3Com® Switch 4200G Family Configuration Guide
4200G 12-Port (3CR17660-91)
4200G 24-Port (3CR17661-91)
4200G 48-Port (3CR17662-91)
www.3Com.com
Part Number: 10014915 Rev.

3Com Corporation, 350 Campus Drive, Marlborough, MA USA 01752-3064
Copyright © 2006, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
ABOUT THIS GUIDE

This guide provides information about configuring your network using the commands supported on the 3Com® Switch 4200-G Family. The descriptions in this guide apply to the Switch 4200-G.

Organization of the Manual

The Switch 4200 Family Configuration Guide consists of the following chapters:
■ CLI Overview—Provides an introduction to the CLI interface.
■ Logging In—Provides information on the different ways to log into the switch.
■ QoS—Details Quality of Service.
■ Mirroring—Details how to configure Mirroring.
■ IGMP Snooping—Details Internet Group Management Protocol Snooping.
■ Multicast Protocol—Details how to configure multicast protocols.
■ Clustering—Details Clustering Configuration.
■ SNMP—Details Simple Network Management Protocol Configuration.
■ RMON—Details Remote Monitoring Configuration.
■ NTP—Details Network Time Protocol.

Conventions

Table 1 Icons (Continued)
■ Warning: Information that alerts you to potential personal injury.

Table 2 Text conventions
■ Screen displays: This typeface represents text as it appears on the screen.
CHAPTER 1: CLI OVERVIEW

Introduction to the CLI

An S4200G series Ethernet switch provides a command line interface (CLI) and commands for you to configure and manage the Ethernet switch. The CLI has the following features:
■ Commands are grouped by levels. This prevents unauthorized users from operating the switch with commands above their level.
■ Users can gain online help at any time by entering the question mark "?".

Setting a user level switching password

Table 1 lists the operations to set a user level switching password.

Command Level/Command View

■ System view
■ Ethernet port view
■ VLAN view
■ VLAN interface view
■ LoopBack interface view
■ Local user view
■ User interface view
■ FTP client view
■ SFTP client view
■ MST region view
■ Cluster view
■ Public key view
■ Public key editing view
■ Basic ACL view
■ Advanced ACL view
■ Layer 2 ACL view
■ RADIUS scheme view
■ ISP domain view

Table 4 lists information about CLI views (including the operations you can perform in these views,

Table 4 CLI views (Continued)
■ VLAN view. Available operation: configure VLAN parameters. Prompt example: [4200G-Vlan1]. Enter method: execute the vlan 1 command in system view. Quit method: execute the quit command to return to system view; execute the return command to return to user view.
■ VLAN interface view. Available operation: configure IP parameters for VLANs and (truncated on the page). Prompt example: [4200G-Vlan-interface1]. Enter method: execute the interface vlan-interface 1 command in system view.
■ LoopBack interface view (row truncated on the page).

Table 4 CLI views (Continued)
■ Cluster view. Available operation: configure cluster parameters. Prompt example: [4200G-cluster]. Enter method: execute the cluster command in system view. Quit method: execute the quit command to return to system view; execute the return command to return to user view.

CLI Features

Online Help

The CLI provides two types of online help: complete online help and partial online help. They assist you with your configuration.

Complete online help: Enter a "?" character in any view on your terminal to display all the commands available in the view and their brief descriptions. The following takes user view as an example.

Enter the first several characters of an available keyword that uniquely identify it and press the completion key; the keyword is then completed automatically.

Terminal Display

The CLI provides the following display feature:
■ Display suspending. That is, the display of output information can be paused when the screen is full, and you can then perform the three operations listed in Table 5 as needed.

Command Edit

The CLI provides basic command edit functions and supports multi-line editing. The maximum number of characters a command can contain is 256. Table 8 lists the CLI edit operations.

Table 8 Edit operations
■ A common key: Insert the character the key represents at the cursor and move the cursor one character to the right if the edit buffer is not full.
CHAPTER 2: LOGGING INTO AN ETHERNET SWITCH

Logging into an Ethernet Switch

You can log into an S4200-G series Ethernet switch in one of the following ways:
■ Logging in locally through the Console port
■ Telnetting locally or remotely to an Ethernet port
■ Telnetting to the Console port using a modem
■ Logging into the Web-based network management system
■ Logging in through an NMS (network management system)

Introduction to the User Interface

Supported User Interfaces

An S4200-G series Ethernet switch supports

Common User Interface Configuration

Table 10 Common user interface configuration
■ Lock the current user interface: lock (Optional). Execute this command in user view. A user interface is not locked by default.
■ Send messages to all user interfaces or to a specified user interface: send { all | number | type number } (Optional). Execute this command in user view.
CHAPTER 3: LOGGING IN THROUGH THE CONSOLE PORT

Introduction

Logging in through the Console port is the most common way to log into a switch. It is also the prerequisite for configuring the other login methods. By default, you can log into an S4200G series Ethernet switch through its Console port only. To log into an Ethernet switch through its Console port, the related configuration of the user terminal must be in accordance with that of the Console port. Table 11 lists the default settings of a Console port.

Figure 2 Create a connection
Figure 3 Specify the port used to establish the connection
Figure 4 Set port parameters

■ Turn on the switch. The user will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as ) appears after the user presses the Enter key.
■ You can then configure the switch or check the information about the switch by executing commands. You can also acquire help by typing the ? character.

Table 12 Common configuration of Console port login (Continued)
■ Terminal configuration: Make terminal services available (Optional). By default, terminal services are available in all user interfaces.
■ Set the maximum number of lines the screen can contain (Optional). By default, the screen can contain up to 24 lines.
■ Set the history command buffer size (Optional).
■ Set the timeout time of a user interface (Optional).

Console Port Login Configuration with Authentication Mode Being None

Table 13 Console port login configurations for different authentication modes (Continued)
■ Scheme: Specify whether to perform local authentication or RADIUS authentication (Optional). The AAA configuration specifies whether local or RADIUS authentication is performed.
■ Scheme: Configure user names and passwords (Required). Configure user names and passwords for local/remote users.

Table 14 Console port login configuration with the authentication mode being none
■ Set the baud rate: speed speed-value (Optional). The default baud rate of an AUX port (also the Console port) is 9,600 bps.
■ Set the check mode: parity { even | mark | none | odd | space } (Optional)
■ Set the stop bits: stopbits { 1 | 1.5 | 2 } (Optional)
■ Set the data bits: databits { 7 | 8 }

Note that the command level available to users logging into a switch depends on both the authentication-mode { password | scheme | none } command and the user privilege level level command, as listed in Table 15.

3 Specify that users logging in through the Console port are not authenticated.
[4200G-ui-aux0] authentication-mode none
4 Specify that commands of level 2 are available to users logging into the AUX user interface.
[4200G-ui-aux0] user privilege level 2
5 Set the baud rate of the Console port to 19,200 bps.
[4200G-ui-aux0] speed 19200
6 Set the maximum number of lines the screen can contain to 30.

Console Port Login Configuration with Authentication Mode Being Password

Table 16 Console port login configuration with the authentication mode being password
■ Make terminal services available to the user interface: shell (Optional). By default, terminal services are available in all user interfaces.
■ Set the maximum number of lines the screen can contain: screen-length screen-length (Optional). By default, the screen can contain up to 24 lines.

■ The history command buffer can store up to 20 commands.
■ The timeout time of the AUX user interface is 6 minutes.

Network diagram

Figure 6 Network diagram for AUX user interface configuration (with the authentication mode being password). Figure labels: Ethernet1/0/1, Ethernet, User PC running Telnet.

Configuration procedure
1 Enter system view.
system-view
2 Enter AUX user interface view.

Console Port Login Configuration with Authentication Mode Being Scheme

Configuration Procedure

Table 18 Console port login configuration with authentication mode being scheme
■ Enter system view: system-view
■ Configure the authentication mode. Enter the default ISP domain view: domain system (Optional)
■ Specify the AAA scheme to be applied to the domain: scheme { local | radius-scheme radius-scheme

Table 18 Console port login configuration with authentication mode being scheme (Continued)
■ Configure the Console port. Set the baud rate: speed speed-value (Optional). The default baud rate of the AUX port (also the Console port) is 9,600 bps.
■ Set the check mode: parity { even | mark | none | odd | space } (Optional)
■ Set the stop bits: stopbits { 1 | 1.

Note that the command level available to users logging into a switch depends on the authentication-mode { password | scheme | none } command, the user privilege level level command, and the service-type terminal [ level level ] command, as listed in Table 19.

Network diagram

Figure 7 Network diagram for AUX user interface configuration (with the authentication mode being scheme). Figure labels: Ethernet1/0/1, Ethernet, User PC running Telnet.

Configuration procedure
1 Enter system view.
system-view
2 Create a local user named guest and enter local user view.
[4200G] local-user guest
3 Set the authentication password to 123456 (in plain text).
CHAPTER 4: LOGGING IN USING MODEM

Introduction

If a remote switch is connected to the PSTN (public switched telephone network) through a modem, the administrator can log into its Console port using a modem over the PSTN to configure and maintain the switch remotely. When a network operates improperly or is inaccessible, you can log into the switches in the network in this way to configure them, to query logs and warning messages, and to locate problems.

Switch Configuration

After logging into a switch through its Console port by using a modem, you enter the AUX user interface. The corresponding configuration on the switch is the same as when logging into the switch locally through its Console port, except that:
■ When you log in through the Console port using a modem, the baud rate of the Console port is usually set to a value lower than the transmission speed of the modem. Otherwise, packets may get lost.

Modem Connection Establishment

3 Connect your PC, the modems, and the switch, as shown in Figure 8.

Figure 8 Establish the connection by using modems. Figure labels: PC, serial cable, modem, telephone line, PSTN, modem, Console port; telephone number: 82882285.

4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 9 and Figure 10.

Figure 10 Call the modem

5 Provide the password when prompted. If the password is correct, the prompt (such as ) appears. You can then configure or manage the switch. You can also enter the character ? at any time for help. If you perform no AUX user-related configuration on the switch, the commands of level 3 are available to modem users. Refer to the CLI Overview module for information about command levels.
CHAPTER 5: LOGGING IN THROUGH WEB-BASED NETWORK MANAGEMENT SYSTEM

Introduction

An S4200-G series switch has a built-in Web server. You can log into an S4200-G series switch through a Web browser and manage and maintain the switch intuitively by interacting with the built-in Web server. To log into an S4200-G series switch through the built-in Web-based network management system, you need to perform the related configuration on both the switch and the PC operating as the network management terminal.

■ Launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X) on the PC, with the baud rate set to 9,600 bps, data bits set to 8, parity check set to off, and flow control set to off.
■ Turn on the switch. When the switch is starting, the self-test information appears in the terminal window.

HTTP Connection Establishment

3 Establish an HTTP connection between your PC and the switch, as shown in Figure 13.

Figure 13 Establish an HTTP connection between your PC and the switch. Figure labels: Switch, HTTP connection, PC.

4 Log into the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch (here it is http://10.153.17.82).
CHAPTER 6: LOGGING IN THROUGH NMS

Introduction

You can also log into a switch through an NMS (network management station), and then configure and manage the switch through the agent module on the switch.
■ The agent here refers to the software running on network devices (switches) and acting as the server.
■ SNMP (simple network management protocol) is used between the NMS and the agent.

To log into a switch through an NMS, you need to perform related configuration on both the NMS and the switch.
CHAPTER 7: CONTROLLING LOGIN USERS

Introduction

A switch provides ways to control different types of login users, as listed in Table 24.

Controlling Telnet Users by Source and Destination IP Addresses

Controlling Telnet users by source and destination IP addresses is achieved by applying advanced ACLs, which are numbered from 3000 to 3999. Refer to the ACL module for information about defining an ACL.

Controlling Network Management Users by Source IP Addresses

Prerequisites

You can manage an S4200G series Ethernet switch through network management software. Network management users access switches through SNMP. You need to perform the following two operations to control network management users by source IP addresses.

As the SNMP community name is a feature of SNMP V1 and SNMP V2, the ACLs specified in the command that configures SNMP community names (the snmp-agent community command) take effect only for network management systems that use SNMP V1 or SNMP V2.

Controlling Web Users by Source IP Address

You can manage an S4200G series Ethernet switch remotely through the Web. Web users access a switch through HTTP connections. You need to perform the following two operations to control Web users by source IP addresses.

Configuration procedure
1 Define a basic ACL.
system-view
[4200G] acl number 2030 match-order config
[4200G-acl-basic-2030] rule 1 permit source 10.110.100.46 0
[4200G-acl-basic-2030] rule 2 deny source any
2 Apply the ACL so that only Web users sourced from the IP address 10.110.100.46 are permitted to access the switch.
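An added example (not code from the 3Com guide) that models the basic ACL defined in step 1 above, so the wildcard-mask and match-order semantics can be checked offline before the ACL is applied; the function and class names are this example's own, and it assumes match-order config means first match in configuration order.

```python
"""Model of the Comware-style basic ACL used in the chapter's example.

Added example, not code from the 3Com guide: it evaluates ACL 2030
("rule 1 permit source 10.110.100.46 0", "rule 2 deny source any") with
match-order config, i.e. rules are tried in configuration order and the
first matching rule decides. Function and class names are this example's own.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


def parse_wildcard(text: str) -> int:
    """Wildcard (inverse) mask: the CLI accepts a bare 0 or a dotted quad."""
    if text.isdigit():
        return int(text)
    return int(IPv4Address(text))


@dataclass(frozen=True)
class BasicAclRule:
    rule_id: int
    action: str                    # "permit" or "deny"
    source: Optional[IPv4Address]  # None means "source any"
    wildcard: int = 0              # 1 bits are "don't care"

    def matches(self, addr: IPv4Address) -> bool:
        if self.source is None:
            return True
        # Compare only the bits that are 0 in the wildcard mask.
        return (int(addr) | self.wildcard) == (int(self.source) | self.wildcard)


def parse_rule(line: str) -> BasicAclRule:
    """Parse 'rule <id> <permit|deny> source <addr> <wildcard>' or '... source any'."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "rule" or parts[3] != "source":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    rule_id, action = int(parts[1]), parts[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in {line!r}")
    if parts[4] == "any":
        return BasicAclRule(rule_id, action, None)
    if len(parts) != 6:
        raise ValueError(f"expected '<addr> <wildcard>' in {line!r}")
    return BasicAclRule(rule_id, action, IPv4Address(parts[4]), parse_wildcard(parts[5]))


def evaluate(rules: List[BasicAclRule], src: str) -> str:
    """First-match evaluation in configuration order (match-order config).

    Returns "permit" or "deny" from the first rule the source address hits,
    or "none" when no rule matches (the ACL does not hit the packet at all).
    """
    addr = IPv4Address(src)
    for rule in rules:
        if rule.matches(addr):
            return rule.action
    return "none"


# The ACL from the chapter's configuration procedure, as constructed sample input.
ACL_2030 = [parse_rule(line) for line in (
    "rule 1 permit source 10.110.100.46 0",
    "rule 2 deny source any",
)]

if __name__ == "__main__":
    for ip in ("10.110.100.46", "10.110.100.47"):
        print(ip, "->", evaluate(ACL_2030, ip))
    # With the rules reversed, "deny source any" shadows the permit rule.
    print("reversed ->", evaluate(list(reversed(ACL_2030)), "10.110.100.46"))
```

Reversing the two rules shows why configuration order matters under match-order config: the catch-all deny then shadows the permit and the management station itself is locked out.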
CHAPTER 8: CONFIGURATION FILE MANAGEMENT

Introduction to Configuration File

A configuration file records and stores the user configuration performed on a switch. It also enables users to check switch configurations easily. Upon power-on, a switch loads the configuration file known as the saved-configuration file, which resides in the Flash, for initialization. If the Flash contains no configuration file, the system initializes using the default settings.

Table 30 Configure a configuration file (Continued)
■ Specify the configuration file to be used when the switch starts the next time: startup saved-configuration cfgfile [ backup | main ] (Optional). By default, the main configuration file is used.
CHAPTER 9: VLAN CONFIGURATION

VLAN Overview

Introduction to VLAN

The virtual local area network (VLAN) technology was developed for switches to control broadcast traffic in LANs. By creating VLANs in a physical LAN, you can divide the LAN into multiple logical LANs, each of which has a broadcast domain of its own. Hosts in the same VLAN communicate with each other as if they were in one LAN. However, hosts in different VLANs cannot communicate with each other directly. Figure 19 illustrates a VLAN implementation.

VLAN Classification

You can create port-based and policy-based VLAN types on a Switch 4200G:
■ The port-based VLAN members are defined in terms of switch ports. You can add the ports to which closely related hosts are connected to the same port-based VLAN. This is the simplest yet most effective way to create VLANs.
■ Policy-based VLANs enable a switch to forward received packets that match specific QoS/ACLs to specific VLANs.

VLAN Configuration Example

Port-based VLAN Configuration Example

Network requirements
■ Create VLAN 2 and VLAN 3, with the name of VLAN 2 being v2 and its description string being home.
■ Add the GigabitEthernet1/0/1 and GigabitEthernet1/0/2 ports to VLAN 2; add the GigabitEthernet1/0/3 and GigabitEthernet1/0/4 ports to VLAN 3.
CHAPTER 10: MANAGEMENT VLAN CONFIGURATION

Introduction to Management VLAN

Management VLAN

To manage an Ethernet switch remotely through Telnet or network management, the switch needs to be assigned an IP address. On an S4200G series Layer 2 Ethernet switch, only the management VLAN interface can be assigned an IP address.

Configuring the Management VLAN

Table 34 Configure the management VLAN
■ Enter system view: system-view
■ Configure a specified VLAN to be the management VLAN: management-vlan vlan-id (Required). By default, VLAN 1 operates as the management VLAN.
■ Create the management VLAN interface and enter VLAN interface view: interface vlan-interface vlan-id

Displaying and Debugging Management VLAN

Configuration procedure
1 Enter system view.
system-view
2 Create VLAN 10 and configure VLAN 10 to be the management VLAN.
[4200GA] vlan 10
[4200GA-vlan10] quit
[4200GA] management-vlan 10
3 Create the VLAN 10 interface and enter VLAN interface view.
[4200GA] interface vlan-interface 10
4 Configure the IP address of the VLAN 10 interface to be 1.1.1.1.
[4200GA-Vlan-interface10] ip address 1.1.1.1 255.255.255.
CHAPTER 11: DHCP/BOOTP CLIENT CONFIGURATION

Introduction to DHCP Client

As the network scale expands and the network complexity increases, network configuration becomes more and more complex accordingly. It is often the case that computer locations change (for example, portable computers or wireless networks) or the number of computers exceeds the number of available IP addresses. The dynamic host configuration protocol (DHCP) was developed to meet these requirements. It adopts the client/server model.

Figure 22 Interaction between a DHCP client and a DHCP server. Messages shown, in order: DHCP_Discover (client to server), DHCP_Offer (server to client), DHCP_Request (client to server), DHCP_ACK (server to client), DHCP_Renew (client to server), DHCP_ACK (server to client).

To obtain valid dynamic IP addresses, a DHCP client exchanges different information with the DHCP server in different phases.

Introduction to BOOTP Client

2 The DHCP client accesses the network for the second time. In this case, the DHCP client establishes connections with the DHCP server through the following steps.
a After accessing the network successfully for the first time, the DHCP client can access the network again by broadcasting a DHCP_Request packet that contains the IP address assigned to it last time, instead of a DHCP_Discover packet.

Configuring a DHCP/BOOTP Client

Table 36 Configure DHCP/BOOTP client
■ Enter system view: system-view (Required)
■ Configure a specified VLAN to be the management VLAN: management-vlan vlan-id (Required). By default, VLAN 1 operates as the management VLAN.
CHAPTER 12: VOICE VLAN CONFIGURATION

Voice VLAN Configuration

Introduction to Voice VLAN

Voice VLANs are VLANs configured specially for voice data streams. By adding the ports with voice devices attached to voice VLANs, you can perform QoS-related configuration for voice data, ensuring the transmission priority of the voice data stream and the voice quality. S4200G series Ethernet switches determine whether a received packet is a voice packet by checking its source MAC address.

As multiple types of IP phones exist, you need to match the port mode with the type of voice stream sent by the IP phones, as listed in Table 37.

Table 37 Port modes and voice stream types
■ Port voice VLAN mode: automatic mode. Voice stream type: tagged voice stream. Port type: access, not supported. Port type: trunk, supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and that the access port permits the packets of the default VLAN.

Voice VLAN Configuration

Configuration Prerequisites
■ Create the corresponding VLAN before configuring a voice VLAN.
■ VLAN 1 is the default VLAN and does not need to be created. However, VLAN 1 does not support the voice VLAN function.

Configuring a voice VLAN to operate in automatic mode

Configuring a voice VLAN to operate in manual mode

Table 39 Configure a voice VLAN to operate in manual mode (Continued)
■ Add an access port to the VLAN. Enter VLAN view: vlan vlan-id (Required). Add the port to the VLAN: port port-type port-num
■ Add a trunk or hybrid port to the VLAN. Enter port view: interface interface-type interface-num. Add the port to the voice VLAN: port trunk permit vlan vlan-id, or port hybrid vlan vlan-id { tagged | untagged }. Configure the voice VLAN to be the default VLAN of th

Voice VLAN Displaying and Debugging

Table 40 Display and debug a voice VLAN
■ Display the voice VLAN configuration: display voice vlan status. You can execute the display command in any view.

Configuration procedure
1 Create VLAN 3.
system-view
System View: return to User View with Ctrl+Z.
[4200G] vlan 3
2 Configure the GigabitEthernet1/0/3 port to be a trunk port and add it to VLAN 3.
[4200G] interface GigabitEthernet1/0/3
[4200G-GigabitEthernet1/0/3] port link-type trunk
[4200G-GigabitEthernet1/0/3] port trunk permit vlan 3
3 Enable the voice VLAN function for the port and configure the port to operate in manual mode.
CHAPTER 13: GVRP CONFIGURATION

Introduction to GVRP

GVRP (GARP VLAN registration protocol) is an application of GARP (generic attribute registration protocol). GVRP is based on the GARP mechanism; it maintains dynamic VLAN registration information and propagates the information to other switches. GARP is a generic attribute registration protocol.

Leave timer, and unregisters the attribute information if it does not receive a Join message again before the timer expires.
■ LeaveAll: Once a GARP entity starts up, it starts the LeaveAll timer and sends out a LeaveAll message after the timer expires, so that other GARP entities can re-register all the attribute information on this entity. After that, the entity restarts the LeaveAll timer to begin a new cycle.

GVRP Configuration

Table 41 describes the packet fields shown in Figure 23.

Table 41 Description of the packet fields
■ Protocol ID: Protocol ID. Value: 1
■ Message: Each message consists of two parts: Attribute Type and Attribute List.
■ Attribute Type: Defined by the specific GARP application. The attribute type of GVRP is 0x01.
■ Attribute List: Contains multiple attributes.

Table 42 Configuration procedure (Continued)
■ Enable GVRP globally: gvrp (Required). By default, GVRP is disabled globally.
■ Enter Ethernet port view: interface interface-type interface-number
■ Enable GVRP on the port: gvrp (Required). By default, GVRP is disabled on the port. After you enable GVRP on a trunk port, you cannot change the port to a different type.

Displaying and Maintaining GVRP

Network diagram

Figure 24 Network diagram for GVRP configuration. Figure labels: Switch A (E1/0/1), Switch B (E1/0/2).

Configuration procedure
1 Configure switch A:
a Enable GVRP globally.
system-view
[4200G] gvrp
b Set the port GigabitEthernet1/0/1 to a trunk port, and allow all VLAN packets to pass through the port.
CHAPTER 14: BASIC PORT CONFIGURATION

Ethernet Port Overview

Types and Numbers of Ethernet Ports

Table 45 lists the types and numbers of the Ethernet ports available on the S4200G series Ethernet switches.

Configuring the Default VLAN ID for an Ethernet Port

An access port can belong to only one VLAN. Therefore, the VLAN an access port belongs to is also the default VLAN of the access port. A hybrid/trunk port can belong to several VLANs, so a default VLAN ID for the port is required.

Configuring Ethernet Ports

Making Basic Port Configuration

Table 47 Make basic port configuration
■ Enter system view: system-view
■ Enter Ethernet port view: interface interface-type interface-number
■ Enable the Ethernet port: undo shutdown. By default, the port is enabled. Use the shutdown command to disable the port.

■ If you execute the command in Ethernet port view, the command takes effect only on the current port.

Table 48 Set the Ethernet port broadcast suppression ratio
■ Enter system view: system-view
■ Set the global broadcast suppression ratio: broadcast-suppression { ratio | pps max-pps }. By default, the ratio is 100%, that is, the system does not suppress broadcast traffic globally.

Enabling Flow Control on a Port

Table 51 Configure hybrid port attribute
■ Add the current hybrid port into the specified VLAN: port hybrid vlan vlan-id-list { tagged | untagged } (Optional). For a hybrid port, you can configure whether the packets of specific VLANs are tagged, so that the packets of those VLANs can be processed differently.

Configuring Trunk Port Attribute

Copying Port Configuration to Other Ports

Setting Loopback Detection for an Ethernet Port

Loopback detection is used to monitor whether a loopback occurs on a switch port. After you enable loopback detection on Ethernet ports, the switch can monitor whether an external loopback occurs on them. If a looped-back port is found, the switch places it under control.

Table 55 Configure the Ethernet port to run a loopback test
■ Configure the Ethernet port to run a loopback test: loopback { external | internal } (Optional). After you use the shutdown command on a port, the port cannot run a loopback test. You cannot use the speed, duplex, mdi and shutdown commands on ports running a loopback test. Some ports do not support the loopback test, and corresponding prompts are given when you perform a loopback test on them.

Ethernet Port Configuration Example

Network diagram

Figure 25 Network diagram for default VLAN ID configuration. Figure labels: Switch A, Switch B.

Configuration procedure

The following configuration is used for Switch A. Configure Switch B in a similar way.
1 Enter port view of GigabitEthernet1/0/1.
[4200G] interface GigabitEthernet1/0/1
2 Set GigabitEthernet1/0/1 as a trunk port and allow the packets of VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass the port.
15 LINK AGGREGATION CONFIGURATION

Overview

Introduction to Link Aggregation

Link aggregation means aggregating several ports together to form an aggregation group, so as to implement outgoing/incoming load sharing among the member ports in the group and to enhance connection reliability. Depending on the aggregation mode, aggregation groups fall into three types: manual, static LACP, and dynamic LACP.

4 The member ports in a dynamic aggregation group must have the same operation key.

Manual Aggregation Group

Introduction to manual aggregation group

A manual aggregation group is manually created. All its member ports are manually added and can be manually removed (the system is inhibited from automatically adding ports to or removing ports from it). Each manual aggregation group must contain at least one port.

Static LACP Aggregation Group

Introduction to static LACP aggregation

A static LACP aggregation group is also manually created. All its member ports are manually added and can be manually removed (the system is inhibited from automatically adding ports to or removing ports from it). Each static aggregation group must contain at least one port. When a static aggregation group contains only one port, you cannot remove the port unless you remove the whole aggregation group.

Besides multiple-port aggregation groups, the system is also able to create single-port aggregation groups, each of which contains only one port. LACP is enabled on the member ports of dynamic aggregation groups.

Port status of dynamic aggregation group

A port in a dynamic aggregation group can be in one of two states: selected or unselected.

Link Aggregation Configuration

Aggregation Group Categories

Depending on whether or not load sharing is implemented, aggregation groups can be load-sharing or non-load-sharing aggregation groups. In general, the system provides only limited load-sharing aggregation resources (currently at most 64 load-sharing aggregation groups can be created), so the system needs to allocate the resources reasonably among different aggregation groups.

Table 59 Configure a manual aggregation group (Continued)

Operation: Configure a description for the aggregation group
Command: link-aggregation group agg-id description agg-name
Description: Optional. By default, an aggregation group has no description.

Table 60 Configure a static LACP aggregation group (Continued)

Operation: Add the port to the aggregation group
Command: port link-aggregation group agg-id
Description: Required

Operation: Enable LACP on the port
Command: lacp enable
Description: Optional. The system automatically enables LACP on a port added to a static aggregation group. The default LACP state on a port is disabled.

Displaying and Maintaining Link Aggregation Information

You can also execute the reset command in user view to clear statistics on LACP ports.

Link Aggregation Configuration Example

2 Adopting static LACP aggregation mode

a Create static aggregation group 1.

system-view
[4200G] link-aggregation group 1 mode static

b Add ports GigabitEthernet1/0/1 through GigabitEthernet1/0/3 to aggregation group 1.
16 PORT ISOLATION CONFIGURATION

Port Isolation Overview

Introduction to Port Isolation

The port isolation function enables you to isolate the ports to be controlled at Layer 2 by adding them to an isolation group, through which you can improve network security and build the network in a more flexible way. Currently, you can configure only one isolation group on a switch. The number of Ethernet ports an isolation group can accommodate is not limited.

Network diagram

Figure 27 Network diagram for port isolation configuration (Switch: GE1/0/1 connects to the Internet; GE1/0/2, GE1/0/3 and GE1/0/4 connect to PC2, PC3 and PC4)

Configuration procedure

1 Add GigabitEthernet1/0/2, GigabitEthernet1/0/3, and GigabitEthernet1/0/4 ports to the isolation group.

system-view
System View: return to User View with Ctrl+Z.
17 PORT SECURITY CONFIGURATION

Port Security Configuration

Introduction to Port Security

Port security is a security mechanism that controls network access. It is an extension of the existing 802.1x and MAC address authentication. This scheme controls the incoming/outgoing packets on a port by checking the MAC addresses contained in data frames, and provides multiple security and authentication modes; this greatly improves the security and manageability of the system.

Table 65 Description of the port security modes (Continued)

Security mode: userloginsecure
Description: The port opens only after the access user passes the 802.1x authentication. Even after the port opens, only the packets of the successfully authenticated user can pass through the port. In this mode, only one 802.1x-authenticated user is allowed to access the port.
Feature: In these modes, only the NTK and Intrusion Protection features take effect.

Table 66 Configure port security (Continued)

Operation: Set the security mode of a port
Command: port-security port-mode mode
Description: Required

Operation: Set the maximum number of MAC addresses that can be accommodated by a port
Command: port-security max-mac-count count-value
Description: Optional

Operation: Set the NTK transmission mode
Command: port-security ntk-mode { ntkonly | ntk-withbroadcasts | ntk-withmulticasts }
Description: Users can choose the optimal mode as necessary.

Security MAC addresses can be learned by the autolearn function of the port security feature, or configured manually by command or through the MIB.

Table 68 Display port security (Continued)

Operation: Display the information about port binding
Command: display am user-bind [ interface interface-type interface-number | mac-addr | ip-addr ]

Port Security Configuration Example

Network requirements

■ Enable port security on port GigabitEthernet1/0/1 of switch A, and set the maximum number of MAC addresses accommodated by the port to 80.

9 Enable the sending of intrusion trap messages.

[4200G] port-security trap intrusion

10 Bind the MAC and IP addresses of PC1 to GigabitEthernet1/0/1 port.

[4200G] am user-bind mac-address 00e0-fc00-4200G ip-address 10.153.1.
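The following Python model illustrates how the port security checks described in this chapter fit together: the max-mac-count limit on autolearned security MACs, the three NTK transmission modes, intrusion protection with the intrusion trap, and the MAC/IP binding created by am user-bind. It is an added example written for this guide, not 3Com code, and every MAC and IP value in it is constructed. Two readings are assumptions rather than statements of the page: the NTK modes are read as "known unicast only", "plus broadcasts" and "plus broadcasts and multicasts", and the intrusion action modelled is "block the port and send a trap".

```python
"""Constructed model of port security: max-mac-count, NTK modes,
intrusion protection and am user-bind. Added illustration, not 3Com code;
all MAC/IP values are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BROADCAST = "ffff-ffff-ffff"


def is_multicast(mac: str) -> bool:
    """Group bit (LSB of the first octet) set, and not the broadcast address."""
    return bool(int(mac[:2], 16) & 0x01) and mac != BROADCAST


@dataclass
class SecurePort:
    name: str
    max_mac_count: int = 1
    ntk_mode: str = "ntkonly"        # ntkonly | ntk-withbroadcasts | ntk-withmulticasts
    trap_intrusion: bool = False     # port-security trap intrusion
    secure_macs: Set[str] = field(default_factory=set)      # autolearned or configured security MACs
    bindings: Dict[str, str] = field(default_factory=dict)  # am user-bind: MAC -> IP
    blocked: bool = False
    traps: List[str] = field(default_factory=list)

    def ingress(self, src_mac: str, src_ip: Optional[str] = None) -> str:
        """Decide the fate of an incoming frame: 'forward' or 'drop'."""
        if self.blocked:
            return "drop"
        # A bound MAC may only be used together with its bound IP address.
        bound_ip = self.bindings.get(src_mac)
        if bound_ip is not None and src_ip is not None and src_ip != bound_ip:
            return self._intrusion(src_mac, "MAC/IP binding mismatch")
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.max_mac_count:
            self.secure_macs.add(src_mac)     # autolearn a new security MAC
            return "forward"
        return self._intrusion(src_mac, "max-mac-count exceeded")

    def _intrusion(self, mac: str, reason: str) -> str:
        # Intrusion protection (assumed action): block the port and raise a trap.
        self.blocked = True
        if self.trap_intrusion:
            self.traps.append(f"{self.name}: intrusion from {mac} ({reason})")
        return "drop"

    def egress(self, dst_mac: str) -> str:
        """NTK (need to know): only frames addressed to a security MAC leave the
        port, plus broadcast/multicast frames according to the NTK mode (assumed)."""
        if dst_mac in self.secure_macs:
            return "forward"
        if dst_mac == BROADCAST and self.ntk_mode in ("ntk-withbroadcasts", "ntk-withmulticasts"):
            return "forward"
        if is_multicast(dst_mac) and self.ntk_mode == "ntk-withmulticasts":
            return "forward"
        return "drop"


if __name__ == "__main__":
    port = SecurePort("GigabitEthernet1/0/1", max_mac_count=2,
                      ntk_mode="ntk-withbroadcasts", trap_intrusion=True)
    port.bindings["000d-88f8-0001"] = "10.153.1.2"   # constructed PC1 binding
    for mac, ip in [("000d-88f8-0001", "10.153.1.2"), ("000d-88f8-0002", None),
                    ("000d-88f8-0003", None)]:
        print(mac, "->", port.ingress(mac, ip))
    print(port.traps)
```

The third source MAC in the demo exceeds max-mac-count, so the port blocks and a trap line is recorded; on a real switch that trap is what port-security trap intrusion would send to the management station.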
18 MAC ADDRESS TABLE MANAGEMENT

This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to Chapter 29.

Overview

Introduction to MAC Address Table

A MAC address table is a port-based Layer 2 address table. It is the basis for an Ethernet switch to perform Layer 2 packet forwarding.

MAC Address Learning Mechanism

The MAC address learning mechanism enables a switch to acquire the MAC addresses of the network devices on the segments connected to the ports of the switch. A packet can be directly forwarded if its destination MAC address has already been learnt by the switch.

By setting the maximum number of MAC addresses that can be learnt from individual ports, you can control the number of MAC address entries the MAC address table dynamically maintains. When the number of MAC address entries learnt from a port reaches the set value, the port stops learning MAC addresses.

Disabling MAC Address Learning for a VLAN

You can disable a switch from learning MAC addresses in specific VLANs to improve stability and security for the users belonging to these VLANs and prevent unauthorized access.

Configuration Example

Configuration procedure

1 Enter system view.

system-view

2 Add a static MAC address entry.

[4200G] mac-address static 00e0-fc35-dc71 interface GigabitEthernet1/0/2 vlan 1

3 Set the aging time to 500 seconds.

[4200G] mac-address timer aging 500

4 Display the information about the MAC address table.
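The following Python model ties together the behaviours this chapter describes: source-address learning, aging of dynamic entries, static entries that learning never overwrites, blackhole entries that drop matching frames, the per-port learning limit, and disabling learning for a VLAN. It is an added example for this guide, not 3Com code. The static entry and the 500-second aging time mirror the configuration example above; the other MAC addresses, port names and timestamps are constructed.

```python
"""Constructed model of a switch MAC address table: learning, aging,
static/blackhole entries, per-port learning limits and per-VLAN learning
control. Added illustration, not 3Com code; all sample data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Entry:
    port: Optional[str]   # None for blackhole entries
    kind: str             # "static" | "dynamic" | "blackhole"
    last_seen: float      # time the entry was learned/refreshed (dynamic only)


class MacTable:
    def __init__(self, aging_time: float = 300.0):
        self.aging_time = aging_time                       # mac-address timer aging
        self.entries: Dict[Tuple[str, int], Entry] = {}    # (mac, vlan) -> Entry
        self.port_limit: Dict[str, int] = {}               # max dynamic entries per port
        self.no_learn_vlans: Set[int] = set()              # VLANs with learning disabled

    def add_static(self, mac: str, port: str, vlan: int) -> None:
        self.entries[(mac, vlan)] = Entry(port, "static", 0.0)

    def add_blackhole(self, mac: str, vlan: int) -> None:
        self.entries[(mac, vlan)] = Entry(None, "blackhole", 0.0)

    def dynamic_count(self, port: str) -> int:
        return sum(1 for e in self.entries.values() if e.kind == "dynamic" and e.port == port)

    def learn(self, src_mac: str, port: str, vlan: int, now: float) -> bool:
        """Source-address learning; True if an entry was created or refreshed."""
        if vlan in self.no_learn_vlans:
            return False
        existing = self.entries.get((src_mac, vlan))
        if existing is not None:
            if existing.kind != "dynamic":
                return False          # static/blackhole entries are never overwritten
            existing.port = port      # station may have moved: refresh port and time
            existing.last_seen = now
            return True
        limit = self.port_limit.get(port)
        if limit is not None and self.dynamic_count(port) >= limit:
            return False              # port has reached its limit and stops learning
        self.entries[(src_mac, vlan)] = Entry(port, "dynamic", now)
        return True

    def forward(self, dst_mac: str, vlan: int, in_port: str, ports: List[str]) -> List[str]:
        """Egress ports for a frame: the learned port for a known unicast, nothing
        for a blackhole entry, and a flood within the VLAN for an unknown address."""
        e = self.entries.get((dst_mac, vlan))
        if e is None:
            return [p for p in ports if p != in_port]
        if e.kind == "blackhole":
            return []
        return [e.port] if e.port != in_port else []

    def age(self, now: float) -> int:
        """Remove dynamic entries idle longer than the aging time; returns the count."""
        stale = [k for k, e in self.entries.items()
                 if e.kind == "dynamic" and now - e.last_seen > self.aging_time]
        for k in stale:
            del self.entries[k]
        return len(stale)


if __name__ == "__main__":
    table = MacTable(aging_time=500)
    table.add_static("00e0-fc35-dc71", "GigabitEthernet1/0/2", 1)   # from the example above
    table.learn("00e0-fc11-0001", "GigabitEthernet1/0/3", 1, now=0)  # constructed station
    ports = ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2", "GigabitEthernet1/0/3"]
    print(table.forward("00e0-fc11-0001", 1, "GigabitEthernet1/0/1", ports))
    print("aged out:", table.age(now=600))
    print(table.forward("00e0-fc11-0001", 1, "GigabitEthernet1/0/1", ports))
```

After the aging pass the dynamic entry is gone and the same destination is flooded again, which is the behaviour the aging timer is meant to produce for stations that have gone silent.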
19 LOGGING IN THROUGH TELNET

Introduction

You can telnet to a remote switch to manage and maintain the switch. To achieve this, you need to configure both the switch and the Telnet terminal properly.

Table 74 Requirements for Telnet to a switch

Item: Switch
Requirement: The management VLAN of the switch is created and the route between the switch and the Telnet terminal is available. (Refer to the Management VLAN Configuration module for more.) The authentication mode and other settings are configured.

Table 76 Telnet configurations for different authentication modes (Continued)

Authentication mode: Scheme
Telnet configuration: Specify whether to perform local authentication or RADIUS authentication
Description: Optional. The AAA configuration specifies whether local authentication or RADIUS authentication is performed. Local authentication is performed by default.

Telnet Configuration with Authentication Mode Being None

Table 77 Telnet configuration with the authentication mode being none

Operation: Set the history command buffer size
Command: history-command max-size value
Description: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.

Network diagram

Figure 30 Network diagram for Telnet configuration (with the authentication mode being none): the configuration terminal is connected through an RS-232 console cable to the console port of the switch

Configuration procedure

1 Enter system view.

system-view

2 Enter VTY 0 user interface view.

[4200G] user-interface vty 0

3 Configure not to authenticate Telnet users logging into VTY 0.

[4200G-ui-vty0] authentication-mode none

4 Specify that commands of level 2 are available to users logging into VTY 0.

Telnet Configuration with Authentication Mode Being Password

Table 79 Telnet configuration with the authentication mode being password (Continued)

Operation: Configure to authenticate users logging into VTY user interfaces using the local password
Command: authentication-mode password
Description: Required

Operation: Set the local password
Command: set authentication password { cipher | simple } password
Description: Required

Operation: Configure the command level available to users logging into the user interface
Command: user privilege level lev

Configuration Example

Network requirements

Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging into VTY 0:

■ Authenticate users logging into VTY 0 using the local password.
■ Set the local password to 123456 (in plain text).
■ Commands of level 2 are available to users logging into VTY 0.
■ Telnet protocol is supported.
■ The screen can contain up to 30 lines.

Telnet Configuration with Authentication Mode Being Scheme

Configuration Procedure

Table 81 Telnet configuration with the authentication mode being scheme

Operation: Enter system view
Command: system-view
Description: —

Operation: Configure the authentication scheme: enter the default ISP domain view
Command: domain system
Description: Optional

Operation: Configure the authentication scheme: configure the AAA scheme to be applied to the domain
Command: scheme { local | radius-scheme radius-scheme-name [ local ] | none }
Description: Qu
Table 81 Telnet configuration with the authentication mode being scheme (Continued)

Operation: Set the maximum number of lines the screen can contain
Command: screen-length screen-length
Description: Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function of displaying information in pages.

Note that if you configure to authenticate the users in the scheme mode, the command level available to users logging into a switch depends on the authentication-mode { password | scheme | none } command, the user privilege level level command, and the service-type { ftp [ ftp-directory directory ] | lan-access | { ssh | telnet | terminal }* [ level level ] } command, as listed in Table 80.

Table 82 Determine the command level when users logging

Refer to the corresponding modules in this manual for information about AAA, RADIUS, and SSH.

Configuration Example

Network requirements

Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging into VTY 0:

■ Configure the name of the local user to be “guest”.
■ Set the authentication password of the local user to 123456 (in plain text).
■ Set the service type of VTY users to Telnet.

[4200G-ui-vty0] user privilege level 2

8 Configure Telnet protocol support.

[4200G-ui-vty0] protocol inbound telnet

9 Set the maximum number of lines the screen can contain to 30.

[4200G-ui-vty0] screen-length 30

10 Set the maximum number of commands the history command buffer can store to 20.

[4200G-ui-vty0] history-command max-size 20

11 Set the timeout time to 6 minutes.

Telnet Connection Establishment

Figure 34 Launch Telnet

4 Enter the password when the Telnet window displays “Login authentication” and prompts for the login password. The CLI prompt appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message “All user interfaces are used, please try later!”.

Where xxxx is the IP address or the host name of the switch operating as the Telnet server. You can use the ip host command to assign a host name to a switch.

4 Enter the password. If the password is correct, the CLI prompt appears. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message “All user interfaces are used, please try later!”.
20 MSTP CONFIGURATION

MSTP Overview

Spanning tree protocol (STP) cannot enable Ethernet ports to transit their states rapidly. It costs twice the forward delay for a port to transit to the forwarding state, even if the port is on a point-to-point link or the port is an edge port. This slows down the spanning tree convergence of STP.

Figure 36 Basic MSTP terminologies

MST region

An MST region (multiple spanning tree region) comprises multiple physically interconnected MSTP-enabled switches and the corresponding network segments connected to these switches. These switches have the same region name, the same VLAN-to-spanning-tree mapping configuration and the same MSTP revision level. A switched network can contain multiple MST regions.

IST

An internal spanning tree (IST) is a spanning tree in an MST region. ISTs together with the common spanning tree (CST) form the common and internal spanning tree (CIST) of the entire switched network. An IST is a special MSTI; it belongs to an MST region and is a branch of the CIST. In Figure 36, each MST region has an IST, which is a branch of the CIST.

CST

A CST is the spanning tree in a switched network that connects all MST regions in the network.

In Figure 37, switches A, B, C, and D form an MST region. Port 1 and port 2 on switch A connect upstream to the common root. Port 5 and port 6 on switch C form a loop. Port 3 and port 4 on switch D connect downstream to other MST regions. Figure 37 shows the roles these ports play.

■ A port can play different roles in different MSTIs.
■ The role a region edge port plays is consistent with the role it plays in the CIST.

Implementation of MSTP

MSTP divides a network into multiple MST regions at Layer 2. The CST is generated between these MST regions, and multiple spanning trees (or MSTIs) can be generated in each MST region. Like RSTP, MSTP uses configuration BPDUs to generate spanning trees. The only difference is that the configuration BPDUs for MSTP carry the MSTP configuration information of the switches.

First, the switch generates a designated port configuration BPDU for each of its ports using the root port configuration BPDU and the root port path cost, with the root ID replaced with that of the root port configuration BPDU, the root path cost replaced with the sum of the path cost of the root port configuration BPDU and the path cost of the root port, the ID of the designated bridge replaced with that of the switch, and the ID of the designated port bein
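The derivation just described (root port selection, then a designated-port BPDU built from the root port's BPDU) is easier to follow as code. The following Python is an added example for this guide, not 3Com code: it models a configuration BPDU as the four-tuple (root ID, root path cost, designated bridge ID, designated port ID), compares BPDUs field by field with the smaller value winning, and derives each port's role on a non-root switch. Bridge IDs, port numbers and path costs are constructed; the 1 Gbps and 100 Mbps costs used in the demo are the IEEE 802.1t values.

```python
"""Constructed illustration of configuration-BPDU comparison, root port
selection and designated-port BPDU derivation. Added example, not 3Com code;
all IDs and costs are constructed."""
from typing import Dict, NamedTuple, Optional


class Bpdu(NamedTuple):
    root_id: int
    root_path_cost: int
    designated_bridge: int
    designated_port: int


def is_superior(a: Bpdu, b: Bpdu) -> bool:
    """True if BPDU a is better than b: compared field by field, smaller wins."""
    return tuple(a) < tuple(b)


def select_root_port(received: Dict[int, Bpdu]) -> Optional[int]:
    """The root port is the port on which the best BPDU was received."""
    if not received:
        return None
    return min(received, key=lambda p: tuple(received[p]))


def designated_bpdu(bridge_id: int, root_port_bpdu: Bpdu, root_port_cost: int, port_id: int) -> Bpdu:
    """Designated-port BPDU as the text describes: same root ID, root path cost
    plus the root port's own path cost, and this switch/port as designated."""
    return Bpdu(root_port_bpdu.root_id,
                root_port_bpdu.root_path_cost + root_port_cost,
                bridge_id, port_id)


def compute_port_roles(bridge_id: int, port_costs: Dict[int, int],
                       received: Dict[int, Bpdu]) -> Dict[int, str]:
    """Assign root / designated / alternate to each port of this switch."""
    own = Bpdu(bridge_id, 0, bridge_id, 0)   # what this switch would claim as root
    root_port = select_root_port(received)
    if root_port is None or not is_superior(received[root_port], own):
        # Nothing better than ourselves was heard: we are the root, all ports designated.
        return {p: "designated" for p in port_costs}
    roles = {root_port: "root"}
    for port, _cost in port_costs.items():
        if port == root_port:
            continue
        mine = designated_bpdu(bridge_id, received[root_port], port_costs[root_port], port)
        other = received.get(port)
        if other is None or is_superior(mine, other):
            roles[port] = "designated"
        else:
            roles[port] = "alternate"   # the neighbour's BPDU is better: this port blocks
    return roles


if __name__ == "__main__":
    # Constructed scenario: bridge 200 hears the root (ID 100) directly on port 1,
    # a better-placed bridge 150 on port 2, and a worse one (300) on port 3.
    heard = {1: Bpdu(100, 0, 100, 1), 2: Bpdu(100, 20000, 150, 2), 3: Bpdu(100, 40000, 300, 3)}
    costs = {1: 20000, 2: 20000, 3: 200000}    # 802.1t costs: 1 Gbps, 1 Gbps, 100 Mbps
    print(compute_port_roles(200, costs, heard))
```

Port 2 ends up alternate because bridge 150 advertises the same root at the same cost but with a lower bridge ID than 200, which is exactly the tie-break the field order of the tuple encodes.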
Root Bridge Configuration

Table 84 Root bridge configuration (Continued)

Operation: Network diameter configuration
Description: Optional. The default is recommended.
Related section: Network Diameter Configuration

Operation: MSTP time-related configuration
Description: Optional. The defaults are recommended.

Operation: Timeout time factor configuration
Description: Optional. The default is recommended.
Related section: Timeout Time Factor Configuration

Operation: Maximum transmitting speed configuration
Description: Optional
Related section: Maximum Transmitting Speed Configuration

MST Region Configuration

Configuration procedure

Table 85 Configure an MST region

Operation: Enter system view
Command: system-view
Description: —

Operation: Enter MST region view
Command: stp region-configuration
Description: —

Operation: Configure a name for the MST region
Command: region-name name
Description: Required. The default MST region name of a switch is its MAC address.

Operation: Configure the VLAN mapping table for the MST region
Command: instance instance-id vlan vlan-list
Description: Required

Admin configuration
   Format selector    :0
   Region name        :info
   Revision level     :1

   Instance   Vlans Mapped
      0       11 to 19, 31 to 4094
      1       1 to 10
      2       20 to 30

Root Bridge/Secondary Root Bridge Configuration

MSTP can automatically choose a switch as a root bridge. You can also manually specify the current switch as a root bridge by using the corresponding commands.

You can configure a switch as the root bridge of multiple spanning tree instances, but you cannot configure two or more root bridges for one spanning tree instance. So, do not configure root bridges for the same spanning tree instance on two or more switches using the stp root primary command. You can configure multiple secondary root bridges for one spanning tree instance.

■ RSTP mode: In this mode, the protocol packets sent out of the ports of the switch are RSTP packets. If the switched network contains RSTP-enabled switches, you can configure the current MSTP-enabled switch to operate in this mode by using the stp mode rstp command.
■ MSTP mode: In this mode, the protocol packets sent out of the ports of the switch are MSTP packets, or STP packets if the ports have STP-enabled switches connected.

Configuration example

1 Configure the maximum hops of the MST region to be 30 (assuming that the current switch operates as the region root).

system-view
System View: return to User View with Ctrl+Z.
[4200G] stp max-hops 30

Network Diameter Configuration

In a switched network, any two switches can communicate with each other through a path, on which there may be some other switches.

■ The Max age parameter is used to judge whether or not a configuration BPDU is obsolete. Obsolete configuration BPDUs will be discarded.

Configuration example

1 Configure the Forward delay parameter to be 1,600 centiseconds, the Hello time parameter to be 300 centiseconds, and the Max age parameter to be 2,100 centiseconds (assuming that the current switch operates as the CIST root bridge).

system-view
System View: return to User View with Ctrl+Z.
Configuration procedure (in system view)

Table 94 Configure the maximum transmitting speed for specified ports in system view

Operation: Enter system view
Command: system-view
Description: —

Operation: Configure the maximum transmitting speed for specified ports
Command: stp interface interface-list transmit-limit packetnumber
Description: Required. The maximum transmitting speed of all Ethernet ports on a switch defaults to 3.

Configuration procedure (in system view)

Table 96 Configure a port as an edge port (in system view)

Operation: Enter system view
Command: system-view
Description: —

Operation: Configure the specified ports as edge ports
Command: stp interface interface-list edged-port enable
Description: Required. By default, all the Ethernet ports of a switch are non-edge ports.

Configuration procedure (in system view)

Table 98 Specify whether or not the links connected to the specified ports are point-to-point links (in system view)

Operation: Enter system view
Command: system-view
Description: —

Operation: Specify whether or not the links connected to the specified ports are point-to-point links
Command: stp interface interface-list point-to-point
Description: Required. The auto keyword is adopted by default.

System View: return to User View with Ctrl+Z.
[4200G] stp interface GigabitEthernet1/0/1 point-to-point force-true

■ Configure in Ethernet port view.

system-view
System View: return to User View with Ctrl+Z.

■ Configure in Ethernet port view.

system-view
System View: return to User View with Ctrl+Z.
[4200G] stp enable
[4200G] interface GigabitEthernet1/0/1
[4200G-GigabitEthernet1/0/1] stp disable

Leaf Node Configuration

Table 102 lists MSTP-related configurations about leaf nodes.

Maximum Transmitting Speed Configuration

Refer to “Maximum Transmitting Speed Configuration”.

Edge Port Configuration

Refer to “Edge Port Configuration”.

Path Cost Configuration

The path cost parameter reflects the link rates on ports. For a port on an MSTP-enabled switch, the path cost may differ between spanning tree instances.

Table 104 Transmission speeds and the corresponding path costs (Continued)

Transmission speed: 10 Gbps
Operation mode (half-/full-duplex): Full-duplex
802.1D-1998: 2
IEEE 802.1t: 2,000
Standard defined by 3Com: 2

Transmission speed: 10 Gbps, aggregated link of 2 ports
802.1D-1998: 1
IEEE 802.1t: 1,000
Standard defined by 3Com: 1

Transmission speed: 10 Gbps, aggregated link of 3 ports
802.1D-1998: 1
IEEE 802.1t: 666
Standard defined by 3Com: 1

Transmission speed: 10 Gbps, aggregated link of 4 ports
802.1D-1998: 1
IEEE 802.1t: 500
Standard defined by 3Com: 1

Normally, the path cost of a port operating in full-duplex mode is slightly less than that of a port operating in half-duplex mode.

■ Configure in Ethernet port view.

system-view
System View: return to User View with Ctrl+Z.
[4200G] interface GigabitEthernet1/0/1
[4200G-GigabitEthernet1/0/1] stp instance 1 cost 2000

Configuration example (B)

1 Change the path cost of GigabitEthernet1/0/1 port in spanning tree instance 1 to the default one calculated with the IEEE 802.1D-1998 standard.

■ Configure in system view.

system-view
System View: return to User View with Ctrl+Z.
A lower port priority value indicates a higher port priority. If all the ports of a switch have the same port priority value, the port priorities are determined by the port indexes. Changing the priority of a port causes spanning tree regeneration. You can configure port priorities according to actual networking requirements.

Configuration example

1 Configure the port priority of GigabitEthernet1/0/1 port in spanning tree instance 1 to be 16.

■ Configure in system view.

The mCheck Configuration

Performing the mCheck operation in system view

Table 109 Perform the mCheck operation in system view

Operation: Enter system view
Command: system-view
Description: —

Operation: Perform the mCheck operation
Command: stp [ interface interface-list ] mcheck
Description: Required

Performing the mCheck operation in Ethernet port view

Table 110 Perform the mCheck operation in Ethernet port view

Operation: Enter system view
Command: system-view
Description: —

Operation: Enter Ethernet port view
Command: interface interf

Protection Function Configuration

Root protection

A root bridge and its secondary root bridges must reside in the same region. The CIST root bridge and its secondary root bridges are usually located in the high-bandwidth core region. Configuration errors or attacks may result in configuration BPDUs with priorities higher than that of the root bridge, which causes a new root bridge to be elected and network topology jitter to occur.

BPDU Protection Configuration

Configuration procedure

Table 111 Enable the BPDU protection function

Operation: Enter system view
Command: system-view
Description: —

Operation: Enable the BPDU protection function
Command: stp bpdu-protection
Description: Required. The BPDU protection function is disabled by default.

Configuration example

Enable the BPDU protection function.

system-view
System View: return to User View with Ctrl+Z.

Enabling the loop prevention function on specified ports in system view

Table 114 Enable the loop prevention function on specified ports in system view

Operation: Enter system view
Command: system-view
Description: —

Operation: Enable the loop prevention function on specified ports
Command: stp interface interface-list loop-protection
Description: Required. By default, the loop prevention function is disabled.
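The three protection functions of this section (root protection, BPDU protection, loop prevention) all react to what a port receives, or stops receiving, in configuration BPDUs. The following Python is an added example for this guide, not 3Com code, showing the reaction each function produces. The text above only spells out the threat root protection addresses (a superior BPDU from a misconfigured or hostile device forcing a new root election); the reactions coded here for all three functions are this example's assumptions, stated in the comments, and the bridge IDs, port names and costs are constructed.

```python
"""Constructed model of root protection, BPDU protection and loop prevention.
Added example, not 3Com code. A BPDU is (root ID, root path cost, designated
bridge ID, designated port ID); smaller is superior. All sample data is
constructed and the reactions modelled are assumptions."""
from dataclasses import dataclass, field
from typing import List, NamedTuple


class Bpdu(NamedTuple):
    root_id: int
    root_path_cost: int
    designated_bridge: int
    designated_port: int


def is_superior(a: Bpdu, b: Bpdu) -> bool:
    return tuple(a) < tuple(b)


@dataclass
class GuardedPort:
    name: str
    role: str                      # root | designated | alternate | edge
    root_protection: bool = False  # enabled on designated ports facing untrusted devices
    loop_protection: bool = False  # enabled on root/alternate ports
    state: str = "forwarding"
    log: List[str] = field(default_factory=list)


def on_bpdu(port: GuardedPort, bpdu: Bpdu, current_root: Bpdu, bpdu_protection: bool) -> str:
    """React to a configuration BPDU arriving on the port; returns the new state."""
    if port.role == "edge":
        # BPDU protection (assumed reaction):注 an edge port faces end stations and
        # should never see a BPDU; if one arrives, shut the port down.
        if bpdu_protection:
            port.state = "down"
            port.log.append(f"{port.name}: BPDU on edge port, port shut down")
        else:
            port.role = "designated"   # without protection it merely loses edge status
        return port.state
    if port.role == "designated" and port.root_protection and is_superior(bpdu, current_root):
        # Root protection (assumed reaction): a BPDU superior to the current root
        # would trigger a new root election (the misconfiguration/attack case the
        # text names). Keep the port discarding rather than accept the new root.
        port.state = "discarding"
        port.log.append(f"{port.name}: superior BPDU blocked by root protection")
        return port.state
    port.state = "forwarding"
    return port.state


def on_bpdu_timeout(port: GuardedPort) -> str:
    """React to the Max age timer expiring with no BPDU seen on the port."""
    if port.role in ("root", "alternate") and port.loop_protection:
        # Loop prevention (assumed reaction): a root/alternate port that stops hearing
        # BPDUs would otherwise turn designated and forward, possibly closing a loop;
        # with loop protection it stays discarding until BPDUs return.
        port.state = "discarding"
        port.log.append(f"{port.name}: BPDUs lost, loop protection keeps port discarding")
        return port.state
    port.role = "designated"
    port.state = "forwarding"
    return port.state


if __name__ == "__main__":
    root = Bpdu(100, 0, 100, 1)                                   # constructed current root
    guarded = GuardedPort("GigabitEthernet1/0/2", "designated", root_protection=True)
    print(on_bpdu(guarded, Bpdu(50, 0, 50, 1), root, bpdu_protection=False))
    edge = GuardedPort("GigabitEthernet1/0/3", "edge")
    print(on_bpdu(edge, Bpdu(100, 20000, 300, 1), root, bpdu_protection=True))
    print(guarded.log + edge.log)
```

Each log line in the model corresponds to the event a switch would raise; watching for those events is how an operator learns that a user-facing port has started seeing BPDUs.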
BPDU Tunnel Configuration

As shown in Figure 38, the upper part is the operator's network, and the lower part is the user network. The operator's network comprises packet ingress/egress devices, and the user network has networks A and B. On the operator's network, configure the BPDU packets arriving at the ingress to have MAC addresses in a special format, and convert them back to their original format at the egress.

Digest Snooping Configuration

Introduction

According to IEEE 802.1s, two interconnected MSTP switches can interwork with each other through MSTIs in an MST region only when the two switches have the same MST region-related configuration. Interconnected MSTP switches determine whether or not they are in the same MST region by checking the configuration IDs of the BPDUs between them. (A configuration ID contains information such as region ID and configuration digest.

■ To enable the digest snooping feature, the interconnected switches must be configured with exactly the same MST region-related configuration.
■ The digest snooping feature must be enabled on all the ports of your S4200G switch that are connected to partners' proprietary-protocol switches in the same MST region.
■ To change MST region-related configuration, be sure to disable the digest snooping feature first to prevent possible broadcast storms.

Rapid Transition Configuration

Figure 40 The MSTP rapid transition mechanism (upstream switch designated port and downstream switch root port: the upstream switch sends proposal packets to request rapid transition; the downstream root port blocks the other non-edge ports and sends agreement packets; the root port changes to the Forwarding state and sends agreement packets to the upstream switch; the designated port changes to the Forwarding state)

A limitation exists on combining RSTP and MSTP switches when implementing rapid transition.

Figure 41 Network diagram for rapid transition configuration (a switch from another manufacturer, Port 1, connected to Port 2 of the Quidway switch)

Configuration procedure

Table 119 Configure the rapid transition feature in system view

Operation: Enter system view
Command: system-view
Description: —

Operation: Enable the rapid transition feature
Command: stp interface interface-type interface-number no-agreement-check
Description: Required. By default, the rapid transition feature is disabled on a port.

MSTP Displaying and Debugging

You can verify the above configurations by executing the display commands in any view. Execute the reset command in user view to clear MSTP statistics. Execute the debugging command in user view to debug the MSTP module.

MSTP Implementation Example

b Configure the MST region.

[4200G-mst-region] region-name example
[4200G-mst-region] instance 1 vlan 10
[4200G-mst-region] instance 3 vlan 30
[4200G-mst-region] instance 4 vlan 40
[4200G-mst-region] revision-level 0

c Activate the settings of the MST region.

[4200G-mst-region] active region-configuration

d Specify Switch A as the root bridge of spanning tree instance 1.

[4200G] stp instance 1 root primary

2 Configure Switch B.

a Enter MST region view.

b Configure the MST region.

[4200G-mst-region] region-name example
[4200G-mst-region] instance 1 vlan 10
[4200G-mst-region] instance 3 vlan 30
[4200G-mst-region] instance 4 vlan 40
[4200G-mst-region] revision-level 0

c Activate the settings of the MST region.
21 802.1X CONFIGURATION

Introduction to 802.1x

The 802.1x protocol (802.1x for short) was developed by the IEEE 802 LAN/WAN committee to address security issues of wireless LANs. It was then used in Ethernet as a common access control mechanism for LAN ports, mainly to address authentication and security problems. 802.1x is a port-based network access control protocol. It authenticates and controls devices requesting access in terms of the ports of LAN access control devices. With the 802.

PAE

A PAE (port access entity) is responsible for the implementation of algorithm and protocol-related operations in the authentication mechanism. The authenticator system PAE authenticates the supplicant systems when they log into the LAN and controls the authorizing state (on/off) of the controlled ports according to the authentication result.

Encapsulation of EAPoL Messages

■ EAP protocol packets transmitted between the supplicant system and the authenticator system are encapsulated as EAPoL packets.

Note that EAPoL-Start, EAPoL-Logoff, and EAPoL-Key packets are only transmitted between the supplicant system and the authenticator system. EAP packets are encapsulated in the RADIUS protocol to allow them to reach the authentication servers. Network management-related information (such as alarm information) is encapsulated in EAPoL-Encapsulated-ASF-Alert packets, which are terminated by authenticator systems.
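A small parser makes the encapsulation rules above concrete: which EAPoL packet types stay on the supplicant-authenticator link, which one carries an EAP packet that the authenticator relays towards the RADIUS server, and what a malformed length field looks like. The following Python is an added example for this guide, not 3Com code. The EAPoL header layout (one-byte version, one-byte type, two-byte length) and the type values are those of IEEE 802.1X; the sample frames are constructed.

```python
"""Constructed EAPoL frame parser. Added example, not 3Com code; header
layout and type codes follow IEEE 802.1X, sample frames are constructed."""
import struct
from typing import Dict

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPoL-Start", 2: "EAPoL-Logoff",
               3: "EAPoL-Key", 4: "EAPoL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_eapol(frame: bytes) -> Dict[str, object]:
    """Parse the EAPoL header (and the EAP header inside an EAP-Packet).

    Raises ValueError for frames a careful authenticator should drop: a
    truncated header, an unknown type, or a length field that overruns the frame.
    """
    if len(frame) < 4:
        raise ValueError("truncated EAPoL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPoL length field exceeds the frame")
    name = EAPOL_TYPES.get(ptype)
    if name is None:
        raise ValueError(f"unknown EAPoL packet type {ptype}")
    result: Dict[str, object] = {
        "version": version,
        "type": name,
        # Only EAP-Packet bodies are relayed to RADIUS; the other types terminate
        # at the authenticator, as the text states.
        "relay_to_radius": name == "EAP-Packet",
        "body": body,
    }
    if name == "EAP-Packet":
        if length < 4:
            raise ValueError("truncated EAP header")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len > length:
            raise ValueError("EAP length field exceeds the EAPoL body")
        # The EAP Type octet is present only in Request/Response packets.
        eap_type = body[4] if code in (1, 2) and eap_len > 4 else None
        result["eap"] = {"code": EAP_CODES.get(code, "unknown"), "id": ident,
                         "length": eap_len, "type": eap_type}
    return result


if __name__ == "__main__":
    # Constructed frames: an EAPoL-Start, and an EAP Response/Identity "user".
    start = b"\x01\x01\x00\x00"
    identity = b"\x01\x00\x00\x09" + b"\x02\x01\x00\x09\x01user"
    for f in (start, identity):
        print(parse_eapol(f))
```

The demo's EAP Response/Identity is what the authenticator wraps into the EAP-Message attribute of its RADIUS Access-Request; the EAPoL-Start is answered locally and never leaves the switch.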
Figure 48 The format of an EAP-message field (Type, Length, String; the String field carries the EAP packet)

The Message-authenticator field, as shown in Figure 49, is used to prevent unauthorized interception of access-request packets during authentication using CHAP, EAP, and so on. A packet with the EAP-message field must also have the Message-authenticator field; otherwise the packet is regarded as invalid and is discarded.
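The rule just stated (EAP-Message present, therefore Message-Authenticator required and valid, otherwise discard) is what a RADIUS peer enforces on every packet. The following Python is an added example for this guide, not 3Com code, that builds a RADIUS Access-Request, computes the Message-Authenticator, and applies the acceptance check. The attribute types (79 for EAP-Message, 80 for Message-Authenticator) and the HMAC-MD5 construction over the packet with the attribute zeroed follow RFC 3579; the shared secret, the request authenticator and the packet contents are constructed.

```python
"""Constructed RADIUS Message-Authenticator check. Added example, not 3Com
code; attribute types and HMAC-MD5 construction follow RFC 3579, and the
shared secret and packet contents are constructed sample data."""
import hashlib
import hmac
import struct
from typing import List, Tuple

EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80


def build_packet(code: int, ident: int, authenticator: bytes,
                 attrs: List[Tuple[int, bytes]]) -> bytes:
    """RADIUS header (code, id, length, 16-byte authenticator) plus TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(packet: bytes) -> List[Tuple[int, bytes, int]]:
    """Return (type, value, offset-of-value) triples; rejects bad lengths."""
    total = struct.unpack("!H", packet[2:4])[0]
    if total > len(packet) or total < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < total:
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > total:
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + length], pos + 2))
        pos += length
    return attrs


def message_authenticator(packet: bytes, secret: bytes, ma_offset: int) -> bytes:
    """HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed."""
    zeroed = packet[:ma_offset] + b"\x00" * 16 + packet[ma_offset + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def sign(code: int, ident: int, authenticator: bytes,
         attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    """Append a Message-Authenticator attribute and fill in its value."""
    prior = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    ma_offset = 20 + len(prior) + 2
    pkt = build_packet(code, ident, authenticator,
                       list(attrs) + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    return pkt[:ma_offset] + message_authenticator(pkt, secret, ma_offset) + pkt[ma_offset + 16:]


def accept_packet(packet: bytes, secret: bytes) -> bool:
    """The rule from the text: an EAP-Message requires a valid Message-Authenticator."""
    try:
        attrs = parse_attrs(packet)
    except (ValueError, IndexError, struct.error):
        return False
    has_eap = any(t == EAP_MESSAGE for t, _, _ in attrs)
    mas = [(v, off) for t, v, off in attrs if t == MESSAGE_AUTHENTICATOR]
    if not mas:
        return not has_eap            # no integrity check: only acceptable without EAP
    value, off = mas[0]
    if len(value) != 16:
        return False
    return hmac.compare_digest(value, message_authenticator(packet, secret, off))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))                # constructed request authenticator
    eap = b"\x02\x01\x00\x09\x01user"              # constructed EAP Response/Identity
    good = sign(1, 1, request_auth, [(1, b"user"), (EAP_MESSAGE, eap)], secret)
    print("signed request accepted:", accept_packet(good, secret))
    unsigned = build_packet(1, 1, request_auth, [(EAP_MESSAGE, eap)])
    print("request without Message-Authenticator accepted:", accept_packet(unsigned, secret))
```

The demo's second packet is exactly the case the text calls invalid: it carries EAP-Message but no Message-Authenticator, so it is discarded before any EAP processing.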
154 CHAPTER 21: 802.1X CONFIGURATION Figure 50 802.
■ The RADIUS server compares the received encrypted password (contained in a RADIUS access-request packet) with the locally encrypted password. If the two match, it sends feedback (through a RADIUS access-accept packet and an EAP-success packet) to the switch to indicate that the supplicant system is authorized.

■ The switch changes the state of the corresponding port to the accepted state to allow the supplicant system to access the network.
Figure 51 802.
802.1x Implementation on an S4200G Series Switch

■ Handshake timer (handshake-period): This timer sets the handshake period and is triggered after a supplicant system passes the authentication. It sets the interval at which a switch sends handshake request packets to online users.
■ After the maximum number of authentication retries has been made and there are still ports that have not sent any response back, the switch adds these ports to the Guest VLAN.

■ When the maximum number of authentication retries is reached, the switch adds the ports that do not return response packets to the Guest VLAN.

■ Users belonging to the Guest VLAN can access the resources of the Guest VLAN without being authenticated.
Configuring Basic 802.1x Functions

Table 122 Configure basic 802.1x functions
■ Enter system view. Command: system-view.
■ Enable 802.1x globally. Command: dot1x. Required. By default, 802.1x is disabled globally.
■ Enable 802.1x for specified ports. Use the following command in system view: Required. By default, 802.1x is disabled for all ports.
Table 123 Configure 802.1x timers and the maximum number of users (continued)
■ Configure 802.1x timers. Command: dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | tx-period tx-period-value | supp-timeout supp-timeout-value | server-timeout server-timeout-value | ver-period ver-period-value }. Optional. The default values of 802.
The proxy checking function needs the support of 3Com's 802.1x client program. The configuration listed in Table 124 takes effect only when it is performed on CAMS as well as on the switch, and the client version checking function is enabled on the switch (by the dot1x version-check command).

Configuring Client Version Checking

Table 125 Configure client version checking
■ Enter system view. Command: system-view.
■ Enable 802.
Supplicant systems that are not authenticated, fail to pass the authentication, or are offline belong to Guest VLANs.

Displaying and Debugging 802.1x

You can verify the 802.1x-related configuration by executing the display command in any view. You can clear 802.1x-related statistics by executing the reset command in user view.

Table 128 Display and debug 802.1x
■ Display the configuration, session, and statistics information about 802.
and the authenticating RADIUS server to be name, and money for interaction between the switch and the accounting RADIUS server. Configure the waiting period for the switch to resend packets to the RADIUS server to be 5 seconds, that is, if after 5 seconds the RADIUS server still has not sent any response back, the switch resends the packets. Configure the number of times that the switch resends packets to the RADIUS server to be 5.
6 Assign IP addresses to the secondary authentication and accounting RADIUS servers.

[4200G-radius-radius1] secondary authentication 10.11.1.2
[4200G-radius-radius1] secondary accounting 10.11.1.1

7 Set the password for the switch and the authentication RADIUS servers to exchange messages.

[4200G-radius-radius1] key authentication name

8 Set the password for the switch and the accounting RADIUS servers to exchange messages.
22 HABP CONFIGURATION

Introduction to HABP

With 802.1x enabled, a switch authenticates and then authorizes 802.1x-enabled ports. Packets can be forwarded only by authorized ports. If ports connected to the switch are not authenticated and authorized by 802.1x, the packets they receive are filtered. This means that users can no longer manage the attached switches. To address this problem, the 3Com authentication bypass protocol (HABP) has been developed.
HABP Client Configuration

HABP clients reside on switches attached to HABP servers. After you enable HABP for a switch, the switch operates as an HABP client by default. So you only need to enable HABP on a switch to make it an HABP client.

Table 130 Configure an HABP client
■ Enter system view. Command: system-view.
■ Enable HABP. Command: habp enable. Optional. HABP is enabled by default.

Displaying and Debugging HABP
23 AAA&RADIUS CONFIGURATION

Overview

Introduction to AAA

AAA is short for the three security functions: authentication, authorization and accounting. It provides a uniform framework for you to configure the three security functions to implement network security management. The network security mentioned here mainly refers to access control.
Generally, AAA adopts the client/server structure, where the client acts as the managed resource and the server stores user information. This structure has good scalability and facilitates the centralized management of user information.

Introduction to ISP Domain

An Internet service provider (ISP) domain is a group of users who belong to the same ISP. For a user name in the format userid@isp-name, the isp-name following the @ character is the ISP domain name.
Figure 54 Databases in a RADIUS server (Users, Clients, Dictionary)

In addition, the RADIUS server can act as the client of some other AAA server to provide the authentication or accounting proxy service.

Basic message exchange procedure of RADIUS

The messages exchanged between a RADIUS client (a switch, for example) and the RADIUS server are verified by using a shared key. This enhances the security.
3 The RADIUS server compares the received user information with that in the Users database to authenticate the user. If the authentication succeeds, it sends back an authentication response (Access-Accept), which contains information about the user's rights, to the RADIUS client. If the authentication fails, it returns an Access-Reject response.

4 The RADIUS client accepts or denies the user depending on the received authentication result.
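The two integrity checks this guide describes, that a RADIUS packet carrying an EAP-message field must also carry a Message-authenticator field or be discarded (802.1x chapter), and that the switch verifies the server's reply under the shared key, as an added Python example that is not part of the guide; the shared secret, user name and EAP payloads are constructed values.

```python
import hashlib
import hmac
import os
import struct
# RADIUS packet codes and attribute types (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def pack_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS type-length-value attributes."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def parse_attrs(data):
    """Return (type, value, offset) triples; offset is relative to the start of data."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length], pos))
        pos += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    """Assemble header, 16-byte Authenticator and attributes; no integrity value is computed."""
    body = pack_attrs(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def build_access_request(ident, secret, username, eap_payload, authenticator=None):
    """Client (switch) side: Access-Request carrying EAP-Message and a valid Message-Authenticator."""
    request_auth = authenticator if authenticator is not None else os.urandom(16)
    pkt = bytearray(build_packet(ACCESS_REQUEST, ident, request_auth, [
        (ATTR_USER_NAME, username), (ATTR_EAP_MESSAGE, eap_payload),
        (ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]))  # zeroed placeholder, filled below
    # HMAC-MD5 keyed with the shared secret over the whole packet with the
    # Message-Authenticator value zeroed; the placeholder is the last 16 bytes.
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)


def check_access_request(pkt, secret):
    """Server side: (accepted, reason). EAP-Message without a Message-Authenticator,
    or with one that does not verify under the shared secret, is discarded."""
    if len(pkt) < HEADER_LEN:
        return False, "packet shorter than RADIUS header"
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or code != ACCESS_REQUEST:
        return False, "bad Length field or not an Access-Request"
    try:
        attrs = parse_attrs(pkt[HEADER_LEN:])
    except ValueError as exc:
        return False, str(exc)
    has_eap = any(t == ATTR_EAP_MESSAGE for t, _, _ in attrs)
    mas = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if has_eap and not mas:
        return False, "EAP-Message without Message-Authenticator"
    if mas:
        if len(mas) != 1 or len(mas[0][0]) != 16:
            return False, "malformed Message-Authenticator"
        received, off = mas[0]
        zeroed = bytearray(pkt)
        start = HEADER_LEN + off + 2  # skip the attribute's type and length bytes
        zeroed[start:start + 16] = bytes(16)
        expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
        if not hmac.compare_digest(received, expected):
            return False, "Message-Authenticator mismatch"
    return True, "ok"


def build_response(code, request_pkt, secret, attrs):
    """Server side: Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = pack_attrs(attrs)
    hdr = struct.pack("!BBH", code, request_pkt[1], HEADER_LEN + len(body))
    return hdr + hashlib.md5(hdr + request_pkt[4:HEADER_LEN] + body + secret).digest() + body


def check_response(resp_pkt, request_pkt, secret):
    """Client (switch) side: accept a reply only if it was computed under the shared key
    for the request actually sent (same Identifier and Request Authenticator)."""
    if len(resp_pkt) < HEADER_LEN or resp_pkt[1] != request_pkt[1]:
        return False
    expected = hashlib.md5(resp_pkt[:4] + request_pkt[4:HEADER_LEN]
                           + resp_pkt[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, resp_pkt[4:HEADER_LEN])


if __name__ == "__main__":
    secret = b"example-shared-key"  # constructed value, not a key from the guide
    eap_identity = b"\x02\x01\x00\x0d\x01user@isp"  # EAP Response/Identity for "user@isp"
    req = build_access_request(7, secret, b"user@isp", eap_identity)
    print(check_access_request(req, secret))        # (True, 'ok')
    print(check_access_request(req, b"wrong-key"))  # (False, 'Message-Authenticator mismatch')
    accept = build_response(ACCESS_ACCEPT, req, secret, [(ATTR_EAP_MESSAGE, b"\x03\x01\x00\x04")])
    print(check_response(accept, req, secret))      # True
```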
Table 132 Description on major values of the Code field (continued)
■ Code 4, Accounting-Request. Direction: client->server. The client transmits this packet to the server to request the server to start or end the accounting (whether to start or to end the accounting is determined by the Acct-Status-Type attribute in the packet). This packet carries almost the same attributes as those carried in the Access-Request packet.
Table 133 RADIUS attributes (continued): value of the Type field and attribute type
13 Framed-Compression; 35 Login-LAT-Node
14 Login-IP-Host; 36 Login-LAT-Group
15 Login-Service; 37 Framed-AppleTalk-Link
16 Login-TCP-Port; 38 Framed-AppleTalk-Network
17 (unassigned); 39 Framed-AppleTalk-Zone
18 Reply-Message; 40-59 (reserved for accounting)
19 Callback-Number; 60 CHAP-Challenge
20 Callback-ID; 61 NAS-Por
Configuration Tasks

Table 134 Configuration tasks
■ AAA configuration: Create an ISP domain. Required. Related section: Creating an ISP Domain.
■ AAA configuration: Configure the attributes of the ISP domain. Optional. Related section: Configuring the Attributes of an ISP Domain.
■ AAA configuration: Configure an AAA scheme for the ISP domain. Required. Related section: Configuring an AAA Scheme for an ISP Domain. If local authentication is adopted, also refer to Configuring the Attributes of a Local User.
AAA Configuration

Configuration Prerequisites

The goal of AAA configuration is to protect network devices against unauthorized access and at the same time provide network access services to legitimate users. If you need to use ISP domains to implement AAA management on access users, you can configure the ISP domains. If you want to adopt the remote AAA method, you must create a RADIUS scheme.

Creating an ISP Domain
CAUTION:
■ On an S4200G series switch, each access user belongs to an ISP domain. You can configure up to 16 ISP domains on the switch. When a user logs in, if no ISP domain name is carried in the user name, the switch assumes that the user belongs to the default ISP domain.
■ If you execute the scheme local command, the local scheme is adopted as the primary scheme. In this case, only local authentication is performed; no RADIUS authentication is performed.
■ If you execute the scheme none command, no authentication is performed.
Configuring Dynamic VLAN Assignment

The dynamic VLAN assignment feature enables a switch to dynamically add the switch ports of successfully authenticated users to different VLANs according to the attributes assigned by the RADIUS server, so as to control the network resources that different users can access. Currently, the switch supports the RADIUS authentication server assigning the following two types of VLAN IDs: integer and string.
Configuring the Attributes of a Local User

When the local scheme is chosen as the AAA scheme, you should create local users on the switch and configure the relevant attributes. Local users are users set on the switch, with each user uniquely identified by a user name. To make a user who is requesting network service pass local authentication, you should add an entry for the user in the local user database on the switch.
■ If the configured authentication method is none or requires a password, the command level that a user can access after login is determined by the level of the user interface.

Cutting Down User Connections Forcibly

Table 141 Cut down user connections forcibly
■ Enter system view. Command: system-view.
■ Cut down user connections forcibly. Command: cut connection { all | access-type { dot1x | mac-authentication } | domain domain-name | interface

RADIUS Configuration
Configuring RADIUS Authentication/Authorization Servers

Table 143 Configure RADIUS authentication/authorization server
■ Enter system view. Command: system-view.
■ Create a RADIUS scheme and enter its view. Command: radius scheme radius-scheme-name. Required. By default, a RADIUS scheme named "system" has already been created in the system.
Table 144 Configure RADIUS accounting server (continued)
■ Set the maximum number of continuous no-response real-time accounting requests. Command: retry realtime-accounting retry-times. Optional. By default, the switch is allowed to continuously send at most 10 real-time accounting requests if it gets no response.
CAUTION: You must set the shared keys separately for the authentication/authorization packets and the accounting packets if the authentication/authorization server and the accounting server are different devices and the shared keys on the two servers are also different.

Configuring the Maximum Number of Transmission Attempts of RADIUS Requests

Communication in RADIUS is unreliable because the protocol uses UDP packets to carry data.
When both the primary and secondary servers are in the active or block state, the switch sends packets only to the primary server.

Table 148 Set the status of RADIUS servers
■ Enter system view. Command: system-view.
■ Create a RADIUS scheme and enter its view. Command: radius scheme radius-scheme-name. Required. By default, a RADIUS scheme named "system" has already been created in the system.
Configuring a Local RADIUS Authentication Server

■ For a RADIUS scheme, if you have specified that no ISP domain names are carried in the user names, you should not adopt this RADIUS scheme in more than one ISP domain. Otherwise, errors such as the following may occur: the RADIUS server regards two different users having the same name but belonging to different ISP domains as the same user (because the user names sent to it are the same).
To charge users in real time, you should set the interval of real-time accounting. After the setting, the switch sends the accounting information of online users to the RADIUS server at regular intervals.
The user re-authentication upon device restart function is designed to resolve the above problem. After this function is enabled, every time the switch restarts:

1 The switch generates an Accounting-On packet, which mainly contains the following information: NAS-ID, NAS-IP address (source IP address), and session ID.

2 The switch sends the Accounting-On packet to CAMS at regular intervals.
Table 155 Display RADIUS protocol information
■ Display the statistics about the local RADIUS authentication server. Command: display local-server statistics.
■ Display the configuration information about one specific or all RADIUS schemes. Command: display radius [ radius-scheme-name ].
■ Display the statistics about RADIUS packets. Command: display radius statistics.
■ Display the buffered no-response stop-accounting request packets. Command: display stop-accounting-buffer { radius-scheme radius
Network diagram

Figure 58 Remote RADIUS authentication of Telnet users (authentication server IP address: 10.110.91.164; switch; Telnet user; Internet)

Configuration procedure

1 Enter system view.

system-view
System View: return to User View with Ctrl+Z.
[4200G]

2 Adopt AAA authentication for Telnet users.

[4200G] user-interface vty 0 4
[4200G-ui-vty0-4] authentication-mode scheme

3 Configure an ISP domain.
Network requirements

In the network environment shown in Figure 59, you are required to configure the switch so that Telnet users logging into the switch are authenticated locally.

Network diagram

Figure 59 Local authentication of Telnet users (Telnet user; Internet)

Configuration procedure

1 Method 1: Using a local authentication scheme

a Enter system view.

system-view
System View: return to User View with Ctrl+Z.
Possible reasons and solutions:

■ The user name is not in the userid@isp-name format, or no default ISP domain is specified on the switch. Use the correct user name format, or set a default ISP domain on the switch.

■ The user is not configured in the database of the RADIUS server. Check the database of the RADIUS server and make sure that the configuration information about the user exists.
24 CENTRALIZED MAC ADDRESS AUTHENTICATION CONFIGURATION

Centralized MAC Address Authentication Overview

Centralized MAC address authentication is port-/MAC address-based authentication used to control user permissions to access a network. Centralized MAC address authentication can be performed without client-side software. With this type of authentication employed, a switch authenticates a user upon detecting the MAC address of the user for the first time.
■ Configuring the ISP Domain for MAC Address Authentication Users
■ Configuring the Timers Used in Centralized MAC Address Authentication

The configuration of the maximum number of learned MAC addresses (refer to the mac-address max-mac-count command) is unavailable for ports with centralized MAC address authentication enabled.
Configuring the ISP Domain for MAC Address Authentication Users

Table 159 lists the operations to configure the ISP domain for centralized MAC address authentication users.

Configuring the Timers Used in Centralized MAC Address Authentication
Centralized MAC Address Authentication Configuration Example

Centralized MAC address authentication configuration is similar to 802.1x. In this example, the differences between the two lie in the following: Centralized MAC address authentication needs to be enabled both globally and for the port. In MAC address mode, the MAC address of a locally authenticated user is used as both user name and password.
25 ARP CONFIGURATION

Introduction to ARP

Address resolution protocol (ARP) is used to resolve IP addresses into MAC addresses.

Necessity of the Address Resolution

An IP address is used on the network layer and cannot be used directly for communication, because network devices can only identify MAC addresses. To enable packets traveling on the network layer to reach the destination host, the MAC address of the host is required.
Table 163 Description on the fields of an ARP packet (continued)
■ Hardware address of the receiver: For an ARP request packet, this field is null. For an ARP reply packet, this field carries the hardware address of the receiver.
■ IP address of the receiver: IP address of the receiver.

Table 164 Description on the values of the hardware type field
■ 1: Ethernet
■ 2: Experimental Ethernet
■ 3: X.

ARP Table
Table 165 describes the ARP mapping table fields.
By sending gratuitous ARP packets, a network device can:
■ Determine whether or not IP address conflicts exist between it and other network devices.
■ Trigger other network devices to update the hardware address of the sending device stored in their caches.
Enabling the ARP Entry Checking Function

When multiple hosts share one multicast MAC address, you can specify whether or not to create multicast MAC address ARP entries for the MAC addresses learned, by performing the operations listed in Table 169.
Table 171 Display and debug ARP
■ Display the setting of the ARP aging timer. Command: display arp timer aging. This command can be executed in any view.
26 ACL CONFIGURATION

ACL Overview

An access control list (ACL) is used primarily to identify traffic flows. In order to filter data packets, a series of match rules must be configured on the network device to identify the packets to be filtered. After the specific packets are identified, the network device permits or denies the corresponding packets based on the predefined policy.
ACL Match Order

An ACL may contain a number of rules, and each rule specifies a different packet range. This brings about the issue of match order when packets are matched. An ACL supports the following four types of match orders:
■ Configured order: ACL rules are matched according to the configured order.
■ Automatic ordering: ACL rules are matched according to "depth-first" order.
Configuration Procedure

Table 172 Configure a time range
■ Enter system view. Command: system-view.
■ Create a time range. Command: time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date }. Required.
■ Display a time range or time ranges. Command: display time-range { all | time-name }. Optional. The display command can be executed in any vie
Configuration Procedure

Table 173 Define a basic ACL rule
■ Enter system view. Command: system-view.
■ Enter basic ACL view. Command: acl number acl-number [ match-order { config | auto } ]. By default, the match order is config.
■ Define a rule. Command: rule [ rule-id ] { permit | deny } [ fragment ] [ source { sour-addr sour-wildcard | any } ] [ time-range time-name ]. Required.
■ Define the description information of the ACL. Command: description text. Optional.
■ Display
Configuration Preparation

Before configuring an ACL rule containing time range arguments, you need to define the corresponding time ranges. For the configuration of time ranges, refer to ?Advanced ACL. The values of source and destination IP addresses, the type of protocol over IP, and protocol-specific features in the rule have been defined.
Table 175 Rule information (continued)
■ destination { dest-addr dest-wildcard | any }: Destination address information. Specifies the destination address information in the rule. dest-addr dest-wildcard is used to specify the destination address of the packet, expressed in dotted decimal notation; any represents any destination address.
■ precedence precedence: Packet precedence. Packet priority, value range 0 to 7.
■ tos tos: Packet pre
If the protocol type is ICMP, you can also directly input the ICMP message name after the icmp-type argument. Table 178 describes some common ICMP messages.
Configuration Tasks

Table 179 Configure a Layer 2 ACL rule
■ Enter system view. Command: system-view.
■ Create or enter Layer 2 ACL view. Command: acl number acl-number [ match-order { config | auto } ]. By default, the match order is config.
■ Define a rule. Command: rule [ rule-id ] { permit | deny } rule-string. Required.
■ Define the comment string of the ACL rule. Command: rule rule-id comment text. Optional.
■ Define the description information of the AC
Table 180 Rule information (continued)
■ cos vlan-pri: Priority. Defines the vlan-pri: VLAN priority, in the range 802.

Configuration Example
Configuration Example

Apply ACL 2100 in the inbound direction on GigabitEthernet 1/0/1 to filter packets.

system-view
[4200G] interface gigabitethernet 1/0/1
[4200G-GigabitEthernet1/0/1] packet-filter inbound ip-group 2100

Displaying and Debugging ACL Configuration

After the above-mentioned configuration, you can use the display command in any view to view the ACL running information, so as to verify the configuration result.
Configuration procedure

Only the commands related to the ACL configuration are listed below.

1 Define a time range that contains a periodic time section from 8:00 to 18:00.

system-view
[4200G] time-range test 8:00 to 18:00 working-day

2 Define an ACL on traffic to the wage server. Enter advanced ACL view of ACL 3000.

[4200G] acl number 3000

3 Define an ACL rule for access to the wage server by other departments.
Layer 2 ACL Configuration Example

Network requirements

Through Layer 2 ACL configuration, packets with the source MAC address 00e0-fc01-0101 and destination MAC address 00e0-fc01-0303 are to be filtered within the time range from 8:00 to 18:00 every day.

Network diagram

Figure 63 Network diagram for Layer 2 ACL configuration

Configuration procedure

Only the commands related to the ACL configuration are listed below.

1 Define the time range.
27 QOS CONFIGURATION

Introduction to QoS

QoS (Quality of Service) is a concept that applies wherever there is supply of and demand for a service. It evaluates the ability to meet the customers' need for the service. Generally, the evaluation is not a precise grade. Its purpose is to analyze the conditions under which the service is at its best and those under which it still needs improvement, and then to make improvements in the specified aspects.
■ RFC 2474 redefines the ToS field in the IP packet header, which is called the DS field. The first six bits (bit 0 to bit 5) of the DS field indicate the DSCP precedence in the range of 0 to 63. The first three bits of the DSCP precedence are class selector codepoints, bit 4 and bit 5 indicate drop precedence, and bit 6 is zero, indicating that the device sets the service class with the DS model.
■ The last two bits (bit 6 and bit 7) are reserved bits.
Table 185 Description on DSCP values (continued): keyword, DSCP value (decimal), DSCP value (binary)
■ af42: 36, 100100
■ af43: 38, 100110
■ cs1: 8, 001000
■ cs2: 16, 010000
■ cs3: 24, 011000
■ cs4: 32, 100000
■ cs5: 40, 101000
■ cs6: 48, 110000
■ cs7: 56, 111000
■ default (be): 0, 000000

2 802.1p priority

802.1p priority lies in Layer 2 packet headers and is applicable to occasions where the Layer 3 packet header does not need analysis but QoS must be assured in Layer 2.
Table 186 Description on 802.1p priority (continued): IP precedence (decimal), IP precedence (binary), description
■ 3: 011, excellent-effort
■ 4: 100, controlled-load
■ 5: 101, video
■ 6: 110, voice
■ 7: 111, network-management

The precedence is called 802.1p priority because the related applications of this precedence are defined in detail in the 802.1p specification.
Figure 67 Evaluate the traffic with the token bucket (tokens are put into the bucket at the set rate; a packet to be sent via this interface is classified against the token bucket and either continues to be sent or is dropped)

1 Evaluate the traffic with the token bucket

The evaluation of the traffic specification is based on whether the number of tokens in the bucket can meet the need of packet forwarding.
Two token buckets are used in this evaluation. Their rates of putting tokens into the buckets are CIR and PIR respectively, and their sizes are CBS and EBS respectively (the two buckets are called the C bucket and the E bucket for short), representing different permitted burst levels.
For example, suppose device A sends packets to device B. Device B performs TP on packets from device A to drop the packets beyond the specification. In order to avoid meaningless packet loss, you can perform TS on the packets at the egress of device A and cache the packets beyond the TP specification in device A. When the next packets can be sent, the packets cached in the buffer queues are taken out and sent.
The disadvantage of SP queuing is that if there are packets in the queues with higher priority for a long time during congestion, the packets in the queues with lower priority are "starved to death" because they are not served.
Table 187 Queue-scheduling sequence of SDWRR
■ WRR: 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1
■ SDWRR: 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0
(0 indicates packets in queue0; 1 indicates packets in queue1)

Traffic-based Traffic Statistics

The function of traffic-based traffic statistics is to use ACL rules to identify traffic and perform traffic statistics on the packets matching the ACL rules.
You can select the priority trust mode of the port as you require. In the mode of trusting the packet precedence, the switch can trust the following priorities as you configure:
■ Trust the 802.1p priority of the packets
■ Trust the DSCP precedence of the packets

Trusting the 802.1p Priority of the Packets

You can specify whether to replace the precedence carried in the packet with the mapped precedence when you configure to trust the 802.
Figure 73 The mapping process of trusting the DSCP precedence in the default mode and automap mode

DSCP->other precedence mapping table (DSCP: Local-pre, Drop, 802.1p)
■ 0: 2, 0, 1
■ 1: 0, 0, 1
■ 2: 1, 0, 1
■ ...
Table 188 The QoS functions supported by S4200G and related commands (continued)
■ Traffic statistics: Supported. Related command: traffic-statistic. Link: Configuring Traffic Statistics.
■ Set the priority of protocol packets: Supported. Related command: protocol-priority. Link: Setting the Precedence of Protocol Packet.

Configuring Priority Mapping

Setting to Trust the Port Precedence

Refer to Priority Mapping for an introduction to priority mapping.
Table 190 The "COS-->other precedence" mapping table and its default value (802.1p: Local-pre, Drop, DSCP)
■ 0: 2, 0, 16
■ 1: 0, 0, 0
■ 2: 1, 0, 8
■ 3: 3, 0, 24
■ 4: 4, 0, 32
■ 5: 5, 0, 40
■ 6: 6, 0, 48
■ 7: 7, 0, 56

Configuration prerequisites
■ The priority trust mode is specified to trusting the 802.
Configuration procedure

Table 191 Setting to trust the 802.
Setting to Trust the DSCP Precedence of the Packets

Refer to Trusting the DSCP Precedence of the Packets for the description on trusting the DSCP precedence of the packets. You can modify the "DSCP-->other precedence" mapping relationship as required.

Table 192 The "DSCP-->other precedence" mapping table and its default value (DSCP: Local-pre, Drop, 802.
Configuration procedure

Table 194 Setting to trust the DSCP precedence of the packets
■ Enter system view. Command: system-view.
■ Modify the "DSCP->Local-pre" mapping relationship. Command: qos dscp-local-precedence-map dscp-list : local-precedence. Optional. Refer to Table 192 and Table 193 for the default values.
■ Modify the "DSCP->Drop precedence" mapping relationship. Command: qos dscp-drop-precedence-map dscp-list : drop-precedence.
■ Modify the "DSCP-->801.
Configuring TP

Configuration Prerequisites

Refer to T for the introduction to TP.
■ ACL rules used for traffic identifying are defined. Refer to the ACL module in this book for defining ACL rules.
■ The limit rate for TP, the actions for packets within the specified traffic and the actions for packets beyond the specified traffic have been specified.

Configuration Procedure of TP
Table 197 Clearing the statistics of TP
■ Display the statistics of TP. Command: display qos-interface { interface-type interface-num | unit-id } traffic-limit. Required. The statistics of TP include the bytes of the packets within the limited rate and the bytes of the packets beyond the limited rate. When the statistics count reaches the upper threshold, the switch restarts the statistics.
Table 198 Configuring TS
■ Start TS and send the packets at an even rate. Command: traffic-shape [ queue queue-id ] max-rate burst-size. Required.
■ Display the parameter configurations of TS. Command: display qos-interface { interface-type interface-num | unit-id } traffic-shape.

The switch supports two forms of TS:
■ TS for all the traffic on the port.
Configuration Procedure of the SDWRR Queue Scheduling

Table 200 Configuring the SDWRR queue scheduling
■ Enter system view. Command: system-view.
■ Set the SDWRR queue-scheduling algorithm and its parameters. Command: queue-scheduler wrr { group1 { queue-id queue-weight } &<1-8> | group2 { queue-id queue-weight } &<1-8> }*. Required.
■ Display the queue-scheduling mode and related parameters on the switch. Command: display queue-scheduler. Optio

Configuration Example
acl-rule: Issued ACL rules, which can be a combination of various ACL rules. The way of combination is described in Table 202.
Table 204 Setting the precedence of the protocol packet
■ Set the precedence of the protocol packet. Command: protocol-priority protocol-type protocol-type { ip-precedence ip-precedence | dscp dscp-value }. Required. You can modify the IP precedence or DSCP precedence of the protocol packet. Only the precedence of TELNET, SNMP, and ICMP protocol packets is supported currently.
■ Display the precedence of the protocol packet. Command: display protocol-priority. Optional. You

Configuration Example
QoS Configuration Example

Table 205 Displaying and maintaining QoS (Continued)
Operation: Display the parameter configurations of traffic policing
Command: display qos-interface { interface-type interface-num | unit-id } traffic-limit
Operation: Display the parameter configurations of TS
Command: display qos-interface { interface-type interface-num | unit-id } traffic-shape
Operation: Display the traffic statistics
Command: display qos-interface { interface-type interface-num | unit-id } traffic-statistic
Operation: Display the queue scheduling m
[4200G-acl-adv-3000] quit
2 Limit the outbound traffic of the salary query server.
a Limit the average rate of outbound traffic to within 640 kbps and set the precedence of packets exceeding the specification to 4.
28 CONFIGURATION FOR MIRRORING FEATURES

Mirroring Features

Mirroring refers to the process of copying packets that meet the specified rules to a destination port. Generally, a destination port is connected to a data detect device, which users can use to analyze the mirrored packets for monitoring and troubleshooting the network.
238 CHAPTER 28: CONFIGURATION FOR MIRRORING FEATURES

■ Intermediate switch: the switch between the source switch and the destination switch on the network.
■ Destination switch: the switch to which the destination port for remote mirroring belongs.
Table 206 describes how the ports on the various switches are involved in the mirroring operation.
Mirroring Supported by Switch 4200G

MAC-Based Mirroring

In MAC-based mirroring, the device mirrors the following packets to the destination port:
■ Packets whose source MAC addresses match the specified MAC addresses
■ Packets whose destination MAC addresses match the specified MAC addresses

VLAN-Based Mirroring

In VLAN-based mirroring, the device mirrors all packets received by the ports that belong to the VLAN to the destination port.
Configuration procedure

Table 208 Configure traffic mirroring
Operation: Enter system view
Command: system-view
Description: -
Operation: Enter Ethernet port view of the destination port
Command: interface interface-type interface-number
Description: -
Operation: Define the current port as the destination port
Command: monitor-port
Description: Required
Operation: Exit current view
Command: quit
Description: -
Operation: Enter Ethernet port view for traffic mirroring configuration
Command: interface interface-type interface-number
Description: -
Operation: Reference ACLs for mirror
Mirroring Configuration

Configuring Port Mirroring

Configuration prerequisites
■ The source port is specified, and whether the packets to be mirrored are inbound or outbound is specified. inbound: only mirrors the packets received by the port; outbound: only mirrors the packets sent by the port; both: mirrors both the packets received and the packets sent by the port.
■ The destination port is specified.
■ The group number of the mirroring group is specified.
Configuring port mirroring in system view

Table 212 Configure port mirroring in system view
Operation: Enter system view
Command: system-view
Description: -
Operation: Create a port mirroring group
Command: mirroring-group group-id local
Description: Required
Operation: Configure the destination port
Command: mirroring-group group-id monitor-port monitor-port
Description: Required
Operation: Configure the source port and specify the direction of the packets to
Command: mirroring-group group-id mirroring-port mirroring-port-list
Configuration procedure

Table 213 Configure MAC-based mirroring
Operation: Enter system view
Command: system-view
Description: -
Operation: Define a MAC-based local mirroring group
Command: mirroring-group group-id local
Description: Required
Operation: Configure MAC-based mirroring
Command: mirroring-group group-id mirroring-mac mac vlan vlan-id
Description: Required
Operation: Enter Ethernet port view of the destination port
Command: interface interface-type interface-number
Description: -
Operation: Define the current port as the destination port
Command: mirroring-group group-id
Configuration procedure

Table 214 Configure VLAN-based mirroring
Operation: Enter system view
Command: system-view
Description: -
Operation: Define a VLAN-based local mirroring group
Command: mirroring-group group-id local
Description: Required
Operation: Configure VLAN-based mirroring
Command: mirroring-group group-id mirroring-vlan vlan-id inbound
Description: Required
Operation: Enter Ethernet port view of the destination port
Command: interface interface-type interface-number
Description: -
Operation: Define the current port as the destination por
Configuring RSPAN on the source switch

Table 215 Configure RSPAN on the source switch
Operation: Enter system view
Command: system-view
Description: -
Operation: Create a remote-probe VLAN and enter VLAN view
Command: remote-probe vlan vlan-id
Description: vlan-id is the ID of the remote-probe VLAN.
Table 216 Configure RSPAN on the intermediate switch (Continued)
Operation: Configure the trunk port to permit packets from the remote-probe VLAN
Command: port trunk permit vlan remote-probe-vlan-id
Description: Required. This configuration is necessary for the ports on the intermediate switch that are connected to the source switch or the destination switch.
To meet the requirement above by using the RSPAN function, perform the following configuration:
■ Define VLAN 10 as the remote-probe VLAN.
■ Define Switch A as the destination switch; configure Ethernet1/0/2, the port that is connected to the data detect device, as the destination port for remote mirroring. Disable the STP function on GigabitEthernet1/0/2.
■ Define Switch B as the intermediate switch.
[4200G] interface gigabitethernet1/0/1
[4200G-GigabitEthernet1/0/1] port trunk permit vlan 10
[4200G-GigabitEthernet1/0/1] quit
[4200G] interface gigabitethernet1/0/2
[4200G-GigabitEthernet1/0/2] port trunk permit vlan 10
3 Configure Switch A.
29 IGMP SNOOPING CONFIGURATION

Overview of IGMP Snooping

IGMP Snooping Fundamentals

IGMP Snooping (Internet Group Management Protocol Snooping) is a multicast control mechanism running on a Layer 2 switch. It is used to manage and control multicast groups. When the IGMP messages transferred from the hosts to the router pass through the Layer 2 switch, the switch uses IGMP Snooping to analyze and process the IGMP messages.
250 CHAPTER 29: IGMP SNOOPING CONFIGURATION

IGMP Snooping terminologies

Before going on, we first describe the following terms involved in IGMP Snooping:
■ Router port: the switch port directly connected to the multicast router.
■ Multicast member port: a switch port connected to a multicast group member (a host in a multicast group).
■ MAC multicast group: a multicast group identified by a MAC multicast address and maintained by the switch.
To implement Layer 2 multicast, the switch processes four different types of IGMP messages it receives, as shown in Table 221.
IGMP Snooping Configuration

The following sections describe the IGMP Snooping configuration tasks.
Configuring Timers

This configuration task is to manually configure the aging time of the router port, the aging time of the multicast member ports, and the query response timeout time.
■ If the switch receives no general query message from a router within the aging time of the router port, the switch removes the router port from the port member lists of all MAC multicast groups.
In practice, when a user orders a multicast program, an IGMP report message is generated. When the message arrives at the switch, the switch examines the multicast filtering ACL configured on the access port to determine whether the port can join the corresponding multicast group. If yes, it adds the port to the forward port list of the multicast group. If not, it drops the IGMP report message and does not forward the corresponding data stream to the port.
Multicast VLAN is mainly used in Layer 2 switching, but you must also make the corresponding configuration on the Layer 3 switch.

Table 227 Configure multicast VLAN on Layer 3 switch
Operation: Enter system view
Command: system-view
Description: —
Operation: Create a VLAN and enter the VLAN view
Command: vlan vlan-id
Description: vlan-id is a VLAN ID.
■ You cannot set the isolate VLAN as a multicast VLAN.
■ One port can belong to only one multicast VLAN.
■ The port connected to a user end can only be set as a hybrid port.

Displaying Information About IGMP Snooping

You can execute the following display commands in any view to display information about IGMP Snooping.
IGMP Snooping Configuration Example

2 Enable IGMP Snooping on VLAN 10, where no Layer 3 multicast protocol is enabled.
[4200G] vlan 10
[4200G-vlan10] igmp-snooping enable

Example 2 Configure multicast VLAN on Layer 2 and Layer 3 switches.

Network requirements
Table 230 describes the network devices involved in this example and the configurations you should make on them.
Configuration procedure
The following configuration is based on the prerequisite that the devices are properly connected and all the required IP addresses are already configured.
1 Configure Switch A:
a Set the interface IP address of VLAN 20 to 168.10.1.1 and enable the PIM DM protocol on the VLAN interface.
Troubleshooting IGMP Snooping

[Switch B-GigabitEthernet 1/0/1] quit
e Define the GigabitEthernet 1/0/2 port as a hybrid port, add the port to VLAN 3 and VLAN 10, configure the port to exclude VLAN tags in its outbound packets for VLAN 3 and VLAN 10, and set VLAN 3 as the default VLAN of the port.
30 ROUTING PORT JOIN TO MULTICAST GROUP CONFIGURATION

Routing Port Join to Multicast Group Configuration

Introduction

Normally, an IGMP host responds to the IGMP query messages of the multicast router. If the response fails, the multicast router may consider that there is no multicast member on this network segment and cancel the corresponding path. To avoid such a problem, you can configure an interface of the switch as a multicast group member.
262 CHAPTER 30: ROUTING PORT JOIN TO MULTICAST GROUP CONFIGURATION
31 MULTICAST MAC ADDRESS ENTRY CONFIGURATION

Introduction

In Layer 2 multicast, the system can add multicast forwarding entries dynamically through a Layer 2 multicast protocol. However, you can also statically bind a port to a multicast address entry by configuring a multicast MAC address manually. Generally, when receiving a multicast packet whose multicast address has not yet been registered on the switch, the switch broadcasts the packet in the VLAN.
264 CHAPTER 31: MULTICAST MAC ADDRESS ENTRY CONFIGURATION

■ You cannot enable port aggregation on a port where you have configured a multicast MAC address, and you cannot configure a multicast MAC address on an aggregation port.

Displaying Multicast MAC Address Configuration

You can use the following display command in any view to display the multicast MAC address entry/entries you configured manually.
32 CLUSTER CONFIGURATION

Cluster Overview

Introduction to Cluster

A cluster is implemented through HGMP V2. By employing HGMP V2, a network administrator can manage multiple switches using the public IP address of a switch known as the management device. The switches under the management of the management device are member devices. The management device, along with the member devices, forms a cluster. Normally, a cluster member device is not assigned a public IP address.
266 CHAPTER 32: CLUSTER CONFIGURATION

HGMP V2 provides the following functions:
■ Topology discovery: HGMP V2 implements NDP (neighbor discovery protocol) to discover information about the directly connected neighbor devices, including device type, software/hardware version, connecting port and so on. Information such as device ID, port mode (duplex or half duplex), product version, and BootROM version can also be given.
Figure 84 Role changing rule
[Figure: the three roles Candidate device, Management device and Member device, with the transitions between them: designated as management device, added to cluster, removed from cluster.]

■ Each cluster has one (and only one) management device. A management device collects NDP/NTDP information to discover and determine candidate devices, which can then be added into the cluster through manual configuration.

Introduction to NDP
Upon detecting a change on a neighbor, a member device informs the management device of the change through handshake packets. The management device then collects the specified topology information through NTDP. Such a mechanism enables topology changes to be tracked in time.
Management Device Configuration

Enabling NDP Globally and for Specific Ports

Table 235 Enable NDP globally and for a specific port
Operation: Enter system view
Command: system-view
Description: —
Operation: Enable NDP globally
Command: ndp enable
Description: Required
Operation: Enable NDP for specified ports
Command: ndp enable interface port-list
Description: Optional
Operation: Enter Ethernet port view
Command: interface interface-type interface-number
Description: —

Configuring NDP-related Parameters

Enabling NTDP Globally and for Specific Ports

Configuring NTDP-related Parameters
Enabling the Cluster Function

Table 239 Enable the cluster function
Operation: Enter system view
Command: system-view
Description: —
Operation: Enable the cluster function globally
Command: cluster enable
Description: Required

Configuring Cluster Parameters

Configuring cluster parameters manually

Table 240 Configure cluster parameters manually
Operation: Enter system view
Command: system-view
Description: —
Operation: Specify the management VLAN
Command: management-vlan vlan-id
Description: This is to specify the manage
Configuring Internal-External Interaction

Table 242 Configure internal-external interaction
Operation: Enter system view
Command: system-view
Operation: Enter cluster view
Command: cluster
Description: Required
Operation: Configure an FTP server for the cluster
Command: ftp-server ip-address
Description: Optional
Operation: Configure a TFTP server for the cluster
Command: tftp-server ip-address
Description: Optional
Operation: Configure a log host for the cluster
Command: logging-host ip-address
Description: Optional

Member Device Configuration

Enabling NDP Globally and for Specific Ports
Specifying the cluster FTP/TFTP server

Table 245 Specify the cluster FTP/TFTP server
Operation: Establish a connection with the cluster FTP server
Command: ftp cluster
Description: Optional
Operation: Download a file from the cluster TFTP server
Command: tftp cluster get source-file [ destination-file ]
Description: Optional
Operation: Upload a file to the cluster TFTP server
Command: tftp cluster put source-file [ destination-file ]
Description: Optional

Intra-Cluster Configuration

Table 246 Configure a cluster
Table 247 Display and maintain cluster configurations (Continued)
Operation: Display state and statistics information about a cluster
Command: display cluster
Remark: Optional. This command can be executed in any view.
Operation: Display the information about the candidate devices of a cluster
Command: display cluster candidates [ mac-address H-H-H | verbose ]
Remark: Optional. This command can be executed in any view.

HGMP V2 Configuration Example
Network diagram

Figure 85 Network diagram for HGMP cluster configuration
[Figure: the SNMP host/log host 69.172.55.4 and the FTP server/TFTP server 63.172.55.1 are reached through the network from GE1/0/1 of the Management Device (VLAN-interface 2, 163.172.55.1). The Management Device connects through GE1/0/2 and GE1/0/3 to the GE1/1 ports of two cluster Member Devices, with MAC addresses 00e0.fc01.0011 and 00e0.fc01.0012.]

Configuration procedure
1 Configure the management device.
a Enable NDP globally and for the GigabitEthernet1/0/2 and GigabitEthernet1/0/3 ports.
f Configure the delay time for topology-collection request packets to be forwarded on member devices to be 150 ms.
[4200G] ntdp timer hop-delay 150
g Configure the delay time for topology-collection request packets to be forwarded through the ports of member devices to be 15 ms.
[4200G] ntdp timer port-delay 15
h Configure the interval to collect topology information to be 3 minutes.
[4200G] ntdp timer 3
i Enable the cluster function.
d Establish a connection with the cluster FTP server.
ftp cluster
e Download the file named aaa.txt from the cluster TFTP server.
tftp cluster get aaa.txt
f Upload the file named bbb.txt to the cluster TFTP server.
tftp cluster put bbb.
33 SNMP CONFIGURATION

SNMP Overview

By far, the simple network management protocol (SNMP) has gained the most extensive application in computer networks. SNMP has been put into use and widely accepted as an industry standard in practice. It is used to carry management information between any two nodes. In this way, network administrators can easily search and modify the information on any node on the network.
278 CHAPTER 33: SNMP CONFIGURATION

MIBs Supported by the Device

The management variable in an SNMP packet describes the management objects of a device. To uniquely identify the management objects of the device in SNMP messages, SNMP adopts a hierarchical naming scheme. It is like a tree, in which each node represents a managed object, as shown in Figure 86. Thus an object can be identified by the unique path starting from the root.
Table 248 Common MIBs (Continued)
MIB attribute: Private MIB
MIB content (References): DHCP MIB (—); QACL MIB (—); ADBM MIB (—); IGMP Snooping MIB (—); RSTP MIB (—); VLAN MIB (—); Device management (—); Interface management (—)

Configuring SNMP Basic Functions

The configuration of SNMP V3 is different from that of SNMP V1 and SNMP V2C; therefore SNMP basic function configurations fo
Table 249 Configure SNMP basic functions for SNMP V1 and SNMP V2C (Continued)
Operation: Set a community name and access authority
  Direct configuration: Set a community name
  Command: snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]
  Indirect configuration: Set an SNMP group
  Command: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
  Add a new
  Command: snmp-age
Table 250 Configure SNMP basic functions (SNMP V3) (Continued)
Operation: Set the size of SNMP packet that the Agent can send/receive
Command: snmp-agent packet max-size byte-count
Description: Optional. By default, it is 1,500 bytes.
Operation: Set the device engine ID
Command: snmp-agent local-engineid engineid
Description: Optional. By default, the device engine ID is "Enterprise Number + device information".

Configuring Trap

Configuration Prerequisites

Configuration Tasks
Setting the Logging Function for Network Management

Table 252 Set the logging function for network management
Operation: Enter system view
Command: system-view
Description: —
Operation: Set the logging function for network management
Command: snmp-agent log { set-operation | get-operation | all }
Description: Optional. By default, the logging function for SNMP is disabled.

You can use the display logbuffer command to display logging information for the get and set operations sent from the NMS.
SNMP Configuration Example

Network diagram

Figure 87 Network diagram for SNMP
[Figure: the NMS at 10.10.10.1 and the switch at 10.10.10.2 connected over an Ethernet network.]

Configuration procedure
1 Set the community name, group name and user.
system-view
[4200G] snmp-agent sys-info version all
[4200G] snmp-agent community write public
[4200G] snmp-agent mib-view include internet 1.3.6.
34 RMON CONFIGURATION

Introduction to RMON

Remote monitoring (RMON) is a kind of management information base (MIB) defined by the Internet Engineering Task Force (IETF) and is one of the most important enhancements made to the MIB II standard. RMON is mainly used to monitor the data traffic across a network segment or even the entire network, and is currently a commonly used network management standard.
286 CHAPTER 34: RMON CONFIGURATION

You can specify a network device to act in one of the following ways in response to an event:
■ Logging the event
■ Sending trap messages to the NMS
■ Logging the event and sending trap messages to the NMS

Alarm group
RMON alarm management enables monitoring of specific alarm variables (such as the statistics of a port). When the value of a monitored variable exceeds the threshold, an alarm event is generated, which triggers the network device to act in the set way.
RMON Configuration

With the RMON statistics management function, you can monitor the usage of a port and keep statistics on the errors that occur while the port is in use.

Configuring RMON

RMON Configuration Prerequisites
Before performing RMON configuration, make sure the SNMP agents are correctly configured. For information about SNMP agent configuration, refer to the “Configuring Basic SNMP Functions” part in the SNMP Configuration Operation Manual.
Displaying and Debugging RMON

After the above configuration, you can execute the display command in any view to display the RMON running status and verify the effect of the configuration.
RMON Configuration Example

2 Display the RMON configuration.
[4200G-GigabitEthernet1/0/1] display rmon statistics GigabitEthernet1/0/1
Statistics entry 1 owned by user1-rmon is VALID.
Interface : GagabitEthernet1/0/1
35 NTP CONFIGURATION

Introduction to NTP

Network time protocol (NTP) is a time synchronization protocol defined by RFC1305. It is used for time synchronization among a set of distributed time servers and clients. NTP is based on the user datagram protocol (UDP). NTP is intended for time synchronization of all devices that have clocks in a network, so that the clocks of all devices stay consistent. This enables the applications that require unified time.
292 CHAPTER 35: NTP CONFIGURATION

Working Principle of NTP

The working principle of NTP is shown in Figure 89. In Figure 89, Ethernet switch A (LS_A) is connected to Ethernet switch B (LS_B) through their Ethernet ports. Both have system clocks of their own, and they need to synchronize their clocks with each other through NTP.
At this time, LS_A has enough information to calculate the following two parameters:
■ The delay for an NTP packet to make a round trip between LS_A and LS_B: delay = (T4 - T1) - (T3 - T2).
■ The time offset of LS_A with regard to LS_B: offset = ((T2 - T1) + (T3 - T4))/2.
LS_A can then set its own clock according to the above information to synchronize its clock to that of LS_B. For detailed information, refer to RFC1305.
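The two formulas above, worked through in Python as an added example that is not part of the 3Com guide: it computes delay and offset from the four timestamps T1..T4 of constructed millisecond samples, and goes one step beyond the text by discarding exchanges whose timestamps cannot come from a real round trip and by preferring the lowest-delay sample, as the RFC 1305 clock filter does. The sample values, function names and the 100 ms client error are assumptions made for the example.

```python
"""NTP round-trip delay and clock offset from one request/response exchange.

T1: client sends request   (client clock)
T2: server receives request (server clock)
T3: server sends response   (server clock)
T4: client receives response (client clock)
Timestamps below are constructed, in integer milliseconds.
"""

from typing import List, Optional, Tuple

Sample = Tuple[int, int, int, int]  # (T1, T2, T3, T4)


def ntp_delay_offset(t1: int, t2: int, t3: int, t4: int) -> Tuple[int, float]:
    """Return (delay, offset) exactly as the text defines them.

    delay  = (T4 - T1) - (T3 - T2): the client's total round trip minus the
             time the server spent holding the request, i.e. time on the wire.
    offset = ((T2 - T1) + (T3 - T4)) / 2: how far the client's clock is behind
             (positive) or ahead of (negative) the server's, assuming the two
             one-way delays are equal. Asymmetric paths bias this estimate.
    """
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return delay, offset


def is_plausible(t1: int, t2: int, t3: int, t4: int) -> bool:
    """Sanity check before trusting a sample to adjust the clock.

    A real server cannot send its response before receiving the request
    (T3 >= T2), and time on the wire cannot be negative. Samples failing
    either test are corrupted or forged and must be dropped, not averaged in.
    """
    delay, _ = ntp_delay_offset(t1, t2, t3, t4)
    return t3 >= t2 and delay >= 0


def select_offset(samples: List[Sample]) -> Optional[float]:
    """Offset from the plausible exchange with the smallest delay.

    The lowest-delay sample is the one least distorted by queueing, so its
    offset carries the smallest error bound. This is the simplest form of the
    RFC 1305 clock filter; returns None if no sample survives the checks.
    """
    best: Optional[Tuple[int, float]] = None
    for s in samples:
        if not is_plausible(*s):
            continue
        delay, offset = ntp_delay_offset(*s)
        if best is None or delay < best[0]:
            best = (delay, offset)
    return None if best is None else best[1]


# Constructed exchanges (ms). The client clock is 100 ms behind the server.
SAMPLES: List[Sample] = [
    (10000, 10105, 10106, 10011),  # symmetric 5 ms path: offset recovered exactly
    (20000, 20112, 20113, 20017),  # 12 ms out, 4 ms back: offset skewed by +4 ms
    (30000, 30105, 30104, 30011),  # T3 < T2, server "sent before receiving"
]

if __name__ == "__main__":
    for s in SAMPLES:
        d, o = ntp_delay_offset(*s)
        print(f"T1..T4={s} delay={d} ms offset={o:.1f} ms plausible={is_plausible(*s)}")
    print("selected offset (ms):", select_offset(SAMPLES))
```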
Broadcast mode

Figure 92 NTP implementation mode: broadcast mode
[Figure: message exchange between a Server and a Client across the network. Server: broadcasts clock synchronization packets periodically; works as a server automatically and sends response packets. Client: after receiving the first broadcast packet, initiates a client/server mode request; obtains the delay between the client and the server from the response packet, then works as a client in broadcast mode and receives the periodic broadcast clock synchronization packets.]
NTP Implementation Mode Configuration

Table 256 NTP implementation modes on an S4200G series switch (Continued)
NTP implementation mode: Multicast mode
Configuration on S4200G switches:
■ Configure the S4200G switch to operate in NTP multicast server mode. In this case, the S4200G switch sends multicast NTP packets through the VLAN interface configured on it.
■ Configure the S4200G switch to operate in NTP multicast client mode.
Table 257 Configure NTP implementation modes (Continued)
Operation: Configure the switch to operate in NTP broadcast client mode
Command: ntp-service broadcast-client
Description: Optional
Operation: Configure the switch to operate in NTP broadcast server mode
Command: ntp-service broadcast-server [ authentication-keyid key-id | version number ]*
Description: Optional. By default, the number argument is set to 3.
Access Control Permission Configuration

■ The total number of servers and peers configured for a switch can be up to 128.
■ After the configuration, the S4200G series switch does not establish connections with the peer if it operates in NTP server mode, whereas if it operates in any of the other modes, it establishes connections with the peer.
Configuring NTP Authentication

Configuring NTP authentication on the client

Table 259 Configure NTP authentication on the client
Operation: Enter system view
Command: system-view
Description: —
Operation: Enable NTP authentication globally
Command: ntp-service authentication enable
Description: Required. By default, NTP authentication is disabled.
Operation: Configure the NTP authentication key
Description: Required. By default, the NTP authentication key is not configured.
Configuring NTP authentication on the server

Table 260 Configure NTP authentication on the server
Operation: Enter system view
Command: system-view
Description: —
Operation: Enable NTP authentication
Command: ntp-service authentication enable
Description: Required. By default, NTP authentication is disabled.
Operation: Configure NTP authentication key
Command: ntp-service authentication-keyid key-id authentication-model md5 value
Description: Required. By default, the NTP authentication key is not configured.

Configuration of Optional NTP Parameters
Table 261 Configure optional NTP parameters (Continued)
Operation: Disable the interface from receiving NTP packets
Command: ntp-service in-interface disable
Description: Optional. By default, a VLAN interface receives NTP packets.
Operation: Display the session information maintained by the NTP services
Command: display ntp-service sessions [ verbose ]
Description: This command can be executed in any view.
Configuration Example

Network diagram
Figure 94 Network diagram for the NTP server mode configuration

Configuration procedures
The following configurations are for the S4200G 1 switch.
1 Display the NTP status of the S4200G 1 switch before synchronization.
display ntp-service status
clock status: unsynchronized
clock stratum: 16
reference clock ID: none
nominal frequence: 99.8562 Hz
actual frequence: 99.8562 Hz
clock precision: 2^7
clock offset: 0.0000 ms
root delay: 0.
note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured

NTP Peer Mode Configuration

Network requirements
S4200G 2 sets its local clock to be the NTP master clock, with the clock stratum being 2. Configure the S4200G 1 series switch to operate as a client, with S4200G 2 as the time server. S4200G 2 will then operate in server mode automatically. Meanwhile, S4200G 3 sets the S4200G 1 series switch to be its peer.
Display the status of the S4200G switch after the synchronization.
[S4200G] display ntp-service status
Clock status: synchronized
Clock stratum: 2
Reference clock ID: 3.0.1.32
Nominal frequency: 250.0000 Hz
Actual frequency: 249.9992 Hz
Clock precision: 2^19
clock offset: 0.66 ms
Root delay: 27.47 ms
Root dispersion: 208.39 ms
Peer dispersion: 9.63 ms
Reference time: 17:03:32.022 UTC Thu Sep 6 2001 (BF422AE4.
Configuration procedures
1 Configure S4200G 3.
a Enter system view.
system-view
System View: return to User View with Ctrl+Z.
[S4200G]
b Enter VLAN interface 2 view.
[S4200G] interface vlan-interface 2
[S4200G-Vlan-interface2]
c Configure S4200G 3 to be the broadcast server and send broadcast packets through VLAN interface 2.
[S4200G-Vlan-interface2] ntp-service broadcast-server
2 Configure S4200G 1.
a Enter system view.
Root delay: 27.47 ms
Root dispersion: 208.39 ms
Peer dispersion: 9.63 ms
Reference time: 17:03:32.022 UTC Thu Sep 6 2001 (BF422AE4.05AEA86C)
The output indicates that S4200G 1 is synchronized to S4200G 3, with a clock stratum of 3, one stratum higher than S4200G 3.
d Display the information about the NTP sessions of S4200G 1; you can see that a connection is established between S4200G 1 and S4200G 3.
2 Configure S4200G 1.
a Enter system view.
system-view
System View: return to User View with Ctrl+Z.
[S4200G]
b Enter VLAN interface 2 view.
[S4200G] interface vlan-interface 2
c Configure S4200G 4 to be a multicast client.
[S4200G-Vlan-interface2] ntp-service multicast-client
3 Configure S4200G 2.
a Enter system view.
system-view
System View: return to User View with Ctrl+Z.
[S4200G]
b Enter VLAN interface 2 view.
NTP Server Mode with Authentication Configuration

Network requirements
The local clock of S4200G 1 operates as the master NTP clock, with the clock stratum set to 2. An S4200G 2 series switch operates in client mode with S4200G 1 as the time server. S4200G 1 operates in server mode automatically. Meanwhile, NTP authentication is enabled on both sides. This example assumes that S4200G 1 is a switch that supports the local clock being the master NTP clock.
After the above configuration, the S4200G 2 series switch can be synchronized to S4200G 1. You can display the status of S4200G 2 after the synchronization.
[S4200G] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 1.0.1.11
nominal frequence: 250.0000 Hz
actual frequence: 249.9992 Hz
clock precision: 2^19
clock offset: 0.66 ms
root delay: 27.47 ms
root dispersion: 208.39 ms
peer dispersion: 9.63 ms
reference time: 17:03:32.
36 SSH TERMINAL SERVICES

SSH Terminal Services

Introduction to SSH

Secure Shell (SSH) provides information security and strong authentication to prevent attacks such as IP address spoofing and plain-text password interception when users log on to the Switch remotely over an insecure network. A Switch can connect to multiple SSH clients. SSH2.0 and SSH1.x are currently available.
310 CHAPTER 36: SSH TERMINAL SERVICES

Figure 100 Establish SSH channels through WAN
[Figure: a local Ethernet (workstation, laptop, PC, server) attached to the Local Switch acting as SSH client, connected across a WAN to the Remote Switch acting as SSH server, which serves a remote Ethernet (workstation, laptop, PC, server).]

The communication process between the server and client includes these five stages:
1 Version negotiation stage. These operations are completed at this stage:
■ The client sends a TCP connection request to the server.
SSH supports two authentication types: password authentication and RSA authentication.
(1) Password authentication works as follows:
■ The client sends its username and password to the server.
■ The server compares the username and password received with those configured locally. The user is allowed to log on to the Switch if the usernames and passwords match exactly.
(2) RSA authentication works as follows:
■ Configure the RSA public key of the client user at the server.
Configuring supported protocols

Table 264 Configure supported protocols
Operation: Enter system view
Command: system-view
Remarks: -
Operation: Enter one or multiple user interface views
Command: user-interface [ type-keyword ] number [ ending-number ]
Remarks: Required
Operation: Configure the protocols supported in the user interface view(s)
Command: protocol inbound { all | ssh | telnet }
Remarks: Optional. By default, the system supports both Telnet and SSH.
Configuring authentication type

New users must specify an authentication type. Otherwise, they cannot access the switch.
Table 268 Configure client public keys (Continued)
Operation: Return to system view from public key view
Command: peer-public-key end
Operation: Allocate public keys to SSH users
Command: ssh user username assign rsa-key keyname
Remarks: Required. Keyname is the name of an existing public key. If the user already has a public key, the new public key overrides the old one.

SSH Client Configuration

Table 269 describes SSH configuration tasks.
SSH Server Configuration Example

Network requirements
As shown in Figure 101, configure a local connection from the SSH client to the switch. The PC runs SSH2.0-capable client software.

Network diagram
Figure 101 Network diagram for SSH server configuration
[Figure: the Switch (SSH Server) connected directly to a PC (SSH Client).]

Configuration procedure
1 Generate a local RSA key pair.
Configure the login protocol for the client002 user as SSH and the authentication type as RSA public key.
[4200G] ssh user client002 authentication-type rsa
Randomly generate RSA key pairs on the SSH2.0 client and send the corresponding public keys to the server. Configure the client public keys on the server, with their name as S4200G002.
[4200G-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[4200G-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[4200G-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[4200G-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[4200G-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[4200G-rsa-key-code] public-key-code end
[4200G-rsa-public-key] peer-public-key end
[4200G] ssh client 10.165.87.
SFTP Server Configuration
The following sections describe SFTP server configuration tasks:
■ Configuring service type for an SSH user
■ Enabling the SFTP server
■ Setting connection timeout time
Configuring service type for an SSH user
Table 271 Configure service type for an SSH user
Enter system view
    Command: system-view
    Remarks: -
Configure service type for an SSH user
    Command: ssh user username service-type { stelnet | sftp | all }
    Remarks: Optional. By default
SFTP Client Configuration
The following sections describe SFTP client configuration tasks:
Table 274 Configuring SFTP client
1 Enable the SFTP client
    Command: sftp
    View: System view
    Remarks: Required
2 Disable the SFTP client
    Command: bye, exit or quit
    View: SFTP client view
    Remarks: Optional
3 SFTP directory-related operations
    View: SFTP client view
    Remarks: Optional
4 SFTP file-related operations
    View: SFTP client view
    Remarks: Optional
Change the current directory
Disabling the SFTP client
Table 276 Disable the SFTP client
Enter system view
    Command: system-view
    Remarks: -
Enter SFTP client view
    Command: sftp { host-ip | host-name }
    Remarks: -
Disable the SFTP client
    Command: bye
    Remarks: The three commands have the same function.
Displaying help information
You can display help information about a command, such as its syntax and parameters.
b Display the current directory on the SFTP server, delete file z and verify the operation.
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23
-rwxrwxrwx 1 noone nogroup 225 Aug 24
-rwxrwxrwx 1 noone nogroup 283 Aug 24
drwxrwxrwx 1 noone nogroup 0 Sep 01
-rwxrwxrwx 1 noone nogroup 225 Sep 01
-rwxrwxrwx 1 noone nogroup 0 Sep 01
sftp-client> delete z
The following File will be deleted:
flash:/z
Are you sure to delete it?(Y/N):y
This operation may take a long time.
-rwxrwxrwx 1 noone
-rwxrwxrwx 1 noone
sftp-client>
g Exit from SFTP.
37 FILE SYSTEM MANAGEMENT
File Attribute Configuration
Introduction to File Attributes
An app file, a configuration file, or a Web file can have one of these three attributes: main, backup and none, as described in Table 280.
Table 280 Descriptions on file attributes
main
    Description: The main attribute identifies main startup files. The main startup file is used first when a switch starts up.
Perform the following configuration in user view.
According to the operation objects, the operations on the file system fall into the following categories:
■ Directory operation
■ File operation
■ Storage device operation
■ Prompt mode configuration
File path and file name can be represented in one of the following ways:
■ In URL (universal resource locator) format, starting with unit[ No.]>flash:/ ([ No.] represents the unit ID of a switch). This method is used to specify a file on a specified unit.
■ Managing a configuration file
■ Renaming a file
■ Copying a file
■ Moving a file
■ Displaying the content of a file
■ Displaying the information about a file
■ Checking file system
Table 283 describes the file-related operations. Perform the following configuration in user view.
As for the save command listed in Table 283, the safely keyword determines the way the current configuration is saved, as described in the following.
■ If you execute this command without the safely keyword, the system saves the current configuration in fast mode. In this mode, the configuration is lost if the switch restarts or is powered off while the save operation is in progress.
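The difference between the two modes is easiest to see in code. The following Python model is an added example, not code from the 3Com manual or the switch: save_fast overwrites the configuration file in place, while save_safely writes to a temporary file, flushes it to stable storage and renames it over the old file, which is one common way of obtaining the property the manual attributes to the safely keyword. The fail_after argument is a constructed fault that simulates a power loss after that many bytes have been written; the configuration contents and file name are constructed.

```python
import os
import tempfile


class PowerLoss(Exception):
    """Constructed fault: the switch loses power in the middle of a write."""


def _write_with_fault(f, data: bytes, fail_after):
    """Write data, but if fail_after is set, stop after that many bytes
    and raise PowerLoss (the bytes written so far have reached the file)."""
    if fail_after is not None and fail_after < len(data):
        f.write(data[:fail_after])
        f.flush()
        raise PowerLoss()
    f.write(data)


def save_fast(path: str, data: bytes, fail_after=None) -> None:
    """Fast mode (no 'safely' keyword): the file is truncated and rewritten
    in place, so a crash mid-write leaves an empty or partial file."""
    with open(path, "wb") as f:          # 'wb' truncates before writing
        _write_with_fault(f, data, fail_after)


def save_safely(path: str, data: bytes, fail_after=None) -> None:
    """Safe mode: write a temporary file in the same directory, fsync it,
    then atomically rename it over the old file.  At every instant either
    the complete old file or the complete new file is in place."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".cfg-", suffix=".tmp")
    try:
        with os.fdopen(fd, "wb") as f:
            _write_with_fault(f, data, fail_after)
            f.flush()
            os.fsync(f.fileno())         # data is on stable storage before rename
        os.replace(tmp, path)            # atomic on POSIX and Windows
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)               # leave no half-written temp file behind
        raise


def demo(safely: bool, fail_after=None) -> bytes:
    """Store an old configuration, try to save a new one (optionally with a
    simulated power loss) and return what a reboot would find in the file."""
    old = b"sysname 4200G\n"                 # constructed configuration text
    new = b"sysname 4200G\nsnmp-agent\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "3comoscfg.cfg")   # constructed file name
        with open(path, "wb") as f:
            f.write(old)
        saver = save_safely if safely else save_fast
        try:
            saver(path, new, fail_after)
        except PowerLoss:
            pass                              # the switch just rebooted
        with open(path, "rb") as f:
            return f.read()


if __name__ == "__main__":
    print("fast, interrupted :", demo(False, fail_after=5))
    print("safe, interrupted :", demo(True, fail_after=5))
```

Running the block shows that the interrupted fast save leaves a 5-byte fragment behind, while the interrupted safe save still has the complete old configuration, which is exactly the difference the manual describes.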
7     -rw-   296368  Apr 02 2000 00:34:16  s3u01_00.btm
8     -rw-   951305  Apr 02 2000 00:34:25  s3v01_00.web
9     -rw-     8451  Apr 01 2000 23:56:53  3comoscfgdef.old
10    -rw-     3114  Apr 02 2000 23:21:44  l3config.old
11(*) -rw-     3628  Apr 09 2000 00:11:00  updt.cfg
12    -rwh      716  Apr 05 2000 21:33:33  hostkey
13    -rwh      572  Apr 05 2000 21:33:42  serverkey
14    -rw-     1735  Apr 02 2000 00:43:04  [l3.
Display the file information after the copy operation.
<4200G>dir flash:/test
Directory of unit1>flash:/
1 drw- - Apr 16 2000 01:22:48 test
15367 KB total (623 KB free)
(*) -with main attribute (b) -with backup attribute (*b) -with both main and backup attribute
<4200G>
Testing Tools for Network Connection
ping
This section contains the tools necessary to test network connections.
You can configure up to 50 IP addresses by using the command repeatedly.
tracert
The tracert command is used to trace the gateways that packets pass through from the source host to the destination host. It is mainly used to check whether the network is connected and to analyze where a fault occurs in the network.
38 FTP AND TFTP CONFIGURATION
FTP Configuration
Introduction to FTP
FTP (File Transfer Protocol) is commonly used in IP-based networks to transmit files. Before the World Wide Web came into being, files were transferred through command lines, and the most popular application was FTP. At present, although e-mail and the Web are the usual methods for file transmission, FTP still has its strongholds. As an application layer protocol, FTP is used for file transfer between a remote server and a local host.
Table 289 describes the operations needed when a switch operates as an FTP server.
Table 289 Configurations needed when a switch operates as an FTP server
Switch
    Configuration: Enable the FTP server function. You can run the display ftp-server command to view the FTP server configuration on the switch.
    Default: The FTP function is disabled by default.
FTP services are implemented in this way: An FTP client sends FTP requests to the FTP server. The FTP server receives the requests, performs operations accordingly, and returns the results to the FTP client. To prevent unauthorized access, an FTP server disconnects an FTP connection when it does not receive requests from the FTP client for a specific period of time known as the connection idle time.
Table 292 FTP client operations (Continued)
Query the specified files
    Command: dir [ filename ] [ localfile ]
    Description: Optional
Query a specified remote file
    Command: ls [ remotefile ] [ localfile ]
    Description: Optional
Download a remote file
    Command: get remotefile [ localfile ]
    Description: Optional
Upload a local file to the remote FTP server
    Command: put localfile [ remotefile ]
    Description: Optional
Rename a file on a remote host.
Configuration Example: A Switch Operating as an FTP Client
Network diagram
Figure 106 Network diagram for FTP configuration (A) (the switch and the PC connected through the network)
Configuration procedure
1 Perform FTP server-related configurations on the PC, that is, create a user account on the FTP server with the user name switch and the password hello, and assign the user account permission to access the directory named Switch. (These operations are omitted here.)
2 Configure the switch. Log into the switch.
6 Specify the downloaded file (the file named switch.bin) to be the startup file used when the switch starts the next time and restart the switch. Thus the switch application is upgraded.
boot boot-loader switch.bin
reboot
Configuration Example: A Switch Operating as an FTP Server
Network requirements
A switch and a PC operate as an FTP server and an FTP client.
3 After uploading the application, you can update the application on the switch. Specify the downloaded file (the file named switch.bin) to be the startup file used when the switch starts the next time and restart the switch. Thus the switch application is upgraded.
boot boot-loader switch.
Table 293 describes the operations needed when a switch operates as a TFTP client.
Table 293 Configurations needed when a switch operates as a TFTP client
Switch
    Configuration: Configure an IP address for the VLAN interface of the switch so that it is reachable from the TFTP server.
TFTP applies to networks where client-server interactions are comparatively simple. It requires that the routes between TFTP clients and TFTP servers are reachable.
Network diagram
Figure 109 Network diagram for TFTP configuration (the switch and the PC connected through the network)
Configuration procedure
1 Start the TFTP server and configure the work directory on the PC.
2 Configure the switch.
a Log into the switch. (You can log into a switch through the Console port or by Telneting to the switch. See Chapter 2 for detailed information.
39 INFORMATION CENTER
Information Center Overview
Information center is an indispensable part of Ethernet switches and exists as an information hub of system software modules. The information center manages most information outputs; it sorts information carefully, and hence can screen information in an efficient way. Combined with the debug program, it provides powerful support for network administrators and developers in network operation monitoring and fault diagnosis.
4 Module name
It indicates the modules that generate the information. Table 295 gives some examples of the modules.
Table 295 Examples of some module names
8021X
    Module and description: 802.
Information Center Configuration
The switch supports information output to six directions. Each output direction is assigned an information channel, as shown in Table 297.
Enabling Information Output to a Log Host
Table 299 lists the related configurations on the switch.
Table 299 Enable information output to a log host
Enter system view
    Command: system-view
    Description: -
Enable the information center
    Command: info-center enable
    Description: Optional. By default, the information center is enabled.
Define an information source
Enabling Information Output to a Monitor Terminal
Table 301 Enable debug/log/trap terminal display
Enable debug terminal display
    Command: terminal debugging
    Description: Optional. By default, debug terminal display is disabled for terminal users.
Enable log terminal display
    Command: terminal logging
    Description: Optional. By default, log terminal display is enabled for console users.
Perform the following configuration in user view.
Table 303 Enable debug/log/trap terminal display
Enable the debug/log/trap terminal display function
    Command: terminal monitor
    Description: Optional. By default, this function is enabled for console users.
Enable debugging terminal display
    Command: terminal debugging
    Description: Optional. By default, debugging terminal display is disabled for terminal users.
Enabling Information Output to the Log Buffer
Table 305 Enable information output to the trap buffer
Enable information output to the trap buffer
    Command: info-center trapbuffer [ channel { channel-number | channel-name } ] [ size buffersize ]
    Description: Optional. By default, the switch outputs information to the trap buffer, which holds up to 256 items by default.
Displaying and Debugging Information Center
After performing the above configurations, you can execute the display command in any view to display the running status of the information center, and thus validate your configurations. You can also execute the reset command to clear statistics on the information center. Make sure to execute the reset commands in user view.
Information Center Configuration Example
terminal logging
40 BOOTROM AND HOST SOFTWARE LOADING
Traditionally, the loading of switch software is accomplished through a serial port. This approach is slow, inconvenient, and cannot be used for remote loading. To resolve these problems, the TFTP and FTP modules are introduced into the switch. With these modules, you can load/download software/files conveniently to the switch through an Ethernet port. This chapter introduces how to load BootROM and host software to a switch locally and how to do this remotely.
CPU type          : BCM4704
CPU Clock Speed   : 200MHz
BUS Clock Speed   : 33MHz
Memory Size       : 64MB
Mac Address       : 00e0fc005104
Press Ctrl-B to enter Boot Menu…
5 Press <Ctrl-B>. The system displays:
Password :
To enter the Boot Menu, you should press <Ctrl-B> within five seconds after the information “Press Ctrl-B to enter Boot Menu…” appears.
Loading BootROM software
Follow these steps to load the BootROM software:
1 At the prompt "Enter your choice(0-9):" in the Boot Menu, press <6> or , and then press to enter the BootROM update menu shown below:
Bootrom update menu:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
2 Enter 3 in the above menu to download the BootROM software using XMODEM.
Figure 111 Properties dialog box
Figure 112 Console port configuration dialog box
5 Click the Disconnect button to disconnect the HyperTerminal from the switch and then click the Connect button to reconnect the HyperTerminal to the switch.
Figure 113 Connect and disconnect buttons
The new baud rate takes effect only after you disconnect and reconnect the terminal emulation program.
6 Press to start downloading the program. The system displays the following information:
Now please start transfer file with XMODEM protocol.
If you want to exit, Press .
Figure 115 Sending file page
After the download completes, the system displays the following information:
Loading …CCCCCCCCCC done!
You need not reset the HyperTerminal’s baud rate and can skip the last step if you have chosen 9600 bps. In this case, the system displays the prompt “BootROM is updating now……………………………….done!” instead of the prompt “Your baudrate should be set to 9600 bps again! Press enter key when ready”.
Loading Software Using TFTP Through Ethernet Port
Introduction to TFTP
TFTP, a protocol in the TCP/IP protocol suite, is used for trivial file transfer between client and server. It runs over UDP and therefore provides an unreliable data transfer service.
Loading BootROM software
Loading host software
Follow these steps to load the host software.
1 Select <1> in Boot Menu. The system displays the following information:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):3
2 Enter 1 in the above menu to download the host software using TFTP.
4 Enter 2 in the above menu to download the BootROM software using FTP. Then set the following FTP-related parameters as required:
Load File name    :S4200G.btm
Switch IP address :10.1.1.2
Server IP address :10.1.1.1
FTP User Name     :4200G
FTP User Password :abc
5 Press . The system displays the following information:
Are you sure to update your bootrom?Yes or No(Y/N)
6 Enter Y to start file downloading or N to return to the Bootrom update menu.
Figure 118 Remote loading using FTP (diagram: a PC acting as FTP server at 10.1.1.1 reaches the switch's Ethernet port across the Internet; the switch acts as FTP client)
1 Download the software to the switch using FTP commands.
ftp 10.1.1.1
Trying …
Press CTRL+K to abort
Connected.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(none):abc
331 Give me your password, please
Password:
230 Logged in successfully
[ ftp] get S4200G.bin
[ ftp] get S4200G.
After the above operations, the BootROM and host software loading is completed. Pay attention to the following:
■ The loading of host software takes effect only after you restart the switch with the reboot command.
■ If the space of the Flash memory is not enough, you can delete the useless files in the Flash memory before software downloading.
■ No power-down is permitted during software loading.
Remote Loading Using TFTP
41 BASIC SYSTEM CONFIGURATION AND DEBUGGING
Basic System Configuration
The following sections describe the basic system configuration and management tasks:
■ Setting the System Name of the Switch
■ Setting the Date and Time of the System
■ Setting the Local Time Zone
■ Setting the Summer Time
■ Setting the CLI Language Mode
■ Returning from Current View to Lower Level View
■ Returning from Current View to User View
■ Entering System View from User View
Setting the System Name of the Switch
Perform the following configuration in user view.
Table 310 Set the local time zone
Set the local time zone
    Command: clock timezone zone-name { add | minus } HH:MM:SS
    Description: Optional. By default, it is the UTC time zone.
Setting the Summer Time
This configuration task sets the name, time range (start time and end time), and time offset of the summer time. It saves you from manually adjusting the system time.
Entering System View from User View
Perform the following configuration in user view.
Table 315 Enter system view from user view
Enter system view from user view
    Command: system-view
    Description: -
Displaying the System Status
You can use the following display commands to check the status and configuration information about the system. For information about protocols and ports, and the associated display commands, refer to relevant sections.
The relation between the two switches is as follows:
Figure 119 Debugging information output (diagram: the protocol debugging switches and the terminal display switches, each ON or OFF, together determine whether debugging information is output)
You can use the following commands to operate the two kinds of switches. Perform the following operations in user view.
Displaying Operating Information about Modules in System
When your Ethernet switch is in trouble, you may need to view a lot of operating information to locate the problem. Each functional module has its own operating information display command(s). You can use the command here to display the current operating information about the modules (fixed when this command was designed) in the system for troubleshooting your system. Perform the following operation in any view.
42 IP PERFORMANCE CONFIGURATION
IP Performance Configuration
Introduction to TCP Attributes
You can configure the following TCP attributes of the Ethernet switch:
■ synwait timer: When a SYN packet is sent, TCP starts the synwait timer. If no response packet is received before the synwait timer times out, the TCP connection is terminated. The timeout time of this timer ranges from 2 seconds to 600 seconds and defaults to 75 seconds.
Configuring TCP Attributes
Displaying and Debugging IP Performance
You can execute the reset commands in user view to clear the IP, TCP and UDP traffic statistics. You can also execute the debugging commands to enable different IP performance debugging.
43 NETWORK CONNECTIVITY TEST
Network Connectivity Test
ping
You can use the ping command to check the network connectivity and the reachability of a host.
44 DEVICE MANAGEMENT
Introduction to Device Management
The device management function of the Ethernet switch can report the current status and event-debugging information of the boards to you. Through this function, you can maintain and manage your physical device, and restart the system when some functions of the system are abnormal.
Specifying the APP to be Adopted at Reboot
APP is the host software of the switch. If multiple APPs exist in the Flash memory, you can use the command here to specify the one that will be adopted when the switch reboots.
Perform the following configuration on the FTP server.
■ Configure an FTP user, whose name and password are switch and hello respectively. Authorize the user with the read-write right on the Switch directory on the PC.
■ Make appropriate configuration so that the IP address of a VLAN interface on the switch is 1.1.1.1, the IP address of the PC is 2.2.2.2, and the switch and the PC are reachable from each other. The PC stores the host software switch.
d Enter the authorized path on the FTP server.
[ ftp] cd switch
e Execute the get command to download the switch.bin and boot.btm files on the FTP server to the Flash memory of the switch.
[ ftp] get switch.bin
[ ftp] get boot.btm
f Execute the quit command to terminate the FTP connection and return to user view.
[ ftp] quit
g Update the BootROM.
boot bootrom boot.btm
This will update BootRom file on unit 1.
45 CONFIGURATION OF NEWLY ADDED CLUSTER FUNCTIONS
Introduction to the Newly Added Cluster Functions
The newly added cluster functions aim to improve switch performance. They extend switch functionality. With the cluster function employed, you can manage and maintain all the member switches in a cluster through the master switch. (A cluster can contain up to 16 switches.
Configuration of the Newly Added Cluster Functions
Configuring the TFTP Server and SNMP Host for a Cluster
You can perform the operations listed in Table 329 on the master device of a cluster to configure the TFTP Server and SNMP host for the cluster. A TFTP server is required if you want to perform upgrade or backup operations on multiple cluster devices simultaneously through Web.
Notes
Perform the operations listed in Table 330 in cluster view on the master device. The configuration can only be synchronized to the member devices in the white list. The configuration remains valid on a member device even if it quits the cluster or is removed from the white list.
Configuration example
Synchronize the following SNMP configuration to all the member devices in a cluster for logging into the cluster through an SNMP host.
# Display the current topology.
[chwn_0.
Finish to synchronize the command.
# Configure the group name to be ggg.
[chwn_0.S4200G-cluster] cluster-snmp-agent group v3 ggg
Member 2 succeeded in the group configuration.
Member 1 succeeded in the group configuration.
Finish to synchronize the command.
# Configure the MIB view name to be mmm, with org sub-tree contained in the MIB view.
[chwn_0.
#
radius scheme system
#
domain system
#
vlan 1
#
snmp-agent
snmp-agent local-engineid 800007DB000FE224055F6877
snmp-agent community read aaa@cm2
snmp-agent community write bbb@cm2
snmp-agent sys-info version all
snmp-agent group v3 ggg
snmp-agent target-host trap address udp-domain 168.192.0.
Table 331 Configure member management (Continued)
Reboot the specified member device
    Command: reboot member { member-number | mac-address mac-address } [ eraseflash ]
    Description: Optional
Locate a device with the MAC address or the IP address
    Command: tracemac { by-mac mac-address vlan vlan-id | by-ip ip-address } [ nondp ]
    Description: Optional. You can execute this command according to the MAC table saved by the device.
Table 332 Configure topology management (Continued)
Release a device from the blacklist
    Command: black-list delete-mac { all | mac-address }
    Description: Optional
Confirm the current topology information of the cluster and save that as a standard topology
    Command: topology accept { all [ save-to { administrator | local-flash } ] | mac-address mac-address | member-id member-number }
    Description: Optional
Save the
Configuring Cluster Interoperation
Synchronizing User Name and Password
User name and password synchronization for Web users simplifies user configuration. With this function employed, the configuration performed on the master device is synchronized to all the member devices in the cluster. These configurations are mainly used for Web users to log into a cluster.
Configuration prerequisites
■ NDP and NTDP configurations are performed on the related cluster devices.
#
user-interface aux 0
user-interface vty 0 4
#
return
Configuring Topology Authentication
You can save a reference topology file that serves as the basis of the current network topology. It can be used to locate problems in subsequent network topologies. After you confirm the structure of the current network through the CLI according to the actual cluster deployment, the master device generates a reference topology file named topology.top.
Configuration procedure
Table 335 Configure enhanced cluster functions
Enter system view
    Command: system-view
    Description: -
Enter cluster view
    Command: cluster
    Description: -
Configure an FTP Server for the cluster
    Command: ftp-server ip-address
    Description: Required
Confirm the current topology of the cluster and save it as a reference topology file
    Command: topology accept { all [ save-to local-flash ] | mac-address mac-address | member-id member-id }
    Description: Optional
Displaying and Debugging a Cluster
Configuration Example for Newly Added Cluster Functions
Network requirements
In a cluster formed by Switch A, Switch B, Switch C, and Switch D, Switch A is the master switch. NDP and NTDP configurations are performed on the related devices. The cluster is enabled and you can manage member devices on the master device.
■ The IP address of the TFTP Server configured for the cluster is 10.1.1.15.
Network diagram
Configuration procedure
Perform the following configurations on the master device (Switch A).
# Configure a TFTP server and SNMP host for the cluster.
[S4200G] cluster
[S4200G-cluster] tftp-server 10.1.1.15
[S4200G-cluster] snmp-host 10.1.1.16
[S4200G-cluster] topology accept all save-to local-flash
# Remove the member device numbered 3 from the cluster and add it to the black list.
46 DHCP RELAY CONFIGURATION
Introduction to DHCP Relay
Usage of DHCP Relay
Early DHCP implementations assume that DHCP clients and DHCP servers are on the same network segment, that is, you need to deploy at least one DHCP server for each network segment, which is far from economical. DHCP Relay is designed to address this problem.
Note that such an interacting process may be repeated several times for a DHCP client to be successfully configured. In effect, a DHCP relay enables DHCP clients and DHCP servers on different networks to communicate with each other by transparently forwarding the DHCP broadcast packets between them.
Option 82 supporting
Introduction to option 82 supporting
Option 82 is the relay agent information option in DHCP packets.
3 If the packet contains option 82, the DHCP relay processes the packet depending on the configured policy (that is, discards the packet, replaces the original option 82 in the packet with its own, or leaves the original option 82 unchanged in the packet), and forwards the packet (if not discarded) to the DHCP server.
4 If the packet does not contain option 82, the DHCP relay adds option 82 to the packet and forwards the packet to the DHCP server.
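The following Python example is added here and is not code from the manual or the switch; it models steps 3 and 4 on the options field of a client-to-server packet. It parses the DHCP options (type-length-value entries after the magic cookie), applies one of the three option-82 policies (drop, replace, keep) when the option is already present, and appends the relay's own option 82 when it is absent. The sub-option layout (1 = circuit ID, 2 = remote ID) follows RFC 3046; the policy names, the circuit and remote ID values and the sample packets are constructed.

```python
DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the options field
OPT_PAD = 0
OPT_RELAY_AGENT = 82               # relay agent information option
OPT_END = 255


def parse_options(field: bytes):
    """Parse a DHCP options field into an ordered list of (code, value).
    PAD bytes are skipped; parsing stops at END; truncation is an error."""
    if not field.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    i, opts = len(DHCP_MAGIC), []
    while i < len(field):
        code = field[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.append((code, value))
        i += 2 + length
    return opts


def build_options(opts) -> bytes:
    """Serialise (code, value) pairs back into an options field."""
    out = bytearray(DHCP_MAGIC)
    for code, value in opts:
        if len(value) > 255:
            raise ValueError("option value too long")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def make_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Relay agent information payload: sub-option 1 (circuit ID) and 2 (remote ID)."""
    return (bytes([1, len(circuit_id)]) + circuit_id
            + bytes([2, len(remote_id)]) + remote_id)


def relay_client_packet(options: bytes, policy: str, own_opt82: bytes):
    """Return the options field to forward to the DHCP server, or None when
    the relay discards the packet.  policy applies only when option 82 is
    already present: 'drop', 'replace' (with own_opt82) or 'keep'."""
    opts = parse_options(options)
    if not any(code == OPT_RELAY_AGENT for code, _ in opts):
        # Step 4: no option 82 yet, add ours and forward
        return build_options(opts + [(OPT_RELAY_AGENT, own_opt82)])
    # Step 3: option 82 present, behaviour depends on the configured policy
    if policy == "drop":
        return None
    if policy == "keep":
        return build_options(opts)
    if policy == "replace":
        return build_options([(c, own_opt82 if c == OPT_RELAY_AGENT else v)
                              for c, v in opts])
    raise ValueError("unknown policy: %r" % policy)


if __name__ == "__main__":
    # Constructed sample: our relay identifies the client port, then a
    # DHCPDISCOVER (option 53 = 1) arrives without and with a foreign option 82.
    ours = make_option82(b"vlan1/port3", b"relay-4200G")
    plain = build_options([(53, b"\x01")])
    foreign = build_options([(53, b"\x01"), (82, make_option82(b"other", b"x"))])
    print(parse_options(relay_client_packet(plain, "drop", ours)))
    for p in ("drop", "keep", "replace"):
        out = relay_client_packet(foreign, p, ours)
        print(p, None if out is None else parse_options(out))
```

The drop policy is the one that matters when the relay's own identification of the client port is what downstream access control relies on: a packet that arrives already carrying an option 82 did not come straight from a client on this relay's port, so it is discarded rather than forwarded with an identity the relay did not set.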
You can configure an interface to forward DHCP packets received from DHCP clients to a group of external DHCP server(s), so that the DHCP server(s) in this group can assign IP addresses to the DHCP clients under this interface.
Configuring the dynamic user address entry updating function
When a DHCP client obtains an IP address from a DHCP server with the help of a DHCP relay, the DHCP relay creates an entry (dynamic entry) in the user address table to track the binding information about the IP address and MAC address of the DHCP client.
Option 82 Supporting Configuration Example
Network requirements
Two DHCP clients are on the network segment 10.110.0.0 (255.255.0.0). They obtain IP addresses from a DHCP server through a switch acting as DHCP relay. Option 82 supporting is enabled on the DHCP relay.
Network diagram
Figure 124 Network diagram for option 82 supporting (diagram: two DHCP clients on the Ethernet segment 10.110.0.0 behind the relay's interface 10.110.1.1; the DHCP server 202.38.1.2 reached across the Internet through 202.38.1.
DHCP Relay Displaying
You can verify your DHCP relay-related configuration by executing the following display commands in any view.
You need to perform corresponding configurations on the DHCP server to enable the DHCP clients to obtain IP addresses from the DHCP server. The DHCP server configurations differ depending on the DHCP server device and are thus omitted.
Troubleshooting DHCP Relay
Symptom
A client fails to obtain configuration information through a DHCP relay.
Analysis
This problem may be caused by improper DHCP relay configuration.
47 STATIC ROUTE CONFIGURATION
Introduction to Static Route
Attributes and Functions of Static Route
A static route is a special route. You can set up an interconnecting network with static route configuration. The problem with such a configuration is that when a fault occurs in the network, the static route cannot change automatically to steer away from the node causing the fault without the help of an administrator.
Static Route Configuration
Static Route Configuration includes:
■ Configuring a static route
■ Configuring a default route
■ Deleting all the static routes
Configuring a static route
Perform the following configurations in system view.
Configuring a default route
Perform the following configurations in system view.
Table 345 Configuring a default route
Configure a default route
    Command: ip route-static 0.0.0.0 { 0.0.0.0 | 0 } { interface-type interface-number | next-hop } [ preference value ] [ reject | blackhole ]
Delete a default route
    Command: undo ip route-static 0.0.0.0 { 0.0.0.
Networking diagram
Figure 126 Networking diagram of the static route configuration example (diagram: Host A 1.1.5.2/24 on the 1.1.5.1/24 segment of Switch C; Switch C also has 1.1.2.2/24 and 1.1.3.1/24; Switch A has 1.1.2.1/24 and 1.1.1.1/24 with Host C 1.1.1.2/24; Switch B has 1.1.3.2/24 and 1.1.4.1/24 with Host B 1.1.4.2/24)
Configuration procedure
1 Configure the static route for Ethernet Switch A
[ Switch A] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2
[ Switch A] ip route-static 1.1.4.0 255.255.255.0 1.1.2.
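To see how the entries from Table 345 and this procedure are used when a packet is forwarded, here is an added Python model (not code from the manual or the switch) of the route table Switch A ends up with: longest-prefix match first, then the lower preference value among equal-length prefixes, with the reject and blackhole attributes carried through to the result. The second route's next hop is cut off on the page; the model assumes 1.1.2.2 (Switch C) from the network diagram. Switch A's directly connected segments are added with a constructed "direct" attribute, and the default preference of 60 is an assumption.

```python
import ipaddress


class StaticRouteTable:
    """Model of 'ip route-static' entries: destination/mask, next hop,
    preference (lower wins among equal prefix lengths) and an optional
    reject/blackhole attribute."""

    def __init__(self):
        self.routes = []   # (network, next_hop, preference, attr)

    def add(self, dest, mask, next_hop=None, preference=60, attr=None):
        # mask may be dotted ('255.255.255.0') or a prefix length (24 or '0')
        net = ipaddress.ip_network("%s/%s" % (dest, mask), strict=False)
        self.routes.append((net, next_hop, preference, attr))

    def add_default(self, next_hop, preference=60, attr=None):
        """'ip route-static 0.0.0.0 0.0.0.0 <next-hop>'"""
        self.add("0.0.0.0", "0.0.0.0", next_hop, preference, attr)

    def delete(self, dest, mask):
        """'undo ip route-static <dest> <mask>'"""
        net = ipaddress.ip_network("%s/%s" % (dest, mask), strict=False)
        self.routes = [r for r in self.routes if r[0] != net]

    def lookup(self, dst):
        """Return (next_hop, attr) for the best matching route, or None.
        Longest prefix wins; among equal prefixes the lowest preference."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh, pref, attr in self.routes:
            if addr in net:
                key = (net.prefixlen, -pref)
                if best is None or key > best[0]:
                    best = (key, nh, attr)
        return None if best is None else (best[1], best[2])


def switch_a_table() -> StaticRouteTable:
    """Switch A of Figure 126: two connected segments (constructed 'direct'
    entries) and the two static routes of step 1."""
    t = StaticRouteTable()
    t.add("1.1.1.0", "255.255.255.0", None, preference=0, attr="direct")
    t.add("1.1.2.0", "255.255.255.0", None, preference=0, attr="direct")
    t.add("1.1.3.0", "255.255.255.0", "1.1.2.2")
    t.add("1.1.4.0", "255.255.255.0", "1.1.2.2")   # next hop assumed from the diagram
    return t


if __name__ == "__main__":
    t = switch_a_table()
    for host in ("1.1.1.2", "1.1.3.2", "1.1.4.2", "1.1.5.2"):
        print(host, "->", t.lookup(host))
    # Only the default route makes Host A (1.1.5.2) reachable from Switch A.
    t.add_default("1.1.2.2")
    print("1.1.5.2 ->", t.lookup("1.1.5.2"))
```

The lookup for 1.1.5.2 before the default route is added returns None: the page's two static routes cover 1.1.3.0/24 and 1.1.4.0/24 only, so a default route or a third static route via 1.1.2.2 is needed for Host A's segment.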
48 UDP HELPER CONFIGURATION
Overview of UDP Helper
The major function of UDP Helper is to relay-forward UDP broadcast packets, that is, it converts UDP broadcast packets into unicast packets and sends them to the designated server, acting as a relay. When UDP Helper is started, the switch decides whether to forward a UDP broadcast packet received on a port based on the UDP port number. If so, the switch modifies the destination IP address in the IP packet header and sends the packet to the designated destination server.
Perform the following configuration in system view.
Table 350 Configuring a UDP port with relay function
Configure a UDP port with relay function
    Command: udp-helper port { port | dns | netbios-ds | netbios-ns | tacacs | tftp | time }
Remove the configuration
    Command: undo udp-helper port { port | dns | netbios-ds | netbios-ns | tacacs | tftp | time }
You must first enable the UDP Helper function and then configure the UDP port with relay function.
UDP Helper Configuration Example
Networking requirement
The IP address of VLAN interface 2 on the switch is 10.110.1.1, which is connected with network segment 10.110.0.0. Set the switch to relay-forward the broadcast packets with destination IP of all 1s and destination UDP port 55 in the network segment 10.110.0.0 to the destination server 202.38.1.2.
Networking diagram
Figure 127 Networking for UDP Helper configuration (diagram: the server 202.38.1.2; the switch's VLAN interface 10.110.1.1 on the Ethernet segment 10.110.0.0, reaching the server through 202.38.1.
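An added Python model (not the switch's code or the manual's) of the forwarding decision this chapter describes, using the addresses of the example above: it parses a constructed IPv4/UDP datagram, checks for the all-ones destination address and a configured UDP port, and emits one unicast copy per configured server with only the destination address and the IP header checksum rewritten, leaving the UDP header and payload untouched. The port keywords of the udp-helper port command are mapped to the standard well-known port numbers; the class and method names and the client source address are constructed.

```python
import socket
import struct

# Keywords accepted by 'udp-helper port' mapped to their well-known UDP ports
NAMED_PORTS = {"dns": 53, "netbios-ds": 138, "netbios-ns": 137,
               "tacacs": 49, "tftp": 69, "time": 37}
PROTO_UDP = 17
IP_HDR = "!BBHHHBBH4s4s"     # IPv4 header without options (20 bytes)


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header; 0 when the header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src, dst, sport, dport, payload, ttl=64) -> bytes:
    """Constructed test datagram: IPv4 (no options) + UDP, UDP checksum 0."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + udp_len, 0, 0, ttl, PROTO_UDP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + udp


def parse_ipv4_udp(packet: bytes):
    """Return (src, dst, sport, dport, payload), or None if not IPv4/UDP."""
    if len(packet) < 28:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IP_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != PROTO_UDP or len(packet) < ihl + 8:
        return None
    sport, dport, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    return (socket.inet_ntoa(src), socket.inet_ntoa(dst),
            sport, dport, packet[ihl + 8:ihl + udp_len])


class UdpHelper:
    """State of the UDP Helper feature on one switch (constructed model)."""

    def __init__(self):
        self.enabled = False      # 'udp-helper enable'
        self.ports = set()        # 'udp-helper port ...'
        self.servers = []         # designated destination servers

    def enable(self):
        self.enabled = True

    def add_port(self, port):
        """Accepts a number or one of the command's keywords."""
        if isinstance(port, str):
            port = NAMED_PORTS[port] if port in NAMED_PORTS else int(port)
        self.ports.add(port)

    def add_server(self, ip):
        self.servers.append(ip)

    def forward(self, packet: bytes):
        """Unicast copies to send for a received broadcast; [] if not relayed."""
        if not self.enabled:
            return []
        parsed = parse_ipv4_udp(packet)
        if parsed is None:
            return []
        _, dst, _, dport, _ = parsed
        if dst != "255.255.255.255" or dport not in self.ports:
            return []
        ihl = (packet[0] & 0x0F) * 4
        out = []
        for server in self.servers:
            hdr = bytearray(packet[:ihl])
            hdr[16:20] = socket.inet_aton(server)      # rewrite destination only
            hdr[10:12] = b"\x00\x00"
            hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
            out.append(bytes(hdr) + packet[ihl:])      # UDP header/payload unchanged
        return out


if __name__ == "__main__":
    h = UdpHelper()
    h.enable()
    h.add_port(55)
    h.add_server("202.38.1.2")
    pkt = build_ipv4_udp("10.110.1.20", "255.255.255.255", 4000, 55, b"hello")
    for copy in h.forward(pkt):
        print(parse_ipv4_udp(copy))
```

Because only the IP destination changes, the server still sees the client's original source address and UDP ports and can reply directly; a packet to any other UDP port, or one that is not addressed to 255.255.255.255, is left to normal broadcast handling.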