smart Link feature to provide remote PCs with reliable access to the s...

  • Page 955

    1-8 # Configure Ethernet1/0/1 as the master port and Ethernet1/0/2 as the slave port of Smart Link group 1. [SwitchA-smlk-group1] port ethernet 1/0/1 master [SwitchA-smlk-group1] port ethernet 1/0/2 slave # Configure the group to send flush messages within VLAN 1. [SwitchA-smlk-group1] flush enable control-v...

  • Page 956: Monitor Link Configuration

    2-1 2 Monitor Link configuration. Currently, only S3100-EI series Ethernet switches support the Monitor Link feature. Introduction to Monitor Link: Monitor Link is a collaboration scheme introduced to complement Smart Link. It monitors the uplink and improves the backup function of Smart L...

  • Page 957

    2-2 How Monitor Link works. Figure 2-2 Network diagram for a Monitor Link group implementation (Switch A through Switch E; ports Eth1/0/1 through Eth1/0/3 and Eth1/0/11, Eth1/0/12; one link marked "block"). As shown in Figure 2-2, the devices Switch C and Switch D are connected...
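The Smart Link operating mechanism (active master, blocked slave, flush messages in a control VLAN that only devices enabled for that VLAN act on) and the Monitor Link collaboration described above, as an added Python simulation. This is not device code and not H3C's implementation. The topology is constructed for the example: Switch A runs a Smart Link group with Ethernet1/0/1 (master, toward Switch C) and Ethernet1/0/2 (slave); Switch C runs a Monitor Link group whose uplink Ethernet1/0/2 leads to the core and whose downlink Ethernet1/0/1 leads to Switch A; SwitchE and SwitchX are constructed upstream devices, and the MAC table contents are made up. Running it with and without Monitor Link shows why the collaboration exists: without it, Switch A's link to Switch C stays physically up when Switch C's uplink dies, so Smart Link never fails over.

```python
"""Smart Link failover with Monitor Link collaboration (added simulation)."""


class SmartLinkGroup:
    """One Smart Link group on the access switch: the master forwards, the slave is blocked."""

    def __init__(self, master, slave, control_vlan):
        self.master, self.slave, self.control_vlan = master, slave, control_vlan
        self.link_up = {master: True, slave: True}
        self.active = master

    def link_event(self, port, is_up):
        """Apply a port up/down event; return a flush message when the active port switches."""
        self.link_up[port] = is_up
        if is_up or port != self.active:
            return None                      # standby-side events or recoveries change nothing here
        standby = self.slave if port == self.master else self.master
        if not self.link_up[standby]:
            self.active = None               # both links down: nothing to fail over to
            return None
        self.active = standby
        return {"control_vlan": self.control_vlan, "active_port": standby}


class FlushReceiver:
    """An upstream device: it clears its MAC table only for flush messages in an enabled control VLAN."""

    def __init__(self, name, enabled_control_vlans):
        self.name = name
        self.enabled = set(enabled_control_vlans)
        self.mac_table = {"00:1a:2b:00:00:01": "learned via the old path"}   # constructed stale entry

    def receive_flush(self, message):
        if message["control_vlan"] not in self.enabled:
            return False                     # ignored; stale entries only age out normally
        self.mac_table.clear()
        return True


class MonitorLinkGroup:
    """On the intermediate switch: downlinks follow the uplink, turning a remote failure into a local one."""

    def __init__(self, uplink, downlinks):
        self.uplink, self.downlinks = uplink, list(downlinks)
        self.downlinks_shut = False

    def uplink_event(self, is_up):
        """Return the downlink ports whose state now follows the uplink."""
        self.downlinks_shut = not is_up
        return list(self.downlinks)


def run_uplink_failure(with_monitor_link=True):
    """Switch C's uplink fails; return (Switch A active port, core MAC table, other MAC table, log)."""
    switch_a = SmartLinkGroup(master="Ethernet1/0/1", slave="Ethernet1/0/2", control_vlan=1)
    switch_c = MonitorLinkGroup(uplink="Ethernet1/0/2", downlinks=["Ethernet1/0/1"])
    core = FlushReceiver("SwitchE", enabled_control_vlans=[1])
    other = FlushReceiver("SwitchX", enabled_control_vlans=[])    # never enabled for control VLAN 1
    log = []
    affected = switch_c.uplink_event(is_up=False) if with_monitor_link else []
    if not affected:
        log.append("SwitchA's link to SwitchC is still up; traffic keeps flowing into the dead end")
    for port in affected:
        log.append(f"SwitchC shuts downlink {port}")
        flush = switch_a.link_event("Ethernet1/0/1", is_up=False)   # Switch A now sees its master port down
        if flush:
            log.append(f"SwitchA activates {flush['active_port']} and sends flush in VLAN {flush['control_vlan']}")
            log.append(f"{core.name} cleared MAC table: {core.receive_flush(flush)}")
            log.append(f"{other.name} cleared MAC table: {other.receive_flush(flush)}")
    return switch_a.active, dict(core.mac_table), dict(other.mac_table), log


if __name__ == "__main__":
    for line in run_uplink_failure()[3] + run_uplink_failure(with_monitor_link=False)[3]:
        print(line)
```

The flush message carries the control VLAN so that a device which has not been configured to process flush messages in that VLAN (SwitchX here) leaves its MAC table alone, which is the behaviour the chapter's "configuring associated devices" task is about.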

  • Page 958

    2-3 Before configuring a Monitor Link group, you must create the group and configure member ports for it. A Monitor Link group consists of one uplink port and one or more downlink ports. The uplink port can be a manually configured or static LACP link aggregation group, an Ethernet por...

  • Page 959

    2-4 (operation, command, remarks) In Monitor Link group view: port interface-type interface-number uplink; quit; interface interface-type interface-number. Alternatively, in Ethernet port view, configure the port as the uplink port of the Monitor Link group: port monitor-link group group-id uplink. Configuring a...

  • Page 961

    2-6 [SwitchA-Ethernet1/0/1] stp disable [SwitchA-Ethernet1/0/1] quit [SwitchA] interface ethernet 1/0/2 [SwitchA-Ethernet1/0/2] stp disable # Return to system view. [SwitchA-Ethernet1/0/2] quit # Create Smart Link group 1 and enter Smart Link group view. [SwitchA] smart-link group 1 # Configure Ethe...

  • Page 962: Table of Contents

    I Table of contents: 1 ARP and IP attack defense configuration (1); ARP packet filtering based on gateway's address (1); Introdu...

  • Page 963

    1 1 ARP and IP attack defense configuration. ARP packet filtering based on the gateway's address. Introduction: according to the ARP design, after receiving an ARP packet whose target IP address is that of the receiving interface, a device adds the IP-to-MAC mapping of the sender into its ARP mapping...

  • Page 964

    2 Among the S3100 series Ethernet switches, only the S3100-EI series supports ARP packet filtering. Follow these steps to configure ARP packet filtering based on the gateway's address (to do, command, remarks): enter system view: system-view; enter Ethernet port view: interface interface-type interf...

  • Page 965

    3 (to do, command, remarks) Configure the maximum number of dynamic ARP entries that the VLAN interface can learn: arp max-learning-num number (optional; by default the number is not limited, which leaves the ARP table open to being filled by a flood of spoofed ARP packets). ARP/IP attack defense based on 802.1X ov...

  • Page 966

    4 Follow these steps to configure 802.1X-based ARP/IP attack defense (to do, command, remarks): enter system view: system-view; enable use of the IP-MAC bindings of authenticated 802.1X clients for ARP attack detection: ip source static import dot1x (required; disabled by default); enter Ethernet port ...

  • Page 967

    5 If they are not consistent, the ARP packet is considered invalid and the corresponding ARP entry is not learned. Enabling ARP source MAC address consistency check (to do, command, remarks): enter system view: system-view; enable ARP source MAC address consistency check: arp anti-attack valid...

  • Page 968

    6 [Switch] interface ethernet 1/0/2 [Switch-Ethernet1/0/2] arp filter source 192.168.100.1 [Switch-Ethernet1/0/2] quit # Configure ARP packet filtering based on the gateway's IP address on Ethernet 1/0/3. [Switch] interface ethernet 1/0/3 [Switch-Ethernet1/0/3] arp filter source 192.168.100.1 [Switc...

  • Page 969

    7 [SwitchA-Vlan-interface1] arp max-learning-num 500 [SwitchA-Vlan-interface1] quit ARP/IP attack defense configuration example III. Network requirements: Host A is assigned a static IP address and has an 802.1X client installed. A CAMS authentication, authorization, and accounting serve...

  • Page 970

    8 [Switch] interface ethernet1/0/1 [Switch-Ethernet1/0/1] dot1x # Enable IP filtering based on the IP-MAC bindings of authenticated 802.1X clients. [Switch-Ethernet1/0/1] ip check dot1x enable.
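The three port-level checks this chapter configures, as an added Python example that is not switch code and not H3C's implementation: arp filter source (drop ARP packets whose sender IP is the gateway's address, so a host cannot impersonate the gateway), arp anti-attack valid-check (drop ARP packets whose Ethernet source MAC differs from the ARP sender hardware address), and the 802.1X-based defense (ip source static import dot1x / ip check dot1x: only IP-MAC pairs of authenticated clients may send ARP or IP packets through the port). The frames, the bindings, the host and attacker MAC addresses, and the gateway 192.168.100.1 from the example are constructed here; the ordering of the checks is an assumption.

```python
"""Port-level ARP/IP attack defense checks (added example)."""
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip4(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp(src_mac, dst_mac, opcode, sha, spa, tha, tpa):
    """Ethernet II frame carrying an ARP packet (RFC 826 layout, 42 bytes)."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, opcode) + sha + spa + tha + tpa
    return eth + arp


def build_ipv4(src_mac, dst_mac, src_ip, dst_ip):
    """Ethernet II frame with a minimal 20-byte IPv4 header and no payload."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 17, 0) + src_ip + dst_ip
    return eth + hdr


class PortPolicy:
    def __init__(self, gateway_ips=(), dot1x_bindings=None, mac_consistency=True):
        self.gateway_ips = {ip4(g) for g in gateway_ips}          # arp filter source ...
        # {MAC: IP} pairs imported from authenticated 802.1X clients; None means the check is off
        self.bindings = None if dot1x_bindings is None else {mac(m): ip4(i) for m, i in dot1x_bindings.items()}
        self.mac_consistency = mac_consistency                     # arp anti-attack valid-check

    def inspect(self, frame):
        """Return (accepted, reason) for one ingress frame on this host-facing port."""
        if len(frame) < 14:
            return False, "runt frame"
        src_mac = frame[6:12]
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETHERTYPE_ARP:
            if len(frame) < 42:
                return False, "truncated ARP packet"
            sha, spa = frame[22:28], frame[28:32]
            if self.mac_consistency and sha != src_mac:
                return False, "ARP sender MAC differs from Ethernet source MAC"
            if spa in self.gateway_ips:
                return False, "ARP sender claims the gateway address"
            if self.bindings is not None and self.bindings.get(sha) != spa:
                return False, "ARP sender is not an authenticated 802.1X IP-MAC binding"
            return True, "ARP packet accepted"
        if ethertype == ETHERTYPE_IPV4:
            if len(frame) < 34:
                return False, "truncated IPv4 packet"
            src_ip = frame[26:30]
            if self.bindings is not None and self.bindings.get(src_mac) != src_ip:
                return False, "IP source does not match an authenticated 802.1X binding"
            return True, "IP packet accepted"
        return True, "not subject to ARP/IP checks"


GATEWAY = "192.168.100.1"                                  # gateway address from the chapter's example
HOST_A_MAC, HOST_A_IP = "00:1a:2b:3c:4d:5e", "192.168.100.10"   # constructed authenticated client
ATTACKER_MAC = "00:de:ad:be:ef:01"                         # constructed unauthenticated host


def demo():
    """Run constructed frames through a port that has all three checks enabled."""
    policy = PortPolicy(gateway_ips=[GATEWAY], dot1x_bindings={HOST_A_MAC: HOST_A_IP})
    bcast, router_mac = mac("ff:ff:ff:ff:ff:ff"), mac("00:00:5e:00:01:01")
    frames = {
        "host_a_arp": build_arp(mac(HOST_A_MAC), bcast, 1, mac(HOST_A_MAC), ip4(HOST_A_IP), bytes(6), ip4(GATEWAY)),
        "gateway_spoof": build_arp(mac(ATTACKER_MAC), bcast, 2, mac(ATTACKER_MAC), ip4(GATEWAY), mac(HOST_A_MAC), ip4(HOST_A_IP)),
        "mac_mismatch": build_arp(mac(ATTACKER_MAC), bcast, 1, mac(HOST_A_MAC), ip4(HOST_A_IP), bytes(6), ip4(GATEWAY)),
        "unbound_ip": build_ipv4(mac(ATTACKER_MAC), router_mac, ip4("192.168.100.99"), ip4("10.0.0.1")),
        "host_a_ip": build_ipv4(mac(HOST_A_MAC), router_mac, ip4(HOST_A_IP), ip4("10.0.0.1")),
    }
    return {name: policy.inspect(frame) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {'ACCEPT' if verdict[0] else 'DROP  '} {verdict[1]}")
```

Only the legitimate ARP request and IP packet from Host A pass; the gateway impersonation, the frame whose ARP sender MAC does not match the Ethernet source, and the IP packet from an address that no authenticated client owns are all dropped at the port.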

  • Page 971: Table of Contents

    I Table of contents: 1 LLDP configuration (1-1); Overview ...

  • Page 972: Lldp Configuration

    1-1 1 LLDP configuration. When configuring LLDP, go to these sections for the information you need: Overview; LLDP configuration task list; Performing basic LLDP configuration; Configuring CDP compatibility; Configuring LLDP trapping; Displaying and maintaining LLDP; LLDP configurati...

  • Page 973

    1-2 Figure 1-1 Ethernet II-encapsulated LLDP frame format. The fields in the frame are described in Table 1-1. Table 1-1 Description of the fields in an Ethernet II-encapsulated LLDP frame (field, description): Destination MAC address: the MAC address to which the LLDPDU is advertised. It is fixed to 0x0...

  • Page 974

    1-3 (field, description) Source MAC address: the MAC address of the sending port; if the port does not have a MAC address, the MAC address of the sending bridge is used. Type: the SNAP type for the upper layer protocol, 0xAAAA-0300-0000-88CC for LLDP. Data: the LLDPDU. FCS: frame check sequence, a 32-bit...

  • Page 975

    1-4 (type, description, remarks) Port Description: port description of the sending port. System Name: assigned name of the sending device. System Description: description of the sending device. System Capabilities: identifies the primary functions of the sending device and the primary functions that have be...
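The frame and TLV layout described on the preceding pages (Ethernet II with type 0x88CC or SNAP with 0xAAAA-0300-0000-88CC, then TLVs each headed by a 7-bit type and 9-bit length, with Chassis ID, Port ID and TTL mandatory and an End TLV closing the LLDPDU), as an added Python builder and parser. This is example code, not the switch's LLDP implementation. The frame contents (switch MAC 00e0.fc00.0001, port name, system name, and the organizationally specific TLV with OUI 00-12-BB) are constructed here. LLDP is unauthenticated, so the parser checks every length against the bytes actually present before using it, which is the property a neighbour-discovery receiver most needs.

```python
"""Build and parse LLDP frames in both encapsulations (added example)."""
import struct

LLDP_MULTICAST = bytes.fromhex("0180c200000e")          # 01:80:C2:00:00:0E
LLDP_ETHERTYPE = 0x88CC
SNAP_HEADER = bytes.fromhex("aaaa03000000") + struct.pack("!H", LLDP_ETHERTYPE)

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYSTEM_NAME, TLV_SYSTEM_DESC, TLV_SYSTEM_CAP, TLV_MGMT_ADDR = 4, 5, 6, 7, 8
KNOWN_TYPES = {TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_PORT_DESC,
               TLV_SYSTEM_NAME, TLV_SYSTEM_DESC, TLV_SYSTEM_CAP, TLV_MGMT_ADDR}


def tlv(tlv_type, value):
    """2-byte header: 7-bit type in the high bits, 9-bit length in the low bits."""
    if not 0 <= len(value) <= 511:
        raise ValueError("TLV value must fit in 9 length bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac, port_name, ttl, system_name=None, extra=()):
    pdu = tlv(TLV_CHASSIS_ID, b"\x04" + chassis_mac)           # chassis subtype 4: MAC address
    pdu += tlv(TLV_PORT_ID, b"\x05" + port_name.encode())       # port subtype 5: interface name
    pdu += tlv(TLV_TTL, struct.pack("!H", ttl))
    if system_name is not None:
        pdu += tlv(TLV_SYSTEM_NAME, system_name.encode())
    for tlv_type, value in extra:
        pdu += tlv(tlv_type, value)
    return pdu + tlv(TLV_END, b"")


def build_frame(src_mac, lldpdu, snap=False):
    if snap:                                                    # 802.3 length field + SNAP header
        payload = SNAP_HEADER + lldpdu
        return LLDP_MULTICAST + src_mac + struct.pack("!H", len(payload)) + payload
    return LLDP_MULTICAST + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


def parse_frame(frame):
    """Return the mandatory TLVs, the system name and the unknown-TLV count of one LLDP frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if dst != LLDP_MULTICAST:
        raise ValueError("not sent to the LLDP multicast address")
    if type_or_len == LLDP_ETHERTYPE:
        encap, body = "ethernet-ii", frame[14:]
    elif type_or_len <= 1500 and frame[14:22] == SNAP_HEADER:
        encap, body = "snap", frame[22:14 + type_or_len]
    else:
        raise ValueError("neither Ethernet II nor SNAP LLDP encapsulation")
    tlvs, offset, unknown = [], 0, 0
    while True:
        if offset + 2 > len(body):
            raise ValueError("LLDPDU ends before an End TLV")
        header = struct.unpack("!H", body[offset:offset + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        if offset + 2 + length > len(body):
            raise ValueError("TLV length runs past the end of the frame")
        value = body[offset + 2:offset + 2 + length]
        offset += 2 + length
        if tlv_type == TLV_END:
            break
        if tlv_type not in KNOWN_TYPES:
            unknown += 1                                        # e.g. organizationally specific (127)
        tlvs.append((tlv_type, value))
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("Chassis ID, Port ID and TTL must be the first three TLVs")
    chassis, port, ttl = tlvs[0][1], tlvs[1][1], tlvs[2][1]
    if len(chassis) < 2 or len(port) < 2 or len(ttl) != 2:
        raise ValueError("malformed mandatory TLV")
    info = {
        "encapsulation": encap,
        "source_mac": src.hex(":"),
        "chassis_id": chassis[1:].hex(":") if chassis[0] == 4 else chassis[1:].decode("utf-8", "replace"),
        "port_id": port[1:].decode("utf-8", "replace"),
        "ttl": struct.unpack("!H", ttl)[0],
        "unknown_tlvs": unknown,
    }
    for tlv_type, value in tlvs[3:]:
        if tlv_type == TLV_SYSTEM_NAME:
            info["system_name"] = value.decode("utf-8", "replace")
    return info


def is_well_formed(frame):
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


SWITCH_MAC = bytes.fromhex("00e0fc000001")                    # constructed chassis MAC
MED_CAPABILITIES = (127, b"\x00\x12\xbb\x01\x00\x01\x03")       # constructed LLDP-MED capabilities TLV


def sample_frame(snap=False):
    pdu = build_lldpdu(SWITCH_MAC, "Ethernet1/0/1", 120, "SwitchA", extra=[MED_CAPABILITIES])
    return build_frame(SWITCH_MAC, pdu, snap=snap)


if __name__ == "__main__":
    print(parse_frame(sample_frame()))
```

The unknown_tlvs counter corresponds to the "Number of received unknown TLV" line in the display output shown later in the chapter: the organizationally specific TLV is counted but not decoded.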

  • Page 976

    1-5 LLDP-MED TLVs: LLDP-MED TLVs provide multiple advanced applications for Voice over IP (VoIP), such as basic configuration, network policy configuration, and address and directory management. LLDP-MED TLVs satisfy voice device vendors' requirements for cost effectiveness, ease of deployment, a...

  • Page 977

    1-6 How LLDP works. Transmitting LLDP frames: an LLDP-enabled port operating in TxRx mode or Tx mode sends LLDP frames to its directly connected devices both periodically and when the local configuration changes. To prevent the network from being overwhelmed by LLDP frames at times of frequent local d...

  • Page 978

    1-7 Performing basic LLDP configuration. Enabling LLDP: to make LLDP take effect on certain ports, you need to enable LLDP both globally and on those ports. Follow these steps to enable LLDP (to do, command, remarks): enter system view: system-view; enable LLDP globally: lldp enable (required; by d...

  • Page 979

    1-8 Enabling LLDP polling: with LLDP polling enabled, a device checks for local configuration changes periodically. Upon detecting a configuration change, the device sends LLDP frames to inform the neighboring devices of the change. Follow these steps to enable LLDP polling (to do, command, r...

  • Page 980

    1-9 (to do, command, remarks) Enter Ethernet interface view: interface interface-type interface-number (required). Enable LLDP to advertise management address TLVs and configure the advertised management IP address: lldp management-address-tlv [ ip-address ] (optional; the address is announced to whatever is attached to the port, so consider leaving it off on ports facing untrusted hosts). By default, the management addr...

  • Page 981

    1-10 Setting an encapsulation format for LLDPDUs: LLDPDUs can be encapsulated in Ethernet II or SNAP frames. With Ethernet II encapsulation configured, an LLDP port sends LLDPDUs in Ethernet II frames and processes an incoming LLDP frame only when it is Ethernet II encapsulated. With SNAP encapsu...

  • Page 982

    1-11 With CDP compatibility enabled, the device can use LLDP to receive and recognize CDP packets from Cisco IP phones and respond with CDP packets carrying the device's voice VLAN ID, so that the IP phones configure the voice VLAN automatically. In this way, voice traffic is confined to the conf...

  • Page 983

    1-12 Follow these steps to configure LLDP trapping (to do, command, remarks): enter system view: system-view; enter Ethernet interface view: interface interface-type interface-number (required); enable LLDP trap sending: lldp notification remote-change enable (required; disabled by default); quit to sy...

  • Page 984

    1-13 Figure 1-4 Network diagram for basic LLDP configuration (NMS, Switch A, MED device, and Switch B; Switch A uses Eth1/0/1 and Eth1/0/2, Switch B uses Eth1/0/1). Configuration procedure: 1) Configure Switch A. # Enable LLDP globally. system-view [SwitchA] lldp enable # Enable LLDP on Ethernet 1/0/1 and Ethernet 1/0/2 (you can skip this step becaus...

  • Page 985

    1-14 Hold multiplier : 4 Reinit delay : 2s Transmit delay : 2s Trap interval : 5s Fast start times : 3 Port 1 [Ethernet1/0/1]: Port status of LLDP : Enable Admin status : Rx_Only Trap flag : No Roll time : 0s Number of neighbors : 1 Number of MED neighbors : 1 Number of CDP neighbors : 0 Number of s...

  • Page 986

    1-15 Port status of LLDP : Enable Admin status : Rx_Only Trap flag : No Roll time : 0s Number of neighbors : 1 Number of MED neighbors : 1 Number of CDP neighbors : 0 Number of sent optional TLV : 0 Number of received unknown TLV : 5 Port 2 [Ethernet1/0/2]: Port status of LLDP : Enable Admin status ...

  • Page 987

    1-16 Figure 1-5 Network diagram for CDP-compatible LLDP configuration. Configuration procedure: 1) Configure a voice VLAN on Switch A. # Create VLAN 2. system-view [SwitchA] vlan 2 [SwitchA-vlan2] quit # Set the link type of Ethernet 1/0/1 and Ethernet 1/0/2 to trunk and enable voice VLAN on them. [Swi...

  • Page 988

    1-17 [SwitchA] display lldp neighbor-information CDP neighbor-information of port 1[Ethernet1/0/1]: CDP neighbor index : 1 Chassis ID : SEP00141CBCDBFE Port ID : Port 1 Sofrware version : P0030301MFG2 Platform : Cisco IP Phone 7960 Duplex : full CDP neighbor-information of port 2[Ethernet1/0/2]: CDP...

  • Page 989: Table of Contents

    I Table of contents: 1 PKI configuration (1-1); Introduction to PKI ...

  • Page 990: Pki Configuration

    1-1 1 PKI configuration. When configuring PKI, go to these sections for the information you need: Introduction to PKI; PKI configuration task list; Displaying and maintaining PKI; PKI configuration examples; Troubleshooting PKI. Introduction to PKI: this section covers these topics: PK...

  • Page 991

    1-2 CAs are trusted by different users in a PKI system, the CAs form a CA tree with the root CA at the top level. The root CA has a CA certificate signed by itself, while each lower-level CA has a CA certificate signed by the CA at the next higher level. CRL: an existing certificate may need to b...

  • Page 992

    1-3 CA: a CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies their validity periods, and revokes certificates as needed by publishing CRLs. RA: a registration authority (RA) is an extended part of a CA or an independen...

  • Page 993

    1-4 2) The RA reviews the identity of the entity and then sends the identity information and the public key, with a digital signature, to the CA. 3) The CA verifies the digital signature, approves the application, and issues a certificate. 4) The RA receives the certificate from the CA, sends it to th...

  • Page 994

    1-5 The configuration of an entity DN must comply with the CA's certificate issuing policy. You need to determine, for example, which entity DN parameters are mandatory and which are optional; otherwise the certificate request may be rejected. Follow these steps to configure an entity DN (to do, use the co...

  • Page 995

    1-6 Configuring a PKI domain: before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other applications such as SSL, and has only local significance. A PKI...

  • Page 998

    1-9 If a PKI domain already has a local certificate, creating an RSA key pair will make the key pair inconsistent with the certificate. To generate a new RSA key pair, delete the local certificate and then run the public-key local create command. A newly created key pair will over...

  • Page 999

    1-10 If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This avoids inconsistency between the certificate and the registration information caused by related configuration changes. To retrieve a new CA certificate, use the pki delete-certificate ...

  • Page 1000

    1-11 (to do, command, remarks) Enter PKI domain view: pki domain domain-name. Disable CRL checking: crl check disable (required for this procedure; enabled by default. With CRL checking disabled the device cannot notice that a certificate has been revoked, so use this only where no CRL distribution point is reachable). Return to system view: quit. Retrieve the CA certificate: refer to Retrieving a certificate manually (required). Verify the validity of the certificate p...

  • Page 1001

    1-12 Configuring an access control policy: by configuring a certificate attribute-based access control policy, you can further control access to the server, providing additional security for it. Follow these steps to configure a certificate attribute-based access control policy (to do, use th...

  • Page 1002

    1-13 PKI configuration examples. The SCEP plug-in is required when you use Windows Server as the CA; in this case, when configuring the PKI domain, use the certificate request from ra command to specify that the entity requests a certificate from an RA. The SCEP plug-in is not req...

  • Page 1003

    1-14 After configuring the basic attributes, you need to perform configuration on the jurisdiction configuration page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting (autovetting approves requests from the listed addresses without an operator reviewing them, so keep the list to the devices that must enroll). # Configure the ...

  • Page 1004

    1-15 Apply for certificates. # Retrieve the CA certificate and save it locally. Compare the fingerprint the switch prints with the one published by the CA operator over a separate channel before confirming; this comparison is the only check performed on the retrieved CA certificate. [Switch] pki retrieval-certificate ca domain torsa Retrieving CA/RA certificates. Please wait a while...... The trusted CA's finger print is: MD5 fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB SHA1 fingerprint: 7...

  • Page 1005

    1-16 modulus (1024 bit): 00d67d50 41046f6a 43610335 ca6c4b11 f8f89138 e4e905bd 43953ba2 623a54c0 ea3cb6e0 b04649ce c9cddd38 34015970 981e96d9 ff4f7b73 a5155649 e583ac61 d3a5c849 cbde350d 2a1926b7 0ae5ef5e d1d8b08a dbf16205 7c2a4011 05f11094 73eb0549 a65d9e74 0f2953f2 d4f0042f 19103439 3d4f9359 88fb5...

  • Page 1006

    1-17 Configuration procedure: 1) Configure the CA server. Install the certificate server suites: from the Start menu, select Control Panel > Add or Remove Programs, then select Add/Remove Windows Components > Certificate Services and click Next to begin the installation. Install the SCEP plug-i...

  • Page 1007

    1-18 # Specify the entity for certificate request as aaa. [Switch-pki-domain-torsa] certificate request entity aaa Generate a local key pair using RSA: [Switch] public-key local create rsa The range of public key size is (512 ~ 2048). Choose 2048: 512-bit RSA keys can be factored with modest resources and 1024-bit keys are no longer considered adequate. Notes: if the key modulus is greater than 512, it may take a few...

  • Page 1008

    1-19 Subject: CN=switch Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00a6637a 8cdea1ac b2e04a59 f7f6a9fe 5aee52ae 14a392e4 e0e5d458 0d341113 0bf91e57 fa8c67ac 6ce8febb 5570178b 10242fdd d3947f5e 2da70bd9 1faf07e5 1d167ce1 fc20394f 476f5c...

  • Page 1009

    1-20 The network connection is not proper; for example, the network cable may be damaged or loose. No trusted CA is specified. The URL of the registration server for certificate requests is incorrect or not configured. No authority is specified for certificate requests. The system clock of...

  • Page 1010

    1-21 The CRL distribution URL is not configured. The LDAP server version is wrong. Solution: make sure that the network connection is physically sound; retrieve a CA certificate; specify the IP address of the LDAP server; specify the CRL distribution URL; reconfigure the LDAP version.

  • Page 1011: Table of Contents

    I Table of contents: 1 SSL configuration (1-1); SSL overview ...

  • Page 1012: Ssl Configuration

    1-1 1 SSL configuration. When configuring SSL, go to these sections for the information you need: SSL overview; SSL configuration task list; Displaying and maintaining SSL; Troubleshooting SSL. SSL overview: Secure Sockets Layer (SSL) is a security protocol providing secure connection ser...

  • Page 1013

    1-2 SSL protocol stack: as shown in Figure 1-2, the SSL protocol consists of two layers: the SSL record protocol at the lower layer, and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer. Figure 1-2 SSL protocol stack. SSL handshake protocol:...

  • Page 1014

    1-3 Configuration prerequisites: when configuring an SSL server policy, you need to specify the PKI domain to be used for obtaining the server-side certificate. Therefore, before configuring an SSL server policy, you must configure a PKI domain. Configuration procedure: follow these steps to configur...

  • Page 1015

    1-4 If you enable client authentication here, you must request a local certificate for the client. Currently, SSL mainly comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0, where TLS 1.0 corresponds to SSL 3.1. SSL 2.0 and SSL 3.0 have since been prohibited (RFC 6176 and RFC 7568) because of protocol-level weaknesses, so a server policy should not accept them. When the device acts as an SSL server, it can communicate with clients running SS...

  • Page 1016

    1-5 [Switch-pki-entity-en] quit # Create a PKI domain and configure it. [Switch] pki domain 1 [Switch-pki-domain-1] ca identifier ca1 [Switch-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll [Switch-pki-domain-1] certificate request from ra [Switch-pki-domain-1] certific...

  • Page 1017

    1-6 # Configure the system to strip the domain name from a user name before sending the user name to the RADIUS server. [Switch-radius-radius1] user-name-format without-domain [Switch-radius-radius1] quit # Create ISP domain aabbcc.net for web authentication users and enter domain view. [Switch]...

  • Page 1019

    1-8 If the SSL server is configured to authenticate the client but the client's certificate does not exist or cannot be trusted, request and install a certificate for the client. 2) You can use the display ssl server-policy command to view the cipher suite used by the SSL server policy. ...
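The version numbering the overview gives (TLS 1.0 is SSL 3.1, i.e. 0x0301 on the wire, with SSL 3.0 at 0x0300) and the cipher-suite check in the troubleshooting step above, as an added Python example that parses a ClientHello and applies a version and cipher-suite policy. This is example code, not the device's SSL implementation. The hello bytes are constructed here; the cipher suite codes and names are the IANA-registered ones, and the choice of TLS 1.2 as the floor and of NULL, RC4 and 3DES as the rejected suites is the policy assumed for this example.

```python
"""Parse a TLS/SSL ClientHello and check it against a version/cipher policy (added example)."""
import os
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0 (SSL 3.1)", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUITE_NAMES = {0x0000: "TLS_NULL_WITH_NULL_NULL", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
               0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
               0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
               0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
WEAK_SUITES = {0x0000, 0x0004, 0x0005, 0x000A}      # NULL, RC4, 3DES: assumed policy


def build_client_hello(version, suites, client_random=None):
    """Minimal ClientHello: no session ID, null compression, no extensions."""
    rnd = client_random if client_random is not None else os.urandom(32)
    body = struct.pack("!H", version) + rnd + b"\x00"               # version, random, empty session ID
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                             # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake   # record: handshake type


def parse_client_hello(record):
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", record[1:5])
    handshake = record[5:5 + record_len]
    if len(handshake) != record_len or len(handshake) < 4 or handshake[0] != 0x01:
        raise ValueError("record does not hold a complete ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    if len(body) < 2 + 32 + 1 + 2 + 1:
        raise ValueError("ClientHello too short")
    version = struct.unpack("!H", body[:2])[0]
    offset = 2 + 32                                                  # skip the client random
    offset += 1 + body[offset]                                       # skip the session ID
    if offset + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    suites_len = struct.unpack("!H", body[offset:offset + 2])[0]
    offset += 2
    if suites_len % 2 or offset + suites_len > len(body):
        raise ValueError("bad cipher_suites vector")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(offset, offset + suites_len, 2)]
    # TLS 1.3 clients put 0x0303 in this field and signal 1.3 through a supported_versions
    # extension that this parser does not read, so 0x0303 is the highest value seen here.
    return {"record_version": record_version, "version": version, "cipher_suites": suites}


def policy_violations(hello, minimum_version=0x0303):
    """List the reasons a server with this policy would refuse the hello; empty means accept."""
    problems = []
    if hello["version"] < minimum_version:
        problems.append("client version %s is below %s" % (
            VERSION_NAMES.get(hello["version"], hex(hello["version"])), VERSION_NAMES[minimum_version]))
    for suite in hello["cipher_suites"]:
        if suite in WEAK_SUITES:
            problems.append("weak cipher suite %s" % SUITE_NAMES.get(suite, hex(suite)))
    return problems


if __name__ == "__main__":
    legacy = build_client_hello(0x0301, [0x0004, 0x002F])            # TLS 1.0 with an RC4 suite
    print(policy_violations(parse_client_hello(legacy)))
    modern = build_client_hello(0x0303, [0xC02F, 0xC030])
    print(policy_violations(parse_client_hello(modern)))
```

The parser rejects any length that does not match the bytes present rather than indexing past them, which matters because a ClientHello is the first thing an unauthenticated peer sends.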

  • Page 1020: Table of Contents

    I Table of contents: 1 HTTPS configuration (1-1); HTTPS overview ...

  • Page 1021: Https Configuration

    1-1 1 HTTPS configuration. When configuring HTTPS, go to these sections for the information you need: HTTPS overview; HTTPS configuration task list; Associating the HTTPS service with an SSL server policy; Enabling the HTTPS service; Associating the HTTPS service with a certificate att...

  • Page 1022

    1-2 Associating the HTTPS service with an SSL server policy: you need to associate the HTTPS service with a created SSL server policy before enabling the HTTPS service. Follow these steps to associate the HTTPS service with an SSL server policy (to do, command, remarks): enter system view: syste...

  • Page 1023

    1-3 Associating the HTTPS service with a certificate attribute access control policy: associating the HTTPS service with a configured certificate access control policy restricts which clients may access the device, giving it enhanced security. Follow these steps to associate the h...

  • Page 1024

    1-4 HTTPS configuration example. Network requirements: Host acts as the HTTPS client and Device acts as the HTTPS server. Host accesses Device through the web to control Device. A CA (certificate authority) issues a certificate to Device; the common name of the CA is new-ca. In this configuration example, w...

  • Page 1025

    1-5 [Device] pki retrieval-certificate ca domain 1 # Apply for a local certificate. [Device] pki request-certificate domain 1 2) Configure an SSL server policy associated with the HTTPS service. # Configure an SSL server policy. [Device] ssl server-policy myssl [Device-ssl-server-policy-myssl] pki-do...

  • Page 1026: Table of Contents

    I Table of contents: 1 Ethernet OAM configuration (1-1); Ethernet OAM overview ...

  • Page 1027: Ethernet Oam Configuration

    1-1 1 Ethernet OAM configuration. When configuring the Ethernet OAM function, go to these sections for the information you need: Ethernet OAM overview; Ethernet OAM configuration task list; Configuring basic Ethernet OAM functions; Configuring link monitoring; Enabling OAM remote loopb...

  • Page 1028

    1-2 Ethernet OAMPDUs: Figure 1-1 shows the formats of the different types of OAMPDUs. Figure 1-1 Formats of different types of Ethernet OAMPDUs. The fields in an OAMPDU are described in Table 1-1. Table 1-1 Description of the fields in an OAMPDU (field, description): Dest addr: destination MAC address of the Eth...

  • Page 1029

    1-3 Table 1-2 Functions of different types of OAMPDUs (OAMPDU type, function): Information OAMPDU: used for transmitting state information of an Ethernet OAM entity (including information about the local device and remote devices, and customized information) to the remote Ethernet OAM entity and main...

  • Page 1030

    1-4 OAM connections can be initiated only by OAM entities operating in active OAM mode, while those operating in passive mode wait for and respond to connection requests sent by their peers. No OAM connection can be established between two OAM entities that both operate in passive OAM mode. After an Etherne...

  • Page 1031

    1-5 The system transforms the detection period for errored frame period events into the maximum number of 64-byte frames that a port can send in that period; that is, the system uses the maximum number of frames sent as the period. The maximum number of frames sent is calculated using this...

  • Page 1032

    1-6 (task, remarks) Configuring link monitoring: configuring errored symbol event detection (optional); configuring errored frame event detection (optional); configuring errored frame period event detection (optional); configuring errored frame seconds event detection (optional). Enabling OAM remote loopback (option...

  • Page 1033

    1-7 (to do, command, remarks) Enter system view: system-view. Configure the Ethernet OAM handshake packet transmission interval: oam timer hello interval (optional; 1000 milliseconds by default). Configure the Ethernet OAM connection timeout timer: oam timer keepalive interval (optional; 5000 milliseco...

  • Page 1034

    1-8 Follow these steps to configure errored frame event detection (to do, command, remarks): enter system view: system-view; configure the errored frame event detection interval: oam errored-frame period period-value (optional; 1 second by default); configure the errored frame event triggering thre...
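The windowed threshold detection this chapter configures (an errored frame event when the errored frames counted within the detection interval reach the triggering threshold, and, from the task list, an errored frame seconds event when the number of seconds containing errors within its own interval reaches its threshold), as an added Python example. It is not device code. Assumed here, not taken from the page: the windows are fixed and non-overlapping, an errored second is any second with at least one errored frame, an event fires when a count reaches (not exceeds) the threshold, and the per-second error counts fed in are constructed.

```python
"""Errored frame and errored frame seconds event detection over fixed windows (added example)."""


class OamLinkMonitor:
    def __init__(self, frame_period=1, frame_threshold=1, seconds_period=60, seconds_threshold=1):
        self.frame_period, self.frame_threshold = frame_period, frame_threshold
        self.seconds_period, self.seconds_threshold = seconds_period, seconds_threshold
        self._frames_in_window = 0          # errored frames seen in the current frame window
        self._ticks_in_frame_window = 0
        self._errored_seconds = 0           # seconds with >= 1 errored frame in the current window
        self._ticks_in_seconds_window = 0
        self.second = 0
        self.events = []                    # (second, event type, measured value)

    def add_second(self, errored_frames):
        """Feed the errored-frame count of one elapsed second; return the events fired now."""
        self.second += 1
        fired = []
        self._frames_in_window += errored_frames
        self._ticks_in_frame_window += 1
        if self._ticks_in_frame_window == self.frame_period:
            if self._frames_in_window >= self.frame_threshold:
                fired.append((self.second, "errored-frame", self._frames_in_window))
            self._frames_in_window = 0
            self._ticks_in_frame_window = 0
        if errored_frames > 0:
            self._errored_seconds += 1
        self._ticks_in_seconds_window += 1
        if self._ticks_in_seconds_window == self.seconds_period:
            if self._errored_seconds >= self.seconds_threshold:
                fired.append((self.second, "errored-frame-seconds", self._errored_seconds))
            self._errored_seconds = 0
            self._ticks_in_seconds_window = 0
        self.events.extend(fired)
        return fired

    def summary(self):
        """(total link events, errored frame events), in the spirit of the chapter's verification output."""
        frame_events = sum(1 for _, kind, _ in self.events if kind == "errored-frame")
        return len(self.events), frame_events


def demo():
    """Five-second frame window with threshold 10; ten-second errored-seconds window with threshold 3."""
    monitor = OamLinkMonitor(frame_period=5, frame_threshold=10, seconds_period=10, seconds_threshold=3)
    for count in [0, 4, 0, 8, 0, 1, 0, 1, 0, 1]:     # constructed per-second errored-frame counts
        monitor.add_second(count)
    return monitor.events, monitor.summary()


if __name__ == "__main__":
    print(demo())
```

With these inputs the first five-second window holds 12 errored frames and fires an errored frame event, the second window holds only 3 and stays quiet, and the ten-second window contains five errored seconds and fires an errored frame seconds event: a link with a low but persistent error rate is caught by the seconds counter even when no single frame window crosses its threshold.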

  • Page 1035

    1-9 Enabling OAM remote loopback: after enabling OAM remote loopback on a port, you can send loopback frames from the port to a remote port and observe how many of them are returned. While loopback is active the remote port returns every other frame as well, so normal traffic on the link is interrupted; run it in a maintenance window. In this way you can calculate the packet loss ratio on the link and evaluate link perfo...

  • Page 1036

    1-10 Displaying and maintaining Ethernet OAM configuration (to do, command, remarks): display global Ethernet OAM configuration: display oam configuration; display the statistics on critical events after an Ethernet OAM connection is established: display oam critical-event [ interface interface-ty...

  • Page 1037

    1-11 # Configure Ethernet 1/0/1 to operate in active Ethernet OAM mode (the default) and enable Ethernet OAM on it. system-view [DeviceB] interface ethernet 1/0/1 [DeviceB-Ethernet1/0/1] oam mode active [DeviceB-Ethernet1/0/1] oam enable [DeviceB-Ethernet1/0/1] quit 3) Verify the configuration. Use ...

  • Page 1038

    1-12 The above information indicates that 35 errors have occurred since Ethernet OAM was enabled on Device A, 17 of which were caused by errored frames. The link is unstable.

  • Page 1039: Table of Contents

    I Table of contents: 1 CFD configuration (1-1); Overview ...

  • Page 1040: Cfd Configuration

    1-1 1 CFD configuration. When configuring CFD, go to these sections for the information you need: Overview; CFD configuration task list; Configuring basic CFD settings; Configuring CFD functions; Displaying and maintaining CFD; CFD configuration example. Only the S3100-EI series suppor...

  • Page 1041

    1-2 Figure 1-1 Two nested MDs. CFD exchanges messages and performs operations on a per-domain basis. By planning MDs properly in a network, you can use CFD to rapidly locate failure points. Maintenance association: a maintenance association (MA) is a set of maintenance points (MPs) in an MD. An MA is ...

  • Page 1042

    1-3 As shown in Figure 1-2, an outward-facing MEP sends packets to its host port. Figure 1-3 Inward-facing MEP. As shown in Figure 1-3, an inward-facing MEP does not send packets to its host port; rather, it sends packets to other ports on the device. MIP: a MIP is internal to an MD. It cannot sen...

  • Page 1043

    1-4 Figure 1-4 Levels of MPs (Device A through Device F; nested MDs at levels 5, 3, 2, and 0; legend: outward-facing MEP and MD level, MIP and MD level, maintenance association, logical path of CFD messages; ports 1, 2, and 5 labelled) ...

  • Page 1044

    1-5 Linktrace. Linktrace is responsible for identifying the path between the source MEP and the destination MEP. This function is implemented in the following way: the source MEP multicasts linktrace messages (LTMs) to the destination MEP. After receiving the messages, the destination MEP and the MIP...

  • Page 1045

    1-6 Normally, a port blocked by STP cannot receive, send, or respond to CFD messages. However, if it is configured as an outward-facing MEP, it can still receive and send CCM messages. Only Ethernet ports support CFD. Configuring basic CFD settings. Enabling CFD: Enable CFD on all concerned device...

  • Page 1046

    1-7 To do... | Use the command... | Remarks
    Create an MA | cfd ma ma-name md md-name vlan vlan-id | Required; not created by default
    Create a service instance | cfd service-instance instance-id md md-name ma ma-name | Required; not created by default
    You must create the MD, MA, and service instance by strictly fo...

  • Page 1047

    1-8 MIPs are generated on each port automatically according to the related MIP generation rules. If a port has no MIP, the system checks the MAs in each MD (from low to high levels) and follows the procedure described in Figure 1-5 to decide whether to create MIPs (within a single VLAN): Figure 1-5 P...

  • Page 1048

    1-9 Configuring CFD functions. Configuration prerequisites: Before configuring CFD functions, you need to complete the basic CFD configurations first. Configuring CC on MEPs: After the CC function is configured, MEPs can send CCMs to each other to check the connectivity between them. Follow these steps to confi...

  • Page 1050

    1-11 To do... | Use the command... | Remarks
    Display MP information | display cfd mp [ interface interface-type interface-number ] | Available in any view
    Display the attribute and running information of the MEPs | display cfd mep mep-id service-instance instance-id | Available in any view
    Display LTR informati...

  • Page 1051

    1-12 Figure 1-6 Network diagram for CFD configuration. Configuration procedure: 1) Configure a VLAN and assign ports to it. On each device shown in Figure 1-6, create VLAN 100 and assign ports Ethernet 1/0/1 through Ethernet 1/0/4 to VLAN 100. 2) Enable CFD. # Enable CFD on Device A. system-view [Devic...

  • Page 1052

    1-13 [DeviceC] cfd service-instance 2 md md_b ma ma_b
    4) Configure MEPs. # On Device A, configure a MEP list in service instance 1; create and enable inward-facing MEP 1001 in service instance 1 on Ethernet 1/0/1.
    [DeviceA] cfd meplist 1001 4002 5001 service-instance 1
    [DeviceA] interface ethernet 1/...

  • Page 1053

    1-14 # On Device B, enable the sending of CCMs for MEP 2001 in service instance 2 on Ethernet 1/0/3.
    [DeviceB] interface ethernet 1/0/3
    [DeviceB-Ethernet1/0/3] cfd cc service-instance 2 mep 2001 enable
    [DeviceB-Ethernet1/0/3] quit
    # On Device D, enable the sending of CCMs for MEP 4001 in service ins...

  • Page 1054: Table of Contents

    i Table of Contents: Appendix A Acronyms A-1.

  • Page 1055: Appendix A  Acronyms

    A-1 Appendix A Acronyms. A: AAA Authentication, Authorization and Accounting; ABR Area Border Router; ACL Access Control List; ARP Address Resolution Protocol; AS Autonomous System; ASBR Autonomous System Border Router. B: BDR Backup Designated Router. C: CAR Committed Access Rate; CLI Command Line Interface; co...

  • Page 1056

    A-2 IGMP Internet Group Management Protocol; IGP Interior Gateway Protocol; IP Internet Protocol. L: LLDP Link Layer Discovery Protocol; LSA Link State Advertisement; LSDB Link State Database. M: MAC Medium Access Control; MIB Management Information Base. N: NBMA Non-Broadcast Multiaccess; NIC Network Informati...

  • Page 1057

    A-3 TTL Time To Live. U: UDP User Datagram Protocol. V: VLAN Virtual LAN; VoD Video on Demand. W: WRR Weighted Round Robin. X: XID Exchange Identification; XRN Expandable Resilient Networking.